A network attack behavior identification method and device, electronic equipment and storage medium
By performing quintuple classification and encoding matrix similarity calculation on the raw network traffic data of industrial control systems, and combining this with adversarial generative model training, the problems of low recognition accuracy and low processing efficiency in existing technologies are solved, thus achieving efficient and secure identification of industrial control systems.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA ELECTRONICS CORP 6TH RES INST
- Filing Date
- 2022-12-06
- Publication Date
- 2026-06-09
AI Technical Summary
Existing technologies suffer from insufficient accuracy and low efficiency when processing large amounts of data in identifying cyberattacks, especially in industrial control systems, where existing methods are prone to information loss and inadequate clustering.
By classifying the raw network traffic data of industrial control systems into five-tuples, a target encoding matrix is generated. The similarity is calculated and the adversarial generative model is updated. The attack behavior is identified by comparing the encoding matrix and the preset screening rules. The adversarial generative model is then trained to improve the recognition accuracy.
It improves the efficiency and accuracy of identifying cyberattacks, can efficiently process large amounts of data, and ensures the security of industrial control systems.
Smart Images

Figure CN115941321B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network attack behavior identification technology, and more specifically, to a network attack behavior identification method, device, electronic device, and storage medium. Background Technology
[0002] Industrial Control Systems (ICS) are business process management systems that ensure the automated operation, process control, and monitoring of industrial infrastructure. They consist of various automated control components and process control components that acquire and monitor real-time data. With the development of computer, communication, and control technologies, ICS have entered a period of networking, leading to a sharp increase in network attacks targeting them. Timely detection and handling of network attacks are crucial.
[0003] Current technologies for identifying cyberattacks mostly extract partial information from collected data, which can lead to information loss and insufficient accuracy. Other methods use clustering, but clustering still has limitations when handling large volumes of data or dealing with data obfuscation. Summary of the Invention
[0004] In view of this, the purpose of this application is to provide a method, apparatus, electronic device and storage medium for identifying network attack behavior, which improves processing efficiency and matching accuracy, and enables efficient processing of large amounts of data.
[0005] In a first aspect, embodiments of this application provide a method for identifying network attack behaviors, the method comprising:
[0006] Based on the five-tuple information contained in the raw network traffic data of the target industrial control system, the raw network traffic data is classified to obtain raw network traffic data of different attack types.
[0007] The original network traffic data for different attack types are converted into different data formats to generate target encoding matrices corresponding to the original network traffic data for each attack type.
[0008] Based on the target encoding matrix corresponding to the original network traffic data of any target attack type, the comparison encoding matrix corresponding to the existing attack behavior data under the target attack type is used as the target value to calculate the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type.
[0009] Based on the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type, and according to preset filtering rules, the target attack behavior corresponding to each original network traffic data under the target attack type is determined from the existing attack behavior data under the target attack type.
[0010] In some technical solutions of this application, the aforementioned target attack behavior corresponds to target attack attribute information, and the method further includes:
[0011] Based on the target attack attribute information of the target attack behavior, predict the attack trend and attack result of the target attack behavior;
[0012] Based on the attack trend and the attack result of the target attack behavior, a corresponding target processing scheme is matched for the target attack behavior.
[0013] In some technical solutions of this application, the aforementioned existing attack behavior data is stored in an existing attack behavior database, and the method further includes:
[0014] The existing attack behavior database is updated based on the original network traffic data and the target attack behavior corresponding to the original network traffic data.
[0015] In some technical solutions of this application, the step of calculating the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is implemented by an adversarial generative model; the adversarial generative model is trained using the existing attack behavior data;
[0016] The method further includes:
[0017] The adversarial generative model is retrained using the updated existing attack behavior database to continuously improve its recognition accuracy.
[0018] In some technical solutions of this application, the aforementioned five-tuple information includes: attack source address information, destination address information, source port information, destination port information, and transport protocol information, and the original network traffic data is classified in the following way:
[0019] Based on the attack source address information contained in the original network traffic data, the original network traffic data containing the same attack source address information are divided into one category to obtain the original network traffic data with different attack source attack types.
[0020] For any target attack source attack type, the original network traffic data is divided into categories based on the destination address information contained in the original network traffic data, thereby obtaining the original network traffic data of different target attack types.
[0021] For any type of attack, the raw network traffic data containing the same source port information is classified into one category based on the source port information contained in the raw network traffic data, thus obtaining raw network traffic data of different source port attack types.
[0022] For any target source port attack type, the original network traffic data is divided into categories based on the destination port information contained in the original network traffic data, thereby obtaining the original network traffic data of different target port attack types.
[0023] For any target port attack type, the raw network traffic data containing the same transmission protocol information is classified into one category based on the transmission protocol information contained in the raw network traffic data, thus obtaining raw network traffic data of different transmission protocol attack types.
[0024] In some technical solutions of this application, the above-mentioned data format conversion of the original network traffic data for different attack types to generate target encoding matrices corresponding to the original network traffic data for each attack type includes:
[0025] With the aim of obtaining a preset data format, the original network traffic data under different attack types are converted into different data formats.
[0026] The raw network traffic data in the preset data format is organized according to different attack types to obtain the target encoding matrix corresponding to the raw network traffic data of the attack type.
[0027] In some technical solutions of this application, the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is calculated in the following way:
[0028] Pool the target encoding matrix corresponding to the original network traffic data of the target attack type to determine the identification value corresponding to each original network traffic data under the target attack type;
[0029] Pool the comparison coding matrix corresponding to the existing attack behavior data under the target attack type to determine the target value corresponding to each existing attack behavior data under the target attack type.
[0030] Based on the unidentified value corresponding to each original network traffic data under the target attack type and the target value corresponding to each existing attack behavior data under the target attack type, the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is calculated.
[0031] Secondly, embodiments of this application provide a network attack behavior identification device, the device comprising:
[0032] The classification module is used to classify the raw network traffic data of the target industrial control system according to the five-tuple information contained in the raw network traffic data to obtain the raw network traffic data of different attack types.
[0033] The conversion module is used to convert the data format of the original network traffic data for different attack types and generate the target encoding matrix corresponding to the original network traffic data for each attack type.
[0034] The calculation module is used to calculate the similarity between the original network traffic data of the target attack type and the existing attack behavior data of the target attack type, based on the target encoding matrix corresponding to the original network traffic data of any target attack type and the comparison encoding matrix corresponding to the existing attack behavior data of the target attack type as the target value.
[0035] The determination module is used to determine the target attack behavior corresponding to each piece of original network traffic data under the target attack type from the existing attack behavior data under the target attack type based on the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type and a preset filtering rule.
[0036] Thirdly, embodiments of this application provide an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the network attack behavior identification method described above.
[0037] Fourthly, embodiments of this application provide a computer-readable storage medium storing a computer program, which, when executed by a processor, performs the steps of the network attack behavior identification method described above.
[0038] The technical solutions provided by the embodiments of this application may include the following beneficial effects:
[0039] The method of this application includes: classifying the raw network traffic data of a target industrial control system based on the 5-tuple information contained in the raw network traffic data to obtain raw network traffic data of different attack types; converting the data format of the raw network traffic data of different attack types to generate target encoding matrices corresponding to the raw network traffic data of each attack type; calculating the similarity between the raw network traffic data of the target attack type and the existing attack behavior data of the target attack type based on the target encoding matrix corresponding to the raw network traffic data of the target attack type and the existing attack behavior data of the target attack type, according to the similarity between the raw network traffic data of the target attack type and the existing attack behavior data of the target attack type and a preset filtering rule; and determining the target attack behavior corresponding to each raw network traffic data of the target attack type from the existing attack behavior data of the target attack type. This application improves processing efficiency and matching accuracy by classifying the raw network traffic data, and by converting the raw network traffic data of each attack type into the form of encoding matrices for processing, it can achieve efficient processing of large amounts of data.
[0040] To make the above-mentioned objectives, features and advantages of this application more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings. Attached Figure Description
[0041] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0042] Figure 1 A flowchart illustrating a network attack behavior identification method provided in an embodiment of this application is shown.
[0043] Figure 2 This illustration shows a target processing scheme matching diagram provided in an embodiment of this application;
[0044] Figure 3 A schematic diagram of a network attack behavior identification device provided in an embodiment of this application is shown;
[0045] Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation
[0046] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. It should be understood that the accompanying drawings in this application are for illustrative and descriptive purposes only and are not intended to limit the scope of protection of this application. Furthermore, it should be understood that the schematic drawings are not drawn to scale. The flowcharts used in this application illustrate operations implemented according to some embodiments of this application. It should be understood that the operations in the flowcharts may not be implemented in sequence, and steps without logical contextual relationships may be reversed or implemented simultaneously. In addition, those skilled in the art, guided by the content of this application, may add one or more other operations to the flowcharts, or remove one or more operations from the flowcharts.
