Summary of the invention
To change this situation, one effective approach is to start from deep learning and analysis of network behaviour, detecting abnormal network behaviour intelligently and in real time so as to defend effectively against the latest network attacks.
It is an object of the present invention to solve at least the above problems and/or defects, and to provide at least the advantages described later.
A still further object of the present invention is to provide a security gateway based on intelligent behaviour analysis.
A further object of the present invention is to provide a security protection system comprising the security gateway based on intelligent behaviour analysis.
To this end, the technical solution provided by the invention is as follows:
A security gateway based on intelligent behaviour analysis, comprising:
a flow parameter extraction function module, which calculates the behaviour pattern parameters of the user's network flows by real-time sampling;
a user behaviour intelligent analysis module, communicatively connected with the flow parameter extraction function module;
an application intelligent recognition and traffic control function module, which, based on the user behaviour intelligent analysis module, performs intelligent protocol identification on mainstream application protocols and realizes refined application traffic control at three levels: per interface/region, per address group/user group, and per IP/per user.
Preferably, the security gateway based on intelligent behaviour analysis further includes:
an anti-DDoS attack function module, implementing a seven-level defence system of protocol anomaly detection, source address authenticity verification, black and white lists, rate anomaly detection, access control, feature anomaly detection and traffic control;
an intrusion detection and defence function module; the security gateway has a built-in network intrusion behaviour feature library, and the intrusion detection and defence module also automatically generates defence policies according to independent IPS rules set for the client's real network, defending intelligently against network intrusions;
a network visualization management function module, which provides a graphical network management system that automatically generates, on selection, a variety of views and statistical reports, including views and reports of interface traffic, traffic trends, session monitoring, system status, event statistics, sessions and Anti-DDoS.
Preferably, the security gateway based on intelligent behaviour analysis further includes a content filtering function module and an identity authentication function module.
Preferably, in the security gateway based on intelligent behaviour analysis, the behaviour pattern parameters include connection direction, source IP, destination IP, source port, destination port, protocol number, per-IP connection count, connection rate, packet rate, URL, control command and operation frequency.
A security protection system comprising the security gateway based on intelligent behaviour analysis, comprising:
an intelligent cloud security centre, deployed in the cloud;
the security gateway, deployed at the client;
wherein the security gateway and the intelligent cloud security centre are linked in real time: the security gateway transmits the user network traffic behaviour pattern parameters it extracts from the network to the intelligent cloud security centre and executes in real time the defence instructions issued by the intelligent cloud security centre; the intelligent cloud security centre performs deep learning and security analysis on the network traffic feature pattern parameters, produces defence instructions based on the risk quantification result for abnormal behaviour, and issues them to the security gateway.
Preferably, the security protection system based on intelligent behaviour analysis further includes the following:
the intelligent cloud security centre receives the user network traffic behaviour pattern parameters uploaded from the security gateway, quantizes them in real time to generate vector data, draws a network behaviour surface chart, and establishes a network behaviour vector coordinate system;
the intelligent cloud security centre, according to the behaviour parameters of secured network traffic, statistically induces the minimal set of business network behaviours and generates a business network security white environment;
the intelligent cloud security centre differences the live network behaviour vectors against the business network security white environment, distinguishes abnormal network behaviours and their vector parameters according to probability and a security threshold, and establishes a network behaviour anomaly index system;
the intelligent cloud security centre generates defence instructions according to the key elements of the abnormal network behaviour and issues them to the security gateway, which executes the defence action; the key elements include source IP, source port, destination IP, destination port, protocol and application content keywords.
Preferably, in the security protection system based on intelligent behaviour analysis, during establishment of the network behaviour anomaly index system the intelligent cloud security centre also uses a neural network algorithm to learn the network users' traffic data automatically, combines this with the user's business network security white environment and limited supervised learning to generate a security baseline coordinate system, and on that basis quantifies the anomalies and deviations of the detected user behaviour, calculates the user network behaviour risk value, and establishes the network behaviour anomaly index system.
Preferably, in the security protection system based on intelligent behaviour analysis, the deep learning method combined with the security white environment includes: the intelligent cloud security centre first collects, merges and filters the user network traffic behaviour pattern parameters and asset states, then parses them and produces a behaviour description, and then performs business analysis; if the behaviour is normal behaviour it is included in the security white environment and recorded as a white rule; if the behaviour is abnormal it is classified as abnormal behaviour;
if the behaviour is unknown it is classified as grey behaviour, and the collection, merging and filtering steps are performed again, followed in turn by the subsequent steps.
Preferably, in the security protection system based on intelligent behaviour analysis, the intelligent cloud end and the security gateway realize real-time linkage through an API interface.
The present invention applies the way of thinking of neural network learning and risk measurement to a network security gateway product for the first time, and its cloud-plus-endpoint linkage security mechanism is also an innovation over the isolated island of single-product security technology.
The present invention includes at least the following beneficial effects:
The present invention uses artificial intelligence neural networks and deep learning algorithms to establish a full-information vector model for the user behaviour in the target network, realizing a closed loop of adaptive learning, security baseline, risk quantification, intelligent defence and intelligent security defence, and can effectively detect and defend against abnormal network behaviour and complex network attacks. The technology based on deep intelligent behaviour analysis overcomes the dependence of traditional security products on intrusion feature databases and moves the timing of security defence significantly earlier, so that security defence is synchronous with, or even ahead of, the execution of the attack.
A new generation of security gateway based on this technology has been produced in small batches; it is an innovative security product that applies the latest intelligent algorithms to the network security field, is at the forefront domestically and has considerable novelty. By deploying the gateway at the boundary of large and medium-sized networks, linked in real time with the applicant's intelligent security cloud centre, it can effectively detect and defend against complex network attacks including distributed denial of service attacks (DDoS attacks), advanced persistent attacks (APT attacks) and zero-day vulnerability attacks (Zero-Day attacks), and can be widely applied to classified networks such as government, army and military industry networks, and to commercial networks such as those of finance, telecommunications, enterprises and institutions, safeguarding China's network security.
The present invention has been successfully deployed to more than ten large and medium-sized networks, generating direct economic benefits of more than 13,000,000 and indirect economic benefits of about 30,000,000; the expected future economic benefit exceeds 100,000,000.
The invention is a novel application of artificial intelligence technology in the network security field; it will greatly promote the progress of a new generation of intelligent network security technology and contribute to China's network security strategy, the Internet+ action strategy and the region's transformation to a high-end industrial strategy.
The invention is suitable for the security detection of most network flows and can achieve an accuracy rate of 80% or more in real network tests.
Further advantages, objects and features of the invention will be partly reflected by the following description and partly understood by those skilled in the art through research and practice of the invention.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the accompanying drawings, so that those skilled in the art can implement it with reference to the text of the specification.
It should be understood that terms such as "having", "comprising" and "including" used herein do not exclude the presence or addition of one or more other elements or combinations thereof.
Conventional security gateways rely heavily on known attack feature databases and can only detect known threats and attacks; against emerging advanced attacks such as APT and 0-Day attacks, and unknown risks hidden in normal traffic, they are helpless, so that traditional security products fail or security defence measures lag behind the network attack. To change this situation, one effective approach is to start from deep learning and analysis of network behaviour, detecting abnormal network behaviour intelligently and in real time so as to defend effectively against the latest network attacks.
With the development of data analysis technology and artificial intelligence technology and their large-scale application in different industries, the use of big data analysis and artificial intelligence in attack detection to counter advanced persistent attacks such as APT is an approach that security vendors increasingly call for. This technology can overcome the difficulty that traditional anomaly detection technology cannot establish an effective security model, and can also improve the accuracy of complex attack detection by integrating a variety of security technologies such as security policy, security audit and access control; it is the development trend of future attack detection and defence products.
As shown in Figure 5, the present invention provides a security gateway based on intelligent behaviour analysis, comprising:
a flow parameter extraction function module, which calculates the behaviour pattern parameters of the user's network flows by real-time sampling; preferably, the behaviour pattern parameters include connection direction, source IP, destination IP, source port, destination port, protocol number, per-IP connection count, connection rate, packet rate, URL, control command and operation frequency;
a user behaviour intelligent analysis module, communicatively connected with the flow parameter extraction function module;
an application intelligent recognition and traffic control function module, which, based on the user behaviour intelligent analysis module, performs intelligent protocol identification on mainstream application protocols and realizes refined application traffic control at three levels: per interface/region, per address group/user group, and per IP/per user.
In the above scheme, preferably, the security gateway further includes:
an anti-DDoS attack function module, implementing a seven-level defence system of protocol anomaly detection, source address authenticity verification, black and white lists, rate anomaly detection, access control, feature anomaly detection and traffic control;
an intrusion detection and defence function module; the security gateway has a built-in network intrusion behaviour feature library, and the intrusion detection and defence module also automatically generates defence policies according to independent IPS rules set for the client's real network, defending intelligently against network intrusions;
a network visualization management function module, which provides a graphical network management system that automatically generates, on selection, a variety of views and statistical reports, including views and reports of interface traffic, traffic trends, session monitoring, system status, event statistics, sessions and Anti-DDoS.
In the above scheme, preferably, the security gateway further includes a content filtering function module and an identity authentication function module.
As shown in Figure 1, the present invention also provides a security protection system comprising the security gateway based on intelligent behaviour analysis, comprising:
an intelligent cloud security centre, deployed in the cloud;
the security gateway, deployed at the client;
wherein the security gateway and the intelligent cloud security centre are linked in real time: the security gateway transmits the user network traffic behaviour pattern parameters it extracts from the network to the intelligent cloud security centre and executes in real time the defence instructions issued by the intelligent cloud security centre; the intelligent cloud security centre performs deep learning and security analysis on the network traffic feature pattern parameters, produces defence instructions based on the risk quantification result for abnormal behaviour, and issues them to the security gateway.
The architecture of the invention consists of two parts: the intelligent cloud security centre and the security gateway. By deploying the intelligent cloud security centre in the cloud and linking it in real time with the security gateway deployed in the client network, intelligent detection and real-time defence are carried out. The security protection gateway is responsible for extracting user behaviour data from the network and transmitting it to the cloud intelligent security centre, and for executing in real time the defence instructions issued by the intelligent cloud security centre; the intelligent cloud security centre is responsible for deep learning and security analysis of the network behaviour data, and produces defence instructions based on the risk quantification results for abnormal behaviour, which it issues to the security defence gateway.
The intelligent analysis technology based on user network behaviour used in the present invention requires no feature database at all: by constructing a dynamically self-adaptive traffic security vector model, it monitors in real time the network behaviour anomaly index system constituted by dozens of traffic security parameters, monitoring and defending in real time against various hidden network attacks and completely removing the dependence on known attack feature databases. Determining abnormal behaviour through adaptive deep learning rather than manual definition is a breakthrough in detection method and principle.
In the above scheme, preferably, the security protection system further includes the following:
the intelligent cloud security centre receives the user network traffic behaviour pattern parameters uploaded from the security gateway, quantizes them in real time to generate vector data, draws a network behaviour surface chart, and establishes a network behaviour vector coordinate system;
the intelligent cloud security centre, according to the behaviour parameters of secured network traffic, statistically induces the minimal set of business network behaviours and generates a business network security white environment;
the intelligent cloud security centre differences the live network behaviour vectors against the business network security white environment, distinguishes abnormal network behaviours and their vector parameters according to probability and a security threshold, and establishes a network behaviour anomaly index system;
the intelligent cloud security centre generates defence instructions according to the key elements of the abnormal network behaviour and issues them to the security gateway, which executes the defence action; the key elements include source IP, source port, destination IP, destination port, protocol and application content keywords.
In the above scheme, preferably, in the security protection system, during establishment of the network behaviour anomaly index system the intelligent cloud security centre also uses a neural network algorithm to learn the network users' traffic data automatically, combines this with the user's business network security white environment and limited supervised learning to generate a security baseline coordinate system, and on that basis quantifies the anomalies and deviations of the detected user behaviour, calculates the user network behaviour risk value, and establishes the network behaviour anomaly index system.
In the above scheme, preferably, in the security protection system, the deep learning method combined with the security white environment includes: the intelligent cloud security centre first collects, merges and filters the user network traffic behaviour pattern parameters and asset states, then parses them and produces a behaviour description, and then performs business analysis; if the behaviour is normal behaviour it is included in the security white environment and recorded as a white rule; if the behaviour is abnormal it is classified as abnormal behaviour;
if the behaviour is unknown it is classified as grey behaviour, and the collection, merging and filtering steps are performed again, followed in turn by the subsequent steps.
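The collect/merge/filter, describe, and business-analysis loop described above, written out as an added example; this is not the patent's code. The asset inventory, the black list, and the operator feedback table are constructed stand-ins for the asset state and the limited supervision the text mentions, and the "business analysis" rule (a declared service on a known asset is normal, a black-listed source is abnormal, everything else is unknown) is an assumption chosen to make the grey re-collection loop visible.

```python
"""Added example: white-rule / abnormal / grey triage loop (not the patent's code)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Observation:
    """One collected behaviour record (constructed format)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP


@dataclass
class WhiteEnvironment:
    white_rules: set = field(default_factory=set)     # normal behaviour descriptions
    abnormal: set = field(default_factory=set)        # abnormal behaviour descriptions
    grey: Counter = field(default_factory=Counter)    # unknown description -> times re-collected


def collect_merge_filter(records, ignore_sources=frozenset()) -> Counter:
    """Step 1: merge repeated observations and drop sources excluded from learning."""
    merged = Counter()
    for r in records:
        if r.src_ip not in ignore_sources:
            merged[r] += 1
    return merged


def describe(obs: Observation) -> tuple:
    """Step 2: parse the observation into a behaviour description tuple."""
    return (obs.src_ip, obs.dst_ip, obs.dst_port, obs.proto)


def business_analysis(desc, assets, blacklist, feedback) -> str:
    """Step 3: return 'normal', 'abnormal' or 'unknown'.

    assets maps an asset IP to the (port, proto) services it is declared to offer
    (the asset state); blacklist is the gateway's black list; feedback holds the
    verdicts an operator supplied for earlier grey behaviours (limited supervision).
    """
    if desc in feedback:
        return feedback[desc]
    src_ip, dst_ip, port, proto = desc
    if src_ip in blacklist:
        return "abnormal"
    if dst_ip in assets and (port, proto) in assets[dst_ip]:
        return "normal"
    return "unknown"


def learning_round(env, records, assets, blacklist, feedback, ignore_sources=frozenset()):
    """One pass of the procedure; returns the grey observations to collect again."""
    to_recollect = []
    for obs, count in collect_merge_filter(records, ignore_sources).items():
        desc = describe(obs)
        verdict = business_analysis(desc, assets, blacklist, feedback)
        if verdict == "normal":
            env.white_rules.add(desc)          # recorded as a white rule
            env.grey.pop(desc, None)
        elif verdict == "abnormal":
            env.abnormal.add(desc)
            env.grey.pop(desc, None)
        else:
            env.grey[desc] += count            # grey: goes back to step 1
            to_recollect.append(obs)
    return to_recollect


def run_learning(records, assets, blacklist, feedback_by_round, max_rounds=3):
    """Repeat rounds on the grey remainder, applying operator feedback as it arrives."""
    env = WhiteEnvironment()
    feedback = {}
    pending = list(records)
    for rnd in range(max_rounds):
        feedback.update(feedback_by_round.get(rnd, {}))
        pending = learning_round(env, pending, assets, blacklist, feedback)
        if not pending:
            break
    return env


# Constructed inputs: a small asset inventory, one black-listed address and five records.
ASSETS = {"10.0.0.10": {(80, 6), (443, 6)}, "10.0.0.53": {(53, 17)}}
BLACKLIST = {"198.51.100.99"}
RECORDS = [
    Observation("10.0.0.5", "10.0.0.10", 443, 6),
    Observation("10.0.0.5", "10.0.0.10", 443, 6),       # duplicate, merged in step 1
    Observation("10.0.0.5", "10.0.0.53", 53, 17),
    Observation("198.51.100.99", "10.0.0.10", 443, 6),  # black-listed source -> abnormal
    Observation("10.0.0.5", "10.0.0.77", 8443, 6),      # asset not in inventory -> grey
]
GREY_DESC = ("10.0.0.5", "10.0.0.77", 8443, 6)

if __name__ == "__main__":
    # Operator confirms the grey behaviour as normal before the second round.
    print(run_learning(RECORDS, ASSETS, BLACKLIST, {1: {GREY_DESC: "normal"}}))
```

Without feedback the grey behaviour is simply re-collected each round and its count grows, which is the loop the text describes; once feedback arrives it is promoted to a white rule and leaves the grey set.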
In the above scheme, preferably, in the security protection system, the intelligent cloud end and the security gateway realize real-time linkage through an API interface.
In order to enable those skilled in the art to better understand the present invention, the following description is now provided:
The present invention provides a security protection system comprising the security gateway based on intelligent behaviour analysis. As shown in Figure 1, the architecture of the invention consists of two parts: the intelligent cloud security centre and the active security protection gateway. By deploying the intelligent cloud security centre in the cloud and linking it in real time with the security protection gateway deployed in the client network, intelligent detection and real-time defence are carried out. The security protection gateway is responsible for extracting user behaviour data from the network and transmitting it to the cloud intelligent security centre, and for executing in real time the defence instructions issued by the intelligent cloud security centre; the intelligent cloud security centre is responsible for deep learning and security analysis of the network behaviour data, and produces defence instructions based on the risk quantification results for abnormal behaviour, which it issues to the security defence gateway. The overall product structure of the invention is shown in Figures 2, 3 and 4. The functional block diagram of the security gateway product of the invention is shown in Figure 5.
The invention mainly comprises the hardware device of the intelligent gateway and the cloud security analysis platform, and realizes an intelligent security defence platform through the linkage of the cloud and the gateway system.
1. The major functions of the security gateway include:
Flow parameter extraction
The security gateway calculates the behaviour pattern parameters of network flows by real-time sampling, including connection direction, source IP, destination IP, source port, destination port, protocol number, per-IP connection count, connection rate, packet rate, URL, control command and operation frequency, etc.
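As an added example of the flow parameter extraction described here (this is not the patent's or the product's code), the following computes a subset of the listed behaviour pattern parameters from a window of sampled packets: connection direction, protocol number, per-IP connection count, connection rate, packet rate and observed URLs. The packet record format, the protected prefix used to decide direction, and the sample packets are all constructed assumptions; control command and operation frequency are application-specific and are not derived here.

```python
"""Added example: behaviour-pattern parameter extraction from sampled packets (not the patent's code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the protected (client) side of the gateway is this prefix.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """One sampled packet (constructed record format, not a real capture)."""
    ts: float                 # seconds since the start of the sampling window
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int                # IP protocol number: 6 = TCP, 17 = UDP
    url: str | None = None    # URL parsed from an HTTP request, if any


def direction(pkt: Packet) -> str:
    """Connection direction relative to the protected side."""
    src_in = ip_address(pkt.src_ip) in INTERNAL_NET
    dst_in = ip_address(pkt.dst_ip) in INTERNAL_NET
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"


def extract_parameters(packets: list[Packet], window_s: float) -> dict[str, dict]:
    """Per-source-IP behaviour-pattern parameters for one sampling window.

    The connection count is the number of distinct 5-tuples, so repeated packets
    of one connection are not counted twice; rates are normalised to the window.
    """
    flows = defaultdict(set)
    pkts = defaultdict(int)
    dirs = defaultdict(set)
    protos = defaultdict(set)
    urls = defaultdict(set)
    for p in packets:
        flows[p.src_ip].add((p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto))
        pkts[p.src_ip] += 1
        dirs[p.src_ip].add(direction(p))
        protos[p.src_ip].add(p.proto)
        if p.url:
            urls[p.src_ip].add(p.url)
    params = {}
    for ip, fset in flows.items():
        params[ip] = {
            "connection_count": len(fset),
            "connection_rate": len(fset) / window_s,   # new connections per second
            "packet_rate": pkts[ip] / window_s,        # packets per second
            "directions": sorted(dirs[ip]),
            "protocols": sorted(protos[ip]),
            "urls": sorted(urls[ip]),
        }
    return params


# Constructed sample window: one internal client browsing and resolving DNS,
# and one external host touching five different ports on one internal server.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "198.51.100.20", 51000, 80, 6, "http://example.com/index.html"),
    Packet(0.1, "10.0.0.5", "198.51.100.20", 51000, 80, 6),   # same connection again
    Packet(0.5, "10.0.0.5", "198.51.100.21", 51001, 443, 6),
    Packet(1.0, "10.0.0.5", "10.0.0.53", 51002, 53, 17),
    Packet(2.0, "203.0.113.7", "10.0.0.10", 40000, 22, 6),
    Packet(2.1, "203.0.113.7", "10.0.0.10", 40001, 23, 6),
    Packet(2.2, "203.0.113.7", "10.0.0.10", 40002, 80, 6),
    Packet(2.3, "203.0.113.7", "10.0.0.10", 40003, 443, 6),
    Packet(2.4, "203.0.113.7", "10.0.0.10", 40004, 3389, 6),
]
WINDOW_S = 10.0   # length of the sampling window in seconds (assumed)

if __name__ == "__main__":
    for ip, prm in extract_parameters(SAMPLE_PACKETS, WINDOW_S).items():
        print(ip, prm)
```

The per-source dictionaries are the vectors a cloud-side analysis would receive; keeping connection count and packet count separate is what lets a later baseline distinguish one busy connection from many short ones.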
Anti-DDoS attack
A seven-level defence system of protocol anomaly detection, source address authenticity verification, black and white lists, rate anomaly detection, access control, feature anomaly detection and traffic control is constructed, giving the gateway powerful anti-DDoS capability.
Intrusion detection and defence
The gateway has a built-in library of more than 8000 network intrusion behaviour features, can be configured with independent IPS rules according to the client's real network, and can also automatically generate defence policies in conjunction with the cloud analysis engine, intelligently defending against network intrusions.
Application intelligent recognition and traffic control
Based on the user behaviour intelligent analysis module, the gateway can perform intelligent protocol identification on nearly all mainstream application protocols, and can also realize refined application traffic control at three levels: per interface/region, per address group/user group, and per IP/per user.
Network visualization management
Various views and statistical reports, such as interface traffic, traffic trends, session monitoring, system status, event statistics, sessions and Anti-DDoS, can be generated automatically according to the administrator's needs, providing the administrator with an easy-to-use graphical network management system.
Multifunctional security gateway
The gateway also integrates multiple security functions such as content filtering (CF), intrusion prevention (IPS), Anti-DDoS, traffic control and identity authentication, and can provide comprehensive security protection for the user network.
2. The major functions of the security intelligent cloud centre include:
Network behaviour vector coordinate system
The intelligent cloud centre server receives the traffic behaviour parameters uploaded from the security gateway, quantizes them in real time to generate vector data, and draws a network behaviour surface chart.
Business network security white environment
According to the behaviour parameters of secured network traffic, the minimal set of business network behaviours is statistically induced; this is the business network white environment.
Network behaviour anomaly index system
The live network behaviour vectors are differenced against the network white environment, and abnormal network behaviours and their vector parameters are distinguished according to probability and a security threshold.
Security defence instruction system
According to the key elements of the abnormal network behaviour, including source IP, source port, destination IP, destination port, protocol and application content keywords, defence instructions are generated and issued to the security gateway, which executes the defence action.
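The four cloud-centre functions just listed, carried through end to end as an added example (not the patent's code): a white environment is induced from secured-traffic vectors, a live vector is differenced against it, the result is judged by tail probability against a security threshold, and a defence instruction is assembled from the key elements. The per-dimension Gaussian model, the 1e-3 threshold, the choice of numeric dimensions and all sample values are assumptions; the patent itself does not specify how "probability" is computed.

```python
"""Added example: white environment baseline, differencing, threshold and defence instruction (not the patent's code)."""
from __future__ import annotations

import math
from statistics import fmean, pstdev

# Assumed numeric behaviour-pattern dimensions forming the vector.
DIMENSIONS = ("connection_count", "connection_rate", "packet_rate", "operation_frequency")


def build_white_environment(secure_samples: list[dict]) -> dict[str, tuple[float, float]]:
    """Baseline (white environment): per-dimension mean and spread from secured traffic."""
    env = {}
    for d in DIMENSIONS:
        vals = [s[d] for s in secure_samples]
        env[d] = (fmean(vals), max(pstdev(vals), 1e-9))   # floor avoids division by zero
    return env


def difference(env, sample) -> dict[str, tuple[float, float]]:
    """Difference a live vector against the baseline.

    Returns, per dimension, the standardised deviation z and the two-sided
    probability of seeing |z| or more under the baseline (Gaussian tail via erfc).
    """
    out = {}
    for d in DIMENSIONS:
        mean, sd = env[d]
        z = (sample[d] - mean) / sd
        out[d] = (z, math.erfc(abs(z) / math.sqrt(2)))
    return out


def anomaly_index(env, sample, threshold: float = 1e-3) -> dict:
    """Abnormal when any dimension's tail probability falls below the security
    threshold; the risk value is the largest absolute deviation, and
    'parameters' lists the vector parameters that deviated."""
    dev = difference(env, sample)
    flagged = [d for d, (_, p) in dev.items() if p < threshold]
    risk = max(abs(z) for z, _ in dev.values())
    return {"abnormal": bool(flagged), "risk": risk, "parameters": flagged}


def defence_instruction(sample: dict, verdict: dict) -> dict | None:
    """Package the key elements of an abnormal behaviour for the gateway."""
    if not verdict["abnormal"]:
        return None
    return {
        "action": "block",                      # assumed defence action
        "source_ip": sample["src_ip"],
        "source_port": sample["src_port"],
        "destination_ip": sample["dst_ip"],
        "destination_port": sample["dst_port"],
        "protocol": sample["protocol"],
        "keyword": sample.get("url"),           # application content keyword
        "parameters": verdict["parameters"],
        "risk": verdict["risk"],
    }


# Constructed secured-traffic vectors (one per source, one window each).
SECURE_SAMPLES = [
    {"connection_count": 3, "connection_rate": 0.3, "packet_rate": 12.0, "operation_frequency": 2},
    {"connection_count": 4, "connection_rate": 0.4, "packet_rate": 15.0, "operation_frequency": 3},
    {"connection_count": 5, "connection_rate": 0.5, "packet_rate": 18.0, "operation_frequency": 2},
    {"connection_count": 4, "connection_rate": 0.4, "packet_rate": 14.0, "operation_frequency": 3},
    {"connection_count": 4, "connection_rate": 0.4, "packet_rate": 16.0, "operation_frequency": 2},
]
# Constructed live vectors with their key elements.
LIVE_ABNORMAL = {
    "src_ip": "203.0.113.7", "src_port": 40000, "dst_ip": "10.0.0.10", "dst_port": 80,
    "protocol": 6, "url": "http://10.0.0.10/login",
    "connection_count": 120, "connection_rate": 12.0, "packet_rate": 900.0, "operation_frequency": 2,
}
LIVE_NORMAL = {
    "src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "198.51.100.20", "dst_port": 443,
    "protocol": 6, "url": None,
    "connection_count": 4, "connection_rate": 0.4, "packet_rate": 15.0, "operation_frequency": 3,
}

if __name__ == "__main__":
    env = build_white_environment(SECURE_SAMPLES)
    for live in (LIVE_NORMAL, LIVE_ABNORMAL):
        verdict = anomaly_index(env, live)
        print(verdict, defence_instruction(live, verdict))
```

The instruction carries the deviating parameter names alongside the key elements, so the gateway (or an operator reviewing the action) can see which part of the vector drove the decision rather than only the resulting block.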
The main innovation of the invention lies in the intelligence of the security gateway. Unlike a traditional firewall or security gateway, the product of the invention uses the powerful computing capability of the cloud to perform deep learning on the traffic features of the whole network and generate a security baseline system, issues security instructions in real time 7x24, and actively defends against potential network threats. This is equivalent to giving a traditional firewall or security gateway device a brain that can think, while the security gateway device at the user end, linked in real time, defends against the various attacks in real time. This technology not only applies the way of thinking of neural network learning and risk measurement to a network security gateway product for the first time, but its cloud-plus-endpoint linkage security mechanism is also an innovation over the isolated island of single-product security technology. These two aspects are explained in more detail below:
3. Network behaviour neural network learning and risk measurement technology
The technology uses a neural network algorithm to learn the network users' traffic data automatically, and combines this with the customer's business "security white environment" and limited supervised learning to generate a security baseline coordinate system (the baseline); on that basis, the anomalies and deviations of the detected user behaviour are quantified and the user network behaviour risk value is calculated, so as to analyse and determine potentially unsafe behaviour. The key point of the technology is the accuracy of the security baseline coordinate system and the system's deep learning capability; through the auxiliary security white environment and a limited intervention and feedback mechanism, the present invention can continuously improve the accuracy of the security baseline coordinate system.
A schematic diagram of the security white environment deep learning technology is shown in Figure 6.
In the current security technology field, apart from the outdated detection method based on intrusion feature databases, detection based on sandbox technology is in fact also a kind of abnormal behaviour detection technology, but it is usually used to detect malicious code or files and is of limited practical use for network data flows; moreover, in implementation it judges risk by only a few abnormal behaviour attributes, which is not comprehensive and is constrained by its definition of abnormal behaviour, so its accuracy is not high. The technology of the present invention, by contrast, is suitable for the security detection of most network flows and can achieve an accuracy rate of 80% or more in real network tests. The technology belongs to the current hot-spot direction of applying artificial intelligence technology in the network security field, and is at the leading level domestically.
4. Network attack defence device and method based on the cloud and the local platform
The security intelligent cloud centre triggers security early-warning instructions according to the risk value of the network behaviour and realizes linkage with the user-end active defence gateway through a security interaction API interface, so that dangerous network behaviour can be defended against in real time, closing the loop of risk detection and defence. The technology not only solves the intelligent detection problem of behaviour-based analysis, but also converts this security detection capability directly into real-time security defence capability. The key advantage of the technology is the specificity and accuracy of its defence: the security baseline coordinate system differs from network to network, so the risk quantification and threat judgement standards differ as well; the technology of the present invention performs deep learning separately for different network flows and establishes independent security baselines and threat judgement standards, and therefore is more specifically targeted, which is also where this technology is superior to defence technologies based on threat intelligence.
Many innovative technologies in the current network security field are limited to the attack detection level: they analyse a bypass (mirrored) copy of the network traffic and provide reports or early warnings, but cannot perform real-time defence based on the analysis results, and therefore cannot form a security closed loop. The essence of security is attack and defence; a technology that only detects and does not defend in real time is ultimately limited by this technical deficiency and will be replaced by technology that more effectively fuses intelligent detection with linked defence. The present invention realizes such a technology. The principle block diagram of the invention is shown in Figure 7. The product application deployment scheme of the invention is shown in Figure 8.
The number of modules and the processing scale described herein are chosen to simplify the explanation of the invention. Applications, modifications and variations of the security gateway based on intelligent behaviour analysis and of the security protection system comprising the security gateway of the present invention will be obvious to those skilled in the art.
Although the embodiments of the present invention have been disclosed above, they are not limited to the applications listed in the description and the embodiments; the invention can be fully applied to various fields suited to it, and those skilled in the art can easily realize other modifications. Therefore, without departing from the general concept defined by the claims and their equivalent scope, the present invention is not limited to the specific details and illustrations shown and described herein.