Host security assessment method and system based on network behavior feature association analysis
Technical field
The present invention relates to the field of computer network security, and more particularly to a host security assessment method and system based on network behavior feature association analysis.
Background technology
At present, security evaluation of a host is carried out mainly in two ways. The first detects files in the host system: by analyzing a file's content and its dynamic behaviour it judges whether the file is a malicious code payload or a rogue program, and from that judges whether the host environment is safe. The second detects on network traffic: traffic in transit is reassembled and decompressed to determine whether a malicious service is receiving remote operation instructions, uploading host information, or even downloading a malicious code payload, and from that judges whether the host state is safe.
Detection based on files in the host system requires continuous analysis of newly discovered malicious code to maintain detection capability. This not only consumes considerable resources, but the ability to identify variants of malicious code or unknown malicious code also remains insufficient. Host security detection based on network traffic improves, to some extent, the ability to identify malicious code variants or unknown malicious code. The problem that then arises is that, as time passes, some network features lose reliability, or attackers improve their techniques for hiding network features. Moreover, among the network features contained in a piece of malicious code, usually only one is used for communicating with the attacking host; the other network features include, but are not limited to, the IP or URL used to test the local host, tool-class URLs used to obtain the host IP, commercial URLs used for earning profit, URLs used to judge network link status, and so on. These factors leave few usable network feature resources and a high probability of false positives.
The content of the invention
The present invention proposes a host security assessment method and system based on network behavior feature association analysis. The method of the invention solves two problems of traditional methods: low data utilization rate, and false positives that are difficult to avoid because feature reliability changes.
A host security assessment method based on network behavior feature association analysis, including:
obtaining the network features of known malicious code;
analyzing the network features and determining the attributes of each network feature, where the attributes of a network feature include its weight, the relation of the current feature to other features, and the feature combination pattern;
monitoring the network communication behavior of the host to be assessed within a unit of time, and if the network communication behavior within that unit of time matches a network feature of at least one known malicious code, scoring the security of the host according to the weights;
comparing the obtained score with a preset early-warning score line; if the score is greater than or equal to the early-warning score line, confirming that the host to be assessed has a security threat, otherwise the host to be assessed has no security threat;
if the host to be assessed has a threat, confirming the family to which the malicious code belongs and the organization that launched the attack, according to the attributes of the network features.
In the method described, the weights of the network features are adjusted as the number of network features increases.
In the method described, scoring the security of the host according to the weights specifically means: setting a parameter corresponding to the weight of each network feature, and computing the linear weighted sum of the parameters and the weights.
Another technical scheme of the present invention proposes a host security assessment system based on network behavior feature association analysis, including:
a feature module, for obtaining the network features of known malicious code;
an analysis module, for analyzing the network features and determining the attributes of each network feature, where the attributes of a network feature include its weight, the relation of the current feature to other features, and the feature combination pattern;
a monitoring module, for monitoring the network communication behavior of the host to be assessed within a unit of time, and if the network communication behavior within that unit of time matches a network feature of at least one known malicious code, scoring the security of the host according to the weights;
a threat verdict module, for comparing the obtained score with a preset early-warning score line; if the score is greater than or equal to the early-warning score line, it confirms that the host to be assessed has a security threat, otherwise the host to be assessed has no security threat;
an information validation module, for confirming, if the host to be assessed has a threat, the family to which the malicious code belongs and the organization that launched the attack, according to the attributes of the network features.
In the system described, the weights of the network features are adjusted as the number of network features increases.
In the system described, scoring the security of the host according to the weights specifically means: setting a parameter corresponding to the weight of each network feature, and computing the linear weighted sum of the parameters and the weights.
The key technical point of this method is the manner of analysis based on network behavior feature association. By analyzing and organizing all network behaviors found in malicious code, each network behavior receives a weight that measures its ability to identify malicious code, and that weight can be adjusted as the number of features grows, so that all network behaviors participate as features in the host security assessment. This raises the utilization rate of the data and improves the accuracy of host security assessment.
The present method solves two problems of traditional methods: low data utilization rate, and false positives that are difficult to avoid because feature reliability changes. Using analysis based on network behavior feature association effectively increases the utilization rate of the data, gives feature reliability a quantified value, and obtains the result by a sound calculation, so that the assessment result is more accurate and false positives are effectively reduced. Furthermore, the attributes of a network feature can reveal the associations between that network feature, other features and the malicious code, which facilitates later classification analysis of the threat events found.
Description of the drawings
In order to illustrate more clearly the technical scheme of the present invention or of the prior art, the drawings needed for describing the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Fig. 1 is a flow chart of a host security assessment method based on network behavior feature association analysis of the present invention;
Fig. 2 is a structural diagram of a host security assessment system based on network behavior feature association analysis of the present invention.
Specific embodiment
In order that those skilled in the art better understand the technical scheme in the embodiments of the present invention, and to make the above purposes, features and advantages of the present invention clearer and easier to understand, the technical scheme of the present invention is explained in further detail below with reference to the accompanying drawings.
The present invention is proposed because the network communication configuration features contained in malicious code, such as domain names, server IP addresses, FTP server information and e-mail addresses, differ in their ability to serve as a basis for judging that a host is infected with malicious code, and because, as time passes and techniques improve, the reliability of many features gradually decreases. Yet the host security evaluation process still needs sufficient conditions to judge the security state of the host. Therefore a host security assessment method based on network behavior feature association analysis is proposed here: the network communication features contained in existing malicious code are systematically analyzed through a series of data operations such as classification and association, so as to obtain the influence that each of these network features has on host security assessment, i.e. the ability of a single feature to provide a basis for judging that a host is infected with malicious code.
The present invention proposes a host security assessment method and system based on network behavior feature association analysis. The method of the invention solves two problems of traditional methods: low data utilization rate, and false positives caused by changes in feature reliability.
A host security assessment method based on network behavior feature association analysis, as shown in Fig. 1, includes:
S101: obtaining the network features of known malicious code;
S102: analyzing the network features and determining the attributes of each network feature; the attributes of a network feature include its weight, the relation of the current feature to other features (for example, coming from the same class of malicious code, or belonging to the same malicious code family), and the feature combination pattern, i.e. the feature combination to which the feature belongs; a similar feature combination pattern can indicate that different classes of malicious code may come from the same hacker organization, and so on;
S103: monitoring the network communication behavior of the host to be assessed within a unit of time, and if the network communication behavior within that unit of time matches a network feature of at least one known malicious code, scoring the security of the host according to the weights;
S104: comparing the obtained score with a preset early-warning score line; if the score is greater than or equal to the early-warning score line, confirming that the host to be assessed has a security threat and performing S105, otherwise the host to be assessed has no security threat;
S105: if the host to be assessed has a threat, confirming the family to which the malicious code belongs and the organization that launched the attack according to the attributes of the network features. That is, attributes such as the feature combination pattern of the matched network features are used to make a preliminary determination of the family of the malicious code infecting the host, and it may even be possible to determine the organization that launched the attack.
In the method described, the weights of the network features are adjusted as the number of network features increases.
In the method described, scoring the security of the host according to the weights specifically means: setting a parameter corresponding to the weight of each network feature, and computing the linear weighted sum of the parameters and the weights. For example, let the parameters corresponding to the features be a1, a2, ..., an and the corresponding weights be p1, p2, ..., pn; then the threat score is their weighted sum: score = p1*a1 + p2*a2 + ... + pn*an. Of course, the linear weighted sum is only one of many possible weight-based scoring calculations, and practical applications are not limited to the linear weighted calculation.
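Steps S101 to S105 and the weighted-sum scoring above, carried through as an added worked example written for this page (it is not code from the patent). The feature catalogue, the early-warning line of 0.75 and the weight-adjustment policy (a feature value listed under several families has its weight divided by that count) are all assumptions made for the example.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class NetworkFeature:
    value: str      # network communication feature found in the malicious code (domain, IP, URL ...)
    weight: float   # p_i: how strongly this feature alone indicates infection
    family: str     # relation attribute: family of the malicious code it came from
    pattern: str    # feature combination pattern the feature belongs to

# Constructed catalogue (S101/S102); hostnames are placeholders, not real indicators.
CATALOGUE = [
    NetworkFeature("c2.example.invalid", 0.8, "FamilyA", "combo-1"),
    NetworkFeature("ipcheck.example.invalid", 0.4, "FamilyA", "combo-1"),
    NetworkFeature("ipcheck.example.invalid", 0.4, "FamilyB", "combo-2"),
    NetworkFeature("mail.example.invalid", 0.5, "FamilyB", "combo-2"),
]
EARLY_WARNING_LINE = 0.75  # preset early-warning score line (assumed value)

def effective_weights(catalogue):
    """Weight adjustment as the catalogue grows (assumed policy): a value that appears
    under several families, such as an IP-check URL, has its weight divided by that count."""
    seen = Counter(f.value for f in catalogue)
    return {f.value: f.weight / seen[f.value] for f in catalogue}

def score_window(observed, catalogue):
    """S103: a_i = 1 if the feature was contacted in the window, 0 otherwise;
    score = p1*a1 + p2*a2 + ... + pn*an."""
    weights = effective_weights(catalogue)
    matched = sorted(v for v in weights if v in observed)
    return round(sum(weights[v] for v in matched), 6), matched

def assess_host(observed, catalogue=CATALOGUE, line=EARLY_WARNING_LINE):
    """S104: compare with the early-warning line; S105: on a threat, attribute the
    family and combination pattern from the attributes of the matched features."""
    score, matched = score_window(set(observed), catalogue)
    if score < line:
        return {"score": score, "threat": False, "matched": matched}
    weights = effective_weights(catalogue)
    per_family = Counter()
    for f in catalogue:
        if f.value in matched:
            per_family[f.family] += weights[f.value]
    likely = max(per_family, key=per_family.get)
    patterns = sorted({f.pattern for f in catalogue if f.value in matched and f.family == likely})
    return {"score": score, "threat": True, "matched": matched,
            "family": likely, "patterns": patterns}

if __name__ == "__main__":
    # Constructed one-minute window of outbound connections from the host under assessment.
    print(assess_host(["update.example.invalid", "c2.example.invalid", "ipcheck.example.invalid"]))
```

Note that a window containing only the shared IP-check URL scores 0.2 and stays below the line, which is the false-positive reduction the method aims for.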
Another technical scheme of the present invention proposes a host security assessment system based on network behavior feature association analysis, as shown in Fig. 2, including:
a feature module 201, for obtaining the network features of known malicious code;
an analysis module 202, for analyzing the network features and determining the attributes of each network feature, where the attributes of a network feature include its weight, the relation of the current feature to other features, and the feature combination pattern;
a monitoring module 203, for monitoring the network communication behavior of the host to be assessed within a unit of time, and if the network communication behavior within that unit of time matches a network feature of at least one known malicious code, scoring the security of the host according to the weights;
a threat verdict module 204, for comparing the obtained score with a preset early-warning score line; if the score is greater than or equal to the early-warning score line, it confirms that the host to be assessed has a security threat, otherwise the host to be assessed has no security threat;
an information validation module 205, for confirming, if the host to be assessed has a threat, the family to which the malicious code belongs and the organization that launched the attack, according to the attributes of the network features.
In the system described, the weights of the network features are adjusted as the number of network features increases.
In the system described, scoring the security of the host according to the weights specifically means: setting a parameter corresponding to the weight of each network feature, and computing the linear weighted sum of the parameters and the weights.
The present method solves two problems of traditional methods: low data utilization rate, and false positives that are difficult to avoid because feature reliability changes. Using analysis based on network behavior feature association effectively increases the utilization rate of the data, gives feature reliability a quantified value, and obtains the result by a sound calculation, so that the assessment result is more accurate and false positives are effectively reduced. Furthermore, the attributes of a network feature can reveal the associations between that network feature, other features and the malicious code, which facilitates later classification analysis of the threat events found.
Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that the present invention admits many variations and changes without departing from its spirit, and it is intended that the appended claims cover these variations and changes that do not depart from the spirit of the present invention.