[0047] Furthermore, the described embodiments are merely some, not all, of the embodiments of this application. The components of the embodiments of this application described and illustrated herein can typically be arranged and designed in various different configurations. Therefore, the following detailed description of the embodiments of this application provided in the accompanying drawings is not intended to limit the scope of the claimed application, but merely to illustrate selected embodiments of the application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without inventive effort are within the scope of protection of this application.
[0048] It should be noted that the term "comprising" will be used in the embodiments of this application to indicate the presence of the features declared thereafter, but does not exclude the addition of other features.
[0049] Industrial Control Systems (ICS) are business process management systems that ensure the automated operation, process control, and monitoring of industrial infrastructure. They consist of various automated control components and process control components that acquire and monitor real-time data. With the development of computer, communication, and control technologies, ICS have entered a period of networking, leading to a sharp increase in network attacks targeting them. Timely detection and handling of network attacks are crucial.
[0050] Current technologies for identifying cyberattacks mostly extract partial information from collected data, which can lead to information loss and insufficient accuracy. Other methods use clustering, but clustering still has limitations when handling large volumes of data or dealing with data obfuscation.
[0051] Based on this, embodiments of this application provide a method, apparatus, electronic device, and storage medium for identifying network attack behaviors, which are described below through embodiments.
[0052] Figure 1 The diagram illustrates a flowchart of a network attack behavior identification method provided in an embodiment of this application, wherein the method includes steps S101-S104; specifically:
[0053] S101. Based on the five-tuple information contained in the raw network traffic data of the target industrial control system, the raw network traffic data is classified to obtain raw network traffic data of different attack types.
[0054] S102. Convert the data format of the original network traffic data for different attack types respectively to generate the target encoding matrix corresponding to the original network traffic data for each attack type;
[0055] S103. Based on the target encoding matrix corresponding to the original network traffic data of any target attack type, take the comparison encoding matrix corresponding to the existing attack behavior data under the target attack type as the target value, and calculate the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type.
[0056] S104. Based on the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type and the preset filtering rules, determine the target attack behavior corresponding to each original network traffic data under the target attack type from the existing attack behavior data under the target attack type.
[0057] This application improves processing efficiency and matching accuracy by classifying raw network traffic data, and transforms raw network traffic data of various attack types into the form of an encoding matrix for processing, enabling efficient processing of large amounts of data.
[0058] The following describes some embodiments of this application in detail. Unless otherwise specified, the following embodiments and features can be combined with each other.
[0059] S101. Based on the five-tuple information contained in the raw network traffic data of the target industrial control system, the raw network traffic data is classified to obtain raw network traffic data of different attack types.
[0060] The security of industrial control systems is paramount to a company's survival; the damage to such systems would result in incalculable losses. To ensure the security of any target industrial control system, this application acquired raw network traffic data generated during the actual production and control processes of that system. Since most network traffic in industrial control is automatically generated by industrial control equipment according to production processes, it differs significantly from the majority of human-generated internet traffic. Therefore, a thorough understanding of the characteristics of industrial control system traffic is crucial for developing effective threat detection methods.
[0061] This application obtains raw network traffic data from the target industrial control system. This raw network traffic data represents data that has not undergone any preprocessing; that is, this application uses data directly collected from the target industrial control system using data acquisition probe technology and web crawling technology. The collected raw network traffic data contains a five-tuple of information. This five-tuple includes the attack source address, destination address, source port, destination port, and transport protocol information. For example, 192.168.1.1 10000TCP 121.14.88.76 80 constitutes a five-tuple. This means that a terminal with IP address 192.168.1.1 (attack source address information) connects to a terminal with IP address 121.14.88.76 (destination address information) and port 80 (destination port information) via port 10000 (source port information) using the TCP protocol (transport protocol information).
[0062] To improve the processing efficiency of raw network traffic data, this application requires the classification of raw network traffic data. Specifically, to further improve the accuracy of matching the raw network traffic data, this application classifies the raw network traffic data based on the five-tuple information contained within it. The specific classification process is as follows:
[0063] Based on the attack source address information contained in the original network traffic data, the original network traffic data containing the same attack source address information are divided into one category to obtain the original network traffic data with different attack source attack types.
[0064] For any target attack source attack type, the original network traffic data is divided into categories based on the destination address information contained in the original network traffic data, thereby obtaining the original network traffic data of different target attack types.
[0065] For any type of attack, the raw network traffic data containing the same source port information is classified into one category based on the source port information contained in the raw network traffic data, thus obtaining raw network traffic data of different source port attack types.
[0066] For any target source port attack type, the original network traffic data is divided into categories based on the destination port information contained in the original network traffic data, thereby obtaining the original network traffic data of different target port attack types.
[0067] For any target port attack type, the raw network traffic data containing the same transmission protocol information is classified into one category based on the transmission protocol information contained in the raw network traffic data, thus obtaining raw network traffic data of different transmission protocol attack types.
[0068] As demonstrated by the above process, this application can categorize raw network traffic data into various attack types at different levels based on the five-tuple information. In practical implementation, the specific classification level can be selected according to the actual situation.
[0069] For example, consider the following raw network traffic data:
[0070] Data A: 192.168.1.1 10001TCP 121.14.88.76 80;
[0071] Data B: 192.168.1.1 10002TCP 121.14.88.76 80;
[0072] Data C: 192.168.1.1 10001TCP 121.14.88.77 80;
[0073] Data D: 192.168.1.0 10000TCP 121.14.88.76 80.
[0074] When classifying the above data, firstly, it is classified according to the attack source address information. Data A, data B, and data C have the same attack source address information, so this application classifies data A, data B, and data C into one category, and data D into another category. That is, data A, data B, and data C belong to the same attack source, while data D belongs to another attack source. Data A, data B, and data C from the same attack source can be further classified as needed, based on the destination address information. Data A and data B have the same destination address, while data A and data B have different destination addresses than data C. This application further classifies data A and data B into data with the same destination. Other classification methods in this application are similar to the above process and will not be repeated here.
[0075] After classifying the raw network traffic data obtained from the target industrial control system, this application needs to process the raw network traffic data according to different attack types.
[0076] S102. Convert the data format of the original network traffic data for different attack types to generate target encoding matrices corresponding to the original network traffic data for each attack type.
[0077] After obtaining the raw network traffic data for various attack types, this application needs to convert the raw network traffic data into a data format so that it can meet the needs of subsequent processing.
[0078] This application aims to obtain a preset data format by converting the original network traffic data under different attack types; then, the original network traffic data in the preset data format is organized according to different attack types to obtain the target encoding matrix corresponding to the original network traffic data of that attack type.
[0079] Each attack type in this application includes at least one raw network traffic data. By converting the format of each raw network traffic data under each attack type, multiple converted raw network traffic data for that attack type can be obtained. By treating each converted raw network traffic data under that attack type as a separate row of data, the target encoding matrix corresponding to the raw network traffic data of that attack type can be obtained.
[0080] For example, the format of data packets from the same attack source can be reduced from hexadecimal through a base conversion, and each data packet can be converted into decimal data. This will give us several sets of decimal data. Assuming that each set of data is regarded as an array, all data packets of the same attack source can be arranged into a matrix, namely the target encoding matrix.
[0081] S103. Based on the target encoding matrix corresponding to the original network traffic data of any target attack type, take the comparison encoding matrix corresponding to the existing attack behavior data under the target attack type as the target value, and calculate the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type.
[0082] After obtaining the target encoding matrix corresponding to the original network traffic data for each attack type, this application also sets up a comparison encoding matrix corresponding to the existing attack behavior data for each attack type. The comparison encoding matrix for existing attack behavior data in this application is obtained by processing the existing attack behavior data in the manner described in the above embodiments. Specifically, the existing attack behavior data is classified and processed to obtain existing attack behavior data for each different attack type. Then, the existing attack behavior data for each attack type is converted into a new format and organized according to different attack types. Each converted existing attack behavior data for that attack type is treated as a separate row of data, thus obtaining the encoding matrix corresponding to the existing attack behavior data for that attack type. To improve the matching accuracy, this application selects the encoding matrix of existing attack behavior data with the same attack type as the original network traffic data from the encoding matrix corresponding to the existing attack behavior data as the comparison encoding matrix. This application compares the target encoding matrix corresponding to the original network traffic data under the target attack type with the contrast encoding matrix corresponding to the existing attack behavior data under the target attack type to determine the similarity between each data in the target encoding matrix and each data in the contrast encoding matrix. This allows the similarity between the original network traffic data and the existing attack behavior to be obtained, thereby determining what kind of attack behavior the original network traffic data belongs to.
