CN106506567A - A proactive discovery method for covert network attacks based on behavior evaluation - Google Patents

Abstract

The invention discloses the hidden network attack that a kind of Behavior-based control is passed judgment on is actively discovered method, including：Using fuzzy clustering algorithm to being classified according to its behavior characteristics by the mobile subscriber of " mobile subscriber's behavior is credible judge " result " insincere "；The corresponding aggressive behavior factor is defined as each mobile subscriber's behavior characteristicss, the corresponding aggressive behavior metric of mobile subscriber is set up, using the hidden attack depth mining algorithm based on fuzzy clustering；The aggressive behavior factor of " insincere " mobile subscriber is calculated, judges that " insincere " mobile subscriber is attacked with the presence or absence of certain；If being somebody's turn to do " insincere " mobile subscriber has aggressive behavior, corresponding coping strategy is taken.The present invention solves the contradiction under mobile internet environment between the low controllability of safety applications and demand for security；The present invention prevents the hidden network attack that may occur in advance, is to build safe and reliable mobile Internet applied environment based theoretical.

Description

A proactive discovery method for covert network attacks based on behavior evaluation

technical field

The invention belongs to the technical field of mobile Internet, and in particular relates to a method for actively discovering concealed network attacks based on behavior evaluation.

Background technique

Since covert network attacks in the current mobile Internet environment are still in the stage of exploration and research, no better solution can be found even in the short term. A large number of practices have proved that human behavior is cyclical and regular, and the behaviors shown at intervals are similar; and the mobile Internet, which is closely related to human beings, is more and more in line with certain characteristics of human behavior. Certain behaviors of mobile users in the mobile Internet also have periodicity and regularity. At the same time, considering that the existing knowledge discovery methods, blacklist detection methods, whitelist detection methods, digital signature detection methods, sandbox detection technologies, etc. cannot cope with unknown hidden network attacks, and it is also difficult to detect the attack behavior of the hostile party. , The means or methods of concealed network attacks are developing rapidly, and the attack behaviors are also emerging in an endless stream. Traditional knowledge discovery methods based on known attack means or methods, blacklist detection methods, whitelist detection methods, digital signature detection methods, sand Box detection technology cannot satisfy the discovery or detection of new attack means or methods in a complex network environment. These detection methods are improvements on the basis of traditional network attack detection and defense methods, and there is no qualitative breakthrough. They are traditional knowledge discovery methods based on known attack methods or methods, blacklist detection methods, whitelist detection methods, digital Signature detection methods and sandbox detection technologies can only detect or detect known attacks, and it is difficult to detect and defend against the current ever-changing covert network attacks; and behavioral feature detection is the most fundamental technology for active discovery of covert network attacks (behavioral Feature detection is firstly through statistics and analysis of mobile user behavior; then combined with covert network attack behavior rules to detect mobile user behavior (compared with the rules in the attack behavior feature database); finally, according to the detection results, it is found whether there is an attack behavior , can only discover or detect known attacks. Existing knowledge discovery methods, blacklist detection methods, whitelist detection methods, digital signature detection methods, sandbox detection techniques, etc. cannot discover or detect unknown network attacks (this is Because traditional knowledge discovery methods, blacklist detection methods, whitelist detection methods, digital signature detection methods, sandbox detection techniques, etc. can only discover or detect known attack means or methods)

To sum up, the existing knowledge discovery methods, blacklist detection methods, whitelist detection methods, digital signature detection methods, sandbox detection technologies, etc. cannot cope with unknown hidden network attacks, and it is difficult to detect the enemy's aggressive behavior.

Contents of the invention

The purpose of the present invention is to provide a method for actively discovering concealed network attacks based on behavior evaluation, aiming to solve the existing knowledge discovery methods, blacklist detection methods, whitelist detection methods, digital signature detection methods, sandbox detection technologies, etc. Neither can cope with unknown covert network attacks, and it is also difficult to detect the attack behavior of the hostile party.

The present invention is achieved in this way, a method for actively discovering a concealed network attack based on behavioral judgment, the method for actively discovering a concealed network attack based on behavioral judgment includes the following steps:

Step 1, using fuzzy clustering algorithm to classify mobile users who pass the "credible evaluation of mobile user behavior" results as "unreliable" according to their behavior characteristics;

Step 2: mining and discovering attackers from the mobile users judged as "untrustworthy"; defining the behavior characteristics of each mobile user as corresponding attack behavior factors, establishing the corresponding attack behavior measurement indicators of mobile users, and introducing fuzzy clustering based The mining algorithm adopts the deep mining algorithm of concealed network attack behavior based on fuzzy clustering;

Step 3: Calculate the attack behavior factor of the "untrustworthy" mobile user, and determine whether there is some kind of attack in the "untrustworthy" mobile user; if the "untrustworthy" mobile user has attack behavior, then adopt corresponding countermeasures.

