Technical Field
The invention belongs to the field of cloud computing, and specifically relates to a cognitive intrusion detection method for a cloud computing environment.
Background
Cloud computing has become a hot topic in the IT industry, but its development also faces many key problems, of which security is the foremost. As cloud computing spreads, the importance of security keeps rising, and it has become the core factor restricting the development of cloud computing. Cloud security challenges fall into three areas: (1) data security, including data encryption and decryption, access control and transmission security; (2) service security, including server security, secure single sign-on, identity authentication and trust models; (3) the security monitoring system, which defends against and blocks malicious intrusions and protects the data and privacy of all users, and is a crucial part of cloud security.
Traditional passive defence methods cannot judge and block network attacks in time, lack the cognitive ability to identify known or unknown security attacks, and are neither real-time nor intelligent, so they no longer meet the needs of the cloud computing environment. A more proactive, a priori cognitive intrusion detection method is therefore needed in the cloud computing environment in order to rapidly identify, warn of and protect against security attacks.
Document 1 in the prior art (application number 201510870283.X) provides a cloud-computing-based intrusion detection method that moves the intrusion detection function from the traditional host side to the cloud and provides it as a service. Its core intrusion detection and analysis service resides in the cloud, where it is updated and maintained by the cloud provider's professional network security team; this simplifies the host side and reduces maintenance costs. Its main process is shown in Figure 1. This document is a foundational patent for Internet intrusion detection: an intrusion detection system based on a cloud computing environment gains the advantages of centralised, shared data in the cloud database. Its shortcomings are: (1) it does not describe the intrusion detection engine, the intrusion detection rule base used for comparison, or the intelligent anomaly detection in any detail; (2) it has no ability to identify the possible unknown intrusions that the comparison yields and offers no solution for them, simply treating them as new intrusion behaviour, so it has no cognitive ability with respect to unknown attacks.
Document 2 (application number 201610049716.X) provides an autonomous-analysis intrusion detection method in a cloud computing environment. It trains an intrusion detector with an improved BP neural network to detect preprocessed packets with abnormal traffic in real time, then identifies the abnormal data and extracts features from the unknown intrusions it finds so that new types of intrusion can be recognised next time; it proposes the idea of autonomous analysis and detection and is highly extensible. Its main process is shown in Figure 2. This document is a relatively advanced patent for Internet intrusion detection: it is based on the cloud computing environment, can detect both known and unknown types of intrusion, feeds the results back in time and supplements the cloud database, improving the system's detection and defence functions. Its shortcoming is that the feature extraction method for unknown intrusions still leaves much room for improvement in the speed and security of the system.
Summary of the Invention
To address the problems that the passive defence strategy of the traditional Intrusion Detection System (IDS) model cannot judge and block known or unknown security attacks in time and that the system carries a high risk factor, a cognitively capable intrusion detection system for cloud computing is proposed. The specific scheme is as follows: a cognitive intrusion detection method for a cloud computing environment, comprising the following steps:
Step 1: the data preprocessing unit in the cloud computing environment receives packets with abnormal traffic, applies rule-based preprocessing to the data in the packets to obtain packet files containing feature vectors, and sends the preprocessed packets to the database and to the packet detection unit respectively;
Step 2: the database receives and stores the packet files carrying feature vector data and creates log records from the stored packets;
Step 3: a cognitive rule base is established, containing the characteristic data of known intrusion behaviours;
Step 3: the packet detection unit performs rule matching against the information in the established cognitive rule base; if a matching rule is found it alerts the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event processing unit according to the alert received, and on receiving the instruction the event processing unit raises an alarm and cuts off the network;
Step 4: if the packet detection unit finds no matching rule, the attack type in the packet cannot be identified, and the database passes the packet's information to the cloud inference learning module to assess the possibility of intrusion;
Step 5: cloud rules are established; when there is no network connection, the cloud cognitive inference engine uses the feature vector data stored in the database as training samples to build the cloud rule database;
Step 6: the unidentified attack type is determined; when the network is connected, the cloud cognitive inference engine receives the feature vector data of the packet whose attack type could not be identified, and uses a genetic-algorithm-based feature vector extraction algorithm to optimise and select from the feature vector data, obtaining the optimal intrusion feature vector; this intrusion feature vector is compared with the established cloud rule database, activating several qualitative cloud rules, and the cloud cognitive inference engine performs uncertainty reasoning to determine the type of intrusion and sends the result to the intrusion detection engine unit;
Step 7: the intrusion feature vector is sent to the original cloud rule database, which is corrected and updated into a new cloud rule database;
Step 8: the intrusion feature vector is sent to the statistical analysis unit, which judges from the log records of the intrusion feature vector whether a network intrusion has occurred, sends the judgement to the intrusion detection engine unit and the event processing unit, and at the same time sends the data of the intrusion feature vector to the cognitive rule base for updating;
Step 9: the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement from the statistical analysis unit, and sends an instruction to the event processing unit;
Step 10: on receiving the instructions from the intrusion detection engine unit and the statistical analysis unit, the event processing unit raises an alarm and cuts off the network.
Further, the specific steps of the genetic-algorithm-based feature vector extraction algorithm in Step 6 are as follows:
1) Set the generation counter g = 0 and generate an initial population P(g) of n individuals;
2) Evaluate each individual in the population and compute its fitness f(x);
3) According to the individual fitness f(x), select two individuals from P(g) as parents (the higher the fitness, the greater the chance of selection); with the crossover probability, cross the two selected individuals to produce new offspring (if the crossover probability is 0, i.e. no crossover takes place, the offspring are exact copies of the parents); then, with the mutation probability, mutate the new offspring at their respective loci; repeat these operations to produce new individuals, and form the individuals generated into the new population P(g+1);
4) Take the newly generated population P(g+1) as the population for the subsequent evolution operations and set g = g + 1;
5) If the termination condition is met, the algorithm ends and returns the best individual in the current population, i.e. the optimal solution;
6) If the termination condition is not met, go back to step 2) and continue the genetic algorithm.
Further, the specific steps of the uncertainty reasoning in Step 6 are as follows:
Step 1: for a set of unknown intrusion feature vectors (X1, X2, …, Xn) obtained after data preprocessing, each Xi activates a rule according to the 3En rule: |Ex − Xi| < 3En;
Step 2: for each activated rule, the forward cloud generator infers and outputs a cloud drop drop(xi, yi);
Step 3: from the cloud drops drop(x1, y1), …, (xn, yn), the backward cloud generator obtains the numerical characteristics of the virtual cloud: Exij, Enij, Heij;
Step 4: xi is then substituted into the virtual cloud to obtain its certainty degree;
Step 5: Steps 2 to 5 are repeated for each xi to obtain the corresponding certainty degree of each;
Step 6: the intrusion type is determined by the principle of maximum certainty degree.
Further still, in Step 8 the statistical analysis processing unit measures n variable values at any given moment and infers whether an intrusion has occurred in the system. Each variable Ni (i = 1, 2, …, n) represents a characteristic of a different aspect of the system, such as the number of SYN packets, the number of failed user logins, CPU utilisation and network traffic, and Mi (i = 1, 2, …, n) is the predicted expected value of that variable under normal conditions. The detection function defined at time t is:
where λi > 0 is a weight expressing importance, i.e. sensitivity. The smaller F(t), the closer the communication process is to normal; when F(t) exceeds a preset threshold, a network intrusion is considered to have occurred.
Compared with the prior art, the cloud cognitive inference learning module of the invention uses a genetic algorithm to optimise the feature vectors, so that the required training and monitoring time is shorter than with other methods; secondly, its real-time online detection capability is stronger; finally, it makes full use of the cloud's capacity for large-scale parallel computation and large-volume data processing, greatly increasing computing power and making the system more secure and efficient.
Brief Description of the Drawings
Figure 1 is a flow chart of the cloud-computing-based intrusion detection method of Document 1;
Figure 2 is a flow chart of the autonomous-analysis intrusion detection method in a cloud computing environment of Document 2;
Figure 3 is a flow chart of the cognitive intrusion detection method for cloud computing;
Figure 4 is a block diagram of the genetic-algorithm-based feature vector extraction algorithm;
Figure 5 is a block diagram of the specific reasoning algorithm of the cloud cognitive inference engine.
Detailed Description
Embodiment 1
As shown in Figure 1, the cognitively capable intrusion detection system for cloud computing comprises a cognitive detection module: data preprocessing collects the data streams in the network and generates data stream files in a given format. Packet detection inspects the preprocessed data stream and, from the established cognitive rule base, judges whether the stream is a known form of attack; for known attacks an attack signature conforming to given rules is created, containing the handling action, transport layer protocol type, application layer protocol type, port number, IP address range, remark information and so on.
Cloud cognitive inference learning module: the cloud inference learning module assesses the possibility of intrusion. The input of the inference engine has two parts. One is intrusion detection time (online decision): the collector supplies the collected network feature vectors to the cloud cognitive inference engine for analysis and inference. Because the collector gathers a great many feature vectors while the network is connected, a genetic algorithm is used to optimise the selection of feature vectors so that the massive connection data of the cloud environment can be handled quickly, with the best feature individuals chosen according to a fitness value that rewards a high detection rate and a low false alarm rate. The other is sample training time (offline learning): the collector stores the preprocessed information in the database to supply the cloud cognitive inference engine, which then uses cloud computing to assess the possibility of intrusion.
Statistical analysis processing module: analyses the log records of the virtual organisation in real time to discover abnormal events. The intrusion detection engine consolidates the alerts from all systems and, after analysis, issues instructions to the event processing module to raise alarms, cut connections and so on.
The cognitive detection module comprises the data preprocessing unit, the packet detection unit, the intrusion detection engine unit and the database; the cloud cognitive inference learning module comprises the cloud cognitive inference engine and the cloud rule unit; the statistical analysis processing module comprises the statistical analysis unit and the event processing unit.
The data preprocessing unit is connected to the packet detection unit and to the database, the packet detection unit is connected to the intrusion detection engine unit, and the intrusion detection engine unit is connected to the event processing unit; the database is connected to the cloud rule unit, the cloud rule unit and the cloud cognitive inference engine are connected to each other, and the cloud cognitive inference engine is connected to the cloud rule unit, the intrusion detection engine unit and the statistical analysis unit; the statistical analysis unit is connected to the cognitive rule base, the event processing unit and the intrusion detection engine unit, and the cognitive rule base is connected to the packet detection unit.
As shown in Figures 1, 2 and 3, a cognitive intrusion detection method for a cloud computing environment based on the above system comprises the following steps:
Step 1: the data preprocessing unit in the cloud computing environment receives packets with abnormal traffic, applies rule-based preprocessing to the data in the packets to obtain packet files containing feature vectors, and sends the preprocessed packets to the database and to the packet detection unit respectively;
Step 2: the database receives and stores the packet files carrying feature vector data and creates log records from the stored packets;
Step 3: a cognitive rule base is established, containing the characteristic data of known intrusion behaviours;
Step 3: the packet detection unit performs rule matching against the information in the established cognitive rule base; if a matching rule is found it alerts the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event processing unit according to the alert received, and on receiving the instruction the event processing unit raises an alarm and cuts off the network;
Step 4: if the packet detection unit finds no matching rule, the attack type in the packet cannot be identified, and the database passes the packet's information to the cloud inference learning module to assess the possibility of intrusion;
Step 5: cloud rules are established; when there is no network connection, the cloud cognitive inference engine uses the feature vector data stored in the database as training samples to build the cloud rule database;
Step 6: the unidentified attack type is determined; when the network is connected, the cloud cognitive inference engine receives the feature vector data of the packet whose attack type could not be identified, and uses a genetic-algorithm-based feature vector extraction algorithm to optimise and select from the feature vector data, obtaining the optimal intrusion feature vector; this intrusion feature vector is compared with the established cloud rule database, activating several qualitative cloud rules, and the cloud cognitive inference engine performs uncertainty reasoning to determine the type of intrusion and sends the result to the intrusion detection engine unit;
The specific steps of the genetic-algorithm-based feature vector extraction algorithm in Step 6 are as follows:
1) Set the generation counter g = 0 and generate an initial population P(g) of n individuals;
2) Evaluate each individual in the population and compute its fitness f(x);
3) According to the individual fitness f(x), select two individuals from P(g) as parents (the higher the fitness, the greater the chance of selection); with the crossover probability, cross the two selected individuals to produce new offspring (if the crossover probability is 0, i.e. no crossover takes place, the offspring are exact copies of the parents); then, with the mutation probability, mutate the new offspring at their respective loci; repeat these operations to produce new individuals, and form the individuals generated into the new population P(g+1);
4) Take the newly generated population P(g+1) as the population for the subsequent evolution operations and set g = g + 1;
5) If the termination condition is met, the algorithm ends and returns the best individual in the current population, i.e. the optimal solution;
6) If the termination condition is not met, go back to step 2) and continue the genetic algorithm.
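The genetic feature-selection procedure of steps 1) to 6) (stated above in both the summary and this embodiment), as an added worked example that is not the patent's own code. Each individual is a bit mask over the features of a connection record, and, as the description of the cloud inference learning module states, fitness rewards a high detection rate and a low false alarm rate. The nearest-centroid scorer used to measure those rates, the small per-feature penalty, the elitist copy of the best individual, and the constructed sample records are all this example's own assumptions; the termination condition is a fixed number of generations.

```python
# Added example (not the patent's own code): genetic-algorithm feature subset
# selection for intrusion records, following steps 1)-6) above. Fitness rewards
# a high detection rate and a low false alarm rate, as the description states;
# the nearest-centroid scorer, the per-feature penalty, elitism and all sample
# data are this example's own assumptions.
import math
import random

N_FEATURES = 6  # constructed: features 0 and 1 carry the attack signal, 2-5 are noise


def make_records(rng, count=120):
    """Constructed sample data: (feature_vector, is_attack) pairs, half attacks."""
    records = []
    for k in range(count):
        is_attack = k % 2 == 1
        shift = 4.0 if is_attack else 0.0
        vec = [rng.gauss(shift, 1.0), rng.gauss(shift, 1.0)]
        vec += [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES - 2)]
        records.append((vec, is_attack))
    return records


def centroid(vectors, mask):
    """Mean of the selected features over a set of vectors; also returns the columns."""
    cols = [i for i, keep in enumerate(mask) if keep]
    return [sum(v[i] for v in vectors) / len(vectors) for i in cols], cols


def fitness(mask, train, test, penalty=0.02):
    """Detection rate minus false-alarm rate, minus a small penalty per feature kept."""
    if not any(mask):
        return -1.0  # an empty feature subset cannot classify anything
    c_norm, cols = centroid([v for v, a in train if not a], mask)
    c_att, _ = centroid([v for v, a in train if a], mask)
    tp = fn = fp = tn = 0
    for vec, is_attack in test:
        sub = [vec[i] for i in cols]
        flagged = math.dist(sub, c_att) < math.dist(sub, c_norm)
        if is_attack:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    detection_rate = tp / (tp + fn)
    false_alarm_rate = fp / (fp + tn)
    return detection_rate - false_alarm_rate - penalty * sum(mask)


def select_parent(population, scores, rng):
    """Fitness-proportional (roulette) selection: higher fitness, higher chance."""
    weights = [max(s + 1.0, 1e-6) for s in scores]  # shift so every weight is positive
    return rng.choices(population, weights=weights, k=1)[0]


def ga_feature_selection(train, test, n=20, generations=30,
                         p_cross=0.8, p_mut=0.05, seed=1):
    rng = random.Random(seed)
    # step 1): g = 0, initial population of n individuals (bit masks over features);
    # the all-features mask is seeded so the result is never worse than using everything
    population = [[1] * N_FEATURES]
    population += [[rng.randint(0, 1) for _ in range(N_FEATURES)] for _ in range(n - 1)]
    for _g in range(generations):
        scores = [fitness(m, train, test) for m in population]      # step 2)
        best = max(zip(scores, population))[1]
        new_pop = [list(best)]                                        # elitism (assumption)
        while len(new_pop) < n:                                       # step 3)
            p1 = select_parent(population, scores, rng)
            p2 = select_parent(population, scores, rng)
            if rng.random() < p_cross:
                cut = rng.randint(1, N_FEATURES - 1)                  # one-point crossover
                c1, c2 = p1[:cut] + p2[cut:], p2[:cut] + p1[cut:]
            else:
                c1, c2 = list(p1), list(p2)  # no crossover: exact copies of the parents
            for child in (c1, c2):
                for locus in range(N_FEATURES):
                    if rng.random() < p_mut:                          # mutation per locus
                        child[locus] ^= 1
                new_pop.append(child)
        population = new_pop[:n]                                      # step 4): P(g+1)
    # step 5): termination by generation count; return the best individual
    scores = [fitness(m, train, test) for m in population]
    best_score, best_mask = max(zip(scores, population))
    return best_mask, best_score


def run_demo(seed=7):
    """Build constructed data, run the GA, return (mask, score, score with all features)."""
    rng = random.Random(seed)
    train, test = make_records(rng), make_records(rng)
    mask, score = ga_feature_selection(train, test)
    return mask, score, fitness([1] * N_FEATURES, train, test)


if __name__ == "__main__":
    mask, score, baseline = run_demo()
    print("selected features:", [i for i, k in enumerate(mask) if k],
          "fitness:", round(score, 3), "all-features fitness:", round(baseline, 3))
```

Because the all-features mask is in the initial population and the best individual is carried over unchanged each generation, the returned fitness can never fall below that of using every feature; on the constructed data the selected mask keeps the two informative features and drops most of the noise, which is the effect the description attributes to this step (shorter training and monitoring time).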
The original cloud rules can be corrected and updated from the results of the above steps, improving the adaptability of intrusion detection to the current network environment.
The specific steps of the uncertainty reasoning in Step 6 are as follows:
Step 1: for a set of unknown intrusion feature vectors (X1, X2, …, Xn) obtained after data preprocessing, each Xi activates a rule according to the 3En rule: |Ex − Xi| < 3En;
Step 2: for each activated rule, the forward cloud generator infers and outputs a cloud drop drop(xi, yi);
Step 3: from the cloud drops drop(x1, y1), …, (xn, yn), the backward cloud generator obtains the numerical characteristics of the virtual cloud: Exij, Enij, Heij;
Step 4: xi is then substituted into the virtual cloud to obtain its certainty degree;
Step 5: Steps 2 to 5 are repeated for each xi to obtain the corresponding certainty degree of each;
Step 6: the intrusion type is determined by the principle of maximum certainty degree.
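The six-step uncertainty reasoning above (stated in both the summary and this embodiment), as an added worked example that is not the patent's own code. It implements the standard cloud-model generators: the forward generator samples a drop (x, y) from a cloud (Ex, En, He), the backward generator estimates (Ex, En, He) from drops, and the certainty degree of a value is read off the expectation curve. The rule base with one cloud per attack type and feature, the feature values, the number of drops per rule, and the arithmetic mean used to combine per-feature certainties into one score per attack type are this example's own assumptions.

```python
# Added example (not the patent's own code): the six-step uncertainty reasoning
# with forward and backward cloud generators. The rule base, feature values and
# the per-type combination of certainties are this example's own assumptions.
import math
import random


def forward_cloud_drop(ex, en, he, rng):
    """Forward cloud generator: one drop (x, y) from the cloud (Ex, En, He)."""
    en_prime = rng.gauss(en, he)            # entropy perturbed by the hyper-entropy
    x = rng.gauss(ex, abs(en_prime))
    y = math.exp(-((x - ex) ** 2) / (2 * en_prime ** 2)) if en_prime else 1.0
    return x, y


def sample_drops(ex, en, he, count, seed=0):
    """Convenience wrapper: `count` drops from one cloud with a fixed seed."""
    rng = random.Random(seed)
    return [forward_cloud_drop(ex, en, he, rng) for _ in range(count)]


def backward_cloud(drops):
    """Backward cloud generator: estimate (Ex, En, He) from drops (x, y)."""
    xs = [x for x, _ in drops]
    m = len(xs)
    ex = sum(xs) / m
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in xs) / m
    var = sum((x - ex) ** 2 for x in xs) / (m - 1)
    he = math.sqrt(abs(var - en ** 2))
    return ex, en, he


def certainty(x, ex, en):
    """Certainty degree of x in the cloud (Ex, En): height of the expectation curve."""
    return math.exp(-((x - ex) ** 2) / (2 * en ** 2))


# Constructed qualitative cloud rules: per attack type, one cloud (Ex, En, He)
# per feature of the intrusion feature vector (feature 0: SYN packets per
# second, feature 1: distinct destination ports touched). Illustrative only.
RULES = {
    "DOS":   [(900.0, 80.0, 8.0), (3.0, 1.0, 0.1)],
    "PROBE": [(40.0, 10.0, 1.0), (200.0, 30.0, 3.0)],
}


def infer_intrusion_type(features, rules=RULES, drops_per_rule=500, seed=1):
    """Return (attack type with the highest certainty, per-type certainties)."""
    rng = random.Random(seed)
    result = {}
    for attack, clouds in rules.items():
        degrees = []
        for x_i, (ex, en, he) in zip(features, clouds):          # Step 5: every Xi
            if not abs(ex - x_i) < 3 * en:                          # Step 1: 3En rule
                continue
            drops = [forward_cloud_drop(ex, en, he, rng)            # Step 2: drops
                     for _ in range(drops_per_rule)]
            v_ex, v_en, _v_he = backward_cloud(drops)               # Step 3: virtual cloud
            degrees.append(certainty(x_i, v_ex, v_en))              # Step 4: certainty
        if degrees:
            result[attack] = sum(degrees) / len(degrees)            # combine (assumption)
    if not result:
        return None, result          # no rule activated: type remains unknown
    return max(result, key=result.get), result                      # Step 6: maximum


if __name__ == "__main__":
    for vec in ([850.0, 2.5], [45.0, 190.0], [5000.0, 5000.0]):
        print(vec, "->", infer_intrusion_type(vec))
```

A vector that falls within 3En of no rule at all activates nothing and is returned as unknown rather than forced into the nearest type; that is the case the description routes back into the cloud rule database for updating in Step 7.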
Step 7: the intrusion feature vector is sent to the original cloud rule database, which is corrected and updated into a new cloud rule database;
Step 8: the intrusion feature vector is sent to the statistical analysis unit, which judges from the log records of the intrusion feature vector whether a network intrusion has occurred, sends the judgement to the intrusion detection engine unit and the event processing unit, and at the same time sends the data of the intrusion feature vector to the cognitive rule base for updating;
In Step 8 the statistical analysis processing unit measures n variable values at any given moment and infers whether an intrusion has occurred in the system. Each variable Ni (i = 1, 2, …, n) represents a characteristic of a different aspect of the system, such as the number of SYN packets, the number of failed user logins, CPU utilisation and network traffic, and Mi (i = 1, 2, …, n) is the predicted expected value of that variable under normal conditions. The detection function defined at time t is:
where λi > 0 is a weight expressing importance, i.e. sensitivity. The smaller F(t), the closer the communication process is to normal; when F(t) exceeds a preset threshold, a network intrusion is considered to have occurred.
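The Step 8 statistical check, as an added worked example that is not the patent's own code. The page does not reproduce the detection function itself, so this example assumes the form F(t) = Σ λi · |Ni(t) − Mi| / Mi, i.e. a weighted sum of relative deviations of the measured variables Ni from their normal expectations Mi, and takes each Mi as the mean of a baseline window of normal samples. The weights λi, the threshold, the four monitored variables and the sample measurements are all constructed for illustration.

```python
# Added example (not the patent's own code): the Step 8 statistical check over
# constructed measurements. The page does not give the formula, so this example
# ASSUMES F(t) = sum_i lambda_i * |N_i(t) - M_i| / M_i with M_i the mean of a
# baseline window; weights, threshold and sample values are assumptions too.
VARIABLES = ("syn_packets", "failed_logins", "cpu_percent", "net_mbps")

# lambda_i > 0: importance (sensitivity) of each variable; constructed values
LAMBDA = {"syn_packets": 1.0, "failed_logins": 2.0, "cpu_percent": 0.5, "net_mbps": 1.0}

# Constructed baseline window of normal operation (one dict per sampling instant)
BASELINE = [
    {"syn_packets": 100, "failed_logins": 2, "cpu_percent": 30, "net_mbps": 50},
    {"syn_packets": 120, "failed_logins": 1, "cpu_percent": 34, "net_mbps": 48},
    {"syn_packets": 110, "failed_logins": 3, "cpu_percent": 32, "net_mbps": 52},
    {"syn_packets": 90,  "failed_logins": 2, "cpu_percent": 28, "net_mbps": 46},
]


def expected_values(window):
    """M_i: expected value of each variable under normal conditions (window mean)."""
    return {v: sum(s[v] for s in window) / len(window) for v in VARIABLES}


def detection_function(sample, m, lam=LAMBDA):
    """F(t) and the per-variable terms; the smaller F(t), the closer to normal."""
    terms = {v: lam[v] * abs(sample[v] - m[v]) / m[v] for v in VARIABLES}
    return sum(terms.values()), terms


def judge(sample, window=BASELINE, threshold=3.0):
    """Intrusion is declared when F(t) exceeds the preset threshold."""
    m = expected_values(window)
    f, terms = detection_function(sample, m)
    dominant = max(terms, key=terms.get)   # which variable drove the score
    return {"F": f, "intrusion": f > threshold, "dominant": dominant}


# Constructed observations: a quiet period, a SYN flood and a login brute force
NORMAL_SAMPLE = {"syn_packets": 115, "failed_logins": 2, "cpu_percent": 33, "net_mbps": 51}
FLOOD_SAMPLE = {"syn_packets": 2100, "failed_logins": 2, "cpu_percent": 90, "net_mbps": 400}
LOGIN_SAMPLE = {"syn_packets": 105, "failed_logins": 60, "cpu_percent": 31, "net_mbps": 49}

if __name__ == "__main__":
    for name, s in (("normal", NORMAL_SAMPLE), ("flood", FLOOD_SAMPLE), ("logins", LOGIN_SAMPLE)):
        print(name, judge(s))
```

Reporting the dominant term alongside F(t) costs nothing and tells the event processing unit which aspect of the system tripped the threshold, which is what an operator needs when deciding whether cutting the network (Step 10) is the right response.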
Step 9: the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement from the statistical analysis unit, and sends an instruction to the event processing unit;
Step 10: on receiving the instructions from the intrusion detection engine unit and the statistical analysis unit, the event processing unit raises an alarm and cuts off the network.
Unlike a traditional intrusion detection system, the cognitively capable intrusion detection system for cloud computing (CIDCC) no longer uses one-to-one matching, in which a single feature match activates one rule; instead, an input intrusion feature vector activates several qualitative cloud intrusion rules, the cloud cognitive inference engine carries out associative reasoning under uncertainty, and the resulting judgement is output to the intrusion detection engine for decision and response.
Once a network connection begins, the intrusion detection system inside the network firewall intercepts the data stream in the network and preprocesses it, i.e. collects the data stream and generates packet files in a given format. The preprocessed data stream then undergoes packet detection in the packet detection module.
In the data set provided by the cognitive rule base, attacks fall into four main classes: DOS, PROBE, R2L and U2R. The DOS class includes the intrusion types land, Neptune, pod and teardrop; the PROBE class includes nmap, portsweep, satan, mscan and ipsweep. The cognitive rule base is used to judge whether a data stream is a known form of attack. For known attacks an attack signature conforming to given rules is created, consisting of the following parts: handling action (Assert: warn; Disconnect: cut the connection; Track: record and follow), transport layer protocol type (TCP, UDP), application layer protocol type (FTP, HTTP, SSH, Telnet), port number, IP address range, remark information (Message) and so on. The experiment used 1% of the whole data set (50,000 connection records in total); to keep execution efficient, 100,000 records were randomly selected as the training and test sets. The training samples contain only the DOS, PROBE and R2L classes; a further 20,000 records from the remaining data were selected for testing, containing both the attack types present in the training set and attack types that do not appear in it.
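The signature matching performed by the packet detection unit (described in the cognitive detection module above and in this paragraph), as an added worked example that is not the patent's own code. A signature carries the parts the text lists: handling action (Assert, Disconnect, Track), transport protocol, application protocol, port number, IP address range and a message. A preprocessed record that matches no signature is returned as unknown, which is the Step 4 hand-off to the cloud inference module. The record layout, the first-match rule order, and the signatures and sample records are this example's own assumptions.

```python
# Added example (not the patent's own code): matching preprocessed packet
# records against attack signatures of the form described above. Signatures,
# sample records, the record layout and first-match ordering are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    action: str                     # "Assert" (warn), "Disconnect" or "Track"
    transport: str                  # "TCP" or "UDP"
    app_proto: str                  # "FTP", "HTTP", "SSH", "Telnet"
    port: Optional[int]             # None matches any destination port
    ip_range: ipaddress.IPv4Network  # source address range the rule applies to
    message: str                    # remark information


# Constructed rule base (addresses from documentation ranges; illustrative only)
RULE_BASE = [
    Signature("Disconnect", "TCP", "SSH", 22,
              ipaddress.ip_network("203.0.113.0/24"), "repeated SSH failures from watched range"),
    Signature("Track", "TCP", "HTTP", 80,
              ipaddress.ip_network("198.51.100.0/24"), "web scanner fingerprint"),
    Signature("Assert", "UDP", "FTP", None,
              ipaddress.ip_network("0.0.0.0/0"), "FTP over UDP is never legitimate here"),
]


def matches(sig, record):
    """True when every part of the signature agrees with the preprocessed record."""
    if sig.transport != record["transport"] or sig.app_proto != record["app_proto"]:
        return False
    if sig.port is not None and sig.port != record["dst_port"]:
        return False
    return ipaddress.ip_address(record["src_ip"]) in sig.ip_range


def inspect(record, rule_base=RULE_BASE):
    """First matching signature as (action, message); None means 'no rule matched'."""
    for sig in rule_base:            # first match wins (ordering is an assumption)
        if matches(sig, record):
            return sig.action, sig.message
    return None                      # Step 4: pass to the cloud inference module


def classify_batch(records, rule_base=RULE_BASE):
    """Split records into known (with their verdict) and unknown (for inference)."""
    known, unknown = [], []
    for r in records:
        hit = inspect(r, rule_base)
        if hit:
            known.append((r, hit))
        else:
            unknown.append(r)
    return known, unknown


# Constructed preprocessed records (one per connection)
SAMPLE_RECORDS = [
    {"src_ip": "203.0.113.7", "dst_port": 22, "transport": "TCP", "app_proto": "SSH"},
    {"src_ip": "198.51.100.9", "dst_port": 80, "transport": "TCP", "app_proto": "HTTP"},
    {"src_ip": "192.0.2.5", "dst_port": 23, "transport": "TCP", "app_proto": "Telnet"},
    {"src_ip": "192.0.2.8", "dst_port": 2121, "transport": "UDP", "app_proto": "FTP"},
]

if __name__ == "__main__":
    known, unknown = classify_batch(SAMPLE_RECORDS)
    for record, (action, message) in known:
        print(action, record["src_ip"], "->", message)
    print("unknown records for cloud inference:", len(unknown))
```

The Telnet record from 192.0.2.5 matches nothing and is the kind of input that, in the method above, leaves the signature path and goes to the cloud cognitive inference engine; the signature path itself only ever answers "known, with this action" or "not known".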
The detection results confirm that the system detects both unknown and known attacks well; for known and unknown attacks alike, the new model proposed here achieves a higher ROC score than the traditional intrusion detection model. The cloud-computing-based cognitive intrusion monitoring model also has the following advantages: first, the genetic algorithm optimises the feature vectors, so that the required training and monitoring time is shorter than with other methods; second, its real-time online detection capability is stronger; finally, it makes full use of the cloud's capacity for large-scale parallel computation and large-volume data processing, greatly increasing computing power and making the system more secure and efficient.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710096368.6A (granted as CN107040517B) | 2017-02-22 | 2017-02-22 | Cognitive intrusion detection method oriented to cloud computing environment |
| Publication Number | Publication Date |
|---|---|
| CN107040517A | 2017-08-11 |
| CN107040517B | 2020-01-10 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710096368.6AActiveCN107040517B (en) | 2017-02-22 | 2017-02-22 | Cognitive intrusion detection method oriented to cloud computing environment |
| Country | Link |
|---|---|
| CN (1) | CN107040517B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030113727A1 (en)* | 2000-12-06 | 2003-06-19 | Girn Kanwaljit Singh | Family history based genetic screening method and apparatus |
| CN101924762A (en)* | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | Active defense method based on cloud security |
| CN102111420A (en)* | 2011-03-16 | 2011-06-29 | 上海电机学院 | Intelligent NIPS framework based on dynamic cloud/fire wall linkage |
| CN102123396A (en)* | 2011-02-14 | 2011-07-13 | 恒安嘉新(北京)科技有限公司 | Cloud detection method of virus and malware of mobile phone based on communication network |
| CN102663284A (en)* | 2012-03-21 | 2012-09-12 | 南京邮电大学 | Malicious code identification method based on cloud computing |
| CN102724176A (en)* | 2012-02-23 | 2012-10-10 | 北京市计算中心 | Intrusion detection system facing cloud calculating environment |
| CN104753920A (en)* | 2015-03-01 | 2015-07-01 | 江西科技学院 | Quantum genetic algorithm based intrusion detection method |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107623691A (en)* | 2017-09-29 | 2018-01-23 | 长沙市智为信息技术有限公司 | A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm |
| CN107612948A (en)* | 2017-11-08 | 2018-01-19 | 国网四川省电力公司信息通信公司 | A kind of intrusion prevention system and method |
| CN107835201A (en)* | 2017-12-14 | 2018-03-23 | 华中师范大学 | Network attack detecting method and device |
| CN107992746A (en)* | 2017-12-14 | 2018-05-04 | 华中师范大学 | Malicious act method for digging and device |
| CN107992746B (en)* | 2017-12-14 | 2021-06-25 | 华中师范大学 | Malicious behavior mining method and device |
| CN108183902B (en)* | 2017-12-28 | 2021-10-22 | 北京奇虎科技有限公司 | Method and device for identifying malicious website |
| CN108183902A (en)* | 2017-12-28 | 2018-06-19 | 北京奇虎科技有限公司 | A kind of recognition methods of malicious websites and device |
| CN109756478A (en)* | 2018-11-28 | 2019-05-14 | 国网江苏省电力有限公司南京供电分公司 | A multi-level backup blocking method for abnormal industrial control system attacks considering priority |
| CN109547455A (en)* | 2018-12-06 | 2019-03-29 | 南京邮电大学 | Industrial Internet of Things anomaly detection method, readable storage medium storing program for executing and terminal |
| CN110324348A (en)* | 2019-07-08 | 2019-10-11 | 陈浩 | A kind of information security of computer network monitoring system |
| CN110417823A (en)* | 2019-09-25 | 2019-11-05 | 广东电网有限责任公司佛山供电局 | A kind of communication network intrusion detection method based on embedded feature selecting framework |
| CN110417823B (en)* | 2019-09-25 | 2020-04-14 | 广东电网有限责任公司佛山供电局 | Communication network intrusion detection method based on embedded feature selection architecture |
| CN112653651A (en)* | 2019-10-11 | 2021-04-13 | 四川无国界信息技术有限公司 | Vulnerability mining method based on cloud computing |
| CN112866175A (en)* | 2019-11-12 | 2021-05-28 | 华为技术有限公司 | Method, device, equipment and storage medium for reserving abnormal traffic types |
| CN112866175B (en)* | 2019-11-12 | 2022-08-19 | 华为技术有限公司 | Method, device, equipment and storage medium for reserving abnormal traffic types |
| CN112699219A (en)* | 2020-12-30 | 2021-04-23 | 平安证券股份有限公司 | Log searching method and device |
| CN113065127A (en)* | 2021-02-24 | 2021-07-02 | 山东英信计算机技术有限公司 | A database protection method, system and medium |
| CN113065127B (en)* | 2021-02-24 | 2022-09-20 | 山东英信计算机技术有限公司 | A database protection method, system and medium |
| CN114154160A (en)* | 2022-02-08 | 2022-03-08 | 中国电子信息产业集团有限公司第六研究所 | Container cluster monitoring method and device, electronic equipment and storage medium |
| CN114154160B (en)* | 2022-02-08 | 2022-09-16 | 中国电子信息产业集团有限公司第六研究所 | Container cluster monitoring method and device, electronic equipment and storage medium |
| CN115118500A (en)* | 2022-06-28 | 2022-09-27 | 深信服科技股份有限公司 | Attack behavior rule obtaining method and device and electronic equipment |
| CN115118500B (en)* | 2022-06-28 | 2023-11-07 | 深信服科技股份有限公司 | Attack behavior rule acquisition method and device and electronic equipment |
| CN116015760A (en)* | 2022-12-08 | 2023-04-25 | 范晓明 | Cloud computing protection early warning system based on big data |
| CN116168805A (en)* | 2023-01-20 | 2023-05-26 | 北京瑞帆科技有限公司 | Thinking training device and cognitive training system for cognitive training |
| CN117273571A (en)* | 2023-10-12 | 2023-12-22 | 江苏泓鑫科技有限公司 | Intelligent port operation data management system and method based on blockchain |
| CN117273571B (en)* | 2023-10-12 | 2024-04-02 | 江苏泓鑫科技有限公司 | Intelligent port operation data management system and method based on blockchain |
| Publication number | Publication date |
|---|---|
| CN107040517B (en) | 2020-01-10 |
| Publication | Title |
|---|---|
| CN107040517B (en) | Cognitive intrusion detection method oriented to cloud computing environment |
| Bendiab et al. | IoT malware network traffic classification using visual representation and deep learning |
| Bangui et al. | A hybrid machine learning model for intrusion detection in VANET |
| Sriram et al. | Network flow based IoT botnet attack detection using deep learning |
| Yu et al. | An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks |
| Sherazi et al. | DDoS attack detection: A key enabler for sustainable communication in internet of vehicles |
| Soe et al. | Rule generation for signature based detection systems of cyber attacks in IoT environments |
| Haddadi et al. | Benchmarking the effect of flow exporters and protocol filters on botnet traffic classification |
| Haddadi et al. | Botnet behaviour analysis using IP flows: with HTTP filters using classifiers |
| Le et al. | Data analytics on network traffic flows for botnet behaviour detection |
| CN113206860B (en) | A DRDoS attack detection method based on machine learning and feature selection |
| CN114143037B (en) | Malicious encrypted channel detection method based on process behavior analysis |
| CN104486141A (en) | Misdeclaration self-adapting network safety situation predication method |
| Gandhi et al. | Comparing machine learning and deep learning for IoT botnet detection |
| Al-Obeidat et al. | Hybrid multicriteria fuzzy classification of network traffic patterns, anomalies, and protocols |
| Ma et al. | DDoS detection for 6G Internet of Things: Spatial-temporal trust model and new architecture |
| Pan et al. | Anomaly based intrusion detection for building automation and control networks |
| Shi et al. | Three-layer hybrid intrusion detection model for smart home malicious attacks |
| Wang et al. | A deep reinforcement learning based intrusion detection strategy for smart vehicular networks |
| CN114978667A (en) | SDN network DDoS attack detection method based on graph neural network |
| Rahal et al. | Antibotv: A multilevel behaviour-based framework for botnets detection in vehicular networks |
| Yuan et al. | Towards lightweight and efficient distributed intrusion detection framework |
| Palekar et al. | IoT authentication model with optimized deep Q network for attack detection and mitigation |
| Thamaraimanalan et al. | ANFIS-based multilayered algorithm for botnet detection |
| Lu et al. | Botnets detection based on IRC-community |
| Code | Title | Description |
|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: Yuen Road, Qixia District, Nanjing City, Jiangsu Province, No. 9, 210023. Applicant after: Nanjing Post & Telecommunication Univ. Address before: 210003 Gulou District, Nanjing, Jiangsu, new model road, No. 66. Applicant before: Nanjing Post & Telecommunication Univ. |
| GR01 | Patent grant | |