[0083] When making a comparison, this application uses the comparison coding matrix of existing attack behavior data as the target value. By calculating the difference between the target value of the target coding matrix corresponding to the original network traffic data, the similarity between the original network traffic data and the existing attack behavior can be determined.
[0084] To further improve processing efficiency, this application calculates the similarity between the original network traffic data of the target attack type and existing attack behavior data under the target attack type in the following manner:
[0085] Pool the target encoding matrix corresponding to the original network traffic data of the target attack type to determine the identification value corresponding to each original network traffic data under the target attack type;
[0086] Pool the comparison coding matrix corresponding to the existing attack behavior data under the target attack type to determine the target value corresponding to each existing attack behavior data under the target attack type.
[0087] Based on the unidentified value corresponding to each original network traffic data under the target attack type and the target value corresponding to each existing attack behavior data under the target attack type, the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is calculated.
[0088] From another perspective, to process large amounts of data more efficiently, this application simplifies the data in the target encoding matrix and the comparison encoding matrix by performing one or more pooling operations. The specific number of pooling operations and the amount of data after simplification can be determined according to specific processing requirements. As a preferred implementation, this application performs multiple pooling operations, so that each original network traffic data or existing attack behavior data is represented by only one number. That is, the target encoding matrix and the comparison encoding matrix in this application are both matrices with one column and multiple rows after processing. Then, each first element in the target encoding matrix is compared with each second element in the comparison encoding matrix to determine the similarity between each first element and the second element. Here, the similarity between the first element and the second element can be considered as the absolute value of the difference between the two numbers. The larger the absolute value, the greater the similarity between the two elements, and vice versa.
[0089] S104. Based on the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type and the preset filtering rules, determine the target attack behavior corresponding to each original network traffic data under the target attack type from the existing attack behavior data under the target attack type.
[0090] After obtaining the similarity between the original network traffic data and existing attack behavior data under the target attack type, this application sets up filtering rules to select the target attack behavior data that best matches the original network traffic data. By filtering the original network traffic data and existing attack behavior data under the target attack type according to the similarity of the original network traffic data, the similarity can be determined to identify the target attack behavior data that matches the original network traffic data. The preset filtering rules include selecting original network traffic data with similarity greater than a preset threshold, and also sorting and selecting the N data with the highest similarity, etc.
[0091] After selecting the target attack behavior data that best matches the original network traffic data according to preset filtering rules, this application establishes a preset first mapping relationship between the target attack behavior data and the target attack behavior. That is, once the target attack behavior data is determined, the target attack behavior can be determined based on the preset first mapping relationship. Simultaneously, this application also establishes a second mapping relationship between the target attack behavior and target attack attribute information. This target attack attribute information includes the attack method, attack time, and attack tools used.
[0092] To further secure the target industrial control system, this application, after determining the target attack behavior corresponding to the raw traffic data, such as... Figure 2 As shown, the method further includes:
[0093] S201. Based on the target attack attribute information of the target attack behavior, predict the attack trend and attack result of the target attack behavior;
[0094] S201. Based on the attack trend and the attack result of the target attack behavior, match a corresponding target processing scheme for the target attack behavior.
[0095] After identifying the target attack behavior corresponding to the original traffic data, this application also predicts the attack trend and attack result of the target attack behavior and matches the target processing scheme to deal with the attack behavior in a timely manner and avoid damage to the target industrial control system.
[0096] When predicting attack trends and outcomes, this application primarily relies on target attack attributes such as attack methods, timing, and tools. By analyzing which components of the target industrial control system the attack methods affect, the potential targets of the attack can be identified. By analyzing which components of the target industrial control system are undefended at the time of the attack, the potential targets of the attack can be determined. By analyzing the consequences of historical attack methods and tools, the outcome of this current attack on the target industrial control system can be predicted.