Further, the method for classifying behavioral characteristics includes:

Divide n vectors into c fuzzy classes, calculate the cluster center and membership matrix of each class, and solve the fuzzy partition matrix and cluster center that make the clustering objective function J the smallest;

x _i is the weighted behavior feature value of mobile user u _i , c _j is the jth cluster center, which has the same dimension as x _i , v _ij is the membership degree of mobile user u _i to category j, V=[ v _ij ] is the membership matrix, and the objective function J is defined as the weighted average sum of the distances from various types of data to the corresponding cluster centers;

By iteratively calculating the degree of membership and clustering center, the objective function is minimized. The calculation methods of degree of membership and clustering center are shown in the formulas respectively:

Among them, d _ij is the distance from the i-th data to the j-th data center c _j d _ij =||x _i -c _j ||; set a threshold ε(0<ε<1), when |V ^{(k +1)} Stop iteration when -V ^(k) |<ε.

Further, the method for classifying behavioral characteristics specifically includes:

(a) Initialize the membership matrix V;

(b) Calculate the k-th classification center c _k with the k-th degree of membership matrix V ^(k) ;

(c) Utilize the degree of membership matrix V ^(k) of the kth time to update the degree of membership matrix V ^(k+1) of the k+1 time;

(d) Judge whether the iteration condition is met according to the threshold ε (0<ε<1), if |V ^(k+1) -V ^(k) |<ε, terminate the iteration, otherwise repeat steps (b) and (c) , (d) to iterate.

Further, the depth mining algorithm includes:

(a) Initialization: specific or untrustworthy mobile user set U, user set U' = φ with attack behavior, threshold ε = 0, the characteristic value of the latest behavior attribute of mobile user u _i is x _i , mobile user u _i The latest characteristic value with the attribute of aggressive behavior

(b) Conduct behavior statistics and analysis on the characteristic value x _i of mobile user u _i , and obtain the latest characteristic value of mobile user u _i with attack behavior attribute

(c) Calculate x _i to The Euclidean distance of and the attack behavior factor of mobile user u _i And perform normalization processing;

(d) Judging the attack behavior index of mobile user u _i according to ζ _i , and comparing it with the threshold ε, giving the judgment of whether mobile user u _i has aggressive behavior.

Another object of the present invention is to provide a mobile Internet utilizing the method for actively discovering covert network attacks based on behavior evaluation.

The method for actively discovering hidden network attacks based on behavior evaluation provided by the present invention introduces algorithms and theories such as fuzzy clustering, mining algorithms, and similarity comparison, and designs a mechanism and method for actively discovering hidden network attacks in the mobile Internet environment. The concealed network attack active discovery model based on behavior evaluation in the Internet environment solves the contradiction between the low controllability and security requirements of security applications in the mobile Internet environment; A credible mobile Internet application environment lays a theoretical foundation, which is of great significance for timely discovery of security threats, protection of personal privacy and property security, maintenance of public network security, construction of a safe and credible mobile Internet application environment, and promotion of mobile Internet security research and development. , and has practical value. Since most covert network attacks disguise or hide their own network communication in legal normal network data flows to avoid security detection; and the active discovery model of covert network attacks in the present invention is based on the cloud model theory in the previous study On the basis of the mathematical model of mobile user behavior management and the trusted evaluation model of mobile user behavior based on cloud model reasoning, the present invention uses the behavior feature classification algorithm based on fuzzy C-means clustering and the network attack behavior deep data mining algorithm based on fuzzy clustering , dig out whether there is an attack behavior (covert attack behavior) from the complex behavior hidden in the mobile user, and has the initiative. The behavior feature classification method adopts the behavior feature classification algorithm based on fuzzy C-means clustering, through iterative calculation of membership degree and cluster center, the objective function is minimized, and the latest behavior features of mobile users are recorded. The deep mining algorithm is based on the classification of behavioral characteristics to compare specific (untrustworthy) mobile users' similarity and other theories to find out mobile users with aggressive behavior.

Description of drawings

Fig. 1 is a flow chart of a method for actively discovering covert network attacks based on behavior evaluation provided by an embodiment of the present invention.

