CN103561003A - Cooperative type active defense method based on honeynets - Google Patents


Info

Publication number
CN103561003A
Authority
CN
China
Prior art keywords
subnet
attack
blacklist
injured
degree
Prior art date
Legal status
Pending
Application number
CN201310500442.8A
Other languages
Chinese (zh)
Inventor
陶敬
田决
马小博
李剑锋
韩婷
邹孙颖
胡文君
Current Assignee
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Priority date
Filing date
Publication date
Application filed by Xian Jiaotong University
Priority to CN201310500442.8A
Publication of CN103561003A
Legal status: Pending

Abstract

The invention relates to a cooperative active defense method based on honeynets. The method comprises the steps of data preprocessing, correlation degree analysis, threat degree analysis, fragility degree analysis and blacklist generation. It takes the attacker information captured by distributed honeynets deployed in different subnets as its data source and, following a cooperative defense approach, uses the correlation, threat and fragility analysis across subnets and attackers to perform a fusion analysis that finally predicts for each subnet a personalised list of the attackers most likely to attack it (a high-predictability blacklist). The method has a very high defense rate, a high hit rate, high timeliness and high predictability, and reaches a very low missed-defense rate and a very low false-defense rate. Because the attacker information is captured by honeynets, ordinary users do not need to report hostile attackers, so normal user communication is not affected and user privacy is not invaded.

Description

A cooperative active defense method based on honeynets
Technical field
The present invention relates to the field of computer network security, and in particular to a cooperative active defense method based on honeynets.
Background technology
With the development of the Internet, network security faces increasingly serious threats. Traditional passive defense methods based on behavioural signatures are no longer sufficient to protect a network. Intrusion detection models in practical use can process only one particular kind of audit data source, are costly to update and slow, so honeynet-based firewall technology is set to become a new, more automated and more efficient way of addressing network security threats.
A honeypot is a security resource whose value lies in being scanned, attacked and compromised. All traffic flowing into or out of a honeypot may indicate scanning, attack or compromise. A honeynet is a network architecture built to trap intruders: it comprises one or more honeypots, guarantees a high degree of control over the network, and provides a range of tools to facilitate the collection and analysis of attack information. A honeynet can effectively change the information asymmetry between the defender and the attack source. At present, high-interaction honeynets are used mainly for extracting, analysing and researching attack data: the data extracted by the honeynet are analysed largely by hand to derive the attack strategies, attack code and attack positions used by the attack source. Although this can ultimately serve defense, it is often delayed; it mainly embodies the research value of honeynets and is difficult to turn into a functional product.
To achieve active defense, a firewall, or a router with firewall functionality, is indispensable. The main function of firewall technology is to control unauthorised access to the protected network. By monitoring, restricting and modifying the data flow through the network it shields the topology of the internal network from the outside as far as possible, and on the other hand shields dangerous external sites from the inside, so as to guard against unauthorised access from outside to inside and from inside to outside.
At present, defending with a blacklist is the main defense policy of packet-filtering and stateful-inspection firewalls, and the protective effect depends on the method used to generate the blacklist from the attack information obtained from the honeynet or the user network. Under information fusion, the main blacklist generation methods are:
GWOL (Global Worst Offender List): the overall worst attack-source list. In the central computation server the attack sources encountered by all subnets are sorted by threat degree, and every subnet takes the first few entries of this single ordering as its blacklist.
LWOL (Local Worst Offender List): the local worst attack-source list. For each subnet, the attack sources it has encountered are sorted by threat degree according to its own attack situation, generating a specific blacklist for each subnet.
Each mechanism has advantages and disadvantages. GWOL defends every subnet against the most threatening attack sources, but some attack sources may be strongly targeted and attack only particular subnets; an attack source listed in a subnet's blacklist may then never attack that subnet, and such attack sources occupy the blacklist so that the attack sources that really should be defended against are not. LWOL makes up for this shortcoming of GWOL, but because it can enumerate a blacklist only from the subnet's own attack history, it cannot predict attacks and cannot defend actively.
Summary of the invention
To address the deficiencies of the prior art, the present invention proposes a cooperative defense method based on honeynets. It relies on honeynet technology, adopts a cooperative defense approach, can realise active defense at the network layer, and is mainly applicable to large enterprise networks.
To achieve the above object, the technical solution of the present invention is:
A blacklist generation method with high predictability, characterised in that it comprises the following steps:
Step 1: data preprocessing
The headers of the captured packets are parsed and an attack-attribute five-tuple is extracted from them; the five-tuple consists of the attack source IP, the victim subnet network address, the victim port, the attack duration and the accumulated packet size;
Step 2: correlation analysis
First, the attack relationship graph $G = (V, E)$ between attack sources and victim subnets is used to compute the incidence matrix W between victim subnets, where $V = \{v_1, v_2, \ldots, v_{10}\}$ is the set of nodes of the attack relationship graph, each representing a subnet, and E is the set of node pairs; the matrix element of W
Figure BDA0000400090200000021
represents the similarity degree of subnet vi and subnet vj, where mi is the number of times subnet vi was attacked, mj the number of times subnet vj was attacked, and mij the number of times vi and vj were attacked by the same attack source s;
Then the correlation degree between each attack source and each victim subnet is computed by the following formula:
$r_s = [(I - aW)^{-1} - I] \cdot b_s$
where $r_s$ is the correlation degree vector between attack source s and all victim subnets, $b_s$ is the boolean vector describing the attack relation between attack source s and the victim subnets, a is the attenuation coefficient, representing the feasibility of using a captured host of a victim subnet as a springboard for attacking other subnets, W is the incidence matrix and I is the identity matrix;
Step 3: threat degree analysis
The four-tuple of each attack source is centralised, standardised and weighted to obtain the threat degree of each attack source, where the four-tuple of an attack source consists of the number of victim subnets, the number of victim ports, the average attack time and the average accumulated packet size;
Step 4: fragility degree analysis
The four-tuple of each victim subnet is centralised, standardised and weighted to obtain the fragility degree of each victim subnet, where the four-tuple of a victim subnet consists of the number of attacking IPs, the number of victim ports, the average attack time and the average accumulated packet size;
Step 5: blacklist generation
For each victim subnet, a blacklist is generated by combining its correlation degree with each attack source, the threat degree of each attack source and the fragility degree of the subnet itself.
The present invention has the following beneficial effects:
1. A subnet can not only defend itself but also help the other subnets in the same enterprise network to defend, showing a predictability that traditional blacklist generation techniques lack.
2. By experiment, the IHPB blacklist generation method has the highest defense rate, hit rate and cooperative defense rate and the lowest collaborative miss rate, showing that it currently has the highest predictability.
3. It fully takes into account the differences and similarities between subnets, formulates a separate active defense policy for each subnet, reduces the blacklist length of subnets with high fragility degree, lowers the firewall load and improves network transmission efficiency.
4. The high-interaction honeynets are deployed in a distributed manner; the collected data are highly reliable and controllable, low-cost and require no user reporting, so normal user communication is not affected and user privacy cannot be leaked.
Accompanying drawing explanation
The present invention is best understood from the description below, taken together with the accompanying drawings, in which identical parts may be denoted by identical reference numerals.
Fig. 1 is the system deployment diagram of the present invention;
Fig. 2 is the data processing framework diagram of the present invention.
Embodiment
To make the object, technical solution and advantages of the present invention clearer, the invention is further elaborated below with reference to the accompanying drawings and exemplary embodiments. The exemplary embodiments described here serve only to explain the present invention and are not intended to limit its scope of application.
Unlike previous honeynet systems, the system of the present invention realises cooperative defense through information sharing between honeynets: the attack information of the honeynets deployed in the individual subnets is merged, the data are analysed, and a blacklist with high predictability is formulated for each subnet, which is then used directly for effective active defense.
As shown in Figure 1, the HCDF (honeynet-based collaborative defense framework) of the present invention has three modules: a data capture module, a data analysis module and a data control module.
The data capture module comprises honeypot hosts and honeywall servers; the data analysis module comprises the data center server; the data control module comprises firewalls, routers and the like. The whole enterprise network is divided into a plurality of subnets according to class C network segments, and a honeynet comprising 3 honeypot hosts and one honeywall server is deployed in each subnet. The honeywall server of each honeynet covertly forwards all attack traffic to the data center server. The data center analyses all the data automatically and, according to the formulated defense policy and the generated blacklists, modifies the packet-filtering policy of each firewall or issues alert notifications to the subnet users, finally achieving cooperative defense of all subnets.
As shown in Figure 2, to realise the data analysis function of the data center, the present invention builds on HPB (Highly Predictive Blacklisting) and, in combination with the data characteristics of the system of the present invention, proposes an improved high-predictability blacklist generation method, IHPB (Improved Highly Predictive Blacklisting). It fully takes into account the differences between subnets while also considering the high similarity of the user hosts within one subnet, and formulates a separate active defense policy for each subnet, giving higher predictability. The details are described below.
One. Data preprocessing
Because the honeywall restricts the outbound activity of the honeynet, any traffic in the honeynet can be regarded as attack data.
(1) The header information of raw packets is too fine-grained; generalising it into attack sequences reduces the data volume and improves processing efficiency. An attack is defined as follows: the moment at which any IP sends its first packet to a honeypot IP during the training time is taken as the start of an attack; if, between the same attacking host IP and the same honeypot IP, no data interaction takes place for longer than a set threshold after the previous attack moment, the moment of their last data interaction is taken as the end of that attack. The attack attributes extracted from the packet headers are the attack source IP, the victim subnet network address, the victim port, the attack duration and the accumulated packet size.
(2) In the correlation analysis the present invention generalises the data further and considers only the attack source IP and the victim subnet network address. This simplification is made because during training the present invention focuses on the correlation degree between an attack source and each subnet (i.e. the likelihood that the attack source attacks the subnet) and not on the concrete attack pattern.
(3) In the threat degree analysis the present invention merges the attributes of the same attack source across attack sequences; the revised attributes are the number of victim subnets, the number of victim ports, the average attack time and the average accumulated packet size.
(4) In the fragility degree analysis the present invention merges the attributes of the same victim subnet across attack sequences; the revised attributes are the number of attacking IPs, the number of victim ports, the average attack time and the average accumulated packet size.
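As an added illustration of step (1) (this code is not part of the patent), the following Python groups honeynet packet headers into attack sequences with the rule just described and emits the five-tuple, then reduces it to the attack-source/victim-subnet view used by step (2). The packets, subnet ranges, field names and the 60-second silence threshold are constructed for the example; the patent does not state a threshold value.

```python
"""Added example: packet headers -> attack sequences (the five-tuple of Section One)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

THRESHOLD = 60.0  # seconds of silence that closes an attack (assumed value)

# Constructed sample: each subnet is one class C segment, as in the text.
SUBNETS = {"v1": ip_network("10.1.1.0/24"), "v2": ip_network("10.1.2.0/24")}

# Constructed packet headers: (time_s, src_ip, honeypot_ip, dst_port, size_bytes)
PACKETS = [
    (0.0, "203.0.113.5", "10.1.1.10", 22, 100),
    (5.0, "198.51.100.7", "10.1.2.20", 445, 1200),
    (10.0, "203.0.113.5", "10.1.1.10", 22, 300),
    (20.0, "198.51.100.7", "10.1.2.20", 445, 800),
    (100.0, "203.0.113.5", "10.1.1.10", 22, 50),  # 90 s gap: opens a new attack
]


@dataclass
class Attack:
    """The five-tuple of Section One plus the start time used for ordering."""
    src_ip: str
    victim_subnet: str
    victim_port: int
    duration: float
    total_bytes: int
    start: float


def subnet_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "unknown"


def build_attacks(packets, threshold: float = THRESHOLD) -> List[Attack]:
    """Generalise packets into attack sequences.

    The first packet from an attacker IP to a honeypot IP opens an attack; a later
    packet of the same pair continues it unless more than `threshold` seconds have
    passed since the previous packet, in which case the previous packet's time closes
    the attack and this packet opens a new one.  This example also keys on the
    destination port so that every tuple carries a single victim port.
    """
    open_attacks: Dict[Tuple[str, str, int], Tuple[Attack, float]] = {}
    finished: List[Attack] = []
    for t, src, dst, port, size in sorted(packets):
        key = (src, dst, port)
        if key in open_attacks:
            atk, last = open_attacks[key]
            if t - last <= threshold:
                atk.duration = t - atk.start
                atk.total_bytes += size
                open_attacks[key] = (atk, t)
                continue
            finished.append(atk)  # silence exceeded the threshold: close it
        open_attacks[key] = (Attack(src, subnet_of(dst), port, 0.0, size, t), t)
    finished.extend(atk for atk, _ in open_attacks.values())
    return sorted(finished, key=lambda a: (a.src_ip, a.start))


def victim_sets(attacks: List[Attack]) -> Dict[str, set]:
    """The reduced view of step (2): attack source -> set of subnets it attacked."""
    out: Dict[str, set] = {}
    for a in attacks:
        out.setdefault(a.src_ip, set()).add(a.victim_subnet)
    return out
```

With the constructed packets, the source 203.0.113.5 yields two attacks (one of 10 s and 400 bytes, one of 0 s and 50 bytes after the 90 s gap) and 198.51.100.7 yields one attack of 15 s and 2000 bytes on subnet v2.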
Two. Correlation analysis
To illustrate how the final blacklist is produced during training, the subnets are numbered as victims $v_1, v_2, v_3, \ldots, v_k$. For ease of explanation the present invention assumes 10 subnets, i.e. $k = 10$. After one training period, data of the form of the following table are obtained:
Table 1 Attack situation example
      v1  v2  v3  v4  v5  v6  v7  v8  v9  v10
s1
s2
s3
s4
s5
s6
s7
s8
Table 1 is used as the sample below to describe the algorithm. If the cell where the row of si and the column of vi intersect carries the marker "◎", vi was attacked by si.
First, an undirected graph $G = (V, E)$ describes the similarity degree between the subnets, where $V = \{v_1, v_2, \ldots, v_{10}\}$ is the set of nodes, each representing a subnet, and E is the set of node pairs: every two nodes are joined by an edge, and the weight of the edge is the similarity degree of the two subnets it connects.
W is the adjacency matrix of similarity degrees between the subnets; its element $w_{ij}$ is the similarity degree of $v_i$ and $v_j$. Let $m_i$ be the number of times $v_i$ was attacked, $m_j$ the number of times $v_j$ was attacked, and $m_{ij}$ the number of times $v_i$ and $v_j$ were attacked by the same attack source s. The ratio $m_{ij}/m_i$ expresses how important $v_i$ is for $v_j$, and $m_{ij}/m_j$ how important $v_j$ is for $v_i$; thus
Figure BDA0000400090200000051
can be used to characterise the similarity degree of $v_i$ and $v_j$. Obviously $w_{ii} = 1$ for $i = 1, 2, \ldots, n$: the similarity degree of each subnet with itself is 1.
The following matrix is the W computed from the data of Table 1.
W =
  1.0000  0.4444  0       0       0.4444  0       0       0       0.1667  0
  0.4444  1.0000  0       0       0.1111  0       0       0.1667  0.1667  0
  0       0       1.0000  0.5000  0       0.2500  0.5000  0.2500  0       0.2500
  0       0       0.5000  1.0000  0       0       1.0000  0       0       0.5000
  0.4444  0.1111  0       0       1.0000  0       0       0       0.1667  0
  0       0       0.2500  0       0       1.0000  0       0.2500  0       0.2500
  0       0       0.5000  1.0000  0       0       1.0000  0       0       0.5000
  0       0.1667  0.2500  0       0       0.2500  0       1.0000  0       0
  0.1667  0.1667  0       0       0.1667  0       0       0       1.0000  0
  0       0       0.2500  0.5000  0       0.2500  0.5000  0       0       1.0000
Since what is finally wanted is the correlation degree between attack sources and subnets, now consider an attack source s. Let $b_s = \{b^s_1, b^s_2, \ldots, b^s_n\}$ record which subnets s attacked: $b^s_i = 1$ if $v_i$ was attacked by s, and $b^s_i = 0$ if it was not. The final result is characterised by $r_s = \{r^s_1, r^s_2, \ldots, r^s_n\}$, where $r^s_i$ gives the correlation degree of subnet i. Considering only the first level of propagation, $r_s$ is obtained by
$r_s = W \cdot b_s$
Adding one more level gives
$r_s = W \cdot b_s + W \cdot W \cdot b_s$
What should really be considered is propagation over infinitely many levels, but every additional level of the propagation process has a smaller effect on the final result, so an attenuation coefficient a = 0.5 is introduced, and the final result should be
$r_s = \sum_{i=1}^{\infty} (aW)^i \cdot b_s$
Because every element of W satisfies $0 \le W_{ij} < 1$, the final $r_s$ can be simplified to
$r_s = [(I - aW)^{-1} - I] \cdot b_s$
The correlation degrees between the attack sources and each subnet are computed below.
For each subnet, the attack sources are sorted by their correlation degree with it from largest to smallest (in the table, the number i denotes attack source si):
Table 2 Attack sources ordered by correlation degree with each subnet
v1  v2  v3  v4  v5  v6  v7  v8  v9  v10
2   2   4   4   6   4   4   4   2   4
6   6   5   5   2   5   5   5   6   5
3   8   7   7   8   7   7   7   8   7
8   3   1   1   3   1   1   1   3   1
1   1   2   2   1   2   2   2   1   2
5   5   6   6   5   6   6   6   5   6
4   4   8   8   4   8   8   8   4   8
7   7   3   3   7   3   3   3   7   3
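An added worked example of Section Two in Python (this is not the patent's own code): it builds W from an attack table, evaluates the closed form $r_s = [(I - aW)^{-1} - I] \cdot b_s$ with a pure-Python matrix inverse, and produces the per-subnet ordering of Table 2. The attack table is constructed and is not Table 1. The similarity formula for $w_{ij}$ is not reproduced on this page; the example assumes $w_{ij} = (m_{ij}/m_i)(m_{ij}/m_j)$, which yields exactly the values 4/9, 1/6, 1/9, 1/4, 1/2 and 1 that appear in the page's W. It also carries the layer-by-layer sum and a convergence check, because the closed form equals the infinite sum only when the spectral radius of aW is below 1.

```python
"""Added example: subnet similarity matrix W and correlation degree r_s (Section Two)."""
from typing import Dict, List, Sequence

# Constructed attack table: attack source -> indices of the subnets it attacked (v1 = 0).
SAMPLE_ATTACKS: Dict[str, Sequence[int]] = {
    "s1": (0, 1),  # s1 attacked v1 and v2
    "s2": (0,),    # s2 attacked v1 only
    "s3": (1, 2),  # s3 attacked v2 and v3
}
N_SUBNETS = 3


def similarity_matrix(attacks: Dict[str, Sequence[int]], n: int) -> List[List[float]]:
    """W with w_ij = (m_ij/m_i)*(m_ij/m_j); assumed formula, consistent with the page's W."""
    m = [0] * n                           # m_i: times subnet v_i was attacked
    joint = [[0] * n for _ in range(n)]   # m_ij: times v_i and v_j shared an attacker
    for hit in attacks.values():
        hit = sorted(set(hit))
        for i in hit:
            m[i] += 1
            for j in hit:
                joint[i][j] += 1
    W = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if m[i] and m[j]:
                W[i][j] = (joint[i][j] / m[i]) * (joint[i][j] / m[j])
        W[i][i] = 1.0  # w_ii = 1 by definition, also for a subnet never attacked
    return W


def attack_vector(attacks: Dict[str, Sequence[int]], source: str, n: int) -> List[float]:
    """b_s: 1 where attack source s hit subnet v_i, else 0."""
    return [1.0 if i in attacks[source] else 0.0 for i in range(n)]


def invert(M: List[List[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse with partial pivoting (pure Python, no numpy)."""
    n = len(M)
    A = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        if abs(A[p][c]) < 1e-12:
            raise ValueError("I - aW is singular; the closed form does not exist")
        A[c], A[p] = A[p], A[c]
        pivot = A[c][c]
        A[c] = [x / pivot for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0.0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def correlation_degree(W, b, a: float = 0.5) -> List[float]:
    """The page's closed form r_s = [(I - aW)^-1 - I] b_s with attenuation a."""
    n = len(W)
    M = [[(1.0 if i == j else 0.0) - a * W[i][j] for j in range(n)] for i in range(n)]
    K = invert(M)
    return [sum(K[i][j] * b[j] for j in range(n)) - b[i] for i in range(n)]


def correlation_degree_series(W, b, a: float = 0.5, layers: int = 50) -> List[float]:
    """The same quantity as the truncated sum of (aW)^i b_s over i = 1..layers."""
    n = len(W)
    term, total = list(b), [0.0] * n
    for _ in range(layers):
        term = [a * sum(W[i][j] * term[j] for j in range(n)) for i in range(n)]
        total = [t + x for t, x in zip(total, term)]
    return total


def series_converges(W, a: float = 0.5) -> bool:
    """Sufficient condition: if every row of aW sums to less than 1, the infinite sum converges."""
    return max(a * sum(row) for row in W) < 1.0


def rank_sources(attacks, n: int, a: float = 0.5) -> List[List[str]]:
    """Table 2: for each subnet, the attack sources ordered by correlation degree, largest first."""
    W = similarity_matrix(attacks, n)
    R = {s: correlation_degree(W, attack_vector(attacks, s, n), a) for s in attacks}
    return [sorted(attacks, key=lambda s: -R[s][i]) for i in range(n)]
```

For the two-subnet matrix W = [[1, 0.5], [0.5, 1]] and b = (1, 0) the closed form gives r = (5/3, 4/3), and the layer-by-layer sum approaches the same values because every row of aW sums to 0.75.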
Three. Attack-source threat degree analysis
From the data obtained in the central computation server, the threat degree of attack source s is reflected mainly by the breadth and depth of its attacks during the training time, comprising the following four factors:
1. the number of IPs I(s) attacked by s during the training time;
2. the number of ports P(s) attacked by s during the training time;
3. the mean B(s) of the total size of the packets s sent to each IP during the training time;
4. the mean T(s) of the total duration of s's attacks on each IP during the training time.
I(s) and P(s) reflect the breadth of the attacks and are called the breadth attributes; B(s) and T(s) reflect the depth of the attacks and are called the depth attributes.
Correlation degree vectors $r_s$ of the attack sources s1 to s8 from Section Two (entries for subnets v1 to v10):
$r_{s1} = \{0.3070, 0.1849, 0.3299, 0.2654, 0.1454, 0.2121, 0.2651, 0.1665, 0.1364, 0.2003\}$
$r_{s2} = \{0.6988, 0.5042, 0.0376, 0.0302, 0.4937, 0.0242, 0.0302, 0.1331, 0.3914, 0.0229\}$
$r_{s3} = \{0.4216, 0.2589, 0.0065, 0.0052, 0.2045, 0.0042, 0.0052, 0.0229, 0.1571, 0.0039\}$
$r_{s4} = \{0.0227, 0.0876, 5.0933, 7.0393, 0.0107, 1.6314, 7.0393, 0.9729, 0.0101, 4.9852\}$
$r_{s5} = \{0.0365, 0.1411, 1.7059, 2.1744, 0.0173, 0.7395, 2.1744, 0.5674, 0.0162, 1.6429\}$
$r_{s6} = \{0.5603, 0.4960, 0.0374, 0.0301, 0.5381, 0.0241, 0.0301, 0.1324, 0.2995, 0.0227\}$
$r_{s7} = \{0.0088, 0.0340, 1.4807, 1.9042, 0.0042, 0.5233, 1.9042, 0.3783, 0.0039, 1.3276\}$
$r_{s8} = \{0.4168, 0.4156, 0.0104, 0.0084, 0.3601, 0.0067, 0.0084, 0.0368, 0.2660, 0.0063\}$
The four attributes have different measurement forms, and their measured values can differ greatly in magnitude. A variable with a large absolute value would then swamp a variable with a small one, so that the latter's due effect is not reflected. To ensure that every variable has the same status in the analysis, the discrete variables can be centralised and standardised. The data transformation is applied to the measured value of each variable on each record; the transformation process is as follows:
1. Centralisation
Centralisation gives the measured values of the various variables the same base point, normally by subtracting the mean of the variable from each measured value. For the n values of attribute f the centralisation transform is
$X'_{if} = X_{if} - m_f, \quad i = 1, 2, \ldots, n$
where $X_{1f}, \ldots, X_{nf}$ are the n feature values of attribute f and $m_f$ is the mean of attribute f,
$m_f = \frac{1}{n} \sum_{i=1}^{n} X_{if}$
2. Standardisation
Standardisation is a further transform applied after centralisation that equalises the ranges of the variables. The standard-deviation method is adopted here:
$S_f = \sqrt{\frac{1}{n-1} \sum_{i=1}^{n} X'^2_{if}}$
and the standardised feature value is
$Z_{if} = \frac{X_{if} - m_f}{S_f}$
3. Weighted sum
Different weights are assigned to the four attributes according to the size of their contribution to the final result. For each element, every attribute value is multiplied by its weight and the products are summed to give the final result. Let the weights of I(s), B(s), P(s), T(s) be $\alpha_f$ (f = 1, 2, 3, 4).
The four attribute weights sum to one:
$1 = \sum_{f=1}^{4} \alpha_f$
The ratios between the $\alpha_f$ reflect the weight of each attribute in the threat degree; the weights of I(s) and B(s) are larger than those of P(s) and T(s). I(s) and B(s) reflect the breadth of the attacks, and P(s) and T(s) reflect the depth of the attacks.
The final result is
$F(s) = \sum_{f=1}^{4} \alpha_f Z_{if}$
where F(s) represents the threat degree of the attack source.
The data processing procedure is illustrated below by an example.
The following table gives the values of the 4 attributes for each of 8 attack sources.
Table 3 Attack source attribute values
                      S1     S2     S3     S4     S5     S6     S7     S8
Attribute 1: I(s)      6      5      3      4      4      6      3      2
Attribute 2: P(s)      3     10      4      1      3      2      5      8
Attribute 3: B(s)/kB  10000  50     1000   30     400    50     100    200
Attribute 4: T(s)/s    10     0      0      0      100    0      0      0
1. Centralisation
The means are $m_1 = 4.125$, $m_2 = 4.5$, $m_3 = 1478.75$, $m_4 = 13.75$, giving the following table:
Table 4 Centralisation result
          S1        S2        S3        S4        S5        S6        S7        S8
X'_i1     1.875     0.875    -1.125    -0.125    -0.125     1.875    -1.125    -2.125
X'_i2    -1.5       5.5      -0.5      -3.5      -1.5      -2.5       0.5       3.5
X'_i3  8521.25  -1428.75   -478.75  -1448.75  -1078.75  -1428.75  -1378.75  -1278.75
X'_i4    -3.75    -13.75    -13.75    -13.75     86.25    -13.75    -13.75    -13.75
2. Standardisation
The standardisation calculation gives $S_1 = 14.875$, $S_2 = 66$, $S_3 = 83722288$, $S_4 = 8587.5$.
3. Standardised feature values
After calculation the following table is obtained:
Table 5 Standardisation result
          S1        S2        S3        S4        S5        S6        S7        S8
Z_i1   1.28624   0.60025  -0.77174  -0.08575  -0.08575  1.286239  -0.77174  -1.45774
Z_i2  -0.48850  1.791182  -0.16284  -1.13984  -0.48850  -0.81417  0.162835  1.139843
Z_i3   2.46395  -0.41313  -0.13843  -0.41891  -0.31192  -0.41313  -0.39867  -0.36976
Z_i4  -0.10707  -0.39257  -0.39257  -0.39257  2.462492  -0.39257  -0.39257  -0.39257
4. Weighted sum
The present invention takes $\alpha_1 = 0.3$, $\alpha_2 = 0.3$, $\alpha_3 = 0.2$, $\alpha_4 = 0.2$; the threat degree coefficients obtained after summation are shown in the following table:
Table 6 Attack-source threat degree coefficient F
        s1      s2       s3       s4       s5      s6       s7       s8
Fi    1.0059  0.3359  -0.3841  -0.4579  0.2755  0.0206  -0.3971  -0.3988
Sorted by threat degree from largest to smallest, the 8 attack sources are S1, S2, S5, S6, S3, S7, S8, S4.
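The centralisation, standardisation and weighted sum, as an added Python example (not the patent's code) run on the page's Table 3 and, with the same function, on the subnet attributes of Table 7 from Section Four. Two details are taken from the worked numbers rather than from the formulas alone: the Z values of Table 5 equal X' divided by the sample standard deviation sqrt(S/(n - 1)), where S is the sum of squared deviations listed after Table 4; and the weights 0.3, 0.3, 0.2, 0.2 attach to I(s), B(s), P(s), T(s) in that order, which reproduces the F values of Table 6. The handling of a constant attribute (zero spread) is this example's own choice.

```python
"""Added example: threat degree F(s) (Section Three) and fragility degree V(v) (Section Four)."""
import math
from typing import Dict

ATTRS = ["I", "P", "B", "T"]

# Table 3 of the page: attribute values of attack sources s1..s8
# (I = IPs attacked, P = ports attacked, B = mean total bytes per IP in kB,
#  T = mean total attack duration per IP in s).
TABLE3: Dict[str, Dict[str, float]] = {
    "s1": {"I": 6, "P": 3, "B": 10000, "T": 10},
    "s2": {"I": 5, "P": 10, "B": 50, "T": 0},
    "s3": {"I": 3, "P": 4, "B": 1000, "T": 0},
    "s4": {"I": 4, "P": 1, "B": 30, "T": 0},
    "s5": {"I": 4, "P": 3, "B": 400, "T": 100},
    "s6": {"I": 6, "P": 2, "B": 50, "T": 0},
    "s7": {"I": 3, "P": 5, "B": 100, "T": 0},
    "s8": {"I": 2, "P": 8, "B": 200, "T": 0},
}

# Table 7 of the page: the same four attributes measured per victim subnet.
TABLE7: Dict[str, Dict[str, float]] = {
    "v1": {"I": 6, "P": 3, "B": 10000, "T": 10},
    "v2": {"I": 5, "P": 10, "B": 50, "T": 0},
    "v3": {"I": 3, "P": 4, "B": 1000, "T": 0},
    "v4": {"I": 4, "P": 1, "B": 30, "T": 0},
    "v5": {"I": 4, "P": 3, "B": 400, "T": 100},
    "v6": {"I": 6, "P": 2, "B": 50, "T": 0},
    "v7": {"I": 3, "P": 5, "B": 100, "T": 0},
    "v8": {"I": 2, "P": 8, "B": 200, "T": 0},
    "v9": {"I": 8, "P": 10, "B": 10000, "T": 100},
    "v10": {"I": 1, "P": 1, "B": 10, "T": 0},
}

# alpha_f: the page gives 0.3, 0.3, 0.2, 0.2 for I(s), B(s), P(s), T(s) in that order.
WEIGHTS = {"I": 0.3, "B": 0.3, "P": 0.2, "T": 0.2}


def centralize(table, attrs=ATTRS):
    """X'_if = X_if - m_f, with m_f the mean of attribute f over the n records."""
    n = len(table)
    means = {f: sum(row[f] for row in table.values()) / n for f in attrs}
    centred = {s: {f: row[f] - means[f] for f in attrs} for s, row in table.items()}
    return centred, means


def standardize(centred, attrs=ATTRS):
    """Z_if = X'_if / S_f with S_f = sqrt(sum_i X'_if^2 / (n - 1)), the sample standard deviation."""
    n = len(centred)
    sd = {}
    for f in attrs:
        ss = sum(row[f] ** 2 for row in centred.values())
        # A constant attribute has no spread; this example maps it to Z = 0 (its own choice).
        sd[f] = math.sqrt(ss / (n - 1)) if n > 1 and ss > 0 else 1.0
    z = {s: {f: row[f] / sd[f] for f in attrs} for s, row in centred.items()}
    return z, sd


def weighted_sum(z, weights, attrs=ATTRS):
    """F = sum_f alpha_f Z_if; the alpha_f must sum to 1 as the page requires."""
    if abs(sum(weights[f] for f in attrs) - 1.0) > 1e-9:
        raise ValueError("attribute weights must sum to 1")
    return {s: sum(weights[f] * row[f] for f in attrs) for s, row in z.items()}


def degree_coefficients(table, weights=WEIGHTS, attrs=ATTRS):
    """Threat degree F(s) for attack sources, or fragility degree V(v) for subnets."""
    centred, _ = centralize(table, attrs)
    z, _ = standardize(centred, attrs)
    return weighted_sum(z, weights, attrs)


def ranked(coeffs):
    """Names ordered from the largest coefficient to the smallest."""
    return sorted(coeffs, key=lambda k: -coeffs[k])
```

Run on Table 3 this reproduces Table 6 to four decimals and the ordering S1, S2, S5, S6, S3, S7, S8, S4. The page does not reproduce the values of Table 8, so for Table 7 only the end points are checked: v9 is the largest in every attribute and v10 the smallest, so they must rank first and last.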
Four. Victim-subnet fragility degree analysis
The fragility degree of a subnet can be determined from the intensity of the attacks it receives during the prediction time. If in the real environment the attack intensity differs between subnets, blacklists of different lengths can be enumerated for the individual subnets. The method for determining a subnet's attack intensity can follow the attack-source threat degree analysis above exactly; the factors considered are:
1. the number of IPs I(v) that attacked v during the training time;
2. the number of ports P(v) of v that were attacked during the training time;
3. the mean B(v) of the total size of the packets v received from each attack source during the training time;
4. the mean T(v) of the total duration for which v was attacked by each attack source during the training time.
Example subnet attribute values extracted from the central computation server are shown in Table 7; applying the same algorithm as in "attack-source threat degree analysis" above gives the final fragility degree coefficient of each subnet, shown in Table 8.
Table 7 Subnet attribute values
Subnet v               v1     v2     v3     v4     v5     v6     v7     v8     v9     v10
Attribute 1: I(v)       6      5      3      4      4      6      3      2      8      1
Attribute 2: P(v)       3     10      4      1      3      2      5      8     10      1
Attribute 3: B(v)/kB  10000   50    1000    30     400    50     100    200  10000    10
Attribute 4: T(v)/s    10      0      0      0     100     0      0      0     100     0
Table 8 Subnet fragility degree coefficient V
Figure BDA0000400090200000091
Five. Final blacklist generation
For each victim subnet, the blacklist is enumerated by combining its correlation degree with each attack source and the threat coefficient of the attack source itself. The steps are as follows:
(1) For each subnet, remove from its candidate list the attack hosts located inside the subnet itself, because the firewall cannot intercept packets originating inside the subnet. (These data are not worthless: they can be used to detect the health status of the hosts in the subnet and to notify those hosts in time.)
(2) For each subnet, sort the attack sources by their correlation degree with it from largest to smallest and take the first c·Ls, where Ls is called the ideal blacklist length and c the first truncation factor.
(3) Re-sort these first c·Ls attack sources taking their threat degree into account.
If the ordinal position of attack source s in subnet v is k(v, s), it is corrected by subtracting the threat degree coefficient:
$F(v, s) = k(v, s) - \alpha \times L_s \times F(s)$  (8)
In this formula F(s) is the threat degree of attack source s, F(v, s) the threat degree of attack source s with respect to subnet v, and α > 0 reflects the weight of the threat degree relative to the correlation degree in the final result and is called the threat weight coefficient. α can be determined from the centralisation parameter $m_f$: the larger $m_f$, the larger the threat degree, so the weight of the threat degree in the final result should be increased and α is correspondingly larger. In this example,
Figure BDA0000400090200000101
(retaining one decimal).
For each victim subnet, the attack sources are then sorted by the value of F(v, s) from smallest to largest.
(4) Use the subnet fragility degree to determine a different blacklist length L(v) for each subnet.
Given the ideal blacklist length $L_s$, let the shortest acceptable blacklist length be $L_{min}$, the longest acceptable blacklist length $L_{max}$, and the blacklist scaling factor δ (0 < δ < 1). So that the average blacklist length is $L_s$, the present invention can use the following formulas to determine the longest and shortest blacklist lengths:
$L_{max} = \mathrm{round}(L_s(1 + \delta))$
$L_{min} = \mathrm{round}(L_s(1 - \delta))$
where round(x) rounds x to the nearest integer. Let the maximum of the subnet fragility degree coefficient V be $V_{max}$ and its minimum $V_{min}$; the present invention can use min-max normalisation to obtain the fragility-dependent blacklist length L(v):
$L(v) = \mathrm{round}\left( (V(v) - V_{min}) \, \frac{L_{max} - L_{min}}{V_{max} - V_{min}} \right) + L_{min}$  (9)
Through this formula the present invention maps the fragility degree interval $[V_{min}, V_{max}]$ linearly onto the acceptable blacklist length interval $[L_{min}, L_{max}]$, so that subnets of different fragility degree are effectively distinguished: the higher the fragility degree, the longer the blacklist, and the lower the fragility degree, the shorter the blacklist.
In this example $L_s = 3$ and δ = 50%, so $L_{min} = \mathrm{round}(3 \times (1 - 50\%)) = 2$ and $L_{max} = \mathrm{round}(3 \times (1 + 50\%)) = 6$. Using the data of Table 8 in formula (9), the blacklist length of each subnet is as shown in Table 9.
Table 9 Subnet blacklist length L
v1  v2  v3  v4  v5  v6  v7  v8  v9  v10  Average length
2   2   2   1   3   2   2   2   5   1    2.2
The average blacklist length after normalisation is not much different from the ideal blacklist length $L_s$. As Table 9 shows, the average subnet blacklist length is 2.2, less than the ideal length 3. With the defense cost essentially unchanged, the false-defense rate is greatly reduced and the hit rate improved.
In this example the ideal blacklist length $L_s$ is 3 and the first truncation factor c is 2. For subnet v1, the 6 attack sources with the largest correlation degree are chosen first, namely S2, S6, S3, S8, S1, S5; then, taking into account by formula (8) the threat degree of these 6 attack sources, the order from smallest to largest is S2, S1, S5, S4, S3, S8; the first 2, S2 and S1, are taken. For subnet v9, the 6 attack sources with the largest correlation degree are S2, S6, S8, S3, S1, S5; after taking their threat degree into account the order from smallest to largest is S5, S3, S8, S1, S6, S2; the first 5, S5, S3, S8, S1, S6, are taken.
Six. Definition of the evaluation indices
Defense count is defined as: the number of attack events successfully defended by the whole network within the observation time.
Defense rate is defined as: the ratio of the number of attack events successfully defended by the whole network to the total number of attack events within the test time.
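The five-step blacklist generation of Section Five as an added Python example (not the patent's code). All inputs (correlation degrees, threat coefficients F(s), fragility coefficients V(v) and the host-to-subnet mapping used in step (1)) are constructed, and α = 0.5 is an assumed value, since the page does not reproduce its α. round(x) is implemented as round-half-up, and the case $V_{max} = V_{min}$, which formula (9) does not cover, falls back to the ideal length; both are the example's own choices.

```python
"""Added example: steps (1)-(4) of Section Five on constructed inputs."""
import math
from typing import Dict, List

# Constructed inputs (not the page's data).
CORRELATION: Dict[str, Dict[str, float]] = {  # {subnet: {attack source: correlation degree}}
    "v1": {"s1": 0.9, "s2": 0.8, "s3": 0.7, "s4": 0.2, "s5": 0.1},
    "v2": {"s1": 0.1, "s2": 0.9, "s3": 0.3, "s4": 0.6, "s5": 0.5},
    "v3": {"s1": 0.5, "s2": 0.4, "s3": 0.3, "s4": 0.2, "s5": 0.1},
}
THREAT = {"s1": -0.5, "s2": 0.2, "s3": 1.0, "s4": 0.8, "s5": 0.0}  # F(s), constructed
FRAGILITY = {"v1": 0.0, "v2": 1.0, "v3": 0.5}                       # V(v), constructed
HOME_SUBNET = {"s3": "v1"}  # attack hosts known to sit inside a subnet (for step (1))
LS, C, DELTA = 4, 2, 0.5    # ideal length Ls, first truncation factor c, scaling factor delta
ALPHA = 0.5                 # threat weight coefficient: assumed, the page's value is not reproduced


def round_half_up(x: float) -> int:
    """The page's round(x); half-up rather than Python's half-to-even (example's choice)."""
    return int(math.floor(x + 0.5))


def blacklist_lengths(V: Dict[str, float], ls: int = LS, delta: float = DELTA) -> Dict[str, int]:
    """Step (4): L(v) maps [Vmin, Vmax] linearly onto [Lmin, Lmax], formula (9)."""
    lmax = round_half_up(ls * (1 + delta))
    lmin = round_half_up(ls * (1 - delta))
    vmin, vmax = min(V.values()), max(V.values())
    if vmax == vmin:  # formula (9) would divide by zero; fall back to the ideal length
        return {v: ls for v in V}
    return {v: round_half_up((V[v] - vmin) * (lmax - lmin) / (vmax - vmin)) + lmin for v in V}


def blacklist_for(subnet: str, corr: Dict[str, float], F: Dict[str, float], length: int,
                  ls: int = LS, c: int = C, alpha: float = ALPHA,
                  home: Dict[str, str] = HOME_SUBNET) -> List[str]:
    """Steps (1)-(3) for one subnet, then cut to its own length."""
    # (1) drop attack hosts inside this subnet: the firewall cannot filter internal packets
    candidates = [s for s in corr if home.get(s) != subnet]
    # (2) order by correlation degree, largest first, and keep the first c*Ls
    candidates.sort(key=lambda s: -corr[s])
    shortlist = candidates[: c * ls]
    # (3) F(v,s) = k(v,s) - alpha*Ls*F(s), k being the 1-based rank from (2); re-sort ascending
    score = {s: (k + 1) - alpha * ls * F[s] for k, s in enumerate(shortlist)}
    shortlist.sort(key=lambda s: score[s])
    return shortlist[:length]


def generate_blacklists(corr=CORRELATION, F=THREAT, V=FRAGILITY, ls: int = LS, c: int = C,
                        delta: float = DELTA, alpha: float = ALPHA,
                        home: Dict[str, str] = HOME_SUBNET) -> Dict[str, List[str]]:
    """One blacklist per victim subnet, with fragility-dependent length."""
    lengths = blacklist_lengths(V, ls, delta)
    return {v: blacklist_for(v, corr[v], F, lengths[v], ls, c, alpha, home) for v in corr}
```

With these inputs Lmin = 2 and Lmax = 6, the three subnets get lengths 2, 6 and 4 (average 4, equal to Ls), and for v1 the internal host s3 is dropped before ranking, after which the threat correction moves s4 ahead of the higher-correlated s1 and s2.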
Figure BDA0000400090200000111
Hit rate is defined as: the ratio of the part of all blacklists that took effect within the test time to the whole blacklist.
Figure BDA0000400090200000112
Cooperative defense rate is defined as: the number of attacks within the test time that can be defended cooperatively but not autonomously, as a ratio of the total number of attack events. With I denoting the attacks successfully defended by IHPB, L the attacks successfully defended by LWOL, and |·| the cardinality of a set:
Collaborative miss rate is defined as: the number of attacks within the test time that can be defended autonomously but not cooperatively, as a ratio of the total number of attack events. That is:
Figure BDA0000400090200000114
The present invention was verified experimentally on approximately 200,000 preprocessed attack records collected by the high-interaction honeynet of the Key Laboratory of Intelligent Networks and Network Security of the Ministry of Education at Xi'an Jiaotong University on the CERNET northwest backbone: in most cases, compared with several existing blacklist defense methods, the IHPB blacklist generation method of the present invention has a higher defense rate, hit rate and cooperative defense rate and a lower collaborative miss rate. A subnet can not only defend itself but also help the other subnets in the same enterprise network to defend, showing very high predictability.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (5)

1. A blacklist generation method with high predictability, characterized in that it comprises the following steps:
Step 1: data preprocessing
Parse the headers of the captured packets and extract from them the attack attribute five-tuple, where the attack attribute five-tuple is: attack source IP, network address of the victim subnet, victim port, attack duration and accumulated packet size;
Step 2: correlation analysis
First, from the attack relationship graph G = (V, E) between attack sources and victim subnets, calculate the incidence matrix W between the victim subnets, where V = {v1, v2, ..., vk}, each node in the attack relationship graph represents one subnet, k is the number of victim subnets, and E is the set of node pairs; the matrix element W_ij (its formula is given only as an image in the original)
represents the similarity degree of subnet vi and subnet vj, where mi is the number of times subnet vi is attacked, mj is the number of times subnet vj is attacked, and mij is the number of times vi and vj are attacked by the same attack source s;
Then calculate the correlation degree of each attack source with each victim subnet, using the following formula:
r_s = [(I - aW)^(-1) - I] · b_s
where r_s is the correlation degree vector of attack source s with all victim subnets, b_s is the boolean vector describing the attack relation between attack source s and the victim subnets, a is the attenuation coefficient, representing the feasibility that a compromised host in a victim subnet is used as a springboard to attack other subnets, W is the incidence matrix and I is the identity matrix;
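The correlation degree formula of step 2, carried through in code as an added example (this is not code from the patent). The matrix W, the vector b_s and the coefficient a are constructed inputs; the patent's formula for the elements W_ij is an image on the page and is not reproduced, so W is taken as a given symmetric matrix. Since [(I - aW)^(-1) - I]·b_s equals (I - aW)^(-1)·b_s - b_s, the code solves the linear system (I - aW)x = b_s with a small pure-Python Gauss-Jordan routine instead of forming the inverse.

```python
"""Correlation degree r_s = [(I - aW)^-1 - I] . b_s  (step 2 of claim 1).

Added example, not the patent's code. W, b_s and a are constructed; the
patent's formula for the elements W_ij is an image on the page and is not
reproduced here, so W is taken as a given symmetric matrix.
"""
from typing import List

Matrix = List[List[float]]
Vector = List[float]


def solve(A: Matrix, b: Vector) -> Vector:
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]       # augmented matrix [A | b]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            raise ValueError("(I - aW) is singular; choose a smaller attenuation coefficient a")
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for j in range(col, n + 1):
                    M[r][j] -= f * M[col][j]
    return [M[i][n] / M[i][i] for i in range(n)]


def correlation_degree(W: Matrix, b_s: Vector, a: float) -> Vector:
    """[(I - aW)^-1 - I] b_s == (I - aW)^-1 b_s - b_s, so solve (I - aW) x = b_s
    and subtract b_s instead of forming the inverse explicitly."""
    n = len(W)
    A = [[(1.0 if i == j else 0.0) - a * W[i][j] for j in range(n)] for i in range(n)]
    x = solve(A, b_s)
    return [x[i] - b_s[i] for i in range(n)]


# Constructed data: three victim subnets v1, v2, v3.  W[i][j] is the similarity
# of subnets vi and vj (zero diagonal); b_s records that source s attacked only v1.
W_SAMPLE: Matrix = [[0.0, 0.5, 0.0],
                    [0.5, 0.0, 0.2],
                    [0.0, 0.2, 0.0]]
B_S_SAMPLE: Vector = [1.0, 0.0, 0.0]
A_SAMPLE = 0.5


def example() -> Vector:
    """r_s for the constructed data: v2 and v3 obtain a non-zero correlation with s
    although s never attacked them, propagated through their similarity to v1."""
    return correlation_degree(W_SAMPLE, B_S_SAMPLE, A_SAMPLE)


if __name__ == "__main__":
    print([round(x, 4) for x in example()])
```

The non-zero entries of r_s for subnets whose b_s entry is 0 are the point of the step: a subnet that has not yet seen source s is warned through its similarity to subnets that have. Solving the system also exposes the one parameter check that matters here: (I - aW) must be invertible, and the series view (I - aW)^(-1) = Σ (aW)^n only converges when the attenuation coefficient a keeps the spectral radius of aW below 1.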
Step 3: threat degree analysis
Centre, standardize and weight the four-tuple of each attack source to obtain the threat degree of each attack source, where the four-tuple of an attack source is: number of victim subnets, number of victim ports, average attack time and average accumulated packet size;
Step 4: fragility degree analysis
Centre, standardize and weight the four-tuple of each victim subnet to obtain the fragility degree of each victim subnet, where the four-tuple of a victim subnet is: number of attacking IPs, number of victim ports, average attack time and average accumulated packet size;
Step 5: blacklist generation
For each victim subnet, generate its blacklist by combining its correlation degree with each attack source, the threat degree of the attack sources and the fragility degree of the subnet itself.
2. The method according to claim 1, wherein step 5 specifically comprises:
For each subnet, remove from its candidate list the attack hosts located inside that subnet;
For each subnet, sort the attack sources by their correlation degree with the subnet in descending order and take the first c*Ls attack sources, where Ls is called the ideal blacklist length and c is the first intercepting factor;
Re-sort these first c*Ls attack sources taking their threat degree into account;
Use the subnet fragility degree to determine a separate blacklist length L(v) for each subnet v;
Finally, for each subnet v, select the first L(v) of the re-sorted attack sources corresponding to that subnet according to the blacklist length L(v), thereby generating the blacklist of that subnet.
3. The method according to claim 2, wherein the re-sorting step specifically comprises:
If the ordinal number of attack source s in subnet v is k(v, s), the ordinal number is revised by the following formula:
F(v, s) = k(v, s) - α × Ls × F(s)
where F(v, s) represents the threat degree of attack source s to subnet v, F(s) represents the threat degree of attack source s, and α > 0 is called the threat weight coefficient, which reflects the weight of the threat degree relative to the correlation degree in the final result;
For each victim subnet, the attack sources are re-sorted in ascending order of the value of F(v, s).
4. The method according to claim 2, wherein the step of using the subnet fragility degree to determine a separate blacklist length L(v) for each subnet v specifically comprises:
Using min-max normalization to set a blacklist length related to the fragility degree:
L(v) = round((V(v) - Vmin) × (Lmax - Lmin) / (Vmax - Vmin)) + Lmin   (9)
In formula (9), round(x) rounds x to the nearest integer, Vmax is the maximum of the subnet fragility degree coefficient V, Vmin is the minimum of the subnet fragility degree coefficient V, Lmin is the shortest acceptable blacklist length and Lmax is the longest acceptable blacklist length.
5. The method according to claim 4, wherein the longest and the shortest blacklist length are determined by the following formulas:
Lmax = round(L(1+δ))
Lmin = round(L(1-δ))
where δ is the blacklist contraction-expansion factor, 0 < δ < 1.
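Step 5 as a whole, i.e. claims 2 to 5 and the worked example with Ls = 3 and c = 2 given in the description, as an added example (not the patent's code). The correlation degrees, threat degrees and fragility degrees are constructed values chosen so that the correlation ordering of subnets v1 and v9 matches the description (S2, S6, S3, S8, S1, S5 and S2, S6, S8, S3, S1, S5); α, δ and the internal-host sets are assumptions, since the claims name these parameters without fixing them.

```python
"""Blacklist generation for each subnet (claims 2 to 5).

Added example, not the patent's code. The correlation degrees, threat
degrees, fragility degrees and the parameters Ls, c, alpha and delta below
are constructed; the claims name the parameters but fix no values.
"""
from typing import Dict, List, Set


def blacklist_lengths(V: Dict[str, float], Ls: int, delta: float) -> Dict[str, int]:
    """Claims 4 and 5: Lmax = round(Ls(1+delta)), Lmin = round(Ls(1-delta)),
    then min-max scale each subnet's fragility degree V(v) onto [Lmin, Lmax].
    Python's round() rounds half to even; the sample values avoid .5 ties."""
    Lmax = round(Ls * (1 + delta))
    Lmin = round(Ls * (1 - delta))
    Vmax, Vmin = max(V.values()), min(V.values())
    lengths = {}
    for v, val in V.items():
        if Vmax == Vmin:                       # all subnets equally fragile: no spread to scale
            lengths[v] = Lmin
        else:
            lengths[v] = round((val - Vmin) * (Lmax - Lmin) / (Vmax - Vmin)) + Lmin
    return lengths


def blacklist_for_subnet(v: str, corr: Dict[str, float], threat: Dict[str, float],
                         internal: Set[str], Ls: int, c: int, alpha: float, Lv: int) -> List[str]:
    """Claims 2 and 3 for subnet v.
    corr[s]   : correlation degree r_s[v] of attack source s with this subnet (step 2)
    threat[s] : threat degree F(s) of attack source s (step 3)
    internal  : attack sources that are hosts inside subnet v (dropped first)
    Lv        : this subnet's blacklist length L(v) from blacklist_lengths()"""
    # 1. remove attack hosts located inside the subnet itself
    candidates = [s for s in corr if s not in internal]
    # 2. descending correlation degree, keep the first c*Ls
    candidates.sort(key=lambda s: corr[s], reverse=True)
    shortlist = candidates[: c * Ls]
    # 3. k(v,s) is the 1-based position in the shortlist;
    #    F(v,s) = k(v,s) - alpha*Ls*F(s), then ascending order of F(v,s)
    score = {s: (k + 1) - alpha * Ls * threat[s] for k, s in enumerate(shortlist)}
    shortlist.sort(key=lambda s: score[s])
    # 4. truncate to L(v)
    return shortlist[:Lv]


# Constructed sample data: eight attack sources S1..S8, subnets v1, v3 and v9.
CORR = {
    "v1": {"S1": 0.50, "S2": 0.95, "S3": 0.70, "S4": 0.20, "S5": 0.45, "S6": 0.80, "S7": 0.10, "S8": 0.60},
    "v9": {"S1": 0.40, "S2": 0.90, "S3": 0.55, "S4": 0.15, "S5": 0.30, "S6": 0.85, "S7": 0.05, "S8": 0.65},
}
THREAT = {"S1": 2.0, "S2": 0.9, "S3": 0.2, "S4": 0.4, "S5": 1.0, "S6": 0.1, "S7": 0.0, "S8": 0.3}
FRAGILITY = {"v1": 0.2, "v3": 0.5, "v9": 0.8}
INTERNAL = {"v1": {"S7"}, "v9": {"S4"}}       # assumed: S7 sits inside v1, S4 inside v9


def demo(Ls: int = 3, c: int = 2, alpha: float = 0.5, delta: float = 0.4) -> Dict[str, List[str]]:
    """Run the whole of step 5 for every subnet that has correlation data."""
    lengths = blacklist_lengths(FRAGILITY, Ls, delta)
    return {v: blacklist_for_subnet(v, CORR[v], THREAT, INTERNAL.get(v, set()), Ls, c, alpha, lengths[v])
            for v in CORR}


if __name__ == "__main__":
    for v, bl in demo().items():
        print(v, bl)
```

With δ = 0.4 the acceptable lengths are Lmin = 2 and Lmax = 4, so the least fragile subnet v1 receives a two-entry blacklist and the most fragile v9 a four-entry one; the re-ranking by F(v, s) lets the high-threat source S1 overtake sources that correlate more strongly with the subnet, which is the trade-off the threat weight coefficient α controls.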
CN201310500442.8A 2013-10-22 2013-10-22 Cooperative type active defense method based on honeynets Pending CN103561003A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310500442.8A CN103561003A (en) 2013-10-22 2013-10-22 Cooperative type active defense method based on honeynets

Publications (1)

Publication Number Publication Date
CN103561003A true CN103561003A (en) 2014-02-05

Family

ID=50015153

Country Status (1)

Country Link
CN (1) CN103561003A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557394A (en) * 2009-04-10 2009-10-14 无锡智高志科技有限公司 Method for controlling data in active defense system of Honeynet
CN101741570A (en) * 2008-11-14 2010-06-16 电子科技大学 Method for controlling reverse data connection based on honeynet

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
XIAOBO MA ETC.: "Honeynet-based Collaborative Defense using Improved Highly Predictive Blacklisting Algorithm", 《IEEE PROCEEDINGS OF THE 8TH WORLD CONGRESS ON INTELLIGENT CONTROL AND AUTOMATION JULY 6-9 2010, JINAN, CHINA》, 31 July 2010 (2010-07-31) *
陶敬等: "基于资源可用性的主机异常检测", 《电子科技大学学报》, vol. 36, no. 6, 31 December 2007 (2007-12-31) *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486320A (en) * 2014-12-10 2015-04-01 国家电网公司 Intranet sensitive information disclosure evidence collection system and method based on honeynet technology
CN104486320B (en) * 2014-12-10 2018-10-26 国家电网公司 Intranet sensitive information leakage evidence-obtaining system and method based on sweet network technology
CN104935580B (en) * 2015-05-11 2018-09-11 国家电网公司 Information security control method based on cloud platform and system
CN105844154A (en) * 2016-03-19 2016-08-10 浙江大学 Internal honeypot based malicious program detection method
CN105844154B (en) * 2016-03-19 2018-09-07 浙江大学 A kind of rogue program detection method based on internal honey jar
CN109600365A (en) * 2018-12-04 2019-04-09 沈阳安信合科技有限公司 Gene similitude intrusion detection method based on electric power networks IEC specification
CN113127924A (en) * 2019-12-30 2021-07-16 财团法人工业技术研究院 Data anonymization method and data anonymization system
CN113794699B (en) * 2021-08-30 2022-06-07 西安交通大学 Network analysis processing method
CN115208601A (en) * 2021-09-18 2022-10-18 上海漫道科技有限公司 Method and system for actively defending malicious scanning
CN114285620A (en) * 2021-12-20 2022-04-05 北京安天网络安全技术有限公司 Network threat monitoring method and device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140205