[0097] After determining the attack trend and outcome of the target attack, the attack outcome can be divided into different levels according to its severity, and then matched with alternative handling schemes of different levels to obtain a target handling scheme with the same level as the attack outcome.
[0098] In this embodiment of the application, as an optional embodiment, the existing attack behavior data, target attack attribute information, first mapping relationship, second mapping relationship, and other information are stored in the existing attack behavior database. After determining the target attack behavior corresponding to the original network traffic data, the method further includes:
[0099] The existing attack behavior database is updated based on the original network traffic data and the target attack behavior corresponding to the original network traffic data.
[0100] In other words, the target attack behavior corresponding to the original network traffic data obtained by the method of this application is also saved to the existing attack behavior database for identification in the next attack behavior, which can improve the accuracy of identification.
[0101] In this embodiment of the application, as an optional embodiment, step S103 is implemented by an adversarial generation model; the adversarial generation model is trained using the existing attack behavior data.
[0102] The method further includes:
[0103] The adversarial generative model is retrained using the updated existing attack behavior database to continuously improve its recognition accuracy.
[0104] When implementing the above steps using the adversarial generative model, this application also continuously learns and adjusts the adversarial generative model based on the target attack behavior corresponding to the obtained original network traffic data, so that the accuracy of identification through the method of this application is higher.
[0105] Figure 3 This illustration shows a structural diagram of a network attack behavior identification device provided in an embodiment of this application. The device includes:
[0106] The classification module is used to classify the raw network traffic data of the target industrial control system according to the five-tuple information contained in the raw network traffic data to obtain the raw network traffic data of different attack types.
[0107] The conversion module is used to convert the data format of the original network traffic data for different attack types and generate the target encoding matrix corresponding to the original network traffic data for each attack type.
[0108] The calculation module is used to calculate the similarity between the original network traffic data of the target attack type and the existing attack behavior data of the target attack type, based on the target encoding matrix corresponding to the original network traffic data of any target attack type and the comparison encoding matrix corresponding to the existing attack behavior data of the target attack type as the target value.
[0109] The determination module is used to determine the target attack behavior corresponding to each piece of original network traffic data under the target attack type from the existing attack behavior data under the target attack type based on the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type and a preset filtering rule.
[0110] The target attack behavior corresponds to a target attack attribute information, and the device further includes:
[0111] The prediction module is used to predict the attack trend and attack result of the target attack behavior based on the target attack attribute information of the target attack behavior;
[0112] The matching module is used to match a corresponding target processing scheme for the target attack behavior based on the attack trend and the attack result of the target attack behavior.
[0113] Existing attack behavior data is stored in an existing attack behavior database, and the device further includes:
[0114] The update module is used to update the existing attack behavior database based on the original network traffic data and the target attack behavior corresponding to the original network traffic data.
[0115] The step of calculating the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is implemented by an adversarial generative model; the adversarial generative model is trained using the existing attack behavior data.
[0116] The device further includes a training module for retraining the adversarial generative model using the updated existing attack behavior database to continuously improve the recognition accuracy of the adversarial generative model.
[0117] The five-tuple information includes: attack source address information, destination address information, source port information, destination port information, and transport protocol information. The raw network traffic data is classified in the following way:
[0118] Based on the attack source address information contained in the original network traffic data, the original network traffic data containing the same attack source address information are divided into one category to obtain the original network traffic data with different attack source attack types.
[0119] For any target attack source attack type, the original network traffic data is divided into categories based on the destination address information contained in the original network traffic data, thereby obtaining the original network traffic data of different target attack types.
[0120] For any type of attack, the raw network traffic data containing the same source port information is classified into one category based on the source port information contained in the raw network traffic data, thus obtaining raw network traffic data of different source port attack types.
[0121] For any target source port attack type, the original network traffic data is divided into categories based on the destination port information contained in the original network traffic data, thereby obtaining the original network traffic data of different target port attack types.
[0122] For any target port attack type, the raw network traffic data containing the same transmission protocol information is classified into one category based on the transmission protocol information contained in the raw network traffic data, thus obtaining raw network traffic data of different transmission protocol attack types.
[0123] The step of converting the original network traffic data for different attack types to generate target encoding matrices corresponding to the original network traffic data for each attack type includes:
[0124] With the aim of obtaining a preset data format, the original network traffic data under different attack types are converted into different data formats.
