
CN-120582813-B - Network attack flow detection method, device, computer equipment and storage medium

CN120582813B

Abstract

The embodiment of the application provides a network attack flow detection method, a network attack flow detection device, computer equipment and a storage medium. The method comprises the steps of obtaining flow to be detected and corresponding detection instructions, inputting the flow to be detected and the detection instructions into a large language model to obtain corresponding flow detection results, wherein the large language model carries out flow pattern learning training based on first loss through a first preset large language model to obtain a second preset large language model, the second preset large language model carries out instruction understanding training based on second loss to obtain the second preset large language model, the first loss is determined according to the difference between the predicted flow to be detected and the first sample flow to be detected, the predicted flow to be detected is obtained through recursive prediction based on the first sample flow to be detected, and the second loss is determined according to the difference between the predicted flow detection result output by the second sample flow to be detected and the sample flow detection result. Therefore, the flexibility and the accuracy of the network attack flow detection can be improved.

Inventors

  • GU ZHAOQUAN
  • SHI YUJIA
  • ZHANG HUAN
  • WANG ZIYU
  • ZENG LIYI
  • LIU CHANGAN
  • JING XIAO
  • LUO CUI
  • YUAN HUAPING

Assignees

  • 鹏城实验室

Dates

Publication Date
20260505
Application Date
20250508

Claims (8)

  1. A method for detecting network attack traffic, the method comprising: acquiring flow to be detected and a detection instruction generated according to the flow to be detected; inputting the flow to be detected and the detection instruction into a large language model to obtain a flow detection result corresponding to the flow to be detected; the large language model carries out flow pattern learning training based on first loss through a first preset large language model to obtain a second preset large language model, and carries out instruction understanding training based on second loss through the second preset large language model to obtain the large language model; the first loss is determined according to the difference between the predicted flow to be detected and the first sample flow to be detected through the first preset large language model, and the predicted flow to be detected is obtained by recursively predicting the first sample flow to be detected through the first preset large language model; the recursion prediction process is a recursion process of generating an intermediate prediction sequence based on a first flow characteristic corresponding to a first time step of the flow to be detected of the first sample, and predicting a next flow characteristic based on the intermediate prediction sequence so as to update the intermediate prediction sequence according to the next flow characteristic; the second loss is determined through the second preset large language model based on a predicted flow detection result output by the second sample flow to be detected and the difference between the predicted flow detection result and the sample flow detection result; the large language model is obtained through training in the following modes that a first sample to-be-detected flow is obtained from a preset pre-training data set, the first sample to-be-detected flow is subjected to recursive prediction through the first pre-training data set to obtain a predicted to-be-detected flow, a first loss is determined based on the difference between the first sample to-be-detected flow and the predicted to-be-detected flow, the first pre-training data set is trained based on the first loss to obtain a second pre-training large language model, a second sample to-be-detected flow, a corresponding sample flow detection result and a plurality of sample detection instructions corresponding to the second sample to-be-detected flow are obtained from a preset fine-tuning data set, the second sample to-be-detected flow and each sample detection instruction are sequentially input into the second pre-training large language model to obtain a predicted flow detection result, a second loss is determined based on the difference between the predicted flow detection result and the sample flow detection result, and the second pre-training large language model is obtained based on the second loss; the method comprises the steps of generating an intermediate prediction sequence based on a first flow characteristic corresponding to a first time step of the first sample flow to be detected through the first preset large language model, predicting a next flow characteristic of a next time step based on the intermediate prediction sequence to update the intermediate prediction sequence, repeatedly executing the step of predicting the next flow characteristic of the next time step based on the intermediate prediction sequence to update the end of the intermediate prediction sequence until the quantity of the flow characteristic of the recursively updated intermediate prediction sequence is the same as that of the first sample flow to be detected, and obtaining the predicted flow to be detected based on the intermediate prediction sequence corresponding to a last time step.
  2. The method for detecting network attack traffic according to claim 1, wherein training the first preset large language model based on the first loss to obtain a second preset large language model includes: adding a low-rank adaptation layer in the self-attention layer in the second preset large language model; and adjusting the parameters of the low-rank adaptation layer based on the second loss to obtain a large language model.
  3. The method for detecting network attack traffic according to claim 1, wherein the obtaining the first sample traffic to be detected from the preset pre-training data set, and performing recursion prediction based on the first sample traffic to be detected through the first preset large language model, before obtaining the predicted traffic to be detected, further comprises: acquiring attack load data, normal flow data, attack flow data and vulnerability code data; performing data cleaning processing on the attack load data, the normal flow data, the attack flow data and the vulnerability code data to obtain a plurality of initial sample data; respectively marking a plurality of characteristic fields contained in each initial sample data according to a plurality of preset classification fields to obtain a first sample flow to be detected corresponding to each initial sample data; and constructing a pre-training data set according to the flow to be detected of the plurality of first samples.
  4. The method for detecting network attack traffic according to claim 1, wherein the obtaining the second sample to-be-detected traffic, the corresponding sample traffic detection result, and the plurality of sample detection instructions corresponding to the second sample to-be-detected traffic from the preset fine tuning data set, and inputting the second sample to-be-detected traffic and each sample detection instruction into the second preset large language model in sequence, before obtaining the predicted traffic detection result, further includes: acquiring a plurality of preset instruction types; generating a plurality of seed instructions corresponding to a plurality of instruction types according to the flow to be detected of each second sample; expanding task instructions corresponding to each seed instruction according to a plurality of preset network attack categories to obtain a plurality of sample detection instructions corresponding to the flow to be detected of each second sample under the plurality of network attack categories; and acquiring a sample flow detection result corresponding to each second sample flow to be detected, and generating a fine adjustment data set based on the second sample flows to be detected, the corresponding sample detection instructions and the corresponding sample flow detection results.
  5. The method for detecting network attack traffic according to claim 1, wherein after inputting the traffic to be detected and the detection instruction into a large language model to obtain a traffic detection result corresponding to the traffic to be detected, further comprises: acquiring preset vulnerability classification, and performing feature extraction on the flow detection result to obtain structured data of corresponding attack features; acquiring a preset security knowledge base, mapping the structured data in the security knowledge base, and determining vulnerability entries and threat levels corresponding to the structured data; and generating a corresponding processing scheme based on the vulnerability item and the threat level corresponding to the flow detection result.
  6. A network attack traffic detection device, the device comprising: the acquisition module is used for acquiring the flow to be detected and a detection instruction generated according to the flow to be detected; the input module is used for inputting the flow to be detected and the detection instruction into a large language model to obtain a flow detection result corresponding to the flow to be detected; the large language model carries out flow pattern learning training based on first loss through a first preset large language model to obtain a second preset large language model, and carries out instruction understanding training based on second loss through the second preset large language model to obtain the large language model; the first loss is determined according to the difference between the predicted flow to be detected and the first sample flow to be detected through the first preset large language model, and the predicted flow to be detected is obtained by recursively predicting the first sample flow to be detected through the first preset large language model; the recursion prediction process is a recursion process of generating an intermediate prediction sequence based on a first flow characteristic corresponding to a first time step of the flow to be detected of the first sample, and predicting a next flow characteristic based on the intermediate prediction sequence so as to update the intermediate prediction sequence according to the next flow characteristic; the second loss is determined through the second preset large language model based on a predicted flow detection result output by the second sample flow to be detected and the difference between the predicted flow detection result and the sample flow detection result; the large language model is obtained through training in the following modes that a first sample to-be-detected flow is obtained from a preset pre-training data set, the first sample to-be-detected flow is subjected to recursive prediction through the first pre-training data set to obtain a predicted to-be-detected flow, a first loss is determined based on the difference between the first sample to-be-detected flow and the predicted to-be-detected flow, the first pre-training data set is trained based on the first loss to obtain a second pre-training large language model, a second sample to-be-detected flow, a corresponding sample flow detection result and a plurality of sample detection instructions corresponding to the second sample to-be-detected flow are obtained from a preset fine-tuning data set, the second sample to-be-detected flow and each sample detection instruction are sequentially input into the second pre-training large language model to obtain a predicted flow detection result, a second loss is determined based on the difference between the predicted flow detection result and the sample flow detection result, and the second pre-training large language model is obtained based on the second loss; the method comprises the steps of generating an intermediate prediction sequence based on a first flow characteristic corresponding to a first time step of the first sample flow to be detected through the first preset large language model, predicting a next flow characteristic of a next time step based on the intermediate prediction sequence to update the intermediate prediction sequence, repeatedly executing the step of predicting the next flow characteristic of the next time step based on the intermediate prediction sequence to update the end of the intermediate prediction sequence until the quantity of the flow characteristic of the recursively updated intermediate prediction sequence is the same as that of the first sample flow to be detected, and obtaining the predicted flow to be detected based on the intermediate prediction sequence corresponding to a last time step.
  7. A computer device, characterized in that it comprises a memory storing a computer program and a processor implementing the network attack traffic detection method according to any of claims 1 to 5 when the computer program is executed by the processor.
  8. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the network attack traffic detection method according to any of claims 1 to 5.
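
The recursive prediction and first loss of claim 1, written out as an added example (this is not code from the patent or its assignee). A tiny drift predictor stands in for the first preset large language model, the claim's "difference" is taken to be mean squared error, a grid search stands in for adjusting the model's parameters on that loss, and the four-step sample flow is constructed; all of these are assumptions, the patent fixes none of them.

```python
from itertools import product
from typing import Callable, List, Sequence, Tuple

FeatureVec = List[float]   # one time step of flow features, e.g. [packet_len, inter_arrival]
Predictor = Callable[[List[FeatureVec]], FeatureVec]


def recursive_predict(predict_next: Predictor, sample: Sequence[FeatureVec]) -> List[FeatureVec]:
    """Recursion of claim 1: seed the intermediate sequence with the sample's first
    time step, predict the next step from the intermediate sequence only (never
    from the sample's real later steps), append it, and stop once the lengths match."""
    if not sample:
        raise ValueError("sample must contain at least one time step")
    intermediate: List[FeatureVec] = [list(sample[0])]
    while len(intermediate) < len(sample):
        intermediate.append(list(predict_next(intermediate)))
    return intermediate


def first_loss(predicted: Sequence[FeatureVec], sample: Sequence[FeatureVec]) -> float:
    """Mean squared error over all time steps and features. The patent only says
    'difference'; MSE is the assumed concrete choice."""
    if len(predicted) != len(sample):
        raise ValueError("sequences must have equal length")
    total, count = 0.0, 0
    for p_step, s_step in zip(predicted, sample):
        for p, s in zip(p_step, s_step):
            total += (p - s) ** 2
            count += 1
    return total / count


def make_drift_predictor(drift: FeatureVec) -> Predictor:
    """Stand-in for the language model: next step = last predicted step + drift."""
    def predict_next(intermediate: List[FeatureVec]) -> FeatureVec:
        return [x + d for x, d in zip(intermediate[-1], drift)]
    return predict_next


def fit_drift(sample: Sequence[FeatureVec], grid: Sequence[float]) -> Tuple[FeatureVec, float]:
    """Choose the drift with the lowest first loss over a grid: a stand-in for
    adjusting model parameters by gradient descent on the first loss."""
    best_drift: FeatureVec = []
    best_loss = float("inf")
    for combo in product(grid, repeat=len(sample[0])):
        drift = list(combo)
        loss = first_loss(recursive_predict(make_drift_predictor(drift), sample), sample)
        if loss < best_loss:
            best_drift, best_loss = drift, loss
    return best_drift, best_loss


# Constructed sample flow: four time steps of [packet_len_kb, inter_arrival_s].
SAMPLE_FLOW: List[FeatureVec] = [[1.0, 0.0], [1.0, 1.0], [3.0, 1.0], [3.0, 1.0]]

if __name__ == "__main__":
    untrained = first_loss(recursive_predict(make_drift_predictor([0.0, 0.0]), SAMPLE_FLOW), SAMPLE_FLOW)
    drift, trained = fit_drift(SAMPLE_FLOW, (0.0, 0.5, 1.0))
    print(f"loss with zero drift: {untrained}; best drift {drift} gives loss {trained}")
```

Because the rollout only ever sees the sample's first step, every later prediction is built on earlier predictions, so the loss penalises a model that drifts away from the real flow over time rather than one that merely guesses each step from the true previous one.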

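The low-rank adaptation layer of claim 2, as an added example that is not the patent's own code: a projection of a self-attention layer keeps its base weight frozen while a rank-r pair of matrices A and B is added on the side, and only A and B receive gradient updates from the loss. The identity base weight, the deterministic initial values of A, the squared-error loss and the input vector are all constructed assumptions; the zero initialisation of B is the usual LoRA choice so that the adapted layer starts out identical to the base layer.

```python
from dataclasses import dataclass, field
from typing import List

Matrix = List[List[float]]
Vector = List[float]


def matvec(m: Matrix, v: Vector) -> Vector:
    return [sum(w * x for w, x in zip(row, v)) for row in m]


def identity(n: int) -> Matrix:
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


@dataclass
class LoRALinear:
    """One projection (e.g. the query projection) of a self-attention layer.
    weight (out x in) is frozen; lora_a (rank x in) and lora_b (out x rank) are trained."""
    weight: Matrix
    rank: int
    alpha: float = 1.0
    lora_a: Matrix = field(init=False)
    lora_b: Matrix = field(init=False)

    def __post_init__(self) -> None:
        n_out, n_in = len(self.weight), len(self.weight[0])
        # Deterministic small values stand in for the usual random init of A;
        # B starts at zero so the adapted layer initially equals the base layer.
        self.lora_a = [[0.1 * (i + j + 1) for j in range(n_in)] for i in range(self.rank)]
        self.lora_b = [[0.0] * self.rank for _ in range(n_out)]

    def scale(self) -> float:
        return self.alpha / self.rank

    def forward(self, x: Vector) -> Vector:
        base = matvec(self.weight, x)                       # frozen path
        delta = matvec(self.lora_b, matvec(self.lora_a, x))  # low-rank path
        return [b + self.scale() * d for b, d in zip(base, delta)]

    def trainable_parameters(self) -> int:
        return self.rank * (len(self.weight) + len(self.weight[0]))

    def frozen_parameters(self) -> int:
        return len(self.weight) * len(self.weight[0])


def squared_error(y: Vector, target: Vector) -> float:
    return 0.5 * sum((a - b) ** 2 for a, b in zip(y, target))


def lora_step(layer: LoRALinear, x: Vector, target: Vector, lr: float) -> float:
    """One gradient step on A and B only, for L = 0.5*||Wx + s*B(Ax) - target||^2.
    W is never touched. Returns the loss after the update."""
    y = layer.forward(x)
    err = [a - b for a, b in zip(y, target)]   # dL/dy
    ax = matvec(layer.lora_a, x)                 # A x
    s = layer.scale()
    grad_b = [[s * err[i] * ax[j] for j in range(layer.rank)] for i in range(len(err))]
    bt_err = [sum(layer.lora_b[i][j] * err[i] for i in range(len(err))) for j in range(layer.rank)]
    grad_a = [[s * bt_err[j] * x[k] for k in range(len(x))] for j in range(layer.rank)]
    for i in range(len(err)):
        for j in range(layer.rank):
            layer.lora_b[i][j] -= lr * grad_b[i][j]
    for j in range(layer.rank):
        for k in range(len(x)):
            layer.lora_a[j][k] -= lr * grad_a[j][k]
    return squared_error(layer.forward(x), target)


if __name__ == "__main__":
    layer = LoRALinear(weight=identity(4), rank=1)
    x, target = [1.0, 0.0, 0.0, 0.0], [1.0, 1.0, 0.0, 0.0]   # constructed input and target
    print("trainable", layer.trainable_parameters(), "frozen", layer.frozen_parameters())
    for step in range(3):
        print("step", step, "loss", lora_step(layer, x, target, lr=1.0))
```

The parameter counts show why the patent adapts only this layer: for a d x d projection the adapter trains 2rd values instead of d squared, and the frozen weight can be shared across many fine-tuned task variants.
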
Description

Network attack flow detection method, device, computer equipment and storage medium

Technical Field

The present application relates to the field of network security technologies, and in particular, to a method and apparatus for detecting network attack traffic, a computer device, and a storage medium.

Background

Network attacks are actions by which an attacker illegally invades, destroys, or steals computer systems, networks, and data using technical means or vulnerabilities, such as virus propagation, phishing fraud, DDoS attacks, etc. Network attacks may cause serious consequences such as information leakage, data tampering, service interruption, property loss and even social infrastructure breakdown, so in order to maintain the ecological stability of the network and the sustainable development of the urban digital society, network attacks need to be detected, threats identified in time, attack chains blocked, and the privacy and asset security of users protected.

In the related art, a signature-based detection method is generally adopted to detect network attacks. The signature-based detection method matches known threat patterns in network traffic or system behaviour against a predefined library of attack feature signatures, and when the monitored behaviour completely matches an attack feature in the signature library, the system triggers an alarm and takes defensive measures. However, the signature-based detection method relies on a signature library of known attack characteristics; for novel attacks or unknown threats, especially when an attacker bypasses detection by means such as code obfuscation, encryption or deformation, the signature library may fail to identify them, so network attack detection suffers from insufficient detection accuracy and flexibility.
Disclosure of Invention

The embodiment of the application mainly aims to provide a network attack flow detection method, a network attack flow detection device, computer equipment and a storage medium, which can improve the flexibility and the accuracy of network attack flow detection.

In order to achieve the above object, a first aspect of an embodiment of the present application provides a method for detecting network attack traffic, where the method includes: acquiring flow to be detected and a detection instruction generated according to the flow to be detected; inputting the flow to be detected and the detection instruction into a large language model to obtain a flow detection result corresponding to the flow to be detected; the large language model carries out flow pattern learning training based on first loss through a first preset large language model to obtain a second preset large language model, and carries out instruction understanding training based on second loss through the second preset large language model to obtain the large language model; the first loss is determined according to the difference between the predicted flow to be detected and the first sample flow to be detected through the first preset large language model, and the predicted flow to be detected is obtained by recursively predicting the first sample flow to be detected through the first preset large language model; the recursion prediction process is a recursion process of generating an intermediate prediction sequence based on a first flow characteristic corresponding to a first time step of the flow to be detected of the first sample, and predicting a next flow characteristic based on the intermediate prediction sequence so as to update the intermediate prediction sequence according to the next flow characteristic; and determining the second loss through the second preset large language model based on the difference between the predicted flow detection result output by the second sample flow to be detected and the sample flow detection result.

Accordingly, a second aspect of an embodiment of the present application proposes a network attack traffic detection device, where the device includes: the acquisition module is used for acquiring the flow to be detected and a detection instruction generated according to the flow to be detected; the input module is used for inputting the flow to be detected and the detection instruction into a large language model to obtain a flow detection result corresponding to the flow to be detected; the large language model carries out flow pattern learning training based on first loss through a first preset large language model to obtain a second preset large language model, and carries out instruction understanding training based on second loss through the second preset large language model to obtain the large language model; the first loss is determined according to the difference between the predicted flow to be detected and the first sample flow to be detected through the first preset large language model, and the predicted flow to be detected is obtained
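
The data preparation of claims 3 and 4, as an added example that is not the patent's own code: raw records of the four source kinds (attack payload, normal flow, attack flow, vulnerability code) are cleaned and their fields marked under preset classification fields to form pre-training samples; then, for each sample, one seed instruction per preset instruction type is generated from the sample's own fields and expanded once per preset attack category, and each expanded instruction is paired with the sample and its detection result to form a fine-tuning record. The classification fields, instruction types, attack categories, raw records and labels are all constructed assumptions; the patent names none of them.

```python
import re
from typing import Dict, List

# Assumed preset values: the patent lists none of these concretely.
CLASSIFICATION_FIELDS = ("source_type", "protocol", "direction", "payload")
SEED_TEMPLATES = {  # one seed instruction per preset instruction type, filled from the sample
    "classify": "Decide whether the following {protocol} traffic is an attack.",
    "explain": "Explain which fields of the following {protocol} traffic look malicious.",
}
ATTACK_CATEGORIES = ("sql_injection", "xss", "command_injection")

# Constructed raw records of the four source kinds named in claim 3; key names differ by source.
RAW_RECORDS: List[Dict[str, str]] = [
    {"kind": "attack_flow", "proto": "HTTP", "dir": "inbound", "data": "GET /item?id=1%27 HTTP/1.1"},
    {"kind": "attack_flow", "proto": "http", "dir": "inbound", "data": "GET  /item?id=1%27   HTTP/1.1"},
    {"kind": "normal_flow", "proto": "http", "dir": "inbound", "data": "GET /item?id=42 HTTP/1.1"},
    {"kind": "vulnerability_code", "data": "   "},
    {"kind": "attack_payload", "data": "payload-sample-001"},
]
# Constructed detection results for the fine-tuning stage of claim 4, keyed by cleaned payload.
SAMPLE_RESULTS = {
    "GET /item?id=1%27 HTTP/1.1": "attack: sql_injection",
    "GET /item?id=42 HTTP/1.1": "benign",
    "payload-sample-001": "attack: xss",
}


def clean(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Data cleaning: collapse whitespace, lower-case protocol and direction, drop
    records without a payload, and drop records that duplicate an earlier one."""
    seen = set()
    cleaned = []
    for rec in records:
        payload = re.sub(r"\s+", " ", rec.get("data", "")).strip()
        if not payload:
            continue
        key = (rec["kind"], payload)
        if key in seen:
            continue
        seen.add(key)
        cleaned.append({"kind": rec["kind"], "proto": rec.get("proto", "").lower(),
                        "dir": rec.get("dir", "").lower(), "data": payload})
    return cleaned


def mark_fields(rec: Dict[str, str]) -> Dict[str, str]:
    """Mark the record's feature fields under the preset classification fields,
    in the preset order; a field the source lacks is marked 'unknown'."""
    values = {"source_type": rec["kind"], "protocol": rec["proto"] or "unknown",
              "direction": rec["dir"] or "unknown", "payload": rec["data"]}
    return {f: values[f] for f in CLASSIFICATION_FIELDS}


def build_pretraining_set(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [mark_fields(r) for r in clean(records)]


def seed_instructions(sample: Dict[str, str]) -> Dict[str, str]:
    """One seed instruction per instruction type, generated from the sample's fields."""
    return {t: tpl.format(protocol=sample["protocol"]) for t, tpl in SEED_TEMPLATES.items()}


def expand_instructions(seed: str) -> List[str]:
    """Expand one seed into one task instruction per preset attack category."""
    return [f"{seed} Consider specifically whether it is {cat.replace('_', ' ')}."
            for cat in ATTACK_CATEGORIES]


def build_finetuning_set(samples: List[Dict[str, str]], results: Dict[str, str]) -> List[Dict[str, object]]:
    rows: List[Dict[str, object]] = []
    for sample in samples:
        for itype, seed in seed_instructions(sample).items():
            for cat, instruction in zip(ATTACK_CATEGORIES, expand_instructions(seed)):
                rows.append({"instruction_type": itype, "attack_category": cat,
                             "instruction": instruction, "input": sample,
                             "output": results[sample["payload"]]})
    return rows


if __name__ == "__main__":
    pretrain = build_pretraining_set(RAW_RECORDS)
    finetune = build_finetuning_set(pretrain, SAMPLE_RESULTS)
    print(len(pretrain), "pre-training samples,", len(finetune), "fine-tuning records")
    print(finetune[0]["instruction"], "->", finetune[0]["output"])
```

Each fine-tuning record carries the instruction type and attack category it was expanded from, so a practitioner can later check that the model's detection accuracy is balanced across categories rather than dominated by the one with the most samples.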