Fig. 2 is a specific implementation flow chart of the method for actively discovering covert network attacks based on behavior evaluation provided by an embodiment of the present invention.

detailed description

In order to make the object, technical solution and advantages of the present invention more clear, the present invention will be further described in detail below in conjunction with the examples. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

The application principle of the present invention will be described in detail below in conjunction with the accompanying drawings.

As shown in Figure 1, the method for actively discovering concealed network attacks based on behavior judgment provided by the embodiment of the present invention includes the following steps:

S101: Using a fuzzy clustering algorithm to classify mobile users who have passed the "credible evaluation of mobile user behavior" results "not credible" according to their behavioral characteristics;

S102: Mining and discovering attackers from mobile users judged as "untrustworthy"; defining the behavior characteristics of each mobile user as corresponding attack behavior factors, establishing corresponding attack behavior metrics for mobile users, and introducing fuzzy clustering-based The mining algorithm adopts the deep mining algorithm of hidden network attack behavior based on fuzzy clustering;

S103: Calculate the attack behavior factor of the "untrustworthy" mobile user, and determine whether the "untrustworthy" mobile user has some kind of attack; if the "untrustworthy" mobile user has attack behavior, adopt a corresponding countermeasure.

The application principle of the present invention will be further described below in conjunction with the accompanying drawings.

The basic idea of the present invention's active discovery of covert network attacks based on behavior evaluation (as shown in Figure 2): firstly adopt fuzzy clustering algorithm (the present invention intends to adopt fuzzy C-means clustering algorithm, research mobile Internet environment based on fuzzy C Behavioral feature classification algorithm based on mean value clustering) to classify mobile users who pass the "credible evaluation of mobile user behavior" results "untrustworthy" according to their behavioral features (in order to quickly and efficiently discover hidden attacks in the mobile Internet environment, In the present invention, at first intend to mine and discover the assailant from being judged as " unreliable " mobile user (this is because the mobile user of " credible " generally is " law-abiding " user); Certainly, In practical applications, mobile users whose evaluation results are "credible" can be further mined to find out whether they have covert attack behaviors according to the actual situation, so as to prevent the occurrence of "trustworthy is safe" and prevent the real attacker from being missed.) , divided into mobile user behavior characteristics with smaller granularity; then, each mobile user behavior characteristic is defined as the corresponding attack behavior factor, and the corresponding attack behavior measurement index of mobile users is established, and a mining algorithm based on fuzzy clustering is introduced to study and propose A deep mining algorithm for covert network attack behavior based on fuzzy clustering; finally, calculate the attack behavior factor of the "untrustworthy" mobile user to determine whether there is any kind of attack on the "untrustworthy" mobile user; if the "untrustworthy" mobile user has an attack behavior, adopt corresponding coping strategies. (Because most of the covert network attacks are all to camouflage or conceal their network communication in the legal normal network data flow, to avoid security detection; and the covert network attack active discovery model of the present invention is based on the cloud model theory in the previous research Based on the mathematical model of mobile user behavior management and the credible evaluation model of mobile user behavior based on cloud model reasoning, the behavior feature classification algorithm based on fuzzy C-means clustering and the deep mining of network attack behavior based on fuzzy clustering of the present invention are used. According to the algorithm, dig out whether there is an attack behavior (concealed attack behavior) from the complex behavior hidden in the mobile user, and has initiative, so the present invention calls it a concealed network attack active discovery model based on behavior evaluation.)

The invention provides a behavior characteristic classification algorithm based on fuzzy C-means clustering and a hidden network attack behavior depth mining algorithm based on fuzzy clustering.

Definition 1. x _i is the characteristic value of the i-th mobile user u _i (i=1, 2,...,n) behavior attribute (i=1,2,...,n), t _j is the weight coefficient Where x _ij (j=1,2,...,m) is the feature value of user u _i about the jth behavior attribute.

Definition 2. Attack behavior factor of mobile user u _i (i=1, 2, ..., n) is the attack behavior metric based on the Euclidean distance of the mobile user u _i , where is the characteristic value of the mobile user u _i having the attack behavior attribute.

① Behavioral feature classification algorithm based on fuzzy C-means clustering

Fuzzy C-Means Clustering (Fuzzy C-Means Clustering, FCM) divides n vectors into c fuzzy classes, and calculates the cluster center and membership matrix of each class to solve the clustering objective function J (see the formula for the objective function (1)) The smallest fuzzy partition matrix and cluster center.