[0125] The raw network traffic data in the preset data format is organized according to different attack types to obtain the target encoding matrix corresponding to the raw network traffic data of the attack type.
[0126] The similarity between the original network traffic data of the target attack type and existing attack behavior data under the target attack type is calculated using the following method:
[0127] Pool the target encoding matrix corresponding to the original network traffic data of the target attack type to determine the identification value corresponding to each original network traffic data under the target attack type;
[0128] Pool the comparison coding matrix corresponding to the existing attack behavior data under the target attack type to determine the target value corresponding to each existing attack behavior data under the target attack type.
[0129] Based on the unidentified value corresponding to each original network traffic data under the target attack type and the target value corresponding to each existing attack behavior data under the target attack type, the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is calculated.
[0130] like Figure 4 As shown, this application provides an electronic device for executing the network attack behavior identification method of this application. The device includes a memory, a processor, a bus, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the steps of the network attack behavior identification method described above.
[0131] Specifically, the aforementioned memory and processor can be general-purpose memory and processor, without any specific limitations. When the processor runs the computer program stored in the memory, it can execute the aforementioned network attack behavior identification method.
[0132] Corresponding to the network attack behavior identification method in this application, this application embodiment also provides a computer-readable storage medium storing a computer program, which is executed by a processor to perform the steps of the network attack behavior identification method described above.
[0133] Specifically, the storage medium can be a general-purpose storage medium, such as a removable disk or hard disk. When the computer program on the storage medium is run, it can execute the aforementioned network attack behavior identification method.
[0134] In the embodiments provided in this application, it should be understood that the disclosed systems and methods can be implemented in other ways. The system embodiments described above are merely illustrative. For example, the division of units is only a logical functional division, and there may be other division methods in actual implementation. Furthermore, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Additionally, the coupling or direct coupling or communication connection shown or discussed may be through some communication interface; the indirect coupling or communication connection between systems or units may be electrical, mechanical, or other forms.
[0135] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0136] In addition, the functional units in the embodiments provided in this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0137] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0138] It should be noted that similar labels and letters in the following figures indicate similar items. Therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. In addition, the terms "first", "second", "third", etc. are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.
[0139] Finally, it should be noted that the above-described embodiments are merely specific implementations of this application, used to illustrate the technical solutions of this application, and not to limit them. The protection scope of this application is not limited thereto. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can still modify or easily conceive of changes to the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of the technical features, within the scope of the technology disclosed in this application; and these modifications, changes, or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application. All should be covered within the protection scope of this application. Therefore, the protection scope of this application should be determined by the protection scope of the claims.
Claims
1. A method for identifying network attack behavior, characterized in that, The method includes: Based on the five-tuple information contained in the raw network traffic data of the target industrial control system, the raw network traffic data is classified to obtain raw network traffic data of different attack types. The original network traffic data for different attack types are converted into different data formats to generate target encoding matrices corresponding to the original network traffic data for each attack type. Based on the target encoding matrix corresponding to the original network traffic data of any target attack type, the comparison encoding matrix corresponding to the existing attack behavior data under the target attack type is used as the target value to calculate the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type. Based on the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type and the preset filtering rules, the target attack behavior corresponding to each original network traffic data under the target attack type is determined from the existing attack behavior data under the target attack type. The five-tuple information includes: attack source address information, destination address information, source port information, destination port information, and transport protocol information. The raw network traffic data is classified in the following way: Based on the attack source address information contained in the original network traffic data, the original network traffic data containing the same attack source address information are divided into one category to obtain the original network traffic data with different attack source attack types. For any target attack source attack type, the original network traffic data is divided into categories based on the destination address information contained in the original network traffic data, thereby obtaining the original network traffic data of different target attack types. For any type of attack, the raw network traffic data containing the same source port information is classified into one category based on the source port information contained in the raw network traffic data, thus obtaining raw network traffic data of different source port attack types. For any target source port attack type, the original network traffic data is divided into categories based on the destination port information contained in the original network traffic data, thereby obtaining the original network traffic data of different target port attack types. For any target port attack type, the raw network traffic data is divided into categories based on the transmission protocol information contained in the raw network traffic data, and the raw network traffic data containing the same transmission protocol information is obtained to obtain the raw network traffic data of different transmission protocol attack types. The step of converting the original network traffic data for different attack types to generate target encoding matrices corresponding to the original network traffic data for each attack type includes: With the aim of obtaining a preset data format, the original network traffic data under different attack types are converted into different data formats. The raw network traffic data in the preset data format is organized according to different attack types to obtain the target encoding matrix corresponding to the raw network traffic data of the attack type.
