CN-115987615-B - Network behavior safety early warning method and system
Abstract
The invention provides a network behavior safety early warning method and a system, which relate to the technical field of network safety, wherein the method comprises the steps of obtaining attack event data; the method comprises the steps of preprocessing and clustering attack event data to obtain a first clustering result, obtaining first key features of network behaviors corresponding to attack events in similar results, constructing a network abnormal behavior feature set, predicting subsequent network behaviors based on a prediction model, determining a risk value of the predicted subsequent network behaviors based on a network behavior association principle, acquiring predicted subsequent network behavior features to obtain second key features when the risk value is not smaller than a first preset threshold value, performing feature matching on the second key features and the network abnormal behavior feature set, judging whether the predicted subsequent behaviors face the attack events based on the matching degree, and performing safety pre-warning. And determining the risk value of the subsequent network behavior under attack by analyzing the attack event data and predicting the subsequent network behavior, so as to realize safety early warning.
Inventors
- LIU ZHIWEN
- ZHANG SHUGUI
- SONG WEI
- LI YANG
- CUI YONG
- Wang Jiangneng
- WEI MIAO
Assignees
- 深圳市星火电子工程公司
- 深圳铸泰科技有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20221219
Claims (7)
- 1. The network behavior safety early warning method is characterized by comprising the following steps: step 1, capturing a historical network behavior data packet of a target user, and screening attack event data from the historical network behavior data packet; step 2, preprocessing and clustering the attack event data to obtain a first clustering result; step 3, obtaining first key characteristics of network behaviors corresponding to attack events in similar results, and constructing a network abnormal behavior characteristic set; step 4, training the neural network model based on the current network behavior and the historical network behavior of the target user to obtain a prediction model, so as to predict the subsequent network behavior; step 5, based on the network behavior association principle, determining a predicted risk value of the subsequent network behavior, and if the risk value is smaller than a first preset threshold value, continuing to monitor the network behavior safety; otherwise, carrying out feature collection on the predicted subsequent network behavior to obtain second key features, carrying out feature matching on the second key features and the network abnormal behavior feature set, and if the matching degree is larger than a second preset threshold value, determining that the predicted subsequent behavior is faced with an attack event and carrying out safety precaution; training the neural network model based on the current network behavior and the historical network behavior of the target user to obtain a prediction model to predict the subsequent network behavior includes: analyzing the current network behavior and the historical network behavior of the target user, and performing behavior classification according to the similarity of the current network behavior and the historical network behavior to obtain a behavior habit sequence of the target user; analyzing and processing multiple occurrence sequences in the behavior habit sequences and the triggering conditions corresponding to the occurrence sequences to obtain a behavior habit mode; training the neural network model based on the behavior habit mode to generate a prediction model, and predicting the subsequent network behavior based on the triggering condition of the current network behavior; predicting the subsequent network behavior comprises: step 11, predicting the current network behavior and the corresponding triggering conditions based on the prediction model to obtain a plurality of subsequent behavior modes; step 12, generating a behavior weight directed graph based on the plurality of subsequent behavior modes combined with the behavior habit modes and the triggering conditions of each behavior habit mode, and screening out the subsequent behavior with the maximum weight as a first behavior to be selected and outputting it; step 13, calculating weight errors of the subsequent behaviors corresponding to a plurality of historical network behaviors, and updating and adjusting the behavior weight directed graph according to the weight errors, wherein the weight error formula is as follows: wherein M is expressed as the weight error; the true weight of the subsequent behavior of the i-th historical network behavior, wherein ; the prediction weight of the corresponding subsequent behavior obtained by inputting the i-th historical network behavior data into the prediction model; n represents the number of historical network behaviors input into the prediction model; the deviation influence factor brought by the current network behavior, with value range ; and step 14, acquiring a second behavior to be selected with the maximum weight according to the updated weight directed graph, and if the first behavior to be selected is inconsistent with the second behavior to be selected, selecting the second behavior to be selected as the predicted subsequent network behavior to output.
- 2. The network behavior safety precaution method according to claim 1, wherein capturing historical network behavior data packets of the target user and screening attack event data from the historical network behavior data packets comprises: Monitoring a network to obtain a historical network behavior data packet of a target user; Detecting historical network behavior data packets of the target user, and screening to obtain abnormal data information with potential safety hazards; And analyzing and filtering the abnormal data information to obtain valuable data as attack event data to output.
- 3. The network behavior security pre-warning method of claim 1, wherein preprocessing and clustering the attack event data to obtain a first clustering result comprises: preprocessing the attack event data to obtain a standard characteristic value; inputting the standard characteristic value into a cluster analysis model for clustering to obtain a first clustering result, wherein the method comprises the following steps: step 01, inputting a sample data set constructed by taking the standard characteristic value as a sample into a clustering model for clustering; step 02, obtaining an initial clustering center by carrying out density analysis on the sample distribution in each primary clustering result; step 03, calculating a first distance between each sample in each primary clustering result and the corresponding primary clustering center; step 04, if all the first distances are smaller than or equal to a preset threshold value, assigning the corresponding first samples to that category; if a second sample with a first distance larger than the preset threshold exists, excluding the second sample from the class to which it belongs, constructing an isolated point set, and determining a corresponding second clustering center based on density analysis; step 05, obtaining a second distance from the second clustering center to each sample, dividing a third sample whose second distance is smaller than its first distance and also smaller than the preset threshold value into the first clustering class, removing the first sample consistent with the third sample from its original clustering class, and finally summarizing to obtain the first clustering result.
- 4. The method of claim 1, wherein the network behavior feature set includes a number of bytes of data packets, a number of destination ports, a number of data stream source subnets, a number of source ports, a number of source IPs, and a ratio of total flows for each network behavior feature set.
- 5. The network behavior safety precaution method according to claim 1, wherein determining the risk value of the predicted subsequent network behavior based on the network behavior association principle comprises: calculating the risk value of the predicted subsequent network behavior under attack, wherein the formula is as follows: wherein F is represented as the risk value of the predicted subsequent network behavior under attack, b is represented as the risk influence factor of the current network behavior on the predicted subsequent network behavior, and the value range is that A1 represents the behavior value of the current network behavior; the failure factor of all network behaviors consistent with the predicted subsequent network behavior in the historical network behaviors being attacked and blocked, with value range (0, 1); represented as a first weight; represented as a second weight, and < .
- 6. The method of claim 1, wherein the feature matching the second key feature with the network abnormal behavior feature set comprises: analyzing and processing the main component of the predicted subsequent network behavior to obtain a second key feature; Removing the mismatching characteristic values in the second key characteristics to realize coarse removal, so as to obtain second key characteristic values; Comparing the second key characteristic value with a corresponding first characteristic matching value of each network abnormal behavior in the network abnormal behavior characteristic set; determining feature matching degree according to the j-th group of first matching feature values and the second key feature values; Wherein, the Z represents the number of network abnormal behaviors in the network abnormal behavior feature set; The number of the first matching characteristic values is expressed as the j-th group, and the number of the second key characteristic values is expressed as the N; Representing the second key feature value Abnormal behavior with j-th group network Is a function of similarity of (2); If it is And less than a second preset threshold, determining that the predicted subsequent network behavior is not attacked, at which time, continuing security monitoring, wherein, Represented as all Maximum value of (2); If it is Not less than a second preset threshold, at this time, extracting And corresponding attack event data of network abnormal behaviors, and adopting targeted emergency measures to realize safety precaution.
- 7. A network behavior security early warning system, comprising: a data acquisition module, used for capturing a historical network behavior data packet of the target user and screening attack event data from the historical network behavior data packet; a cluster analysis module, used for preprocessing and clustering the attack event data to obtain a first clustering result; a feature acquisition module, used for acquiring first key features of network behaviors corresponding to attack events in similar results and constructing a network abnormal behavior feature set; a prediction behavior module, used for training the neural network model based on the current network behavior and the historical network behavior of the target user to obtain a prediction model so as to predict the subsequent network behavior; a safety early warning module, used for determining a predicted risk value of the subsequent network behavior based on the network behavior association principle and determining whether safety early warning is needed by combining the predicted risk value with the matching condition against the network abnormal characteristics; training the neural network model based on the current network behavior and the historical network behavior of the target user to obtain a prediction model to predict the subsequent network behavior includes: analyzing the current network behavior and the historical network behavior of the target user, and performing behavior classification according to the similarity of the current network behavior and the historical network behavior to obtain a behavior habit sequence of the target user; analyzing and processing multiple occurrence sequences in the behavior habit sequences and the triggering conditions corresponding to the occurrence sequences to obtain a behavior habit mode; training the neural network model based on the behavior habit mode to generate a prediction model, and predicting the subsequent network behavior based on the triggering condition of the current network behavior; predicting the subsequent network behavior comprises: step 11, predicting the current network behavior and the corresponding triggering conditions based on the prediction model to obtain a plurality of subsequent behavior modes; step 12, generating a behavior weight directed graph based on the plurality of subsequent behavior modes combined with the behavior habit modes and the triggering conditions of each behavior habit mode, and screening out the subsequent behavior with the maximum weight as a first behavior to be selected and outputting it; step 13, calculating weight errors of the subsequent behaviors corresponding to a plurality of historical network behaviors, and updating and adjusting the behavior weight directed graph according to the weight errors, wherein the weight error formula is as follows: wherein M is expressed as the weight error; the true weight of the subsequent behavior of the i-th historical network behavior, wherein ; the prediction weight of the corresponding subsequent behavior obtained by inputting the i-th historical network behavior data into the prediction model; n represents the number of historical network behaviors input into the prediction model; the deviation influence factor brought by the current network behavior, with value range ; and step 14, acquiring a second behavior to be selected with the maximum weight according to the updated weight directed graph, and if the first behavior to be selected is inconsistent with the second behavior to be selected, selecting the second behavior to be selected as the predicted subsequent network behavior to output.
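The feature matching of claims 4 and 6, as an added illustration that is not part of the patent text: the six claim 4 features are computed from constructed flow records for a predicted behavior, each of the Z abnormal behaviors in the feature set is compared against them, the maximum similarity is taken, and the behavior is flagged only when that maximum reaches the second preset threshold. The similarity metric (average per-feature min/max ratio), the coarse-removal rule (drop features absent on either side), the reading of "ratio of total flows" as this behavior's share of all flows in the window, the flow record schema and the threshold value 0.8 are all assumptions; the patent gives no formula for the similarity function.

```python
from ipaddress import ip_network

# Claim 4 feature set in a fixed order (the order itself is an assumption).
FEATURE_ORDER = ("bytes", "dst_ports", "src_subnets", "src_ports", "src_ips", "flow_ratio")


def key_features(flows, total_flows):
    """Second key features of one network behaviour from its flow records.

    flows: list of dicts with keys src_ip, src_port, dst_port, bytes (constructed schema).
    total_flows: flows in the whole observation window, used for the
    'ratio of total flows' feature (this reading of the feature is an assumption).
    """
    return {
        "bytes": sum(f["bytes"] for f in flows),
        "dst_ports": len({f["dst_port"] for f in flows}),
        "src_subnets": len({ip_network(f"{f['src_ip']}/24", strict=False) for f in flows}),
        "src_ports": len({f["src_port"] for f in flows}),
        "src_ips": len({f["src_ip"] for f in flows}),
        "flow_ratio": len(flows) / total_flows if total_flows else 0.0,
    }


def feature_similarity(second, first):
    """Similarity between the second key feature values and one group of first
    matching feature values: per-feature min/max ratio, averaged. Assumed metric,
    chosen because it is scale-free, so byte counts cannot dominate port counts."""
    scores = []
    for k in FEATURE_ORDER:
        if k not in second or k not in first:
            continue  # coarse removal: a feature missing on one side cannot be matched
        a, b = float(second[k]), float(first[k])
        hi = max(a, b)
        scores.append(1.0 if hi == 0 else min(a, b) / hi)
    return sum(scores) / len(scores) if scores else 0.0


def feature_match(second, abnormal_set, threshold):
    """Claim 6: compare against each of the Z abnormal behaviours, take the maximum
    similarity, and flag the predicted behaviour only if it reaches the second
    preset threshold. Returns (flagged, best_behaviour_name, max_similarity)."""
    sims = {name: feature_similarity(second, first) for name, first in abnormal_set.items()}
    best = max(sims, key=sims.get)
    return sims[best] >= threshold, best, sims[best]


# Constructed abnormal-behaviour feature set: first matching feature values per behaviour.
ABNORMAL_SET = {
    "port_scan": {"bytes": 6000, "dst_ports": 100, "src_subnets": 1,
                  "src_ports": 100, "src_ips": 1, "flow_ratio": 0.5},
    "volumetric_flood": {"bytes": 5_000_000, "dst_ports": 1, "src_subnets": 40,
                         "src_ports": 500, "src_ips": 500, "flow_ratio": 0.95},
}

# Constructed flow records for a predicted behaviour: one host touching 80 distinct ports.
SCAN_LIKE_FLOWS = [
    {"src_ip": "10.0.0.5", "src_port": 40000 + i, "dst_port": 1 + i, "bytes": 60}
    for i in range(80)
]
# Constructed benign behaviour: a few HTTPS sessions from one host.
BENIGN_FLOWS = [
    {"src_ip": "10.0.0.7", "src_port": 50000 + i, "dst_port": 443, "bytes": 40000}
    for i in range(5)
]

SECOND_THRESHOLD = 0.8  # assumed value of the second preset threshold


def classify(flows, total_flows):
    """Full claim 6 path for one predicted behaviour."""
    return feature_match(key_features(flows, total_flows), ABNORMAL_SET, SECOND_THRESHOLD)


if __name__ == "__main__":
    print(classify(SCAN_LIKE_FLOWS, 160))   # flagged, matches port_scan at 0.9
    print(classify(BENIGN_FLOWS, 100))      # not flagged, best similarity below 0.4
```

When the match is flagged, the name returned is the abnormal behavior whose attack event data the claim says should be extracted for the targeted response; when it is not, monitoring simply continues.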
Description
Network behavior safety early warning method and system
Technical Field
The invention relates to the technical field of network security, in particular to a network behavior security early warning method and system.
Background
The continuous progress and large-scale popularization of computer network technology have brought society into the information age, and people's production and living efficiency and living standards continue to improve. However, as the internet develops, the risk of network security threats also keeps rising, and many incidents such as vulnerability attacks, ransomware attacks and virus attacks, in which malicious network behaviors cause serious failures and losses, occur. At present, network security threats are handled either by responding after the threat has already occurred, or by requiring the client to refuse access to unknown files or websites, which greatly affects the user experience. How to effectively ensure stable operation of the network without affecting the user experience is therefore important. The invention accordingly provides a network behavior safety early warning method and system.
Disclosure of Invention
The invention provides a network behavior safety early warning method and system, which obtain historical network behavior data packets of a target user, obtain and analyze attack event data from them, predict subsequent network behaviors based on a prediction model, determine the risk value of the predicted subsequent network behaviors being attacked, and effectively judge whether the subsequent behaviors are attacked by combining this with the feature matching condition between the subsequent network behaviors and the network behaviors corresponding to the attack events, so as to realize safety early warning.
The invention provides a network behavior safety early warning method, which comprises the following steps: step 1, capturing a historical network behavior data packet of a target user, and screening attack event data from the historical network behavior data packet; step 2, preprocessing and clustering the attack event data to obtain a first clustering result; step 3, obtaining first key characteristics of network behaviors corresponding to attack events in similar results, and constructing a network abnormal behavior characteristic set; step 4, training the neural network model based on the current network behavior and the historical network behavior of the target user to obtain a prediction model, so as to predict the subsequent network behavior; step 5, based on the network behavior association principle, determining a predicted risk value of the subsequent network behavior, and if the risk value is smaller than a first preset threshold value, continuing to monitor the network behavior safety; otherwise, carrying out feature collection on the predicted subsequent network behavior to obtain a second key feature, carrying out feature matching on the second key feature and the network abnormal behavior feature set, and if the matching degree is larger than a second preset threshold value, determining that the predicted subsequent behavior is faced with an attack event and carrying out safety precaution.
Preferably, capturing a historical network behavior data packet of the target user and screening attack event data from the historical network behavior data packet includes: monitoring a network to obtain a historical network behavior data packet of the target user; detecting the historical network behavior data packets of the target user, and screening to obtain abnormal data information with potential safety hazards; and analyzing and filtering the abnormal data information to obtain valuable data, which is output as the attack event data.
Preferably, preprocessing and clustering the attack event data to obtain a first clustering result, including: preprocessing the attack event data to obtain a standard characteristic value; Inputting the standard characteristic value into a cluster analysis model for clustering to obtain a first clustering result, wherein the method comprises the following steps of: Step 01, inputting a sample data set X constructed by taking the standard characteristic value as a sample into a clustering model for clustering; step 02, obtaining an initial clustering center by carrying out density analysis on sample distribution in each primary clustering result; Step 03, calculating a first distance between each sample in each primary clustering result and a corresponding primary clustering center; Step 04, if all the first distances are smaller than or equal to a preset threshold value, drawing the corresponding first samples into the category; If a second sample with the first distance larger than a preset threshold exists, the second sample is excluded from the class to which the second sample belongs, an isolated point set is constructed, and a corres
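Steps 02 to 05 of the clustering refinement described in claim 3 and in the paragraph above, as an added worked example that is not the patent's own code. It assumes that step 01 has already produced the primary clustering results (passed in as lists of samples), that samples are numeric tuples compared by Euclidean distance, that "density analysis" means picking the sample with the most neighbours within a radius, and that the preset threshold is 4.0 with a density radius of 1.2; the sample points are constructed. The example also exercises the step 05 reassignment: a sample that lies within the threshold of its own primary centre but closer to the second centre is moved into the new cluster and removed from its original class.

```python
import math


def euclid(a, b):
    """Euclidean distance between two samples (assumed distance measure)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def density_center(points, radius):
    """Density analysis (assumed form): the sample with the most neighbours within
    `radius`. max() keeps the first sample on ties."""
    return max(points, key=lambda p: sum(1 for q in points if q != p and euclid(p, q) <= radius))


def refine_clusters(primary, threshold, radius):
    """Steps 02-05 over the primary clustering results.

    primary: list of lists of samples, the clustering model's output from step 01.
    Returns the first clustering result: the pruned primary classes followed by the
    class built from the isolated point set (if any isolated points exist).
    """
    kept = []       # per primary class: (first sample, first distance) pairs
    isolated = []   # second samples: farther than the threshold from their centre
    for cluster in primary:
        centre = density_center(cluster, radius)          # step 02: initial centre
        members = []
        for s in cluster:
            d1 = euclid(s, centre)                        # step 03: first distance
            if d1 <= threshold:
                members.append((s, d1))                   # step 04: first sample stays
            else:
                isolated.append(s)                        # step 04: second sample excluded
        kept.append(members)
    if not isolated:
        return [[s for s, _ in m] for m in kept]
    centre2 = density_center(isolated, radius)            # step 04: second centre
    second_cluster = list(isolated)
    result = []
    for members in kept:
        remaining = []
        for s, d1 in members:
            d2 = euclid(s, centre2)                       # step 05: second distance
            if d2 < d1 and d2 < threshold:
                second_cluster.append(s)                  # third sample moves over ...
            else:
                remaining.append(s)                       # ... and is removed from here
        result.append(remaining)
    result.append(second_cluster)
    return result


# Constructed primary clustering result: two tight groups around (0.5, 0.5) and
# (20.5, 0.5), a borderline member (4, 0), and three far points the primary model
# split between the two classes.
PRIMARY = [
    [(0, 0), (1, 0), (0, 1), (1, 1), (0.5, 0.5), (4, 0), (7, 0)],
    [(20, 0), (21, 0), (20, 1), (21, 1), (20.5, 0.5), (7.5, 0), (7, 0.5)],
]
THRESHOLD = 4.0  # assumed preset threshold
RADIUS = 1.2     # assumed density radius


def first_clustering_result():
    """Runs the refinement on the constructed data: sizes come out as [5, 5, 4]."""
    return refine_clusters(PRIMARY, THRESHOLD, RADIUS)


if __name__ == "__main__":
    for i, c in enumerate(first_clustering_result()):
        print(f"class {i}: {c}")
```

The three far points exceed the threshold from both primary centres and form the isolated point set; (7, 0) becomes the second centre, and (4, 0), which is 3.54 from its own centre but 3.0 from the second one, is reassigned, leaving two classes of five samples and a new class of four.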