In formula (2), x _i is the weighted behavior feature value of mobile user u _i , c _j is the jth cluster center (with the same dimension as x _i ), v _ij is the classification of mobile user u _i The degree of membership of j, V=[v _ij ] is the membership matrix, and the objective function J can be defined as the weighted average sum of the distances from various data to the corresponding cluster center (research of the present invention uses Euclidean distance to calculate the distance from the data to the cluster center distance).

The behavior feature classification algorithm based on fuzzy C-means clustering achieves the minimization of the objective function by iteratively calculating the degree of membership and the cluster center. The calculation methods of membership degree and cluster center are shown in formula (2) and formula (3) respectively:

Wherein, d _ij is the distance from the i-th data to the j-th data center c _j d _ij =|| _xi -c _j ||. Set a threshold ε (0<ε<1) in the behavioral feature classification algorithm based on fuzzy C-means clustering, and stop iteration when |V ^(k+1) -V ^(k) |<ε; when m is close to When 1, the algorithm is close to the C-means algorithm (the selection of m needs to come from a large number of experiments and practical experience).

The flow of behavior feature classification algorithm based on fuzzy C-means clustering is as follows:

(a) Initialize the membership matrix V;

(b) Calculate the k-th classification center c _k with the k-th degree of membership matrix V ^(k) ;

(c) Utilize the degree of membership matrix V ^(k) of the kth time to update the degree of membership matrix V ^(k+1) of the k+1 time;

(d) Judge whether the iteration condition is met according to the threshold ε (0<ε<1), if |V ^(k+1) -V ^(k) |<ε, terminate the iteration, otherwise repeat steps (b) and (c) , (d) to iterate.

②Deep mining algorithm for concealed network attack behavior based on fuzzy clustering

In order to use the classification algorithm based on fuzzy C-means clustering to measure the attack behavior of mobile users, firstly, statistics and analysis are made on the behavior distribution of mobile users, and the latest behavior characteristics of mobile users are recorded at the same time; on this basis, a method based on fuzzy Clustering hidden network attack behavior depth mining algorithm, the specific process is as follows:

(a) Initialization: specific (untrustworthy) mobile user set U, user set U'=φ with aggressive behavior, threshold ε=0, the characteristic value of the latest behavior attribute of mobile user u _i is x _i , mobile user u _i latest feature value with attack behavior attribute

(b) Conduct behavior statistics and analysis on the characteristic value x _i of mobile user u _i , and obtain the latest characteristic value of mobile user u _i with attack behavior attribute

(c) Calculate x _i to The Euclidean distance of and the attack behavior factor of mobile user u _i And perform normalization processing;

(d) Judging the attack behavior index of mobile user u _i according to ζ _i , and comparing it with the threshold ε, giving the judgment of whether mobile user u _i has aggressive behavior.

Introduce fuzzy clustering, mining algorithms, similarity comparison and other theories, and design a mechanism and method for the active discovery of hidden network attacks based on behavioral evaluation in the mobile Internet environment, to solve the problem of low controllability and security requirements of security applications in the mobile Internet environment. Low controllability means that in the current network environment, due to hacker attacks, users sometimes cannot control their own resources; Effectively solve the contradiction between this low controllability and safety requirements. Prevent possible covert cyber attacks in advance.

The application effects of the present invention will be described in detail below in conjunction with experiments.

In order to verify the effectiveness, feasibility and security of the behavioral evaluation-based concealed network attack active discovery model of the present invention, the actual application scene in the mobile Internet environment is simulated to conduct experimental verification of network attack discovery. For example, a number of hidden network attacks are pre-set in the mobile office environment, and the hidden network attack active discovery model of the present invention is simulated and applied to the mobile office network to verify whether the preset hidden network attacks can be found, so as to verify Feasibility and effectiveness of the model of the present invention; by simulating and designing a mobile user tampering experiment in a mobile office environment, analysis and description of how the model of the present invention prevents the controllability problem of mobile users, and how to solve the security application under the mobile office network environment In order to solve the problem of contradiction between low controllability and security requirements, at the same time, according to the analysis of experimental result data, the active discovery model of concealed network attacks based on behavior evaluation is revised and perfected in the present invention.

The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention should be included in the protection of the present invention. within range.

