CN104954864B - Bi-directional set-top box intrusion detection system and detection method - Google Patents


Info

Publication number: CN104954864B
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201510342856.1A
Other languages: Chinese (zh)
Other versions: CN104954864A (en)
Inventors: 李玉峰, 张明明, 李康士, 于松林, 王文功, 陈博, 张传浩, 杜飞
Current assignee: PLA Information Engineering University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: PLA Information Engineering University
Events: application filed by PLA Information Engineering University; priority to CN201510342856.1A; publication of CN104954864A; application granted; publication of CN104954864B; legal status Active (current); anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N 21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N 21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N 21/43 Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N 21/442 Monitoring of processes or resources, e.g. detecting the failure of a recording device, monitoring the downstream bandwidth, the number of times a movie has been viewed, the storage space available from the internal hard disk
    • H04N 21/44236 Monitoring of piracy processes or activities
    • H04N 21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N 21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N 21/24 Monitoring of processes or resources, e.g. monitoring of server load, available bandwidth, upstream requests
    • H04N 21/2407 Monitoring of transmitted content, e.g. distribution time, number of downloads


Abstract

The present invention relates to a bi-directional set-top box intrusion detection system and its detection method. The intrusion detection system comprises a front-end subsystem and a back-end subsystem. The front-end subsystem is connected to the OLT upstream bidirectional link and collects and processes the bidirectional traffic entering and leaving that link; the back-end subsystem performs security detection and data analysis on the packets passed to it by the front-end subsystem. The invention is deployed on the OLT upstream bidirectional link, where it performs real-time intelligent identification of the aggregated traffic and detects, blocks and cleans malicious attack traffic in real time. It keeps the access network running without interruption: any break that its in-line insertion could introduce into the link is handled, so the link stays open. The system itself has no externally observable IP address; like a physical-layer transparent transmission device, or a length of optical fibre, it has a natural "stealth" property that keeps attackers from probing it, which protects the system's own network security.

Description

Bi-directional set-top box intrusion detection system and detection method
Technical field
The present invention relates to the field of cable television network security technology, and in particular to a bi-directional set-top box intrusion detection system and its detection method.
Background technique
In August 2014 the Wenzhou cable television network was attacked by hackers: legitimate programming was interrupted and a large number of sensitive images appeared on terminals, causing a very bad impression and sounding the alarm for cable network security. During the "three-network convergence" evolution, parts of the cable network that were originally secure may no longer be secure under the new converged conditions. Bidirectional upgrading gives ordinary users autonomous, personalised video viewing services, but it also provides an attack path for malicious attackers: the one-way propagation of the traditional cable network, the cornerstone of its security, no longer exists. Terminal intelligence and networked television also bring new security risks: intelligent set-top boxes, televisions, home gateways and other terminals run on a variety of processor platforms with operating systems such as Android installed, and, having a bidirectional communication channel to external networks, can themselves become targets or stepping stones for network attacks by malicious actors.
As shown in Figure 1, the cable television network is divided into an external network and an internal network, and the internal network into three main parts: front end, transmission and terminal. 1) External network: the other public networks outside the cable network, such as the Internet. 2) Front-end network: the broadcast service front-end network, the bidirectional service front-end network and the broadcaster's office network. The front-end network sits at the head of the operator's network and performs routine office work, programming for broadcast and bidirectional services, programme publishing, EPG (Electronic Program Guide), BOSS/SMS and similar functions; in the communication model of the whole cable network it can be abstracted as the source. 3) Transmission network: located behind the front-end network, it can be abstracted as the channel in the communication model. It comprises a one-way broadcast transmission network and a bidirectional transmission network, and by level can also be divided into a backbone network and an access network; the backbone network is built from backbone routers, and the access network generally uses PON+EOC (PON, Passive Optical Network; EOC, Ethernet over Coax) or other access technologies. 4) Terminal network: the home network formed around a new-type set-top box or a household intelligent gateway; the terminal part can be abstracted as the sink in the communication model.
The network security boundaries of the cable network are the zone boundary between the external network and the front-end network, the zone boundary between the front-end network and the transmission network, and the boundary between the transmission network and the terminal network. At present cable networks have installed conventional security safeguards such as firewalls, IDS and IPS (Intrusion Prevention System) at the boundary between the front-end network and the external network and at the boundary between the front-end network and the transmission network, to guard against attackers launching attacks on the front-end network from the external network or the office network, and against attackers launching attacks on the front-end network from the bidirectional transmission network or the terminal network. By comparison, proposals and implementations of corresponding network protection technology at the boundary between the transmission network and the terminal network remain rare. Building cable network security requires hardening the whole network; neglecting protection at the boundary between the transmission network and the terminal network is likely to leave it as the short stave of the security barrel, because the overall security of a network is determined not by its strongest part but by its weakest.
In the Internet world the access network is a key defensive zone: firewalls, vulnerability scanners, IDS, IPS and other specialised security devices are widely deployed, the PCs that connect through the access network run anti-virus and similar software, and operating systems are upgraded regularly to close their security holes. The Internet therefore has a relatively layered security protection system. The cable television access network, by contrast, lacks a comparable layered security system and has no dedicated security devices built specifically for cable; relatively speaking the cable access network is in a "naked" state, and an attacker can easily and transparently enter the network and attack the set-top box directly. Under these conditions, even if all kinds of security firmware are installed inside the set-top box, the attacker's task is not much harder.
The security risks of this access-network "short stave" include the following. (1) An attacker can launch an uplink attack from the terminal network toward the front-end network. Hidden vulnerabilities in intelligent set-top boxes receive little attention within the terminal network; in fact many intelligent set-top boxes are hard to upgrade, people's awareness of set-top box security is weak, and the "silent" nature of set-top boxes gives their security risks a long latency period, so they are easily taken under wide-ranging, large-scale, long-term control by malicious attackers, which can have serious consequences. (2) Because the access network has no boundary protection, an attacker can launch a downlink attack from the front-end network toward the terminal network, exploiting the silence of set-top boxes to control large numbers of them and brew a wide-ranging security incident, for example by making set-top boxes download and store illegal applications and play illegal content. (3) Because the access network has no boundary protection, an illegal terminal may enter the network easily under a forged identity and carry out all kinds of destructive activity, and a terminal with a legitimate identity may, once inside the network, access all kinds of network resources without authorisation.
Summary of the invention
To address the shortcomings of the prior art, the present invention provides a bi-directional set-top box intrusion detection system and detection method that responds to the security problems cable networks now face, improves cable network security protection, makes up for the missing security mechanism in the cable access network, provides an effective means of protecting the cable access network, and ensures that attack traffic cannot stay hidden.
According to the design provided by the present invention, a bi-directional set-top box intrusion detection system comprises a front-end subsystem and a back-end subsystem. The front-end subsystem is connected to the OLT upstream bidirectional link, collects and processes the bidirectional traffic entering and leaving that link, discards data known to be harmless, and collects the remaining suspicious traffic and passes it to the back-end subsystem. The back-end subsystem performs security detection and data analysis on the packets received from the front-end subsystem.
In the above system, the back-end subsystem further comprises a security detection module, which compares security threats against a security threat library and notifies the front-end subsystem in real time.
In the above system, a line-rate in-line optical/electrical switch protection module is further included; this module handles any break in the OLT upstream bidirectional link caused by the in-line insertion, keeping the link open.
A bi-directional set-top box intrusion detection method comprises the following steps:
Step 1. The front-end subsystem screens and collects the bidirectional traffic entering and leaving the OLT upstream bidirectional link, discards traffic data known to be harmless, and collects the remaining suspicious traffic data and transmits it to the back-end subsystem;
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat signatures. If it does, the back-end subsystem performs security threat detection on the received suspicious traffic data against the known security threat library and removes the threats; otherwise it performs security threat detection on the suspicious traffic data by statistical behaviour features and the big-data association analysis method, performs signature analysis on the security threats detected, and adds the analysis result to the known security threat library.
In the above bi-directional set-top box intrusion detection method, step 1 specifically comprises the following steps:
Step 1.1. Judge, from the characteristics of cable network traffic, whether the bidirectional traffic entering and leaving the OLT upstream bidirectional link is known legitimate audio/video content; if so, discard it, otherwise classify it as suspicious traffic data and proceed to the next step;
Step 1.2. Collect the suspicious traffic data;
Step 1.3. Transmit the collected suspicious traffic data to the back-end subsystem for analysis and processing;
Step 1.4. The back-end subsystem analyses the suspicious traffic data and determines whether it is attack traffic data; if so, proceed to the next step, otherwise discard it;
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem and proceeds to step 1.6;
Step 1.6. According to the response command, the front-end subsystem takes the corresponding action on the attack traffic data.
In the above bi-directional set-top box intrusion detection method, step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and pass it to the security detection module;
Step 2.2. The security detection module compares the suspicious traffic data against the known security threat signature library to judge whether a known security threat is present; if so, it sends an exception-handling instruction to the front-end system, otherwise it proceeds to step 2.3;
Step 2.3. Detect the suspicious traffic data by the big-data association analysis method to judge whether an unknown security threat is present; if so, send an exception-handling instruction to the front-end system, otherwise proceed to step 2.4;
Step 2.4. Transmit the suspicious traffic data that passed detection to the corresponding optical line terminal.
In the above bi-directional set-top box intrusion detection method, step 2 further comprises cable network backhaul traffic detection, which specifically comprises the following: detect the user traffic and check whether large-scale traffic backhaul is occurring; if not, judge the behaviour normal; if so, check whether the time of the large-scale backhaul is an agreed time point; if so, judge it normal backhaul behaviour, otherwise judge it intrusion behaviour and take an intrusion response against it.
In the above bi-directional set-top box intrusion detection method, the security threat detection in step 2 by statistical behaviour features and the big-data association analysis method, together with the signature analysis of the detected security threats, specifically comprises the following steps: step (1) take the user history data from the protected business system and convert it into the corresponding data used by the bi-directional set-top box intrusion detection system; step (2) generate a user normal-behaviour model from the converted data, i.e. a user normal-behaviour specification within the bi-directional set-top box intrusion detection system built according to network security technology, to serve as the standard for judging whether the user's current behaviour is normal; step (3) detect the user's current behaviour: extract the current behaviour data of the monitored user from the protected business system and compare it against the user normal-behaviour specification generated in step (2); if the difference between the current behaviour data and the normal behaviour data exceeds a defined threshold, judge the user's current behaviour abnormal and a security risk, and have the bi-directional set-top box intrusion detection system raise an illegal-intrusion security alarm; if the current behaviour data conforms to the normal behaviour standard, judge the user's current behaviour normal; step (4) take the user's current behaviour data from the protected business system and convert it by algorithm for data analysis by the bi-directional set-top box intrusion detection system administrator; step (5) convert the current user behaviour data into user history data for use in subsequent user behaviour detection and analysis.
Beneficial effects of the present invention:
1. The bi-directional set-top box intrusion detection system of the present invention is deployed on the OLT upstream bidirectional link, where it performs real-time intelligent identification of the aggregated traffic and handles that traffic correctly. In in-line deployment the system can detect security threats and detect, block and clean malicious attack traffic in real time. The system is designed with line-rate in-line optical/electrical switch protection: when a fault occurs, the link is switched in real time to transparent transmission mode, automatically bypassing the point of failure, so that the access network keeps running without interruption; any break that the in-line insertion could introduce into the link is handled by this protection, keeping the link open. The system uses a "non-cooperative" deployment and working mode: once deployed on the OLT upstream bidirectional link it runs independently, forwarding known safe traffic in real time, blocking security threats with known signatures in real time, and running association analysis on suspicious traffic with unknown signatures to determine its security attributes and handle it accordingly; the whole operation needs no cooperation from ordinary users, from set-top box and other intelligent-terminal manufacturers, or from the operator's front-end business systems. Being deployed on the OLT upstream bidirectional link, the system itself has no externally observable IP address; like a physical-layer transparent transmission device, or a length of optical fibre, it has a natural "stealth" property that keeps attackers from probing it, which protects the system's own network security.
2. In the bi-directional set-top box intrusion detection method of the present invention, the front-end subsystem's traffic processing comprises two parts, data collection and data processing. Its function is to judge the collected data on the "discard" principle, that is, to discard data known to be harmless, such as video and audio, and to collect the remaining suspicious traffic and send it to the back-end system, then to carry out the corresponding processing flow according to the instructions passed back by the back-end subsystem. The back-end subsystem further analyses and processes the packets screened out by the front-end system. On the one hand, by analysing the collected traffic, it can present an intuitive view of the cable operator's interactive services, Internet services, live broadcast services and users' usage and profit situation, including content hot spots, access frequency of each type of URL, channel user counts, user traffic and so on. On the other hand, a security detection module is set up in the system: when a security threat arrives, the module compares it against the security threat library for threats with known signatures and, on finding one, notifies the front-end system in real time to block it or take other action; for security threats with unknown signatures that can only be determined from posterior knowledge, such as 0-day attacks, the security detection module uses the full-dimensional data collected by the front-end system and, through statistical behaviour features, detects the unknown threat by the big-data association analysis method.
3. The bi-directional set-top box intrusion detection method of the present invention makes full use of the system's front-end/back-end division and reduces the traffic to be inspected layer by layer, from easy to hard in order of complexity, before completing detection. First, the front-end subsystem filters out most of the known compliant video programme traffic, so that the traffic the system must inspect is far smaller than the input traffic; this large reduction in the traffic to be inspected improves detection accuracy. Second, the mix of traffic on a cable bidirectional network link differs markedly from Internet traffic: the cable operator has much self-generated service traffic, together with the operator's own distinctive interaction information, so security detection of cable network traffic differs from that of the Internet. Besides the common known security threat signatures, the known security threat library holds known signatures specific to cable network traffic, for example detection of the set-top box's periodic backhaul: because the cable network operator needs programme statistics (such as audience ratings and VOD request rates), large volumes of data are returned from intelligent set-top boxes to the server during certain agreed periods, while outside those periods there is no large-scale backhaul other than VOD traffic; if large-scale backhaul traffic also appears at other times, the network may be under attack and the traffic needs to be handled. Third, when coping with unknown security threats, the collected data is subjected to association analysis through behaviour analysis, widening the detection domain from real-time detection of a single point in time and a single attack to detection over a historical time window that can discover attacks. Given the characteristics of cable network traffic, the modelling and analysis follow the cable network's own behavioural features. A set-top box APP update data stream must follow the corresponding transmission standard, and the Loader linkage descriptor carried in the NIT sent over the network contains identification parameters such as the set-top box manufacturer number, hardware version number, software version number and product serial number; an update data stream forged by a hacker often cannot match these exactly, so this can serve as one attack discrimination rule. When channels are changed, manual channel switching shows certain intervals and regularity in time that a hacker's switching is hard to imitate, so this can serve as another attack discrimination rule.
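The two cable-specific discrimination rules described in point 3 above, the NIT Loader linkage descriptor check and the channel-change timing check, as one added Python example; this is illustrative code written for this page, not the patent's own implementation. The standard part of the DVB linkage_descriptor (tag 0x4A: transport_stream_id, original_network_id, service_id, linkage_type) follows ETSI EN 300 468; the linkage_type value 0x81 (from the user-defined range), the private-data layout carrying manufacturer, hardware version, software version and serial prefix, the fleet registry, the sample NIT loop and the timing thresholds are all assumptions.

```python
"""Two cable-network-specific discrimination rules: (a) a set-top-box software-update announcement
carried in a NIT linkage descriptor is checked against the operator's registered fleet, (b) channel
change timing is tested for human pacing. Added illustration; the private-data layout, the
user-defined linkage_type value, the registry and the timing thresholds are assumptions."""
import struct
from statistics import pstdev

LINKAGE_DESCRIPTOR_TAG = 0x4A        # DVB linkage_descriptor tag (ETSI EN 300 468)
NETWORK_NAME_DESCRIPTOR_TAG = 0x40   # network_name_descriptor, present in real NIT loops
ASSUMED_LOADER_LINKAGE_TYPE = 0x81   # linkage_type 0x80-0xFE is user defined; 0x81 chosen here


def parse_descriptor_loop(buf: bytes):
    """Yield (tag, payload) for each descriptor in a DVB descriptor loop; stop on truncation."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            break                       # truncated descriptor: never trust a partial payload
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length


def parse_loader_linkage(payload: bytes):
    """Decode the standard linkage_descriptor header; for the assumed loader linkage_type also
    decode manufacturer, hardware version, software version and serial prefix from private data."""
    if len(payload) < 7:
        return None
    ts_id, onid, service_id, linkage_type = struct.unpack(">HHHB", payload[:7])
    rec = {"ts_id": ts_id, "onid": onid, "service_id": service_id, "linkage_type": linkage_type}
    if linkage_type == ASSUMED_LOADER_LINKAGE_TYPE and len(payload) >= 15:
        # Assumed private layout: manufacturer(16) hw_version(16) sw_version(16) serial_prefix(16)
        (rec["manufacturer"], rec["hw_version"],
         rec["sw_version"], rec["serial_prefix"]) = struct.unpack(">HHHH", payload[7:15])
    return rec


def build_loader_descriptor(ts_id, onid, service_id, manufacturer, hw, sw, serial) -> bytes:
    """Encode a loader linkage descriptor in the assumed layout (used to build the sample NIT)."""
    body = struct.pack(">HHHB", ts_id, onid, service_id, ASSUMED_LOADER_LINKAGE_TYPE)
    body += struct.pack(">HHHH", manufacturer, hw, sw, serial)
    return bytes([LINKAGE_DESCRIPTOR_TAG, len(body)]) + body


# Assumed operator registry: deployed (manufacturer, hw_version) models, the software version the
# head end is currently pushing to each model, and the loader service that carries it.
FLEET_REGISTRY = {
    (0x0101, 0x0002): {"sw_version": 0x0310, "loader_service_id": 0x0420},
    (0x0203, 0x0001): {"sw_version": 0x0125, "loader_service_id": 0x0421},
}


def update_announcement_is_legit(rec) -> bool:
    """A forged update stream rarely matches model, pushed version and loader service all at once."""
    model = FLEET_REGISTRY.get((rec.get("manufacturer"), rec.get("hw_version")))
    if model is None:
        return False
    return rec["sw_version"] == model["sw_version"] and rec["service_id"] == model["loader_service_id"]


def check_nit_descriptors(loop: bytes):
    """Return [(record, legit)] for every loader linkage descriptor found in a NIT descriptor loop."""
    results = []
    for tag, payload in parse_descriptor_loop(loop):
        if tag != LINKAGE_DESCRIPTOR_TAG:
            continue
        rec = parse_loader_linkage(payload)
        if rec and rec["linkage_type"] == ASSUMED_LOADER_LINKAGE_TYPE:
            results.append((rec, update_announcement_is_legit(rec)))
    return results


# Constructed NIT descriptor loop: a network name, a genuine update announcement, and a forged one
# that names a real model but advertises a software version the head end is not pushing.
SAMPLE_NIT_LOOP = (
    bytes([NETWORK_NAME_DESCRIPTOR_TAG, 3]) + b"CTV"
    + build_loader_descriptor(0x0001, 0x00FF, 0x0420, 0x0101, 0x0002, 0x0310, 0x1234)
    + build_loader_descriptor(0x0001, 0x00FF, 0x0420, 0x0101, 0x0002, 0x0311, 0x1234)
)

# Channel-change pacing rule. Thresholds are assumptions about what a hand on a remote can do.
MIN_HUMAN_ZAP_SECONDS = 0.8    # consecutive changes faster than this are not a human pressing keys
ZAP_BURST = 10                 # this many too-fast changes in a row is treated as scripted
MACHINE_JITTER_SECONDS = 0.02  # gaps more regular than this over a burst are treated as scripted


def zapping_is_scripted(change_times) -> bool:
    """True for a burst of superhuman-fast changes or for machine-regular intervals."""
    gaps = [b - a for a, b in zip(change_times, change_times[1:])]
    run = 0
    for g in gaps:
        run = run + 1 if g < MIN_HUMAN_ZAP_SECONDS else 0
        if run >= ZAP_BURST:
            return True
    return len(gaps) >= ZAP_BURST and pstdev(gaps) < MACHINE_JITTER_SECONDS


if __name__ == "__main__":
    for rec, legit in check_nit_descriptors(SAMPLE_NIT_LOOP):
        print(hex(rec["sw_version"]), "legit" if legit else "FORGED")
    print(zapping_is_scripted([i * 0.25 for i in range(12)]))
```

The descriptor parser stops on a truncated descriptor instead of guessing at it, so a forged announcement cannot be slipped past the check by cutting the loop short; the pacing rule treats both superhuman bursts and perfectly regular intervals as scripted, since neither looks like a hand on a remote.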
Detailed description of the invention:
Fig. 1 is a schematic diagram of the hierarchy of the cable television network;
Fig. 2 is a comparison of Internet and cable network traffic;
Fig. 3 is a schematic diagram of the structure of the bi-directional set-top box intrusion detection system of the invention;
Fig. 4 is a schematic diagram of the deployment of the bi-directional set-top box intrusion detection system of the invention;
Fig. 5 is a structural block diagram of the security detection module of the invention;
Fig. 6 is a flow diagram of the front-end system's traffic processing of the invention;
Fig. 7 is the processing flow of the security detection module of the invention;
Fig. 8 is a flow diagram of the cable network backhaul traffic detection of the invention;
Fig. 9 is a schematic diagram of the user behaviour model detection flow of the invention.
Specific embodiments:
The present invention is described in further detail below with reference to the accompanying drawings and the technical solution, and embodiments of the present invention are described in detail through preferred embodiments, but embodiments of the present invention are not limited to these.
Embodiment one, see Figures 2 to 4. Figure 2 compares Internet and cable network traffic. Internet traffic composition is considerably complex, with many uses and poor regularity, which forces the Internet access network to use a variety of relatively complex detection methods to detect attacks and ensure security. Cable network traffic, by contrast, is small and relatively simple in composition: it is mainly some video streams, customers' VOD streams and the set-top box recording streams that the operator needs to collect back within a certain period, and these predictable cable network flows are not handled as complexly as on the Internet. The cable access network therefore has no need to follow the security mechanism of the Internet access network; it can complete the security detection of the access end with a simpler detection system or method. Figures 3 and 4 show the overall structure and deployment of the bi-directional set-top box intrusion detection system. A bi-directional set-top box intrusion detection system comprises a front-end subsystem and a back-end subsystem; the front-end subsystem is connected to the OLT upstream bidirectional link, collects and processes the bidirectional traffic entering and leaving it, discards data known to be harmless, and collects the remaining suspicious traffic and passes it to the back-end subsystem; the back-end subsystem performs security detection and data analysis on the packets from the front-end subsystem.
Embodiment two, see Figure 5. It is essentially the same as Embodiment one, except that the back-end subsystem further comprises a security detection module, which compares security threats against a security threat library and notifies the front-end subsystem in real time. The back-end system contains a security detection module for known threat signatures and a security detection module for unknown threat signatures. The known-signature module maintains libraries of security threats with known signatures and performs security threat detection on the input traffic against those signatures. The unknown-signature module uses the big-data association analysis method proposed in recent years to detect security threats, performs threat signature analysis on the threats detected, and adds the analysis result to the known threat signature library. Suspected attack traffic collected by the front-end system first passes through the known-signature security detection module, which detects and removes known security threats; the remaining unknown traffic is sent to the unknown-signature detection module for further analysis and detection.
Embodiment three is essentially the same as Embodiment one, except that the bi-directional set-top box intrusion detection system further comprises a line-rate in-line optical/electrical switch protection module, which handles any break in the OLT upstream bidirectional link caused by the in-line insertion and keeps the link open: when a fault occurs, the link is switched in real time to transparent transmission mode, automatically bypassing the point of failure, so that the access network keeps running without interruption.
Embodiment four, a bi-directional set-top box intrusion detection method, comprises the following steps:
Step 1. The front-end subsystem screens and collects the bidirectional traffic entering and leaving the OLT upstream bidirectional link, discards traffic data known to be harmless, and collects the remaining suspicious traffic data and transmits it to the back-end subsystem;
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat signatures. If it does, the back-end subsystem performs security threat detection on the received suspicious traffic data against the known security threat library and removes the threats; otherwise it performs security threat detection on the suspicious traffic data by statistical behaviour features and the big-data association analysis method, performs signature analysis on the security threats detected, and adds the analysis result to the known security threat library.
Embodiment five, see Figure 6. It is essentially the same as Embodiment four, except that step 1 specifically comprises the following steps:
Step 1.1. Judge, from the characteristics of cable network traffic, whether the bidirectional traffic entering and leaving the OLT upstream bidirectional link is known legitimate audio/video content; if so, discard it, otherwise classify it as suspicious traffic data and proceed to the next step;
Step 1.2. Collect the suspicious traffic data;
Step 1.3. Transmit the collected suspicious traffic data to the back-end subsystem for analysis and processing;
Step 1.4. The back-end subsystem analyses the suspicious traffic data and determines whether it is attack traffic data; if so, proceed to the next step, otherwise discard it;
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem and proceeds to step 1.6;
Step 1.6. According to the response command, the front-end subsystem takes the corresponding action on the attack traffic data.
Embodiment six, shown in Figure 7, is essentially identical to embodiment four, the difference being that step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and pass it to the security detection module.
Step 2.2. The security detection module judges, by comparison against the known security threat feature library, whether a known security threat is present in the suspicious traffic data; if one is present, the system sends an exception handling instruction to the front end; otherwise, proceed to step 2.3.
Step 2.3. Detect the suspicious traffic data according to the big-data association analysis method and judge whether an unknown security threat is present; if one is present, the system sends an exception handling instruction to the front end; otherwise, execute step 2.4.
Step 2.4. Transmit the suspicious traffic data that passed detection to the corresponding optical line terminal.
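As an added worked example (not code from the patent or its applicant), the following Python models the procedure of embodiments four to six: front-end screening of known audio-video content, back-end matching against a known-threat feature library, one statistical behavioural feature standing in for the big-data association analysis, feature analysis of a detected threat that feeds a new signature back into the library, and the response command returned to the front end. The A/V transport characteristics (multicast prefix and ports), the destination-port fan-out feature and its threshold, the byte-prefix signature analysis, and the flow records are all assumptions constructed for this example.

```python
"""Added example: two-stage screening and detection pipeline (embodiments four to six)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow summary exported from the OLT uplink; the field set is an assumption."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# Step 1.1: transport characteristics assumed to identify known legitimate A/V
# content (IPTV multicast range and ports). Constructed for this example.
AV_MULTICAST_PREFIX = "239."
AV_PORTS = {5004, 8080}


def is_known_av(flow):
    return flow.proto == "udp" and flow.dst.startswith(AV_MULTICAST_PREFIX) and flow.dport in AV_PORTS


def front_end_screen(flows):
    """Steps 1.1-1.3: reject known A/V content, forward everything else as suspicious."""
    return [f for f in flows if not is_known_av(f)]


class ThreatLibrary:
    """Known security threat feature library (step 2.2): name -> byte pattern."""
    def __init__(self, seed):
        self.signatures = dict(seed)

    def match(self, flow):
        for name, sig in self.signatures.items():
            if sig in flow.payload:
                return name
        return None

    def add(self, name, sig):
        self.signatures[name] = sig


# Step 2.3 stand-in for a statistical behavioural feature: distinct destination
# ports one source touches within the batch. The threshold is an assumption.
FANOUT_THRESHOLD = 20


def fanout_sources(flows):
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return {src for src, ps in ports.items() if len(ps) > FANOUT_THRESHOLD}


def common_prefix(payloads):
    """Feature analysis of a detected threat: longest common byte prefix of its payloads."""
    prefix = payloads[0]
    for p in payloads[1:]:
        n = 0
        while n < min(len(prefix), len(p)) and prefix[n] == p[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def back_end_detect(suspicious, library, min_sig_len=4):
    """Step 2: signature match first; statistical detection for the rest; learn new signatures."""
    verdicts, unmatched = {}, []
    for f in suspicious:
        name = library.match(f)
        if name:
            verdicts[f] = "known:" + name
        else:
            unmatched.append(f)
    for src in fanout_sources(unmatched):
        flagged = [f for f in unmatched if f.src == src]
        for f in flagged:
            verdicts[f] = "unknown:fanout"
        sig = common_prefix([f.payload for f in flagged])
        if len(sig) >= min_sig_len:  # keep only a non-trivial learned signature
            library.add("learned-" + src, sig)
    for f in unmatched:
        verdicts.setdefault(f, "clean")
    # Steps 1.5/1.6: response commands returned to the front end for attack sources.
    commands = sorted({("block", f.src) for f, v in verdicts.items() if v != "clean"})
    return verdicts, commands


def build_sample_batch():
    """Constructed flow records, not captured traffic."""
    flows = [
        Flow("10.1.0.2", "239.1.1.5", 5004, "udp", b"\x47\x40\x00"),          # legitimate MPEG-TS
        Flow("10.1.0.3", "239.1.1.6", 8080, "udp", b"\x47\x41\x00"),          # legitimate
        Flow("10.1.0.9", "10.9.9.9", 80, "tcp", b"GET /cgi-bin/EVIL-SEED"),   # hits the seed signature
        Flow("10.1.0.4", "10.9.9.1", 443, "tcp", b"\x16\x03\x01"),            # clean
    ]
    # One source touching 25 ports with a shared payload prefix (constructed).
    flows += [Flow("10.1.0.7", "10.9.9.2", 1000 + i, "tcp", b"SCAN-PROBE-" + str(i).encode())
              for i in range(25)]
    return flows


def run_pipeline(library=None):
    """Run both stages over the sample batch; pass the returned library back in to see learned signatures hit."""
    library = library if library is not None else ThreatLibrary({"evil-seed": b"EVIL-SEED"})
    suspicious = front_end_screen(build_sample_batch())
    verdicts, commands = back_end_detect(suspicious, library)
    return suspicious, verdicts, commands, library
```

Calling `run_pipeline()` once flags the probing source through the statistical stage and learns a signature for it; calling it again with the returned library shows the same traffic now caught by the signature stage, which is the feedback loop of step 2. The fan-out heuristic is a single placeholder feature; a production back end would compute many such features per source and per user before association analysis.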
Embodiment seven, shown in Figure 8, is essentially identical to embodiment four, the difference being that step 2 further comprises broadcasting and cable network return-traffic detection, which specifically comprises the following: detect the user traffic for large-scale traffic return; if there is none, determine that it is normal behaviour; if there is, detect whether the time of the large-scale traffic return is an agreed time node; if so, determine that it is normal traffic-return behaviour; otherwise, determine that it is intrusion behaviour and take an intrusion response against it.
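The return-traffic decision tree of embodiment seven, as an added Python example that is not part of the patent: upstream bytes are aggregated per user and per time window, a window above a volume threshold counts as large-scale return, and such a window is normal only if it starts at an agreed time node. The agreed nodes, the tolerance around them, the volume threshold, the window size, and the per-flow records are assumptions constructed for this example.

```python
"""Added example: broadcasting network return-traffic (upstream) detection (embodiment seven)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed operator parameters: upstream return is agreed for these clock times, a
# burst is "at" a node if its window starts within TOLERANCE of one, and a window
# counts as large-scale return above BULK_BYTES.
AGREED_NODES = [(2, 0), (14, 30)]   # (hour, minute)
TOLERANCE = timedelta(minutes=10)
BULK_BYTES = 50_000_000
WINDOW_MINUTES = 5


def window_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def is_agreed_time(ts):
    for hour, minute in AGREED_NODES:
        node = ts.replace(hour=hour, minute=minute, second=0, microsecond=0)
        if abs(ts - node) <= TOLERANCE:
            return True
    return False


def aggregate_upstream(events):
    """Sum upstream bytes per (user, window) from (user, timestamp, upstream_bytes) events."""
    totals = defaultdict(int)
    for user, ts, nbytes in events:
        totals[(user, window_start(ts))] += nbytes
    return totals


def classify(window_ts, upstream_bytes):
    """The decision tree of embodiment seven for one user window."""
    if upstream_bytes < BULK_BYTES:
        return "normal"              # no large-scale return: normal behaviour
    if is_agreed_time(window_ts):
        return "scheduled-return"    # large-scale return at an agreed time node
    return "intrusion"               # large-scale return off schedule


def detect_return_traffic(events):
    """Returns ({(user, window): verdict}, [response actions for intrusions])."""
    verdicts, responses = {}, []
    for (user, wts), total in sorted(aggregate_upstream(events).items()):
        verdict = classify(wts, total)
        verdicts[(user, wts)] = verdict
        if verdict == "intrusion":
            responses.append(("isolate-user", user, wts.isoformat()))
    return verdicts, responses


def sample_events():
    """Constructed per-flow upstream records (user id, time, bytes), not real data."""
    d = datetime(2015, 6, 19)
    return [
        ("stb-0001", d.replace(hour=2, minute=3), 30_000_000),              # 02:00 window, agreed node
        ("stb-0001", d.replace(hour=2, minute=4), 30_000_000),
        ("stb-0001", d.replace(hour=2, minute=4, second=30), 30_000_000),
        ("stb-0002", d.replace(hour=11, minute=17), 80_000_000),            # 11:15 window, off schedule
        ("stb-0002", d.replace(hour=11, minute=19), 40_000_000),
        ("stb-0003", d.replace(hour=11, minute=17), 1_000_000),             # small: normal
    ]
```

A fixed byte threshold is the simplest reading of "large-scale"; a deployment would more likely derive it from each user's own history, which is what the per-user behavioural model of embodiment eight provides.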
Embodiment eight, shown in Figure 9, is essentially identical to embodiment four, the difference being that in step 2 the security threat detection of the suspicious traffic data by statistical behavioural features according to the big-data association analysis method, together with the feature analysis of the detected security threats, specifically comprises the following steps: Step (1): take the user history data out of the protected business system and convert it into the corresponding data used by the bidirectional set-top box intrusion detection system; Step (2): generate a user normal-behaviour specification model from the converted data, that is, generate within the bidirectional set-top box intrusion detection system, according to network security technology, a user normal-behaviour specification that serves as the standard for judging whether the user's current behaviour is normal; Step (3): detect the user's current behaviour: extract the current-behaviour data of the user under detection from the protected business system and compare it against the user normal-behaviour specification generated in step (2); if the difference between the current-behaviour data and the normal-behaviour data is greater than the defined threshold, the user's current behaviour is judged abnormal and a security risk, and the bidirectional set-top box intrusion detection system issues an illegal-intrusion security alarm; if the current-behaviour data conforms to the normal-behaviour data standard, the user's current behaviour is judged normal; Step (4): take the user's current-behaviour data out of the protected business system and convert it algorithmically for data analysis by the administrator of the bidirectional set-top box intrusion detection system; Step (5): turn the current user-behaviour data into user history data for use in subsequent user-behaviour detection and analysis.
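The five steps of embodiment eight carried through in Python, as an added example that is not the patent's own method: business-system records are converted to a fixed feature vector (steps 1 and 4), a per-feature mean and standard deviation form the normal-behaviour specification (step 2), the current day's root-mean-square z-score against that specification is compared with a threshold (step 3), and the current vector is rolled into the history (step 5). The feature set, the z-score distance, the threshold value, and the sample records are assumptions constructed for this example; the patent only states that a defined threshold on the difference is used.

```python
"""Added example: user normal-behaviour model and threshold comparison (embodiment eight)."""
import math
from statistics import mean, pstdev

# Assumed per-user, per-day features derived from the business system.
FEATURES = ("vod_requests", "upstream_mb", "distinct_dests", "night_minutes")
DEVIATION_THRESHOLD = 3.0   # assumed "defined threshold" on the RMS z-score


def convert(raw):
    """Steps (1)/(4): map a raw business-system record to the IDS feature vector.
    Fields the IDS does not use (account, plan, ...) are dropped here."""
    return {k: float(raw.get(k, 0)) for k in FEATURES}


def build_profile(history):
    """Step (2): normal-behaviour specification as (mean, stddev) per feature."""
    profile = {}
    for k in FEATURES:
        vals = [h[k] for h in history]
        # Floor a zero stddev so a feature that was always constant still scores.
        profile[k] = (mean(vals), pstdev(vals) or 1.0)
    return profile


def deviation(profile, current):
    """Step (3): root-mean-square of the per-feature z-scores."""
    zs = [(current[k] - mu) / sd for k, (mu, sd) in profile.items()]
    return math.sqrt(sum(z * z for z in zs) / len(zs))


def detect_user(history_raw, current_raw, threshold=DEVIATION_THRESHOLD):
    """Returns (verdict, score, updated_history) for one user."""
    history = [convert(r) for r in history_raw]
    current = convert(current_raw)
    score = deviation(build_profile(history), current)
    verdict = "abnormal" if score > threshold else "normal"
    history.append(current)          # Step (5): current behaviour becomes history
    return verdict, score, history


# Constructed sample records (not real subscriber data). The history is chosen so
# the specification is exactly mean 10/sd 2, 25/5, 5/1, 0/(floored to 1).
SAMPLE_HISTORY = [
    {"account": "stb-0001", "plan": "basic", "vod_requests": 8, "upstream_mb": 20, "distinct_dests": 4},
    {"account": "stb-0001", "plan": "basic", "vod_requests": 12, "upstream_mb": 30, "distinct_dests": 6},
    {"account": "stb-0001", "plan": "basic", "vod_requests": 8, "upstream_mb": 20, "distinct_dests": 4},
    {"account": "stb-0001", "plan": "basic", "vod_requests": 12, "upstream_mb": 30, "distinct_dests": 6},
]
SAMPLE_NORMAL_DAY = {"account": "stb-0001", "vod_requests": 11, "upstream_mb": 28, "distinct_dests": 5}
SAMPLE_ABNORMAL_DAY = {"account": "stb-0001", "vod_requests": 10, "upstream_mb": 400,
                       "distinct_dests": 60, "night_minutes": 240}
```

For the normal day the z-scores are 0.5, 0.6, 0 and 0, giving a score of about 0.39; for the abnormal day the upstream volume, destination fan-out and night-time activity each sit dozens of standard deviations out, so the score is well above the threshold and an alarm is raised. Whether an abnormal day should still be folded into the history (step 5 as written) is a design choice: doing so lets an attacker slowly shift the baseline, so a deployment would usually hold flagged days out until an administrator has reviewed them (step 4).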
The invention is not limited to the specific embodiments described above; those skilled in the art can make various changes accordingly, and any equivalent or similar changes to the invention are all covered within the scope of the claims.

Claims (4)

1. A bidirectional set-top box intrusion detection method, characterised in that it comprises the following steps:
Step 1. The front-end subsystem screens and collects the bidirectional traffic entering and leaving the OLT upstream bidirectional link, rejects traffic data determined to be known non-hazardous, and collects the remaining suspicious traffic data and transmits it to the back-end subsystem.
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat features. If it does, it performs security threat detection on the received suspicious traffic data against the known security threat library and discards the threat; otherwise it performs security threat detection on the suspicious traffic data by statistical behavioural features according to a big-data association analysis method, performs feature analysis on the security threats it detects, and adds the analysis results to the known security threat library. Step 2 further comprises broadcasting and cable network return-traffic detection, which specifically comprises the following: detect the user traffic for large-scale traffic return; if there is none, determine that it is normal behaviour; if there is, detect whether the time of the large-scale traffic return is an agreed time node; if so, determine that it is normal traffic-return behaviour; otherwise, determine that it is intrusion behaviour and take an intrusion response against it.
2. The bidirectional set-top box intrusion detection method according to claim 1, characterised in that step 1 specifically comprises the following steps:
Step 1.1. According to the characteristics of broadcasting and cable network traffic, judge whether the bidirectional traffic entering and leaving the OLT upstream bidirectional link is known legitimate audio-video content; if so, reject it; otherwise, treat it as suspicious traffic data and proceed to the next step.
Step 1.2. Collect the suspicious traffic data.
Step 1.3. Transmit the collected suspicious traffic data to the back-end subsystem for analysis and processing.
Step 1.4. The back-end subsystem analyses the suspicious traffic data and determines whether it is attack traffic data; if so, proceed to the next step; otherwise, reject it.
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem and proceeds to step 1.6.
Step 1.6. According to the response command, the front-end subsystem handles the attack traffic data accordingly.
3. The bidirectional set-top box intrusion detection method according to claim 1, characterised in that step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and pass it to the security detection module.
Step 2.2. The security detection module judges, by comparison against the known security threat feature library, whether a known security threat is present in the suspicious traffic data; if one is present, the system sends an exception handling instruction to the front end; otherwise, proceed to step 2.3.
Step 2.3. Detect the suspicious traffic data according to the big-data association analysis method and judge whether an unknown security threat is present; if one is present, the system sends an exception handling instruction to the front end; otherwise, execute step 2.4.
Step 2.4. Transmit the suspicious traffic data that passed detection to the corresponding optical line terminal.
4. The bidirectional set-top box intrusion detection method according to claim 1, characterised in that in step 2 the security threat detection of the suspicious traffic data by statistical behavioural features according to the big-data association analysis method, together with the feature analysis of the detected security threats, specifically comprises the following steps: Step (1): take the user history data out of the protected business system and convert it into the corresponding data used by the bidirectional set-top box intrusion detection system; Step (2): generate a user normal-behaviour specification model from the converted data, that is, generate within the bidirectional set-top box intrusion detection system, according to network security technology, a user normal-behaviour specification that serves as the standard for judging whether the user's current behaviour is normal; Step (3): detect the user's current behaviour: extract the current-behaviour data of the user under detection from the protected business system and compare it against the user normal-behaviour specification generated in step (2); if the difference between the current-behaviour data and the normal-behaviour data is greater than the defined threshold, the user's current behaviour is judged abnormal and a security risk, and the bidirectional set-top box intrusion detection system issues an illegal-intrusion security alarm; if the current-behaviour data conforms to the normal-behaviour data standard, the user's current behaviour is judged normal; Step (4): take the user's current-behaviour data out of the protected business system and convert it algorithmically for data analysis by the administrator of the bidirectional set-top box intrusion detection system; Step (5): turn the current user-behaviour data into user history data for use in subsequent user-behaviour detection and analysis.
Priority Application (1) / Application Claiming Priority (1)

Application Number   Priority Date  Filing Date  Title                                                                            Status
CN201510342856.1A    2015-06-19     2015-06-19   Bi-directional set-top box intrusion detection system and its detection method   Active (granted as CN104954864B)

Publications (2)

Publication Number  Publication Date
CN104954864A        2015-09-30
CN104954864B        2019-03-01 (grant publication)

Family

ID=54169150



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant