
CN-121984752-A - Attack detection method, electronic device, storage medium, and program product


Abstract

The application provides an attack detection method, an electronic device, a storage medium and a program product, and relates to the technical field of security. In the method, the target HMM model is designed as a self-adaptive system that can be updated and trained online on the network traffic data corresponding to a new attack pattern, which effectively overcomes the fundamental defect of lagging response to new threats. The method makes detection capability evolve in step with attack evolution: it not only remarkably improves the accuracy and coverage of real-time identification of unknown attacks and advanced variants (such as APT and novel DDoS), but also, relying on the lightweight nature and closed-loop update mechanism of the HMM model, greatly reduces the system's continuous consumption of computing and storage resources, ensures sustainable and efficient deployment at the resource-limited edge of the integrated network, and thereby realizes accurate, efficient and lightweight attack detection.

Inventors

  • LIU JING
  • CHEN YANG

Assignees

  • 北京天融信网络安全技术有限公司
  • 北京天融信科技有限公司
  • 北京天融信软件有限公司

Dates

Publication Date
2026-05-05
Application Date
2026-02-02

Claims (13)

  1. An attack detection method, comprising: acquiring an observation sequence generated from data to be detected of a space-ground integrated network; and obtaining an attack state evaluation result of the space-ground integrated network from the observation sequence through a target HMM model, wherein the attack state evaluation result comprises a normal state, a suspicious state and an attack state, and the target HMM model is obtained by update training on network traffic data corresponding to a new attack pattern when the new attack pattern is determined to exist.
  2. The method of claim 1, wherein whether a new attack pattern exists is determined by: when the attack state evaluation result is a suspicious state, carrying out attack pattern identification on the data to be detected; and determining whether a new attack pattern exists according to the identification result.
  3. The method of claim 1, wherein whether a new attack pattern exists is determined by: receiving external threat intelligence and extracting attack features from it; matching the attack features against a standard feature library, wherein the standard feature library is constructed from attack features of various attack types; and determining whether a new attack pattern exists according to the matching result.
  4. The method of claim 1, wherein the target HMM model is updated by: taking the network traffic data corresponding to the new attack pattern as incremental training samples, and adjusting the probability parameters of the target HMM model with an incremental learning algorithm.
  5. The method of claim 4, wherein adjusting the probability parameters of the target HMM model with an incremental learning algorithm, with the network traffic data corresponding to the new attack pattern as incremental training samples, comprises: generating a corresponding observation training sequence from the network traffic data corresponding to the new attack pattern; counting a state transition probability matrix and an observation probability matrix from the observation training sequence; fusing the counted state transition probability matrix with the current state transition probability matrix of the target HMM model by a weighted moving average method to obtain an updated state transition probability matrix; and fusing the counted observation probability matrix with the current observation probability matrix of the target HMM model by a Bayesian smoothing method to obtain an updated observation probability matrix.
  6. The method of claim 1, further comprising, before acquiring the observation sequence generated from the data to be detected of the space-ground integrated network: constructing a standard feature library from attack features of various attack types; determining, in training data of the space-ground integrated network, the salient features in each recording period and taking the salient features as the observation result of the corresponding recording period; and training an initial HMM model on training sequences generated from a plurality of observation results to obtain the target HMM model.
  7. The method of claim 6, wherein determining the salient features in each recording period comprises: for each recording period, acquiring the feature value corresponding to each attack feature in that recording period; calculating the degree of deviation between the feature value corresponding to each attack feature and the corresponding standard feature value in the standard feature library, wherein the degree of deviation comprises the node communication frequency deviation and/or the connection relation entropy value; and determining the salient features of each recording period according to the degree of deviation corresponding to each attack feature in that recording period.
  8. The method of claim 6, further comprising: extracting the attack features of the network traffic data corresponding to the new attack pattern and adding them to the standard feature library.
  9. The method of claim 1, wherein acquiring the observation sequence generated from the data to be detected of the space-ground integrated network comprises: acquiring the data to be detected of the space-ground integrated network; performing multidimensional feature extraction on the data to be detected by traffic feature analysis, behavior baseline comparison and threat intelligence correlation analysis to obtain multidimensional features; and generating a corresponding multidimensional observation sequence for the multidimensional features.
  10. The method of claim 1, further comprising, after obtaining the attack state evaluation result of the space-ground integrated network: when the attack state evaluation result is an attack state, generating and executing a corresponding network security response action, wherein the network security response action comprises at least one of: generating and reporting security alarm information; issuing an instruction to a firewall or network controller to block or isolate the network connection identified as an attack; issuing a configuration update instruction to a distributed probe to adjust its data acquisition strategy or behavior analysis rules; and starting a deep forensic analysis strategy on the related network traffic.
  11. An electronic device comprising a processor and a memory storing computer-readable instructions that, when executed by the processor, perform the method of any of claims 1 to 10.
  12. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, performs the method of any of claims 1 to 10.
  13. A computer program product comprising computer program instructions that, when read and executed by a processor, perform the method of any of claims 1 to 10.

