CN106101130A - Network malicious data detection method, apparatus and system - Google Patents

Info

Publication number: CN106101130A
Authority: CN (China)
Prior art keywords: data; network; feature values; malicious; eigenvalue
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201610537326.7A
Other languages: Chinese (zh)
Other versions: CN106101130B (en)
Inventors: 杨宇波, 张国力, 赵阳, 耿晓洁, 邱勇凯, 夏晓敬
Current assignees (the list may be inaccurate; Google has not performed a legal analysis): Guofurui Data Systems Co., Ltd.; Beijing E Hualu Information Technology Co Ltd
Original assignee: Beijing E Hualu Information Technology Co Ltd
Events: application filed by Beijing E Hualu Information Technology Co Ltd; priority to CN201610537326.7A; publication of CN106101130A; application granted; publication of CN106101130B; legal status: Active

Abstract

The invention provides a network malicious data detection method, apparatus and system. The network malicious data detection method first collects network data and extracts the data feature values in the network data, then obtains the association degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set; when the association degree between a data feature value and a malicious data feature value exceeds a preset association degree threshold, the malicious data feature value set is expanded with that data feature value. The malicious data feature value set can thus be continuously revised and optimised, which achieves predictive judgement of unknown network threats and active defence of network security, and reduces the false positive and false negative rates of network malicious data intrusion detection.

Description

Network malicious data detection method, apparatus and system
Technical field
The present invention relates to the technical field of network intrusion detection (NIDS), and specifically to a network malicious data detection method, apparatus and system.
Background technology
NIDS is the abbreviation of Network Intrusion Detection System, an important development direction of network security. It uses state-of-the-art data capture and protocol analysis technology to monitor all raw traffic in the network, performs flow and protocol analysis on the captured data, performs pattern matching against an existing library of event and behaviour features, identifies hacker attacks and gives an event response, thereby achieving monitoring, filtering and even blocking of network data and safeguarding the network environment.
The detection methods used by existing network intrusion detection systems are mainly of two kinds: signature-based detection and anomaly-based detection. Signature-based detection mainly matches network data or behaviour against the malicious data feature library that already exists in the system, but this approach easily causes false positives and false negatives and cannot detect unknown intrusions. Anomaly-based detection defines feature quantities and an "abnormal" threshold on the basis of a model of normal network characteristics; once the threshold is exceeded the data is identified as abnormal and an alarm is raised, but if the threshold is set unreasonably this also easily leads to false positives and false negatives.
Summary of the invention
Therefore, the technical problem to be solved by the embodiments of the present invention is to overcome the defect that network intrusion detection methods of the prior art have high false positive and false negative rates.
To this end, the embodiments of the present invention provide the following technical solution:
An embodiment of the present invention provides a network malicious data detection method, including:
collecting network data;
extracting the data feature values in the network data;
obtaining the association degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set;
if the association degree between a data feature value and a malicious data feature value exceeds a preset association degree threshold, expanding the malicious data feature value set with that data feature value.
The method of the embodiment of the present invention further includes:
if the association degree between the data feature value and the malicious data feature value exceeds the preset association degree threshold, judging that the data feature value is a malicious data feature value and that the network data corresponding to it is network malicious data;
counting the number of times network malicious data occurs within a preset duration;
if the count exceeds a preset security threshold, judging that a network anomaly exists and taking a corresponding security measure according to the degree of the network anomaly.
The method of the embodiment of the present invention further includes:
dynamically adjusting the preset security threshold according to the number of times network malicious data occurred within the preset duration and the network environment at that time.
In the method of the embodiment of the present invention, collecting network data includes:
capturing network data;
splitting the network data according to the current network conditions and storage pressure and storing it into the corresponding ring buffers.
In the method of the embodiment of the present invention, collecting network data further includes: when reading network data, mapping the network data stored in the corresponding ring buffer directly into user space.
In the method of the embodiment of the present invention, extracting the data feature values in the network data includes:
using an event analysis engine to filter and analyse the specific protocols in the network data and the network events they give rise to;
using a policy interpretation engine to monitor and analyse the behaviour features of each network event;
taking each network event and its corresponding behaviour features as the data feature values of the network data.
In the method of the embodiment of the present invention, the rules of the event analysis engine and the policy interpretation engine are written as scripts.
In the method of the embodiment of the present invention, obtaining the association degree between each data feature value and the malicious data feature values includes:
predicting the probability that any data feature value is any malicious data feature value;
if the probability that a data feature value is a certain malicious data feature value is less than a default value, predicting the probability that an association exists between that data feature value and that malicious data feature value;
predicting the probability that that malicious data feature value occurs;
predicting, from the probability that an association exists between the data feature value and the malicious data feature value and the probability that the malicious data feature value occurs, the probability that the data feature value develops into the malicious data feature value;
determining the association degree between the data feature value and the malicious data feature value from the probability that the data feature value is the malicious data feature value, or from the probability that it develops into the malicious data feature value.
An embodiment of the present invention further provides a network malicious data detection apparatus, including:
a data acquisition unit, for collecting network data;
a data processing unit, for extracting the data feature values in the network data;
a data analysis unit, for obtaining the association degree between each data feature value and the malicious data feature values in the pre-stored malicious feature value set and, if the association degree between a data feature value and a malicious data feature value exceeds the preset association degree threshold, expanding the malicious data feature value set with that data feature value.
An embodiment of the present invention further provides a network malicious data detection system, including the network malicious data detection apparatus above and a display apparatus;
the display apparatus is for receiving and displaying the data sent by the network malicious data detection apparatus.
The technical solution of the embodiments of the present invention has the following advantages:
The present embodiments provide a network malicious data detection method and apparatus that first collect network data and extract the data feature values in the network data, then obtain the association degree between each data feature value and the malicious data feature values in the pre-stored malicious feature value set; when the association degree between a data feature value and a malicious data feature value exceeds the preset association degree threshold, the malicious data feature value set is expanded with that data feature value. The malicious data feature value set can thus be continuously revised and optimised, which achieves predictive judgement of unknown network threats and active defence of network security, and reduces the false positive and false negative rates of network malicious data intrusion detection.
Brief description of the drawings
In order to explain the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a specific example of the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 2 is a schematic diagram of a specific example of the deployment architecture of the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 3 is a flow chart of a specific example of collecting network data in the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 4 is a schematic diagram of a specific example of the technical implementation of network data acquisition in the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 5 is a flow chart of a specific example of extracting the data feature values in the network data in the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 6 is a flow chart of a specific example of obtaining the association degree in the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 7 is a schematic block diagram of a specific example of the network malicious data detection apparatus in Embodiment 2 of the present invention.
Reference numerals:
1 data acquisition unit; 2 data processing unit; 3 data analysis unit; 4 feedback adjustment unit; 11 capture sub-unit; 12 storage sub-unit; 13 mapping sub-unit; 21 event analysis sub-unit; 22 policy interpretation sub-unit; 23 extraction sub-unit; 31 first prediction sub-unit; 32 second prediction sub-unit; 33 third prediction sub-unit; 34 fourth prediction sub-unit; 35 association analysis sub-unit.
Detailed description of the invention
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are a part of the embodiments of the present invention rather than all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the description of the embodiments of the present invention, it should be noted that the orientation or positional relationships indicated by terms such as "centre", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings, are only intended to facilitate and simplify the description of the embodiments, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
In the description of the embodiments of the present invention, it should be noted that, unless otherwise clearly specified and limited, the terms "installed", "connected" and "coupled" are to be interpreted broadly: for example, a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection or an indirect connection through an intermediary; a connection internal to two elements; a wireless connection or a wired connection. A person of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific situation.
In addition, the technical features involved in the different embodiments of the invention described below can be combined with each other as long as they do not conflict.
Embodiment 1
The present embodiment provides a network malicious data detection method which, as shown in Fig. 1, includes:
S1. Collect network data. Specifically, the network data of the LAN or the Internet to be monitored can be collected continuously, or collected at every preset interval, for example 5 s. A suitable collection mode can be chosen according to the network environment or the required security level of the LAN or the Internet to be monitored.
S2. Extract the data feature values in the network data. Specifically, any data analysis method of the prior art can be chosen to extract the data feature values in the network data, in order to learn the state of the network environment of the currently monitored LAN or Internet.
S3. Obtain the association degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set. Specifically, the malicious data feature values in the malicious feature value set can be obtained from the network data gathered by long-term monitoring of one or more monitoring samples. By obtaining the association degree between each data feature value and the malicious data feature values, even a data feature value that fails to match any malicious data feature value, that is an unknown data feature value, can be judged, through its association degree with a certain malicious data feature value, on the possibility that it is that malicious data feature value or will develop into it.
S4. Revise the malicious data feature values. This further includes:
S41. Judge whether the association degree between a data feature value and a malicious data feature value exceeds the preset association degree threshold. If it does, go to step S42; if not, return to step S1. Specifically, the association degree threshold can be set according to the specific monitored network environment or the required security level of that environment; where the security level is high, the association degree threshold can be set relatively low, so that even data feature values whose security threat is not particularly severe are classified as potential malicious data feature values.
S42. Expand the malicious data feature value set with that data feature value. Specifically, if the association degree between a data feature value in the collected network data and a malicious data feature value exceeds the preset association degree threshold, then even if that data feature value is not yet a malicious data feature value, the probability that it will develop into that malicious data feature value in the future is very high. Extending the malicious data feature value set with this data feature value lets the set be continuously revised and optimised, achieves predictive judgement of unknown network threats and active defence of network security, and reduces the false positive and false negative rates of network malicious data intrusion detection.
Preferably, the present embodiment further provides another network malicious data detection method which, besides steps S1 to S4 above, also includes steps S5 to S7:
S5. If the association degree between a data feature value and a malicious data feature value exceeds the preset association degree threshold, judge that the data feature value is a malicious data feature value and that the network data corresponding to it is network malicious data.
S6. Count the number of times network malicious data occurs within a preset duration. Specifically, the preset duration can be set according to the network environment or the network security level, and can be for example 1 minute.
S7. Security protection. This further includes:
S71. Judge whether the count exceeds the preset security threshold. If it does, go to step S72; if not, go to step S73.
S72. Judge that a network anomaly exists and take the corresponding security measure according to the degree of the network anomaly. Specifically, taking different security measures for network anomalies of different degrees fits the real network environment better. For example, if the degree of the network anomaly is small, no action need be taken; if the degree is large, an alarm notification or the like needs to be executed.
S73. Judge that the network environment is secure.
Preferably, the present embodiment further provides another network malicious data detection method which, besides steps S1 to S4 or S1 to S7 above, also includes step S8:
S8. Dynamically adjust the preset security threshold according to the number of times network malicious data occurred within the preset duration and the network environment at that time. Specifically, feeding back the number of occurrences of network malicious data within the preset duration and the network environment at that time to dynamically adjust the preset security threshold can further reduce the false negative and false positive rates of network malicious data intrusion detection.
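The S3 to S8 loop above, as an added worked example in Python that is not part of the patent: feature values are attribute dictionaries, the association degree is Jaccard similarity of the attribute sets, the malicious feature value set is expanded on a strong association (S42), hits are counted in a sliding window (S6), the hit count is graded into the action names of Table 2 (S7), and the security threshold is re-derived from the hit count and an environment factor (S8). The association measure, the grading steps, the threshold formula, all names and the sample feature values are assumptions; the patent only says that association/prediction algorithms and dynamic adjustment are used.

```python
from collections import deque

# Actions from Table 2 of the patent, ordered by anomaly degree (low -> high).
ACTIONS = ["ACTION_NONE", "ACTION_LOG", "ACTION_EMAIL", "ACTION_ALARM"]


def association_degree(feature, malicious):
    """Assumed association measure: Jaccard similarity of the two attribute
    sets. The patent only says an association/prediction algorithm is used."""
    a, b = set(feature.items()), set(malicious.items())
    return len(a & b) / len(a | b) if a or b else 0.0


class MaliciousDataDetector:
    """Steps S3 to S8 over already-extracted feature values (S1/S2 omitted)."""

    def __init__(self, malicious_set, assoc_threshold, security_threshold, window):
        self.malicious_set = [dict(m) for m in malicious_set]  # pre-stored malicious set
        self.assoc_threshold = assoc_threshold                  # preset association degree threshold
        self.security_threshold = security_threshold            # preset security threshold
        self.window = deque(maxlen=window)                      # hits within the preset duration

    def best_association(self, feature):
        """S3: highest association degree with any stored malicious feature value."""
        return max((association_degree(feature, m) for m in self.malicious_set), default=0.0)

    def process(self, feature):
        """S41/S42/S5/S6: expand the set on a strong association, flag the data
        as malicious and record the hit in the sliding window."""
        degree = self.best_association(feature)
        malicious = degree > self.assoc_threshold
        if malicious and feature not in self.malicious_set:
            self.malicious_set.append(dict(feature))  # S42: expand the malicious set
        self.window.append(malicious)                  # S6: one hit per malicious datum
        return malicious

    def security_action(self):
        """S71/S72/S73: graded action from how far the hit count exceeds the
        preset security threshold (the grading steps are an assumption)."""
        excess = sum(self.window) - self.security_threshold
        if excess <= 0:
            return ACTIONS[0]  # S73: network environment judged secure
        return ACTIONS[min(excess, len(ACTIONS) - 1)]

    def adjust_threshold(self, environment_factor):
        """S8: feed the hit count and an environment factor (>1 relaxes, <1
        tightens) back into the preset security threshold. Formula is assumed."""
        hits = sum(self.window)
        self.security_threshold = max(1, int((hits + self.security_threshold) / 2 * environment_factor))
        return self.security_threshold


def run_demo():
    """Constructed sample data: one stored malicious value and four observed ones."""
    stored = [{"method": "GET", "resp_host": "203.0.113.7", "resp_mime_type": "text/html", "uri": "/login"}]
    observed = [
        {"method": "GET", "resp_host": "203.0.113.7", "resp_mime_type": "text/html", "uri": "/login"},  # exact match
        {"method": "GET", "resp_host": "203.0.113.7", "resp_mime_type": "text/html", "uri": "/admin"},  # variant, 3 of 5 attrs shared
        {"method": "POST", "resp_host": "198.51.100.9", "resp_mime_type": "application/json", "uri": "/api"},  # unrelated
        {"method": "GET", "resp_host": "203.0.113.7", "resp_mime_type": "text/html", "uri": "/admin2"},  # second variant
    ]
    det = MaliciousDataDetector(stored, assoc_threshold=0.5, security_threshold=2, window=5)
    flags = [det.process(f) for f in observed]
    return {"flags": flags, "malicious_count": len(det.malicious_set),
            "action": det.security_action(), "detector": det}


if __name__ == "__main__":
    result = run_demo()
    print({k: v for k, v in result.items() if k != "detector"})
```

The second observed value is only 60% similar to the stored one, yet it is added to the set, so the fourth value (a variant of the variant) is recognised through either stored entry; this is the "continuous revision" the patent describes, and it is also why the association threshold must be chosen with the network's security level in mind, since every expansion widens what later counts as a hit.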
Specifically, as shown in Fig. 2, the application program that executes steps S1 to S4 or S1 to S7 above can be divided into a data acquisition layer and a data analysis layer (the latter comprising detection child nodes, an analysis server and a management server). The data acquisition layer can use a TAP component and a FRONTEND component as acquisition equipment and transmit the collected network data to multiple detection child nodes of the data analysis layer, which extract the data feature values; the detection child nodes then transmit the extracted data feature values to the analysis server of the data analysis layer. The analysis server pre-stores the malicious feature value set, which contains multiple malicious data feature values; after receiving the data feature values it can obtain the association degree between each data feature value and the malicious data feature values and, where an association degree exceeds the preset association degree threshold, extend the malicious data feature value set with that data feature value, thereby updating and revising the set. The management server of the data analysis layer can then feed the analysed network malicious data back to the detection child nodes; a detection child node can count the number of times that network malicious data occurs within the preset duration and, when the count exceeds the preset security threshold, take the corresponding security measure according to the degree of the network anomaly, such as log recording, executing mail notification or executing alarm notification, to ensure the security of the network environment. At the same time the detection child node can also dynamically adjust the preset security threshold according to the counted number of occurrences of network malicious data within the preset duration and the network environment, to further reduce the false positive and false negative rates of network malicious data detection. Preferably, the analysis server can also compile statistics on and aggregate data such as the various kinds of network malicious data obtained by analysis, draw the resulting charts in a browser as web page elements using a visualisation framework such as B/S, and present them on a display device such as a monitor, thus achieving data visualisation; the forms presented can include area charts, data tables, line charts, pie charts, bar charts and so on, which are simple and clear.
Preferably, as shown in Fig. 3, in each of the embodiments above step S1 includes:
S11. Capture network data.
S12. According to the current network conditions and storage pressure, split the network data and store it into the corresponding ring buffers. Specifically, before the captured network data is written into a ring buffer, the write index has to be located; after the network data is written, the write index is moved to the end of the data queue. Because the ring buffer is annular in structure, buffer areas need not be frequently allocated and released, which reduces performance loss.
S13. When reading network data, map the network data stored in the corresponding ring buffer directly into user space.
Specifically, as shown in Fig. 4, a TAP component and a FRONTEND component can be used to carry out steps S11 to S13. The TAP component can be connected in bypass mode to the network environment whose data is to be collected (including a LAN or the Internet). The data acquisition function is implemented by the HIGHCAP module in the TAP component, which supports data acquisition from multiple 10 Gb/s network interface cards and can split network data at up to 1 Gb/s, providing multi-channel data sources for the distributed nodes of the back end while alleviating the cost and pressure of back-end data processing. After the HIGHCAP module is bypass-connected to the network environment (including a LAN and the Internet), it can capture link-layer data frames, rewrite the destination MAC address in the frame header to the MAC address of the monitoring client, and replicate the frames and send them to the designated monitoring client. After the monitoring client captures the network data it performs load balancing, splitting according to the network environment and the processing pressure of the back end, and writes the network data into the ring buffers. The RING-SOCK module in the FRONTEND component implements this using ring buffers and direct memory access (DMA), which guarantees data access efficiency and reduces packet loss and performance loss. Preferably, because the detection child nodes need to obtain the network data in the ring buffers from user space when reading data, DMA technology can be used to map the network data directly into user space, avoiding the copy of network data from the ring buffer into user-space memory; this further improves the reading efficiency of the network data while reducing performance loss.
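The ring-buffer write and read cycle of S12, plus the pressure-based split across several buffers, as an added Python example that is not the patent's code nor that of the TAP/FRONTEND components. The class and function names and the frames are constructed; a full buffer overwrites its oldest frame and counts it as loss, which is the packet-loss figure a capture operator watches. The DMA mapping of S13 has no Python equivalent and is represented by a plain read.

```python
class RingBuffer:
    """Fixed-capacity ring buffer: slots are allocated once and never freed
    or regrown; only the write and read indices move (assumed design)."""

    def __init__(self, capacity):
        self.slots = [None] * capacity
        self.capacity = capacity
        self.write_idx = 0   # next slot to write: the end of the data queue
        self.read_idx = 0    # oldest unread frame
        self.count = 0       # frames currently stored
        self.dropped = 0     # frames overwritten before they were read

    def write(self, frame):
        """S12: locate the write index, store the frame, then advance the
        index to the end of the queue, wrapping around instead of allocating."""
        if self.count == self.capacity:
            # Buffer full: the oldest frame is lost and the read index skips it.
            self.read_idx = (self.read_idx + 1) % self.capacity
            self.count -= 1
            self.dropped += 1
        self.slots[self.write_idx] = frame
        self.write_idx = (self.write_idx + 1) % self.capacity
        self.count += 1

    def read(self):
        """S13 stand-in: hand the oldest frame to the reader (no DMA in Python)."""
        if self.count == 0:
            return None
        frame = self.slots[self.read_idx]
        self.read_idx = (self.read_idx + 1) % self.capacity
        self.count -= 1
        return frame

    def pressure(self):
        """Storage pressure: fraction of the buffer in use."""
        return self.count / self.capacity


def shunt(frame, buffers):
    """S12 split rule (assumed): store the frame in the least-loaded ring
    buffer; on a tie the first buffer wins. Returns the chosen buffer index."""
    target = min(buffers, key=lambda b: b.pressure())
    target.write(frame)
    return buffers.index(target)


def capture_demo():
    """Constructed sample: two buffers of different sizes and six frames."""
    buffers = [RingBuffer(2), RingBuffer(3)]
    assigned = [shunt(f"frame{i}", buffers) for i in range(1, 7)]
    return {"assigned": assigned,
            "dropped": [b.dropped for b in buffers],
            "counts": [b.count for b in buffers]}


if __name__ == "__main__":
    print(capture_demo())
```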
Preferably, as shown in Fig. 5, in each of the embodiments above step S2 includes:
S21. Use an event analysis engine to filter and analyse the specific protocols in the network data and the network events they give rise to.
S22. Use a policy interpretation engine to monitor and analyse the behaviour features of each network event.
S23. Take each network event and its corresponding behaviour features as the data feature values of the network data. Preferably, the rules of the event analysis engine and the policy interpretation engine are written as scripts.
Specifically, the rules of the event analysis engine and the policy interpretation engine can be written as scripts in the Bro language. This scripting language uses an event-driven mechanism and presets multiple event handling functions for the current mainstream network and application protocols, covering the states of the stages of protocol communication such as connect, request and response, as well as header parsing and data analysis during data transmission; custom combinations of these can realise hybrid analysis of multiple protocols and cope with an increasingly complex and changeable network environment.
Table 1: HTTP request information analysed and recorded by the event processing engine (example request address www.baidu.com)
As shown in Table 1, a policy is specified in the policy interpretation engine that contains three attributes:
(1) the IP address corresponding to the www.baidu.com domain name, resp_host=61.135.169.125;
(2) the request method, method=GET;
(3) the response content attribute, resp_mime_type=text/html.
If the returned response data satisfies all three policy attributes, the access is normal. If the returned response is found to have a tampered IP address, or a response content attribute inconsistent with the policy definition, this indicates that the DNS or the traffic has been hijacked and further analysis is required.
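The three-attribute policy check just described, as an added Python example (not the patent's code and not a Bro script): the policy values are the ones given on the page, the recorded HTTP exchanges are constructed, and the function names and the mapping from violated attribute to diagnosis (tampered resp_host read as a DNS hijack, other mismatches as traffic hijack) are assumptions.

```python
# Policy attributes from the page: expected values per requested host name.
POLICY = {
    "www.baidu.com": {
        "resp_host": "61.135.169.125",
        "method": "GET",
        "resp_mime_type": "text/html",
    },
}


def evaluate(record, policy=POLICY):
    """Compare one recorded exchange with the policy for its host.
    Returns (verdict, list of violated attribute names)."""
    expected = policy.get(record.get("host"))
    if expected is None:
        return "no-policy", []
    violated = [key for key, value in expected.items() if record.get(key) != value]
    if not violated:
        return "normal", []
    return "suspect", violated


def diagnose(violated):
    """Assumed reading of a violation, following the page's two cases."""
    if "resp_host" in violated:
        return "possible DNS hijack: further analysis required"
    if violated:
        return "possible traffic hijack: further analysis required"
    return "access normal"


def audit(records, policy=POLICY):
    """Run the check over recorded exchanges; returns (host, verdict, note) rows."""
    rows = []
    for record in records:
        verdict, violated = evaluate(record, policy)
        note = diagnose(violated) if verdict == "suspect" else verdict
        rows.append((record.get("host"), verdict, note))
    return rows


# Constructed sample exchanges (the documentation address 203.0.113.5 stands in
# for a tampered resolver answer).
SAMPLE_RECORDS = [
    {"host": "www.baidu.com", "resp_host": "61.135.169.125", "method": "GET", "resp_mime_type": "text/html"},
    {"host": "www.baidu.com", "resp_host": "203.0.113.5", "method": "GET", "resp_mime_type": "text/html"},
    {"host": "www.baidu.com", "resp_host": "61.135.169.125", "method": "GET", "resp_mime_type": "application/octet-stream"},
    {"host": "example.test", "resp_host": "198.51.100.9", "method": "GET", "resp_mime_type": "text/html"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS):
        print(row)
```

A policy keyed on a fixed IP only holds while the real site keeps that address, so in practice the resp_host attribute is maintained from an authoritative source rather than hard-coded; the check itself is the same.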
Table 2: security measure types
ACTION_NONE: perform no action
ACTION_LOG: perform log recording
ACTION_EMAIL: perform mail notification
ACTION_ALARM: perform alarm notification
As shown in Table 2, the security measures taken can be set, in order of anomaly degree from low to high, to performing no action, performing log recording, performing mail notification and performing alarm notification, which achieves graded handling of security precautions.
In the network malicious data detection method of this embodiment, the rules of the event analysis engine and the policy interpretation engine are written as scripts, so the behaviour of each network event and its corresponding features can be effectively detected and recorded from both the dynamic and the static side. Because modification and addition are script-based and easy to operate, users and operations staff only need basic development knowledge to add rules according to the actual network conditions, without waiting for or purchasing upgrades from the vendor; this ensures that monitoring gaps in the network environment are repaired in time and also reduces the cost of operation and maintenance.
Preferably, as shown in Fig. 6, in each of the embodiments above step S32 includes:
S321. Predict the probability that any data feature value is any malicious data feature value.
S322. Association probability prediction. This further includes:
S3221. Judge whether the probability that a data feature value is a certain malicious data feature value is less than a default value. If it is, go to step S3222; if not, go to step S325.
S3222. Predict the probability that an association exists between this data feature value and this malicious data feature value.
S323. Predict the probability that this malicious data feature value occurs.
S324. Predict, from the probability that an association exists between this data feature value and this malicious data feature value and the probability that this malicious data feature value occurs, the probability that this data feature value develops into this malicious data feature value.
S325. Determine the association degree between this data feature value and this malicious data feature value from the probability that the data feature value is the malicious data feature value, or from the probability that it develops into the malicious data feature value.
Specifically, association algorithms (such as the Apriori algorithm and the FP-Tree algorithm) and prediction algorithms (such as logistic regression, ridge regression and CART tree regression) can be used to carry out association prediction on the probability that a data feature value is any malicious data feature value, the probability that an association exists between the data feature value and that malicious data feature value, the probability that the malicious data feature value occurs, and so on, thereby obtaining the association degree between the data feature value and the malicious data feature value, making predictive judgements about unknown network threats and achieving active defence of network security.
For example, for an HTTP connection request initiated to the domain name www.baidu.com, the returned network data contains data feature values such as a tampered response host IP address resp_host and partially abnormal web page content; these are defined here as X.
Using the association and prediction algorithms to obtain the association degree between data feature value X and a pre-stored malicious data feature value Y, it is found that the association degree of X with Y is as high as 90%, while the association with the resp_host feature in Y is small; X may therefore be a variant of Y. In that case X is also regarded as a malicious data feature value and expanded into the malicious data feature value set together with its resp_host; if the resp_host features of X and Y lie in the same network segment or are similar, it can be predicted from this feature that network data from that network segment is network malicious data, and it can be blocked directly or analysed and handled.
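The probability chain S321 to S325 and the X/Y example above, as an added Python example that is not the patent's code. The estimators are assumptions chosen to stay inside what the page names: P(X is Y) is the fraction of matching attributes; P(association) is the Apriori-style confidence of the rule X → Y over constructed monitoring samples (sets of feature-value labels seen together in one captured session); P(Y occurs) is the support of Y; P(X develops into Y) is their product; the default value, the association threshold, the sample data and the /24 "same network segment" test are likewise assumed.

```python
import ipaddress

DEFAULT_VALUE = 0.8      # S3221 "default value" (assumed)
ASSOC_THRESHOLD = 0.4    # preset association degree threshold (assumed)

# Constructed monitoring samples: labels of feature values observed together.
# "Y" is the stored malicious feature value, "X" the unknown one.
SAMPLES = [
    {"X", "Y"}, {"X", "Y"}, {"X", "Y"}, {"X"},
    {"Y"}, {"Z"}, {"Z", "Y"}, {"Z"},
]

# Constructed attribute views of X and Y (documentation addresses).
X_VALUE = {"resp_host": "203.0.113.9", "method": "GET", "resp_mime_type": "text/html", "uri": "/x"}
Y_VALUE = {"resp_host": "203.0.113.77", "method": "GET", "resp_mime_type": "text/html", "uri": "/y"}


def p_is(x, y):
    """S321: probability that x *is* y, estimated as the fraction of
    attributes on which the two values agree (assumption)."""
    keys = set(x) | set(y)
    return sum(x.get(k) == y.get(k) for k in keys) / len(keys)


def support(samples, items):
    """Fraction of samples containing every label in `items`."""
    return sum(items <= sample for sample in samples) / len(samples)


def p_association(samples, x_label, y_label):
    """S3222: Apriori-style confidence of the rule x -> y."""
    sx = support(samples, {x_label})
    return support(samples, {x_label, y_label}) / sx if sx else 0.0


def p_occurs(samples, y_label):
    """S323: probability that the malicious feature value occurs (its support)."""
    return support(samples, {y_label})


def association_degree(samples, x, y, x_label, y_label):
    """S3221 to S325: direct probability when it is high enough, otherwise the
    probability that x develops into y. Returns (degree, route)."""
    direct = p_is(x, y)
    if direct >= DEFAULT_VALUE:
        return direct, "direct"
    # S324 (assumed): P(association) * P(y occurs)
    evolve = p_association(samples, x_label, y_label) * p_occurs(samples, y_label)
    return evolve, "evolve"


def same_segment(host_a, host_b, prefix=24):
    """Page's 'same network segment' test, assumed to mean the same /24."""
    network = ipaddress.ip_network(f"{host_a}/{prefix}", strict=False)
    return ipaddress.ip_address(host_b) in network


def run_example():
    """Apply the chain to the constructed X and Y and decide, as on the page,
    whether X joins the malicious set and whether its segment is flagged."""
    degree, route = association_degree(SAMPLES, X_VALUE, Y_VALUE, "X", "Y")
    expand = degree > ASSOC_THRESHOLD
    flag_segment = expand and same_segment(X_VALUE["resp_host"], Y_VALUE["resp_host"])
    return {"degree": degree, "route": route, "expand": expand, "flag_segment": flag_segment}


if __name__ == "__main__":
    print(run_example())
```

With these samples X and Y agree on only half their attributes, so the direct route is rejected and the association route yields 0.75 × 0.625 = 0.46875, above the threshold: X is added as a variant of Y, and because both resp_host values fall in 203.0.113.0/24 that segment is marked for blocking or analysis. Raising DEFAULT_VALUE or the threshold, or adding samples where X occurs without Y, is how an operator would make the expansion more conservative.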
Embodiment 2
This embodiment provides a network malicious data detection device which, as shown in Figure 2, includes:
Data acquisition unit 1, used for acquiring network data.
Data processing unit 2, used for extracting the data feature values in the network data.
Data analysis unit 3, used for obtaining the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set, and, if the correlation degree between a data feature value and a malicious data feature value exceeds a preset correlation degree threshold, expanding the malicious data feature value set according to that data feature value. Specifically, if the correlation degree between a data feature value in the acquired network data and a malicious data feature value exceeds the preset correlation degree threshold, then even if that data feature value is not currently a malicious data feature value, the probability that it evolves into that malicious data feature value in the future is very high. By extending the malicious data feature value set with such data feature values, the set can be continually revised and optimised, unknown network threats can be predicted and judged, network security is defended actively, and the false-positive and false-negative rates of network malicious data intrusion detection are reduced.
Preferably, this embodiment provides another network malicious data detection device in which, on the basis of the above embodiment, data analysis unit 3 is further used, when the correlation degree between a data feature value and a malicious data feature value exceeds the preset correlation degree threshold, to judge that the data feature value is a malicious data feature value and that the network data corresponding to it is network malicious data.
Data processing unit 2 is further used for counting the number of times network malicious data occurs within a preset duration and, when that number exceeds a preset security threshold, judging that a network anomaly exists and taking the corresponding safety measure according to the degree of the anomaly. Specifically, different safety measures are taken for network anomalies of different degrees, which better matches the actual network environment. For example, if the degree of the anomaly is small, no action may be needed, whereas if the degree of the anomaly is large, an alert notification or the like may need to be performed.
Preferably, this embodiment further provides another network malicious data detection device which, on the basis of the above embodiment, also includes feedback regulation unit 4, used for dynamically adjusting the preset security threshold according to the number of times network malicious data occurred within the preset duration and the network environment during that same period. Specifically, by dynamically adjusting the preset security threshold from the fed-back count of network malicious data within the preset duration and the network environment of that period, the false-negative and false-positive rates of network malicious data intrusion detection can be reduced further.
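The counting, grading and threshold feedback of data processing unit 2 and feedback regulation unit 4, as an added example that is not code from the patent; the window handling, the two-level anomaly grading, the measure mapping and the adjustment rule are assumptions:

```python
"""Added example, not code from patent CN106101130A: the counting of data
processing unit 2 and the threshold feedback of regulation unit 4. The window
handling, the anomaly grading and the adjustment rule are assumptions."""
from __future__ import annotations
from collections import deque


class MaliciousCounter:
    def __init__(self, preset_duration: float, security_threshold: int):
        self.duration = preset_duration        # "preset duration" (seconds)
        self.threshold = security_threshold    # "preset security threshold"
        self.hits: deque[float] = deque()      # timestamps of network malicious data
        self.history: list[int] = []           # per-window counts fed back by unit 4

    def record(self, ts: float) -> int:
        """Count one occurrence of network malicious data at time ts and return
        how many occurrences fall inside the preset duration ending at ts."""
        self.hits.append(ts)
        while self.hits and ts - self.hits[0] > self.duration:
            self.hits.popleft()             # drop hits older than the window
        return len(self.hits)

    def anomaly_degree(self) -> str:
        """Grade the network anomaly from the count in the current window
        (assumed: 'minor' above the threshold, 'severe' above twice it)."""
        n = len(self.hits)
        if n <= self.threshold:
            return "normal"
        return "severe" if n > 2 * self.threshold else "minor"

    def safety_measure(self) -> str:
        """Map the anomaly degree to the measure taken (assumed mapping)."""
        return {"normal": "no action", "minor": "log only",
                "severe": "alert notification"}[self.anomaly_degree()]

    def feedback(self, window_count: int, load_factor: float) -> int:
        """Feedback regulation unit 4: re-derive the preset security threshold from
        the average of the last five window counts, scaled by the network
        environment (load_factor 1.0 = normal traffic, 2.0 = double traffic)."""
        self.history.append(window_count)
        recent = self.history[-5:]
        self.threshold = max(1, round(sum(recent) / len(recent) * 1.5 * load_factor))
        return self.threshold
```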
Preferably, in the network malicious data detection device of this embodiment, data acquisition unit 1 includes:
Capture subunit 11, used for capturing network data.
Storage subunit 12, used for distributing the network data to the corresponding circular buffer for storage according to the current network conditions and storage pressure.
Preferably, data acquisition unit 1 also includes mapping subunit 13, used, when network data is read, for mapping the network data stored in the corresponding circular buffer directly into the user layer.
Preferably, in the network malicious data detection device of this embodiment, data processing unit 2 includes:
Event analysis subunit 21, used for filtering and analysing the specific protocols in the network data, and the network events generated from them, with an event analysis engine.
Policy interpretation subunit 22, used for monitoring and analysing the behaviour characteristics of each network event with a policy interpretation engine.
Extraction subunit 23, used for taking the network events and their corresponding behaviour characteristics as the data feature values of the network data. Preferably, the rules of the event analysis engine and the policy interpretation engine are written as scripts.
Preferably, in the network malicious data detection device of this embodiment, data analysis unit 3 includes:
First prediction subunit 31, used for predicting the probability that any data feature value is any malicious data feature value.
Second prediction subunit 32, used, when first prediction subunit 31 predicts that the probability that a data feature value is a malicious data feature value is lower than a default value, for predicting the probability that an association exists between that data feature value and that malicious data feature value.
Third prediction subunit 33, used for predicting the probability that the malicious data feature value occurs.
Fourth prediction subunit 34, used for predicting the probability that the data feature value develops into the malicious data feature value, according to the probability that an association exists between the data feature value and the malicious data feature value and the probability that the malicious data feature value occurs.
Association analysis subunit 35, used for determining the correlation degree between the data feature value and the malicious data feature value according to the probability that the data feature value is the malicious data feature value or the probability that it develops into the malicious data feature value.
Embodiment 3
This embodiment provides a network malicious data detection system, including the network malicious data detection device of Embodiment 2 and a display device.
The display device is used for receiving and displaying the data sent by the network malicious data detection device. Specifically, the display device may be a display screen.
In the malicious data detection system of this embodiment, when the correlation degree between a data feature value and a malicious data feature value exceeds the preset correlation degree threshold, the network malicious data detection device expands the malicious data feature value set according to that data feature value. The malicious data feature value set can thus be continually revised and optimised, unknown network threats can be predicted and judged, network security is defended actively, and the false-positive and false-negative rates of network malicious data intrusion detection are reduced.
Those skilled in the art will appreciate that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM and optical memory) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Claims (10)


Priority Applications (1)

Application Number: CN201610537326.7A (publication CN106101130B (en)); Priority Date: 2016-07-08; Filing Date: 2016-07-08; Title: A kind of network malicious data detection method, apparatus and system


Publications (2)

Publication Number / Publication Date
CN106101130A (en): 2016-11-09
CN106101130B (en): 2019-05-17

Family

ID=57212837

Family Applications (1)

Application Number: CN201610537326.7A (Active; publication CN106101130B (en)); Priority Date: 2016-07-08; Filing Date: 2016-07-08; Title: A kind of network malicious data detection method, apparatus and system

Country Status (1)

Country / Link
CN (1): CN106101130B (en)




Legal Events

Code / Title
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
GR01: Patent grant
TR01: Transfer of patent right

Effective date of registration: 20190627

Address after: 101102 Guangguancun Science and Technology Park, Tongzhou District, Beijing, 21 Jiachuang Road, Photoelectric and Electrical Integration Industrial Base

Co-patentee after: Beijing E-Hualu Information Technology Co., Ltd.

Patentee after: Guofurui Data Systems Co., Ltd.

Address before: 100043, 9, Fuhua stone road, Shijingshan District, Beijing, China 165

Patentee before: Beijing E-Hualu Information Technology Co., Ltd.

