CN104954864B - Bi-directional set-top box intruding detection system and its detection method - Google Patents
- Publication number
- CN104954864B (application CN201510342856.1A)
- Authority
- CN
- China
- Prior art keywords
- data
- detection
- user
- top box
- traffic data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/43—Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
- H04N21/442—Monitoring of processes or resources, e.g. detecting the failure of a recording device, monitoring the downstream bandwidth, the number of times a movie has been viewed, the storage space available from the internal hard disk
- H04N21/44236—Monitoring of piracy processes or activities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/23—Processing of content or additional data; Elementary server operations; Server middleware
- H04N21/24—Monitoring of processes or resources, e.g. monitoring of server load, available bandwidth, upstream requests
- H04N21/2407—Monitoring of transmitted content, e.g. distribution time, number of downloads
Abstract
The present invention relates to a bidirectional set-top-box intrusion detection system and its detection method. The intrusion detection system comprises a front-end subsystem and a back-end subsystem. The front-end subsystem is connected in line with the bidirectional link upstream of the OLT and collects and processes the bidirectional traffic entering and leaving that link; the back-end subsystem performs security detection and data analysis on the packets delivered by the front-end subsystem. The invention is deployed on the bidirectional link upstream of the OLT, where it performs real-time, intelligent identification of the aggregated traffic and detects, blocks and cleans malicious attack traffic in real time; it keeps the access network running normally without interruption, handles any link fault that its in-line insertion might cause, and keeps the link clear. Because the system itself has no externally observable IP address, it resembles a physical-layer transparent transmission device, much like a length of optical fibre, and has a natural "stealth" property that keeps attackers from probing it, ensuring the security of its own network.
Description
Technical field
The present invention relates to the field of broadcast and cable television network security, and in particular to a bidirectional set-top-box intrusion detection system and its detection method.
Background technique
In August 2014 the Wenzhou broadcast and cable television network was attacked by hackers: legitimate programming was interrupted and a large number of sensitive images appeared on terminals. The incident made an extremely bad impression and sounded the alarm for broadcast-network security. As the convergence of the three networks (telecommunications, broadcasting and the internet) advances, parts of the broadcast network that were originally secure may no longer be secure under the new converged conditions. Bidirectional upgrading gives ordinary users autonomous, personalised video viewing services, but it also gives malicious attackers an attack path: the one-way propagation that was the traditional security foundation of the broadcast network no longer exists. Terminal intelligence and networked televisions also bring new security risks to the broadcast network. Smart set-top boxes, televisions, home gateways and similar terminals run on a variety of processor platforms, install operating systems such as Android, and have bidirectional communication channels to external networks, so they too can become targets, or springboards, for network attacks by malicious attackers.
As shown in Figure 1, the broadcast and TV network is divided into an external network and an internal network, and the internal network is further divided into three parts: front end, transmission and terminal. 1) External network: other public networks outside the broadcast network, such as the internet. 2) Front-end network: the broadcast service front end, the bidirectional service front end and the broadcasting and TV office network. The front-end network sits at the front of the operator's network and performs routine office work, programme production for the broadcast and bidirectional services, programme publishing, EPG (electronic programme guide), BOSS/SMS and similar functions; it can be abstracted as the source part of the whole broadcast-network communication system model. 3) Transmission network: located behind the front-end network, it can be abstracted as the channel part of the communication system model. It comprises the one-way broadcast transmission network and the bidirectional transmission network, and by level it can also be divided into a backbone network and an access network; the backbone network is built from backbone routers, while the access network generally uses PON+EOC (PON, passive optical network; EOC, Ethernet over coax) or other access methods. 4) Terminal network: the home network formed by smart set-top boxes or smart home gateways; the terminal part can be abstracted as the terminal part of the broadcast-network communication system model.
The network security boundaries of the broadcast network comprise the zone boundary between the external network and the front-end network, the zone boundary between the front-end network and the transmission network, and the boundary between the transmission network and the terminal network. At present the broadcast network has installed firewalls, IDS, IPS (intrusion prevention systems) and similar conventional security protections at the boundary between the front-end network and the external network and at the boundary between the front-end network and the transmission network, to guard against attackers attacking the broadcasting front-end network from the external network or the office network, and against attackers attacking the front-end network from the bidirectional transmission network or the terminal network. By comparison, proposals for, and implementations of, corresponding network security technology at the boundary between the transmission network and the terminal network have so far been rare. Building network security for the broadcast network requires security hardening across the whole network; neglecting security protection at the boundary between the transmission network and the terminal network is likely to create the "short plank" of the security barrel, that is, the overall security of the network is determined not by its strongest part but by its least secure part.
In the internet domain the access network is a focus of security protection: firewalls, vulnerability scanners, IDS, IPS and other specialised security devices are widely deployed, the PCs connected to the internet access network run anti-virus and similar software, and operating systems are upgraded regularly to patch their security vulnerabilities. The internet therefore has a relatively layered security protection system. Compared with the internet, the broadcast access network lacks a comparably layered security system and has no dedicated security equipment designed specifically for broadcasting and TV; relatively speaking, the broadcast access network end is in a "naked" security state, and an attacker can easily and transparently enter the network and attack set-top boxes directly. Consequently, even if all kinds of security firmware are installed inside the set-top box, the attacker's difficulty is not much increased.
The possible security risks of an access network with a security "short plank" are: (1) An attacker can launch an uplink attack on the front-end network from the terminal network. The hidden security vulnerabilities of smart set-top boxes in the terminal network receive little attention; in fact, because many smart set-top boxes are difficult to upgrade, because people's awareness of set-top-box security is weak, and because of the "silent" nature of the set-top box itself, set-top-box security risks have a long latency period and are easily exploited by malicious attackers for large-scale, long-term control, which may lead to serious consequences. (2) Because the access network has no boundary protection, an attacker can launch a downlink attack on the terminal network from the front-end network, using the silent nature of set-top boxes to control large numbers of them and build up a large-scale security incident, for example causing set-top boxes to download and store illegal applications and play illegal content. (3) Because the access network has no boundary protection, illegal terminals may enter the network easily under a forged identity and carry out various destructive activities; and a terminal with a legal identity, once inside the network, may also access various network resources without authorisation.
Summary of the invention
To address the shortcomings of the prior art, the present invention provides a bidirectional set-top-box intrusion detection system and its detection method, which deals with the security problems the broadcast network now faces, improves the security protection capability of the broadcast network, remedies the lack of security mechanisms in the broadcast access network, provides an effective means of protection for the broadcast access network, and ensures that attack traffic cannot stay hidden.
According to the design provided by the present invention, a bidirectional set-top-box intrusion detection system comprises a front-end subsystem and a back-end subsystem. The front-end subsystem is connected in line with the bidirectional link upstream of the OLT; it collects and processes the bidirectional traffic entering and leaving that link, screens out data that is known to be non-hazardous, and collects the remaining suspicious traffic and sends it to the back-end subsystem. The back-end subsystem performs security detection and data analysis on the packets delivered by the front-end subsystem.
In the above system, the back-end subsystem further comprises a security detection module, which compares security threats against a security threat library and notifies the front-end subsystem in real time.
In the above system, a line-rate in-line optical-switch protection module is further included; it handles faults that the in-line insertion into the bidirectional link upstream of the OLT might cause and keeps the link clear.
A bidirectional set-top-box intrusion detection method comprises the following steps:
Step 1. The front-end subsystem screens and collects the bidirectional traffic entering and leaving the bidirectional link upstream of the OLT, rejects traffic data known to be non-hazardous, collects the remaining suspicious traffic data and transmits it to the back-end subsystem.
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat features. If it does, the back-end subsystem performs security threat detection on the received suspicious traffic data against the known security threat library and removes the threat; otherwise, it performs security threat detection on the suspicious traffic data by means of statistical behaviour features and a big-data association analysis method, performs feature analysis on the security threats detected, and adds the analysis results to the known security threat library.
In the above method, step 1 specifically comprises the following steps:
Step 1.1. Judge, according to the characteristics of broadcast-network traffic, whether the bidirectional traffic entering and leaving the bidirectional link upstream of the OLT is known legitimate audio/video content; if so, reject it, otherwise classify it as suspicious traffic data and proceed to the next step.
Step 1.2. Collect the suspicious traffic data.
Step 1.3. Transmit the collected suspicious traffic data to the back-end subsystem for analysis and processing.
Step 1.4. The back-end subsystem analyses the suspicious traffic data and determines whether it is attack traffic data; if so, proceed to the next step, otherwise reject it.
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem, and the method proceeds to step 1.6.
Step 1.6. According to the response command, the front-end subsystem applies the corresponding handling to the attack traffic data.
In the above method, step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and transmit it to the security detection module.
Step 2.2. The security detection module judges, by comparison against the known security threat feature library, whether a known security threat exists in the suspicious traffic data; if it does, it sends an exception handling instruction to the front-end subsystem, otherwise it proceeds to step 2.3.
Step 2.3. Detect the suspicious traffic data by the big-data association analysis method and judge whether an unknown security threat exists in it; if it does, send an exception handling instruction to the front-end subsystem, otherwise execute step 2.4.
Step 2.4. Transmit the suspicious traffic data that has passed detection to the corresponding optical line terminal.
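The two-stage flow of steps 1 and 2 can be exercised end to end on constructed traffic. The following Python is an added example, not code from the patent or from any product: the front end screens out flows that match a whitelist of known audio/video services, the back end first matches a library of known threat features and then applies a behavioural check, and any threat found by the behavioural check is written back into the library. The whitelist ports, the signature bytes, the per-STB uplink threshold and the "leading bytes" feature analysis are all assumptions standing in for the unspecified details of the patent.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed flow on the link upstream of the OLT (constructed record)."""
    src: str         # sending address (STB on "up", head end on "down")
    dst: str
    proto: str
    dport: int
    direction: str   # "down": head end -> STB, "up": STB -> head end
    payload: bytes


# Step 1.1 whitelist: services known to carry legitimate audio/video.
# Assumed ports; a real deployment would derive them from the operator's channel plan.
KNOWN_AV = {("udp", 1234, "down"), ("udp", 5004, "down")}

# Step 2.2 library: known security threat features (constructed, illustrative patterns).
KNOWN_THREATS = {
    "telnet-option-probe": b"\xff\xfb\x01",
    "shell-command": b"/bin/sh -c",
}

UPLINK_BYTES_THRESHOLD = 1500  # assumed per-STB uplink budget for one inspection batch


class BackEnd:
    """Back-end subsystem: known-feature check first, behavioural analysis second."""

    def __init__(self):
        self.library = dict(KNOWN_THREATS)     # grows as unknown threats are characterised
        self.uplink_bytes = defaultdict(int)   # statistical behaviour feature per STB

    def match_known(self, flow):
        for name, pattern in self.library.items():
            if pattern in flow.payload:
                return name
        return None

    def behavioural(self, flow):
        # Stand-in for step 2.3: one statistical feature (uplink volume per STB).
        # The patent's big-data association analysis is not specified; this is an assumption.
        if flow.direction == "up":
            self.uplink_bytes[flow.src] += len(flow.payload)
            if self.uplink_bytes[flow.src] > UPLINK_BYTES_THRESHOLD:
                return f"uplink-volume-anomaly:{flow.src}"
        return None

    def inspect(self, flow):
        verdict = self.match_known(flow)          # step 2.2
        if verdict is None:
            verdict = self.behavioural(flow)      # step 2.3
            if verdict is not None:
                # Feature analysis of the new threat: remember its leading bytes so the
                # known-feature check catches a repeat directly (closing clause of step 2).
                self.library[verdict] = flow.payload[:8]
        return verdict


class FrontEnd:
    """Front-end subsystem: screen out known A/V, send the rest to the back end."""

    def __init__(self, backend):
        self.backend = backend

    def is_known_av(self, flow):
        return (flow.proto, flow.dport, flow.direction) in KNOWN_AV

    def process(self, flows):
        decisions = {}
        for flow in flows:
            key = (flow.src, flow.dport)
            if self.is_known_av(flow):            # step 1.1: reject from inspection
                decisions[key] = ("forward", None)
                continue
            verdict = self.backend.inspect(flow)  # steps 1.3 / 1.4
            # Steps 1.5 / 1.6: act on the back end's response (block, or forward to the OLT).
            decisions[key] = ("block" if verdict else "forward", verdict)
        return decisions


# Constructed sample traffic for one inspection batch.
SAMPLE_FLOWS = [
    Flow("10.8.0.1", "239.1.1.1", "udp", 1234, "down", b"\x47\x00\x11" * 60),     # multicast TV
    Flow("10.0.0.2", "10.8.0.5", "tcp", 23, "up", b"\xff\xfb\x01\xff\xfd\x03"),   # known probe
    Flow("10.0.0.3", "10.8.0.9", "tcp", 80, "up", b"GET /epg/today HTTP/1.1\r\n"),  # benign
    Flow("10.0.0.4", "10.8.0.9", "tcp", 443, "up", b"A" * 2000),                  # unusual volume
]


def run_demo(flows=SAMPLE_FLOWS):
    """Run one batch through both subsystems; returns (decisions, learned library)."""
    backend = BackEnd()
    decisions = FrontEnd(backend).process(flows)
    return decisions, backend.library
```

The whitelist is deliberately keyed on protocol, port and direction rather than on payload, which mirrors the patent's point that the front end only needs to recognise the operator's own predictable streams; everything it cannot positively identify is handed on, so a mistake in the whitelist costs back-end capacity rather than missed detection.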
In the above method, step 2 further comprises broadcast-network backhaul traffic detection, which specifically comprises the following: detect the user traffic and check whether a large-scale traffic backhaul is present; if not, the behaviour is judged normal; if so, detect whether the time of the large-scale backhaul is the agreed time node; if it is, the behaviour is judged to be a normal traffic backhaul, otherwise it is judged to be intrusion behaviour and an intrusion response is taken against it.
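The backhaul decision above is a small decision tree over two quantities, the volume returned by a set-top box and the clock time at which it was returned. The Python below is an added example written for this page, not the patent's own code; the sample records, the 10 MB "large-scale" threshold, the agreed windows and the response actions are constructed assumptions. It also handles one edge case the patent text does not spell out: an agreed window that crosses midnight.

```python
from datetime import datetime, time

# Constructed per-STB uplink records: (stb_id, ISO timestamp, bytes sent to the head end).
RECORDS = [
    ("stb-001", "2015-06-01T02:05:00", 48_000_000),   # large, inside the agreed window
    ("stb-002", "2015-06-01T14:30:00", 1_200),        # small heartbeat traffic
    ("stb-003", "2015-06-01T11:10:00", 52_000_000),   # large, outside any window
    ("stb-004", "2015-06-01T23:50:00", 30_000_000),   # large, inside a window crossing midnight
]

# Assumed agreement with the operator: statistics are returned 02:00-03:00 and
# 23:30-00:30 local time. The second window crosses midnight on purpose.
AGREED_WINDOWS = [(time(2, 0), time(3, 0)), (time(23, 30), time(0, 30))]

LARGE_BACKHAUL_BYTES = 10_000_000  # assumed threshold for a "large-scale" backhaul


def in_agreed_window(ts, windows=AGREED_WINDOWS):
    """True if the clock time of ts falls in any agreed window (midnight-safe)."""
    t = ts.time()
    for start, end in windows:
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:          # window wraps past midnight
            return True
    return False


def classify_backhaul(timestamp, nbytes):
    """Decision of Fig. 8: normal / normal-backhaul / intrusion."""
    ts = datetime.fromisoformat(timestamp)
    if nbytes < LARGE_BACKHAUL_BYTES:
        return "normal"              # no large-scale backhaul at all
    if in_agreed_window(ts):
        return "normal-backhaul"     # large, but at the agreed time node
    return "intrusion"               # large backhaul outside the agreement


def intrusion_response(stb_id):
    """Response the front end would be instructed to apply (assumed actions)."""
    return [f"block-uplink:{stb_id}", f"alert:unscheduled-backhaul:{stb_id}"]


def run_detection(records=RECORDS):
    """Returns per-STB verdicts and the list of response actions issued."""
    verdicts, actions = {}, []
    for stb_id, timestamp, nbytes in records:
        verdict = classify_backhaul(timestamp, nbytes)
        verdicts[stb_id] = verdict
        if verdict == "intrusion":
            actions.extend(intrusion_response(stb_id))
    return verdicts, actions
```

In practice the volume threshold should be set per set-top-box model from the operator's own statistics-collection figures, and the time comparison must use the same clock (and time zone) the head end used when the schedule was agreed; a system clock drift on the detector is the simplest way to turn every legitimate nightly backhaul into a false "intrusion".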
In the above method, performing security threat detection on the suspicious traffic data in step 2 by means of statistical behaviour features and the big-data association analysis method, and performing feature analysis on the security threats detected, specifically comprises the following steps: Step (1): take the user's historical data out of the protected business system and convert it into the corresponding data used by the bidirectional set-top-box intrusion detection system. Step (2): generate a user normal-behaviour norm model from the converted data; the user normal-behaviour norm is generated in the intrusion detection system according to network security technology and serves as the standard for judging whether the user's current behaviour is normal. Step (3): detect the user's current behaviour: extract the detected user's current behaviour data from the protected business system, perform detection and comparative analysis against the user normal-behaviour norm generated in step (2), and if the difference between the current behaviour data and the normal behaviour data exceeds the defined threshold, judge the user's current behaviour abnormal and a security risk, whereupon the intrusion detection system issues an illegal-intrusion security alarm; if the current behaviour data conforms to the normal behaviour data standard, judge the user's current behaviour normal. Step (4): take the user's current behaviour data out of the protected business system and convert it by algorithm for data analysis by the administrator of the intrusion detection system. Step (5): convert the current user behaviour data into user historical data for use in subsequent user behaviour detection and analysis.
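Steps (1), (2), (3) and (5) together form a baseline-and-deviation detector. The Python below is an added example for this page, not the patent's own algorithm: it converts constructed daily records from a "protected business system" into two behaviour features (channel changes and on-demand requests), builds a per-feature mean and standard deviation as the normal-behaviour norm, flags the current day when any feature lies more than an assumed three standard deviations from the norm, and feeds accepted days back into the history. Step (4), the administrator view, is omitted. The feature set, the threshold and the sigma floor are all assumptions.

```python
import statistics

# Constructed daily records exported from the protected business system for one
# user. The raw form carries event lists, not the features the detector uses.
RAW_HISTORY = [
    {"date": "2015-06-01", "zaps": list(range(40)), "vod_orders": ["v1", "v2"]},
    {"date": "2015-06-02", "zaps": list(range(42)), "vod_orders": ["v3", "v4", "v5"]},
    {"date": "2015-06-03", "zaps": list(range(38)), "vod_orders": ["v6"]},
    {"date": "2015-06-04", "zaps": list(range(40)), "vod_orders": ["v7", "v8"]},
    {"date": "2015-06-05", "zaps": list(range(40)), "vod_orders": ["v9", "v10"]},
]

FEATURES = ("channel_changes", "vod_requests")
DEVIATION_THRESHOLD = 3.0   # assumed: flag when any feature is > 3 sigma from the norm
SIGMA_FLOOR = 1.0           # assumed: keeps a very stable feature from dividing by ~0


def convert(raw_record):
    """Step (1): convert one business-system record into detector features."""
    return {
        "channel_changes": len(raw_record["zaps"]),
        "vod_requests": len(raw_record["vod_orders"]),
    }


def build_profile(history):
    """Step (2): per-feature mean and standard deviation form the normal-behaviour norm."""
    profile = {}
    for f in FEATURES:
        values = [h[f] for h in history]
        profile[f] = (statistics.mean(values), max(statistics.stdev(values), SIGMA_FLOOR))
    return profile


def detect(profile, current):
    """Step (3): compare current behaviour with the norm; returns (abnormal?, z-scores)."""
    scores = {}
    for f in FEATURES:
        mean, sigma = profile[f]
        scores[f] = abs(current[f] - mean) / sigma
    return max(scores.values()) > DEVIATION_THRESHOLD, scores


def update_history(history, current):
    """Step (5): today's behaviour becomes history for later detections."""
    history.append(current)
    return history


def run_demo(raw_current):
    """Returns (abnormal?, z-scores, size of history after the run)."""
    history = [convert(r) for r in RAW_HISTORY]
    profile = build_profile(history)
    current = convert(raw_current)
    abnormal, scores = detect(profile, current)
    if not abnormal:
        # Design choice, not in the patent text: only behaviour judged normal feeds
        # the baseline, so an attacker cannot slowly drag the norm towards abusive use.
        update_history(history, current)
    return abnormal, scores, len(history)
```

The guard in `run_demo` is the one point where this example departs from the patent's literal step (5), which converts every current day into history; unconditional feedback lets a compromised set-top box normalise its own behaviour over a few weeks, which is why the example withholds flagged days from the baseline.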
Beneficial effects of the present invention:
1. The bidirectional set-top-box intrusion detection system of the present invention is deployed on the bidirectional link upstream of the OLT, where it performs real-time, intelligent identification of the aggregated traffic and processes it correctly. In the in-line deployment mode the system can detect security threats and can detect, block and clean malicious attack traffic in real time. The system incorporates line-rate in-line optical-switch protection: when a fault occurs, the link is automatically switched in real time to transparent pass-through mode, bypassing the fault point, so the access network keeps running normally without interruption, and any link fault that the in-line insertion might cause is handled by this protection so that the link stays clear. The system uses a "non-cooperative" deployment and working mode: once deployed on the bidirectional link upstream of the OLT it operates independently, forwarding known safe traffic in real time, blocking security threats with known features in real time, and performing association analysis on suspicious traffic with unknown features to judge its security attributes and handle it accordingly. The whole operating process requires no cooperation from ordinary users, none from manufacturers of set-top boxes and other smart terminals, and none from the operator's front-end business systems. Being deployed on the link upstream of the OLT, the system itself has no externally observable IP address; it resembles a physical-layer transparent transmission device, like a length of optical fibre, and has a natural "stealth" property that keeps attackers from probing it and ensures the security of its own network.
2. In the bidirectional set-top-box intrusion detection method of the present invention, the front-end subsystem's processing of traffic consists mainly of two parts, data collection and data processing. Its function is to process and judge the collected data according to the "elimination" principle, that is, to screen out data such as video and audio that is known to be non-hazardous, and to collect the remaining suspicious traffic and send it to the back-end system; it then executes the corresponding processing flow according to the instructions returned by the back-end subsystem. The back-end subsystem further analyses and processes the packets screened out by the front-end system. On the one hand, by analysing the collected traffic it can give an intuitive view of the cable operator's interactive services, internet services, live broadcast services, user usage and profit situation, including content hot spots, access frequency of each URL type, per-channel user numbers, user traffic and the like. On the other hand, a security detection module is provided in the system: when a security threat arrives, the module compares it against the security threat library of known threat features and, on discovering a threat, notifies the front-end system in real time to block it or take other action. For unknown-feature security threats that can only be determined with hindsight, such as 0-day attacks, the security detection module can detect them by means of statistical behaviour features and the big-data association analysis method, based on the full-dimensional data collected by the front-end system.
3. The bidirectional set-top-box intrusion detection method of the present invention makes full use of the system's differentiated front-end/back-end design: it reduces the traffic to be checked layer by layer, from easy to hard according to complexity, and so completes detection. First, the front-end subsystem filters out most of the known compliant video programme traffic, so the traffic this system must detect is much smaller than the input traffic; the greatly reduced volume of traffic to be checked improves detection accuracy. The composition of the mixed traffic on the broadcast bidirectional network link differs greatly from that of internet traffic: much of it is generated by the cable operator's own services, and it carries the cable operator's unique operational interaction information, which makes broadcast-network traffic security detection different from internet detection. Besides common known security threat features, the known security threat library also holds known security features specific to broadcast-network traffic, such as detection of the regular backhaul of set-top-box information: because broadcast-network operations need to gather programme statistics (audience ratings, on-demand rates and so on), large amounts of data are returned from smart set-top boxes to the server during an agreed period, while at other times there is no large-scale backhaul apart from on-demand traffic; if large backhaul traffic also appears at other times, an attack may be under way and it must be handled. In addition, when dealing with unknown security threats, association analysis is performed on the collected data through behaviour analysis: by widening the detection domain, real-time detection based on a single time point or a single attack is changed into detection based on a historical time window in order to discover attacks. Owing to the characteristics of broadcast-network traffic, analysis and modelling are based on the broadcast network's peculiar behaviour features. The data stream that updates set-top-box applications must follow a corresponding transmission standard: the Loader linkage descriptor carried in the NIT sent over the network contains identification parameters such as the set-top-box manufacturer number, hardware version number, software version number and product ID, and an update stream forged by a hacker often cannot match them exactly, which can serve as one rule for distinguishing attacks. When channels are switched, manual channel changes show certain intervals and regularities in timing that a hacker's switching has difficulty imitating, which can also serve as a rule for distinguishing attacks.
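The two broadcast-specific rules at the end of effect 3, exact matching of the update stream's identification parameters and the timing regularity of manual channel changes, can each be written as a small check. The Python below is an added example for this page, not code from the patent: the registry of expected Loader linkage parameters, the model names, the 0.5 s "faster than a remote press" interval and the run length of five are all constructed assumptions, and the parameters are modelled as already parsed fields because the layout of the private data inside the linkage descriptor is operator-specific and not given on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoaderLinkage:
    """Identification parameters the page says the NIT Loader linkage descriptor carries."""
    manufacturer_id: int
    hardware_version: int
    software_version: int
    product_id: int


# Constructed registry: what the operator expects to see for each legitimate STB model.
EXPECTED_LINKAGE = {
    "model-A": LoaderLinkage(0x0A01, 0x0102, 0x0203, 0x0001),
    "model-B": LoaderLinkage(0x0B07, 0x0101, 0x0300, 0x0002),
}

MIN_HUMAN_ZAP_INTERVAL = 0.5   # assumed seconds between two manual channel changes
MAX_FAST_ZAPS = 5              # assumed: this many consecutive fast changes is not a person


def update_stream_matches(model, observed):
    """Rule 1: a legitimate update stream matches the registered parameters exactly."""
    expected = EXPECTED_LINKAGE.get(model)
    return expected is not None and expected == observed


def suspicious_channel_switching(timestamps):
    """Rule 2: flag a run of channel changes spaced faster than a human can press."""
    fast_run = 0
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur - prev < MIN_HUMAN_ZAP_INTERVAL:
            fast_run += 1
            if fast_run >= MAX_FAST_ZAPS:
                return True
        else:
            fast_run = 0               # a human-paced gap resets the run
    return False


def assess_stb(model, observed_linkage, zap_times):
    """Apply both rules to one set-top box; returns the list of rules that fired."""
    hits = []
    if not update_stream_matches(model, observed_linkage):
        hits.append("update-stream-mismatch")
    if suspicious_channel_switching(zap_times):
        hits.append("non-human-channel-switching")
    return hits


# Constructed observations: a genuine update plus human zapping, and a mismatched
# update plus machine-paced zapping.
GENUINE = ("model-A", LoaderLinkage(0x0A01, 0x0102, 0x0203, 0x0001), [0.0, 2.1, 5.0, 5.8, 9.3])
FORGED = ("model-A", LoaderLinkage(0x0A01, 0x0102, 0x0204, 0x0001), [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6])
```

Both rules are deliberately one-sided: a mismatch or a machine-paced run is a reason to route the set-top box's traffic to the back end for closer analysis, not a verdict on its own, since a legitimate firmware roll-out that bumps the software version before the registry is updated would otherwise trip rule 1 on every box in the fleet.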
Detailed description of the invention:
Fig. 1 is a schematic diagram of the hierarchical relationships of the broadcast and TV network;
Fig. 2 is a comparison diagram of internet and broadcast-network traffic composition;
Fig. 3 is a schematic diagram of the structure of the bidirectional set-top-box intrusion detection system of the invention;
Fig. 4 is a schematic diagram of the deployment of the bidirectional set-top-box intrusion detection system of the invention;
Fig. 5 is a structural block diagram of the security detection module of the invention;
Fig. 6 is a flow diagram of the front-end traffic processing of the invention;
Fig. 7 is the processing flow of the security detection module of the invention;
Fig. 8 is a flow diagram of the broadcast-network backhaul traffic detection of the invention;
Fig. 9 is a schematic diagram of the user behaviour model detection process of the invention.
Specific embodiment:
The present invention is described in further detail below with reference to the accompanying drawings and technical solutions, and embodiments of the present invention are described in detail through preferred examples, but the embodiments of the present invention are not limited to these.
Embodiment one, referring to Figs. 2 to 4. Fig. 2 gives a comparison of the traffic composition of the internet and the broadcast network. Internet traffic is very complex in composition, serves a great variety of uses and is poorly regular, which forces the internet access network end to use a variety of relatively complex detection methods to detect attacks and ensure security. Unlike the internet, broadcast-network traffic is small and relatively simple in composition: it consists mainly of some video streams, customers' on-demand streams and the set-top-box record streams that the operator needs to collect within a certain period, and these foreseeable broadcast-network flows are not as complicated to handle as internet traffic. The broadcast access network therefore need not follow the security mechanisms of the internet access network; it can complete the security detection of the corresponding access end directly with a simpler detection system or method. Figs. 3 and 4 are the overall structure and deployment diagrams of the bidirectional set-top-box intrusion detection system. The system comprises a front-end subsystem and a back-end subsystem; the front-end subsystem is connected in line with the bidirectional link upstream of the OLT, collects and processes the bidirectional traffic entering and leaving that link, screens out data known to be non-hazardous, and collects the remaining suspicious traffic and sends it to the back-end subsystem; the back-end subsystem performs security detection and data analysis on the packets delivered by the front-end subsystem.
Embodiment two, referring to Fig. 5, is basically the same as embodiment one, with the difference that the back-end subsystem further comprises a security detection module, which compares security threats against a security threat library and notifies the front-end subsystem in real time. The back-end system is provided with a security detection module comprising a detection module for known threat features and a detection module for unknown threat features. The known-threat-feature module maintains libraries of known security threat features of various kinds and performs security threat detection on the input traffic according to those known features. The unknown-threat-feature module detects security threats using the big-data association analysis method proposed in recent years, performs threat feature analysis on the threats detected, and adds the analysis results to the known threat feature library. Suspected attack traffic collected by the front-end system first passes through the known-threat-feature detection module, which detects and removes known security threats; the remaining unknown traffic is sent to the unknown-threat-feature detection module for further analysis and detection.
Embodiment three is basically the same as embodiment one, with the difference that the bidirectional set-top-box intrusion detection system further comprises a line-rate in-line optical-switch protection module, which handles faults that the in-line insertion into the bidirectional link upstream of the OLT might cause and keeps the link clear: when a fault occurs, the link is switched in real time to transparent pass-through mode, automatically bypassing the fault point, so that the access network keeps running normally without interruption.
Embodiment four: a bidirectional set-top-box intrusion detection method comprising the following steps:
Step 1. The front-end subsystem screens and collects the bidirectional traffic entering and leaving the bidirectional link upstream of the OLT, rejects traffic data known to be non-hazardous, collects the remaining suspicious traffic data and transmits it to the back-end subsystem.
Step 2. The back-end subsystem judges whether the received suspicious traffic data contains known threat features. If it does, the back-end subsystem performs security threat detection on the received suspicious traffic data against the known security threat library and removes the threat; otherwise, it performs security threat detection on the suspicious traffic data by means of statistical behaviour features and a big-data association analysis method, performs feature analysis on the security threats detected, and adds the analysis results to the known security threat library.
Embodiment five, referring to Fig. 6, is essentially the same as embodiment four, with the difference that step 1 specifically comprises the following steps:
Step 1.1. Judge, according to the characteristics of broadcast-network traffic, whether the bidirectional traffic entering and leaving the bidirectional link upstream of the OLT is known legitimate audio/video content; if so, reject it, otherwise classify it as suspicious traffic data and proceed to the next step.
Step 1.2. Collect the suspicious traffic data.
Step 1.3. Transmit the collected suspicious traffic data to the back-end subsystem for analysis and processing.
Step 1.4. The back-end subsystem analyses the suspicious traffic data and determines whether it is attack traffic data; if so, proceed to the next step, otherwise reject it.
Step 1.5. After the back-end subsystem has analysed and processed the data, it sends a response processing command to the front-end subsystem, and the method proceeds to step 1.6.
Step 1.6. According to the response command, the front-end subsystem applies the corresponding handling to the attack traffic data.
Embodiment six, referring to Fig. 7, is essentially the same as embodiment four, with the difference that step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and transmit it to the security detection module.
Step 2.2. The security detection module judges, by comparison against the known security threat feature library, whether a known security threat exists in the suspicious traffic data; if it does, it sends an exception handling instruction to the front-end subsystem, otherwise it proceeds to step 2.3.
Step 2.3. Detect the suspicious traffic data by the big-data association analysis method and judge whether an unknown security threat exists in it; if it does, send an exception handling instruction to the front-end subsystem, otherwise execute step 2.4.
Step 2.4. Transmit the suspicious traffic data that has passed detection to the corresponding optical line terminal.
Embodiment seven, as shown in Figure 8, is essentially identical to Embodiment four, the difference being that step 2 also comprises Broadcasting Cable Network return-traffic detection, which specifically comprises the following: detect the user traffic for whether large-scale traffic is being returned upstream; if not, determine that it belongs to normal behaviour; if so, detect whether the time of the large-scale return is the agreed time node; if so, determine that it belongs to normal traffic-return behaviour; otherwise, determine that it is intrusion behaviour and take an intrusion response against it.
Embodiment eight, as shown in Figure 9, is essentially identical to Embodiment four, the difference being that, in step 2, the security threat detection carried out on the suspicious traffic data through statistical behavioral characteristics and the big-data association analysis method, and the signature analysis of the detected security threat, specifically comprise the following steps: Step (1): take the user's historical data out of the protected operation system and convert the historical data into the corresponding data used by the bi-directional set-top box intrusion detection system; Step (2): generate a user normal-behaviour specification model from the converted data, that is, according to network security technology, generate in the bi-directional set-top box intrusion detection system a user normal-behaviour specification that serves as the standard for detecting whether the user's current behaviour is normal; Step (3): detect the user's current behaviour by extracting the detected user's current behaviour data from the protected operation system and comparing them against the user normal-behaviour specification generated in step (2); if the difference between the current behaviour data and the normal behaviour data is greater than a defined threshold, determine that the user's current behaviour is abnormal and carries a security risk, and the bi-directional set-top box intrusion detection system issues a safety alarm for illegal intrusion; if the current behaviour data conform to the normal behaviour data standard, determine that the user's current behaviour is normal; Step (4): take the user's current behaviour data out of the protected operation system and convert them by an algorithm so that the administrator of the bi-directional set-top box intrusion detection system can carry out data analysis; Step (5): turn the current user behaviour data into user historical data for use in subsequent user behaviour detection and analysis.
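As an added example (not code from the patent), the following Python sketch runs constructed flow records through the step-2 order of Embodiment six, using the threshold comparison of Embodiment eight as the "unknown threat" test and the time-window check of Embodiment seven for return traffic; every signature, byte count, window and threshold is a constructed placeholder, and the choice to add only clean flows to the user's history is an assumption.

```python
"""Added example, not the patent's own code: a toy backend step-2 pipeline
(known-signature check, behavioural deviation, return-traffic time window).
All signatures, byte counts, windows and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

KNOWN_THREAT_LIBRARY = {"sig-constructed-001"}  # step 2.2 library (constructed)
AGREED_RETURN_WINDOW = (2, 4)    # embodiment seven: agreed return hours (assumed)
LARGE_RETURN_BYTES = 50_000_000  # "large-scale" upstream volume (assumed)
DEVIATION_THRESHOLD = 3.0        # step (3) "defined threshold", in std deviations


@dataclass
class Flow:
    user: str            # set-top box / user identifier
    signature: str       # feature string extracted by the front-end subsystem
    upstream_bytes: int  # return (upstream) traffic volume of this flow
    hour: int            # hour of day at which the flow was observed


def known_threat(flow: Flow) -> bool:
    """Step 2.2: match against the known security threat characteristics library."""
    return flow.signature in KNOWN_THREAT_LIBRARY


def behaviour_anomaly(flow: Flow, history: list) -> bool:
    """Steps (2)-(3): derive the user's normal-behaviour specification from
    historical upstream volumes and flag a current value that deviates by more
    than the defined threshold. With under two samples no baseline exists."""
    if len(history) < 2:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return flow.upstream_bytes != mu
    return abs(flow.upstream_bytes - mu) / sigma > DEVIATION_THRESHOLD


def return_traffic_intrusion(flow: Flow) -> bool:
    """Embodiment seven: large-scale return traffic outside the agreed time node."""
    if flow.upstream_bytes < LARGE_RETURN_BYTES:
        return False
    lo, hi = AGREED_RETURN_WINDOW
    return not (lo <= flow.hour <= hi)


def classify(flow: Flow, history: list) -> str:
    """Steps 2.2-2.4 in order; a normal flow is forwarded to the OLT and its
    volume becomes history for later detection (step (5)). Only clean flows are
    added so that an attack does not shift the baseline (an assumption)."""
    if known_threat(flow):
        return "known-threat"
    if behaviour_anomaly(flow, history):
        return "unknown-threat"
    if return_traffic_intrusion(flow):
        return "intrusion"
    history.append(flow.upstream_bytes)
    return "forward-to-olt"
```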
The invention is not limited to the above specific embodiments; those skilled in the art can make a variety of changes accordingly, but any equivalent or similar variation of the invention falls within the scope of the claims.
Claims (4)
1. A bi-directional set-top box intrusion detection method, characterized in that it comprises the following steps:
Step 1. The front-end subsystem screens and collects the bidirectional traffic of the upstream in/out OLT two-way link, rejects traffic data determined to be known and non-hazardous, collects the remaining suspicious traffic data and transmits them to the backend subsystem;
Step 2. The backend subsystem judges whether the received suspicious traffic data contain known threat characteristics; if so, security threat detection is carried out on the received suspicious traffic data according to the known security threat library and the threat is removed; otherwise, through statistical behavioral characteristics and the big-data association analysis method, security threat detection is carried out on the suspicious traffic data, signature analysis is carried out on the detected security threat, and the analysis result is added to the known security threat library; the method also comprises Broadcasting Cable Network return-traffic detection, which specifically comprises the following: detect the user traffic for whether large-scale traffic is being returned upstream; if not, determine that it belongs to normal behaviour; if so, detect whether the time of the large-scale return is the agreed time node; if so, determine that it belongs to normal traffic-return behaviour; otherwise, determine that it is intrusion behaviour and take an intrusion response against it.
2. The bi-directional set-top box intrusion detection method according to claim 1, characterized in that step 1 specifically comprises the following steps:
Step 1.1. According to the characteristics of Broadcasting Cable Network traffic, judge whether the bidirectional traffic of the upstream in/out OLT two-way link is known legitimate audio-video content; if so, reject it; otherwise, determine it to be suspicious traffic data and proceed to the next step;
Step 1.2. Collect the suspicious traffic data;
Step 1.3. Transmit the collected suspicious traffic data to the backend subsystem for analysis and processing;
Step 1.4. The backend subsystem analyzes the data and determines whether the suspicious traffic data are attack traffic data; if so, proceed to the next step; otherwise, reject;
Step 1.5. After the backend subsystem has analyzed and processed the data, a response processing command is sent to the front-end subsystem, and the method proceeds to step 1.6;
Step 1.6. According to the response command, the front-end subsystem handles the attack traffic data accordingly.
3. The bi-directional set-top box intrusion detection method according to claim 1, characterized in that step 2 specifically comprises the following steps:
Step 2.1. Receive the suspicious traffic data and transmit them to the safety detection module;
Step 2.2. The safety detection module judges whether the suspicious traffic data contain a known security threat by comparing them against the known security threat characteristics library; if so, the terminal system forwards an exception handling instruction; otherwise, proceed to step 2.3;
Step 2.3. Detect the suspicious traffic data according to the big-data association analysis method and judge whether they contain an unknown security threat; if so, the terminal system forwards an exception handling instruction; otherwise, execute step 2.4;
Step 2.4. Transmit the detected suspicious traffic data to the corresponding optical line terminal (OLT).
4. The bi-directional set-top box intrusion detection method according to claim 1, characterized in that, in step 2, the security threat detection carried out on the suspicious traffic data through statistical behavioral characteristics and the big-data association analysis method, and the signature analysis of the detected security threat, specifically comprise the following steps: Step (1): take the user's historical data out of the protected operation system and convert the historical data into the corresponding data used by the bi-directional set-top box intrusion detection system; Step (2): generate a user normal-behaviour specification model from the converted data, that is, according to network security technology, generate in the bi-directional set-top box intrusion detection system a user normal-behaviour specification that serves as the standard for detecting whether the user's current behaviour is normal; Step (3): detect the user's current behaviour by extracting the detected user's current behaviour data from the protected operation system and comparing them against the user normal-behaviour specification generated in step (2); if the difference between the current behaviour data and the normal behaviour data is greater than a defined threshold, determine that the user's current behaviour is abnormal and carries a security risk, and the bi-directional set-top box intrusion detection system issues a safety alarm for illegal intrusion; if the current behaviour data conform to the normal behaviour data standard, determine that the user's current behaviour is normal; Step (4): take the user's current behaviour data out of the protected operation system and convert them by an algorithm so that the administrator of the bi-directional set-top box intrusion detection system can carry out data analysis; Step (5): turn the current user behaviour data into user historical data for use in subsequent user behaviour detection and analysis.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510342856.1A CN104954864B (en) | 2015-06-19 | 2015-06-19 | Bi-directional set-top box intruding detection system and its detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104954864A CN104954864A (en) | 2015-09-30 |
CN104954864B true CN104954864B (en) | 2019-03-01 |
Family
ID=54169150
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510342856.1A Active CN104954864B (en) | 2015-06-19 | 2015-06-19 | Bi-directional set-top box intruding detection system and its detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104954864B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN104954864A (en) | 2015-09-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||