Currently, cybercrime is rapidly evolving from traditional crimes against property and personal privacy into the realms of national political security and social stability, making the cybersecurity landscape increasingly severe and complex. As a professional force tasked with protecting national political security, maintaining social stability, and safeguarding the legal rights and interests of citizens, public security organs face the real challenge of continuously monitoring the cybersecurity situation within their jurisdiction. This requires the ability to provide timely warnings, rapid responses, efficient handling, and effective countermeasures against various cybersecurity risks, thereby enhancing overall cybersecurity defenses. Therefore, building a cybersecurity situational awareness system, especially to address widespread issues such as software vulnerabilities, network intrusions, and botnets, is both urgent and necessary. However, existing technologies for vulnerability discovery, intrusion detection, and botnet detection have significant shortcomings, particularly when applied in the context of public security work. Specifically, vulnerability discovery techniques lack comprehensiveness, efficiency, and depth, often resulting in delayed disclosures and reactive patch updates; intrusion detection systems rely on a single model and struggle to detect unknown types of intrusions, leading to low accuracy in attack recognition and insufficient diversity in detection capabilities, which weakens overall security perception; in botnet detection, although current graph neural network-based models perform well, they require complex model structures with high computational cost and substantial resources, making them difficult to deploy and maintain in resource-limited environments. Because existing detection models are "black boxes" that lack clear criteria and interpretability, public security organs often find it difficult to quickly verify the authenticity and reliability of botnet alerts, which places decision-makers in a dilemma between responding promptly to potential threats and avoiding the waste of police resources. Thus, improving the accuracy and efficiency of vulnerability discovery, enhancing the real-time capability and intelligence of intrusion detection systems, and advancing botnet detection technology are pressing challenges in the field of cybersecurity. This dissertation explores these issues, proposes corresponding solutions, and develops an application system. The main innovative achievements are summarized as follows:

(1) To address the problem in vulnerability mining where fuzzing struggles to quickly direct execution toward and reach deeper paths, this dissertation proposes a vulnerability mining framework called AFL++ that integrates directed greybox fuzzing with symbolic execution. The framework uses alias analysis to refine interprocedural control flow graphs, optimizes the basic block distance calculation, employs Newton's interpolation method for initial seed energy allocation, applies a heuristic energy scheduling algorithm for optimization, and uses a shortest path search strategy to mitigate path explosion. Experimental results show that AFL++ outperforms common vulnerability mining frameworks such as AFL and AFLGo on the LAVA-M dataset, and eight CVE identifiers have been obtained with it. It effectively improves both the efficiency of vulnerability mining and the reproducibility of vulnerabilities.

(2) To address the issue in network intrusion detection where a single deep learning model can extract only part of the implicit features, this dissertation proposes a traffic intrusion detection algorithm based on a hybrid neural network. The model designs a densely connected mechanism and a Dense-CNN network module, which effectively reduces parameter computation and improves model efficiency. It also designs a temporal feature extraction module that uses a multi-head self-attention mechanism to extract the temporal features of traffic, enhancing the detection capability of the model. Additionally, for the problem of unknown traffic intrusions, precise classification of unknown attack traffic is achieved through OpenMax and a self-clustering-based attack traffic labeling algorithm, followed by deep transfer learning to speed up model updates and accommodate a network environment that updates in real time. Experimental results show that the proposed network intrusion detection model excels in both binary and multi-class experiments and can perform closed-loop detection of known and unknown attack types, which is of significant value in practical scenarios.

(3) To address the problem of complex and uninterpretable model structures in botnet detection using graph neural networks, this dissertation introduces a botnet detection algorithm based on graph isomorphism neural networks. The model aims to capture and depict the isomorphic information of botnets more effectively, and emphasizes layer simplification to improve computational efficiency and adaptability. Its key components include an information aggregation module that represents neighborhood isomorphic information, residual connections, and inter-layer connection optimization. It also designs interpretability methods based on model weight distribution and subgraph mining, making the model's decision-making process more transparent and understandable. Experimental results show that the model performs excellently on four P2P botnet datasets, maintaining high computational efficiency and providing clear explanations while significantly reducing the model's inference time cost.

(4) Based on the research on the algorithmic models above, a network security situational awareness system has been developed. This dissertation discusses the design and implementation of the system in detail, covering the entire development process from requirement analysis to system application. Through requirement analysis, the functional requirements of the system were determined, laying a solid foundation for the subsequent system design. The implementation of the system is then elaborated, including the system architecture, technical architecture, and module design, ensuring that the system design is reasonable and feasible.

In summary, this dissertation conducts in-depth research on the issues in vulnerability mining, intrusion detection, and botnet detection, and develops a network security situational awareness system. Overall, it advances the development of situational awareness technology for network attack behaviors through theoretical research and practical application.
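The basic block distance and seed energy ideas in achievement (1) are easier to see on a concrete control flow graph. The following Python is an added illustration, not code from the dissertation: it uses the AFLGo-style formulation (harmonic mean of shortest-path distances to the target blocks, seed distance as the mean over the blocks a seed exercises, and a simulated-annealing power schedule) rather than the dissertation's own refined distance calculation, Newton-interpolation seed energy or heuristic scheduler, and the CFG, targets and seed traces are constructed toy data.

```python
"""Basic block distance and seed energy for directed greybox fuzzing.

Added illustration following the AFLGo formulation; not the dissertation's
own algorithm. The CFG, target set and seed traces below are constructed.
"""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed inter-procedural CFG: block -> successor blocks. The edges from
# "parse" into "handler_a"/"handler_b" stand in for resolved call targets.
CFG: Dict[str, List[str]] = {
    "entry": ["parse"],
    "parse": ["handler_a", "handler_b", "cleanup"],
    "handler_a": ["a_loop"],
    "a_loop": ["a_loop", "a_exit"],
    "a_exit": ["cleanup"],
    "handler_b": ["b_check"],
    "b_check": ["b_target", "cleanup"],
    "b_target": ["cleanup"],
    "cleanup": [],
}
TARGETS: Set[str] = {"b_target"}  # block(s) the campaign is directed toward

# Constructed execution traces (block sequences) for three seeds.
SEEDS: Dict[str, List[str]] = {
    "wrong_branch": ["entry", "parse", "handler_a", "a_loop", "a_exit", "cleanup"],
    "near_target": ["entry", "parse", "handler_b", "b_check", "cleanup"],
    "reaches_target": ["entry", "parse", "handler_b", "b_check", "b_target", "cleanup"],
}


def shortest_paths_to(cfg: Dict[str, List[str]], target: str) -> Dict[str, int]:
    """BFS over the reversed CFG: edge count from every block that can reach `target`."""
    rev: Dict[str, List[str]] = {b: [] for b in cfg}
    for src, succs in cfg.items():
        for dst in succs:
            rev.setdefault(dst, []).append(src)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred in rev.get(node, []):
            if pred not in dist:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return dist


def block_distances(cfg: Dict[str, List[str]], targets: Set[str]) -> Dict[str, Optional[float]]:
    """Per-block distance: 0 for a target, harmonic mean of shortest-path distances to
    the reachable targets otherwise, None when no target is reachable from the block."""
    per_target = [shortest_paths_to(cfg, t) for t in targets]
    result: Dict[str, Optional[float]] = {}
    for block in cfg:
        ds = [d[block] for d in per_target if block in d]
        if not ds:
            result[block] = None
        elif 0 in ds:
            result[block] = 0.0
        else:
            result[block] = len(ds) / sum(1.0 / d for d in ds)
    return result


def seed_distance(trace: List[str], dists: Dict[str, Optional[float]]) -> Optional[float]:
    """Seed distance: mean distance over the exercised blocks that have a defined distance."""
    vals = [dists[b] for b in trace if dists.get(b) is not None]
    return sum(vals) / len(vals) if vals else None


def energy_factor(norm_dist: float, elapsed: float, t_explore: float) -> float:
    """Annealing power schedule: early on every seed gets equal energy (exploration);
    as the temperature cools, seeds closer to the targets get exponentially more."""
    temperature = 20 ** (-elapsed / t_explore)  # 1.0 at start, cools toward 0.05
    p = (1 - norm_dist) * (1 - temperature) + 0.5 * temperature
    return 2 ** (10 * (p - 0.5))


def schedule(seeds: Dict[str, List[str]], cfg, targets, elapsed: float, t_explore: float) -> Dict[str, float]:
    """Energy multiplier per seed after min-max normalising the seed distances."""
    dists = block_distances(cfg, targets)
    seed_d = {name: seed_distance(tr, dists) for name, tr in seeds.items()}
    known = [d for d in seed_d.values() if d is not None]
    lo, hi = min(known), max(known)
    out = {}
    for name, d in seed_d.items():
        # seeds with no distance information are treated as neutral (0.5)
        norm = 0.5 if d is None or hi == lo else (d - lo) / (hi - lo)
        out[name] = energy_factor(norm, elapsed, t_explore)
    return out


if __name__ == "__main__":
    for name, factor in schedule(SEEDS, CFG, TARGETS, elapsed=6000, t_explore=600).items():
        print(f"{name:15s} energy x{factor:.3f}")
```

Blocks on the `handler_a` side get no distance at all, so they neither attract nor repel energy; the seed that already reaches the target ends up with the largest multiplier once the schedule has cooled, which is the behaviour a directed campaign wants from its distance metric.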
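Achievement (3) rests on the graph isomorphism network's aggregation rule, and its value for botnet detection comes from a property that is easy to demonstrate. The following Python is an added illustration, not the dissertation's model or code: it implements the GIN update h_v' = h_v + MLP((1 + eps) * h_v + sum of the neighbours' h_u), with the added h_v as the residual connection, on a constructed communication graph containing a dense peer-to-peer mesh. The MLP weights are fixed constants rather than trained parameters, the graph and node names are constructed, and the norm-based ranking at the end is a stand-in for a learned readout.

```python
"""GIN-style neighbourhood aggregation with residual connections.

Added illustration, not the dissertation's model. Fixed weights and a
constructed graph; no training is performed.
"""
from math import sqrt
from typing import Dict, List

DIM = 3
EPS = 0.1  # GIN's epsilon, fixed here instead of learned

# Fixed, positive MLP weights (constructed): one hidden ReLU layer, one linear output.
W1 = [[0.5, 0.3, 0.0], [0.0, 0.5, 0.3], [0.3, 0.0, 0.5]]
B1 = [-0.5, 0.1, 0.0]
W2 = [[0.2, 0.1, 0.0], [0.0, 0.2, 0.1], [0.1, 0.0, 0.2]]

BOTS = {f"b{i}" for i in range(5)}


def build_graph() -> Dict[str, List[str]]:
    """Constructed graph: a server with four clients, plus a fully connected 5-node
    mesh (the shape P2P command-and-control traffic produces), bridged by one client."""
    edges = [("srv", f"c{i}") for i in range(4)]
    bots = sorted(BOTS)
    edges += [(a, b) for i, a in enumerate(bots) for b in bots[i + 1:]]
    edges.append(("c3", "b0"))  # one infected client links the two parts
    adj: Dict[str, List[str]] = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def mlp(x: List[float]) -> List[float]:
    hidden = [max(0.0, sum(x[i] * W1[i][j] for i in range(DIM)) + B1[j]) for j in range(DIM)]
    return [sum(hidden[i] * W2[i][j] for i in range(DIM)) for j in range(DIM)]


def gin_layer(adj: Dict[str, List[str]], h: Dict[str, List[float]]) -> Dict[str, List[float]]:
    """One GIN layer: sum-aggregate the neighbourhood, apply the MLP, add the residual."""
    new = {}
    for v, neighbours in adj.items():
        agg = [(1 + EPS) * h[v][k] for k in range(DIM)]
        for u in neighbours:
            for k in range(DIM):
                agg[k] += h[u][k]
        out = mlp(agg)
        new[v] = [h[v][k] + out[k] for k in range(DIM)]  # residual connection
    return new


def embed(adj: Dict[str, List[str]], layers: int = 2) -> Dict[str, List[float]]:
    """Node embeddings after `layers` rounds; nodes carry no attributes, so the
    initial feature is a constant and only structure shapes the result."""
    h = {v: [1.0, 0.0, 0.0] for v in adj}
    for _ in range(layers):
        h = gin_layer(adj, h)
    return h


def rank_by_norm(h: Dict[str, List[float]]) -> List[str]:
    """Nodes ordered by embedding magnitude; with these positive weights magnitude
    grows with neighbourhood density, which is what a trained readout would learn."""
    return sorted(h, key=lambda v: -sqrt(sum(x * x for x in h[v])))


if __name__ == "__main__":
    emb = embed(build_graph())
    for v in rank_by_norm(emb):
        print(v, [round(x, 3) for x in emb[v]])
```

Two things are visible in the output. Clients `c0`, `c1` and `c2` have isomorphic two-hop neighbourhoods and receive identical embeddings, as do the four interior mesh nodes, which is the isomorphism-capturing behaviour the aggregation module is built around; and the bridging client `c3`, whose neighbourhood differs from its peers only by the edge into the mesh, is separated from them after just two layers.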