CN108092948A - Method and device for identifying network attack patterns - Google Patents

Method and device for identifying network attack patterns

Info

Publication number
CN108092948A
Authority
CN
China
Prior art keywords
attack
network
characteristic value
collection
value collection
Prior art date
Legal status
Granted
Application number
CN201611062203.9A
Other languages
Chinese (zh)
Other versions
CN108092948B (en)
Inventor
姚子健
熊胜
吴勤华
杨晶蕾
田纪军
朱尧
程琨
吴人超
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Events
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Hubei Co Ltd
Priority to CN201611062203.9A (patent/CN108092948B/en)
Publication of CN108092948A (patent/CN108092948A/en)
Application granted
Publication of CN108092948B (patent/CN108092948B/en)
Legal status: Active (current)
Anticipated expiration

Abstract

Translated from Chinese

The invention discloses a method and device for identifying network attack patterns, relates to the field of communication technology, and can solve the problem of network attacks going unreported. The method for identifying a network attack pattern includes: obtaining log information of the business system under test and the network traffic that a low-interaction honeypot preset in the business system under test forwards to a high-interaction honeypot; obtaining attack behavior features from the network traffic and the log information of the business system under test; judging whether the attack behavior features meet preset normal-behavior conditions and obtaining an attack behavior feature value set according to the judgment result; calculating the similarity between the attack behavior feature value set and the preset feature value sets of a plurality of known attack patterns; and obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behavior feature value set as the attack pattern of the attack behavior feature value set.

Description

Method and device for identifying network attack patterns

Technical field

The present invention relates to the field of communication technology, and in particular to a method and device for identifying network attack patterns.

Background

As network applications occupy an increasingly important place in people's study, work and daily life, hackers launch network attacks in order to steal user information or damage the network, for example 0-day attacks that exploit unpatched vulnerabilities in the network, or APT (Advanced Persistent Threat) attacks that use advanced attack techniques to conduct long-term, persistent network attacks against specific targets.

To detect and identify the attack patterns of the various network attacks launched by hackers, a traditional border security gateway device is generally used to capture data at the network border; the captured data is matched against the attack-model data in a public-cloud database, and the attack pattern in that database that matches the captured data is taken as the attack pattern of the network attack corresponding to the captured data, thereby identifying the attack pattern of the network attack. However, for captured data that cannot be matched against any attack model in the public-cloud database, the attack pattern of the corresponding network attack cannot be identified, so the network attack goes unreported, which reduces the security of the network.

Summary of the invention

Embodiments of the present invention provide a method and device for identifying network attack patterns, which can avoid missed reports of network attacks and improve the security of the network.

In a first aspect, an embodiment of the present invention provides a method for identifying a network attack pattern, including: obtaining log information of the business system under test and the network traffic that a low-interaction honeypot preset in the business system under test forwards to a high-interaction honeypot; obtaining attack behavior features from the network traffic and the log information of the business system under test; judging whether the attack behavior features meet preset normal-behavior conditions and obtaining an attack behavior feature value set according to the judgment result, the attack behavior feature value set including the value of at least one attack behavior feature; calculating the similarity between the attack behavior feature value set and the feature value sets of a plurality of known attack patterns; and obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behavior feature value set as the attack pattern of the attack behavior feature value set.

With reference to the first aspect, in a first possible implementation of the first aspect, the log information of the business system under test includes the log information of the high-interaction honeypot.

With reference to the first aspect, in a second possible implementation of the first aspect, the log information of the business system under test includes the log information of the high-interaction honeypot and the alarm logs of the network border security protection devices in the network where the business system under test is located.

With reference to the first aspect, in a third possible implementation of the first aspect, the above method for identifying a network attack pattern further includes: generating a corresponding security protection policy according to the attack pattern of the attack behavior feature value set.

With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, after the step of generating the corresponding security protection policy according to the attack pattern of the attack behavior feature value set, the method further includes: delivering the generated security protection policy to the network border security protection devices, and/or sharing the generated security protection policy within the network where the business system under test is located.

With reference to the first aspect, in a fifth possible implementation of the first aspect, the above method for identifying a network attack pattern further includes: constructing a virtual host using the low-interaction honeypot, the IP (Internet Protocol) address of the virtual host being identical to the IP address of a real host in the business system under test; rewriting the vulnerability simulation code in the virtual host to patch the vulnerabilities in the virtual host; and directing the network traffic received by the business system under test into the virtual host after its vulnerabilities have been patched.

With reference to the first aspect, in a sixth possible implementation of the first aspect, the step of judging whether the attack behavior features meet the preset normal-behavior conditions and obtaining the attack behavior feature value set according to the judgment result includes: judging whether each attack behavior feature meets the preset normal-behavior condition; assigning a first value to each attack behavior feature that meets the preset normal-behavior condition; assigning a second value to each attack behavior feature that does not meet the preset normal-behavior condition; and combining the attack behavior feature values assigned the first value and/or the attack behavior feature values assigned the second value into the attack behavior feature value set.

With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, for any one of the attack behavior features, before the step of judging whether the attack behavior feature meets the preset normal-behavior condition, the method further includes: collecting the attack behavior feature multiple times to obtain a plurality of collected values of the attack behavior feature; calculating the mean and the standard error of the plurality of collected values; calculating the product of the standard error and a preset correction parameter as a corrected standard error; and taking the range that floats by the corrected standard error around the mean as the normal-behavior condition.

With reference to the first aspect, in an eighth possible implementation of the first aspect, the step of calculating the similarity between the attack behavior feature value set and the feature value sets of the plurality of known attack patterns includes: calculating the Euclidean distance between the attack behavior feature value set and each of the known-attack-pattern feature value sets; and the step of obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behavior feature value set as the attack pattern of the attack behavior feature value set includes: obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the smallest Euclidean distance to the attack behavior feature value set as the attack pattern of the attack behavior feature value set.

With reference to the first aspect, in a ninth possible implementation of the first aspect, the IP address of the low-interaction honeypot is the same as the IP address of the high-interaction honeypot.

In a second aspect, an embodiment of the present invention provides a device for identifying a network attack pattern, including: a log acquisition module configured to obtain log information of the business system under test and the network traffic that a low-interaction honeypot preset in the business system under test forwards to a high-interaction honeypot; a feature acquisition module configured to obtain attack behavior features from the network traffic and the log information of the business system under test; a set acquisition module configured to judge whether the attack behavior features meet preset normal-behavior conditions and to obtain an attack behavior feature value set according to the judgment result, the attack behavior feature value set including the value of at least one attack behavior feature; a calculation module configured to calculate the similarity between the attack behavior feature value set and the feature value sets of a plurality of known attack patterns; and an analysis module configured to obtain the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behavior feature value set as the attack pattern of the attack behavior feature value set.

With reference to the second aspect, in a first possible implementation of the second aspect, the log information of the business system under test includes the log information of the high-interaction honeypot.

With reference to the second aspect, in a second possible implementation of the second aspect, the log information of the business system under test includes the log information of the high-interaction honeypot and the alarm logs of the network border security protection devices in the network where the business system under test is located.

With reference to the second aspect, in a third possible implementation of the second aspect, the above device for identifying a network attack pattern further includes: a policy generation module configured to generate a corresponding security protection policy according to the attack pattern of the attack behavior feature value set.

With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the above device for identifying a network attack pattern further includes: a policy delivery module configured to deliver the generated security protection policy to the network border security protection devices, and/or a policy sharing module configured to share the generated security protection policy within the network where the business system under test is located.

With reference to the second aspect, in a fifth possible implementation of the second aspect, the above device for identifying a network attack pattern further includes: a virtual host construction module configured to construct a virtual host using the low-interaction honeypot, the IP address of the virtual host being identical to the IP address of a real host in the business system under test; a vulnerability patching module configured to rewrite the vulnerability simulation code in the virtual host to patch the vulnerabilities in the virtual host; and a traffic redirection module configured to direct the network traffic received by the business system under test into the virtual host after its vulnerabilities have been patched.

With reference to the second aspect, in a sixth possible implementation of the second aspect, the set acquisition module is configured to: judge whether each attack behavior feature meets the preset normal-behavior condition; assign a first value to each attack behavior feature that meets the preset normal-behavior condition; assign a second value to each attack behavior feature that does not meet the preset normal-behavior condition; and combine the attack behavior feature values assigned the first value and/or the attack behavior feature values assigned the second value into the attack behavior feature value set.

With reference to the sixth possible implementation of the second aspect, in a seventh possible implementation of the second aspect, the above device for identifying a network attack pattern further includes a condition setting module configured to: collect an attack behavior feature multiple times to obtain a plurality of collected values of the attack behavior feature; calculate the mean and the standard error of the plurality of collected values; calculate the product of the standard error and a preset correction parameter as a corrected standard error; and take the range that floats by the corrected standard error around the mean as the normal-behavior condition.

With reference to the second aspect, in an eighth possible implementation of the second aspect, the calculation module is specifically configured to calculate the Euclidean distance between the attack behavior feature value set and each of the known-attack-pattern feature value sets, and the analysis module is specifically configured to obtain the attack pattern corresponding to the known-attack-pattern feature value set with the smallest Euclidean distance to the attack behavior feature value set as the attack pattern of the attack behavior feature value set.

With reference to the second aspect, in a ninth possible implementation of the second aspect, the IP address of the low-interaction honeypot is the same as the IP address of the high-interaction honeypot.

The method and device for identifying network attack patterns provided by the embodiments of the present invention can extract attack behavior features from the log information and network traffic of the business system under test, judge whether the attack behavior features meet the preset normal-behavior conditions, obtain an attack behavior feature value set according to the judgment result, and determine the attack pattern of the attack behavior feature value set by calculating its similarity to the feature value sets of a plurality of known attack patterns. The attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behavior feature value set is taken as the attack pattern of the attack behavior feature value set. For every network attack received by the business system under test, the closest attack pattern can thus be found from the attack behavior features of the attack, and the prior-art situation in which the public-cloud database contains no matching attack pattern does not arise; unknown attack patterns can therefore be identified, missed reports of network attacks are avoided, and the security of the network is improved.

Brief description of the drawings

The present invention can be better understood from the following description of specific embodiments of the present invention in conjunction with the accompanying drawings, in which the same or similar reference numerals denote the same or similar features.

FIG. 1 is a flowchart of a method for identifying network attack patterns in an embodiment of the present invention;

FIG. 2 is a flowchart of a method for identifying network attack patterns in another embodiment of the present invention;

FIG. 3 is a flowchart of a method for identifying network attack patterns in yet another embodiment of the present invention;

FIG. 4 is a schematic structural diagram of a device for identifying network attack patterns provided by an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of a device for identifying network attack patterns in another embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a device for identifying network attack patterns in yet another embodiment of the present invention;

FIG. 7 is a schematic structural diagram of a device for identifying network attack patterns in still another embodiment of the present invention.

Detailed description

Features and exemplary embodiments of the various aspects of the present invention are described in detail below. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to those skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is provided only to give a better understanding of the present invention by showing examples of it. The present invention is by no means limited to any of the specific configurations and algorithms set out below, but covers any modification, substitution and improvement of elements, components and algorithms that does not depart from the spirit of the invention. In the drawings and the following description, well-known structures and techniques are not shown, so as to avoid unnecessarily obscuring the present invention.

FIG. 1 is a flowchart of a method for identifying network attack patterns in an embodiment of the present invention. As shown in FIG. 1, the method for identifying a network attack pattern in this embodiment includes steps 101 to 105.

In step 101, the log information of the business system under test and the network traffic forwarded by the low-interaction honeypot preset in the business system under test to the high-interaction honeypot are obtained.

The network attacks referred to in the embodiments of the present invention may be actual network attacks, or threats that may harm the network, such as suspected network attacks. The network contains at least one business system, and a low-interaction honeypot, such as a honeyd honeypot, can be emulated in each business system. Because a low-interaction honeypot consumes very few host resources, multiple low-interaction honeypots can be emulated in one business system; specifically, low-interaction honeypots presenting several different operating systems can be emulated, for example low-interaction honeypots that respectively present Windows, Linux, Solaris and other operating systems. A low-interaction honeypot can use an idle real IP (Internet Protocol) address within the network segment occupied by the business system. To make the virtual host emulated by the low-interaction honeypot more realistic, various services carrying security vulnerabilities can be emulated for it, so as to attract network attacks from intruders.
Because a low-interaction honeypot can only emulate simple fingerprint information of network connections and the banner information of various services, whereas a high-interaction honeypot can capture more, and more detailed, intrusion information from which attack features can be extracted, the low-interaction honeypot forwards the network traffic it receives to the high-interaction honeypot so that the various attack behaviors of intruders can be collected and analyzed. A high-interaction honeypot may also be called a physical honeypot. Specifically, policy routing combined with GRE (Generic Routing Encapsulation) tunneling can be used to make the IP address of the low-interaction honeypot the same as that of the high-interaction honeypot, so that the network traffic sent to the low-interaction honeypot is forwarded to the high-interaction honeypot.

The network traffic received by the low-interaction honeypot may include the operation information of unauthorized users. The business system under test can perform baseline modeling for the high-interaction honeypot, so that specific items of the system log information of the business under test can be obtained from the user baseline, port baseline, process baseline, service baseline, key files, network traffic baseline and so on. Specifically, the log information of the business system under test may include the log information of the high-interaction honeypot, and may also include the alarm logs of the network border security protection devices in the network where the business system under test is located.

In step 102, attack behavior features are obtained from the network traffic and the log information of the business system under test.

From the network traffic and the log information of the business system under test it can be determined whether the business system shows abnormal behavior such as accounts being added or deleted, ports, processes or services being started or behaving abnormally, key files being modified, and abnormal outbound connections. The log information of the business system under test contains the timestamps of the log entries; specifically, a data capture tool such as sebek can be used to collect the network traffic and the alarm logs of the network border security protection devices. Network border security protection devices may include firewalls, IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), WAF (Web Application Firewalls), traffic scrubbing devices and the like.

Attack behavior features can be obtained from the received network traffic (which can be inspected by the intrusion detection system snort and recorded by the sebek data capture tool) and from the log information of the business system under test. Specifically, one or more of a variety of attack behavior features can be obtained, such as excessive outbound traffic (EOT), excessive inbound traffic (EIT), login outside working hours (LI), firewall accept (FWA), firewall deny (FWD), intranet login (LOIN), multiple consecutive failed logins (MFL), at least one successful login (SL), a single source probing multiple target IPs (SSPMD), a single source probing multiple target IPs and ports (SSPMDP), new account creation (MU), file operations (MF), process operations (MP) and port operations (PP).

In step 103, it is judged whether the attack behavior features meet the preset normal-behavior conditions, and an attack behavior feature value set is obtained according to the judgment result.

A given attack behavior feature can take different values. For example, take the attack behavior feature "excessive outbound traffic": if the outbound traffic does not meet the preset normal-behavior condition, excessive outbound traffic is present and the value of this feature can be recorded as yes or 1; if the outbound traffic meets the preset normal-behavior condition, excessive outbound traffic is absent and the value can be recorded as no or 0. At least one attack behavior feature can be obtained from the above network traffic and log information of the business system under test, and from the obtained features an attack behavior feature value set composed of their values can be formed; the attack behavior feature value set includes the value of at least one attack behavior feature.
For example, suppose the attack behavior features are excessive outbound traffic, excessive inbound traffic, login outside working hours, firewall accept, firewall deny, intranet login, multiple consecutive failed logins, at least one successful login, a single source probing multiple target IPs, a single source probing multiple target IPs and ports, new account creation, file operations, process operations and port operations, and that excessive inbound traffic, intranet login, multiple consecutive failed logins and at least one successful login have occurred. The corresponding attack behavior feature value set is then {no, yes, no, no, no, yes, yes, yes, no, no, no, no, no, no} or {0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0}.

In step 104, the similarity between the attack behaviour feature value set and the feature value sets of the multiple known attack patterns is calculated.

Multiple feature value sets of known attack patterns may be preset in the network where the service system under test is located, each corresponding to one attack pattern. By computing the similarity between the attack behaviour feature value set and each known pattern's feature value set, the known pattern feature value set most similar to the attack behaviour feature value set is found, and the attack pattern corresponding to that most similar set is taken as the attack pattern of the attack behaviour feature value set.

The similarity may be computed using the Euclidean distance: the Euclidean distance between the attack behaviour feature value set and each of the known attack pattern feature value sets is calculated, and a smaller Euclidean distance indicates a higher similarity. Specifically, formula (1) below may be used to compute the Euclidean distance.

Here se is the Euclidean distance, i is a positive integer, n is the number of attack behaviour feature values in the attack behaviour feature value set, p_i is the i-th element of the feature value set of the unknown attack behaviour observed from a given IP address over a period of time, and q_i is the i-th element of the feature value set of the known attack pattern. Other similarity calculation methods are also applicable to the embodiments of the present invention and fall within their scope of protection.

In step 105, the attack pattern corresponding to the known attack pattern feature value set with the highest similarity to the attack behaviour feature value set is obtained, as the attack pattern of the attack behaviour feature value set.

If the Euclidean distance is used to express similarity, the attack pattern corresponding to the known attack pattern feature value set with the smallest Euclidean distance to the attack behaviour feature value set is obtained as the attack pattern of the attack behaviour feature value set.

For example, the feature value sets of the known attack patterns are shown in Table 1 and the attack behaviour feature value sets of unknown network attacks are shown in Table 2, where in both tables yes is written as Y and no as N. After similarity calculation, the attack pattern corresponding to attack behaviour feature value set 1 in Table 2 is possible brute-force login in Table 1, that of attack behaviour feature value set 2 is port scan, that of attack behaviour feature value set 3 is malware installation, and that of attack behaviour feature value set 4 is possible penetration attack. The attack patterns of the unknown network attacks are thus identified.
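The matching of steps 104 and 105, as an added example that is not part of the patent: it builds the 14-element feature value set in the order listed above, computes the Euclidean distance of formula (1) to every known pattern, and returns the closest one. Table 1 is not reproduced on this page, so the four known-pattern vectors below are constructed stand-ins for illustration and not the patent's values; only the four pattern names come from the text.

```python
# Added example: nearest known attack pattern by Euclidean distance (steps 104-105).
# The known-pattern vectors are constructed stand-ins for Table 1, which is not on the page.
from math import sqrt
from typing import Dict, List, Mapping, Sequence, Tuple, Union

# Feature order exactly as listed in the description (14 features).
FEATURES: List[str] = ["EOT", "EIT", "LI", "FWA", "FWD", "LOIN", "MFL", "SL",
                       "SSPMD", "SSPMDP", "MU", "MF", "MP", "PP"]

# Constructed stand-in for Table 1 (assumption, not the patent's table).
KNOWN_PATTERNS: Dict[str, List[int]] = {
    #                              EOT EIT LI FWA FWD LOIN MFL SL SSPMD SSPMDP MU MF MP PP
    "possible brute-force login":  [0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0],
    "port scan":                   [0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0],
    "malware installation":        [1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0],
    "possible penetration attack": [1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1],
}

_YES = {"yes", "y", "1", "true"}
_NO = {"no", "n", "0", "false"}


def from_flags(flags: Mapping[str, Union[str, int, bool]]) -> List[int]:
    """Build the feature value set from per-feature yes/no flags.

    Accepts yes/Y/1 and no/N/0 (case-insensitive). A feature that is not
    mentioned is treated as meeting its normal condition (0). Unknown feature
    names or unrecognised flag values are rejected rather than silently ignored.
    """
    unknown = set(flags) - set(FEATURES)
    if unknown:
        raise ValueError(f"unknown features: {sorted(unknown)}")
    vector: List[int] = []
    for name in FEATURES:
        raw = str(flags.get(name, 0)).strip().lower()
        if raw in _YES:
            vector.append(1)
        elif raw in _NO:
            vector.append(0)
        else:
            raise ValueError(f"bad flag {flags[name]!r} for {name}")
    return vector


def euclidean(p: Sequence[float], q: Sequence[float]) -> float:
    """Formula (1): se = sqrt(sum_i (p_i - q_i)^2), both sets of length n."""
    if len(p) != len(q):
        raise ValueError("feature value sets must have the same length")
    return sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def nearest_pattern(observed: Sequence[float],
                    patterns: Mapping[str, Sequence[float]] = KNOWN_PATTERNS
                    ) -> Tuple[str, float, List[Tuple[float, str]]]:
    """Return (pattern name, distance, full ranking) for the closest known pattern.

    A smaller distance means higher similarity (step 105). Ties are broken by
    pattern name because the page states no tie rule.
    """
    ranking = sorted((euclidean(observed, vec), name) for name, vec in patterns.items())
    distance, name = ranking[0]
    return name, distance, ranking


if __name__ == "__main__":
    # The example set from the description: EIT, LOIN, MFL and SL observed.
    observed = from_flags({"EIT": "Y", "LOIN": "Y", "MFL": "Y", "SL": "Y"})
    name, dist, ranking = nearest_pattern(observed)
    print(observed)
    print(f"nearest pattern: {name} (distance {dist:.3f})")
    for d, n in ranking:
        print(f"  {d:.3f}  {n}")
```

With 0/1 feature values the Euclidean distance is the square root of the number of differing features, so the matching is a Hamming nearest-neighbour search. Because the method always returns the closest pattern, an observation that is far from every known pattern still receives a label; the full ranking is returned so that a caller can apply a maximum-distance cut-off and route such cases to manual review instead.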

Table 1

Table 2

The network attack pattern identification method provided by the embodiments of the present invention extracts attack behaviour features from the log information and network traffic of the service system under test, determines whether those features meet the preset normal behaviour conditions, obtains the attack behaviour feature value set from the result, and determines the attack pattern of that set by computing its similarity to the feature value sets of multiple known attack patterns: the attack pattern corresponding to the known pattern feature value set with the highest similarity is taken as the attack pattern of the attack behaviour feature value set. For any network attack received by the service system under test, the closest attack pattern can therefore be found from the attack's behaviour features; the prior-art situation in which no matching attack pattern exists in the public cloud database does not arise, so unknown attack patterns can be identified, missed network attacks are avoided, and network security is improved.

FIG. 2 is a flowchart of a network attack pattern identification method in another embodiment of the present invention. Steps 101 to 105 in FIG. 2 are essentially the same as steps 101 to 105 in FIG. 1; the difference is that the method shown in FIG. 2 may further include steps 106 to 108.

In step 106, a corresponding security protection policy is generated according to the attack pattern of the attack behaviour feature value set.

Different security protection policies may be generated for different attack patterns. For example, a firewall policy may be generated. Policies issued to a firewall are generally temporary, such as blocking remote vulnerability scanning attacks, blocking password-guessing attacks, and blocking unauthorized remote management access. Since a source IP address does not change over a large range, briefly closing access from a given source IP address to a destination IP address has little impact on the service system under test. The specific format of a policy issued to the firewall may be Sip+Sport+Dip+Dport+(permit, deny), where Sip is the source IP address, Sport the source port, Dip the destination IP address, Dport the destination port, permit means communication is allowed and deny means it is not allowed.

As another example, an IDS policy may be generated. Policies issued to IDS devices are generally remote overflow attack protection policies. Once an attack in the network traffic has been identified, it is automatically associated with the CVE (Common Vulnerabilities and Exposures) vulnerability database; therefore, when an IDS security protection policy is delivered to an existing IDS device in the network, the CVE identifier of the exploited vulnerability is delivered together with it, and the IDS device invokes the corresponding security protection policy for protection. The specific format of a policy issued to an IDS device may be Sip+Sport+Dip+Dport+(vulnerability number), where Sip is the source IP address, Sport the source port, Dip the destination IP address and Dport the destination port.

As a further example, a traffic-scrubbing device policy may be generated. Policies issued to traffic-scrubbing devices are generally protection policies against DDoS (Distributed Denial of Service) volumetric attacks. Once a network attack in the traffic has been identified, its type is automatically distinguished, including syn-flood (denial of service attack), udp-flood (volumetric denial of service attack), ack-flood (ACK flood attack) and so on; therefore, when the policy is delivered to an existing traffic-scrubbing device in the network, the attack type is delivered together with it, and the scrubbing device invokes the corresponding security protection policy for protection. The specific format of a policy issued to a traffic-scrubbing device may be Sip+Sport+Dip+Dport+(attack type), where Sip is the source IP address, Sport the source port, Dip the destination IP address and Dport the destination port.
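The three policy formats of step 106, as an added example that is not the patent's own code: it validates the shared Sip/Sport/Dip/Dport tuple once and then emits the firewall, IDS and traffic-scrubbing records. Reading the "+" in the formats as a literal separator, the mapping from identified attack pattern to target device in POLICY_TARGET, the CVE placeholder CVE-0000-0000 used in the usage, and the documentation-range IP addresses are all assumptions made for the illustration.

```python
# Added example: build the device-specific policy records described in step 106.
# The "+"-separated layout reads the formats Sip+Sport+Dip+Dport+(...) literally; that
# reading and the mode-to-device mapping in POLICY_TARGET are assumptions, not the patent's.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
SCRUBBER_ATTACK_TYPES = {"syn-flood", "udp-flood", "ack-flood"}  # the types named in the text


@dataclass(frozen=True)
class Flow:
    """Source/destination tuple shared by all three policy formats."""
    sip: str
    sport: int
    dip: str
    dport: int

    def __post_init__(self) -> None:
        ipaddress.ip_address(self.sip)   # raises ValueError on a malformed address
        ipaddress.ip_address(self.dip)
        for port in (self.sport, self.dport):
            if not 0 <= int(port) <= 65535:
                raise ValueError(f"port out of range: {port}")

    def prefix(self) -> str:
        return f"{self.sip}+{self.sport}+{self.dip}+{self.dport}"


def firewall_policy(flow: Flow, action: str = "deny") -> str:
    """Sip+Sport+Dip+Dport+(permit,deny): temporary allow or block of one flow."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    return f"{flow.prefix()}+({action})"


def ids_policy(flow: Flow, cve_id: str) -> str:
    """Sip+Sport+Dip+Dport+(vulnerability number): the CVE id travels with the policy."""
    if not CVE_ID.fullmatch(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id}")
    return f"{flow.prefix()}+({cve_id})"


def scrubber_policy(flow: Flow, attack_type: str) -> str:
    """Sip+Sport+Dip+Dport+(attack type) for the traffic-scrubbing device."""
    if attack_type not in SCRUBBER_ATTACK_TYPES:
        raise ValueError(f"unsupported attack type: {attack_type}")
    return f"{flow.prefix()}+({attack_type})"


# Assumed mapping from identified attack pattern to the device the text pairs it with.
POLICY_TARGET = {
    "possible brute-force login": "firewall",   # password guessing: temporary firewall block
    "port scan": "firewall",                    # remote vulnerability scanning: firewall block
    "remote overflow attack": "ids",            # needs the CVE identifier
    "ddos": "scrubber",                         # needs the attack type
}


def policy_for(mode: str, flow: Flow, *, cve_id: Optional[str] = None,
               attack_type: Optional[str] = None) -> Tuple[str, str]:
    """Dispatch one identified attack mode to its (device, policy record) pair."""
    target = POLICY_TARGET.get(mode)
    if target == "firewall":
        return target, firewall_policy(flow, "deny")
    if target == "ids":
        if cve_id is None:
            raise ValueError("IDS policy requires the CVE identifier")
        return target, ids_policy(flow, cve_id)
    if target == "scrubber":
        if attack_type is None:
            raise ValueError("scrubber policy requires the attack type")
        return target, scrubber_policy(flow, attack_type)
    raise ValueError(f"no policy target for attack mode {mode!r}")


if __name__ == "__main__":
    # Constructed flow using documentation address ranges; CVE-0000-0000 is a placeholder.
    flow = Flow("192.0.2.10", 51000, "198.51.100.5", 22)
    print(policy_for("possible brute-force login", flow))
    print(policy_for("remote overflow attack", flow, cve_id="CVE-0000-0000"))
    print(policy_for("ddos", flow, attack_type="syn-flood"))
```

Validating the flow tuple before any record is built matters because these records are pushed to enforcement devices: a malformed or out-of-range value should fail at generation time rather than be rejected (or, worse, misinterpreted) by the firewall, IDS or scrubber that receives it.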

The network also contains some special-purpose security protection devices, such as the attack protection system deployed in front of the DNS (Domain Name System) and the WAF device deployed in front of the portal website; these can provide detailed attack behaviour features and receive security protection policy adjustment instructions from maintenance personnel.

In step 107, the generated security protection policy is delivered to the network border security protection devices.

Delivering the security protection policy to the network border security protection devices achieves defence in depth against unknown network attacks. Specifically, the generated policy may be delivered to the terminal device of the maintenance personnel in the form of a work order. The maintenance personnel's terminal device may also receive policy adjustment instructions entered by the maintenance personnel, so that the security protection policy can be adjusted.

In step 108, the generated security protection policy is shared within the network where the service system under test is located.

After the corresponding security protection policy has been generated, it may be shared within the network where the service system under test is located, so that other service systems in that network can also obtain it; this achieves multi-path blocking of network attacks and improves the network-wide attack early warning and protection capability. After step 106, only step 107 may be performed, only step 108 may be performed, or both step 107 and step 108 may be performed; when both are performed after step 106, their order of execution is not limited here.

FIG. 3 is a flowchart of a network attack pattern identification method in yet another embodiment of the present invention. Steps 101 to 105 in FIG. 3 are essentially the same as steps 101 to 105 in FIG. 1; the difference is that the method shown in FIG. 3 may further include steps 109 to 111.

In step 109, a virtual host is built using a low-interaction honeypot.

The IP address of the virtual host is the same as that of a real host in the service system under test. The vulnerabilities of the real host may be simulated in the virtual host, so that the virtual host has the same vulnerabilities as the real host. The TCP/IP (Transmission Control Protocol/Internet Protocol) fingerprint simulation and operating system fingerprint simulation functions of the low-interaction honeypot are used to ensure that the virtual host appears genuine.

In step 110, the vulnerability simulation code in the virtual host is rewritten to patch the vulnerabilities in the virtual host.

The vulnerability simulation code in the virtual host is rewritten to ensure that the virtual host, and the applications running on it, have had all vulnerabilities patched.

In step 111, the network traffic received by the service system under test is redirected to the patched virtual host.

Specifically, policy-based routing may be used to redirect the network traffic destined for the real host to the virtual host. Since that traffic may contain network attack traffic, this provides a "virtual patch" for the real host, effectively hiding its various vulnerabilities and improving the security of the service system. The "virtual patch" function also makes it possible to check whether a vulnerability has been patched appropriately, without endangering the network security of the real host.

It is worth noting that the embodiments of the present invention do not limit the order of execution between steps 109 to 111 and steps 101 to 105; FIG. 3 shows only one such order, and other feasible orders of execution between steps 109 to 111 and steps 101 to 105 also fall within the scope of protection of the embodiments of the present invention.

The content of step 103 in the above embodiments may be further detailed as steps 1031 to 1034.

In step 1031, it is determined whether the attack behaviour features meet the preset normal behaviour conditions.

The normal behaviour conditions are preset in the network where the service system under test is located; a normal behaviour condition is the criterion for deciding whether an attack behaviour feature may belong to a network attack.

In step 1032, the value of each attack behaviour feature that meets the preset normal behaviour condition is assigned the first value.

In step 1033, the value of each attack behaviour feature that does not meet the preset normal behaviour condition is assigned the second value.

The first value and the second value are different. They may be digits, letters, symbols or other characters, which is not limited here. If a calculation method with concrete numerical values, such as the Euclidean distance, is used to express similarity, the first and second values are preferably numbers, which makes the Euclidean distance easy to compute.

In step 1034, the attack behaviour feature values assigned the first value and/or those assigned the second value are combined into the attack behaviour feature value set.

If an attack behaviour feature meets the preset normal behaviour condition its value is assigned the first value, and if it does not its value is assigned the second value, which yields the attack behaviour feature value set. For example, let the attack behaviour features be excessive outbound traffic, excessive inbound traffic, non-working-hours login, firewall accept, firewall deny, intranet login, multiple consecutive failed logins, at least one successful login, a single source probing multiple target IPs, a single source probing multiple target IPs and ports, new account creation, file operations, process operations and port operations, in that order. Excessive inbound traffic, intranet login, multiple consecutive failed logins and at least one successful login all fail the preset normal behaviour conditions, while the remaining attack behaviour features meet them. With the first value set to 0 and the second value set to 1, the corresponding attack behaviour feature value set is {0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0}.

Before determining whether an attack feature meets the preset abnormal condition, the normal behaviour conditions may be set, and machine learning methods may be used to set them; setting the normal behaviour conditions may include steps 1035 to 1038.

In step 1035, the attack behaviour feature is sampled multiple times to obtain multiple attack behaviour feature sample values. Specifically, the attack behaviour feature may be sampled periodically over a period of time.

In step 1036, the mean and the standard error of the multiple attack behaviour feature sample values are calculated.

In step 1037, the product of the standard error and a preset correction parameter is calculated as the corrected standard error.

In step 1038, the range obtained by varying the mean by the corrected standard error is calculated as the normal behaviour condition.

For example, over a period of time such as 4 to 6 weeks, the attack features obtained from the log information of the service system under test are sampled, specifically by periodic sampling, to obtain multiple attack feature sample values. From these sample values the mean, standard deviation and standard error of the attack feature sample values can be calculated. To make the normal behaviour condition set later judge network attacks more accurately, a correction parameter is introduced, which may be calculated from a confidence level. The corrected standard error is obtained from the standard error and the correction parameter, and the normal behaviour condition is then obtained from the mean and the corrected standard error.

Excessive outbound traffic is taken as an example below. Outbound traffic is sampled N times over a period of time to obtain N outbound traffic sample values. Calculation according to formulas (2) to (4) below finally yields the baseline threshold range of outbound traffic, which is used as the normal behaviour condition.

Here x_k is the k-th of the N outbound traffic sample values, k is a positive integer, μ is the mean, σ is the standard deviation, s is the standard error, and N is a positive integer.

With the confidence level set to 95%, the correction parameter obtained from the confidence level is 1.96, and 1.96×s is the corrected standard error, so the baseline threshold range is (μ-1.96×s, μ+1.96×s]. That is, the normal behaviour condition corresponding to excessive outbound traffic is (μ-1.96×s, μ+1.96×s]: when the outbound traffic lies within (μ-1.96×s, μ+1.96×s], the value of the excessive outbound traffic feature is assigned the first value, and when it lies outside that range the value is assigned the second value.
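The baseline computation of steps 1035 to 1038 and the first/second value assignment of steps 1032 and 1033, as an added example that is not the patent's own code. Formulas (2) to (4) are not reproduced on this page, so the exact forms used here (population standard deviation for σ, and s = σ/√N for the standard error) are assumptions; the 1.96 correction parameter and the half-open interval (μ-1.96×s, μ+1.96×s] are as stated in the text. The ten sample values are constructed, not measured data.

```python
# Added example: baseline threshold range for a numeric feature (steps 1035-1038).
# Formulas (2)-(4) are not on the page; the definitions used here (population
# standard deviation, standard error = sigma / sqrt(N)) are assumptions.
from math import sqrt
from typing import Sequence, Tuple

CONFIDENCE_95_PARAM = 1.96  # correction parameter for a 95% confidence level, as in the text


def mean(samples: Sequence[float]) -> float:
    """mu: arithmetic mean of the N sample values x_k."""
    if not samples:
        raise ValueError("need at least one sample")
    return sum(samples) / len(samples)


def std_dev(samples: Sequence[float]) -> float:
    """sigma: population standard deviation (assumed form of the page's formula)."""
    mu = mean(samples)
    return sqrt(sum((x - mu) ** 2 for x in samples) / len(samples))


def std_error(samples: Sequence[float]) -> float:
    """s: standard error of the mean, sigma / sqrt(N) (assumed form of the page's formula)."""
    return std_dev(samples) / sqrt(len(samples))


def baseline_range(samples: Sequence[float],
                   z: float = CONFIDENCE_95_PARAM) -> Tuple[float, float]:
    """Step 1038: (mu - z*s, mu + z*s); the condition is the half-open interval (lo, hi]."""
    mu, s = mean(samples), std_error(samples)
    return mu - z * s, mu + z * s


def feature_value(observation: float, rng: Tuple[float, float],
                  first: int = 0, second: int = 1) -> int:
    """Steps 1032/1033: first value when inside (lo, hi], second value when outside."""
    lo, hi = rng
    return first if lo < observation <= hi else second


# Constructed sample: outbound traffic in MB over ten sampling periods (not real data).
OUTBOUND_SAMPLES = [120, 118, 125, 122, 119, 121, 124, 117, 123, 121]

if __name__ == "__main__":
    lo, hi = baseline_range(OUTBOUND_SAMPLES)
    print(f"mu={mean(OUTBOUND_SAMPLES):.2f} sigma={std_dev(OUTBOUND_SAMPLES):.3f} "
          f"s={std_error(OUTBOUND_SAMPLES):.3f} range=({lo:.3f}, {hi:.3f}]")
    for obs in (122, 118, 150):
        print(f"{obs} MB -> EOT value {feature_value(obs, (lo, hi))}")
```

Because s shrinks as 1/√N, the band tightens as more periods are sampled; a baseline built from a 4 to 6 week window should therefore be refreshed on the same cadence rather than reused indefinitely, otherwise ordinary growth in traffic will push normal observations outside the range.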

Some attack behaviour features have no specific numerical quantity, and their normal behaviour condition can be judged directly. For firewall accept, for instance, whether the firewall actually accepts the connection can be expressed by "yes" or "no" or other characters: if the firewall accepts, the value of firewall accept may be set to yes or 1, and if it does not accept, the value may be set to no or 0.

FIG. 4 is a schematic structural diagram of a network attack pattern identification apparatus provided by an embodiment of the present invention. The network attack pattern identification apparatus 200 shown in FIG. 4 includes a log acquisition module 201, a feature acquisition module 202, a set acquisition module 203, a calculation module 204 and an analysis module 205.

The log acquisition module 201 may be configured to acquire the log information of the service system under test and the network traffic forwarded by the low-interaction honeypot preset in the service system under test to the high-interaction honeypot.

The feature acquisition module 202 may be configured to obtain attack behaviour features from the network traffic and the log information of the service system under test.

The set acquisition module 205 is configured to determine whether the attack behaviour features meet the preset normal behaviour conditions and to obtain the attack behaviour feature value set from the result; the attack behaviour feature value set includes the value of at least one attack behaviour feature.

The calculation module 204 may be configured to calculate the similarity between the attack behaviour feature value set and the feature value sets of the multiple known attack patterns.

The analysis module 205 may be configured to obtain the attack pattern corresponding to the known attack pattern feature value set with the highest similarity to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.

The log information of the service system under test may include the log information of the high-interaction honeypot. It may also include both the log information of the high-interaction honeypot and the alarm logs of the network border security protection devices in the network where the service system under test is located. The IP address of the low-interaction honeypot is the same as the IP address of the high-interaction honeypot.

The network attack pattern identification apparatus 200 provided by the embodiments of the present invention extracts attack behaviour features from the log information and network traffic of the service system under test, determines whether those features meet the preset normal behaviour conditions, obtains the attack behaviour feature value set from the result, and determines the attack pattern of that set by computing its similarity to the feature value sets of multiple known attack patterns: the attack pattern corresponding to the known pattern feature value set with the highest similarity is taken as the attack pattern of the attack behaviour feature value set. For any network attack received by the service system under test, the closest attack pattern can therefore be found from the attack's behaviour features; the prior-art situation in which no matching attack pattern exists in the public cloud database does not arise, so unknown attack patterns can be identified, missed network attacks are avoided, and network security is improved.

FIG. 5 is a schematic structural diagram of a network attack pattern identification apparatus in another embodiment of the present invention. The log acquisition module 201, feature acquisition module 202, set acquisition module 203, calculation module 204 and analysis module 205 in FIG. 5 are essentially the same as those in FIG. 4; the difference is that the network attack pattern identification apparatus 200 shown in FIG. 5 further includes a policy generation module 206, a policy delivery module 207 and a policy sharing module 208.

The policy generation module 206 may be configured to generate a corresponding security protection policy according to the attack pattern of the attack behaviour feature value set.

The policy delivery module 207 may be configured to deliver the generated security protection policy to the network border security protection devices.

The policy sharing module 208 may be configured to share the generated security protection policy within the network where the service system under test is located.

In the embodiments of the present invention, the policy delivery module 207 delivers the security protection policy to the network border security protection devices to achieve defence in depth against unknown network attacks. The policy sharing module 208 may share the security protection policy within the network where the service system under test is located, so that other service systems in that network can also obtain the generated policy; this achieves multi-path blocking of network attacks and improves the network-wide attack early warning and protection capability. In the embodiments of the present invention, the network attack pattern identification apparatus 200 may include both the policy delivery module 207 and the policy sharing module 208, or only one of the two, which is not limited here.

FIG. 6 is a schematic structural diagram of a network attack pattern identification apparatus in yet another embodiment of the present invention. The log acquisition module 201, feature acquisition module 202, set acquisition module 203, calculation module 204 and analysis module 205 in FIG. 6 are essentially the same as those in FIG. 4; the difference is that the network attack pattern identification apparatus 200 shown in FIG. 6 further includes a virtual host construction module 209, a vulnerability patching module 210 and a traffic redirection module 211.

The virtual host construction module 209 may be configured to construct a virtual host using the low-interaction honeypot, where the Internet Protocol (IP) address of the virtual host is identical to the IP address of a real host in the business system under test.

The vulnerability patching module 210 may be configured to rewrite the vulnerability simulation code in the virtual host so as to patch the vulnerability in the virtual host.

The traffic import module 211 may be configured to import the network traffic received by the business system under test into the virtual host after the vulnerability has been patched.

This embodiment of the invention can implement a "virtual patch" function for the real host, effectively hiding various vulnerabilities and improving the security of the business system. Through the "virtual patch" function it is also possible to check whether a vulnerability patch is appropriate, without endangering the network security of the real host.

FIG. 7 is a schematic structural diagram of a network attack pattern identification apparatus in a further embodiment of the invention. The log acquisition module 201, feature acquisition module 202, set acquisition module 203, calculation module 204 and analysis module 205 in FIG. 7 are essentially the same as the log acquisition module 201, feature acquisition module 202, set acquisition module 203, calculation module 204 and analysis module 205 in FIG. 4. The difference is that the network attack pattern identification apparatus 200 shown in FIG. 7 further includes a condition setting module 212.

The condition setting module 212 may be configured to: collect the attack behaviour feature multiple times to obtain a plurality of collected feature values; calculate the mean and the standard error of those collected values; calculate the product of the standard error and a preset correction parameter as the corrected standard error; and take the range obtained by varying the mean by the corrected standard error (mean plus or minus the corrected standard error) as the normal behaviour condition.

It should be noted that the set acquisition module 203 in the above embodiments may specifically be configured to: judge whether each attack behaviour feature satisfies the preset normal behaviour condition; assign a first value to each attack behaviour feature that satisfies the preset normal behaviour condition; assign a second value to each attack behaviour feature that does not satisfy it; and combine the feature values assigned the first value and/or the second value into the attack behaviour feature value set.

The calculation module 204 in the above embodiments may specifically be configured to calculate the Euclidean distance between the attack behaviour feature value set and each of the known attack pattern feature value sets.

The analysis module 205 may specifically be configured to obtain the attack pattern corresponding to the known attack pattern feature value set with the smallest Euclidean distance from the attack behaviour feature value set, and take it as the attack pattern of the attack behaviour feature value set.
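The condition-setting, set-acquisition, calculation and analysis steps described above, worked through end to end in Python as an added example (this is not code from the patent). The feature names, baseline samples, correction parameter, the 0/1 encoding of the first and second value, and the known attack patterns are all constructed, and "standard error" is taken to be the standard error of the mean.

```python
import math
from statistics import mean, stdev

# Feature order shared by the observed set and every known pattern (constructed).
FEATURES = ("requests_per_min", "distinct_dst_ports", "failed_logins_per_min")

# Constructed baseline: repeated collections of each feature while the
# honeypot-fronted business system behaved normally (not real measurements).
BASELINE_SAMPLES = {
    "requests_per_min": [40, 44, 38, 42, 46, 41, 39, 43],
    "distinct_dst_ports": [3, 2, 4, 3, 3, 2, 4, 3],
    "failed_logins_per_min": [1, 0, 2, 1, 1, 0, 1, 2],
}
CORRECTION_K = 3.0                  # hypothetical preset correction parameter
FIRST_VALUE, SECOND_VALUE = 0, 1    # assumed encoding: normal / abnormal

# Hypothetical known attack patterns, already encoded over FEATURES.
KNOWN_PATTERNS = {
    "password brute force": [1, 0, 1],
    "port scan": [1, 1, 0],
    "slow credential guessing": [0, 0, 1],
}


def normal_condition(samples, k=CORRECTION_K):
    """Condition setting module: range mean +/- k * standard error.
    Standard error of the mean (sample stdev / sqrt(n)) is assumed."""
    n = len(samples)
    m = mean(samples)
    corrected_se = k * stdev(samples) / math.sqrt(n)
    return (m - corrected_se, m + corrected_se)


def feature_value_set(observed, baseline=BASELINE_SAMPLES, k=CORRECTION_K):
    """Set acquisition module: FIRST_VALUE when the observed feature lies
    inside its normal range, SECOND_VALUE otherwise, in FEATURES order."""
    values = []
    for name in FEATURES:
        lo, hi = normal_condition(baseline[name], k)
        values.append(FIRST_VALUE if lo <= observed[name] <= hi else SECOND_VALUE)
    return values


def euclidean(a, b):
    """Calculation module: Euclidean distance between two value sets."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def identify_attack_pattern(values, patterns=KNOWN_PATTERNS):
    """Analysis module: the known pattern at minimum Euclidean distance."""
    return min(((name, euclidean(values, vec)) for name, vec in patterns.items()),
               key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed observation merging honeypot traffic and log-derived features.
    observed = {"requests_per_min": 310, "distinct_dst_ports": 3,
                "failed_logins_per_min": 25}
    encoded = feature_value_set(observed)
    print(encoded, identify_attack_pattern(encoded))
```

With the constructed baseline the request rate and failed-login count fall outside their ranges while the port count does not, so the set encodes as [1, 0, 1] and matches the brute-force pattern at distance 0.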

It is to be understood that the invention is not limited to the specific configurations and processes described above and shown in the drawings. Also, for the sake of brevity, detailed descriptions of known methods and techniques are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method of the invention is not limited to the specific steps described and shown; those skilled in the art, having grasped the spirit of the invention, may make various changes, modifications and additions, or change the order of the steps.

The functional modules shown in the structural diagrams above may be implemented as hardware, software, firmware or a combination of these. When implemented in hardware, a module may be, for example, an electronic circuit, an application-specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. Programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transmit information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fibre-optic media, radio-frequency (RF) links and the like. Code segments may be downloaded via a computer network such as the Internet or an intranet.

Claims (20)

CN201611062203.9A, priority date 2016-11-23, filing date 2016-11-23: A method and device for identifying a network attack pattern. Status: Active. Granted as CN108092948B (en).

Priority Applications (1) / Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201611062203.9A (CN108092948B, en) | 2016-11-23 | 2016-11-23 | A method and device for identifying a network attack pattern

Publications (2)

Publication Number | Publication Date
CN108092948A (en) | 2018-05-29
CN108092948B (en) | 2021-04-02

Family

ID=62170221

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201611062203.9A (Active, CN108092948B, en) | A method and device for identifying a network attack pattern | 2016-11-23 | 2016-11-23

Country Status (1)

Country | Link
CN (1) | CN108092948B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