2. The method according to claim 1, characterized in that, The target attack behavior corresponds to a target attack attribute information, and the method further includes: Based on the target attack attribute information of the target attack behavior, predict the attack trend and attack result of the target attack behavior; Based on the attack trend and the attack result of the target attack behavior, a corresponding target processing scheme is matched for the target attack behavior.
3. The method according to claim 2, characterized in that, The existing attack behavior data is stored in the existing attack behavior database, and the method further includes: The existing attack behavior database is updated based on the original network traffic data and the target attack behavior corresponding to the original network traffic data.
4. The method according to claim 3, characterized in that, The step of calculating the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is implemented by an adversarial generative model; the adversarial generative model is trained using the existing attack behavior data. The method further includes: The adversarial generative model is retrained using the updated existing attack behavior database to continuously improve its recognition accuracy.
5. The method according to claim 1, characterized in that, The similarity between the original network traffic data of the target attack type and existing attack behavior data under the target attack type is calculated using the following method: Pool the target encoding matrix corresponding to the original network traffic data of the target attack type to determine the identification value corresponding to each original network traffic data under the target attack type; Pool the comparison coding matrix corresponding to the existing attack behavior data under the target attack type to determine the target value corresponding to each existing attack behavior data under the target attack type. Based on the unidentified value corresponding to each original network traffic data under the target attack type and the target value corresponding to each existing attack behavior data under the target attack type, the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type is calculated.
6. A network attack behavior identification device, characterized in that, The device includes: The classification module is used to classify the raw network traffic data of the target industrial control system according to the five-tuple information contained in the raw network traffic data to obtain the raw network traffic data of different attack types. The conversion module is used to convert the data format of the original network traffic data for different attack types and generate the target encoding matrix corresponding to the original network traffic data for each attack type. The calculation module is used to calculate the similarity between the original network traffic data of the target attack type and the existing attack behavior data of the target attack type, based on the target encoding matrix corresponding to the original network traffic data of any target attack type and the comparison encoding matrix corresponding to the existing attack behavior data of the target attack type as the target value. The determination module is used to determine the target attack behavior corresponding to each piece of original network traffic data under the target attack type from the existing attack behavior data under the target attack type based on the similarity between the original network traffic data of the target attack type and the existing attack behavior data under the target attack type and a preset filtering rule. The five-tuple information includes: attack source address information, destination address information, source port information, destination port information, and transport protocol information. The raw network traffic data is classified in the following way: Based on the attack source address information contained in the original network traffic data, the original network traffic data containing the same attack source address information are divided into one category to obtain the original network traffic data with different attack source attack types. For any target attack source attack type, the original network traffic data is divided into categories based on the destination address information contained in the original network traffic data, thereby obtaining the original network traffic data of different target attack types. For any type of attack, the raw network traffic data containing the same source port information is classified into one category based on the source port information contained in the raw network traffic data, thus obtaining raw network traffic data of different source port attack types. For any target source port attack type, the original network traffic data is divided into categories based on the destination port information contained in the original network traffic data, thereby obtaining the original network traffic data of different target port attack types. For any target port attack type, the raw network traffic data is divided into categories based on the transmission protocol information contained in the raw network traffic data, and the raw network traffic data containing the same transmission protocol information is obtained to obtain the raw network traffic data of different transmission protocol attack types. The step of converting the original network traffic data for different attack types to generate target encoding matrices corresponding to the original network traffic data for each attack type includes: With the aim of obtaining a preset data format, the original network traffic data under different attack types are converted into different data formats. The raw network traffic data in the preset data format is organized according to different attack types to obtain the target encoding matrix corresponding to the raw network traffic data of the attack type.
7. An electronic device, characterized in that, include: The device includes a processor, a memory, and a bus. The memory stores machine-readable instructions executable by the processor. When the electronic device is running, the processor communicates with the memory via the bus. When the machine-readable instructions are executed by the processor, the steps of the network attack behavior identification method as described in any one of claims 1 to 5 are performed.
8. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, performs the steps of the network attack behavior identification method as described in any one of claims 1 to 5.