Description

Attack detection method, electronic device, storage medium, and program product

Technical Field

The present application relates to the field of security technologies, and in particular to an attack detection method, an electronic device, a storage medium, and a program product.

Background

With the deep advancement of the construction of the space-ground integrated information network, the complex heterogeneous architecture that integrates a space-based backbone network, a space-based access network and a ground node network faces unprecedented security challenges while realizing global coverage and random access. Network attack means are evolving towards automation, persistence and concealment: advanced persistent threats (Advanced Persistent Threat, APT), distributed denial of service (Distributed Denial of Service, DDoS) variant attacks, precise exploitation of network protocol vulnerabilities and the like pose a serious test to the traditional security defense system. However, the mainstream artificial intelligence (Artificial Intelligence, AI) technology at the present stage needs to consume a large amount of resources for preparatory work such as pre-training and sample collection, while hardware devices in the space-based network often need higher radiation resistance in a vacuum environment, and their chip processing capacity and corresponding resources are often far lower than those of current ground hardware devices. As a result, AI technology is difficult to deploy at full scale in the space-based network, and accurate, efficient and lightweight attack detection is difficult to realize in the space-ground integrated network environment.

Disclosure of Invention

An embodiment of the application aims to provide an attack detection method, an electronic device, a storage medium and a program product, which are used to solve the problem that accurate, efficient and lightweight attack detection is difficult to realize in a space-ground integrated network environment.

In a first aspect, an embodiment of the present application provides an attack detection method, where the method includes: acquiring an observation sequence generated from data to be detected of a space-ground integrated network; and obtaining an attack state evaluation result of the space-ground integrated network from the observation sequence through a target HMM model, wherein the attack state evaluation result comprises a normal state, a suspicious state and an attack state, and the target HMM model is obtained by update training on network traffic data corresponding to a new attack pattern when the new attack pattern is determined to exist.

In the implementation process, the target HMM model is designed as a self-adaptive system that can be updated and trained online on the network traffic data corresponding to a new attack pattern, which effectively overcomes the fundamental defect of lagging response to new threats. The method makes detection capability evolve in step with attack evolution: it not only remarkably improves the accuracy and coverage of real-time identification of unknown attacks and advanced variants (such as APT and novel DDoS), but also, relying on the lightweight nature and closed-loop update mechanism of the HMM model, greatly reduces the system's continuous consumption of computing and storage resources, ensures sustainable and efficient deployment at the resource-limited edge of the integrated network, and thereby realizes accurate, efficient and lightweight attack detection.

Optionally, whether a new attack pattern exists is determined by: when the attack state evaluation result is a suspicious state, carrying out attack pattern identification on the data to be detected; and determining whether a new attack pattern exists according to the identification result. In the implementation process, the suspicious state in the attack state evaluation result is used as a precise trigger point, and attack pattern recognition is focused on the to-be-detected data that carries potential risk. This not only avoids the resource waste of indiscriminately analysing all data, but also captures the hidden features of novel attacks in a targeted way. By running pattern recognition directly on the suspicious data, attack behaviour logic and feature combinations not yet covered by the existing feature library can be mined quickly, which provides a reliable basis for accurately judging the novel attack pattern, delivers high-quality incremental data for the update training of the target HMM model, and effectively improves the model's self-adaptive detection capability for novel attacks and their variants.

Optionally, whether a new attack pattern exists is determined by: receiving external threat intelligence and extracting attack cha