Claims (5)

1. the hidden network attack that a kind of Behavior-based control is passed judgment on is actively discovered method, it is characterised in that the Behavior-based control is commented The hidden network attack that sentences is actively discovered method and comprises the following steps：

Step one, using fuzzy clustering algorithm to the mobile subscriber by " mobile subscriber's behavior is credible judge " result " insincere " Classified according to its behavior characteristics；

Step 2, excavates from the mobile subscriber for being judged as " insincere " and finds attacker；Special for each mobile subscriber's behavior Levy and be defined as the corresponding aggressive behavior factor, set up the corresponding aggressive behavior metric of mobile subscriber, and introduce based on fuzzy The mining algorithm of cluster, using the hidden attack depth mining algorithm based on fuzzy clustering；

Step 3, calculates the aggressive behavior factor of " insincere " mobile subscriber, judges that " insincere " mobile subscriber whether there is certain Plant and attack；If being somebody's turn to do " insincere " mobile subscriber has aggressive behavior, corresponding coping strategy is taken.

2. the hidden network attack that Behavior-based control as claimed in claim 1 is passed judgment on is actively discovered method, it is characterised in that institute The method for stating behavior characteristicss classification includes：

N vector is divided into c fuzzy class, by calculating the cluster centre and Subject Matrix of each class, is solved and is caused cluster mesh The minimum fuzzy partition matrixs of scalar functions J and cluster centre；

$J=\underset{i=1}{\overset{n}{\&Sigma;}}\underset{j=1}{\overset{c}{\&Sigma;}}{v}_{ij}^m\left|\right|x_i-c_j\left|\right|,1\&le;m\&le;\mathrm{\&infin;};$

x_iFor mobile subscriber u_iBehavior characteristicss value after being weighted, c_jFor j-th cluster centre, with x_iThere is same dimension, v_ijFor mobile subscriber u_iDegree of membership to the j that classifies, V=[v_ij] it is Subject Matrix, object function J is defined as Various types of data to accordingly The weighted average of cluster centre distance and；

By iterating to calculate degree of membership and cluster centre, function to achieve the objective is minimized, the calculating side of degree of membership and cluster centre Method is respectively as shown in formula：

$v_{ij}=\frac{1}{\underset{k=1}{\overset{c}{\&Sigma;}}{\&lsqb;\frac{d_{ij}}{d_{kj}}\&rsqb;}^{\frac{2}{m-1}}};$

$c_j=\frac{\underset{j=1}{\overset{n}{\&Sigma;}}{\left(v_{ij}\right)}^m{x}_j}{\underset{j=1}{\overset{n}{\&Sigma;}}{\left(v_{ij}\right)}^m};$

Wherein, d_ijFor i-th data to j-th data center c_jApart from d_ij=| | x_i-c_j||；One threshold values ε (0 ＜ ε is set ＜ 1), as | V^(k+1)-V^(k)| stop iteration during ＜ ε.

3. the hidden network attack that Behavior-based control as claimed in claim 2 is passed judgment on is actively discovered method, it is characterised in that institute The method for stating behavior characteristicss classification is specifically included：

A () initializes subordinated-degree matrix V；

B () is with the subordinated-degree matrix V of kth time^(k)Calculate classification center c of kth time_k；

The subordinated-degree matrix V of (c) using kth time^(k)The subordinated-degree matrix V that renewal kth is+1 time^(k+1)；

D () judges whether to meet iterated conditional according to threshold values ε (0 ＜ ε ＜ 1), if | V^(k+1)-V^(k)| ＜ ε, terminate iteration, otherwise Repeat step (b), (c), (d) are iterated.

4. the hidden network attack that Behavior-based control as claimed in claim 1 is passed judgment on is actively discovered method, it is characterised in that institute Stating depth mining algorithm includes：

A () initializes：Specific or insincere mobile subscriber collects U, the user collection U'=φ with aggressive behavior, and threshold values ε=0 is moved Employ family u_iThe eigenvalue of newest behavior property is x_i, mobile subscriber u_iThe newest eigenvalue with aggressive behavior attribute

B () is to mobile subscriber u_iEigenvalue x_iBehavioral statisticses and analysis is carried out, mobile subscriber u is obtained_iNewest with aggressive behavior The eigenvalue of attribute

C () calculates x_iArriveEuclidean distance and mobile subscriber u_iThe aggressive behavior factorAnd it is normalized place Reason；

D () is according to ζ_iJudge mobile subscriber u_iAggressive behavior index, compared by carrying out size with threshold values ε, provide mobile subscriber u_iWhether there is the judgement of aggressive behavior.

5. the hidden network attack side of being actively discovered that Behavior-based control described in a kind of utilization claim 1～5 any one is passed judgment on The mobile Internet of method.