Technical field
The invention belongs to the technical field of network anomaly detection, and in particular relates to a network threat analysis system and method based on packet capture technology.
Background
With the rapid development of Internet technology, network structures are becoming ever more complex, network environments interpenetrate one another, and network attacks are numerous and varied. The endless stream of network security incidents has caused huge economic losses and serious social impact.
To cope with the growing number of threats on today's networks, a variety of network security products have appeared on the market, such as intrusion detection systems, intrusion prevention systems, antivirus software and firewalls, but these products have the following limitations:
(1) They cannot keep pace with high-speed networks: faced with large volumes of real-time network data, it is difficult to meet the requirement for accurate detection, and the products that do meet it are inefficient or consume large amounts of system resources;
(2) Packets are inspected in isolation: the vast majority of intrusion detection systems use pattern matching, and simple packet pattern matching examines one packet at a time. Because it cannot track protocol state, many attacks on protocol flaws go undetected, since each individual packet looks normal on its own;
(3) Unknown attack types cannot be detected: IDS products mainly rely on methods such as pattern matching to discover intrusions, and the rule bases they use depend mainly on manual analysis and extraction;
(4) Detection results are complex: as the network grows and its structure becomes more complex, the massive multi-source detection results produced by the various security products are themselves complicated, so that administrators cannot respond in time.
Summary of the invention
In view of the above shortcomings of the prior art, the present invention provides a network threat analysis system and method based on packet capture technology.
The technical scheme of the present invention is as follows:
A network threat analysis system based on packet capture technology, comprising a packet capture module, a packet-based anomaly detection module, a flow-based anomaly detection module, a network threat database and a threat analysis and display module;
The packet capture module is used to capture packets of large-scale network traffic in real time, name the packets captured within a time slice of a given length after that time slice, and send them to the packet-based anomaly detection module;
The packet-based anomaly detection module is used to receive the time slice sent by the packet capture module and record summary information for it; extract the network flow data features of the time slice from the summary information to form a feature file; detect the feature file with the GBRT (gradient boosted regression tree) algorithm to obtain abnormal time slices; send the abnormal time slices to the network threat database; and send each abnormal time slice together with its adjacent time slices to the flow-based anomaly detection module;
The flow-based anomaly detection module is used to receive the abnormal time slice and its adjacent time slices sent by the packet-based anomaly detection module, perform flow reassembly on the abnormal time slice in combination with its adjacent time slices, and judge whether the flows of the abnormal time slice can be extracted; if so, perform flow feature extraction and flow feature selection for the abnormal time slice to form a flow feature file, otherwise redo the flow reassembly; detect anomalies in the flow feature file with the AdaBoost algorithm and fuse the detection results to obtain the abnormal flow data detection result; and send the abnormal flow data detection result to the network threat database; the abnormal flow data detection result comprises the attack type, the attack source, the attack target and the time at which the attack occurred;
The network threat database is used to store the abnormal time slices and abnormal flow detection results sent by the packet-based and flow-based anomaly detection modules, forward the abnormal flow detection results to the threat analysis and display module, and store the statistical analysis results sent by the threat analysis and display module;
The threat analysis and display module is used to receive the abnormal flow detection results, perform statistical analysis on them, send the statistical analysis results to the network threat database and display them to the user.
The network threat analysis method using the above network threat analysis system based on packet capture technology comprises the following steps:
Step 1: the packet capture module captures packets in real time and judges whether the time slice length has been reached; if so, it names the captured packets after the time slice and sends the time slice to the packet-based anomaly detection module, otherwise it continues capturing packets;
Step 2: the packet-based anomaly detection module receives the time slice sent by the packet capture module and records summary information;
Step 3: the packet-based anomaly detection module extracts the network flow data features of the time slice from the summary information to form a feature file;
Step 4: the packet-based anomaly detection module uses the GBRT boosted tree algorithm to detect anomalies in the feature file and judges whether the time slice is abnormal; if so, the abnormal time slice is obtained and step 5 is executed, otherwise step 1 is executed;
Step 5: the packet-based anomaly detection module sends the abnormal time slice to the network threat database, and sends the abnormal time slice and its adjacent time slices to the flow-based anomaly detection module;
Step 6: the flow-based anomaly detection module receives the abnormal time slice and its adjacent time slices sent by the packet-based anomaly detection module, performs flow reassembly on the abnormal time slice in combination with its adjacent time slices, and judges whether the flows of the abnormal time slice can be extracted; if so, it performs flow feature extraction and flow feature selection for the abnormal time slice to form a flow feature file, otherwise it redoes the flow reassembly;
Step 7: the flow-based anomaly detection module uses the AdaBoost algorithm to detect anomalies in the flow feature file and fuses the detection results to obtain the abnormal flow data detection result, which comprises the attack type, the attack source, the attack target and the time at which the attack occurred;
Step 8: the flow-based anomaly detection module sends the abnormal flow data detection result to the network threat database;
Step 9: the network threat database stores the abnormal time slices and abnormal flow detection results sent by the packet-based and flow-based anomaly detection modules, and sends the abnormal flow detection results to the threat analysis and display module;
Step 10: the threat analysis and display module receives the abnormal flow detection results, performs statistical analysis on them, sends the statistical analysis results to the network threat database and displays them to the user;
Step 11: the network threat database stores the analysis results sent by the threat analysis and display module.
Beneficial effects: compared with the prior art, the network threat analysis system and method based on packet capture technology of the present invention have the following advantages:
1. Packet capture technology captures the traffic on the network precisely and reduces resource consumption;
2. Multi-granularity anomaly detection on both packets and flows detects network threats precisely;
3. Threat analysis automatically analyses and extracts the attack type;
4. Early warning of network threats can be given in time.
Description of the drawings
Fig. 1 is a block diagram of a network threat analysis system based on packet capture technology according to an embodiment of the present invention;
Fig. 2 is a flowchart of a network threat analysis method based on packet capture technology according to an embodiment of the present invention.
Detailed description
An embodiment of the present invention is described in detail below with reference to the drawings.
The network threat analysis system based on packet capture technology monitors large-scale real-time network traffic through WinPcap. The packet-based anomaly detection module divides the traffic into time slices and uses detection techniques to determine whether each time slice is abnormal; the flow-based anomaly detection module performs flow-level detection on the abnormal time slice and its adjacent time slices and writes the resulting flow information for abnormal time slices, together with the anomaly detection statistics, into the threat analysis database; the threat analysis and display module analyses the network anomaly detection results to obtain the network threat analysis and assessment result, writes it into the threat analysis database, and reads the network threat analysis and assessment result, the network anomaly detection statistics and the network data statistics records in real time for display on a web interface, so that decision makers can follow the state of the network analysis in real time.
This embodiment is built on an MVC framework with PHP on the back end and the ExtJS framework on the front end. MVC (Model-View-Controller) is a design pattern for creating web applications on the B/S (browser/server) architecture.
In the MVC structure, the model mainly handles the database-related operations; specifically, it is responsible for the interaction between the packet-based and flow-based detection results and the database, and provides the interface through which the controller accesses and modifies these data.
The view layer displays the packet-based and flow-based detection results obtained from the model. In the prototype system the view layer is built mainly with the ExtJS framework.
The controller defines the interactive behaviour of the prototype system and links the other two layers. It is the bridge between the model layer and the view layer: it accepts user input from the view layer and passes model-layer data to the view layer.
The code uses a layered architecture, which keeps the logic of the whole framework clear and minimises the coupling between objects, making the system highly extensible and reusable. With the B/S architecture, the user sends requests to the server from a browser, and the server responds to the browser after verifying the user's identity.
As shown in Fig. 1, a network threat analysis system based on packet capture technology comprises a packet capture module, a packet-based anomaly detection module, a flow-based anomaly detection module, a network threat database and a threat analysis and display module;
The packet capture module is used to judge whether the user has selected a network interface; if not, it displays the list of network devices and obtains the interface chosen by the user; once an interface is selected, it uses WinPcap to capture packets of large-scale network traffic in real time, names the packets captured within a time slice of a given length after that time slice, and sends them to the packet-based anomaly detection module;
The packet-based anomaly detection module is used to receive the time slice sent by the packet capture module and record summary information; extract, from the summary information and using non-extensive entropy, the network flow data features of the time slice to form a feature file; detect the feature file with a GBRT (Gradient Boost Regression Tree) boosted tree to obtain abnormal time slices; send the abnormal packet detection result and the log file to the network threat database; and send the abnormal time slice and its adjacent time slices to the flow-based anomaly detection module; the abnormal packet detection result is the basic information of the packets in the abnormal time slice;
In this embodiment, summary information is recorded as follows: six attributes are extracted from each packet, namely source IP, destination IP, source port, destination port, byte count and protocol type, and a summary data structure records the statistics of these attributes for each time window.
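The summary record and the feature file described above, as an added example that is not the patent's code: packets are bucketed into time slices, a histogram of each of the six attributes is kept per slice, and a non-extensive (Tsallis) entropy per attribute forms one row of the feature file, labelled NORMAL or with an attack class from a truth list in the way the embodiment describes for the DARPA data. The slice length, the Tsallis q parameter, the sample packets and the truth-list interval are all constructed assumptions; the patent fixes none of them, and the packet dicts stand in for whatever a WinPcap-based capture would have parsed.

```python
"""Time-slice summary, non-extensive entropy features and truth-list labels.

Added example, not the patent's code. Packets are assumed already parsed
into dicts carrying the six attributes the patent records; slice length,
q, the sample packets and the truth list are constructed here.
"""
from collections import Counter, defaultdict

ATTRIBUTES = ("src_ip", "dst_ip", "src_port", "dst_port", "bytes", "proto")
SLICE_SECONDS = 10  # assumed slice length; the patent does not fix one


def slice_name(ts):
    """Name of the slice a packet belongs to: its slice start time."""
    return int(ts // SLICE_SECONDS) * SLICE_SECONDS


def group_into_slices(packets):
    """Bucket packets by slice name, as the capture module does."""
    slices = defaultdict(list)
    for p in packets:
        slices[slice_name(p["ts"])].append(p)
    return dict(slices)


def summarize(slice_packets):
    """Summary data structure: a value histogram per attribute plus totals."""
    summary = {a: Counter(p[a] for p in slice_packets) for a in ATTRIBUTES}
    summary["_packets"] = len(slice_packets)
    summary["_bytes"] = sum(p["bytes"] for p in slice_packets)
    return summary


def tsallis_entropy(counter, q=2.0):
    """Non-extensive (Tsallis) entropy S_q = (1 - sum_i p_i^q) / (q - 1).
    0.0 when every packet shares one value; for q=2 it approaches 1 - 1/N
    when N values are equally likely, so a port sweep pushes S_2(dst_port) up."""
    n = sum(counter.values())
    if n == 0:
        return 0.0
    return (1.0 - sum((c / n) ** q for c in counter.values())) / (q - 1.0)


def feature_row(summary, q=2.0):
    """One row of the feature file: S_q per attribute plus packet/byte totals."""
    row = {"S_q(%s)" % a: round(tsallis_entropy(summary[a], q), 4) for a in ATTRIBUTES}
    row["packets"] = summary["_packets"]
    row["bytes"] = summary["_bytes"]
    return row


def label_slice(slice_packets, truth_list):
    """DARPA-style label: the attack class of any truth-list interval the
    slice overlaps, otherwise NORMAL."""
    for start, end, attack in truth_list:
        if any(start <= p["ts"] < end for p in slice_packets):
            return attack
    return "NORMAL"


def build_feature_file(packets, truth_list, q=2.0):
    """Feature file as a list of labelled rows, one per time slice."""
    rows = []
    for name, pkts in sorted(group_into_slices(packets).items()):
        row = feature_row(summarize(pkts), q)
        row["slice"] = name
        row["label"] = label_slice(pkts, truth_list)
        rows.append(row)
    return rows


def pkt(ts, src, dst, sport, dport, nbytes, proto="tcp"):
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "src_port": sport,
            "dst_port": dport, "bytes": nbytes, "proto": proto}


# Constructed sample: a quiet slice [0,10) and a port-sweep slice [10,20).
SAMPLE_PACKETS = (
    [pkt(0.5 + i, "10.0.0.2", "10.0.0.80", 40000 + i, 80, 512) for i in range(4)]
    + [pkt(5.0 + i, "10.0.0.3", "10.0.0.80", 41000 + i, 80, 512) for i in range(2)]
    + [pkt(7.0 + i, "10.0.0.2", "10.0.0.53", 42000 + i, 53, 64, "udp") for i in range(2)]
    + [pkt(10.1 + 0.4 * i, "10.0.0.9", "10.0.0.80", 50000, 1 + i, 40) for i in range(20)]
)
SAMPLE_TRUTH = [(10.0, 20.0, "PROBE")]  # constructed truth-list interval

if __name__ == "__main__":
    for row in build_feature_file(SAMPLE_PACKETS, SAMPLE_TRUTH):
        print(row)
```

On the constructed input the quiet slice gives S_2(dst_port) = 0.375 while the sweep slice gives 0.95 with S_2(src_ip) = 0, which is the kind of contrast a GBRT trained on the labelled rows can separate; the packet and byte totals stay in the row because volume anomalies such as DoS show up there rather than in the entropies.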
The flow-based anomaly detection module is used to receive the abnormal time slice and its adjacent time slices sent by the packet-based anomaly detection module, perform flow reassembly on the abnormal time slice in combination with its adjacent time slices, and judge whether the flows of the abnormal time slice can be extracted; if so, perform flow feature extraction and flow feature selection for the abnormal time slice to form a flow feature file, otherwise redo the flow reassembly; detect anomalies in the flow feature file with the AdaBoost algorithm and fuse the detection results to obtain the abnormal flow data detection result; and send the abnormal flow data detection result and the log file to the network threat database; the abnormal flow data detection result comprises the attack type, the attack source, the attack target and the time at which the attack occurred;
In this embodiment, the KDD CUP99 data set (Data Mining and Knowledge Discovery CUP99, from the international knowledge discovery and data mining competition) is used, and the time slices are labelled according to the truth list provided by DARPA (Defense Advanced Research Projects Agency): a time window containing attack data is labelled with one of the four DARPA attack categories, and a window containing no attack data is labelled NORMAL.
The four main attack types in the DARPA data set are:
1) R2L: Remote File Access
A remote attacker uses services such as NetBIOS and NFS to find exploitable accounts or improper settings and log in to the host illegally.
2) U2R: User Gain Root
The attackers who launch this kind of attack are legitimate users with ordinary user privileges, or illegitimate users who have obtained ordinary user privileges by illegal means. They exploit vulnerabilities, launching attacks such as buffer overflows, to gain superuser privileges.
3) DOS: denial of service attack
The most basic DoS attack uses legitimate-looking service requests to occupy excessive service resources, overloading the server so that it can no longer serve normal users. Service resources usually include network bandwidth, storage capacity, open processes or inbound connections.
4) PROBE: network scanning
Network scanning is a common behaviour that produces abnormal network traffic, and attackers usually identify their targets by scanning. Scanning reveals the target's operating system version and the services and ports it offers, with which an attacker can launch targeted attacks. It manifests as one or more source IPs accessing a given port on a large number of different destination IPs, or different ports on one target, within a period of time.
Network flows are continuous, and storing packets by time slice may split an abnormal or normal flow connection across slices. Therefore, when reassembling the flows of a time slice, a strategy is needed for reading the adjacent time slices so that the flows of the time slice being reassembled are complete. TCP is a connection-oriented protocol, and every session between a client and a server requires a connection to be established. TCP flow reassembly serves to analyse the TCP session and is the basis for application-layer analysis and detection. Flow reassembly is therefore performed on abnormal time slices to extract the flow feature attributes for detailed detection.
Flow feature extraction extracts from the data flows the flow features chosen by the flow feature selection procedure; flow feature selection means choosing, from the original feature set, the feature subset that optimises some evaluation criterion. Its purpose is that the model built on the selected optimal feature subset achieves a prediction accuracy similar to or even better than before feature selection. This not only improves the efficiency of classification but also greatly improves test accuracy.
Since different network flows may belong to the same attack, the AdaBoost detection results are fused according to an attack fusion strategy to obtain a more accurate and reliable picture of the network anomalies.
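The flow reassembly across slice boundaries and the flow feature extraction and selection described in the two preceding paragraphs, as an added example that is not the patent's code: flows are keyed by a direction-independent 5-tuple, the abnormal slice is reassembled on its own first, and whenever a TCP flow that touches it is cut at a boundary (no SYN at the start or no FIN/RST at the end) one more neighbouring slice is read on each side and reassembly is redone. That widening rule, the termination when no neighbour is left, the full flow feature set, the selected subset and the sample capture are all assumptions; the patent says only that adjacent slices must be read and reassembly redone otherwise.

```python
"""Flow reassembly of an abnormal time slice using neighbouring slices.

Added example, not the patent's code. Slices are dicts of slice name ->
list of packet dicts. The widening/retry strategy, the feature set, the
selected subset and the sample packets are constructed assumptions.
"""
from collections import defaultdict

SLICE_SECONDS = 10  # assumed slice length


def slice_name(ts):
    return int(ts // SLICE_SECONDS) * SLICE_SECONDS


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a session share a flow."""
    a = (p["src_ip"], p["src_port"])
    b = (p["dst_ip"], p["dst_port"])
    return (p["proto"],) + (a + b if a <= b else b + a)


def reassemble(packets):
    """Group packets into flows, each ordered by timestamp."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        flows[flow_key(p)].append(p)
    return dict(flows)


def is_complete(flow):
    """A TCP flow is whole when its SYN and its FIN or RST were both seen;
    protocols without a handshake count as complete."""
    if flow[0]["proto"] != "tcp":
        return True
    last = flow[-1]["flags"]
    return "S" in flow[0]["flags"] and ("F" in last or "R" in last)


def extract_flows(slices, abnormal):
    """Return (flows touching the abnormal slice, all_complete, slices_read).
    Starts with the abnormal slice alone; if a flow is cut at a boundary,
    widens by one neighbouring slice per side and reassembles again; stops
    when every flow is whole or no neighbour is left, so it always terminates."""
    lo = hi = abnormal
    while True:
        window = range(lo, hi + SLICE_SECONDS, SLICE_SECONDS)
        packets = [p for s in window for p in slices.get(s, [])]
        own = {k: f for k, f in reassemble(packets).items()
               if any(slice_name(p["ts"]) == abnormal for p in f)}
        if all(is_complete(f) for f in own.values()):
            return own, True, len(window)
        grew = False
        if lo - SLICE_SECONDS in slices:
            lo, grew = lo - SLICE_SECONDS, True
        if hi + SLICE_SECONDS in slices:
            hi, grew = hi + SLICE_SECONDS, True
        if not grew:
            return own, False, len(window)


# Full feature set and the (assumed) subset a selection step kept.
SELECTED_FEATURES = ("duration", "packets", "bytes", "fwd_packets", "bwd_packets")


def flow_features(flow):
    """All features of one reassembled flow; forward = first packet's direction."""
    fwd_src = flow[0]["src_ip"]
    fwd = sum(1 for p in flow if p["src_ip"] == fwd_src)
    total = sum(p["bytes"] for p in flow)
    return {"duration": round(flow[-1]["ts"] - flow[0]["ts"], 3), "packets": len(flow),
            "bytes": total, "fwd_packets": fwd, "bwd_packets": len(flow) - fwd,
            "mean_bytes": round(total / len(flow), 1)}


def flow_feature_file(flows):
    """Selected features per flow, ordered by flow start: the AdaBoost input."""
    rows = []
    for key, flow in sorted(flows.items(), key=lambda kv: kv[1][0]["ts"]):
        feats = flow_features(flow)
        row = {name: feats[name] for name in SELECTED_FEATURES}
        row["flow"] = key
        rows.append(row)
    return rows


def pkt(ts, src, sport, dst, dport, flags, nbytes, proto="tcp"):
    return {"ts": ts, "src_ip": src, "src_port": sport, "dst_ip": dst,
            "dst_port": dport, "flags": flags, "bytes": nbytes, "proto": proto}


# Constructed capture: flow A opens in slice 0 and closes in slice 10;
# flow B lives entirely inside slice 10.
_A = [pkt(8.0, "10.0.0.2", 40001, "10.0.0.80", 80, "S", 60),
      pkt(8.1, "10.0.0.80", 80, "10.0.0.2", 40001, "SA", 60),
      pkt(8.2, "10.0.0.2", 40001, "10.0.0.80", 80, "A", 52),
      pkt(9.5, "10.0.0.2", 40001, "10.0.0.80", 80, "PA", 500),
      pkt(10.2, "10.0.0.80", 80, "10.0.0.2", 40001, "PA", 1200),
      pkt(11.9, "10.0.0.2", 40001, "10.0.0.80", 80, "FA", 52)]
_B = [pkt(10.5, "10.0.0.3", 40002, "10.0.0.80", 80, "S", 60),
      pkt(10.6, "10.0.0.80", 80, "10.0.0.3", 40002, "SA", 60),
      pkt(10.7, "10.0.0.3", 40002, "10.0.0.80", 80, "A", 52),
      pkt(10.8, "10.0.0.3", 40002, "10.0.0.80", 80, "PA", 300),
      pkt(11.0, "10.0.0.3", 40002, "10.0.0.80", 80, "FA", 52)]
SAMPLE_SLICES = {0: [p for p in _A if p["ts"] < 10],
                 10: [p for p in _A if p["ts"] >= 10] + _B}

if __name__ == "__main__":
    flows, complete, read = extract_flows(SAMPLE_SLICES, 10)
    print("complete=%s slices_read=%d" % (complete, read))
    for row in flow_feature_file(flows):
        print(row)
```

Reassembling slice 10 alone leaves flow A without its SYN, so the second pass reads slice 0 as well and both flows come out whole; with only slice 10 available the function reports the flows as incomplete instead of looping, which is the termination the patent's "otherwise redo the flow reassembly" branch leaves open.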
The network threat database is used to store the abnormal packet detection results and abnormal flow detection results sent by the packet-based and flow-based anomaly detection modules, forward the abnormal flow detection results to the threat analysis and display module, store the log files, and store the statistical analysis results sent by the threat analysis and display module;
The threat analysis and display module is used to receive the abnormal flow detection results and perform statistical analysis on them. The statistical analysis results comprise the network anomaly detection statistics, namely the kinds of attack that have occurred, the number of occurrences of each attack type, the probability of each attack type up to the current time window and the event security weight of each attack type; from these statistics a composite threat value is obtained, which is the network threat analysis and assessment result. The threat value, the network anomaly detection statistics and the network data records are sent to the network threat database, and the threat value and the network anomaly detection statistics are displayed to the user in the form of an attack event statistics table, an attack event pie chart, a network threat analysis chart and so on.
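The fusion of per-flow AdaBoost verdicts into attack events (the paragraph on the attack fusion strategy above) and the statistics and composite threat value the display module reports, as one added example that is not the patent's code. The per-flow verdicts are constructed in place of the AdaBoost output; the fusion rule (flows with the same attack type, source and target that fall within FUSE_GAP seconds of each other form one event), the per-type security weights and the threat-value formula (sum over attack types of probability times weight) are all assumptions, since the patent names the statistics but fixes no values or formula.

```python
"""Fusing per-flow verdicts into attack events and computing threat statistics.

Added example, not the patent's code. Verdicts, the fusion rule, the
security weights and the threat-value formula are constructed assumptions.
"""
from collections import Counter

FUSE_GAP = 5.0  # assumed: flows further apart than this start a new event
SECURITY_WEIGHT = {"PROBE": 0.3, "DOS": 0.6, "R2L": 0.8, "U2R": 1.0}  # assumed weights


def fuse_verdicts(verdicts):
    """Merge flow-level verdicts into attack events.
    Each verdict is {"ts", "src_ip", "dst_ip", "type"}; NORMAL flows are
    dropped. Events carry attack type, source, target, first and last time
    and the number of flows fused into them."""
    events = []
    open_events = {}  # (type, source, target) -> index of its latest event
    for v in sorted(verdicts, key=lambda v: v["ts"]):
        if v["type"] == "NORMAL":
            continue
        key = (v["type"], v["src_ip"], v["dst_ip"])
        idx = open_events.get(key)
        if idx is not None and v["ts"] - events[idx]["last_seen"] <= FUSE_GAP:
            events[idx]["last_seen"] = v["ts"]
            events[idx]["flows"] += 1
            continue
        events.append({"type": v["type"], "source": v["src_ip"], "target": v["dst_ip"],
                       "first_seen": v["ts"], "last_seen": v["ts"], "flows": 1})
        open_events[key] = len(events) - 1
    return events


def threat_statistics(events):
    """Statistics for the display module: attack types seen, count per type,
    probability of each type over all events so far, its security weight,
    and a composite threat value (assumed: sum of probability x weight)."""
    counts = Counter(e["type"] for e in events)
    total = sum(counts.values())
    per_type = {}
    threat = 0.0
    for attack, n in counts.items():
        weight = SECURITY_WEIGHT.get(attack, 0.0)
        per_type[attack] = {"count": n, "probability": round(n / total, 4), "weight": weight}
        threat += n / total * weight
    return {"types": sorted(counts), "per_type": per_type, "threat_value": round(threat, 4)}


def verdict(ts, src, dst, kind):
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "type": kind}


# Constructed per-flow verdicts: a three-flow probe, a normal flow, a
# two-flow DoS, and a lone probe from the same source much later.
SAMPLE_VERDICTS = [
    verdict(10.3, "10.0.0.9", "10.0.0.80", "PROBE"),
    verdict(10.7, "10.0.0.9", "10.0.0.80", "PROBE"),
    verdict(11.2, "10.0.0.9", "10.0.0.80", "PROBE"),
    verdict(12.0, "10.0.0.2", "10.0.0.80", "NORMAL"),
    verdict(15.0, "10.0.0.5", "10.0.0.80", "DOS"),
    verdict(15.4, "10.0.0.5", "10.0.0.80", "DOS"),
    verdict(40.0, "10.0.0.9", "10.0.0.80", "PROBE"),
]

if __name__ == "__main__":
    fused = fuse_verdicts(SAMPLE_VERDICTS)
    for e in fused:
        print(e)
    print(threat_statistics(fused))
```

The seven verdicts collapse to three events (the probe at 40.0 is outside the gap and so becomes its own event), and the statistics then count events rather than flows, so a noisy scan that produces many flows does not outweigh a single DoS event; the weights are where an operator expresses which attack classes matter more on their network.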
In this embodiment, the threat analysis and display module achieves dynamic display through a web front end. The front end uses ExtJS to present the results, and the back end uses PHP to call the local function code and to interact with the network threat database.
As shown in Fig. 2, the network threat analysis method using the network threat analysis system based on packet capture technology comprises the following steps:
Step 1: the packet capture module judges whether the user has selected a network interface; if not, it displays the list of network devices and obtains the interface chosen by the user; once an interface is selected, step 2 is executed;
Step 2: the packet capture module uses WinPcap to capture packets in real time and judges whether the time slice length has been reached; if so, it names the captured packets after the time slice and sends the time slice to the packet-based anomaly detection module, otherwise it continues capturing packets;
Step 3: the packet-based anomaly detection module receives the time slice sent by the packet capture module and records summary information;
Step 4: the packet-based anomaly detection module extracts the network flow data features of the time slice from the summary information to form a feature file;
Step 5: the packet-based anomaly detection module uses the GBRT boosted tree algorithm to detect the feature file and judges whether the time slice is abnormal; if so, the abnormal time slice is obtained and step 6 is executed, otherwise step 2 is executed;
Step 6: the packet-based anomaly detection module sends the abnormal time slice and the log file to the network threat database, and sends the abnormal time slice and its adjacent time slices to the flow-based anomaly detection module;
Step 7: the flow-based anomaly detection module receives the abnormal time slice and its adjacent time slices sent by the packet-based anomaly detection module, performs flow reassembly on the abnormal time slice in combination with its adjacent time slices, and judges whether the flows of the abnormal time slice can be extracted; if so, it performs flow feature extraction and flow feature selection for the abnormal time slice to form a flow feature file, otherwise it redoes the flow reassembly;
Step 8: the flow-based anomaly detection module uses the AdaBoost algorithm to detect anomalies in the flow feature file and fuses the detection results to obtain the abnormal flow data detection result, which comprises the attack type, the attack source, the attack target and the time at which the attack occurred;
Step 9: the flow-based anomaly detection module sends the abnormal flow data detection result and the log file to the network threat database;
Step 10: the network threat database stores the abnormal time slice packets, the abnormal flow detection results and the log files sent by the packet-based and flow-based anomaly detection modules, and forwards the abnormal flow detection results to the threat analysis and display module;
Step 11: the threat analysis and display module receives the abnormal flow detection results, performs statistical analysis on them, sends the statistical analysis results to the network threat database and displays them to the user;
Step 12: the network threat database stores the statistical analysis results sent by the threat analysis and display module.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710032555.8A (publication CN106685984A) | 2017-01-16 | 2017-01-16 | A network threat analysis system and method based on packet capture technology |
| Publication Number | Publication Date |
|---|---|
| CN106685984A | 2017-05-17 |
| Country | Link |
|---|---|
| CN (1) | CN106685984A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107404400A (en)* | 2017-07-20 | 2017-11-28 | 中国电子科技集团公司第二十九研究所 | A kind of network situation awareness implementation method and device |
| CN107688619A (en)* | 2017-08-10 | 2018-02-13 | 北京奇安信科技有限公司 | A kind of daily record data processing method and processing device |
| CN108574609A (en)* | 2017-12-29 | 2018-09-25 | 北京视联动力国际信息技术有限公司 | A kind of transmitting, monitoring method and apparatus |
| CN108600188A (en)* | 2018-04-02 | 2018-09-28 | 江苏中控安芯信息安全技术有限公司 | A kind of network security hardware system running environment threat cognitive method |
| CN109447651A (en)* | 2018-10-22 | 2019-03-08 | 武汉极意网络科技有限公司 | Business air control detection method, system, server and storage medium |
| CN109639587A (en)* | 2018-12-11 | 2019-04-16 | 国网河南省电力公司开封供电公司 | A kind of flow monitoring system based on electric automatization |
| CN110881022A (en)* | 2018-09-06 | 2020-03-13 | 福建雷盾信息安全有限公司 | Large-scale network security situation detection and analysis method |
| CN111083172A (en)* | 2019-12-31 | 2020-04-28 | 厦门耐特源码信息科技有限公司 | Link communication monitoring view construction method based on data packet analysis |
| CN111092900A (en)* | 2019-12-24 | 2020-05-01 | 北京北信源软件股份有限公司 | Method and device for monitoring abnormal connection and scanning behavior of server |
| CN111163103A (en)* | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Risk control method, apparatus, computing device, medium performed by computing equipment |
| CN113765843A (en)* | 2020-06-01 | 2021-12-07 | 深信服科技股份有限公司 | Method, device and equipment for detecting identification detection capability and readable storage medium |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103748999B (en)* | 2010-06-09 | 2012-02-08 | 北京理工大学 | A kind of network safety situation integrated estimation system |
| CN103581186A (en)* | 2013-11-05 | 2014-02-12 | 中国科学院计算技术研究所 | Network security situation awareness method and system |
| CN105407103A (en)* | 2015-12-19 | 2016-03-16 | 中国人民解放军信息工程大学 | Network threat evaluation method based on multi-granularity anomaly detection |
| CN105491013A (en)* | 2015-11-20 | 2016-04-13 | 电子科技大学 | Multi-domain network security situation perception model and method based on SDN |
| CN113765843B (en)* | 2020-06-01 | 2022-09-30 | 深信服科技股份有限公司 | Method, device and equipment for detecting identification detection capability and readable storage medium |
| Publication | Publication Date | Title |
|---|---|---|
| CN106685984A (en) | | A network threat analysis system and method based on packet capture technology |
| CN104767757B (en) | | Various dimensions safety monitoring method and system based on WEB service |
| Wan et al. | | Feature-selection-based ransomware detection with machine learning of data analysis |
| CN112383538B (en) | | A hybrid high-interaction industrial honeypot system and method |
| CN109936578A (en) | | A detection method for HTTPS tunnel traffic in the network |
| Khan et al. | | Digital forensics and cyber forensics investigation: security challenges, limitations, open issues, and future direction |
| CN110933060A (en) | | Excavation Trojan detection system based on flow analysis |
| Jia et al. | | Big-data analysis of multi-source logs for anomaly detection on network-based system |
| CN105743880A (en) | | Data analysis system |
| CN115134250B (en) | | Network attack tracing evidence obtaining method |
| CN117478403A (en) | | Whole scene network security threat association analysis method and system |
| CN106790062A (en) | | A kind of method for detecting abnormality and system based on the polymerization of inverse dns nailing attribute |
| CN115883223A (en) | | Method and device for generating user risk profile, electronic device, storage medium |
| CN115001934A (en) | | Industrial control safety risk analysis system and method |
| Hareesh et al. | | Anomaly detection system based on analysis of packet header and payload histograms |
| CN107454068B (en) | | A Honeynet Security Situational Awareness Method Combined with Immune Danger Theory |
| Singh et al. | | An approach to understand the end user behavior through log analysis |
| CN117609990B (en) | | An adaptive security protection method and device based on scene correlation analysis engine |
| Tellenbach | | Detection, classification and visualization of anomalies using generalized entropy metrics |
| Li et al. | | Web application-layer DDoS attack detection based on generalized Jaccard similarity and information entropy |
| CN115834097B (en) | | HTTPS malicious software flow detection system and method based on multiple views |
| Liu et al. | | Automated behavior identification of home security camera traffic |
| Yang et al. | | A Multi-step Attack Detection Framework for the Power System Network |
| CN114338214B (en) | | Risk control method and system |
| Zhang | | Simulation of network forensics model based on wireless sensor networks and inference technology |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170517 |