CN115333801B - Method and system based on bidirectional message intrusion detection - Google Patents
Abstract
The invention provides a method and a system based on bidirectional message intrusion detection. Time-sequence and spatial features are extracted from the message (packet) data and classified with a random forest, which detects comprehensively, quickly brings out the required feature vectors, and uses the integrated, differing classification capabilities of its trees to address what intrusion detection based on ports or payload keywords cannot handle in the prior art, namely the encrypted traffic used by malicious code. In addition, the time stamps carried by the bidirectional messages are used to calculate the message transmission time, the deviation between that time and the time estimated by channel measurement is computed, and from this deviation it is judged whether the message data of the client has been maliciously tampered with; this introduces a further detection angle to assist the classifier and improves detection accuracy.
Description
Technical Field
The application relates to the technical field of network security, and in particular to a method and a system based on bidirectional message intrusion detection.
Background
With the continuing development of traffic encryption, encrypted traffic has gradually replaced unencrypted traffic as the mainstream of today's networks. At the same time, encrypted traffic is often used by malicious software to evade traditional intrusion detection systems based on ports or payload keywords, posing a serious threat to network security.
The conventional method for detecting encrypted traffic uses a convolutional neural network model to identify encrypted feature vectors. This does make intrusion detection on encrypted traffic possible, but a single detection angle is easily affected by how well the model was trained. Other detection angles need to be introduced to assist, which helps to improve detection accuracy.
A targeted method and system based on two-way message intrusion detection are therefore urgently needed.
Disclosure of Invention
The invention aims to provide a method and a system based on bidirectional message intrusion detection that solve two problems: malicious code evading intrusion detection based on ports or payload keywords by means of encrypted messages, and a single detection angle being easily affected by the training effect of the model.
In a first aspect, the present application provides a method for bidirectional message intrusion detection, the method comprising:
obtaining message data of a client, dividing the network message data into separate session messages with the session as the unit, extracting feature vectors of the session messages, and inputting them into a time-sequence feature module and a spatial feature module respectively;
the time-sequence feature module comprises a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback line and the other a reverse feedback line, so that a bidirectional feedback loop is formed; the current neuron in each feedback line receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbor neurons adjacent to the previous neuron, outputs the hidden-layer information at the current moment together with its own updated state information, and passes that state information to an accumulation unit of the time-sequence feature module for element-wise vector addition;
the spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the time-sequence relations among different message payloads to obtain the long-distance dependencies of the data among the vectors, assigns the vectors different weight values to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and merges and outputs the global features;
extracting the intermediate-layer output of the fully connected neural network of the time-sequence feature module and of the spatial feature module as new time-sequence features and spatial features of the session message, and concatenating them to obtain a mixed feature vector of the session message;
transmitting the mixed feature vector to a random forest on the server for classification, where the random forest draws n rounds of samples to obtain n training sets, each training set is trained on a specified number of randomly column-sampled feature values to obtain n decision trees, and the classification results of the n decision trees are combined by voting;
the message data of the client carries a first time stamp recorded when it was sent, and the response message returned to the client carries a second time stamp recorded when it was returned; the message transmission time is calculated from the first and second time stamps;
measuring and estimating the channel, and judging from the estimated transmission time obtained from the measurement result whether the deviation between the measured transmission time and the estimated time lies within a preset range; if so, proceeding to judge the classification result, otherwise recognizing that the message data of the client has been maliciously tampered with;
judging from the classification result whether malicious code exists in the message data of the client and, when it does, having the server terminate the TLS 1.3 handshake.
In a second aspect, the present application provides a system based on bidirectional message intrusion detection, the system comprising:
a preprocessing module for acquiring message data of a client, dividing the network message data into separate session messages with the session as the unit, extracting feature vectors of the session messages, and inputting the feature vectors into the time-sequence feature module and the spatial feature module respectively;
the time-sequence feature module, comprising a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback line and the other a reverse feedback line, so that the hidden-layer neurons form a bidirectional feedback loop; the current neuron in each feedback line receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbor neurons adjacent to the previous neuron, and outputs the hidden-layer information at the current moment and its own updated state information, on which an accumulation unit of the time-sequence feature module performs element-wise vector addition;
the spatial feature module, which stores global feature vectors in a plurality of local feature matrices, captures the time-sequence relations among different message payloads to obtain the long-distance dependencies of the data among the vectors, assigns the vectors different weight values to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and merges and outputs the global features;
a classification module for extracting the intermediate-layer output of the fully connected neural network of the time-sequence feature module and of the spatial feature module as new time-sequence and spatial features of the session message, concatenating them into a mixed feature vector of the session message, and transmitting the mixed feature vector to a random forest on the server for classification, where the random forest draws n rounds of samples to obtain n training sets, each training set is trained on a specified number of randomly column-sampled feature values to obtain n decision trees, and the classification results of the n decision trees are combined by voting;
a bidirectional message judging module which, using the fact that the message data of the client carries a first time stamp recorded when it was sent and the response message returned to the client carries a second time stamp recorded when it was returned, calculates the message transmission time from the first and second time stamps, measures and estimates the channel, and judges from the estimated transmission time obtained from the measurement result whether the deviation between the measured transmission time and the estimated time lies within a preset range; if so, it proceeds to judge the classification result, otherwise it recognizes that the message data of the client has been maliciously tampered with;
and an execution module for judging from the classification result whether malicious code exists in the message data of the client and, if so, having the server terminate the TLS 1.3 handshake.
In a third aspect, the present application provides a system based on bidirectional message intrusion detection, the system comprising a processor and a memory:
the memory is used to store program code and to transmit the program code to the processor;
the processor is configured to perform the method of any one of the four possible implementations of the first aspect according to the instructions in the program code.
In a fourth aspect, the present application provides a computer-readable storage medium storing program code for performing the method of any one of the four possible implementations of the first aspect.
Advantageous effects
The method and system extract time-sequence and spatial features of the message data and classify them with a random forest, which detects comprehensively, quickly brings out the required feature vectors, and through the integrated, differing classification capabilities of its trees addresses what intrusion detection based on ports or payload keywords cannot handle in the prior art, namely the encrypted traffic used by malicious code. Using the time stamps carried by the bidirectional messages, the message transmission time is calculated and its deviation from the time estimated by channel measurement is determined, from which it is judged whether the message data of the client has been maliciously tampered with; this introduces a further detection angle to assist the classifier and improves detection accuracy.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below; it will be obvious to those skilled in the art that other drawings can be derived from these drawings without inventive effort.
FIG. 1 is a schematic flow chart of the method based on two-way message intrusion detection according to the present invention;
FIG. 2 is a block diagram of the system based on two-way message intrusion detection according to the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the invention can be more easily understood by those skilled in the art and the scope of the invention is made clear and definite.
TLS 1.3 is a new transport-layer encryption protocol for providing secure communication between web browsers and servers. TLS 1.3 is characterized by higher speed and higher security.
TLS 1.3 speeds up the encrypted connection through TLS False Start and zero round-trip time (0-RTT). In short, TLS 1.2 needs two round trips to complete the handshake, whereas TLS 1.3 needs only one, which halves the encryption delay, so the encrypted connection is established faster. This allows faster and more efficient detection and identification in the usage scenario of the new encryption protocol TLS 1.3, so that the presence of malicious code is discovered before the handshake succeeds.
FIG. 1 is the general flow chart of the method based on bidirectional message intrusion detection according to the present application, the method comprising:
obtaining message data of a client, dividing the network message data into separate session messages with the session as the unit, extracting feature vectors of the session messages, and judging whether the feature vectors include a service payload and whether the handshake information is complete;
if the feature vector of a session message does not include a service payload, the session message can be considered unrelated to the service and is very likely the result of tampering by malicious code;
if the handshake information of a session message is incomplete, the session message can be considered the result of tampering by malicious code;
judging from the number of session messages obtained by the division whether to perform further feature compression: feature compression is performed when the number of session messages exceeds a preset threshold, after which the feature vectors of the session messages extracted earlier are input into the time-sequence feature module and the spatial feature module respectively;
if the number of session messages is smaller than the preset threshold, the feature vectors can be input directly into the time-sequence feature module and the spatial feature module without performing feature compression.
Feature compression means selecting, from the extracted feature vectors of the session messages, a subset of feature quantities with strong specificity, so as to compress the data volume and improve the processing speed. Feature compression methods common in the art may be employed.
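As an added illustration (not the patent's own code), the preprocessing steps above in Python: splitting captured packets into sessions, extracting a feature vector per session, flagging sessions without a service payload or with an incomplete handshake, and compressing features only when the session count exceeds the preset threshold. The session key, the feature layout, the set of required handshake messages, the variance-based compression rule and the sample capture are all assumptions, since the patent leaves them open.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pvariance
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float         # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int  # bytes of application data; 0 for pure handshake records
    hs_type: str      # handshake message type, "" for application data


# Handshake messages that must all be seen for the handshake to count as
# complete (assumed set; the page only says "handshake information is complete").
HANDSHAKE_NEEDED = {"client_hello", "server_hello", "finished"}

# Constructed capture: one complete session that carries application data, and
# one session that stalls after the ServerHello and never carries a payload.
SAMPLE_PACKETS = [
    Packet(0.000, "10.0.0.5", 40000, "203.0.113.7", 443, 0, "client_hello"),
    Packet(0.020, "203.0.113.7", 443, "10.0.0.5", 40000, 0, "server_hello"),
    Packet(0.021, "203.0.113.7", 443, "10.0.0.5", 40000, 0, "finished"),
    Packet(0.040, "10.0.0.5", 40000, "203.0.113.7", 443, 0, "finished"),
    Packet(0.041, "10.0.0.5", 40000, "203.0.113.7", 443, 512, ""),
    Packet(0.060, "203.0.113.7", 443, "10.0.0.5", 40000, 2048, ""),
    Packet(0.100, "10.0.0.5", 40001, "203.0.113.7", 443, 0, "client_hello"),
    Packet(0.120, "203.0.113.7", 443, "10.0.0.5", 40001, 0, "server_hello"),
]

Key = Tuple[Tuple[str, int], Tuple[str, int]]


def session_key(p: Packet) -> Key:
    """Both directions of a flow map to one key by ordering the two endpoints."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def split_sessions(packets: List[Packet]) -> Dict[Key, List[Packet]]:
    """Divide the capture into session messages, the session being the unit."""
    sessions: Dict[Key, List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        sessions[session_key(p)].append(p)
    return dict(sessions)


def extract_features(pkts: List[Packet]) -> List[float]:
    """[packet count, total payload bytes, initiator share of payload, mean gap]."""
    initiator = (pkts[0].src, pkts[0].sport)
    total = sum(p.payload_len for p in pkts)
    fwd = sum(p.payload_len for p in pkts if (p.src, p.sport) == initiator)
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return [float(len(pkts)), float(total), fwd / total if total else 0.0,
            sum(gaps) / len(gaps) if gaps else 0.0]


def has_service_load(pkts: List[Packet]) -> bool:
    return any(p.payload_len > 0 for p in pkts)


def handshake_complete(pkts: List[Packet]) -> bool:
    return HANDSHAKE_NEEDED <= {p.hs_type for p in pkts}


def compress(vectors: List[List[float]], keep: int) -> List[List[float]]:
    """Assumed compression rule: keep the `keep` most specific columns, taking
    variance across sessions as the measure of specificity."""
    ranked = sorted(range(len(vectors[0])),
                    key=lambda c: pvariance([v[c] for v in vectors]), reverse=True)
    chosen = sorted(ranked[:keep])
    return [[v[c] for c in chosen] for v in vectors]


def preprocess(packets: List[Packet], threshold: int, keep: int):
    """Split, extract, flag, and compress only when the number of sessions
    exceeds the preset threshold. Returns (flags, vectors, compressed?)."""
    sessions = split_sessions(packets)
    keys = list(sessions)
    flags = {k: {"service_load": has_service_load(sessions[k]),
                 "handshake_complete": handshake_complete(sessions[k])} for k in keys}
    vectors = [extract_features(sessions[k]) for k in keys]
    compressed = len(sessions) > threshold
    if compressed:
        vectors = compress(vectors, keep)
    return flags, dict(zip(keys, vectors)), compressed
```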
The time-sequence feature module comprises a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback line and the other a reverse feedback line, so that a bidirectional feedback loop is formed; the current neuron in each feedback line receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbor neurons adjacent to the previous neuron, outputs the hidden-layer information at the current moment together with its own updated state information, and passes that state information to an accumulation unit of the time-sequence feature module for element-wise vector addition.
The information transmission and long-term memory capacity for the input mixed feature vector are realized through the multi-layer structure formed by the hidden-layer neurons.
The spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the time-sequence relations among different message payloads to obtain the long-distance dependencies of the data among the vectors, assigns the vectors different weight values to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and merges and outputs the global features.
The intermediate-layer output of the fully connected neural network of the time-sequence feature module and of the spatial feature module is extracted as new time-sequence features and spatial features of the session message, and the two are concatenated to obtain a mixed feature vector of the session message.
The mixed feature vector is transmitted to a random forest on the server for classification: the random forest draws n rounds of samples to obtain n training sets, each training set is trained on a specified number of randomly column-sampled feature values to obtain n decision trees, and the classification results of the n decision trees are combined by voting.
The message data of the client carries a first time stamp recorded when it was sent, and the response message returned to the client carries a second time stamp recorded when it was returned; the message transmission time is calculated from the first and second time stamps.
The channel is measured and estimated, and from the estimated transmission time obtained from the measurement result it is judged whether the deviation between the measured transmission time and the estimated time lies within a preset range; if so, the method proceeds to judge the classification result, otherwise the message data of the client is recognized as maliciously tampered with.
From the classification result it is judged whether malicious code exists in the message data of the client, and when it does, the server terminates the TLS 1.3 handshake.
When no malicious code exists in the message data of the client, the server completes the handshake according to the TLS 1.3 handshake standard.
In some preferred embodiments, after the feature vector of the session message has been extracted, the method further comprises judging whether the feature vector includes a service payload and whether the handshake information is complete, as follows: if the feature vector of the session message does not include a service payload, the session message is determined to be unrelated to the service and the result of tampering by malicious code; if the handshake information of the session message is incomplete, the session message is determined to be the result of tampering by malicious code.
In some preferred embodiments, the classification capability of each decision tree is targeted: the specified number of feature values is chosen according to the different classifications, and the same feature vector matrix is classified from different angles by the decision trees, which completes the integration of the different classification capabilities. Its classification performance is higher than that of a single classifier.
The average generalization error of a decision tree in the random forest is related to the regression function.
In some preferred embodiments, the voting mode comprises weighted accumulation of the output results of the individual decision trees.
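The server-side part of the procedure, as an added example rather than the patent's own implementation: n rounds of sampling with replacement, each with column sampling of m features, produce n decision trees (one-split stumps here, to keep the ensemble short); their outputs are combined by weighted accumulation; and the time-stamp deviation gate runs before the classification result is consulted. The stump learner, the use of left-out-sample accuracy as the vote weight, and the constructed training rows are assumptions not found on the page.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

Row = Sequence[float]
Tree = Callable[[Row], int]  # mixed feature vector -> label (1 = malicious code)

# Constructed training data: column 0 is noise, columns 1 and 2 separate the
# classes cleanly, so every column sample of size 2 contains a useful feature.
TRAIN_ROWS: List[Row] = [
    [0.10, 0.20, 4.1], [0.90, 0.35, 5.2], [0.40, 0.50, 3.7], [0.75, 0.10, 6.0],
    [0.30, 0.45, 4.9], [0.60, 0.30, 5.5], [0.20, 0.25, 4.4], [0.80, 0.40, 5.8],
    [0.15, 0.80, 7.5], [0.85, 0.88, 7.9], [0.50, 0.83, 7.7], [0.70, 0.93, 7.6],
    [0.25, 0.86, 7.8], [0.65, 0.90, 7.9], [0.35, 0.81, 7.5], [0.95, 0.92, 7.7],
]
TRAIN_LABELS = [0] * 8 + [1] * 8


def train_stump(rows: List[Row], labels: List[int], cols: List[int]) -> Tree:
    """One-split decision tree over the column-sampled features only."""
    best = (-1.0, cols[0], 0.0, 1)  # (accuracy, column, threshold, side)
    for c in cols:
        for thr in sorted({r[c] for r in rows}):
            for side in (1, -1):
                pred = [1 if (r[c] >= thr) == (side == 1) else 0 for r in rows]
                acc = sum(p == y for p, y in zip(pred, labels)) / len(rows)
                if acc > best[0]:
                    best = (acc, c, thr, side)
    _, c, thr, side = best
    return lambda r: 1 if (r[c] >= thr) == (side == 1) else 0


def train_forest(rows: List[Row], labels: List[int], n: int, m: int,
                 seed: int = 0) -> List[Tuple[Tree, float]]:
    """n rounds of sampling with replacement give n training sets; each is
    trained on m randomly column-sampled features. The vote weight (assumed;
    the page only says 'weighted') is the tree's accuracy on the rows that
    were left out of its own sample."""
    rng = random.Random(seed)
    forest: List[Tuple[Tree, float]] = []
    for _ in range(n):
        bag = [rng.randrange(len(rows)) for _ in rows]
        left_out = [i for i in range(len(rows)) if i not in set(bag)]
        cols = rng.sample(range(len(rows[0])), m)
        tree = train_stump([rows[i] for i in bag], [labels[i] for i in bag], cols)
        weight = (sum(tree(rows[i]) == labels[i] for i in left_out) / len(left_out)
                  if left_out else 0.5)
        forest.append((tree, weight))
    return forest


def weighted_vote(forest: List[Tuple[Tree, float]], row: Row) -> int:
    """Weighted accumulation of the trees' outputs: +w for malicious, -w otherwise."""
    score = sum(w if tree(row) == 1 else -w for tree, w in forest)
    return 1 if score > 0 else 0


@dataclass
class Session:
    features: Row
    t_sent: float      # first time stamp, carried by the client's message
    t_returned: float  # second time stamp, carried by the server's response


def transmission_time_ok(s: Session, estimated: float, tolerance: float) -> bool:
    """The deviation of the measured transmission time from the channel
    estimate must lie within the preset range."""
    return abs((s.t_returned - s.t_sent) - estimated) <= tolerance


def decide(s: Session, forest: List[Tuple[Tree, float]],
           estimated: float, tolerance: float) -> str:
    """Server-side verdict: the time-stamp gate runs first; the classifier is
    consulted only when the gate passes."""
    if not transmission_time_ok(s, estimated, tolerance):
        return "tampered"
    if weighted_vote(forest, s.features) == 1:
        return "terminate_handshake"  # malicious code present: abort the TLS 1.3 handshake
    return "complete_handshake"      # proceed per the TLS 1.3 handshake standard


if __name__ == "__main__":
    forest = train_forest(TRAIN_ROWS, TRAIN_LABELS, n=5, m=2, seed=7)
    print(decide(Session([0.2, 0.95, 7.95], 0.000, 0.021), forest, 0.020, 0.005))
    print(decide(Session([0.7, 0.30, 4.50], 0.000, 0.090), forest, 0.020, 0.005))
```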
FIG. 2 is a schematic diagram of the system based on bidirectional message intrusion detection according to the present application, the system comprising:
a preprocessing module for acquiring message data of a client, dividing the network message data into separate session messages with the session as the unit, extracting feature vectors of the session messages, and inputting the feature vectors into the time-sequence feature module and the spatial feature module respectively;
the time-sequence feature module, comprising a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback line and the other a reverse feedback line, so that the hidden-layer neurons form a bidirectional feedback loop; the current neuron in each feedback line receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbor neurons adjacent to the previous neuron, and outputs the hidden-layer information at the current moment and its own updated state information, on which an accumulation unit of the time-sequence feature module performs element-wise vector addition;
the spatial feature module, which stores global feature vectors in a plurality of local feature matrices, captures the time-sequence relations among different message payloads to obtain the long-distance dependencies of the data among the vectors, assigns the vectors different weight values to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and merges and outputs the global features;
a classification module for extracting the intermediate-layer output of the fully connected neural network of the time-sequence feature module and of the spatial feature module as new time-sequence and spatial features of the session message, concatenating them into a mixed feature vector of the session message, and transmitting the mixed feature vector to a random forest on the server for classification, where the random forest draws n rounds of samples to obtain n training sets, each training set is trained on a specified number of randomly column-sampled feature values to obtain n decision trees, and the classification results of the n decision trees are combined by voting;
a bidirectional message judging module which, using the fact that the message data of the client carries a first time stamp recorded when it was sent and the response message returned to the client carries a second time stamp recorded when it was returned, calculates the message transmission time from the first and second time stamps, measures and estimates the channel, and judges from the estimated transmission time obtained from the measurement result whether the deviation between the measured transmission time and the estimated time lies within a preset range; if so, it proceeds to judge the classification result, otherwise it recognizes that the message data of the client has been maliciously tampered with;
and an execution module for judging from the classification result whether malicious code exists in the message data of the client and, if so, having the server terminate the TLS 1.3 handshake.
The present application also provides a system based on bidirectional message intrusion detection that comprises a processor and a memory:
the memory is used to store program code and to transmit the program code to the processor;
the processor is configured to perform the method of any one of the embodiments of the first aspect according to the instructions in the program code.
The present application also provides a computer-readable storage medium storing program code for performing the method of any one of the embodiments of the first aspect.
In a specific implementation, the present invention also provides a computer storage medium, which may store a program that, when executed, may carry out some or all of the steps of the various embodiments of the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
It will be apparent to those skilled in the art that the techniques of the embodiments of the present invention may be implemented in software plus the necessary general-purpose hardware platform. On this understanding, the technical solutions of the embodiments, or the part of them that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disk, including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the embodiments or in some parts of the embodiments.
The same or similar parts of the various embodiments of this description refer to one another. In particular, since the other embodiments are substantially similar to the method embodiments, their description is relatively brief, and the description of the method embodiments should be consulted for the relevant matters.
The embodiments of the present invention described above do not limit the scope of the present invention.
Claims (7)
1. A method for two-way message-based intrusion detection, the method comprising:
obtaining message data of a client, dividing the network message data into separate session messages with the session as the unit, extracting feature vectors of the session messages, and inputting them into a time-sequence feature module and a spatial feature module respectively;
the time-sequence feature module comprises a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback line and the other a reverse feedback line, so that a bidirectional feedback loop is formed; the current neuron in each feedback line receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbor neurons adjacent to the previous neuron, outputs the hidden-layer information at the current moment together with its own updated state information, and passes that state information to an accumulation unit of the time-sequence feature module for element-wise vector addition;
the spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the time-sequence relations among different message payloads to obtain the long-distance dependencies of the data among the vectors, assigns the vectors different weight values to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and merges and outputs the global features;
extracting the intermediate-layer output of the fully connected neural network of the time-sequence feature module and of the spatial feature module as new time-sequence features and spatial features of the session message, and concatenating them to obtain a mixed feature vector of the session message;
transmitting the mixed feature vector to a random forest on the server for classification, where the random forest draws n rounds of samples to obtain n training sets, each training set is trained on a specified number of randomly column-sampled feature values to obtain n decision trees, and the classification results of the n decision trees are combined by voting;
the message data of the client carries a first time stamp recorded when it was sent, and the response message returned to the client carries a second time stamp recorded when it was returned; the message transmission time is calculated from the first and second time stamps;
measuring and estimating the channel, and judging from the estimated transmission time obtained from the measurement result whether the deviation between the measured transmission time and the estimated time lies within a preset range; if so, proceeding to judge the classification result, otherwise recognizing that the message data of the client has been maliciously tampered with;
judging from the classification result whether malicious code exists in the message data of the client and, when it does, having the server terminate the TLS 1.3 handshake.
2. The method according to claim 1, characterized in that after the feature vector of the session message has been extracted, the method further comprises judging whether the feature vector includes a service payload and whether the handshake information is complete, as follows: if the feature vector of the session message does not include a service payload, the session message is determined to be unrelated to the service and the result of tampering by malicious code; if the handshake information of the session message is incomplete, the session message is determined to be the result of tampering by malicious code.
3. The method according to claim 1, characterized in that the classification capability of each decision tree is targeted: the specified number of feature values is chosen according to the different classifications, and the same feature vector matrix is classified from different angles by the decision trees, thereby completing the integration of the different classification capabilities.
4. The method according to claim 2 or 3, characterized in that the voting mode comprises weighted accumulation of the output result of each decision tree.
5. A system based on two-way message intrusion detection, the system comprising:
A preprocessing module, used for acquiring message data of a client, dividing the network message data into different session messages by taking a session as the unit, extracting feature vectors of the session messages, and inputting the feature vectors respectively into the time sequence feature module and the space feature module;
A time sequence feature module, comprising a plurality of hidden-layer neurons divided into two groups, one group forming a forward feedback line and the other a reverse feedback line, so that the hidden-layer neurons form a bidirectional feedback loop; the current neuron in each feedback line receives the hidden-layer information transmitted by the previous neuron and the state information transmitted by the neighbouring neuron adjacent to the previous neuron, and outputs the hidden-layer information at the current moment and the state information updated by the current neuron; an accumulation unit of the time sequence feature module carries out element-wise vector addition;
A spatial feature module, used for storing global feature vectors in a plurality of local feature matrices, capturing the time sequence relations among different message loads, obtaining the long-distance dependency relations of the data among the vectors, assigning different weight values to the vectors to form different weight matrices Q, K, V, carrying out linear transformation on the weight matrices Q, K, V in parallel, and merging and outputting the global features;
A classification module, used for extracting the intermediate-layer output of the fully-connected neural network of the time sequence feature module and of the space feature module as new time sequence features and new space features of the session message, and splicing the new time sequence features and the new space features together to obtain a mixed feature vector of the session message; transmitting the mixed feature vector to a random forest on the server for classification; sampling the random forest for n rounds to obtain n training sets, training on the n extracted training sets using a specified number of feature values selected randomly by column sampling to obtain n decision trees, and obtaining the classification result of the n decision trees by a voting mode;
A bidirectional message judging module, used for calculating the message transmission time from the first time stamp and the second time stamp, using the fact that the message data of the client carries a first time stamp recording when it was sent and the response message returned to the client carries a second time stamp recording when it was returned; measuring and estimating the channel, and, using the estimated message transmission time obtained from the result of the measurement and estimation, judging whether the deviation between the measured message transmission time and the estimated time is within a preset range; if so, continuing to judge the classification result, otherwise recognizing the message data of the client as maliciously tampered;
and an execution module, used for judging whether malicious code exists in the message data of the client according to the classification result, and, if so, the server terminates the TLS 1.3 handshake process.
6. A system based on two-way message intrusion detection, the system comprising a processor and a memory:
The memory is used for storing program code and transmitting the program code to the processor;
The processor is configured to perform the method according to any one of claims 1-4 according to instructions in the program code.
7. A computer readable storage medium, characterized in that the computer readable storage medium is for storing program code for performing a method according to any one of claims 1-4.
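The decision logic of claims 1, 2 and 4 (claim 2 pre-filters, the bidirectional time-stamp deviation check against the channel estimate, then weighted voting over the forest's per-tree outputs, ending in the server aborting the handshake) as an added worked example; this is not code from the patent. The record layout, field names, the 50 ms channel estimate, the 10 ms preset range and the tree weights are all constructed assumptions; the neural feature extractors and the forest itself are out of scope, so per-tree votes are given as input.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class SessionRecord:
    """One reassembled client session, with the fields the claims rely on (constructed)."""
    sent_ts: float             # first time stamp: carried in the client's message
    returned_ts: float         # second time stamp: carried in the server's response
    has_payload: bool          # claim 2: feature vector includes a service load
    handshake_complete: bool   # claim 2: handshake information is complete
    tree_votes: List[int]      # per-tree outputs of the random forest: 1 = malicious, 0 = benign

# Hypothetical per-tree weights for claim 4's weighted accumulation; they sum to 1.0.
TREE_WEIGHTS = [0.3, 0.2, 0.2, 0.15, 0.15]

def transit_within_range(sent_ts: float, returned_ts: float,
                         estimated_time: float, tolerance: float) -> bool:
    """Claim 1 timing check: is the measured transmission time within the preset
    range of the time estimated from channel measurement?"""
    measured = returned_ts - sent_ts
    return abs(measured - estimated_time) <= tolerance

def weighted_vote(votes: List[int], weights: List[float], threshold: float = 0.5) -> bool:
    """Claim 4 voting mode: weighted accumulation of each decision tree's output.
    Returns True when the normalised malicious score reaches the threshold."""
    score = sum(v * w for v, w in zip(votes, weights)) / sum(weights)
    return score >= threshold

def judge_session(rec: SessionRecord, estimated_time: float, tolerance: float,
                  weights: List[float] = TREE_WEIGHTS) -> str:
    """Order of checks as claimed: claim 2 pre-filters, then the bidirectional
    timing check, then the classification result. Returns the action taken."""
    if not rec.has_payload or not rec.handshake_complete:
        return "tampered"            # session judged the result of malicious tampering
    if not transit_within_range(rec.sent_ts, rec.returned_ts, estimated_time, tolerance):
        return "tampered"            # transmission time deviates from the channel estimate
    if weighted_vote(rec.tree_votes, weights):
        return "terminate-handshake" # execution module: server aborts the TLS 1.3 handshake
    return "allow"

if __name__ == "__main__":
    # Constructed sessions; channel estimate 50 ms with a 10 ms preset tolerance.
    sessions = {
        "benign":     SessionRecord(0.000, 0.052, True, True, [0, 1, 0, 0, 0]),
        "malicious":  SessionRecord(0.000, 0.048, True, True, [1, 1, 1, 0, 0]),
        "delayed":    SessionRecord(0.000, 0.400, True, True, [0, 0, 0, 0, 0]),
        "no-payload": SessionRecord(0.000, 0.050, False, True, [0, 0, 0, 0, 0]),
    }
    for name, rec in sessions.items():
        print(f"{name:10s} -> {judge_session(rec, estimated_time=0.05, tolerance=0.01)}")
```

Note that the timing check runs before the classifier is consulted, so a session whose round trip falls outside the preset range is flagged even when every tree votes benign.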
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210890816.0A CN115333801B (en) | 2022-07-27 | 2022-07-27 | Method and system based on bidirectional message intrusion detection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210890816.0A CN115333801B (en) | 2022-07-27 | 2022-07-27 | Method and system based on bidirectional message intrusion detection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115333801A CN115333801A (en) | 2022-11-11 |
CN115333801B true CN115333801B (en) | 2024-08-16 |
Family
ID=83919807
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210890816.0A Active CN115333801B (en) | 2022-07-27 | 2022-07-27 | Method and system based on bidirectional message intrusion detection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115333801B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115801459A (en) * | 2023-02-03 | 2023-03-14 | 北京六方云信息技术有限公司 | Message detection method, device, system and storage medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115314265A (en) * | 2022-07-27 | 2022-11-08 | 天津市国瑞数码安全系统股份有限公司 | Method and system for identifying TLS encryption application based on flow and time sequence |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021243663A1 (en) * | 2020-06-04 | 2021-12-09 | 深圳市欢太科技有限公司 | Session detection method and apparatus, and detection device and computer storage medium |
US11611588B2 (en) * | 2020-07-10 | 2023-03-21 | Kyndryl, Inc. | Deep learning network intrusion detection |
CN112822167B (en) * | 2020-12-31 | 2023-04-07 | 杭州中电安科现代科技有限公司 | Abnormal TLS encrypted traffic detection method and system |
- 2022-07-27: CN CN202210890816.0A, patent CN115333801B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN115333801A (en) | 2022-11-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||