CN104954864A - Two-way set top box intrusion detection system and detection method thereof - Google Patents


Info

Publication number: CN104954864A
Authority: CN (China)
Prior art keywords: data, top box, user, detection, suspicious traffic
Legal status: Granted (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN201510342856.1A
Other languages: Chinese (zh)
Other versions: CN104954864B (en)
Inventors: 李玉峰, 张明明, 李康士, 于松林, 王文功, 陈博, 张传浩, 杜飞
Current assignee: PLA Information Engineering University (as listed; Google has not verified the assignee list)
Original assignee: PLA Information Engineering University
Events: application filed by PLA Information Engineering University; priority to CN201510342856.1A; publication of CN104954864A; application granted; publication of CN104954864B; current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04N: PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00: Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40: Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43: Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/442: Monitoring of processes or resources, e.g. detecting the failure of a recording device, monitoring the downstream bandwidth, the number of times a movie has been viewed, the storage space available from the internal hard disk
    • H04N21/44236: Monitoring of piracy processes or activities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04N: PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00: Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20: Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23: Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/24: Monitoring of processes or resources, e.g. monitoring of server load, available bandwidth, upstream requests
    • H04N21/2407: Monitoring of transmitted content, e.g. distribution time, number of downloads

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a two-way set-top box intrusion detection system and its detection method. The system comprises a front-end subsystem and a back-end subsystem. The front-end subsystem is connected to the OLT (Optical Line Terminal) uplink two-way link and collects and processes the two-way traffic entering and leaving that link; the back-end subsystem performs security detection and data analysis on the packets handed over by the front-end subsystem. Because the system sits on the OLT uplink two-way link, the aggregated traffic is identified intelligently and in real time: the front-end subsystem detects in real time, and malicious attack traffic is blocked and cleaned. Normal, uninterrupted operation of the access network is preserved, the outage that an inline (series-connected) device could otherwise cause on the link is addressed, and the link stays open. The system exposes no IP address that can be probed from outside; it behaves like a physical-layer transparent transmission device, much like a section of optical fibre, so it is naturally invisible, cannot be discovered by attackers, and protects its own network security.

Description

Two-way set-top box intrusion detection system and detection method thereof
Technical field
The present invention relates to the field of cable television (broadcasting) network security, and in particular to a two-way set-top box intrusion detection system and its detection method.
Background technology
In August 2014 the Wenzhou cable television network was attacked: legitimate programming was interrupted and a large number of sensitive images appeared on subscriber terminals, causing a very bad impression and sounding an alarm for cable network security. In the course of tri-network convergence (telecommunications, broadcasting and the Internet), parts of the cable network that were originally safe may no longer be safe in the converged setting. The two-way upgrade of the network gives ordinary subscribers independent, personalised video viewing services, but it also provides malicious attackers with an attack path; the one-way transmission that was the security cornerstone of the traditional cable network no longer exists. Smart terminals and networked televisions bring new hazards as well: smart set-top boxes, television sets and home gateways run on a variety of processor platforms, carry operating systems such as Android, and possess two-way communication channels to external networks, so they can become the targets of network attacks or be used by malicious attackers as stepping stones. As shown in Figure 1, the cable network is divided into an external network and an internal network, the latter comprising front-end, transmission and terminal parts. 1) External network: public networks outside the cable network, such as the Internet. 2) Front-end network: the broadcast service front end, the two-way service front end and the operator's office network. It sits at the head of the carrier network and performs routine office functions together with programme production and distribution for broadcast and two-way services, the EPG (Electronic Program Guide) and BOSS/SMS (business operation support and subscriber management); in the overall cable network communication model it can be abstracted as the source. 3) Transmission network: located behind the front-end network, and abstracted as the channel in the communication model. It comprises a one-way broadcast transmission network and a two-way transmission network, and by level can also be divided into a backbone network and an access network; the access network usually uses PON+EOC (PON, Passive Optical Network; EOC, Ethernet over Coax) or other access technologies. 4) Terminal network: the home network formed by the new-style set-top box or the home smart gateway, abstracted as the terminal part of the communication model.
The network security boundaries of the cable network comprise the boundary between the external network and the front-end network, the boundary between the front-end network and the transmission network, and the boundary between the transmission network and the terminal network. At present cable networks have installed conventional security equipment such as firewalls, IDS and IPS (Intrusion Prevention System) at the external/front-end boundary and the front-end/transmission boundary, to guard against attackers launching attacks on the broadcast front end from the external network or the office network, and against attackers launching attacks on the front end from the two-way transmission network or the terminal network. By comparison, little network security protection technology has so far been proposed or deployed at the boundary between the transmission network and the terminal network. Security construction for the cable network must harden the network as a whole; neglecting protection at the transmission/terminal boundary may leave the short stave of the security barrel, because the overall security of a network is decided not by its strongest part but, as a rule, by its weakest.
In the Internet domain the access network is a focus of security defence: specialised security equipment such as firewalls, vulnerability scanners, IDS and IPS is widely deployed, PCs connected to the Internet run anti-virus software, and operating systems are upgraded regularly to close their security holes. The Internet therefore now has a comparatively layered security protection system. The cable access network, by contrast, lacks such a layered system: there is no equivalent security appliance purpose-built for cable networks, so the cable access end is in a relatively 'bare' security state, and an attacker can enter the network transparently and attack the set-top box directly. Consequently, even if security software of various kinds is installed inside the set-top box, the attacker's task is not made much harder.
The hazards that this security 'short stave' in the access network may bring are: (1) An attacker can launch upstream attacks on the front-end network from the terminal network. The security vulnerabilities hidden in smart set-top boxes in the terminal network receive little attention; in fact many smart set-top boxes are difficult to upgrade, and together with weak awareness of set-top box security and the 'silent' nature of the box itself, a set-top box hazard can lie dormant for a long time, be controlled by malicious attackers on a large scale and for a long period, and lead to serious consequences. (2) Because the access network has no boundary protection, an attacker can launch downstream attacks from the front-end network on the terminal network, brewing large-scale security incidents by controlling many set-top boxes, exploiting their silent operation to make them download and store illegal applications, and playing illegal content. (3) Because the access network has no boundary protection, an illegal terminal may easily enter the network under a forged identity and carry out all kinds of destructive activity, and a terminal with a legitimate identity may access network resources without authorisation once it is in.
Summary of the invention
To remedy these deficiencies in the prior art, the invention provides a two-way set-top box intrusion detection system and its detection method. It can address the security problems the cable network now faces, improve the cable network's security protection capability, make up for the missing security mechanism in the cable access network, and provide an effective protection method for the cable access network, ensuring that attack traffic cannot remain hidden.
According to the design provided by the invention, a two-way set-top box intrusion detection system comprises a front-end subsystem and a back-end subsystem. The front-end subsystem is connected to the OLT uplink two-way link and collects and processes the two-way traffic entering and leaving that link; the back-end subsystem performs security detection and data analysis on the packets handed over by the front-end subsystem.
Further, the back-end subsystem also comprises a security detection module, which compares traffic against a security threat library to detect security threats and notifies the front-end subsystem in real time.
Further, the system also comprises a line-rate inline optical/electrical switching protection module, which handles the link interruption that an inline device on the OLT uplink two-way link could otherwise cause, ensuring that the link stays open.
A two-way set-top box intrusion detection method comprises the following steps:
Step 1. The front-end subsystem screens and collects the two-way traffic entering and leaving the OLT uplink two-way link, discards (releases) the traffic data known to be harmless, and collects the remaining suspicious traffic data and transfers it to the back-end subsystem.
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat features. If it does, the back-end subsystem performs security threat detection on the received data against the known security threat library and removes the threat; otherwise it performs security threat detection on the suspicious traffic data by statistical behaviour features and a big-data correlation analysis method, performs feature analysis on any security threat so detected, and adds the analysis result to the known security threat library.
In the above method, step 1 specifically comprises the following steps:
Step 1.1. Based on the characteristics of cable network traffic, judge whether the two-way traffic entering and leaving the OLT uplink two-way link is known legitimate audio/video content; if so, exclude it from further inspection, otherwise classify it as suspicious traffic data and proceed to the next step.
Step 1.2. Collect the suspicious traffic data.
Step 1.3. Transfer the collected suspicious traffic data to the back-end subsystem for analysis and processing.
Step 1.4. The back-end subsystem judges by analysis whether the suspicious traffic data is attack traffic data; if so, proceed to the next step, otherwise release it.
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem; proceed to step 1.6.
Step 1.6. According to the response command, the front-end subsystem handles the attack traffic data accordingly.
In the above method, step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and pass it to the security detection module.
Step 2.2. The security detection module compares the suspicious traffic data against the known security threat feature library and judges whether a known security threat is present; if so, it sends an exception-handling instruction to the front-end subsystem, otherwise it proceeds to step 2.3.
Step 2.3. Detect the suspicious traffic data with the big-data correlation analysis method and judge whether an unknown security threat is present; if so, send an exception-handling instruction to the front-end subsystem, otherwise proceed to step 2.4.
Step 2.4. Send the inspected suspicious traffic data on to the corresponding optical line terminal.
In the above method, step 2 also comprises cable network return-traffic detection, which specifically comprises: examine the subscriber traffic for large-volume return (upload) traffic. If there is none, the behaviour is judged normal. If there is, check whether the time of the large-volume return falls at an agreed time point; if so, it is judged to be normal return-traffic behaviour, otherwise it is judged to be an intrusion and an intrusion response is taken.
In the above method, performing security threat detection on the suspicious traffic data by statistical behaviour features and the big-data correlation analysis method in step 2, and performing feature analysis on the detected security threat, specifically comprises the following steps: Step (1) Extract the user's historical data from the protected business system and convert it into the corresponding data for the two-way set-top box intrusion detection system. Step (2) Generate a user normal-behaviour model from the converted data; within the intrusion detection system the user normal-behaviour profile is generated according to network security technology and serves as the standard for deciding whether the user's current behaviour is normal. Step (3) Detect the user's current behaviour: extract the current behaviour data of the user to be examined from the protected business system and compare it against the normal-behaviour profile generated in step (2). If the difference between the current behaviour data and the normal-behaviour data exceeds a defined threshold, the user's current behaviour is judged abnormal and a security risk, and the intrusion detection system raises an alarm that it is being intruded upon illegally; if the current behaviour data conforms to the normal-behaviour standard, the current behaviour is judged normal. Step (4) Extract the user's current behaviour data from the protected business system and transform it algorithmically so that the administrator of the intrusion detection system can analyse it. Step (5) Convert the current user behaviour data into user historical data for subsequent behaviour detection and analysis.
Beneficial effects of the invention:
1. The two-way set-top box intrusion detection system of the invention is deployed on the OLT uplink two-way link, identifies the aggregated traffic in real time and intelligently, and handles it correctly. Deployed inline, the system can detect security threats, detect in real time, and block and clean malicious attack traffic. Its line-rate inline optical/electrical switching protection technology switches the link to transparent pass-through mode in real time when a fault occurs, automatically bypassing the point of failure, so that the access network keeps running without interruption; the same technology handles the link interruption that an inline device could otherwise cause and keeps the link open. The system adopts a 'non-cooperative' deployment and working mode: once deployed behind the OLT uplink two-way link it runs independently, forwards known-safe traffic in real time, blocks security threats with known features in real time, and performs correlation analysis on suspicious traffic of unknown features to judge its security attributes and handle it accordingly. The whole process needs no cooperation from ordinary subscribers, from set-top box and other smart terminal manufacturers, or from the operator's front-end business systems. Deployed on the OLT uplink two-way link, the system itself has no externally observable IP address; like a physical-layer transparent transmission device, or a section of optical fibre, it is naturally 'stealthy', cannot be probed by attackers, and so protects its own network security.
2. In the two-way set-top box intrusion detection method of the invention, the front-end subsystem's processing of traffic mainly comprises two parts, data acquisition and data processing. The collected data are processed and judged on a 'discharge' principle: traffic known to be harmless, such as video and audio, is picked out and released, and the remaining suspicious traffic is collected and sent to the back-end subsystem; the traffic is then handled according to the instructions the back-end subsystem returns. The back-end subsystem further analyses and processes the packets screened out by the front end. On one hand, by analysing the collected traffic it can give an intuitive picture of the operator's interactive, Internet and live services and of subscriber usage and revenue, including content hot spots, visit frequency by URL type, subscribers per channel and subscriber traffic analysis. On the other hand, the system is provided with a security detection module: when a security threat arrives, the module compares it against the known threat features in the security threat library and, on finding a threat, notifies the front-end subsystem in real time to block it or take other action. For security threats of unknown features, such as 0-day attacks that can only be characterised with hindsight, the security detection module can detect unknown threats from the full-dimensional data collected by the front-end subsystem, using statistical behaviour features and the big-data correlation analysis method.
3. The two-way set-top box intrusion detection method of the invention makes full use of the structural feature that the system separates front end and back end: the traffic to be inspected is reduced layer by layer, and detection proceeds from the easy to the difficult according to complexity. First, the front-end subsystem filters out most of the known compliant video programme traffic, so the traffic the system has to inspect is much smaller than the input traffic; this large reduction in traffic to be inspected improves detection accuracy. The mixed traffic on the two-way cable network link differs greatly from Internet traffic in composition: much of it is traffic generated by the operator's own services, and there is operator-specific interactive operational information. Cable network traffic security detection therefore differs from the Internet case, and besides the conventional known security threat features, the known security threat library also holds known safe features specific to cable network traffic. One example is detection of the periodic return information of set-top boxes: because the cable operator needs to compile programme statistics (audience ratings, on-demand rates and so on), large volumes of data are returned from smart set-top boxes to the server during an agreed time period, and apart from on-demand traffic there is no large-volume return traffic at other times; if large-volume return traffic does appear at other times, the boxes may be under attack and the traffic needs to be dealt with. In addition, when handling unknown security threats the collected data are subjected to correlation analysis through behaviour analysis; by widening the detection domain, real-time detection based on a single time point and a single attack becomes attack discovery based on a historical time window. Further, cable network traffic is modelled according to the behaviour features peculiar to the cable network. The set-top box APP update data stream must follow a corresponding transmission standard: the loader linkage descriptor in the NIT (Network Information Table) that the network sends carries identification parameters such as the manufacturer number, hardware version number, software version number and product ID of the set-top boxes to be upgraded, and an update stream forged by a hacker often cannot match all of them, so this serves as one attack-distinguishing rule. When channels are switched, a person changing channels manually does so with a certain interval and pattern that is difficult for a hacker's switching to imitate; this serves as another attack-distinguishing rule.
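The two attack-distinguishing rules named above (the loader linkage descriptor fields of an update stream must match the box, and manual channel changes have a human interval pattern) can be written down as checks. The Python below is an added example, not code from the patent or its authors. It models only the descriptor fields the text names, because the patent gives no byte layout for the NIT loader linkage descriptor; the reading that the descriptor's software version must equal the box's current version, the half-second minimum human interval, the 5% jitter floor and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class LoaderLinkage:
    """Identification fields the text says the NIT loader linkage descriptor
    carries. The on-wire layout is not given in the patent, so only the parsed
    fields are modelled here (assumption)."""
    manufacturer_id: int
    hardware_version: int
    software_version: int
    product_id: int


@dataclass(frozen=True)
class BoxIdentity:
    """What the set-top box knows about itself (constructed)."""
    manufacturer_id: int
    hardware_version: int
    software_version: int
    product_id: int


def upgrade_stream_verdict(box: BoxIdentity, desc: LoaderLinkage) -> str:
    """Rule 1: a genuine update stream addresses exactly this box. Assumed
    reading: the descriptor names the software version it upgrades from, so all
    four fields must match; a forged stream typically gets at least one wrong."""
    fields = ("manufacturer_id", "hardware_version", "software_version", "product_id")
    mismatched = [f for f in fields if getattr(box, f) != getattr(desc, f)]
    return "genuine" if not mismatched else "forged:" + ",".join(mismatched)


MIN_HUMAN_INTERVAL = 0.5   # assumed: seconds; faster than a person presses a remote
MIN_JITTER = 0.05          # assumed: coefficient of variation below this is machine-regular
MIN_EVENTS = 4             # assumed: fewer channel changes give no usable pattern


def channel_switch_verdict(timestamps) -> str:
    """Rule 2: manual channel changes have irregular, human-scale gaps;
    scripted zapping is either too fast or too evenly spaced."""
    if len(timestamps) < MIN_EVENTS:
        return "insufficient"
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    if min(gaps) < MIN_HUMAN_INTERVAL:
        return "scripted-too-fast"
    if pstdev(gaps) / mean(gaps) < MIN_JITTER:
        return "scripted-too-regular"
    return "human"


# Constructed samples: one box identity, a genuine and a forged descriptor, and
# three channel-change timelines (seconds since the first change).
BOX = BoxIdentity(manufacturer_id=0x0A12, hardware_version=3, software_version=17, product_id=0x5501)
GENUINE = LoaderLinkage(0x0A12, 3, 17, 0x5501)
FORGED = LoaderLinkage(0x0A12, 1, 17, 0x5501)        # wrong hardware version
HUMAN_ZAPS = [0.0, 2.1, 5.4, 6.3, 11.0, 13.8]
SCRIPT_REGULAR = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0]
SCRIPT_FAST = [0.0, 0.1, 0.2, 0.3, 0.45]

if __name__ == "__main__":
    print(upgrade_stream_verdict(BOX, GENUINE), upgrade_stream_verdict(BOX, FORGED))
    print([channel_switch_verdict(t) for t in (HUMAN_ZAPS, SCRIPT_REGULAR, SCRIPT_FAST)])
```

Both rules are deliberately cheap, which is the point of running them at the access boundary: the descriptor check is a field comparison against data the box already holds, and the cadence check needs only timestamps, not payload inspection.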
Brief description of the drawings:
Fig. 1 is a schematic diagram of the hierarchical relationships in a cable television network;
Fig. 2 compares the traffic composition of the Internet and the cable network;
Fig. 3 is a structural diagram of the two-way set-top box intrusion detection system of the invention;
Fig. 4 is a deployment diagram of the two-way set-top box intrusion detection system of the invention;
Fig. 5 is a block diagram of the security detection module of the invention;
Fig. 6 is the traffic processing flow chart of the front-end subsystem of the invention;
Fig. 7 is the processing flow of the security detection module of the invention;
Fig. 8 is a flow chart of the cable network return-traffic detection of the invention;
Fig. 9 is a flow chart of the user behaviour model detection of the invention.
Detailed description of embodiments:
The invention is explained in further detail below with reference to the drawings and the technical scheme, and its embodiments are described in detail through preferred examples, but the embodiments of the invention are not limited to these.
Embodiment one, with reference to Figs. 2 to 4. Fig. 2 compares the traffic composition of the Internet and the cable network. Internet traffic composition is quite complex, applications are diverse and the traffic is poorly patterned, which forces the use of several relatively complex detection methods at the Internet access end to detect attacks and ensure security. Unlike the Internet, cable network traffic is limited and its composition is relatively simple: mainly some video streams, subscriber on-demand streams, and the set-top box logging streams the operator needs to collect back within a certain period. These predictable cable network flows are not as complicated to handle as Internet traffic, so the cable access network need not follow the security mechanism of the Internet access network; it can complete security detection at the corresponding access end with a simpler detection system or method. Figs. 3 and 4 show the overall structure and deployment of this two-way set-top box intrusion detection system. It comprises a front-end subsystem and a back-end subsystem: the front-end subsystem is connected to the OLT uplink two-way link and collects and processes the two-way traffic entering and leaving that link; the back-end subsystem performs security detection and data analysis on the packets handed over by the front-end subsystem.
Embodiment two, with reference to Fig. 5, is substantially the same as embodiment one, the difference being that the back-end subsystem also comprises a security detection module, which compares traffic against a security threat library to detect security threats and notifies the front-end subsystem in real time. The security detection module provided in the back-end subsystem comprises a known-threat-feature detection module and an unknown-threat-feature detection module. The known-threat-feature module maintains the various libraries of known security threat features and performs security threat detection on the input traffic according to those known features. The unknown-threat-feature module detects security threats with the big-data correlation analysis method proposed in recent years, performs threat feature analysis on the threats it detects, and adds the analysis results to the known threat feature library. The suspected attack traffic collected by the front-end subsystem first passes through the known-threat-feature module, which detects and removes known security threats; the remaining unknown traffic is fed into the unknown-threat-feature module for further analysis and detection.
Embodiment three is substantially the same as embodiment one, the difference being that the two-way set-top box intrusion detection system also comprises a line-rate inline optical/electrical switching protection module. This module handles the link interruption that an inline device on the OLT uplink two-way link could cause and keeps the link open: when a fault occurs it switches the link to transparent pass-through mode in real time, automatically bypassing the point of failure, so that the access network keeps running without interruption.
Embodiment four, a two-way set-top box intrusion detection method, comprises the following steps:
Step 1. The front-end subsystem screens and collects the two-way traffic entering and leaving the OLT uplink two-way link, discards (releases) the traffic data known to be harmless, and collects the remaining suspicious traffic data and transfers it to the back-end subsystem.
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat features. If it does, the back-end subsystem performs security threat detection on the received data against the known security threat library and removes the threat; otherwise it performs security threat detection on the suspicious traffic data by statistical behaviour features and a big-data correlation analysis method, performs feature analysis on any security threat so detected, and adds the analysis result to the known security threat library.
Embodiment five, with reference to Fig. 6, is substantially the same as embodiment four, the difference being that step 1 specifically comprises the following steps:
Step 1.1. Based on the characteristics of cable network traffic, judge whether the two-way traffic entering and leaving the OLT uplink two-way link is known legitimate audio/video content; if so, exclude it from further inspection, otherwise classify it as suspicious traffic data and proceed to the next step.
Step 1.2. Collect the suspicious traffic data.
Step 1.3. Transfer the collected suspicious traffic data to the back-end subsystem for analysis and processing.
Step 1.4. The back-end subsystem judges by analysis whether the suspicious traffic data is attack traffic data; if so, proceed to the next step, otherwise release it.
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem; proceed to step 1.6.
Step 1.6. According to the response command, the front-end subsystem handles the attack traffic data accordingly.
Embodiment six, shown in Figure 7, is substantially identical to embodiment four, the difference being that step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and transmit it to the security detection module;
Step 2.2. The security detection module compares the suspicious traffic data against the known security threat characteristics library and judges whether a known security threat is present; if so, it sends an exception handling instruction to the front-end subsystem; otherwise, proceed to step 2.3;
Step 2.3. Detect the suspicious traffic data using the big-data correlation analysis method and judge whether an unknown security threat is present; if so, send an exception handling instruction to the front-end subsystem; otherwise, proceed to step 2.4;
Step 2.4. Forward the inspected suspicious traffic data to the corresponding optical line terminal.
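The two-tier screening of embodiments four to six, written out as an added Python example that is not code from the patent: the front end discards flows that match registered audio/video streams, the back end matches what remains against a signature library, falls back to a statistical check for unknown threats, returns a per-source response command for the front end, and writes a signature derived from the new threat back into the library. The whitelist of audio/video sources, the signature entries, the port-sweep statistic standing in for the patent's big-data correlation analysis, and every flow record are constructed assumptions for this illustration.

```python
"""Two-tier traffic screening: the front end drops known legitimate
audio/video streams, the back end matches what remains against a
signature library and falls back to a behavioural check.

Added illustration, not the patent's code.  The flow records, the
whitelist of legitimate audio/video sources and the signature entries
are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port
    payload: bytes  # first bytes of the payload


# Constructed description of "known legitimate audio/video content":
# the operator's multicast range, its VOD servers and the streaming ports.
AV_MULTICAST = ip_network("239.0.0.0/8")
AV_SERVERS = {"10.1.1.5", "10.1.1.6"}
AV_PORTS = {1234, 5004}


def is_known_av(flow):
    """Step 1.1: legitimate broadcast/VOD traffic that the front end discards."""
    to_group = ip_address(flow.dst) in AV_MULTICAST
    from_vod = flow.src in AV_SERVERS
    return (to_group or from_vod) and flow.dport in AV_PORTS


def front_end_filter(flows):
    """Steps 1.1-1.2: keep only the flows that are not known-good AV content."""
    return [f for f in flows if not is_known_av(f)]


def common_prefix(blobs):
    """Longest byte prefix shared by all blobs (used to derive a signature)."""
    prefix = blobs[0] if blobs else b""
    for b in blobs[1:]:
        n = 0
        while n < min(len(prefix), len(b)) and prefix[n] == b[n]:
            n += 1
        prefix = prefix[:n]
        if not prefix:
            break
    return prefix


class BackEnd:
    """Step 2: signature library first, behavioural fallback second."""

    def __init__(self, signatures, scan_port_threshold=20):
        self.signatures = dict(signatures)  # name -> byte pattern (constructed)
        self.scan_port_threshold = scan_port_threshold

    def match_known(self, flow):
        """Step 2.2: compare against the known-threat characteristics library."""
        for name, pattern in self.signatures.items():
            if pattern in flow.payload:
                return name
        return None

    def behaviour_check(self, flows):
        """Step 2.3 stand-in: a source touching many distinct ports in one
        batch is flagged.  This single statistic replaces the patent's
        big-data correlation analysis for the purpose of the example."""
        ports = defaultdict(set)
        for f in flows:
            ports[f.src].add(f.dport)
        return {src for src, p in ports.items() if len(p) >= self.scan_port_threshold}

    def analyse(self, flows):
        """Return (commands, forward): commands map a source to the response
        the front end must apply; forward is the traffic cleared for the OLT."""
        commands, unmatched = {}, []
        for f in flows:
            name = self.match_known(f)
            if name:
                commands[f.src] = f"block:{name}"
            else:
                unmatched.append(f)
        for src in self.behaviour_check(unmatched):
            commands[src] = "block:port-scan"
            # Characteristic analysis of the new threat: if the source's
            # payloads share a prefix, record it so the next batch is caught
            # by the cheaper signature path (step 2 feeds the library).
            prefix = common_prefix([f.payload for f in unmatched if f.src == src])
            if len(prefix) >= 4:
                self.signatures[f"learned-{src}"] = prefix
        forward = [f for f in unmatched if f.src not in commands]
        return commands, forward


def run_pipeline(flows, backend):
    """Front-end screening followed by back-end analysis."""
    return backend.analyse(front_end_filter(flows))


# Constructed sample batch: one multicast TV stream, one flow carrying a
# constructed test pattern, one source sweeping 25 ports, one ordinary TLS flow.
SAMPLE = (
    [Flow("10.1.1.5", "239.1.1.1", 1234, b"\x47\x00")]
    + [Flow("192.168.7.8", "10.2.0.1", 80, b"GET / X-Test-Pattern-1")]
    + [Flow("192.168.7.9", "10.2.0.1", p, b"SCAN-probe") for p in range(1, 26)]
    + [Flow("192.168.7.10", "10.2.0.2", 443, b"\x16\x03\x01")]
)
SIGNATURES = {"test-pattern-1": b"X-Test-Pattern-1"}  # constructed library
```

Running `run_pipeline(SAMPLE, BackEnd(SIGNATURES))` drops the multicast stream at the front end, blocks one source by signature and one by the port-sweep statistic, forwards only the TLS flow to the OLT, and leaves the back end holding a new `learned-192.168.7.9` signature for the next batch. Blocking is keyed per source rather than per flow because the front end in embodiment five receives a response command, not a per-packet verdict.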
Embodiment seven, shown in Figure 8, is substantially identical to embodiment four, the difference being that step 2 further comprises broadcasting and cable network backhaul traffic detection, which specifically comprises the following: inspect the user's traffic and determine whether large-scale backhaul (return) traffic is present; if not, judge the behaviour to be normal; if so, check whether the time of the large-scale backhaul is the agreed time node; if it is, judge it to be normal backhaul traffic behaviour; otherwise, judge it to be intrusion behaviour and take an intrusion response against it.
Embodiment eight, shown in Figure 9, is substantially identical to embodiment four, the difference being that, in step 2, performing security threat detection on the suspicious traffic data by accumulating behavioural characteristics and applying the big-data correlation analysis method, and performing characteristic analysis on the detected security threats, specifically comprises the following steps:
Step (1). Retrieve the user's historical data from the protected business system and convert it into the corresponding data used by the bidirectional set-top box intrusion detection system;
Step (2). Generate a user normal-behaviour specification model from the converted data: within the bidirectional set-top box intrusion detection system, a user normal-behaviour specification is generated according to network security techniques and serves as the standard for detecting whether the user's current behaviour is normal;
Step (3). Detect the user's current behaviour: extract the current behaviour data of the user to be inspected from the protected business system and compare it against the user normal-behaviour specification generated in step (2). If the difference between the current behaviour data and the normal behaviour data exceeds the defined threshold, the user's current behaviour is judged abnormal and a security risk, and the bidirectional set-top box intrusion detection system issues an alarm that an illegal intrusion has occurred; if the current behaviour data conforms to the normal behaviour data standard, the user's current behaviour is judged normal;
Step (4). Retrieve the user's current behaviour data from the protected business system and convert it by algorithm so that the administrator of the bidirectional set-top box intrusion detection system can carry out data analysis;
Step (5). Transfer the current user behaviour data into the user's historical data for use in subsequent user behaviour detection and analysis.
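The scheduled-backhaul check of embodiment seven and the user behaviour baseline of embodiment eight, as one added Python example that is not the patent's code. The normal-behaviour model is a per-feature mean and spread built from historical records, the "difference" compared against the threshold is the largest z-score across features, and the current record is folded into the history afterwards as step (5) requires; the backhaul check treats a large return volume as normal only inside an agreed time window. The feature set, the historical records, the 3.0 threshold, the byte count that counts as "large-scale" and the agreed window are all constructed assumptions.

```python
"""Per-user behavioural baseline (embodiment eight) and the scheduled
backhaul check (embodiment seven).

Added illustration, not the patent's code.  The feature set, the
historical records, the threshold, the "large-scale" byte count and the
agreed backhaul window are all constructed for this example.
"""
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed behaviour features extracted per user and per observation period.
FEATURES = ("upstream_bytes", "sessions", "distinct_dsts")


def build_profile(history):
    """Step (2): the normal-behaviour model, here a per-feature mean and
    population standard deviation over the converted historical records."""
    profile = {}
    for k in FEATURES:
        vals = [r[k] for r in history]
        sd = pstdev(vals)
        # A feature that never varied would make every deviation infinite;
        # fall back to a unit spread so one new value cannot dominate.
        profile[k] = (mean(vals), sd if sd > 0 else 1.0)
    return profile


def deviation(profile, current):
    """The 'difference' the threshold is applied to: the largest z-score
    across features, so a single wildly abnormal feature is enough."""
    return max(abs(current[k] - m) / sd for k, (m, sd) in profile.items())


def detect_user(history, current, threshold=3.0):
    """Steps (3) and (5): compare current behaviour against the profile,
    raise an alarm above the threshold, then fold the record into history."""
    score = deviation(build_profile(history), current)
    verdict = "alarm" if score > threshold else "normal"
    history.append(current)  # step (5): current data becomes historical data
    return verdict, round(score, 2)


# --- backhaul check (embodiment seven) ---------------------------------
BULK_BACKHAUL_BYTES = 500_000_000                # constructed "large-scale" bound
SCHEDULED_WINDOWS = [(time(2, 0), time(4, 0))]   # constructed agreed time node


def in_window(ts, windows):
    """True if the clock time of ts falls in any (start, end) window;
    a window may cross midnight (start > end)."""
    t = ts.time()
    for start, end in windows:
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:
            return True
    return False


def check_backhaul(upstream_bytes, ts, windows=SCHEDULED_WINDOWS, bulk=BULK_BACKHAUL_BYTES):
    """Large return traffic is normal only inside an agreed window."""
    if upstream_bytes < bulk:
        return "normal"
    if in_window(ts, windows):
        return "scheduled-backhaul"
    return "intrusion"


# Constructed history for one set-top box user (one record per day).
HISTORY = [
    {"upstream_bytes": 900_000, "sessions": 3, "distinct_dsts": 2},
    {"upstream_bytes": 1_100_000, "sessions": 4, "distinct_dsts": 3},
    {"upstream_bytes": 1_000_000, "sessions": 5, "distinct_dsts": 3},
    {"upstream_bytes": 950_000, "sessions": 4, "distinct_dsts": 2},
    {"upstream_bytes": 1_050_000, "sessions": 3, "distinct_dsts": 4},
    {"upstream_bytes": 1_000_000, "sessions": 4, "distinct_dsts": 3},
]
NORMAL_DAY = {"upstream_bytes": 1_020_000, "sessions": 4, "distinct_dsts": 3}
ABNORMAL_DAY = {"upstream_bytes": 50_000_000, "sessions": 4, "distinct_dsts": 3}
```

`detect_user(list(HISTORY), NORMAL_DAY)` scores well under the threshold and returns "normal", while `ABNORMAL_DAY` with fifty times the usual upstream volume returns "alarm". Because step (5) appends every current record to the history, an attacker who ramps up slowly can drag the baseline with them; a deployment would keep the learning window bounded or exclude records that raised an alarm.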
The present invention is not limited to the above embodiments; those skilled in the art may make various corresponding changes, but any change equivalent or similar to the present invention shall fall within the scope of the claims of the present invention.

Claims (8)

1. A bidirectional set-top box intrusion detection system, characterized in that it comprises a front-end subsystem and a back-end subsystem: the front-end subsystem is connected to the OLT upstream two-way link and collects and processes the bidirectional traffic on the upstream two-way link into and out of the OLT; the back-end subsystem performs security detection and data analysis on the packets from the front-end subsystem.
2. The bidirectional set-top box intrusion detection system according to claim 1, characterized in that the back-end subsystem further comprises a security detection module, which detects security threats by comparison against a security threat library and notifies the front-end subsystem in real time.
3. The bidirectional set-top box intrusion detection system according to claim 1, characterized in that it further comprises a line-rate in-line optical/electrical switching protection module, which is connected in-line in the OLT upstream two-way link and keeps the link unobstructed in the event of a fault.
4. A bidirectional set-top box intrusion detection method, characterized in that it comprises the following steps:
Step 1. The front-end subsystem screens and collects the bidirectional traffic on the upstream two-way link into and out of the OLT: it discards traffic data that is known to be harmless, collects the remaining suspicious traffic data and transmits it to the back-end subsystem;
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat characteristics. If it does, the back-end subsystem performs security threat detection and removal on the received suspicious traffic data according to the known security threat library; otherwise it performs security threat detection on the suspicious traffic data by accumulating behavioural characteristics and applying a big-data correlation analysis method, performs characteristic analysis on the detected security threats, and adds the analysis results to the known security threat library.
5. The bidirectional set-top box intrusion detection method according to claim 4, characterized in that step 1 specifically comprises the following steps:
Step 1.1. According to the characteristics of broadcasting and cable network traffic, judge whether the bidirectional traffic on the upstream two-way link into and out of the OLT is known legitimate audio/video content; if so, discard it; otherwise, judge it to be suspicious traffic data and proceed to the next step;
Step 1.2. Collect the suspicious traffic data;
Step 1.3. Transmit the collected suspicious traffic data to the back-end subsystem for analysis and processing;
Step 1.4. The back-end subsystem judges by analysis whether the suspicious traffic data is attack traffic data; if so, proceed to the next step; otherwise, discard it;
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem, and the method proceeds to step 1.6;
Step 1.6. According to the response command, the front-end subsystem handles the attack traffic data accordingly.
6. The bidirectional set-top box intrusion detection method according to claim 4, characterized in that step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and transmit it to the security detection module;
Step 2.2. The security detection module compares the suspicious traffic data against the known security threat characteristics library and judges whether a known security threat is present; if so, it sends an exception handling instruction to the front-end subsystem; otherwise, proceed to step 2.3;
Step 2.3. Detect the suspicious traffic data using the big-data correlation analysis method and judge whether an unknown security threat is present; if so, send an exception handling instruction to the front-end subsystem; otherwise, proceed to step 2.4;
Step 2.4. Forward the inspected suspicious traffic data to the corresponding optical line terminal.
7. The bidirectional set-top box intrusion detection method according to claim 4, characterized in that step 2 further comprises broadcasting and cable network backhaul traffic detection, which specifically comprises the following: inspect the user's traffic and determine whether large-scale backhaul (return) traffic is present; if not, judge the behaviour to be normal; if so, check whether the time of the large-scale backhaul is the agreed time node; if it is, judge it to be normal backhaul traffic behaviour; otherwise, judge it to be intrusion behaviour and take an intrusion response against it.
8. The bidirectional set-top box intrusion detection method according to claim 4, characterized in that, in step 2, performing security threat detection on the suspicious traffic data by accumulating behavioural characteristics and applying the big-data correlation analysis method, and performing characteristic analysis on the detected security threats, specifically comprises the following steps:
Step (1). Retrieve the user's historical data from the protected business system and convert it into the corresponding data used by the bidirectional set-top box intrusion detection system;
Step (2). Generate a user normal-behaviour specification model from the converted data: within the bidirectional set-top box intrusion detection system, a user normal-behaviour specification is generated according to network security techniques and serves as the standard for detecting whether the user's current behaviour is normal;
Step (3). Detect the user's current behaviour: extract the current behaviour data of the user to be inspected from the protected business system and compare it against the user normal-behaviour specification generated in step (2). If the difference between the current behaviour data and the normal behaviour data exceeds the defined threshold, the user's current behaviour is judged abnormal and a security risk, and the bidirectional set-top box intrusion detection system issues an alarm that an illegal intrusion has occurred; if the current behaviour data conforms to the normal behaviour data standard, the user's current behaviour is judged normal;
Step (4). Retrieve the user's current behaviour data from the protected business system and convert it by algorithm so that the administrator of the bidirectional set-top box intrusion detection system can carry out data analysis;
Step (5). Transfer the current user behaviour data into the user's historical data for use in subsequent user behaviour detection and analysis.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510342856.1A CN104954864B (en) 2015-06-19 2015-06-19 Bi-directional set-top box intruding detection system and its detection method

Publications (2)

Publication Number Publication Date
CN104954864A true CN104954864A (en) 2015-09-30
CN104954864B CN104954864B (en) 2019-03-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant