Detailed Description
So that the manner in which the above recited objects, features and advantages of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Embodiment 1, referring to fig. 1, is a first embodiment of the present invention. This embodiment provides a device data blocking detection method based on network security defense, including:
S1, acquiring device session data and the corresponding network session scene mark of the network session scene;
S2, acquiring target intrusion detection guide information associated with the network session scene mark;
S3, based on the target intrusion detection guide information, detecting network threats in the device session data through a first general flow detection algorithm, and determining a first reference network threat type of the device session data;
S4, detecting network threats in the device session data through a network threat detection algorithm, and determining a second reference network threat type corresponding to the device session data based on a transition network threat detection result output by the network threat detection algorithm;
S5, determining a target network threat type of the device session data in the network session scene based on the first reference network threat type and the second reference network threat type.
It should be noted that, through steps S1-S5, the method constructs a comprehensive and strict device data blocking detection system. First, step S1 accurately collects the device session data and the network session scene mark, providing the basis for subsequent analysis, and step S2 acquires the associated intrusion detection guide information, which fixes the detection direction and criteria. Then, steps S3 and S4 each detect the device session data with a different detection algorithm, identifying potential network threats from multiple dimensions to obtain a first reference network threat type and a second reference network threat type, which improves the accuracy and reliability of the detection result. Finally, step S5 synthesizes the two reference threat types and accurately determines the target network threat type of the device session data in the specific network session scene. The method helps a network security defense system detect and block potential threats in time, ensures the safe and stable operation of the devices and the network, and effectively improves the security and anti-attack capability of the network as a whole.
Embodiment 2, referring to fig. 1, provides a device data blocking detection method based on network security defense according to the previous embodiment, which includes:
In an embodiment, acquiring the device session data and the corresponding network session scene mark of the network session scene in step S1 includes:
The device session data refers to a series of data generated in the process of network communication of the device, wherein the data records interaction information between the device and the network and comprises various information such as data packets sent and received by the device, a communication time stamp, a source address, a destination address, a port number and the like;
the network session scene mark is an identifier for identifying a specific network environment and a service scene where the device session data is located, and different network session scene marks represent different network usage scenes, such as an enterprise office network scene, a home wireless network scene, a mobile data network scene, and the like.
Specifically, at the network layer, a network packet capturing tool, such as the Wireshark network protocol analysis software, may be used to capture all data packets on the network interface, select the data packets related to a specific device as needed, and sort and analyze them, so as to obtain the device session data. Taking an enterprise office network as an example, a server inside the enterprise may communicate with a plurality of client devices; a network packet capturing tool may be deployed at the core switch of the network to capture all data packets flowing through the switch, and the session data of a specific client device is selected according to information such as the source IP address and destination IP address of the data packets.
At the device level, device session data may be obtained through the logging function of the device. Many devices record their own network communication behavior, for example, a router records connection information of the devices, accessed websites, etc., and device session data is extracted by reading log files of the devices.
In another possible implementation, the network session scene mark may be determined from the configuration information of the device. For example, in an enterprise office network, a device is assigned to a specific network domain, and the network domain to which the device belongs can be obtained by reading the network configuration information of the device, so as to determine the network session scene mark corresponding to the session data of the device. Assume the enterprise has a plurality of departments, each with an independent network domain; whether the device belongs to a sales department network session scene, a research and development department network session scene, an administrative department network session scene and the like can then be judged from the network domain shown in the network configuration information of the device.
In another possible implementation, the network session scene mark may be inferred by analyzing characteristics of the device session data. Different network session scenes have different network traffic characteristics, and the network session scene mark corresponding to the device session data can be inferred by analyzing the traffic pattern of the device session data, the type of websites accessed, the frequency of communication and the like. For example, in a home wireless network scene, the network traffic of devices is mainly concentrated in the evening, and the websites accessed are mostly entertainment websites such as video and social networks, while in an enterprise office network scene, the network traffic of devices is mainly concentrated in the working hours of working days, and the websites accessed are mostly the company's internal office systems, business related websites, and the like. The device session data may be classified according to these traffic characteristics to determine its corresponding network session scene mark.
In an embodiment, obtaining the target intrusion detection guide information associated with the network session scene mark in step S2 includes:
It should be noted that the network session scene mark represents the specific network environment and service scene where the device session data is located, and different network session scenes may face different types of network threats; therefore the corresponding target intrusion detection guide information is acquired according to the network session scene mark, so that network threats can be detected more accurately.
The target intrusion detection guide information includes a plurality of reference network threat types for the network session scene and network threat session example data for each reference network threat type.
Specifically, the target intrusion detection guide information associated with the network session scene mark is acquired through a pre-constructed association database, in which the mapping between different network session scene marks and their corresponding target intrusion detection guide information is stored. After the network session scene mark is obtained, the association database is queried to obtain the target intrusion detection guide information associated with that network session scene mark.
The reference network threat type is the result of classifying and defining the network threats that may occur in a particular network session scene. Different network session scenes may have different reference network threat types. For example, in a home wireless network scene, the reference network threat types may include phishing, Wi-Fi cracking, etc., while in an industrial control system network scene, they may include denial of service attacks, man-in-the-middle attacks, virus-infected industrial control devices, etc. When the target intrusion detection guide information is acquired, the plurality of reference network threat types in the network session scene are defined so that targeted network threat detection can later be carried out on the device session data.
The network threat session example data of each reference network threat type is a sample of device session data that characterizes that reference network threat type. These example data help to better understand and identify the reference network threat type. For example, for a reference network threat type such as phishing, the network threat session example data may include records of communications with the phishing website, such as the requested URL address, the submitted form data, and so forth. By analyzing the example data, features of the phishing threat, such as a specific domain name pattern or abnormal form submission behavior, can be extracted, so that whether a phishing threat exists can be accurately judged when the device session data is detected later.
In another possible implementation, the target intrusion detection guide information associated with the network session scene mark may also be obtained through a network security intelligence platform. The network security intelligence platform collects and sorts various network security threat information and classifies and labels it according to different network session scenes. The method can exchange data with the network security intelligence platform and obtain the corresponding target intrusion detection guide information according to the network session scene mark. For example, when the network session scene corresponding to the device session data is detected to be marked as a "mobile payment network scene", the target intrusion detection guide information for that scene may be acquired from the network security intelligence platform, where it may include reference network threat types for mobile payment, such as payment information stealing and false payment link induction, together with the corresponding network threat session example data.
In another possible implementation, the target intrusion detection guidance information may also be analyzed and optimized in conjunction with a machine learning algorithm. For example, clustering network threat session example data through a clustering algorithm to find potential relations and characteristic modes among different reference network threat types, and classifying new equipment session data through a classification algorithm to judge the reference network threat types to which the new equipment session data belong. Thus, the identification capability and detection efficiency of the network threat can be improved.
In another possible implementation, the acquired target intrusion detection guidance information may also be shared and coordinated with other security devices and systems. For example, target intrusion detection guiding information is shared to firewall equipment, and the firewall can filter and intercept network traffic in real time according to the information, and cooperate with an intrusion detection system to detect and prevent network threats together.
It should be noted that, acquiring the target intrusion detection guidance information associated with the network session scene mark is an important link of network security defense. By accurately acquiring and effectively utilizing the information, the network threat can be better identified and prevented, and the safe and stable operation of the network is ensured.
In an embodiment, in step S3, detecting network threats in the device session data by using the first general flow detection algorithm and determining the first reference network threat type of the device session data includes:
Detecting network threats in the device session data, through the first general flow detection algorithm, according to the plurality of reference network threat types and the network threat session example data of each reference network threat type, and determining the first reference network threat type corresponding to the device session data among the plurality of reference network threat types.
The first general flow detection algorithm is a general algorithm capable of analyzing and detecting network flow, and judges whether the equipment session data has network threat and which type of reference network threat exists through feature extraction and pattern matching of the equipment session data.
For example, it may be a first general flow detection algorithm based on feature matching. A series of feature rules related to network threats is predefined, and the device session data is compared with the rules to judge whether a network threat exists. The feature rules cover various attributes of the data packet, such as source IP address, destination IP address, port number, packet length and protocol type, as well as specific strings, patterns and the like in the data content. For example, in an enterprise network environment, to protect against attacks from a particular segment of malicious IP addresses, the algorithm may compare the source IP address in the received device session data with a predefined list of malicious IP addresses. If the source IP address is found in the malicious IP address segment, the device session data is judged to be a potential threat. For another example, for an SQL injection attack, the algorithm may examine the data content in the device session data, and if a typical SQL injection feature string such as "OR 1=1--" is found, it is determined that the session data is at risk of an SQL injection attack.
For example, a rule base is constructed to store predefined feature rules, and rule comparison is performed by adopting technologies such as character string matching, regular expression matching and the like. The rule base needs to be updated periodically to cope with the changing network threats.
Alternatively, the first general flow detection algorithm is an algorithm based on anomaly detection. The algorithm first learns the pattern and behavior characteristics of normal network flow and builds a normal flow model. It then compares real-time device session data with the normal flow model, and if the behavior of the device session data deviates from the normal model beyond a certain threshold, the flow is judged abnormal and possibly a network threat. For example, in an office network, the network traffic of staff computers during working hours usually follows a certain pattern, such as mainly visiting the company's internal office system and occasionally visiting external news websites. The algorithm establishes this normal flow pattern by learning over a long period. If a certain employee computer suddenly generates a large amount of communication traffic with an unknown external server outside working hours, and that traffic differs obviously from the normal traffic pattern, the algorithm marks it as abnormal traffic and suspects threats such as data leakage or malicious software infection.
For example, the normal flow model is constructed using a machine learning method, such as a statistics-based method (e.g., mean, variance, probability distribution, etc.) or a clustering algorithm (e.g., K-Means clustering). Whether the device session data is abnormal is judged by calculating the distance (such as the Euclidean distance, Manhattan distance and the like) between the device session data and the normal flow model.
Alternatively, the first general flow detection algorithm is an algorithm based on machine learning classification, which is trained on a large amount of labeled network flow data (including normal flow and various network threat flows) to construct a classification model. In actual detection, the device session data is input into the classification model, which classifies it according to the learned characteristics and patterns and judges whether the device session data is normal traffic or a specific network threat type. For example, taking a decision tree classification algorithm, in the training stage the algorithm learns, from a large amount of network traffic data, the relationships between characteristics such as data packet size, transmission frequency and accessed port and the different network threat types, and builds a decision tree model. When new device session data is detected, the decision tree model classifies the data based on these characteristics. If the data packets of a certain device's session data are abnormally large, the transmission frequency is too high, and an unusual port is accessed, the decision tree model may classify the traffic as DDoS attack traffic.
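The anomaly-based variant described above, as an added example that is not code from the patent: a statistical normal flow model (per-feature mean and standard deviation) is learned from a constructed baseline of one employee computer's session windows, and new device session data is scored by the Euclidean distance of its standardised feature vector from the model centre. The feature names, baseline values and the distance threshold are assumptions.

```python
"""Anomaly detection variant of the first general flow detection algorithm.

A statistical normal flow model (mean and standard deviation per feature) is
learned from observed sessions; a session is abnormal when its Euclidean
distance from the model centre exceeds a threshold. Feature names, baseline
values and the threshold are assumptions, not values from the patent.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev

# Features extracted from one device session window (names are assumptions):
#   bytes_out  - bytes the device sent in the window
#   ext_hosts  - distinct external (non-company) hosts the device contacted
#   off_hours  - 1 if the window lies outside working hours, else 0
FEATURES = ("bytes_out", "ext_hosts", "off_hours")


@dataclass(frozen=True)
class NormalFlowModel:
    means: dict
    stdevs: dict
    threshold: float  # distance above which a session is flagged as abnormal

    def standardise(self, session: dict) -> list:
        """z-score each feature against the learned normal pattern."""
        return [(session[f] - self.means[f]) / self.stdevs[f] for f in FEATURES]

    def distance(self, session: dict) -> float:
        """Euclidean distance between the session and the model centre."""
        return sqrt(sum(z * z for z in self.standardise(session)))

    def is_anomalous(self, session: dict) -> bool:
        return self.distance(session) > self.threshold


def learn_normal_model(baseline: list, threshold: float = 4.0) -> NormalFlowModel:
    """Learn the normal flow pattern (mean/variance per feature) from sessions.

    The population standard deviation is floored at a small epsilon so a
    feature that never varied in the baseline cannot cause a division by zero.
    """
    means = {f: mean(s[f] for s in baseline) for f in FEATURES}
    stdevs = {f: max(pstdev(s[f] for s in baseline), 1e-6) for f in FEATURES}
    return NormalFlowModel(means, stdevs, threshold)


def flag_sessions(model: NormalFlowModel, sessions: list) -> list:
    """Return (distance, is_anomalous) per session, in input order."""
    return [(round(model.distance(s), 2), model.is_anomalous(s)) for s in sessions]


# Constructed baseline: eight observed windows of one employee computer that
# mostly talks to the internal office system, with two quiet off-hours windows
# (e.g. scheduled updates) so off-hours activity alone is not an anomaly.
BASELINE = [
    {"bytes_out": 120_000, "ext_hosts": 2, "off_hours": 0},
    {"bytes_out": 95_000, "ext_hosts": 1, "off_hours": 0},
    {"bytes_out": 140_000, "ext_hosts": 3, "off_hours": 0},
    {"bytes_out": 110_000, "ext_hosts": 2, "off_hours": 0},
    {"bytes_out": 130_000, "ext_hosts": 2, "off_hours": 0},
    {"bytes_out": 100_000, "ext_hosts": 1, "off_hours": 0},
    {"bytes_out": 80_000, "ext_hosts": 1, "off_hours": 1},
    {"bytes_out": 150_000, "ext_hosts": 3, "off_hours": 1},
]
# Constructed new windows: a normal working-hour one, a quiet off-hours one,
# and a night-time burst to many unknown external servers (suspected leakage).
NORMAL_SESSION = {"bytes_out": 125_000, "ext_hosts": 2, "off_hours": 0}
QUIET_NIGHT_SESSION = {"bytes_out": 60_000, "ext_hosts": 1, "off_hours": 1}
SUSPECT_SESSION = {"bytes_out": 2_500_000, "ext_hosts": 12, "off_hours": 1}

MODEL = learn_normal_model(BASELINE)

if __name__ == "__main__":
    for name, s in (("normal", NORMAL_SESSION), ("quiet night", QUIET_NIGHT_SESSION),
                    ("suspect", SUSPECT_SESSION)):
        print(f"{name:12s} distance={MODEL.distance(s):8.2f} anomalous={MODEL.is_anomalous(s)}")
```

The quiet off-hours window stays below the threshold only because the baseline already contained such windows; a baseline learned from working hours alone would flag every night-time session, which is the usual reason such models need a long learning period.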
For example, machine learning classification algorithms such as decision trees, support vector machines, naive bayes, etc. are used. In the training process, the data needs to be preprocessed, including operations such as feature extraction, normalization and the like, so as to improve the accuracy and generalization capability of the model.
In implementing this step, the device session data is compared with the network threat session example data of each reference network threat type. The network threat session example data is a sample of device session data that exhibits a particular reference network threat type, from which key features of that reference network threat type may be extracted, such as a particular data packet format, communication frequency, particular port accessed, etc. Then, the first general flow detection algorithm extracts the characteristics of the device session data and matches them against the key features of each reference network threat type. If the characteristics of the device session data match the key features of a certain reference network threat type to a high degree, a preliminary determination may be made that the device session data may belong to that reference network threat type.
For example, in an enterprise office network, the reference network threat types include malware attacks and data leakage. For the malware attack reference network threat type, the network threat session example data may feature frequent communications with a particular malware server, such as accessing a particular IP address and port. After the device session data is obtained, the first general flow detection algorithm extracts the communication information in it; if the device is found to communicate frequently with the known IP address of a malicious software server, and the communication port matches the port in the example data of the malware attack, the first reference network threat type corresponding to the device session data can be preliminarily judged to be the malware attack.
One way to implement this step is a rule-based matching method. A series of rules may be predefined, summarized from the network threat session example data of each reference network threat type. For example, the rules may specify that if a particular string, a particular packet length, or a particular communication pattern is present in the device session data, it is determined to be of a certain reference network threat type. When the device session data is processed, it is matched against the rules one by one, and the first reference network threat type is determined according to the matching result.
Another approach is based on machine learning. Machine learning algorithms, such as decision trees, support vector machines and the like, can be trained on the network threat session example data of each reference network threat type to obtain a corresponding classification model. Then the device session data is input into the trained classification model, the model classifies it according to the characteristics of the device session data, and the first reference network threat type corresponding to the device session data is output. For example, a decision tree algorithm is trained on the network threat session example data of two reference network threat types, namely malware attack and data leakage, to obtain a decision tree model. When new device session data is input, the decision tree model judges according to the characteristics of the device session data and outputs whether it belongs to a malware attack or data leakage.
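The rule-based path of step S3, as an added example that is not code from the patent. It serves both the feature-matching passage above (a rule base with a malicious IP segment and an SQL injection feature string) and the rule-based matching method just described (key features extracted from the network threat session example data of each reference network threat type in an enterprise office scene). All addresses, ports, rules and example sessions are constructed.

```python
"""Rule-based variant of the first general flow detection algorithm (step S3).

Part 1 is a predefined rule base; part 2 matches device session data against
key features extracted from each reference network threat type's example data.
All addresses, ports, rules and sessions are constructed, not from the patent.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int         # bytes the device sent in the session
    conns_per_min: float   # how often the device reconnected to dst_ip
    payload: str = ""      # decoded application data, when available


# ---- Part 1: predefined feature rules (the rule base) ----------------------
# Constructed malicious address segment (RFC 5737 documentation range).
MALICIOUS_SEGMENT = ipaddress.ip_network("203.0.113.0/24")
# Typical SQL injection feature strings: the OR 1=1 tautology or UNION SELECT.
SQLI_PATTERN = re.compile(r"(?i)\bor\s+1\s*=\s*1\b|\bunion\s+select\b")


def apply_rule_base(session: Session) -> list:
    """Names of every feature rule the session matches (empty = no hit)."""
    hits = []
    if ipaddress.ip_address(session.src_ip) in MALICIOUS_SEGMENT:
        hits.append("malicious source IP segment")
    if SQLI_PATTERN.search(session.payload):
        hits.append("SQL injection feature string")
    return hits


# ---- Part 2: key features of each reference type's example data -----------
def extract_key_features(examples: list) -> dict:
    """Summarise the example sessions of one reference network threat type."""
    return {
        "dst_ips": {e.dst_ip for e in examples},
        "dst_ports": {e.dst_port for e in examples},
        "min_conns_per_min": min(e.conns_per_min for e in examples),
        "min_bytes_out": min(e.bytes_out for e in examples),
    }


def match_score(session: Session, key: dict) -> float:
    """Fraction of the key features the session matches, 0.0 to 1.0."""
    checks = (
        session.dst_ip in key["dst_ips"],
        session.dst_port in key["dst_ports"],
        session.conns_per_min >= key["min_conns_per_min"],
        session.bytes_out >= key["min_bytes_out"],
    )
    return sum(checks) / len(checks)


def first_reference_type(session: Session, guide: dict, threshold: float = 0.75):
    """Reference network threat type whose key features the session matches best.

    `guide` maps each reference type of the scene to its example sessions.
    Returns None when no type reaches the threshold: the traffic is either
    normal or a threat the guide information does not yet describe.
    """
    best_type, best_score = None, 0.0
    for threat_type, examples in guide.items():
        score = match_score(session, extract_key_features(examples))
        if score > best_score:
            best_type, best_score = threat_type, score
    return best_type if best_score >= threshold else None


# Constructed target intrusion detection guide information for an enterprise
# office network scene: two reference types with example session data each.
OFFICE_GUIDE = {
    "malware attack": [  # beaconing to a known malware server on one port
        Session("10.0.0.5", "203.0.113.45", 4444, 2_000, 12.0),
        Session("10.0.0.9", "203.0.113.45", 4444, 3_500, 15.0),
    ],
    "data leakage": [  # rare, very large uploads to outside hosts
        Session("10.0.0.7", "198.51.100.20", 443, 50_000_000, 0.5),
        Session("10.0.0.8", "198.51.100.21", 8443, 80_000_000, 0.2),
    ],
}

# Constructed device session data to detect.
MALWARE_SESSION = Session("10.0.0.12", "203.0.113.45", 4444, 2_500, 14.0)
LEAK_SESSION = Session("10.0.0.3", "198.51.100.20", 443, 60_000_000, 0.3)
NORMAL_SESSION = Session("10.0.0.3", "192.0.2.10", 443, 20_000, 0.1)
INJECT_SESSION = Session("203.0.113.9", "10.0.0.80", 80, 800, 1.0, "id=5 OR 1=1--")

if __name__ == "__main__":
    for s in (MALWARE_SESSION, LEAK_SESSION, NORMAL_SESSION, INJECT_SESSION):
        print(s.src_ip, "->", s.dst_ip, "rules:", apply_rule_base(s),
              "first reference type:", first_reference_type(s, OFFICE_GUIDE))
```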
In an embodiment, in step S4, performing network threat detection on the device session data by using the network threat detection algorithm, and determining, based on the transition network threat detection result output by the network threat detection algorithm, the second reference network threat type corresponding to the device session data includes:
It should be noted that the network threat detection algorithm is a special-purpose algorithm: in contrast to the generality of the first general flow detection algorithm, it is dedicated to detecting network threats. It is a tool that comprehensively analyzes device session data and identifies potential network security threats therein, is applicable to multiple network session scenes, has generality and flexibility, and can detect targeted threats according to the characteristics of different scenes. The transition network threat detection result is an intermediate result generated by the algorithm after processing the device session data; it contains association information between the device session data and a plurality of reference network threat types, which helps to further determine the second reference network threat type corresponding to the device session data.
When this step is executed, the network threat detection algorithm first performs a comprehensive analysis of the device session data. The algorithm performs feature extraction and pattern recognition on the device session data from multiple angles, for example checking information such as the size of the data packets, the transmission frequency, the communication port used and the protocol type adopted, and detecting whether malicious code, abnormal behavior patterns and the like exist in the data. Through this detailed analysis, the algorithm can evaluate the degree of match between the device session data and each reference network threat type, and thereby generates the transition network threat detection result.
In order to achieve the above procedure, various means may be employed. One is a machine learning based algorithm, such as deep learning or a support vector machine. Such algorithms can be trained on a large amount of network threat sample data to learn the characteristic patterns of different threat types, and then classify and predict the device session data in practical application. For example, deep learning algorithms may automatically extract complex features from device session data and can continually optimize their own models to accommodate emerging threat patterns, while a support vector machine can accurately divide the device session data into different reference network threat types by searching for an optimal classification hyperplane. Another approach is a rule-based detection method. A series of rules may be predefined detailing the characteristics and behavior patterns of different reference network threat types. When detecting the device session data, the system matches the data against the rules one by one, and if the data accords with a certain rule, the device session data is considered to have the corresponding network threat. For example, a rule may specify that if the device session data contains a particular malicious code feature string, or abnormal port scan behavior occurs, the corresponding security threat is determined to exist.
After the transition network threat detection result is obtained, the second reference network threat type corresponding to the device session data is determined among the plurality of reference network threat types according to that result. This process typically refers to the degree of association between the device session data and each reference network threat type in the transition network threat detection result, for example indicators such as confidence or similarity. If the transition network threat detection result shows that the confidence of the device session data is highest for a certain reference network threat type, that threat type is determined to be the second reference network threat type.
Further, step S4 includes:
Step S410, performing network threat detection on the device session data through the network threat detection algorithm to obtain the transition network threat detection result that the network threat detection algorithm outputs for the device session data over the candidate network threat sets of a plurality of network session scenes, wherein the transition network threat detection result comprises the confidence that the device session data belongs to each network threat type in the candidate network threat sets of the plurality of network session scenes;
Step S420, obtaining, from the transition network threat detection result, the confidence that the device session data belongs to each reference network threat type in the network session scene of the device session data;
Step S430, determining the second reference network threat type corresponding to the device session data among the plurality of reference network threat types in the network session scene according to the confidence that the device session data belongs to each reference network threat type in the network session scene.
In step S410, the network threat detection algorithm is used to perform network threat detection on the device session data, so as to obtain the transition network threat detection result that the algorithm outputs for the device session data over the candidate network threat sets of the multiple network session scenes. The transition network threat detection result is an intermediate result and includes the confidence that the device session data belongs to each network threat type in the candidate network threat sets of the multiple network session scenes. The network threat detection algorithm is an algorithm capable of deeply analyzing device session data and identifying potential network threats therein, and is applicable to a plurality of different network session scenes. The candidate network threat set is the set of predefined possible network threat types in each network session scene. The confidence indicates the probability that the device session data belongs to a certain network threat type; it is generally expressed as a probability value in the range 0 to 1, and the closer the value is to 1, the greater the probability that the device session data belongs to that network threat type.
In performing this step, the device session data is input into the cyber threat detection algorithm. The algorithm extracts and analyzes various characteristics of the device session data, such as the size of a data packet, transmission frequency, communication port, protocol type and the like, and detects whether malicious codes, abnormal behavior patterns and the like are contained in the data. Through comprehensive analysis of the characteristics, the algorithm evaluates the matching degree of the equipment session data and each network threat type in the candidate network threat set, and calculates the confidence coefficient of the equipment session data belonging to each network threat type according to the matching degree.
For example, in an enterprise office network scenario, the candidate set of cyber threats may include types of cyber threats such as malware attacks, data leakage, phishing, and the like.
To accomplish this, a variety of ways may be employed. One approach is machine learning based algorithms such as neural networks, decision trees, etc. The algorithms can be trained through a large amount of network threat sample data, learn characteristic modes of different network threat types, classify and predict equipment session data in actual application, and calculate corresponding confidence degrees. Another approach is a rule-based detection approach, where a series of rules describing characteristics and behavior patterns of different network threat types may be predefined. When detecting the device session data, the system will match the data with these rules and calculate the confidence level based on the degree of match.
In step S420, the confidence that the device session data belongs to each reference network threat type in the network session scene is obtained from the transition network threat detection result. The reference network threat types are the network threat types that require particular attention in a specific network session scene and are a subset of the candidate network threat set. After the transition network threat detection result is obtained, the confidence information corresponding to the reference network threat types of the current network session scene is screened out of it.
For example, in the enterprise office network scene described above, it is assumed that the reference network threat types are malware attack and data leakage. The confidence 0.1 that the device session data belongs to the malware attack and the confidence 0.7 that it belongs to data leakage are extracted from the transition network threat detection result, and the confidence information of network threat types not in the reference range, such as phishing, is ignored.
In step S430, according to the confidence that the device session data belongs to each reference network threat type in the network session scene, the second reference network threat type corresponding to the device session data is determined from the multiple reference network threat types in the network session scene. These confidences are analyzed and reasoned over to determine the most likely network threat type.
In one embodiment, a target detection algorithm trained for the network session scene performs confidence reasoning on each reference network threat type, according to the confidence that the device session data belongs to each reference network threat type of the network session scene and the device session data itself, to obtain a reasoning result, wherein the reasoning result indicates the confidence of each reference network threat type being the network threat type to which the device session data belongs. The target detection algorithm is trained specifically for the particular network session scene, and can evaluate each reference network threat type more accurately by combining the specific characteristics of the device session data with the confidence information.
For example, in an enterprise office network scene, the target detection algorithm considers more detailed information about the device session data, such as the service time of the device and the user's operation habits, and performs confidence reasoning in combination with the previously calculated confidence 0.1 of belonging to the malware attack and confidence 0.7 of belonging to data leakage. After reasoning, the confidence of belonging to the malware attack is adjusted to 0.2, and the confidence of belonging to data leakage is adjusted to 0.8.
Then, according to the reasoning result, the reference network threat type with the highest confidence of being the network threat type to which the device session data belongs is determined as the second reference network threat type. In the above example, since the confidence of data leakage, 0.8, is higher than the confidence of the malware attack, 0.2, data leakage is determined as the second reference network threat type corresponding to the device session data.
Real-time performance and accuracy of the data also need to be considered when performing this series of steps. For a network environment with high real-time requirements, network threat detection and confidence calculation need to be completed quickly so that potential network threats are found in time. Where the accuracy requirement is higher, the confidence calculation and reasoning process needs to be optimized so that the reliability of the detection result is improved. In addition, the network threat detection algorithm and the target detection algorithm need continuous optimization and updating. With the continuous development of network technology and the continuous change of network threats, the original algorithms may no longer meet new detection requirements; new network threat sample data needs to be collected continuously, and the algorithms need to be trained and optimized to improve their detection capability and adaptability.
In practical applications, the determined second reference network threat type may be compared and verified with the first reference network threat type previously determined by the first generic traffic detection algorithm. If the two types are different, other factors such as the reliability of the two detection methods, the historical data and the like can be comprehensively considered to finally determine the target network threat type of the equipment session data.
When steps S410-S430 are executed, network threat detection is performed on the device session data by the network threat detection algorithm and confidence coefficients are calculated; confidence reasoning is then performed by the target detection algorithm; finally, the second reference network threat type corresponding to the device session data is determined. The process combines several methods, takes the real-time performance and accuracy of the data into account, and continuously optimizes and updates the algorithms so as to improve the efficiency and effect of network threat detection and ensure the safe and stable operation of the network.
In another possible implementation, step S430, determining, according to the confidence that the device session data belongs to each reference network threat type in the network session scene, a second reference network threat type corresponding to the device session data from among the plurality of reference network threat types in the network session scene, includes:
Step S431, performing confidence reasoning on each reference network threat type through a target detection algorithm trained for the network session scene, according to the device session data and the confidence coefficient of each reference network threat type of the network session scene to which the device session data belongs, so as to obtain a reasoning result, wherein the reasoning result indicates the confidence coefficient of each reference network threat type being the network threat type to which the device session data belongs;
Step S432, determining, according to the reasoning result, the reference network threat type with the highest confidence of being the network threat type to which the device session data belongs as the second reference network threat type.
In step S431, a target detection algorithm trained for the network session scene performs confidence inference on each reference network threat type according to the device session data and the confidence level of each reference network threat type of the network session scene to which the device session data belongs, so as to obtain an inference result, where the inference result indicates the confidence level of each reference network threat type being the network threat type to which the device session data belongs. The target detection algorithm is designed and trained specifically for the network session scene, and can perform deeper analysis and reasoning by combining the specific characteristics of the device session data with the initial confidence coefficient of each reference network threat type obtained by the previous calculation, so that a more accurate confidence assessment is obtained.
In performing this step, the device session data and the initial confidence of each reference network threat type are provided as inputs to the target detection algorithm. The target detection algorithm performs more detailed feature extraction and analysis on the device session data, considering aspects such as the timing pattern of the communication, the transmission frequency of the data, and the type of website accessed. Meanwhile, the algorithm combines the initial confidence coefficients to comprehensively judge the degree of matching between each reference network threat type and the device session data.
To accomplish this, a variety of methods may be employed. One approach is a machine-learning based algorithm such as a Bayesian network or a support vector machine. A Bayesian network can calculate the posterior probability of each reference network threat type, namely the adjusted confidence coefficient, by probabilistic reasoning over the characteristics of the device session data and the initial confidence coefficients. A support vector machine can classify the device session data by finding the optimal separating hyperplane, and adjust the confidence coefficient of each reference network threat type according to the classification result.
Another approach is rule-based reasoning. A series of rules may be predefined that describe how the confidence levels of the different reference network threat types are adjusted under different characteristics of the device session data. For example, a rule may specify that if the device session data shows large amounts of data being transmitted to an external server during non-working hours and the data contains sensitive information, the confidence of data leakage should be increased by a certain proportion while the confidence of the other threat types is correspondingly decreased. When step S431 is performed, the features of the device session data are matched against the rules, and the confidence level of each reference network threat type is adjusted according to the matching result.
In step S432, according to the inference result, the reference network threat type with the highest confidence as the network threat type to which the device session data belongs is determined as the second reference network threat type. After confidence reasoning of the target detection algorithm, each reference network threat type has a new confidence value, and the confidence values are compared to find out the reference network threat type corresponding to the maximum confidence.
In performing this step, the accuracy of the confidence comparison must be ensured. To avoid erroneous decisions due to data errors or algorithm fluctuations, the inference and comparison may be repeated. For example, confidence reasoning is performed several times on the session data of the same device, the confidence of each reference network threat type is recorded after each run, and statistics such as the average or the median of the recorded confidences are then calculated to obtain a more stable and accurate confidence value before the comparison that determines the second reference network threat type. In addition, other auxiliary information may be used to further verify and confirm the second reference network threat type, for example by checking in the historical data of the network session scene which network threat type appears most frequently under similar device session data characteristics, or by consulting a network security expert to evaluate the reference network threat type with the highest confidence.
In practical applications, the determined second reference network threat type may be analyzed together with the network threat types previously determined by other methods. For example, the second reference network threat type is compared with the first reference network threat type determined by the first general flow detection algorithm: if the two types are consistent, the network threat type of the device session data is further confirmed; if they differ, factors such as the reliability of the two detection methods and the specific characteristics of the device session data can be considered together to finally determine the target network threat type of the device session data.
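The rule-based variant of steps S431 and S432, as an added example that is not part of the patent text: a small rule engine adjusts the initial confidences from the transition detection result, the highest adjusted confidence selects the second reference network threat type, and repeated runs are stabilised with a median. The feature schema, rules, thresholds and sample session are all constructed for the illustration.

```python
"""Rule-based confidence reasoning for steps S431/S432 (constructed example)."""
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List


@dataclass
class SessionFeatures:
    """Constructed features of one device session (hypothetical schema)."""
    hour: int                   # local hour at which the session started
    bytes_out: int              # bytes sent to the remote peer
    external_peer: bool         # peer lies outside the enterprise network
    contains_sensitive: bool    # transferred content carries a sensitivity tag
    known_malware_server: bool  # peer matched a known malware server list


@dataclass
class Rule:
    """If `condition` holds, raise `target_type` by the proportion `boost`."""
    name: str
    condition: Callable[[SessionFeatures], bool]
    target_type: str
    boost: float


WORK_HOURS = range(9, 18)   # constructed: 09:00-17:59 counts as working hours

# Constructed rules in the spirit of the text: a bulk transfer of sensitive
# data to an external server outside working hours raises "data leakage".
RULES: List[Rule] = [
    Rule("bulk_sensitive_external_offhours",
         lambda f: f.hour not in WORK_HOURS and f.external_peer
         and f.contains_sensitive and f.bytes_out > 50_000_000,
         "data leakage", 0.5),
    Rule("peer_is_known_malware_server",
         lambda f: f.known_malware_server,
         "malware attack", 0.5),
]


def apply_rules(initial: Dict[str, float], features: SessionFeatures,
                rules: List[Rule] = RULES) -> Dict[str, float]:
    """Step S431: adjust confidences, then renormalise so they sum to 1.

    Renormalising after a boost lowers the other types in proportion, which
    is the "correspondingly decreased" behaviour described in the text.
    """
    conf = dict(initial)
    for rule in rules:
        if rule.target_type in conf and rule.condition(features):
            conf[rule.target_type] *= 1.0 + rule.boost
    total = sum(conf.values())
    return {t: v / total for t, v in conf.items()}


def second_reference_type(conf: Dict[str, float]) -> str:
    """Step S432: the reference type with the highest confidence wins."""
    return max(conf, key=conf.get)


def stabilised_confidence(runs: List[Dict[str, float]]) -> Dict[str, float]:
    """Median over repeated reasoning runs, as suggested for robustness."""
    return {t: median(run[t] for run in runs) for t in runs[0]}


if __name__ == "__main__":
    # Initial confidences taken from the transition detection result example.
    initial = {"malware attack": 0.1, "data leakage": 0.7}
    night_transfer = SessionFeatures(hour=2, bytes_out=80_000_000,
                                     external_peer=True,
                                     contains_sensitive=True,
                                     known_malware_server=False)
    adjusted = apply_rules(initial, night_transfer)
    print(adjusted, "->", second_reference_type(adjusted))
```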
The target detection algorithm trained for a network session scene may be obtained by training only on the device session dataset of that network session scene, unlike the network threat detection algorithm described above, which covers multiple network session scenes. A detection algorithm can thus be trained separately for each network session scene; it reasons, based on the input confidence degree of each network threat type and the device session data, about the confidence degree of each input network threat type being the network threat type corresponding to the device session data. In this way, the reference network threat type that the output of the target detection algorithm indicates as the network threat type corresponding to the device session data is taken as the second reference network threat type. Optionally, the target detection algorithm may reuse the characterization vector that the network threat detection algorithm extracted from the device session data: the characterization information mined by the network threat detection algorithm is loaded into the target detection algorithm, so that the target detection algorithm does not need to mine the characterization information of the device session data again and its calculation is simplified.
The number of parameters and the scale of the target detection algorithm are smaller than those of the network threat detection algorithm applicable to the plurality of network session scenes. Pairing a large pre-trained detection algorithm (namely the network threat detection algorithm) with a small algorithm (namely the target detection algorithm) shortens the training time of the target detection algorithm. In addition, the second reference network threat type corresponding to the device session data in the network session scene is determined by combining the network threat detection algorithm applicable to the plurality of network session scenes with the target detection algorithm applicable to the single network session scene: the confidence level output by the network threat detection algorithm serves as a basis for comparison, and reasoning on that confidence level with the target detection algorithm for the network session scene increases the reliability of the second reference network threat type obtained.
In another possible implementation, the cyber threat detection algorithm includes a pre-training algorithm and a plurality of domain-specific enhancement operators, one domain-specific enhancement operator corresponding to each of a plurality of cyber-session scenarios, based on which step S4 further includes:
Step S401, mining characterization information of the device session data through the pre-training algorithm to obtain a first session characterization vector;
Step S402, determining, among the plurality of domain-specific enhancement operators, the domain-specific enhancement operator corresponding to the network session scene;
Step S403, mining characterization information of the device session data through the domain-specific enhancement operator corresponding to the network session scene to obtain a second session characterization vector;
Step S404, performing network threat detection according to the fusion result of the first session characterization vector and the second session characterization vector to obtain a transition network threat detection result, wherein the transition network threat detection result indicates the second reference network threat type of the device session data among the multiple reference network threat types.
In step S401, characterization information is mined from the device session data by the pre-training algorithm to obtain a first session characterization vector. The pre-training algorithm is a generic model trained on a large amount of data that is capable of extracting representative feature information from the device session data and converting that information into vector form, i.e., the first session characterization vector. The vector reflects the overall characteristics and semantic information of the device session data and provides a basis for the subsequent network threat detection. In performing this step, the device session data is input into the pre-training algorithm. The pre-training algorithm analyzes various aspects of the device session data, such as packet size, transmission time, communication protocol, and source and destination addresses. Through the comprehensive processing of these features, the pre-training algorithm learns the internal patterns and rules of the device session data, thereby generating the first session characterization vector.
To accomplish this, a variety of pre-training algorithms may be employed, such as deep-learning based Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs) and their variants (e.g., LSTM, GRU), and the like. These algorithms can automatically learn complex feature patterns from device session data and have strong generalization capability. For example, a CNN may extract and abstract local features of the device session data through convolution and pooling layers, while an RNN and its variants can process sequence information in the device session data, such as time-ordered communication records.
In step S402, among the plurality of domain-specific enhancement operators, the domain-specific enhancement operator corresponding to the network session scene is determined. A domain-specific enhancement operator is a dedicated processing module designed for a particular network session scene; each operator corresponds to one network session scene, further analyzes and processes the device session data of that scene, and mines the specific features related to the scene. The domain-specific enhancement operator is a network dedicated to one network session scene and obtained by low-rank adaptive debugging (fine-tuning): it can be attached after the pre-training algorithm, its parameters are obtained from a low-rank decomposition of the pre-training matrix, and in the debugging stage only the parameters of the domain-specific enhancement operator are optimized while the parameters of the pre-training algorithm are not. This improves the overall training speed of the pre-training algorithm together with the plurality of domain-specific enhancement operators, while the overall performance of the algorithm and the knowledge it has learned remain fixed. When this step is executed, the plurality of domain-specific enhancement operators are searched and matched according to the network session scene mark corresponding to the device session data, and the domain-specific enhancement operator corresponding to the network session scene is determined.
The pre-training algorithm and the domain-specific enhancement operator corresponding to a network session scene are used together for threat detection of the device session data of that network session scene. The domain-specific enhancement operator corresponding to a network session scene is obtained by debugging on the device session dataset of that network session scene. When training the domain-specific enhancement operator corresponding to a network session scene, the parameters of the pre-training algorithm are fixed, and during debugging, optimization iterations are carried out on the parameters of the domain-specific enhancement operator corresponding to the network session scene.
Taking a first network session scene as an example, the device session dataset of the first network session scene comprises example device session data from the first network session scene and, for each example, a network threat type annotated from among the plurality of network threat types of the first network session scene. The debugging stage of the domain-specific enhancement operator corresponding to the first network session scene comprises the following steps: acquiring target example device session data and its corresponding network threat type from the device session dataset of the first network session scene; mining characterization information of the target example device session data through the pre-trained pre-training algorithm to obtain a first example session characterization vector; mining characterization information of the target example device session data through the domain-specific enhancement operator corresponding to the first network session scene to obtain a second example session characterization vector; weighting the first example session characterization vector and the second example session characterization vector to obtain a target example session characterization vector; performing network threat detection according to the target example session characterization vector to obtain an inferred network threat type of the target example device session data; and adjusting the parameters of the domain-specific enhancement operator according to the difference between the inferred network threat type and the annotated network threat type of the target example device session data, with the parameters of the pre-training algorithm kept fixed, until the debugging stop condition is met.
In step S403, characterization information is mined from the device session data by the domain-specific enhancement operator corresponding to the network session scene, so as to obtain a second session characterization vector. The domain-specific enhancement operator combines the characteristics of the network session scene, analyzes and processes the device session data in a more targeted way, mines the specific feature information related to the scene, and converts it into vector form, namely the second session characterization vector.
In performing this step, device session data is input into the corresponding domain-specific enhancement operator. The domain-specific enhancement operator can perform in-depth analysis on the device session data according to the special requirements and rules of the network session scene. To achieve this, the domain-specific enhancement operator can take a variety of forms. For example, it may contain specific rule engines for checking whether the device session data complies with the security policy of the network session scenario, and machine learning algorithms may also be employed to identify and classify specific patterns in the device session data.
In step S404, network threat detection is performed according to the fusion result of the first session characterization vector and the second session characterization vector, so as to obtain a transition network threat detection result, where the transition network threat detection result indicates the second reference network threat type to which the device session data belongs among the multiple reference network threat types. Fusing the first session characterization vector and the second session characterization vector allows the general features mined by the pre-training algorithm and the scene-specific features mined by the domain-specific enhancement operator to be used together, improving the accuracy of network threat detection. When this step is performed, a fusion method such as vector concatenation or weighted summation combines the two vectors. Vector concatenation joins the first session characterization vector and the second session characterization vector end to end into a longer vector; weighted summation assigns different weights to the vectors according to their importance and then adds the weighted vectors. After the fused vector is obtained, it is input into a classification model for network threat detection. The classification model may be a machine-learning based algorithm, such as a support vector machine, a decision tree or a neural network, or a deep-learning based classifier. The classification model classifies the device session data according to the fused vector features and judges which of the multiple reference network threat types the device session data belongs to, so that a transition network threat detection result is obtained which indicates the second reference network threat type to which the device session data belongs among the multiple reference network threat types.
In this embodiment, the network threat detection layer may perform confidence reasoning on the fusion result of the first session characterization vector and the second session characterization vector, so as to obtain the confidence coefficient of each reference network threat type, among the plurality of reference network threat types of the network session scene to which the device session data belongs, being the type of the device session data; the reference network threat type with the greatest confidence coefficient is added to the transition network threat detection result and accordingly used as the second reference network threat type.
In addition, the network threat detection tasks of the multiple network session scenes share the pre-training algorithm, and only the corresponding domain-specific enhancement operator needs to be debugged for each network session scene, so the number of parameters to be adjusted is small and debugging efficiency is improved. Likewise, when a network threat type is added to a network session scene, only the domain-specific enhancement operator corresponding to that network session scene needs to be debugged, and the whole network threat detection algorithm does not need to be debugged again.
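Steps S401 to S404 in plain Python, as an added example that is not part of the patent text: a frozen pre-training projection W, a low-rank domain-specific enhancement operator A @ B looked up by scene mark, weighted-sum fusion of the two characterization vectors, and a classification head whose softmax output gives the per-type confidences of the transition result. The matrices, the three-feature encoding and the scene mark are constructed for the demonstration; the example also counts the operator's parameters against a full fine-tune of W.

```python
"""Frozen backbone + low-rank scene operator + fusion + head (constructed)."""
import math
from typing import Dict, List, Tuple

Vector = List[float]
Matrix = List[List[float]]

# Reference network threat types of the constructed enterprise office scene.
REFERENCE_TYPES = ["malware attack", "data leakage", "phishing"]


def matvec(m: Matrix, v: Vector) -> Vector:
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def softmax(z: Vector) -> Vector:
    top = max(z)
    e = [math.exp(x - top) for x in z]
    s = sum(e)
    return [x / s for x in e]


class LowRankOperator:
    """Domain-specific enhancement operator: delta = A @ B with rank len(B).

    Only A and B are trained (r * (d_out + d_in) values); W stays frozen.
    """

    def __init__(self, a: Matrix, b: Matrix):
        self.a, self.b = a, b

    def delta(self) -> Matrix:
        return matmul(self.a, self.b)

    def param_count(self) -> int:
        return len(self.a) * len(self.a[0]) + len(self.b) * len(self.b[0])


# Constructed frozen pre-training projection W (d_out=2 x d_in=3). Input
# features: [bytes_out scaled to 0..1, off_hours flag, sensitive_content flag].
W_PRETRAINED: Matrix = [[1.0, 0.0, 0.0],
                        [0.0, 1.0, 1.0]]

# Constructed classification head: one weight row per reference type.
HEAD: Matrix = [[2.0, 0.0],    # malware attack
                [0.0, 1.5],    # data leakage
                [0.5, 0.5]]    # phishing

# Step S402: operators are selected by the network session scene mark.
# The office operator learned that off-hours bulk uploads look like leakage.
OPERATORS: Dict[str, LowRankOperator] = {
    "enterprise_office": LowRankOperator(a=[[0.0], [1.0]], b=[[0.0, 1.0, 0.0]]),
}


def first_vector(x: Vector) -> Vector:
    """Step S401: characterization mined by the frozen pre-training algorithm."""
    return matvec(W_PRETRAINED, x)


def second_vector(x: Vector, op: LowRankOperator) -> Vector:
    """Step S403: characterization mined by the scene's low-rank operator."""
    return matvec(op.delta(), x)


def fuse(v1: Vector, v2: Vector, alpha: float = 1.0) -> Vector:
    """Weighted-summation fusion: v1 + alpha * v2."""
    return [p + alpha * q for p, q in zip(v1, v2)]


def detect(fused: Vector) -> Dict[str, float]:
    """Step S404: head logits -> softmax confidences per reference type."""
    return dict(zip(REFERENCE_TYPES, softmax(matvec(HEAD, fused))))


def transition_result(x: Vector, scene_mark: str,
                      alpha: float = 1.0) -> Tuple[Dict[str, float], str]:
    """Full S401-S404 pass: confidences and the second reference threat type."""
    v1 = first_vector(x)
    op = OPERATORS.get(scene_mark)
    fused = fuse(v1, second_vector(x, op), alpha) if op else v1
    conf = detect(fused)
    return conf, max(conf, key=conf.get)


def full_finetune_param_count() -> int:
    """Parameters that would change if W itself were fine-tuned instead."""
    return len(W_PRETRAINED) * len(W_PRETRAINED[0])


if __name__ == "__main__":
    session = [0.8, 1.0, 0.0]   # constructed: large upload, off hours, untagged
    print(transition_result(session, "enterprise_office"))
    print(transition_result(session, "scene_without_operator"))
```

With the office operator the same session flips from "malware attack" (backbone alone) to "data leakage", which is the effect of the scene-specific branch that the text describes.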
In an embodiment, determining the target cyber threat type of the device session data in the cyber session scene based on the first reference cyber threat type and the second reference cyber threat type in the step S5 includes:
The first reference network threat type is determined after network threat detection is carried out on the equipment session data according to a plurality of reference network threat types in target intrusion detection guide information and network threat session example data of each reference network threat type through a first general flow detection algorithm, and the second reference network threat type is determined in the plurality of reference network threat types based on a transition network threat detection result output by the algorithm after the network threat detection is carried out on the equipment session data through the network threat detection algorithm. The target network threat type is the network threat type actually faced by the finally determined equipment session data in the current network session scene after the first reference network threat type and the second reference network threat type are comprehensively considered.
In determining the target network threat type, a variety of approaches may be used. One is a consistency determination: if the first reference network threat type and the second reference network threat type are the same, that type may be determined directly as the target network threat type. For example, in an enterprise office network scenario, the first general traffic detection algorithm finds through analysis of the device session data that the device frequently communicates with a known malware server, and so determines that the first reference network threat type is a malware attack; meanwhile, after the network threat detection algorithm detects the device session data, it also finds the characteristics of a malware attack in the device session data and determines that the second reference network threat type is also a malware attack. In this case, malware attack may be determined as the target network threat type of the device session data in the enterprise office network scenario.
When the first reference network threat type and the second reference network threat type differ, a voting mechanism or a weight allocation mechanism may be employed to determine the target network threat type. The voting mechanism counts the occurrences of each reference network threat type, and the type with the most occurrences is the target network threat type. For example, in a network environment containing multiple device session data, for a specific device session data the first reference network threat type is data disclosure and the second reference network threat type is phishing attack; when the other related device session data are detected, most of them are found to show a data disclosure threat, and data disclosure can then be determined as the target network threat type of that device session data through the voting mechanism. The weight allocation mechanism assigns different weights to the first reference network threat type and the second reference network threat type according to the reliability and accuracy of the different detection methods. For example, long-term testing and evaluation may show that the first general traffic detection algorithm is more accurate in detecting certain specific types of network threats, while the network threat detection algorithm has more advantages in detecting other types, so that different weights can be assigned to the results of the two detection methods. Assuming that the weight of the first general flow detection algorithm is 0.6 and the weight of the network threat detection algorithm is 0.4, the first reference network threat type is DDoS attack and the second reference network threat type is port scanning attack, the comprehensive score of the DDoS attack calculated from the weights is higher, so the DDoS attack is determined to be the target network threat type.
In addition, the type of the target network threat can be determined by combining the historical data and the characteristics of the network session scene. The major network threat types faced by different network session scenarios may be different, for example, in a financial transaction network scenario, data disclosure and fraud attacks may be the major threat types, while in an industrial control system network scenario, denial of service attacks and virus infections may be more common. The historical data of the network session scene can be consulted to know the frequency and trend of various network threat types in the scene, so that the target network threat type can be more accurately determined. For example, in a network scenario that is often subject to DDoS attacks, if the first reference network threat type is a DDoS attack and the second reference network threat type is another less severe threat type, historical data may be combined to more likely determine the DDoS attack as the target network threat type.
After the target network threat type is determined, corresponding measures can be taken to cope with the network threat, such as notifying the network administrator in time, starting the corresponding security protection mechanism, and isolating and repairing the affected devices, which facilitates blocking the device data. Meanwhile, the determined target network threat type and the related device session data can be recorded and analyzed so as to further study the characteristics and trends of network threats and continuously optimize the network security defense strategy. Considering the first reference network threat type and the second reference network threat type together, and determining the target network threat type in several ways, improves the accuracy and reliability of network threat detection and better ensures the safe and stable operation of the network.
In another possible embodiment, step S5 further includes:
Step S510, counting occurrence frequency of reference network threat types in a reference set, and determining a target network threat type of equipment session data in a network session scene based on the occurrence frequency counting result, wherein the reference set comprises a first reference network threat type and a second reference network threat type.
In step S510, occurrence frequency statistics is performed on the reference network threat types in the reference set, and a target network threat type of the device session data in the network session scene is determined based on the occurrence frequency statistics result, where the reference set includes a first reference network threat type and a second reference network threat type. The core of the step is that the final corresponding target network threat type of the equipment session data is determined according to the occurrence frequency by counting the occurrence frequencies of different reference network threat types in the reference set, so that the accuracy and the reliability of the judgment of the network threat types are improved.
The first reference network threat type is determined after network threat detection is carried out on the equipment session data according to a plurality of reference network threat types in target intrusion detection guide information and network threat session example data of each reference network threat type through a first general flow detection algorithm, and the second reference network threat type is determined in the plurality of reference network threat types based on a transition network threat detection result output by the algorithm after the network threat detection is carried out on the equipment session data through the network threat detection algorithm. These two reference network threat types are the underlying data for counting frequency of occurrence.
The computer system counts the occurrence frequency of the reference network threat types in the reference set. One way to implement this statistical process is to build a counter array in which each element corresponds to one reference network threat type and is initialized to 0. Whenever a reference network threat type is read from the reference set, the corresponding counter is incremented by 1. By traversing all elements of the reference set, the occurrence frequency of every reference network threat type is obtained. Assuming that, after multiple detections, the elements of the reference set are "malicious software attack", "data leakage" and "malicious software attack", the statistics give an occurrence frequency of 2 for "malicious software attack" and of 1 for "data leakage".
And after the occurrence frequency statistics is completed, determining the target network threat type of the equipment session data in the network session scene based on the statistics result. For example, the most frequently occurring reference network threat type is determined as the target network threat type. This is because the high frequency of occurrence means that the reference cyber-threat type is frequently identified under different detection methods, which is more likely to be the type of cyber-threat actually faced by the device session data.
In practice, it may happen that multiple reference network threat types occur with the same frequency and are all the highest. At this point, other auxiliary methods may be employed to further determine the target network threat type. One approach is to refer to historical data of the network session scenario to see which network threat types occur more frequently under similar device session data features. For example, if the historical data record of the enterprise office network scene shows that, under similar equipment communication behaviors and data transmission modes, the occurrence frequency of "malicious software attack" is far higher than that of "data leakage", then "malicious software attack" can be determined as the target network threat type even though the two types occur with the same frequency in the statistics. Another approach is to incorporate the opinion of a network security specialist. The specialist can analyze and judge the reference network threat types with the same occurrence frequency according to professional expertise and experience, and provide reference advice. The expert's opinion can serve as an important reference factor, and the target network threat type is determined after comprehensive consideration.
When step S510 is executed, the occurrence frequency statistics is performed on the reference network threat types in the reference set, and the target network threat types are determined according to the statistics result. The process can comprehensively utilize the results of different detection methods, improves the accuracy and reliability of network threat type judgment, and provides more powerful support for subsequent network security defense measures. Meanwhile, when the conditions of the same occurrence frequency are processed, the determination process of the threat type of the target network can be further optimized by combining auxiliary methods such as historical data and expert opinions, and the safe and stable operation of the network can be better ensured.
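One way to carry out the counting and tie-breaking described for step S510, written as an added Python example that is not part of this patent; the scene name, the historical frequency table and the threat type labels are constructed for illustration:

```python
from typing import Dict, List, Optional

# Constructed historical record of how often each reference network threat type
# was observed per network session scene (assumed illustrative values, not real data).
HISTORICAL_FREQUENCY: Dict[str, Dict[str, int]] = {
    "enterprise office": {
        "malicious software attack": 120,
        "data leakage": 35,
        "port scan": 60,
    },
}


def count_reference_types(reference_set: List[str]) -> Dict[str, int]:
    """Counter array equivalent: one counter per reference network threat type,
    incremented by 1 for every element read from the reference set."""
    counts: Dict[str, int] = {}
    for threat_type in reference_set:
        counts[threat_type] = counts.get(threat_type, 0) + 1
    return counts


def determine_target_threat_type(
    reference_set: List[str],
    scene: str,
    history: Dict[str, Dict[str, int]] = HISTORICAL_FREQUENCY,
) -> Optional[str]:
    """Return the most frequent reference type. On a tie, prefer the type that the
    scene's historical data reports more often; if the history cannot break the
    tie either, return None so the case is handed to a security specialist."""
    if not reference_set:
        return None
    counts = count_reference_types(reference_set)
    highest = max(counts.values())
    candidates = sorted(t for t, c in counts.items() if c == highest)
    if len(candidates) == 1:
        return candidates[0]
    prior = history.get(scene, {})
    ranked = sorted(candidates, key=lambda t: prior.get(t, 0), reverse=True)
    # Two or more candidates remain here; a tie the history cannot break is escalated.
    if prior.get(ranked[0], 0) == prior.get(ranked[1], 0):
        return None
    return ranked[0]


if __name__ == "__main__":
    refs = ["malicious software attack", "data leakage", "malicious software attack"]
    print(count_reference_types(refs))
    print(determine_target_threat_type(refs, "enterprise office"))
```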
In another possible implementation, the reference set further includes a third reference cyber-threat type to which the device session data belongs among the plurality of reference cyber-threat types, the method further comprising:
Step S5.1, querying, in an equipment session database corresponding to the network session scene, reference example equipment session data whose pattern matches that of the equipment session data, wherein the equipment session database corresponding to the network session scene comprises a plurality of example equipment session data stored in association with reference network threat types under the network session scene;
Step S5.2, determining a third reference network threat type of the device session data in the multiple reference network threat types according to the reference network threat types associated with the reference example device session data.
In this embodiment, the device session data is queried in the device session database corresponding to the network session scene, so as to determine the reference network threat type corresponding to the device session data, which is defined as the third reference network threat type. The third reference cyber-threat type is also at least one of a plurality of reference cyber-threat types of the cyber-session scene.
The device session database corresponding to the network session scenario stores reference network threat types in association with example device session data, and the reference network threat type associated with a piece of example device session data is regarded as the reference network threat type corresponding to that example device session data. The example device session data in the device session database corresponding to a network session scenario is related to that network session scenario.
For example, a pattern matching commonality degree may be calculated between the device session data and each piece of example device session data in the device session database corresponding to the network session scene, and the example device session data whose pattern matching commonality degree with the device session data exceeds a pattern matching degree threshold is taken as the reference example device session data.
In step S5.1, reference example device session data whose pattern matches that of the device session data is queried in a device session database corresponding to a network session scenario, where the device session database corresponding to the network session scenario includes a plurality of example device session data stored in association with reference network threat types under the network session scenario. The device session database is a collection storing a large amount of example device session data associated with different network session scenarios, each piece of which is associated with a particular reference network threat type; this provides the data basis for pattern matching. The device session data pattern refers to the combination of features presented by the device session data, including information such as the size of a data packet, the transmission frequency, the communication port, the protocol type, the accessed IP address, etc.; these feature combinations form the unique pattern of the device session data.
In performing this step, the pattern of the current device session data is compared with the patterns of the example device session data in the device session database. One approach to this comparison is feature matching: key features of the device session data and of the example device session data are extracted and the similarity between them is calculated. For example, a cosine similarity algorithm may be used to calculate the similarity between two vectors, where each dimension of a vector corresponds to one feature of the device session data. The smaller the angle between the two vectors, the closer the cosine value is to 1, and the higher their similarity. Another approach is rule-based matching, where a series of rules describing the characteristics and matching conditions of different device session data patterns is predefined. When a query is made, the device session data is matched against the rules to find the example device session data that satisfies them.
In step S5.2, a third reference network threat type to which the device session data belongs among the plurality of reference network threat types is determined based on the reference network threat types associated with the reference example device session data. When reference example device session data matching the device session data pattern is found in the device session database, the reference network threat type associated with the reference example device session data is checked and determined as a third reference network threat type of the device session data.
Further, when pattern matching is performed, it may happen that a plurality of reference example device session data match the pattern of the device session data. In this case, a variety of policies may be employed to determine the third reference network threat type. One strategy is to count, over all matched reference example device session data, the number of occurrences of each associated reference network threat type, and to select the reference network threat type with the highest count as the third reference network threat type. Another strategy is to combine other auxiliary information, such as the generation time of the reference example device session data and the credibility of its data source, and to comprehensively judge and select the most suitable reference example device session data together with its associated reference network threat type.
In practical applications, the determined third reference network threat type may be comprehensively analyzed with the first and second reference network threat types previously determined by other methods. For example, the three reference network threat types may be formed into a reference set, then the occurrence frequency statistics is performed on the reference network threat types in the reference set, and the reference network threat type with the highest occurrence frequency is determined as the target network threat type of the device session data in the network session scene. Therefore, the method can comprehensively utilize various detection methods and information of data sources, and improves the accuracy and reliability of determining the type of the equipment session data network threat.
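The cosine similarity matching of step S5.1 and the majority selection of step S5.2, written out as an added Python example that is not part of this patent. The feature set, the scaling constants, the contents of the example database and the threshold of 0.95 are constructed assumptions:

```python
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed scaling constants: continuous features are divided by a plausible maximum so
# that no single large-valued feature dominates the cosine similarity.
MAX_PACKET_SIZE = 1500.0     # bytes, a typical Ethernet MTU
MAX_TRANSMISSIONS = 100.0    # transmissions per hour

Session = Dict[str, float]


def feature_vector(session: Session) -> List[float]:
    """Turn a device session data pattern into a numeric vector.
    The port is one-hot encoded (80 / 443 / other) rather than used as a raw number."""
    port = int(session.get("port", 0))
    return [
        float(session.get("packet_size", 0)) / MAX_PACKET_SIZE,
        float(session.get("transmissions_per_hour", 0)) / MAX_TRANSMISSIONS,
        1.0 if port == 80 else 0.0,
        1.0 if port == 443 else 0.0,
        1.0 if port not in (80, 443) else 0.0,
        1.0 if session.get("external_dst") else 0.0,
    ]


def cosine_similarity(a: List[float], b: List[float]) -> float:
    """Cosine of the angle between two feature vectors; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


# Constructed device session database: scene -> [(example session, reference threat type)].
EXAMPLE_DATABASE: Dict[str, List[Tuple[Session, str]]] = {
    "home wireless": [
        ({"packet_size": 300, "transmissions_per_hour": 15, "port": 443, "external_dst": 0}, "no threat"),
        ({"packet_size": 1400, "transmissions_per_hour": 90, "port": 6667, "external_dst": 1}, "malicious software attack"),
        ({"packet_size": 1450, "transmissions_per_hour": 80, "port": 8080, "external_dst": 1}, "malicious software attack"),
        ({"packet_size": 1200, "transmissions_per_hour": 60, "port": 443, "external_dst": 1}, "data leakage"),
    ],
}


def find_reference_examples(
    session: Session,
    scene: str,
    threshold: float = 0.95,
    database: Dict[str, List[Tuple[Session, str]]] = EXAMPLE_DATABASE,
) -> List[Tuple[float, str]]:
    """Step S5.1: every example whose pattern matching commonality degree (here the
    cosine similarity) with the queried session exceeds the threshold is a reference example."""
    query = feature_vector(session)
    matches: List[Tuple[float, str]] = []
    for example, threat_type in database.get(scene, []):
        similarity = cosine_similarity(query, feature_vector(example))
        if similarity > threshold:
            matches.append((similarity, threat_type))
    return matches


def determine_third_reference_type(session: Session, scene: str, threshold: float = 0.95) -> Optional[str]:
    """Step S5.2: when several reference examples match, take the reference threat type
    that occurs most often among them (ties broken by name so the result is deterministic)."""
    matches = find_reference_examples(session, scene, threshold)
    if not matches:
        return None
    counts = Counter(threat_type for _, threat_type in matches)
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return ranked[0][0]


if __name__ == "__main__":
    suspicious = {"packet_size": 1380, "transmissions_per_hour": 85, "port": 6667, "external_dst": 1}
    print(find_reference_examples(suspicious, "home wireless"))
    print(determine_third_reference_type(suspicious, "home wireless"))
```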
In another possible implementation manner, the method provided by this embodiment further includes a process of constructing a device session database, and specifically includes:
Step S10, session data constraint information aiming at a network session scene is obtained;
Step S20, generating device session data according to session data generation guide information and session data constraint information through a second general flow detection algorithm to obtain example device session data meeting the session data constraint information;
Step S30, performing network threat detection on the example equipment session data based on a plurality of different third universal flow detection algorithms according to network threat detection intrusion detection guide information and the session data constraint information, to obtain a plurality of network threat detection results of the example equipment session data;
Step S40, determining a target network threat type corresponding to the example equipment session data in a plurality of network threat detection results of the example equipment session data;
Step S50, the example equipment session data and the target network threat types corresponding to the example equipment session data are associated and stored in an equipment session database corresponding to the network session scene.
In step S10, session data constraint information for a network session scenario is acquired. Session data constraint information is various restrictions and specifications for device session data in a particular network session scenario, which specifies the conditions that the device session data should satisfy in terms of format, content, behavior, etc. The constraint information is formulated according to the characteristics and the security requirements of a network session scene, for example, in an enterprise office network scene, session data constraint information may specify that the communication ports of the device can only be specific ports, the data transmission time can only be within the working time range, and the transmitted data content cannot contain sensitive information and the like. These session data constraint information may be obtained from a network management system, security policy profile, or related security standard documents.
In step S20, device session data is generated by the second universal traffic detection algorithm according to the session data generation guide information and the session data constraint information, so as to obtain example device session data satisfying the session data constraint information. Session data generation guide information is information that guides the generation of device session data, and may contain rules, patterns, examples, etc. for data generation, helping to generate representative device session data. The second general traffic detection algorithm is an algorithm capable of generating device session data according to given guide information and constraint conditions; it generates example device session data according to the requirements of the session data generation guide information on the premise of satisfying the session data constraint information. In performing this step, the session data generation guide information and the session data constraint information are input into the second general traffic detection algorithm. The algorithm gradually generates the device session data according to the rules and patterns in the guide information, combined with the limitations of the constraint information. For example, the algorithm generates complete device session data based on the packet format and communication frequency specified in the guide information, while following the restrictions on ports and data content in the session data constraint information.
To accomplish this, one approach is a template-based generation method, where templates of device session data are predefined that contain the basic packet structure and communication patterns. The algorithm then populates and modifies the templates according to the session data generation guide information and the session data constraint information to generate example device session data that meets the requirements. Another approach is a machine learning-based generation method, which may use a machine learning model such as a generative adversarial network (GAN): the distribution of device session data is learned by training the model, and example device session data is then generated from the session data generation guide information and the session data constraint information. For example, in a home wireless network scenario, the session data generation guide information may specify that the device communicates 10-20 times per hour, with packet sizes between 100-500 bytes, while the session data constraint information specifies that the only communication ports are 80 and 443. Combining this information, the second general flow detection algorithm generates example device session data whose communication frequency, packet size and port information all satisfy the requirements.
In step S30, based on a plurality of different third universal traffic detection algorithms, network threat detection is performed on the session data of the example device according to the network threat detection intrusion detection guide information and the session data constraint information, so as to obtain a plurality of network threat detection results of the session data of the example device. The network threat detection intrusion detection guide information comprises a plurality of reference network threat types of network session scenes, network threat session example data of each reference network threat type and the like, and provides references and bases for network threat detection. The third generic traffic detection algorithm is an algorithm for detecting network threats to device session data, and different third generic traffic detection algorithms may employ different detection strategies and techniques, so that example device session data may be detected from multiple angles.
In performing this step, the example device session data is input into each of a plurality of different third generic traffic detection algorithms. Each algorithm analyzes and judges the example device session data according to the network threat detection intrusion detection guide information and the session data constraint information, and outputs a corresponding network threat detection result. These results may include information on whether the example device session data carries a network threat and, if so, to which reference network threat type it belongs.
For example, in one enterprise office network scenario, three different third general traffic detection algorithms are used to detect the generated example device session data. The first algorithm may be based on a rule matching method, matching the example device session data against the rules in the network threat detection intrusion detection guide information and judging whether a network threat exists; the second algorithm may be based on a machine learning classification method, classifying the example device session data through a trained model and determining the reference network threat type to which it belongs; and the third algorithm may be based on a behavior analysis method, analyzing whether the communication behavior of the example device session data is abnormal and judging whether a potential network threat exists. Each algorithm outputs a network threat detection result.
In step S40, a target network threat type corresponding to the example device session data is determined from the plurality of network threat detection results of the example device session data. Because different third general traffic detection algorithms may produce different detection results, these results must be considered comprehensively to determine the most accurate target network threat type.
One method of determining the target network threat type is a voting mechanism: the number of occurrences of each reference network threat type in the plurality of detection results is counted, and the reference network threat type with the largest number of occurrences is determined as the target network threat type. Another method is a weight allocation mechanism: different weights are assigned to each third general traffic detection algorithm according to its reliability and accuracy, a comprehensive score for each reference network threat type is then calculated from the detection result of each algorithm and the corresponding weight, and the reference network threat type with the highest comprehensive score is determined as the target network threat type.
For example, in the example of the enterprise office network scenario, the detection results of the three third general flow detection algorithms are that the first algorithm judges that "malicious software attack" exists in the session data of the example device, the second algorithm judges that "data leakage" exists, and the third algorithm judges that "malicious software attack" exists. By adopting a voting mechanism, the 'malicious software attack' appears twice and the 'data leakage' appears once, so the 'malicious software attack' is determined as the target network threat type corresponding to the session data of the example equipment.
In step S50, the example device session data and the target network threat type corresponding to the example device session data are stored in a device session database corresponding to the network session scene in an associated manner. The device session database is a collection storing a large number of example device session data related to different network session scenes and associated reference network threat types, and the newly generated example device session data and corresponding target network threat types are stored in the database, so that the content of the database can be enriched, and more reference data can be provided for subsequent network threat detection.
In performing this step, the example device session data and the target network threat type are stored in the device session database in a defined format and structure. For example, the example device session data and the target network threat type may be stored as a record containing the details of the example device session data and an identification of the corresponding target network threat type.
In practical application, this series of steps can be performed to continuously enrich the equipment session database and improve the accuracy and reliability of network threat detection. By generating more example equipment session data that conforms to the session data constraint information, performing accurate network threat detection on it and storing it in classified form, continuously changing network security threats can be better dealt with, and the safe and stable operation of the network is ensured. Meanwhile, the equipment session database must be maintained and updated regularly, so that the accuracy and timeliness of the data in the database are always maintained. In addition, for newly emerging network threat types and changes in session data constraint information, the policies for generating example device session data and performing network threat detection need to be adjusted in time to accommodate the new network security environment.
In another possible implementation manner, in step S20, after device session data has been generated by the second universal traffic detection algorithm according to the session data generation guide information and the session data constraint information, and example device session data meeting the session data constraint information has been obtained, the method further includes:
Step S201, perturbing the example equipment session data to obtain perturbed equipment session data;
Step S202, performing network threat detection on the perturbed equipment session data based on a plurality of different third universal flow detection algorithms according to the corresponding network threat detection intrusion detection guide information and session data constraint information, to obtain a plurality of network threat detection results of the perturbed equipment session data;
Step S203, determining a target network threat type corresponding to the perturbed equipment session data from the plurality of network threat detection results of the perturbed equipment session data;
Step S204, the perturbed equipment session data and the target network threat type corresponding to the perturbed equipment session data are associated and stored in the equipment session database corresponding to the network session scene.
In step S201, the example device session data is perturbed to obtain perturbed device session data. Perturbation refers to modifying or adjusting certain features of the example device session data so that it deviates somewhat from the original example device session data yet remains within reasonable limits, in order to simulate the various changes and anomalies that may occur in a network environment. The example device session data is the device session data meeting specific conditions that was generated in step S20 by the second general traffic detection algorithm from the session data generation guide information and the session data constraint information. The perturbed device session data is device session data whose characteristics are similar to, but differ from, those of the example device session data.
One way to do this is to perturb the packet characteristics of the device session data. For example, the size of the data packet, the transmission time, the communication port, etc. may be randomly adjusted. Assuming that one packet size in the example device session data is 500 bytes, the packet size may be randomly increased or decreased over a range, such as by adjusting it to 480 bytes or 520 bytes. Another approach is to perturb the communication behavior of the device session data, such as changing the frequency of the communication, the object of the communication, etc. For example, the devices in the example device session data communicate with a certain server 10 times per hour, and the communication frequency may be adjusted to 8 or 12 times per hour. In addition, the data content in the device session data can be disturbed. For example, when some text information is included in the example device session data, certain characters in the text may be replaced, inserted, or deleted to simulate errors or tampering that may occur during the transmission of the data.
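Template-based generation under constraints (step S20) and the bounded perturbation of step S201, as an added Python example not taken from this patent. The guide values (10-20 transmissions per hour, 100-500 byte packets) and the port constraint (80 and 443 only) follow the home wireless example above; the constraint ranges, the payload template and the perturbation bounds are assumptions:

```python
import random
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SessionConstraints:
    """Session data constraint information for a scene (assumed structure)."""
    allowed_ports: FrozenSet[int]
    packet_size_range: Tuple[int, int]      # inclusive, bytes
    transmissions_range: Tuple[int, int]    # inclusive, per hour


@dataclass(frozen=True)
class GenerationGuide:
    """Session data generation guide information (assumed structure)."""
    packet_size_range: Tuple[int, int]
    transmissions_range: Tuple[int, int]
    payload_template: str


@dataclass(frozen=True)
class DeviceSession:
    port: int
    packet_size: int
    transmissions_per_hour: int
    payload: str


def satisfies(session: DeviceSession, c: SessionConstraints) -> bool:
    """Check a session against the session data constraint information."""
    return (
        session.port in c.allowed_ports
        and c.packet_size_range[0] <= session.packet_size <= c.packet_size_range[1]
        and c.transmissions_range[0] <= session.transmissions_per_hour <= c.transmissions_range[1]
    )


def _intersect(a: Tuple[int, int], b: Tuple[int, int]) -> Tuple[int, int]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    if lo > hi:
        raise ValueError("guide information and constraint information are contradictory")
    return lo, hi


def generate_example_session(guide: GenerationGuide, c: SessionConstraints,
                             rng: Optional[random.Random] = None) -> DeviceSession:
    """Template-based generation: template fields are filled from the guide ranges
    narrowed to the constraint ranges, so the result always satisfies the constraints."""
    rng = rng or random.Random()
    size_lo, size_hi = _intersect(guide.packet_size_range, c.packet_size_range)
    freq_lo, freq_hi = _intersect(guide.transmissions_range, c.transmissions_range)
    return DeviceSession(
        port=rng.choice(sorted(c.allowed_ports)),
        packet_size=rng.randint(size_lo, size_hi),
        transmissions_per_hour=rng.randint(freq_lo, freq_hi),
        payload=guide.payload_template,
    )


def perturb_session(session: DeviceSession, rng: random.Random,
                    size_delta: int = 20, freq_delta: int = 2) -> DeviceSession:
    """Step S201: adjust packet size and communication frequency within a bounded range
    and tamper with one payload character, simulating changes during transmission.
    Whether the result still satisfies the constraints is checked separately with
    satisfies(); a perturbed session that violates them is itself useful detector input."""
    size = max(1, session.packet_size + rng.randint(-size_delta, size_delta))
    freq = max(0, session.transmissions_per_hour + rng.randint(-freq_delta, freq_delta))
    chars = list(session.payload)
    if chars:
        i = rng.randrange(len(chars))
        chars[i] = "#" if chars[i] != "#" else "?"
    return replace(session, packet_size=size, transmissions_per_hour=freq, payload="".join(chars))


# Constructed scene parameters for the home wireless example.
HOME_WIRELESS_CONSTRAINTS = SessionConstraints(frozenset({80, 443}), (64, 1500), (0, 100))
HOME_WIRELESS_GUIDE = GenerationGuide((100, 500), (10, 20), "GET /status HTTP/1.1")


def build_session_pair(seed: int) -> Tuple[DeviceSession, DeviceSession]:
    """Generate one example session and one perturbed copy with a seeded generator."""
    rng = random.Random(seed)
    example = generate_example_session(HOME_WIRELESS_GUIDE, HOME_WIRELESS_CONSTRAINTS, rng)
    return example, perturb_session(example, rng)


if __name__ == "__main__":
    example, perturbed = build_session_pair(7)
    print(example, satisfies(example, HOME_WIRELESS_CONSTRAINTS))
    print(perturbed, satisfies(perturbed, HOME_WIRELESS_CONSTRAINTS))
```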
In step S202, based on a plurality of different third universal traffic detection algorithms, network threat detection is performed on the session data of the disturbance device according to the corresponding network threat detection intrusion detection guide information and session data constraint information, so as to obtain a plurality of network threat detection results of the session data of the disturbance device. The third general flow detection algorithm is an algorithm for detecting network threat to the equipment session data, and different algorithms may adopt different detection strategies and technologies, so that the disturbance equipment session data can be analyzed and judged from multiple angles. The network threat detection intrusion detection guide information comprises a plurality of reference network threat types of network session scenes, network threat session example data of each reference network threat type and the like, and provides references and bases for network threat detection. The session data constraint information specifies the conditions that the device session data should satisfy in terms of format, content, behavior, etc., and ensures that the detection process is performed within a reasonable range.
In performing this step, the perturbed device session data is input into each of a plurality of different third generic flow detection algorithms. Each algorithm analyzes and judges the perturbed device session data according to the network threat detection intrusion detection guide information and the session data constraint information, and outputs a corresponding network threat detection result. These results may include information on whether the perturbed device session data carries a network threat, which reference network threat type it belongs to, and so on.
For example, three different third general traffic detection algorithms are used to detect the perturbed device session data. The first algorithm may be based on a rule matching method, matching the perturbed device session data against the rules in the network threat detection intrusion detection guide information and judging whether a network threat exists; the second algorithm may be based on a machine learning classification method, classifying the perturbed device session data through a trained model to determine the reference network threat type; and the third algorithm may be based on a behavior analysis method, analyzing whether the communication behavior of the perturbed device session data is abnormal and judging whether a potential network threat exists. Each algorithm outputs a network threat detection result.
In step S203, a target network threat type corresponding to the perturbed device session data is determined from the plurality of network threat detection results of the perturbed device session data. Because different third general traffic detection algorithms may produce different detection results, these results must be considered comprehensively to determine the most accurate target network threat type.
The voting mechanism, the weight allocation mechanism, etc. mentioned above may be used in determining the threat type of the target network, which will not be described herein.
In step S204, the disturbance device session data and the target network threat type corresponding to the disturbance device session data are stored in a device session database corresponding to the network session scene in an associated manner. The equipment session database is a set which stores a large number of example equipment session data related to different network session scenes and associated reference network threat types, and the disturbance equipment session data and the corresponding target network threat types are stored in the database, so that the content of the database can be further enriched, and more reference data are provided for subsequent network threat detection.
When this step is performed, the perturbed device session data and the target network threat type are stored in the device session database in a defined format and structure. For example, the perturbed device session data and the target network threat type may be stored as a record containing the detailed information of the perturbed device session data and an identification of the corresponding target network threat type.
By perturbing the example device session data, a more complex and varied network environment can be simulated, so that the network threat detection algorithm can better cope with various potential security threats. For example, in an actual network, device session data may be affected by factors such as network delay, data loss, malicious tampering, etc., and disturbance device session data similar to those cases may be generated through disturbance processing, so as to improve robustness and adaptability of a network threat detection algorithm. Meanwhile, the disturbance equipment session data and the corresponding target network threat types are stored in the equipment session database, so that more training data and reference samples can be provided for subsequent network threat detection, and the accuracy and reliability of detection can be improved.
When the steps S201-S204 are executed, network threat detection is carried out on the disturbance equipment session data by carrying out disturbance on the example equipment session data, the target network threat type is determined, and the correlation is stored in the equipment session database, so that the equipment session database can be enriched, the comprehensiveness and accuracy of the network threat detection are enhanced, and the safe and stable operation of a network is better ensured.
In another possible implementation, the target intrusion detection guidance information further includes device session data templates for respective reference network threat types. The method provided by the embodiment can further comprise the following steps:
Step S101, acquiring a complementary network threat type aiming at a network session scene and second session data constraint information annotated for the complementary network threat type;
Step S102, generating device session data according to session data generation guide information and supplementary session data constraint information through a second general flow detection algorithm to obtain second example device session data meeting the supplementary session data constraint information;
Step S103, associating and storing the second example equipment session data and the supplementary network threat type into an equipment session database corresponding to the network session scene;
Step S104, adding the second example device session data, the supplementary network threat type and the network threat session example data annotated for the supplementary network threat type into the target intrusion detection guide information, wherein the second example device session data serves as the device session data template for the supplementary network threat type in the target intrusion detection guide information.
In step S101, the supplementary network threat type for the network session scene and the second session data constraint information annotated for it are acquired. The supplementary network threat type is a newly discovered or newly defined network threat type beyond the reference network threat types contained in the original target intrusion detection guide information. As network technology develops and network attack techniques evolve, new network threats keep appearing and must be incorporated into the network security defense system, which is why supplementary network threat types need to be acquired. The second session data constraint information is a set of constraints formulated for the data characteristics and behavior patterns specific to the supplementary network threat type; it defines the format, content, behavior and other requirements that device session data related to that threat type must meet, so that the new network threat can be accurately identified and detected.
One way to obtain supplementary network threat types and second session data constraint information is from network security intelligence platforms, which collect, collate and analyze emerging threat information and from which the latest supplementary threat types and corresponding constraint information can be obtained. Another way is through the feedback and research results of network security specialists: after analyzing network security events, specialists identify new network threat types and formulate the corresponding constraints, and this information can be acquired from them.
For example, in an enterprise office network scenario, with the widespread use of cloud computing technology, a new type of network threat, cloud service account hijacking, has emerged. The complementary network threat type is obtained from the network security information platform, and second session data constraint information annotated for the complementary network threat type is obtained, such as abnormal cloud service login requests, frequent account authority change operations and the like.
In step S102, device session data generation is performed according to the session data generation guidance information and the supplemental session data constraint information by a second general traffic detection algorithm, so as to obtain second example device session data satisfying the supplemental session data constraint information. The second generic traffic detection algorithm is an algorithm that is capable of generating device session data based on given guidance information and constraints. The session data generation guide information provides rules and patterns for the generation of device session data, while the supplemental session data constraint information restricts and normalizes the generated device session data, ensuring that the generated second example device session data is relevant to and meets the feature requirements of the supplemental network threat type.
In performing this step, the session data generation guide information and the supplemental session data constraint information are input into the second general flow detection algorithm. The algorithm gradually generates second example device session data in accordance with the rules and patterns in the guide information, combined with the constraints of the supplemental session data constraint information. For example, the algorithm may generate complete second example device session data based on the packet format and communication frequency specified in the guide information, while following the restrictions on cloud service login requests and account authority change operations in the supplemental session data constraint information.
To accomplish this, one approach is a template-based generation method that predefines a number of device session data templates associated with supplemental network threat types, the templates comprising a basic packet structure and communication patterns. The algorithm then populates and modifies the template according to the session data generation guide information and the supplemental session data constraint information to generate second example device session data that meets the requirements. Another approach is a machine learning based generation method, which may use models such as a generative adversarial network (GAN): the model is trained to learn the distribution of device session data related to the supplemental network threat type, and then generates second example device session data from the session data generation guide information and the supplemental session data constraint information.
For example, in the enterprise office network scenario, for the supplemental network threat type of cloud service account hijacking, the session data generation guide information specifies the packet format and frequency of an abnormal login request, and the supplemental session data constraint information specifies the time range of abnormal logins and the operation features of account authority changes. Combining this information, the second general flow detection algorithm generates second example device session data that contains abnormal cloud service login requests and account authority change operations meeting the requirements.
In step S103, the second example device session data and the supplemental network threat type are stored in association in the device session database corresponding to the network session scene. The device session database is a collection storing a large number of example device session data related to different network session scenes and their associated reference network threat types; storing the second example device session data and the supplemental network threat type in association in the database enriches its content and provides more reference data for subsequent network threat detection.
In performing this step, the second example device session data and the supplemental network threat type are stored in the device session database in a defined format and structure. For example, they may be stored as a record containing the details of the second example device session data and an identification of the corresponding supplemental network threat type.
In step S104, the second example device session data, the supplemental network threat type, and the network threat session example data annotated for the supplemental network threat type are added to the target intrusion detection guide information, where the second example device session data serves as the device session data template for the supplemental network threat type. The target intrusion detection guide information comprises a plurality of reference network threat types of the network session scene, the network threat session example data of each reference network threat type, the device session data templates and the like, and provides the references and basis for network threat detection. Adding the second example device session data, the supplemental network threat type and the corresponding network threat session example data to the target intrusion detection guide information makes it more comprehensive and accurate, so that the network threat detection algorithm can be better guided to identify and detect newly appearing network threat types.
When this step is performed, the second example device session data, the supplemental cyber-threat type, and the cyber-threat session example data are integrated and added in accordance with the format and structure of the target intrusion detection guidance information. For example, a new entry is added to the target intrusion detection guidance information, including an identification of the complementary network threat type, corresponding network threat session example data, and related information using the second example device session data as a device session data template.
Along with the continuous change of network environment and the continuous evolution of network threat, the effectiveness and adaptability of network security defense can be improved by timely updating and expanding the target intrusion detection guide information and the equipment session database. By acquiring the new complementary network threat type and corresponding constraint information, the related second example equipment session data is generated and stored in a database and added into the target intrusion detection guide information, so that the network threat detection algorithm can better identify and cope with the newly-appearing network threat, and the safe and stable operation of the network is ensured. In addition, there is a need to manage and maintain this newly added information. For example, the second example device session data and the cyber threat session example data are updated and validated periodically to ensure accuracy and timeliness thereof. Meanwhile, the definition and classification of the complementary network threat types are continuously optimized and adjusted to better adapt to the change of the network security situation.
When steps S101-S104 are executed, the supplemental network threat type and the second session data constraint information are acquired, the second example device session data is generated from them, the association is stored in the device session database, and the second example device session data is added to the target intrusion detection guide information. Newly appearing network threats can thus be dealt with in time, the network security defense capability is enhanced, and a strong guarantee is provided for the secure operation of the network.
In another possible implementation, the target intrusion detection guidance information further includes device session data templates for respective reference network threat types, the method further comprising:
step S105, acquiring difficult device session data corresponding to the network session scene;
Step S106, acquiring annotation network threat types annotated to the difficult device session data and network threat session example data annotated for the annotation network threat types;
Step S107, the difficult equipment session data and the corresponding annotation network threat type association are stored in an equipment session database corresponding to the network session scene;
Step S108, adding the difficult device session data, the corresponding annotation network threat type and the network threat session example data annotated for the annotation network threat type into the target intrusion detection guide information, wherein the difficult device session data serves as the device session data template for the annotation network threat type in the target intrusion detection guide information.
In step S105, the difficult device session data corresponding to the network session scene is acquired. Difficult device session data refers to session data that cannot be accurately identified by the existing detection methods. In an actual network environment, because network attack techniques keep changing and device session data is complex, some device session data may appear for which it is hard to judge whether a network threat exists and, if so, which type of network threat it belongs to. Such difficult device session data may have special features, such as abnormal packet formats, communication behavior that does not conform to conventional patterns, or unknown encrypted content, that make it difficult for existing network threat detection algorithms to classify and identify them accurately.
One way to obtain difficult device session data is to tag and collect the difficult device session data when the detection results of existing detection algorithms on some device session data are uncertain or disputed during the daily network threat detection process. For example, in an enterprise office network, when detecting the session data of a device, it is found that the communication behavior of a certain device neither accords with the normal service flow nor completely matches with the known network threat mode, and at this time, the session data of the device can be obtained as difficult device session data. Another approach is to derive from analysis of network security events, where relevant device session data tends to have high complexity and uncertainty when some hard-to-interpret network security event occurs, which can be included in the category of difficult device session data.
In step S106, the annotated cyber-threat type annotated to the difficult device session data, and cyber-threat session example data annotated to the annotated cyber-threat type are acquired. The annotation network threat type is a network threat type possibly corresponding to the difficult device session data according to deep analysis and research of the difficult device session data by network security experts or related personnel. The cyber threat session example data is a sample of device session data associated with an annotated cyber threat type that can be characterized by the cyber threat type, which example data can help better understand and identify the annotated cyber threat type.
The annotation network threat types and network threat session example data are typically obtained through the expertise and experience of network security specialists. A specialist analyzes the difficult device session data in detail, including the packet contents, the timing pattern of the communication and the accessed destination addresses, combines this with expert knowledge and awareness of the network security situation to judge the network threat type the difficult device session data may correspond to, and provides the corresponding network threat session example data. For example, for difficult device session data observed in an enterprise network, the data show that the device frequently communicates with an unknown external IP address during non-working hours and that the transmitted data is encrypted. After analysis, the network security specialist judges that the annotation network threat type possibly corresponding to this difficult device session data is "data theft", and provides device session data from some previous data theft events as the network threat session example data.
In step S107, the difficult device session data and the corresponding annotation network threat type association are saved in the device session database corresponding to the network session scene. The device session database is a collection which stores a large number of example device session data related to different network session scenes and associated reference network threat types, and the difficult device session data and the corresponding annotation network threat types are associated and stored in the database, so that the content of the database can be enriched, and more reference data can be provided for subsequent network threat detection.
In performing this step, the difficult device session data and corresponding annotated network threat types are stored in a device session database in a format and structure. For example, the difficult device session data and the annotated network threat type may be stored as a record containing detailed information of the difficult device session data and an identification of the corresponding annotated network threat type. In this way, new device session data may be more accurately classified and identified with reference to such information in the database during subsequent network threat detection.
In step S108, the difficult device session data, the corresponding annotation network threat type, and the network threat session example data annotated for the annotation network threat type are added to the target intrusion detection guide information, where the difficult device session data serves as the device session data template for the annotation network threat type. The target intrusion detection guide information comprises a plurality of reference network threat types of the network session scene, the network threat session example data of each reference network threat type, the device session data templates and the like, and provides the references and basis for network threat detection. Adding the difficult device session data, the corresponding annotation network threat type and the network threat session example data to the target intrusion detection guide information makes it more comprehensive and accurate, so that the network threat detection algorithm can be better guided to identify and detect network threat types that are newly appearing or hard to identify.
When the step is executed, the difficult device session data, the corresponding annotation network threat type and the network threat session example data are integrated and added according to the format and structure of the target intrusion detection guidance information. For example, a new entry is added to the target intrusion detection guidance information, including an identification of the type of the annotated network threat, corresponding network threat session example data, and related information using the difficult device session data as a device session data template. In this way, in the subsequent network threat detection process, the network threat detection algorithm can refer to the newly added information to perform more accurate judgment on the device session data.
With the continuous development of network technology and the increasing complexity of network attack means, the occurrence of difficult device session data is unavoidable. The difficult equipment session data are processed and are incorporated into the equipment session database and the target intrusion detection guide information, so that a network threat detection system can be continuously perfected, and the detection accuracy and the detection comprehensiveness are improved. For example, when a new network attack mode occurs, the initial device session data may be difficult to accurately identify, and by annotating and processing these difficult device session data, the subsequent detection algorithm may better identify similar attack behaviors and take precautions in time.
In addition, this newly added information needs to be managed and maintained. For example, the difficult device session data and the cyber threat session example data are updated and verified periodically to ensure accuracy and timeliness. Meanwhile, the definition and classification of the annotation network threat types are continuously optimized and adjusted to better adapt to the change of the network security situation.
When steps S105-S108 are executed, the difficult device session data are acquired and annotated, the difficult device session data and their annotation network threat types are stored in association in the device session database and added to the target intrusion detection guide information, so that the network threat detection system can be continuously perfected, the network security defense capability is improved, complex and changeable network security environments are better dealt with, and the safe and stable operation of the network is ensured.
For the difficult device session data, the embodiment stores the difficult device session data and the corresponding annotation network threat type in association in the device session database corresponding to the network session scene, and adds the difficult device session data, the corresponding annotation network threat type and the network threat session example data annotated for that type into the target intrusion detection guide information. If device session data matching the pattern of the difficult device session data is later acquired, the device session database corresponding to the network session scene can be queried and network threat detection performed on the basis of the matching device session data, and the first general flow detection algorithm can perform accurate network threat detection on the device session data under the guidance of the target intrusion detection guide information. In contrast, the prior art only uses the network threat detection algorithm to detect network threats, and when difficult device session data is acquired the network threat detection algorithm must be iterated again before device session data similar to the difficult device session data can be accurately detected.
The application determines the network threat detection result cooperatively by combining the three network threat detection modes. Even if the network threat detection algorithm is not iteratively updated when a network threat type is supplemented, the detection result obtained at that moment is still accurate, because the device session database corresponding to the network session scene is queried and the network threat is detected by the first general flow detection algorithm under the guidance of the target intrusion detection guide information, so the reliability of the determined network threat type is ensured. When difficult device session data is acquired, a response can be made in a short period, and the network threat detection algorithm can be iterated according to a preset iteration period.
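To make the data structures of steps S101-S104 and S105-S108 concrete, the following is an added example (not code from the patent or any implementation of it): a small Python model of the device session database and the target intrusion detection guide information, the template-based generation of second example device session data under constraint information, the storing of an expert-annotated difficult session as a template, and the matching a first general flow detection algorithm would then perform against the guide information. All field names, sample sessions and the combination rule in determine_target_type are assumptions made for illustration.

```python
# Added example, not the patent's own code: a minimal model of the equipment session
# database and target intrusion detection guide information of steps S101-S104 and
# S105-S108, plus the template matching done by the first general flow detection
# algorithm. Field names, sample sessions and the step S5 rule are assumptions.
# Constraint info maps a field to an inclusive (lo, hi) range or a set of values.
OFFICE_TEMPLATE = {"dst": "intranet", "hour": 10, "encrypted": False,
                   "cloud_logins": 1, "privilege_changes": 0}  # constructed template


def satisfies(session, constraints):
    """True when every constrained field of the session is within its range or set."""
    for name, allowed in constraints.items():
        value = session[name]
        if isinstance(allowed, tuple):
            if not allowed[0] <= value <= allowed[1]:
                return False
        elif value not in allowed:
            return False
    return True


def generate_example_session(template, constraints):
    """Step S102 (template-based): set each constrained field to its smallest allowed value."""
    session = dict(template)
    for name, allowed in constraints.items():
        session[name] = allowed[0] if isinstance(allowed, tuple) else min(allowed)
    return session


class SessionDatabase:
    """Equipment session database of one network session scene (steps S103, S107)."""
    def __init__(self, scene):
        self.scene, self.records = scene, []  # records: (session, threat_type) pairs

    def store(self, session, threat_type):
        self.records.append((dict(session), threat_type))

    def query(self, session, fields):
        """Threat types of stored sessions equal to `session` on the given fields."""
        return sorted({t for s, t in self.records
                       if all(s[f] == session[f] for f in fields)})


class GuideInfo:
    """Target intrusion detection guide information (per type: examples, template, constraints)."""
    def __init__(self):
        self.entries = {}

    def add(self, threat_type, template, examples, constraints):
        self.entries[threat_type] = {"template": dict(template),
                                     "examples": list(examples),
                                     "constraints": dict(constraints)}

    def first_reference_type(self, session):
        """First general flow detection: first threat type whose constraints hold."""
        return next((t for t, e in self.entries.items()
                     if satisfies(session, e["constraints"])), None)


def add_supplementary_type(db, guide, threat_type, template, constraints, examples):
    """Steps S101-S104: generate, store (S103) and register as template (S104)."""
    example = generate_example_session(template, constraints)
    db.store(example, threat_type)
    guide.add(threat_type, example, examples + [example], constraints)
    return example


def add_difficult_session(db, guide, session, annotated_type, examples, key_fields):
    """Steps S105-S108: store the annotated session (S107); it becomes its type's template (S108)."""
    db.store(session, annotated_type)
    constraints = {f: {session[f]} for f in key_fields}  # key fields: exact match
    guide.add(annotated_type, session, examples, constraints)
    return constraints


def determine_target_type(first_ref, second_ref):
    """Step S5 (assumed rule): the guide-based type wins, so no algorithm re-iteration is needed."""
    return first_ref if first_ref is not None else second_ref


def demo():
    """Office scenario from the text; returns (target threat type, matching DB types)."""
    db, guide = SessionDatabase("enterprise_office"), GuideInfo()
    hijack = {"cloud_logins": (5, 50), "privilege_changes": (3, 10), "hour": (0, 5)}
    add_supplementary_type(db, guide, "cloud_account_hijacking", OFFICE_TEMPLATE, hijack, [])
    difficult = {"dst": "unknown_external", "hour": 2, "encrypted": True,
                 "cloud_logins": 0, "privilege_changes": 0}  # expert-annotated
    add_difficult_session(db, guide, difficult, "data_theft", [], ["dst", "encrypted"])
    seen = {"dst": "unknown_external", "hour": 3, "encrypted": True,
            "cloud_logins": 0, "privilege_changes": 0}  # new session, same pattern
    first = guide.first_reference_type(seen)  # legacy algorithm (assumed) returns None
    return determine_target_type(first, None), db.query(seen, ["dst", "encrypted"])
```

Running demo() classifies the new session as "data_theft" from the guide information alone, even though the assumed legacy threat detection algorithm has not been re-iterated.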
Embodiment 3. The foregoing is a schematic description of the device data blocking detection method based on network security defense of this embodiment. It should be noted that the technical solution of the device data blocking detection system based on network security defense and that of the device data blocking detection method based on network security defense belong to the same concept; for details of the system's technical solution not described in this embodiment, refer to the description of the method's technical solution.
The embodiment also provides a system for the device data blocking detection method based on network security defense, which comprises the following modules:
the device and network session information acquisition module is used for acquiring device session data and a network session scene mark of a corresponding network session scene;
the associated guide information acquisition module is used for acquiring target intrusion detection guide information associated with the network session scene mark;
The general flow initial detection module is used for detecting the network threat to the equipment session data through a first general flow detection algorithm based on the target intrusion detection guide information, and determining a first reference network threat type of the equipment session data;
The specific algorithm fine detection module is used for carrying out network threat detection on the equipment session data through the network threat detection algorithm, and determining a second reference network threat type corresponding to the equipment session data based on a transition network threat detection result output by the network threat detection algorithm;
The threat type comprehensive judging module is used for determining a target network threat type of the equipment session data in a network session scene based on the first reference network threat type and the second reference network threat type.
The embodiment also provides a computing device, suitable for the device data blocking detection method based on network security defense, which comprises:
A memory and a processor; the memory is configured to store computer executable instructions, and the processor is configured to execute the computer executable instructions to implement a device data blocking detection method based on network security defense as set forth in the above embodiment.
The present embodiment also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the network security defense-based device data blocking detection method as proposed in the above embodiments.
The storage medium proposed in this embodiment belongs to the same inventive concept as the device data blocking detection method based on network security defense proposed in the above embodiment, and technical details not described in detail in this embodiment can be seen in the above embodiment, and this embodiment has the same beneficial effects as the above embodiment.
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.