CN103944912A - Method for preventing various newly-developing and unknown aggressive behaviors in network - Google Patents

Info

Publication number: CN103944912A
Authority: CN (China)
Prior art keywords: message, network, control model, network control, tuple
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN201410172952.1A
Other languages: Chinese (zh)
Other versions: CN103944912B (en)
Inventors: 白晓帆, 白恩健
Current assignee: Donghua University
Original assignee: Donghua University
Priority date: 2014-04-28 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2014-04-28
Publication date: 2014-07-23
Application filed by Donghua University
Priority to CN201410172952.1A
Publication of CN103944912A
Application granted
Publication of CN103944912B
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for preventing various newly-developing and unknown aggressive behaviors in a network. The method is characterized by the following steps: 1, establishing a network control model; 2, using the network control model to learn the normal service flows in the network and establishing the service-flow white environment (whitelist) of the network control model; 3, filtering network traffic by means of the established service-flow white environment of the network control model. The method has the advantage of being able to prevent various newly-developing and unknown aggressive behaviors that cannot be prevented by firewalls and intrusion detection technology, ensuring the normal operation of the information system and the security of the normal service flows in the network, and preventing leakage of core data.

Description

Method for guarding a network against various emerging and unknown attack behaviors
Technical field
The present invention relates to a method of guarding against various unknown attack behaviors and emerging attacks by filtering network traffic.
Background technology
With the rapid development of computer and network technology, attacks emerge in an endless stream: network scanning, viruses, DDoS attacks, various unknown attacks (APT) and the like threaten the normal operation of information systems at every moment. Intrusion detection can guard against network scanning, anti-virus products can guard against virus attacks, and firewalls can guard against DDoS attacks, but the various unknown attacks and the emerging, unknown attack methods and behaviors are very difficult to prevent with these three kinds of products and technologies.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method of guarding a network against various emerging attacks and unknown attack behaviors.
To solve the above technical problem, the technical solution of the present invention provides a method of guarding a network against various emerging and unknown attack behaviors, characterized in that the steps are:
Step 1: establish a network control model. The network control model is organized as a hash linked list (a hash table with chaining): a hash value is computed from the four-tuple of source IP, destination IP, protocol and destination port number, and the hash linked list is organized on the basis of that hash value;
Step 2: use the network control model to learn the normal service flows in the network and establish the service-flow white environment of the network control model, in the following steps:
Step 2.1: judge whether the received packet is a TCP packet or a UDP packet; if so, continue to step 2.1; if not, forward the current packet and go to step 2.4;
Step 2.2: extract the four-tuple of source IP, destination IP, protocol and destination port number from the IP packet, and compute a hash value from this four-tuple;
Step 2.3: query the hash linked list of the network control model using the hash value obtained in step 2.2 as the parameter. If a match is found, add the length of the current IP packet to the network traffic statistic and go to step 2.4. If no match is found, judge whether the protocol type of the current packet is TCP or UDP. If it is TCP, further judge whether the TCP header of the current packet marks it as a SYN packet: if it is a SYN packet, add a linked-list node containing the four-tuple to the hash linked list, initialize the network traffic statistic, and go to step 2.4; if it is not a SYN packet, forward the current packet and go to step 2.4. If the protocol type of the current packet is UDP, add a linked-list node containing the four-tuple to the hash linked list, initialize the network traffic statistic, and go to step 2.4;
Step 2.4: judge whether the predetermined learning time has been reached; if so, exit step 2; if not, receive the next packet and return to step 2.1 to process it;
Step 3: use the established service-flow white environment of the network control model to filter network traffic, in the following steps:
Step 3.1: judge whether the received packet is a TCP packet or a UDP packet; if so, go to step 3.2; if not, forward the current packet, receive the next packet and return to step 3.1 to process it;
Step 3.2: extract the four-tuple of source IP, destination IP, protocol and destination port number from the IP packet, compute a hash value from this four-tuple, and query the hash linked list of the network control model with this hash value as the parameter. If a matching linked-list node is found, add the traffic of this packet to the real-time traffic statistic to obtain a new traffic value, and compare the new traffic value with the network traffic statistic obtained in step 2: if the new traffic value is larger than the network traffic statistic, process the current packet with the high-traffic action and go to step 3.3; if the new traffic value is smaller than the network traffic statistic, update the real-time traffic statistic, forward the current packet and go to step 3.3. If no matching linked-list node is found, process the current packet with the untrusted-traffic action and go to step 3.3;
Step 3.3: if there is a next packet, receive it and return to step 3.1 to process it; if there is no next packet, exit step 3.
Preferably, processing the current packet with the high-traffic action and/or processing the current packet with the untrusted-traffic action means raising an alarm for the current packet, or dropping the packet while raising an alarm.
The present invention relies neither on access control policies nor on signature matching; instead, by learning the normal service flows it forms a service-flow white-environment model, so that only normal service flows are forwarded and abnormal service flows such as various unknown attacks are blocked. It can therefore guard well against various unknown and emerging attacks.
By adopting the above technical solution, the present invention has the following advantages and positive effects: it can guard against emerging attacks and various unknown attacks that firewalls and intrusion detection technology cannot prevent, ensure the normal operation of the information system, protect the security of the normal service flows in the network, and prevent the leakage of core data.
Brief description of the drawings
Fig. 1 is a flow chart of the network control model of the present invention establishing the white environment;
Fig. 2 is a flow chart of the network control model of the present invention filtering packets.
Embodiment
To make the present invention clear, it is described in detail below with a preferred embodiment and with reference to the accompanying drawings.
The present invention provides a method of guarding a network against various emerging and unknown attack behaviors, whose steps are:
Step 1: establish the network control model. The network control model is organized as a hash linked list: a hash value is computed from the four-tuple of source IP, destination IP, protocol and destination port number (service), and the hash linked list is organized on the basis of that hash value. The network control model only processes packets of the two types TCP and UDP; packets of all other types do not enter the processing of the network control model by default. For TCP packets, only the four-tuple of a TCP SYN packet can be added as a hash node to the network control model; other TCP packets only update the counter if they match a node already in the network control model, and are otherwise not processed. For UDP packets, since UDP packets have no distinction of type, all UDP packets are processed.
The network control model has a learning mode and an operating mode, and its actions are of two types, the high-traffic action and the untrusted-traffic action. The high-traffic action comprises: alarm, or drop + alarm; the untrusted-traffic action likewise comprises: alarm, or drop + alarm. Both actions are configurable, and the default action is drop + alarm. In learning mode the model learns the normal service flows and establishes the white environment of the network control model; in operating mode it matches service flows against the service-flow white environment in the network control model and, according to the matching result, gives a handling decision for the service flow: pass, alarm, or drop + alarm. The network control model is founded on the four-tuple of source IP, destination IP, protocol and destination port number (service), and it holds both the traffic statistics of the service-flow white environment and the traffic statistics of operating mode. A network control model built on this four-tuple can cover the behavior of every IP packet: it describes who (source IP) goes where (destination IP) to do what (protocol + destination port).
Step 2: use the network control model to learn the normal service flows in the network and establish the service-flow white environment of the network control model. The network control model works in learning mode. With reference to Fig. 1, the steps are:
Step 2.1: judge whether the received packet is a TCP packet or a UDP packet; if so, continue to step 2.1; if not, forward the current packet and go to step 2.4;
Step 2.2: extract the four-tuple of source IP, destination IP, protocol and destination port number from the IP packet, and compute a hash value from this four-tuple;
Step 2.3: query the hash linked list of the network control model using the hash value obtained in step 2.2 as the parameter. If a match is found, add the length of the current IP packet to the network traffic statistic and go to step 2.4. If no match is found, judge whether the protocol type of the current packet is TCP or UDP. If it is TCP, further judge whether the TCP header of the current packet marks it as a SYN packet: if it is a SYN packet, add a linked-list node containing the four-tuple to the hash linked list, initialize the network traffic statistic, and go to step 2.4; if it is not a SYN packet, forward the current packet and go to step 2.4. If the protocol type of the current packet is UDP, add a linked-list node containing the four-tuple to the hash linked list, initialize the network traffic statistic, and go to step 2.4;
Step 2.4: judge whether the predetermined learning time has been reached; if so, exit step 2; if not, receive the next packet and return to step 2.1 to process it;
Step 3: use the established service-flow white environment of the network control model to filter network traffic. The network control model works in operating mode. With reference to Fig. 2, the steps are:
Step 3.1: judge whether the received packet is a TCP packet or a UDP packet; if so, go to step 3.2; if not, forward the current packet, receive the next packet and return to step 3.1 to process it;
Step 3.2: extract the four-tuple of source IP, destination IP, protocol and destination port number from the IP packet, compute a hash value from this four-tuple, and query the hash linked list of the network control model with this hash value as the parameter. If a matching linked-list node is found, add the traffic of this packet to the real-time traffic statistic to obtain a new traffic value, and compare the new traffic value with the network traffic statistic obtained in step 2: if the new traffic value is larger than the network traffic statistic, process the current packet with the high-traffic action and go to step 3.3; if the new traffic value is smaller than the network traffic statistic, update the real-time traffic statistic, forward the current packet and go to step 3.3. If no matching linked-list node is found, process the current packet with the untrusted-traffic action and go to step 3.3;
Step 3.3: if there is a next packet, receive it and return to step 3.1 to process it; if there is no next packet, exit step 3.
In the method of guarding a network against various emerging and unknown attack behaviors as claimed in claim 1, processing the current packet with the high-traffic action and/or processing the current packet with the untrusted-traffic action means raising an alarm for the current packet, or dropping the packet while raising an alarm.
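As an added example, not code from the patent or from Donghua University, the following Python models steps 1 to 3 above: the hash linked list keyed on the four-tuple, the SYN-gated learning phase and the baseline comparison of the operating phase. The Packet record, the 256-bucket hash, the byte-count statistics and all sample traffic are constructed for illustration; the actions are the pass / alarm / drop + alarm set named in the description.

```python
from collections import namedtuple
from dataclasses import dataclass

PASS, ALARM, DROP_ALARM = "pass", "alarm", "drop+alarm"   # actions named in the description
BUCKETS = 256   # number of hash chains, kept small so that collisions really occur

# Constructed packet record; a real implementation parses the IP/TCP/UDP headers.
Packet = namedtuple("Packet", "src dst proto dport length syn", defaults=[False])

@dataclass
class Node:                  # one entry of a hash chain
    key: tuple               # the (src IP, dst IP, protocol, dst port) four-tuple
    learned_bytes: int       # traffic statistic accumulated in learning mode
    realtime_bytes: int = 0  # traffic statistic accumulated in operating mode

def four_tuple_hash(key):
    """Step 1: the hash value is derived from the four-tuple only."""
    return hash(key) % BUCKETS

class NetworkControlModel:
    def __init__(self, high_traffic_action=DROP_ALARM, untrusted_action=DROP_ALARM):
        self.chains = {}     # hash value -> list of Node (the linked list for that hash)
        self.high_traffic_action = high_traffic_action   # configurable; default drop + alarm
        self.untrusted_action = untrusted_action         # configurable; default drop + alarm

    def lookup(self, key):
        # A collision is resolved by comparing the stored four-tuple, not only the hash value.
        for node in self.chains.get(four_tuple_hash(key), ()):
            if node.key == key:
                return node
        return None

    def learn(self, pkt):
        """Step 2 (learning mode): build the service-flow white environment."""
        if pkt.proto not in ("tcp", "udp"):
            return PASS                      # step 2.1: other protocols are not modelled
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)   # step 2.2
        node = self.lookup(key)              # step 2.3
        if node is not None:
            node.learned_bytes += pkt.length # known flow: accumulate its volume
        elif pkt.proto == "udp" or pkt.syn:
            # new UDP flow, or TCP flow opened by a SYN: add a node and initialise its statistic
            self.chains.setdefault(four_tuple_hash(key), []).append(Node(key, pkt.length))
        return PASS                          # a non-SYN TCP packet with no node is forwarded unlearned

    def filter(self, pkt):
        """Step 3 (operating mode): compare each flow with its learned baseline."""
        if pkt.proto not in ("tcp", "udp"):
            return PASS                      # step 3.1
        node = self.lookup((pkt.src, pkt.dst, pkt.proto, pkt.dport))   # step 3.2
        if node is None:
            return self.untrusted_action     # flow never seen during learning
        new_total = node.realtime_bytes + pkt.length
        if new_total > node.learned_bytes:   # equality is unspecified in the text; treated as pass
            return self.high_traffic_action  # statistic is not updated for a blocked packet
        node.realtime_bytes = new_total
        return PASS

def demo():
    """Constructed traffic: a learning phase, then the operating phase on fresh packets."""
    m = NetworkControlModel()
    for p in (Packet("10.0.0.5", "10.0.0.10", "tcp", 443, 60, syn=True),
              Packet("10.0.0.5", "10.0.0.10", "tcp", 443, 1500),    # learned: 1560 bytes
              Packet("10.0.0.5", "10.0.0.2", "udp", 53, 80),        # learned: 80 bytes
              Packet("10.0.0.5", "10.0.0.20", "tcp", 8080, 500)):   # no SYN seen: not learned
        m.learn(p)
    return [m.filter(p) for p in (
        Packet("10.0.0.5", "10.0.0.10", "tcp", 443, 1500),          # 1500 <= 1560: pass
        Packet("10.0.0.5", "10.0.0.10", "tcp", 443, 1500),          # 3000 > 1560: high traffic
        Packet("10.0.0.5", "10.0.0.2", "udp", 53, 80),              # 80 == 80: pass
        Packet("10.0.0.5", "10.0.0.20", "tcp", 8080, 500),          # never learned: untrusted
        Packet("10.0.0.5", "10.0.0.99", "tcp", 22, 60, syn=True),   # unknown flow: untrusted
        Packet("10.0.0.5", "10.0.0.10", "icmp", 0, 64))]            # not TCP/UDP: pass
```

Keying a chain on the hash value alone would let two different flows share one statistic, which is why the lookup also compares the stored four-tuple. The learned volume is a per-flow byte total over the whole learning window, so the baseline is only as trustworthy as that window was representative of normal traffic.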

Claims (2)

1. A method of guarding a network against various emerging and unknown attack behaviors, characterized in that the steps are:
Step 1: establish a network control model. The network control model is organized as a hash linked list: a hash value is computed from the four-tuple of source IP, destination IP, protocol and destination port number, and the hash linked list is organized on the basis of that hash value;
Step 2: use the network control model to learn the normal service flows in the network and establish the service-flow white environment of the network control model, in the following steps:
Step 2.1: judge whether the received packet is a TCP packet or a UDP packet; if so, continue to step 2.1; if not, forward the current packet and go to step 2.4;
Step 2.2: extract the four-tuple of source IP, destination IP, protocol and destination port number from the IP packet, and compute a hash value from this four-tuple;
Step 2.3: query the hash linked list of the network control model using the hash value obtained in step 2.2 as the parameter. If a match is found, add the length of the current IP packet to the network traffic statistic and go to step 2.4. If no match is found, judge whether the protocol type of the current packet is TCP or UDP. If it is TCP, further judge whether the TCP header of the current packet marks it as a SYN packet: if it is a SYN packet, add a linked-list node containing the four-tuple to the hash linked list, initialize the network traffic statistic, and go to step 2.4; if it is not a SYN packet, forward the current packet and go to step 2.4. If the protocol type of the current packet is UDP, add a linked-list node containing the four-tuple to the hash linked list, initialize the network traffic statistic, and go to step 2.4;
Step 2.4: judge whether the predetermined learning time has been reached; if so, exit step 2; if not, receive the next packet and return to step 2.1 to process it;
Step 3: use the established service-flow white environment of the network control model to filter network traffic, in the following steps:
Step 3.1: judge whether the received packet is a TCP packet or a UDP packet; if so, go to step 3.2; if not, forward the current packet, receive the next packet and return to step 3.1 to process it;
Step 3.2: extract the four-tuple of source IP, destination IP, protocol and destination port number from the IP packet, compute a hash value from this four-tuple, and query the hash linked list of the network control model with this hash value as the parameter. If a matching linked-list node is found, add the traffic of this packet to the real-time traffic statistic to obtain a new traffic value, and compare the new traffic value with the network traffic statistic obtained in step 2: if the new traffic value is larger than the network traffic statistic, process the current packet with the high-traffic action and go to step 3.3; if the new traffic value is smaller than the network traffic statistic, update the real-time traffic statistic, forward the current packet and go to step 3.3. If no matching linked-list node is found, process the current packet with the untrusted-traffic action and go to step 3.3;
Step 3.3: if there is a next packet, receive it and return to step 3.1 to process it; if there is no next packet, exit step 3.
2. The method of guarding a network against various emerging and unknown attack behaviors as claimed in claim 1, characterized in that: processing the current packet with the high-traffic action and/or processing the current packet with the untrusted-traffic action means raising an alarm for the current packet, or dropping the packet while raising an alarm.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410172952.1A (granted as CN103944912B) | 2014-04-28 | 2014-04-28 | Method for preventing various newly-developing and unknown aggressive behaviors in network

Publications (2)

Publication Number | Publication Date
CN103944912A | 2014-07-23
CN103944912B | 2017-02-15

Family ID: 51192396


Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104901971A (en) * 2015-06-23 2015-09-09 北京东方棱镜科技有限公司 Method and device for carrying out safety analysis on network behaviors
CN104901971B (en) * 2015-06-23 2019-03-15 北京东方棱镜科技有限公司 The method and apparatus that safety analysis is carried out to network behavior
CN105939241A (en) * 2016-03-10 2016-09-14 杭州迪普科技有限公司 Connection disconnecting method and device
CN105939241B (en) * 2016-03-10 2019-03-15 杭州迪普科技股份有限公司 Connection disconnects method and device
CN106899580A (en) * 2017-02-10 2017-06-27 杭州迪普科技股份有限公司 A kind of flow cleaning method and device
CN107528847A (en) * 2017-09-01 2017-12-29 天津赞普科技股份有限公司 A kind of guard method based on MAC shuntings
CN107528847B (en) * 2017-09-01 2020-10-27 天津赞普科技股份有限公司 Protection method based on MAC shunting
CN108900477A (en) * 2018-06-08 2018-11-27 北京安控科技股份有限公司 A method of external network interference is inhibited based on gateway
CN115622810A (en) * 2022-12-14 2023-01-17 深圳市永达电子信息股份有限公司 Business application identification system and method based on machine learning algorithm


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 20170215

Termination date: 20200428