CN108092948A - A kind of recognition methods of network attack mode and device - Google Patents


Info

Publication number
CN108092948A
Authority
CN
China
Prior art keywords
attack
characteristic value
network
value collection
collection
Prior art date
Legal status
Granted
Application number
CN201611062203.9A
Other languages
Chinese (zh)
Other versions
CN108092948B (en)
Inventor
姚子健
熊胜
吴勤华
杨晶蕾
田纪军
朱尧
程琨
吴人超
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Hubei Co Ltd
Priority to CN201611062203.9A
Publication of CN108092948A
Application granted
Publication of CN108092948B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a method and device for recognizing a network attack pattern, relating to the field of communication technology, which can solve the problem of network attacks going unreported (missed detections). The recognition method includes: obtaining the log information of a business system under test and the network traffic that a preset low-interaction honeypot in the business system under test forwards to a high-interaction honeypot; obtaining attack behaviour features from the network traffic and the log information of the business system under test; judging whether the attack behaviour features meet a preset normal-behaviour condition, and obtaining an attack behaviour feature value set according to the judgement result; calculating the similarity between the attack behaviour feature value set and the feature value sets of a plurality of preset known attack patterns; and obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.

Description

A kind of recognition methods of network attack mode and device
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for recognizing a network attack pattern.
Background technology
As network applications play an increasingly important role in people's study, work and life, hackers launch network attacks on networks in order to steal user information or damage the network, for example 0-day attacks that exploit vulnerabilities in the network for which no patch exists, or APT (Advanced Persistent Threat) attacks that use advanced attack means to carry out long-duration network attacks on a specific target.
To detect and identify the attack patterns of the various network attacks launched by hackers, data is generally captured at the network boundary by a traditional boundary security gateway device, and the captured data is matched against the data of the attack models in a public-cloud database; the attack pattern in the public-cloud database whose data can be matched with the captured data is taken as the attack pattern of the network attack corresponding to the captured data, thereby identifying the attack pattern of the network attack. However, for captured data that cannot be matched against the attack models in the public-cloud database, the attack pattern of the corresponding network attack cannot be identified, so the network attack goes unreported (a missed detection), which reduces the security of the network.
The content of the invention
Embodiments of the present invention provide a method and device for recognizing a network attack pattern, which can avoid missed detections of network attacks and improve the security of the network.
In a first aspect, an embodiment of the present invention provides a method for recognizing a network attack pattern, including: obtaining the log information of a business system under test and the network traffic that a preset low-interaction honeypot in the business system under test forwards to a high-interaction honeypot; obtaining attack behaviour features from the network traffic and the log information of the business system under test; judging whether the attack behaviour features meet a preset normal-behaviour condition, and obtaining an attack behaviour feature value set according to the judgement result, the attack behaviour feature value set including the value of at least one attack behaviour feature; calculating the similarity between the attack behaviour feature value set and the feature value sets of a plurality of known attack patterns; and obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.
With reference to the first aspect, in a first possible implementation of the first aspect, the log information of the business system under test includes the log information of the high-interaction honeypot.
With reference to the first aspect, in a second possible implementation of the first aspect, the log information of the business system under test includes the log information of the high-interaction honeypot and the alarm logs of the network perimeter security protection devices in the network of the business system under test.
With reference to the first aspect, in a third possible implementation of the first aspect, the above recognition method further includes: generating a corresponding security protection policy according to the attack pattern of the attack behaviour feature value set.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, after the step of generating the corresponding security protection policy according to the attack pattern of the attack behaviour feature value set, the method further includes: issuing the generated security protection policy to the network perimeter security protection devices, and/or sharing the generated security protection policy within the network where the business system under test is located.
With reference to the first aspect, in a fifth possible implementation of the first aspect, the above recognition method further includes: constructing a virtual host using the low-interaction honeypot, the Internet Protocol (IP) address of the virtual host being consistent with the IP address of a real host in the business system under test; rewriting the vulnerability simulation code in the virtual host to repair the vulnerability in the virtual host; and importing the network traffic received by the business system under test into the virtual host whose vulnerability has been repaired.
With reference to the first aspect, in a sixth possible implementation of the first aspect, the step of judging whether the attack behaviour features meet the preset normal-behaviour condition and obtaining the attack behaviour feature value set according to the judgement result includes: judging whether the attack behaviour features meet the preset normal-behaviour condition; assigning a first value to the attack behaviour features that meet the preset normal-behaviour condition; assigning a second value to the attack behaviour features that do not meet the preset normal-behaviour condition; and combining the values of the attack behaviour features assigned the first value and/or the values of the attack behaviour features assigned the second value into the attack behaviour feature value set.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, for any one of the attack behaviour features, before the step of judging whether the attack behaviour feature meets the preset normal-behaviour condition, the method further includes: collecting the attack behaviour feature multiple times to obtain multiple collected values of the attack behaviour feature; calculating the average value and the standard error of the multiple collected values; calculating the product of the standard error and a preset correction parameter as the corrected standard error; and calculating the range that floats by the corrected standard error around the average value, as the normal-behaviour condition.
With reference to the first aspect, in an eighth possible implementation of the first aspect, the step of calculating the similarity between the attack behaviour feature value set and the feature value sets of the plurality of known attack patterns includes: calculating the Euclidean distance between the attack behaviour feature value set and each set among the feature value sets of the known attack patterns; and the step of obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set, includes: obtaining the attack pattern corresponding to the known-attack-pattern feature value set with the minimum Euclidean distance to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.
With reference to the first aspect, in a ninth possible implementation of the first aspect, the IP address of the low-interaction honeypot is identical to the IP address of the high-interaction honeypot.
In a second aspect, an embodiment of the present invention provides a device for recognizing a network attack pattern, including: a log acquisition module configured to obtain the log information of a business system under test and the network traffic that a preset low-interaction honeypot in the business system under test forwards to a high-interaction honeypot; a feature acquisition module configured to obtain attack behaviour features from the network traffic and the log information of the business system under test; a set acquisition module configured to judge whether the attack behaviour features meet a preset normal-behaviour condition and to obtain an attack behaviour feature value set according to the judgement result, the attack behaviour feature value set including the value of at least one attack behaviour feature; a computing module configured to calculate the similarity between the attack behaviour feature value set and the feature value sets of a plurality of known attack patterns; and an analysis module configured to obtain the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.
With reference to the second aspect, in a first possible implementation of the second aspect, the log information of the business system under test includes the log information of the high-interaction honeypot.
With reference to the second aspect, in a second possible implementation of the second aspect, the log information of the business system under test includes the log information of the high-interaction honeypot and the alarm logs of the network perimeter security protection devices in the network of the business system under test.
With reference to the second aspect, in a third possible implementation of the second aspect, the above recognition device further includes: a policy generation module configured to generate a corresponding security protection policy according to the attack pattern of the attack behaviour feature value set.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the above recognition device further includes: a policy distribution module configured to issue the generated security protection policy to the network perimeter security protection devices, and/or a policy sharing module configured to share the generated security protection policy within the network where the business system under test is located.
With reference to the second aspect, in a fifth possible implementation of the second aspect, the above recognition device further includes: a virtual host construction module configured to construct a virtual host using the low-interaction honeypot, the IP address of the virtual host being consistent with the IP address of a real host in the business system under test; a vulnerability repair module configured to rewrite the vulnerability simulation code in the virtual host to repair the vulnerability in the virtual host; and a traffic import module configured to import the network traffic received by the business system under test into the virtual host whose vulnerability has been repaired.
With reference to the second aspect, in a sixth possible implementation of the second aspect, the set acquisition module is configured to: judge whether the attack behaviour features meet the preset normal-behaviour condition; assign a first value to the attack behaviour features that meet the preset normal-behaviour condition; assign a second value to the attack behaviour features that do not meet the preset normal-behaviour condition; and combine the values of the attack behaviour features assigned the first value and/or the values of the attack behaviour features assigned the second value into the attack behaviour feature value set.
With reference to the sixth possible implementation of the second aspect, in a seventh possible implementation of the second aspect, the above recognition device further includes a condition setting module configured to: collect the attack behaviour feature multiple times to obtain multiple collected values of the attack behaviour feature; calculate the average value and the standard error of the multiple collected values; calculate the product of the standard error and a preset correction parameter as the corrected standard error; and calculate the range that floats by the corrected standard error around the average value, as the normal-behaviour condition.
With reference to the second aspect, in an eighth possible implementation of the second aspect, the computing module is specifically configured to calculate the Euclidean distance between the attack behaviour feature value set and each set among the feature value sets of the known attack patterns; and the analysis module is specifically configured to obtain the attack pattern corresponding to the known-attack-pattern feature value set with the minimum Euclidean distance to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.
With reference to the second aspect, in a ninth possible implementation of the second aspect, the IP address of the low-interaction honeypot is identical to the IP address of the high-interaction honeypot.
The method and device for recognizing a network attack pattern provided by the embodiments of the present invention can extract attack behaviour features from the log information and network traffic of the business system under test, judge whether the attack behaviour features meet the preset normal-behaviour condition, obtain the attack behaviour feature value set according to the judgement result, and determine the attack pattern of the attack behaviour feature values by calculating the similarity between the attack behaviour feature value set and the feature value sets of a plurality of known attack patterns. The attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behaviour feature value set is taken as the attack pattern of the attack behaviour feature value set. Thus, for a network attack received by the business system under test, the attack pattern closest to it can be found according to the attack behaviour features of the network attack, so the prior-art situation of having no matching attack pattern in the public-cloud database does not arise; unknown attack patterns can be identified, missed detections of network attacks are avoided, and the security of the network is improved.
Description of the drawings
The present invention may be better understood from the following description of its specific embodiments in conjunction with the accompanying drawings, in which the same or similar reference numerals represent the same or similar features.
Fig. 1 is the flow chart of the recognition methods of the network attack mode in one embodiment of the invention;
Fig. 2 is the flow chart of the recognition methods of the network attack mode in another embodiment of the present invention;
Fig. 3 is the flow chart of the recognition methods of the network attack mode in further embodiment of this invention;
Fig. 4 is the structure diagram of the identification device for the network attack mode that one embodiment of the invention provides;
Fig. 5 is the structure diagram of the identification device of network attack mode in another embodiment of the present invention;
Fig. 6 is the structure diagram of the identification device of network attack mode in further embodiment of this invention;
Fig. 7 is the structure diagram of the identification device of network attack mode in yet another embodiment of the invention.
Specific embodiment
Features and exemplary embodiments of various aspects of the present invention are described in detail below. In the following detailed description many specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to those skilled in the art that the present invention can be implemented without some of these details. The following description of the embodiments is provided only to give a better understanding of the present invention by showing examples of it. The present invention is by no means limited to any specific configuration or algorithm set forth below, but covers any modification, replacement and improvement of elements, components and algorithms that does not depart from the spirit of the present invention. In the drawings and the following description, well-known structures and techniques are not shown, so as to avoid unnecessarily obscuring the present invention.
Fig. 1 is a flowchart of the method for recognizing a network attack pattern in one embodiment of the present invention. As shown in Fig. 1, the recognition method of this embodiment includes steps 101 to 105.
In step 101, the log information of the business system under test and the network traffic that the preset low-interaction honeypot in the business system under test forwards to the high-interaction honeypot are obtained.
The network attack mentioned in the embodiments of the present invention can be a confirmed network attack or a suspected network attack, that is, anything that might damage the network. There is at least one business system in the network, and a low-interaction honeypot, such as a honeyd honeypot, is simulated in each business system. Since a low-interaction honeypot occupies very few host resources, multiple low-interaction honeypots can be simulated in one business system; specifically, low-interaction honeypots of multiple different operating systems can be simulated, for example different low-interaction honeypots supporting operating systems such as windows, linux and solaris respectively. A low-interaction honeypot can use a real IP (Internet Protocol) address that is idle within the network segment occupied by the business system. To improve the realism of the virtual host simulated by the low-interaction honeypot, various services with security vulnerabilities can be simulated for it, so as to attract the hacker's network attacks. A low-interaction honeypot can only simulate simple fingerprint information of network connections and the banner information (header information) of various services, whereas a high-interaction honeypot can capture more, and more detailed, network intrusion information and attack behaviour features can be extracted from that intrusion information. The low-interaction honeypot therefore forwards the network traffic it receives to the high-interaction honeypot, so that the hacker's various attack behaviours can be collected and analysed. A high-interaction honeypot may also be called a physical honeypot. Specifically, policy routing combined with GRE (Generic Routing Encapsulation) tunnelling can be used to give the low-interaction honeypot the same IP address as the high-interaction honeypot, so that network traffic sent to the low-interaction honeypot is forwarded to the high-interaction honeypot.
The network traffic received by the low-interaction honeypot may include the operation information of unauthorised users. The business system under test can perform baseline modelling for the high-interaction honeypot; from the user baseline, port baseline, process baseline, service baseline, critical files, network traffic baseline and so on, specific information in the system log information of the business under test can be obtained. Specifically, the log information of the business system under test can include the log information of the high-interaction honeypot and can also include the alarm logs of the network perimeter security protection devices in the network of the business system under test.
In step 102, attack behaviour features are obtained from the network traffic and the log information of the business system under test.
According to the network traffic and the log information of the business system under test, it can be judged whether the business system exhibits abnormal behaviours such as adding or deleting accounts, abnormal start-up behaviour of ports, processes or services, modification of critical files, and abnormal outbound connections. The log information of the business system under test includes the timestamps of the logs; specifically, the network traffic and the alarm logs of the network perimeter security protection devices can be collected with the sebek data capture tool. Network perimeter security protection devices can include firewalls, IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), WAF (Web Application Firewall) and traffic-cleaning devices, among others.
Attack behaviour features can be obtained from the received network traffic (which can be detected by the intrusion detection system snort and recorded by the sebek data capture tool) and from the log information of the business system under test. Specifically, one or more of a variety of attack behaviour features can be obtained, such as excessive outbound traffic (EOT), excessive inbound traffic (EIT), login during non-working time (LI), firewall accept (FWA), firewall deny (FWD), intranet login (LOIN), multiple consecutive login failures (MFL), at least one successful login (SL), a single source probing multiple target IPs (SSPMD), a single source probing multiple target IPs and ports (SSPMDP), newly created account (MU), file operation (MF), process operation (MP) and port operation (PP).
In step 103, it is judged whether the attack behaviour features meet the preset normal-behaviour condition, and the attack behaviour feature value set is obtained according to the judgement result.
A given attack behaviour feature can take different values. For example, if the attack behaviour feature is excessive outbound traffic: when the outbound traffic does not meet the preset normal-behaviour condition, excessive outbound traffic is present and the value of the feature can be recorded as yes or 1; when the outbound traffic meets the preset normal-behaviour condition, there is no excessive outbound traffic and the value can be recorded as no or 0. At least one attack behaviour feature can be obtained from the above network traffic and log information of the business system under test, and from the obtained attack behaviour features an attack behaviour feature value set composed of their values is obtained; the set includes the value of at least one attack behaviour feature. For example, let the attack behaviour features be excessive outbound traffic, excessive inbound traffic, login during non-working time, firewall accept, firewall deny, intranet login, multiple consecutive login failures, at least one successful login, single source probing multiple target IPs, single source probing multiple target IPs and ports, newly created account, file operation, process operation and port operation, and suppose that excessive inbound traffic, intranet login, multiple consecutive login failures and at least one successful login are present; the corresponding attack behaviour feature value set is then { no, yes, no, no, no, yes, yes, yes, no, no, no, no, no, no } or { 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0 }.
In step 104, the similarity between the attack behaviour feature value set and the feature value sets of the plurality of known attack patterns is calculated.
A plurality of known-attack-pattern feature value sets can be preset in the network where the business system under test is located, each corresponding to one attack pattern. By calculating the similarity between the obtained attack behaviour feature value set and each known-attack-pattern feature value set, the known-attack-pattern feature value set most similar to the attack behaviour feature value set is found, and the attack pattern corresponding to that most similar set is taken as the attack pattern of the attack behaviour feature value set.
The similarity can be calculated using the Euclidean distance; that is, the similarity between the attack behaviour feature value set and each set among the known-attack-pattern feature value sets is calculated as the Euclidean distance between them, and a smaller Euclidean distance represents a higher similarity. Specifically, the Euclidean distance can be calculated using formula (1) below.
Here s_e is the Euclidean distance, i is a positive integer, n is the number of attack behaviour feature values in the attack behaviour feature value set, p_i is the i-th element of the unknown attack behaviour feature value set collected for a certain IP address over a period of time, and q_i is the i-th element of the feature value set of a known attack pattern. It should be noted that other methods of calculating similarity also apply to the embodiments of the present invention and fall within their protection scope.
In step 105, the attack pattern corresponding to the known-attack-pattern feature value set with the highest similarity to the attack behaviour feature value set is obtained, as the attack pattern of the attack behaviour feature value set.
If the similarity is represented by the Euclidean distance, the attack pattern corresponding to the known-attack-pattern feature value set with the minimum Euclidean distance to the attack behaviour feature value set is obtained, as the attack pattern of the attack behaviour feature value set.
For example, the feature value sets of the known attack patterns are as shown in Table 1, and the attack behaviour feature value sets of unknown network attacks are as shown in Table 2, where "yes" in the attack behaviour feature value sets and the known-attack-pattern feature value sets is represented by Y and "no" by N. By similarity calculation it can be learned that attack behaviour feature value set 1 in Table 2 corresponds to the attack pattern "possible brute-force login" in Table 1, set 2 in Table 2 corresponds to "port scan" in Table 1, set 3 in Table 2 corresponds to "malware installation" in Table 1, and set 4 in Table 2 corresponds to "possible penetration attack" in Table 1, thereby identifying the attack patterns of the unknown network attacks.
Table 1
Table 2
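The matching in steps 104 and 105, as an added example rather than code from the patent: the 14 feature names and the unknown set {0,1,0,0,0,1,1,1,0,0,0,0,0,0} come from the text, while the four known pattern vectors are constructed here because Table 1 is not reproduced on the page.

```python
"""Match an attack behaviour feature value set to the closest known attack pattern.

Added example, not code from the patent. The 14 feature names and the unknown
set {0,1,0,0,0,1,1,1,0,0,0,0,0,0} come from the text; the four known pattern
vectors are constructed here, since Table 1 is not reproduced on the page.
"""
from __future__ import annotations

import math

# Feature order from the worked example in the text (first value 0 = meets the
# preset normal behaviour condition, second value 1 = does not meet it).
FEATURES = [
    "excessive outbound traffic", "excessive inbound traffic",
    "login outside working hours", "firewall accept", "firewall deny",
    "intranet login", "several consecutive login failures",
    "at least one successful login", "single source probing multiple target IPs",
    "single source probing multiple target IPs and ports", "new account created",
    "file operation", "process operation", "port operation",
]
FIRST_VALUE, SECOND_VALUE = 0, 1

# Constructed feature value sets for the known attack patterns named in Table 1.
KNOWN_PATTERNS = {
    "possible brute-force login":  [0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0],
    "port scan":                   [0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0],
    "malware installation":        [1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1],
    "possible penetration attack": [1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1, 0],
}


def feature_value_set(meets_normal_condition: dict[str, bool]) -> list[int]:
    """Steps 1031-1034: one value per feature, in FEATURES order."""
    missing = set(FEATURES) - set(meets_normal_condition)
    if missing:
        raise ValueError(f"no judgment for features: {sorted(missing)}")
    return [FIRST_VALUE if meets_normal_condition[f] else SECOND_VALUE
            for f in FEATURES]


def euclidean_distance(p: list[int], q: list[int]) -> float:
    """Formula (1): sqrt(sum_i (p_i - q_i)^2) over sets of equal length n."""
    if len(p) != len(q):
        raise ValueError("feature value sets must have the same length")
    return math.sqrt(sum((pi - qi) ** 2 for pi, qi in zip(p, q)))


def identify_attack_mode(values: list[int],
                         patterns: dict[str, list[int]] = KNOWN_PATTERNS
                         ) -> tuple[str, float]:
    """Steps 104-105: the known pattern at minimum Euclidean distance wins.

    Returns (attack pattern name, distance). A tie goes to the pattern listed
    first, so the pattern order should reflect analyst priority.
    """
    best_name, best_dist = "", math.inf
    for name, pattern in patterns.items():
        d = euclidean_distance(values, pattern)
        if d < best_dist:
            best_name, best_dist = name, d
    return best_name, best_dist


# Constructed judgment results reproducing the text's example: only inbound
# traffic, intranet login, consecutive failures and a successful login fall
# outside their normal behaviour conditions.
EXAMPLE_JUDGMENT = {f: f not in {
    "excessive inbound traffic", "intranet login",
    "several consecutive login failures", "at least one successful login",
} for f in FEATURES}

if __name__ == "__main__":
    unknown = feature_value_set(EXAMPLE_JUDGMENT)
    print(unknown)                        # [0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0]
    print(identify_attack_mode(unknown))  # ('possible brute-force login', 1.414...)
```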
The method for identifying a network attack pattern provided by the embodiment of the present invention can extract attack behaviour features from the log information and network traffic of the business system under test, judge whether the attack behaviour features meet the preset normal behaviour condition, obtain an attack behaviour feature value set according to the judgment result, and determine the attack pattern of the attack behaviour feature value set by calculating its similarity to the feature value sets of multiple known attack patterns. The attack pattern corresponding to the feature value set of the known attack pattern with the highest similarity to the attack behaviour feature value set is taken as the attack pattern of the attack behaviour feature value set. For a network attack received by the business system under test, the closest attack pattern can thus be found from the attack behaviour features of the attack, so the prior-art situation in which no matching attack pattern exists in the public cloud database does not arise; unknown attack patterns can be identified, missed reports of network attacks are avoided, and the security of the network is improved.
Fig. 2 is a flowchart of the method for identifying a network attack pattern in another embodiment of the present invention. Steps 101 to 105 in Fig. 2 are essentially the same as steps 101 to 105 in Fig. 1. The difference is that the method shown in Fig. 2 may further include steps 106 to 108.
In step 106, a corresponding security protection policy is generated according to the attack pattern of the attack behaviour feature value set.
Different security protection policies can be generated for different attack patterns. For example, a firewall policy can be generated. Security protection policies issued to a firewall are usually temporary, such as blocking of remote vulnerability scanning attacks, blocking of password guessing attacks, and blocking of unauthorized remote management access. Since the source IP address does not vary widely, closing access from a given source IP address to the destination IP address for a short time does not have much impact on the business system under test. The specific form of a security protection policy issued to a firewall can be Sip+Sport+Dip+Dport+(permit, deny), where Sip is the source IP address, Sport is the source port, Dip is the destination IP address, Dport is the destination port, permit means that communication is allowed, and deny means that communication is not allowed.
As another example, an IDS policy can be generated. Security protection policies issued to IDS devices are usually prevention policies for remote overflow attacks. After an attack is identified in the network traffic, it can automatically be associated with the CVE (Common Vulnerabilities and Exposures) vulnerability database. Therefore, when a security protection policy is issued to an existing IDS device in the network, the CVE number of the attacked vulnerability needs to be issued to the IDS device together with the policy, and the IDS device invokes the corresponding security protection policy for protection. The specific form of a security protection policy issued to an IDS device can be Sip+Sport+Dip+Dport+(vulnerability number), where Sip is the source IP address, Sport is the source port, Dip is the destination IP address, and Dport is the destination port.
As a further example, a traffic scrubbing device policy can be generated. Security protection policies issued to a traffic scrubbing device are generally for DDoS (Distributed Denial of Service) traffic attacks. After a network attack is identified in the network traffic, the type of the network attack is automatically distinguished, including syn-flood (denial of service attack), udp-flood (flood-type denial of service attack), ack-flood (acknowledgement flood attack) and so on. Therefore, when a security protection policy is issued to an existing traffic scrubbing device in the network, the attack type needs to be issued to the traffic scrubbing device together with the policy, and the traffic scrubbing device invokes the corresponding security protection policy for protection. The specific form of a security protection policy issued to a traffic scrubbing device can be Sip+Sport+Dip+Dport+(attack type), where Sip is the source IP address, Sport is the source port, Dip is the destination IP address, and Dport is the destination port.
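The three policy record forms of step 106, as an added example that is not code from the patent: the record layouts (Sip+Sport+Dip+Dport followed by permit/deny, a CVE number, or an attack type) and the attack modes per device come from the text, while the mode-to-device tables, the Policy class, the validation and the CVE-0000-0000 placeholder are constructed here.

```python
"""Build and parse the '+'-delimited security protection policy records that
step 106 issues to firewalls, IDS devices and traffic scrubbing devices.

Added example, not code from the patent. The record layouts
(Sip+Sport+Dip+Dport+action, +CVE number, +attack type) and the attack modes
per device come from the text; the mode-to-device tables, the Policy class
and the CVE-0000-0000 placeholder are constructed here.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed tables: which attack modes are handled by which device class.
FIREWALL_MODES = {"remote vulnerability scanning", "password guessing",
                  "unauthorized remote management access"}
IDS_MODES = {"remote overflow attack"}
SCRUBBER_MODES = {"syn-flood", "udp-flood", "ack-flood"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Policy:
    device: str   # "firewall", "ids" or "scrubber"
    sip: str
    sport: int
    dip: str
    dport: int
    tail: str     # permit/deny, CVE number, or DDoS attack type

    def record(self) -> str:
        """Wire form Sip+Sport+Dip+Dport+<tail> as described in the text."""
        return f"{self.sip}+{self.sport}+{self.dip}+{self.dport}+{self.tail}"


def _check_endpoint(ip: str, port: int) -> None:
    ipaddress.ip_address(ip)   # raises ValueError for a malformed address
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")


def generate_policy(attack_mode: str, sip: str, sport: int, dip: str, dport: int,
                    cve_id: str | None = None) -> Policy:
    """Step 106: choose the device class from the attack mode and fill its record."""
    _check_endpoint(sip, sport)
    _check_endpoint(dip, dport)
    if attack_mode in FIREWALL_MODES:
        # Temporary block of this source towards the destination.
        return Policy("firewall", sip, sport, dip, dport, "deny")
    if attack_mode in IDS_MODES:
        # The IDS needs the CVE number of the attacked vulnerability.
        if cve_id is None or not CVE_RE.match(cve_id):
            raise ValueError("IDS policy requires the CVE number of the vulnerability")
        return Policy("ids", sip, sport, dip, dport, cve_id)
    if attack_mode in SCRUBBER_MODES:
        return Policy("scrubber", sip, sport, dip, dport, attack_mode)
    raise ValueError(f"no device policy defined for attack mode {attack_mode!r}")


def parse_record(device: str, record: str) -> Policy:
    """Inverse of Policy.record(), validating every field before it reaches a device."""
    parts = record.split("+")
    if len(parts) != 5:
        raise ValueError("record must have exactly five '+'-separated fields")
    sip, sport, dip, dport, tail = parts
    policy = Policy(device, sip, int(sport), dip, int(dport), tail)
    _check_endpoint(policy.sip, policy.sport)
    _check_endpoint(policy.dip, policy.dport)
    if device == "firewall" and tail not in ("permit", "deny"):
        raise ValueError("firewall action must be permit or deny")
    if device == "ids" and not CVE_RE.match(tail):
        raise ValueError("IDS record must end with a CVE number")
    if device == "scrubber" and tail not in SCRUBBER_MODES:
        raise ValueError("scrubber record must end with a known attack type")
    return policy


if __name__ == "__main__":
    # Constructed documentation-range addresses, not real hosts.
    p = generate_policy("password guessing", "192.0.2.10", 51234, "198.51.100.5", 22)
    print(p.record())   # 192.0.2.10+51234+198.51.100.5+22+deny
```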
There are also security protection devices for specific purposes in the network, such as the attack protection system deployed in front of the DNS (Domain Name System) and the WAF device deployed in front of a portal website, which can provide detailed attack features and receive security protection policy adjustment instructions from maintenance personnel.
In step 107, the generated security protection policy is issued to the network boundary security protection device.
The security protection policy is issued to the network boundary security protection device to achieve defence in depth against the unknown network attack. Specifically, the generated security protection policy can be issued in the form of a work order to the terminal device of maintenance personnel. It should be noted that the terminal device of maintenance personnel can also receive policy adjustment instructions entered by the maintenance personnel, so that the security protection policy can be adjusted.
In step 108, the generated security protection policy is shared within the network where the business system under test is located.
After the corresponding security protection policy is generated, it can be shared within the network where the business system under test is located, so that other business systems in the network can also obtain the generated security protection policy, thereby achieving multi-path blocking of the network attack and improving the network attack early-warning and protection capability of the entire network. It should be noted that after step 106, only step 107 may be performed, only step 108 may be performed, or both step 107 and step 108 may be performed. If both step 107 and step 108 are performed after step 106, the order in which they are performed is not limited here.
Fig. 3 is a flowchart of the method for identifying a network attack pattern in a further embodiment of the present invention. Steps 101 to 105 in Fig. 3 are essentially the same as steps 101 to 105 in Fig. 1. The difference is that the method shown in Fig. 3 may further include steps 109 to 111.
In step 109, a virtual host is built using a low-interaction honeypot.
The IP address of the virtual host is the same as the IP address of the real host in the business system under test. The vulnerabilities of the real host can be simulated on the virtual host, so that the virtual host has the same vulnerabilities as the real host. The TCP/IP (Transmission Control Protocol/Internet Protocol) fingerprint simulation and operating system fingerprint simulation functions of the low-interaction honeypot are used to ensure the realism of the virtual host.
In step 110, the vulnerability simulation code on the virtual host is rewritten to repair the vulnerabilities on the virtual host.
The vulnerability simulation code on the virtual host is rewritten to ensure that the vulnerabilities of the emulated virtual host and of the applications on it have been repaired.
In step 111, the network traffic received by the business system under test is directed to the virtual host on which the vulnerabilities have been repaired.
Specifically, using a policy routing function, network traffic destined for the real host can be directed through the virtual host. The network traffic may contain network attack behaviour, so a "virtual patch" function for the real host is achieved, which effectively shields all kinds of vulnerabilities and improves the security of the business system. The "virtual patch" function also makes it possible to check whether the repair of a vulnerability is appropriate without endangering the network security of the real host.
It should be noted that in the embodiments of the present invention, the order of execution between steps 109 to 111 and steps 101 to 105 is not limited; Fig. 3 shows only one such order, and other feasible orders of execution between steps 109 to 111 and steps 101 to 105 fall within the scope of protection of the embodiments of the present invention.
It should be noted that step 103 in the above embodiments can be refined into steps 1031 to 1034.
In step 1031, it is judged whether the attack behaviour feature meets the preset normal behaviour condition.
The normal behaviour condition is preset in the network where the business system under test is located; it is the criterion for judging whether an attack behaviour feature is likely to belong to a network attack.
In step 1032, the value of an attack behaviour feature that meets the preset normal behaviour condition is assigned the first value.
In step 1033, the value of an attack behaviour feature that does not meet the preset normal behaviour condition is assigned the second value.
The first value differs from the second value. The first and second values can be characters such as digits, letters or symbols, and are not limited here. If similarity is represented by a calculation method with concrete numerical results, such as Euclidean distance, it is preferable to set the first and second values to digits, which is convenient for calculating the Euclidean distance.
In step 1034, the values of the attack behaviour features assigned the first value and/or the values of the attack behaviour features assigned the second value are combined into the attack behaviour feature value set.
If an attack behaviour feature meets the preset normal behaviour condition, its value is assigned the first value; if it does not meet the preset normal behaviour condition, its value is assigned the second value; the attack behaviour feature value set is thus obtained. For example, let the attack behaviour features be: excessive outbound traffic, excessive inbound traffic, login outside working hours, firewall accept, firewall deny, intranet login, several consecutive login failures, at least one successful login, a single source probing multiple target IPs, a single source probing multiple target IPs and ports, new account created, file operation, process operation, and port operation. Suppose that excessive inbound traffic, intranet login, several consecutive login failures and at least one successful login do not meet the preset normal behaviour condition, while the attack behaviour features other than these four do meet it. With the first value set to 0 and the second value set to 1, the corresponding attack behaviour feature value set is {0,1,0,0,0,1,1,1,0,0,0,0,0,0}.
It should also be noted that before judging whether the attack behaviour feature meets the preset normal behaviour condition, the normal behaviour condition can be set, for example using a machine learning method. Setting the normal behaviour condition can include steps 1035 to 1038.
In step 1035, the attack behaviour feature is collected multiple times to obtain multiple attack behaviour feature collection values. Specifically, the attack behaviour feature can be collected periodically over a period of time.
In step 1036, the mean and standard error of the multiple attack behaviour feature collection values are calculated.
In step 1037, the product of the standard error and a preset correction parameter is calculated as the corrected standard error.
In step 1038, the range that floats by the corrected standard error around the mean is calculated and used as the normal behaviour condition.
For example, over a period of time such as 4 to 6 weeks, the attack features obtained from the log information of the business system under test are sampled, specifically by periodic sampling, to obtain multiple attack feature collection values. From the collected attack feature collection values, the mean, standard deviation and standard error of the attack feature collection values can be calculated. So that the normal behaviour condition set afterwards judges network attacks more accurately, a correction parameter can be introduced; the correction parameter can be obtained from a confidence level. The corrected standard error is obtained from the standard error and the correction parameter, and the normal behaviour condition is then obtained from the mean and the corrected standard error.
The following illustration takes excessive outbound traffic as an example. Outbound traffic is collected N times over a period of time, giving N outbound traffic collection values. The calculation proceeds according to the following formulas (2) to (4), finally yielding the baseline threshold range for outbound traffic, and the baseline threshold range is used as the normal behaviour condition.
where x_k is the k-th of the N outbound traffic collection values, k is a positive integer, μ is the mean, σ is the standard deviation, s is the standard error, and N is a positive integer.
With the confidence level set to 95%, the correction parameter obtained from the confidence level is 1.96, and 1.96 × s is the corrected standard error, so the baseline threshold range is (μ - 1.96 × s, μ + 1.96 × s]. That is, the normal behaviour condition corresponding to excessive outbound traffic is (μ - 1.96 × s, μ + 1.96 × s]: when the outbound traffic lies within the range (μ - 1.96 × s, μ + 1.96 × s], the value of the excessive outbound traffic feature is assigned the first value, and when the outbound traffic lies outside this range, the value of the excessive outbound traffic feature is assigned the second value.
It should be noted that some attack behaviour features have no specific numerical quantity, and the normal behaviour condition can then be judged directly. For example, whether the firewall accepts can be expressed according to the actual situation as "yes" or "no" or other characters: if the firewall accepts, the value of the firewall accept feature can be set to yes or 1, and if the firewall does not accept, the value of the firewall accept feature can be set to no or 0.
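Steps 1035 to 1038 and the two kinds of value assignment just described, as an added example that is not code from the patent. Formulas (2) to (4) are not reproduced on the page, so the standard error is taken here as the standard deviation divided by the square root of the sample count, the standard deviation is the population one, and the weekly traffic figures are constructed; the 95% confidence level and the 1.96 correction parameter come from the text.

```python
"""Set a numeric normal behaviour condition from periodic samples (steps 1035-1038)
and assign the first/second value to numeric and yes/no features.

Added example, not code from the patent. Standard error is taken as the
population standard deviation divided by sqrt(N) (an assumption; formulas (2)-(4)
are not reproduced on the page), and the traffic figures below are constructed.
"""
from __future__ import annotations

import math
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineCondition:
    """Normal behaviour condition (mu - z*s, mu + z*s]: open below, closed above."""
    mean: float
    std_dev: float
    std_err: float
    corrected_std_err: float

    @property
    def lower(self) -> float:
        return self.mean - self.corrected_std_err

    @property
    def upper(self) -> float:
        return self.mean + self.corrected_std_err

    def contains(self, value: float) -> bool:
        return self.lower < value <= self.upper


def correction_parameter(confidence: float) -> float:
    """Two-sided normal quantile for the confidence level, e.g. 0.95 -> 1.96."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return statistics.NormalDist().inv_cdf((1.0 + confidence) / 2.0)


def set_normal_behaviour_condition(samples: list[float],
                                   confidence: float = 0.95) -> BaselineCondition:
    """Steps 1035-1038 over the N collection values x_1 .. x_N."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two collection values")
    mu = statistics.fmean(samples)                # average value
    sigma = statistics.pstdev(samples, mu=mu)     # population standard deviation (assumption)
    s = sigma / math.sqrt(n)                      # standard error (assumption)
    z = correction_parameter(confidence)          # preset correction parameter
    return BaselineCondition(mu, sigma, s, z * s)  # z * s is the corrected standard error


FIRST_VALUE, SECOND_VALUE = 0, 1


def numeric_feature_value(observed: float, condition: BaselineCondition) -> int:
    """Inside the baseline range -> first value, outside -> second value."""
    return FIRST_VALUE if condition.contains(observed) else SECOND_VALUE


def boolean_feature_value(flag: bool) -> int:
    """Features such as 'firewall accept' have no quantity: yes -> 1, no -> 0."""
    return 1 if flag else 0


# Constructed weekly outbound traffic collection values (GB) from the baseline period.
OUTBOUND_SAMPLES = [100.0, 110.0, 90.0, 105.0, 95.0, 100.0, 108.0, 92.0]

if __name__ == "__main__":
    cond = set_normal_behaviour_condition(OUTBOUND_SAMPLES)
    print(f"baseline range: ({cond.lower:.2f}, {cond.upper:.2f}]")
    print(numeric_feature_value(103.0, cond), numeric_feature_value(120.0, cond))
```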
Fig. 4 is a structural diagram of the apparatus for identifying a network attack pattern provided by one embodiment of the present invention. The apparatus 200 for identifying a network attack pattern shown in Fig. 4 includes a log acquisition module 201, a feature acquisition module 202, a set acquisition module 203, a computing module 204 and an analysis module 205.
The log acquisition module 201 can be configured to obtain the log information of the business system under test and the network traffic forwarded from the preset low-interaction honeypot to the high-interaction honeypot in the business system under test.
The feature acquisition module 202 can be configured to obtain attack behaviour features from the network traffic and the log information of the business system under test.
The set acquisition module 203 is configured to judge whether the attack behaviour features meet the preset normal behaviour condition and to obtain the attack behaviour feature value set according to the judgment result, the attack behaviour feature value set including the value of at least one attack behaviour feature.
The computing module 204 can be configured to calculate the similarity between the attack behaviour feature value set and the feature value sets of multiple known attack patterns.
The analysis module 205 can be configured to obtain the attack pattern corresponding to the feature value set of the known attack pattern with the highest similarity to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.
It should be noted that the log information of the business system under test can include the log information of the high-interaction honeypot. The log information of the business system under test can also include the log information of the high-interaction honeypot and the alarm logs of the network boundary security protection devices in the network where the business system under test is located. The IP address of the above low-interaction honeypot is the same as the IP address of the above high-interaction honeypot.
The apparatus 200 for identifying a network attack pattern provided by the embodiment of the present invention can extract attack behaviour features from the log information and network traffic of the business system under test, judge whether the attack behaviour features meet the preset normal behaviour condition, obtain an attack behaviour feature value set according to the judgment result, and determine the attack pattern of the attack behaviour feature value set by calculating its similarity to the feature value sets of multiple known attack patterns. The attack pattern corresponding to the feature value set of the known attack pattern with the highest similarity to the attack behaviour feature value set is taken as the attack pattern of the attack behaviour feature value set. For a network attack received by the business system under test, the closest attack pattern can thus be found from the attack behaviour features of the attack, so the prior-art situation in which no matching attack pattern exists in the public cloud database does not arise; unknown attack patterns can be identified, missed reports of network attacks are avoided, and the security of the network is improved.
Fig. 5 is a structural diagram of the apparatus for identifying a network attack pattern in another embodiment of the present invention. The log acquisition module 201, feature acquisition module 202, set acquisition module 203, computing module 204 and analysis module 205 in Fig. 5 are essentially the same as the log acquisition module 201, feature acquisition module 202, set acquisition module 203, computing module 204 and analysis module 205 in Fig. 4. The difference is that the apparatus 200 for identifying a network attack pattern shown in Fig. 5 further includes a policy generation module 206, a policy distribution module 207 and a policy sharing module 208.
The policy generation module 206 can be configured to generate a corresponding security protection policy according to the attack pattern of the attack behaviour feature value set.
The policy distribution module 207 can be configured to issue the generated security protection policy to the network boundary security protection device.
The policy sharing module 208 can be configured to share the generated security protection policy within the network where the business system under test is located.
In the embodiment of the present invention, the policy distribution module 207 issues the security protection policy to the network boundary security protection device to achieve defence in depth against the unknown network attack. The policy sharing module 208 can share the security protection policy within the network where the business system under test is located, so that other business systems in the network can also obtain the generated security protection policy, thereby achieving multi-path blocking of the network attack and improving the network attack early-warning and protection capability of the entire network. It should be noted that in the embodiment of the present invention, the apparatus 200 for identifying a network attack pattern can include both the policy distribution module 207 and the policy sharing module 208, or only one of the policy distribution module 207 and the policy sharing module 208; this is not limited here.
Fig. 6 is a structural diagram of the apparatus for identifying a network attack pattern in a further embodiment of the present invention. The log acquisition module 201, feature acquisition module 202, set acquisition module 203, computing module 204 and analysis module 205 in Fig. 6 are essentially the same as the log acquisition module 201, feature acquisition module 202, set acquisition module 203, computing module 204 and analysis module 205 in Fig. 4. The difference is that the apparatus 200 for identifying a network attack pattern shown in Fig. 6 further includes a virtual host building module 209, a vulnerability repair module 210 and a traffic directing module 211.
The virtual host building module 209 can be configured to build a virtual host using the low-interaction honeypot, the IP address of the virtual host being the same as the IP address of the real host in the business system under test.
The vulnerability repair module 210 can be configured to rewrite the vulnerability simulation code on the virtual host to repair the vulnerabilities on the virtual host.
The traffic directing module 211 can be configured to direct the network traffic received by the business system under test to the virtual host on which the vulnerabilities have been repaired.
The embodiment of the present invention can achieve a "virtual patch" function for the real host, effectively shielding all kinds of vulnerabilities and improving the security of the business system. The "virtual patch" function also makes it possible to check whether the repair of a vulnerability is appropriate without endangering the network security of the real host.
Fig. 7 is a structural diagram of the apparatus for identifying a network attack pattern in yet another embodiment of the present invention. The log acquisition module 201, feature acquisition module 202, set acquisition module 203, computing module 204 and analysis module 205 in Fig. 7 are essentially the same as the log acquisition module 201, feature acquisition module 202, set acquisition module 203, computing module 204 and analysis module 205 in Fig. 4. The difference is that the apparatus 200 for identifying a network attack pattern shown in Fig. 7 further includes a condition setting module 212.
The condition setting module 212 can be configured to: collect the attack behaviour feature multiple times to obtain multiple attack behaviour feature collection values; calculate the mean and standard error of the multiple attack behaviour feature collection values; calculate the product of the standard error and a preset correction parameter as the corrected standard error; and calculate the range that floats by the corrected standard error around the mean, as the normal behaviour condition.
It should be noted that the set acquisition module 203 in the above embodiments can specifically be configured to: judge whether the attack behaviour feature meets the preset normal behaviour condition; assign the first value to the value of an attack behaviour feature that meets the preset normal behaviour condition; assign the second value to the value of an attack behaviour feature that does not meet the preset normal behaviour condition; and combine the values of the attack behaviour features assigned the first value and/or the values of the attack behaviour features assigned the second value into the attack behaviour feature value set.
The computing module 204 in the above embodiments can specifically be configured to calculate the Euclidean distance between the attack behaviour feature value set and each set in the feature value sets of the known attack patterns.
The analysis module 205 can specifically be configured to obtain the attack pattern corresponding to the feature value set of the known attack pattern with the smallest Euclidean distance to the attack behaviour feature value set, as the attack pattern of the attack behaviour feature value set.
It should be clear that the invention is not limited to the particular configurations and processing described above and shown in the figures. For brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the process of the present invention is not limited to the specific steps described and illustrated; those skilled in the art, having understood the spirit of the invention, can make various changes, modifications and additions, or change the order between steps.
The functional modules shown in the structural diagrams described above can be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), suitable firmware, plug-ins, function cards and so on. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by means of a data signal carried in a carrier wave. A "machine-readable medium" can include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fibre-optic media, radio frequency (RF) links, and so on. The code segments can be downloaded via a computer network such as the Internet or an intranet.

Claims (20)

1. a kind of recognition methods of network attack mode, including:
Obtain operation system to be measured log information and the operation system to be measured in default low interactive honey jar be transmitted to high friendship The network traffics of mutual honey jar;
Attack feature is obtained from the log information of the network traffics and the operation system to be measured;
Judge whether the attack feature meets default normal behaviour condition, and attack is obtained according to judging result Characteristic value collection, the attack characteristic value collection include the value of at least one attack feature;
Calculate the similarity of the attack characteristic value collection and the characteristic value collection of multiple known attack patterns;
It obtains corresponding with the characteristic value collection of the highest known attack pattern of the attack characteristic value collection similarity Attack mode, the attack mode as the attack characteristic value collection.
2. according to the method described in claim 1, wherein, the log information of the operation system to be measured includes the high interaction honey The log information of tank.
3. according to the method described in claim 1, wherein, the log information of the operation system to be measured includes the high interaction honey The log information of tank and the operation system to be measured network perimeter security safeguard in a network alarm log.
4. it according to the method described in claim 1, further includes:
According to the attack mode of the attack characteristic value collection, corresponding Safeguard tactics are generated.
5. it according to the method described in claim 4, further includes:
By the Safeguard tactics generated be issued to network perimeter security safeguard and/or
The Safeguard tactics generated are shared in the network where the operation system to be measured.
6. it according to the method described in claim 1, further includes:
Using the low interactive honey jar structure fictitious host computer, wherein, the network protocol IP address of the fictitious host computer is treated with described The IP address for surveying the true host in operation system is consistent;
The loophole simulation code in the fictitious host computer is rewritten, to repair the loophole in the fictitious host computer;
The network traffics importing that the operation system to be measured receives has been repaired to the fictitious host computer after loophole.
7. according to the method described in claim 1, wherein, judge whether the attack feature meets default normal behaviour Condition, and the step of attack characteristic value collection is obtained according to judging result include:
Judge whether the attack feature meets the default normal behaviour condition;
The value for the attack feature for meeting the default normal behaviour condition is assigned to the first value;
The value for the attack feature for not meeting the default normal behaviour condition is assigned to the second value;
By the value for the attack feature for being assigned to first value and/or the attack feature for being assigned to second value Value, is combined into the attack characteristic value collection.
8. according to the method described in claim 7, wherein, for any one of described attack feature, described in judgement Before whether attack feature meets the step of default normal behaviour condition, further include:
Multi collect is carried out to the attack feature, obtains multiple attack collection apparatus values;
Calculate the average value and standard error of multiple attack collection apparatus values;
The product of the standard error and default corrected parameter is calculated as amendment standard error;
The scope for the amendment standard error of floating on the basis of the average value is calculated, as the normal behaviour condition.
9. according to the method described in claim 1, wherein, calculate the attack characteristic value collection and multiple known attack moulds The step of similarity of the characteristic value collection of formula, includes:
Calculate the attack characteristic value collection and each set in the characteristic value collection of the known attack pattern Euclidean distance;
And wherein, obtain the characteristic value with the highest known attack pattern of the attack characteristic value collection similarity Gather corresponding attack mode, the step of attack mode as the attack characteristic value collection, including:
It obtains corresponding with the characteristic value collection of the known attack pattern of the Euclidean distance minimum of the attack characteristic value collection Attack mode, the attack mode as the attack characteristic value collection.
10. according to the method described in claim 1, wherein, network protocol IP address and the height of the low interactive honey jar The IP address of interaction honey jar is identical.
11. A device for identifying a network attack pattern, comprising:
a log acquisition module, configured to obtain log information of a business system under test and the network traffic that a low-interaction honeypot preset in the business system under test forwards to a high-interaction honeypot;
a feature acquisition module, configured to obtain attack-behaviour features from the network traffic and the log information of the business system under test;
a set acquisition module, configured to judge whether the attack-behaviour features satisfy a preset normal-behaviour condition and to obtain, according to the result of that judgement, an attack-behaviour feature-value set, the attack-behaviour feature-value set including the value of at least one attack-behaviour feature;
a computing module, configured to calculate the similarity between the attack-behaviour feature-value set and the feature-value sets of a plurality of known attack patterns;
an analysis module, configured to obtain the attack pattern corresponding to the feature-value set of the known attack pattern with the highest similarity to the attack-behaviour feature-value set, as the attack pattern of the attack-behaviour feature-value set.
12. The device according to claim 11, wherein the log information of the business system under test includes the log information of the high-interaction honeypot.
13. The device according to claim 11, wherein the log information of the business system under test includes the log information of the high-interaction honeypot and the alarm logs of the network-perimeter security protection equipment in the network in which the business system under test is located.
14. The device according to claim 11, further comprising:
a policy generation module, configured to generate a corresponding security protection policy according to the attack pattern of the attack-behaviour feature-value set.
15. The device according to claim 14, further comprising:
a policy distribution module, configured to issue the generated security protection policy to the network-perimeter security protection equipment,
and/or a policy sharing module, configured to share the generated security protection policy within the network in which the business system under test is located.
16. The device according to claim 11, further comprising:
a virtual host construction module, configured to construct a virtual host using the low-interaction honeypot, wherein the Internet Protocol (IP) address of the virtual host is consistent with the IP address of the real host in the business system under test;
a vulnerability repair module, configured to rewrite the vulnerability simulation code in the virtual host so as to repair the vulnerability in the virtual host;
a traffic import module, configured to import the network traffic received by the business system under test into the virtual host after the vulnerability has been repaired.
17. The device according to claim 11, wherein the set acquisition module is configured to:
judge whether the attack-behaviour features satisfy the preset normal-behaviour condition;
assign a first value to each attack-behaviour feature that satisfies the preset normal-behaviour condition;
assign a second value to each attack-behaviour feature that does not satisfy the preset normal-behaviour condition;
combine the values of the attack-behaviour features assigned the first value and/or the attack-behaviour features assigned the second value into the attack-behaviour feature-value set.
18. The device according to claim 17, further comprising a condition setting module, the condition setting module being configured to:
collect the attack-behaviour features multiple times to obtain a plurality of attack-behaviour feature collection values;
calculate the average value and the standard error of the plurality of attack-behaviour feature collection values;
calculate the product of the standard error and a preset correction parameter as the corrected standard error;
take as the normal-behaviour condition the range that spans the corrected standard error above and below the average value.
19. The device according to claim 11, wherein the computing module is specifically configured to calculate the Euclidean distance between the attack-behaviour feature-value set and each of the feature-value sets of the known attack patterns;
and the analysis module is specifically configured to obtain the attack pattern corresponding to the feature-value set of the known attack pattern having the minimum Euclidean distance to the attack-behaviour feature-value set, as the attack pattern of the attack-behaviour feature-value set.
20. The device according to claim 11, wherein the Internet Protocol (IP) address of the low-interaction honeypot is identical to the IP address of the high-interaction honeypot.
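The procedure of claims 17 to 19 (normal-behaviour range from mean and corrected standard error, binary feature-value set, nearest known pattern by Euclidean distance) carried through in Python, as an added example that is not the patent's own code. The feature names, baseline collections, observed values, known attack patterns, the correction parameter of 3 and the choice of 0/1 as the "first" and "second" values are all constructed for the illustration; the patent fixes none of them.

```python
# Added worked example (not the patent's own code). Feature names, baseline
# samples, the observed values, the known attack patterns and the correction
# parameter are all constructed for this illustration.
from math import sqrt
from statistics import mean, stdev
from typing import Dict, List, Tuple

# Claim 17 assigns a "first value" to features inside the normal range and a
# "second value" to features outside it; the patent fixes no concrete values,
# so 0 (normal) and 1 (abnormal) are assumed here.
FIRST_VALUE = 0
SECOND_VALUE = 1

Range = Tuple[float, float]


def normal_condition(samples: List[float], correction: float) -> Range:
    """Claim 18: average +/- (standard error * correction parameter)."""
    n = len(samples)
    if n < 2:
        raise ValueError("at least two collections are needed for a standard error")
    avg = mean(samples)
    std_err = stdev(samples) / sqrt(n)        # standard error of the mean
    corrected = std_err * correction          # "corrected standard error"
    return avg - corrected, avg + corrected


def feature_value_set(observed: Dict[str, float],
                      conditions: Dict[str, Range]) -> Dict[str, int]:
    """Claim 17: map each observed feature to FIRST_VALUE if it satisfies its
    normal-behaviour condition, otherwise to SECOND_VALUE."""
    values = {}
    for name, x in observed.items():
        low, high = conditions[name]
        values[name] = FIRST_VALUE if low <= x <= high else SECOND_VALUE
    return values


def euclidean(a: Dict[str, int], b: Dict[str, int]) -> float:
    """Distance over the union of feature names; a feature missing from one
    set is treated as 0 in that set."""
    keys = set(a) | set(b)
    return sqrt(sum((a.get(k, 0) - b.get(k, 0)) ** 2 for k in keys))


def identify_pattern(values: Dict[str, int],
                     known: Dict[str, Dict[str, int]]) -> Tuple[str, float]:
    """Claim 19: return (pattern name, distance) of the known attack pattern
    whose feature-value set is nearest to the observed set."""
    if not known:
        raise ValueError("no known attack patterns to compare against")
    scored = {name: euclidean(values, fv) for name, fv in known.items()}
    best = min(scored, key=scored.get)
    return best, scored[best]


# Constructed baseline: five collections of each feature taken from the
# honeypot while no attack was in progress.
BASELINE = {
    "conn_rate":      [10, 12, 11, 9, 13],
    "distinct_ports": [2, 3, 2, 3, 2],
    "failed_logins":  [0, 1, 0, 0, 1],
    "payload_bytes":  [500, 600, 550, 520, 580],
}

# Constructed known attack patterns expressed as feature-value sets.
KNOWN_PATTERNS = {
    "port_scan":      {"conn_rate": 1, "distinct_ports": 1, "failed_logins": 0, "payload_bytes": 0},
    "brute_force":    {"conn_rate": 1, "distinct_ports": 0, "failed_logins": 1, "payload_bytes": 0},
    "exploit_upload": {"conn_rate": 0, "distinct_ports": 0, "failed_logins": 0, "payload_bytes": 1},
}

# Constructed observation taken from honeypot traffic during one event.
OBSERVED = {"conn_rate": 95, "distinct_ports": 2, "failed_logins": 40, "payload_bytes": 560}


def run_example(correction: float = 3.0) -> Tuple[Dict[str, int], str, float]:
    """Build the normal conditions, derive the feature-value set and match it."""
    conditions = {name: normal_condition(s, correction) for name, s in BASELINE.items()}
    values = feature_value_set(OBSERVED, conditions)
    pattern, distance = identify_pattern(values, KNOWN_PATTERNS)
    return values, pattern, distance


if __name__ == "__main__":
    values, pattern, distance = run_example()
    print("feature-value set:", values)
    print(f"nearest known pattern: {pattern} (Euclidean distance {distance:.2f})")
```

With the constructed inputs the connection rate and failed-login count fall outside their baseline ranges while port diversity and payload size stay inside, so the set becomes {1, 0, 1, 0} and matches the "brute_force" pattern at distance 0. Note that a feature with no variation across collections gives a zero standard error and therefore a single-point normal range; in practice a floor on the corrected standard error avoids flagging every tiny deviation as abnormal.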
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611062203.9A CN108092948B (en) 2016-11-23 2016-11-23 Network attack mode identification method and device

Publications (2)

Publication Number Publication Date
CN108092948A true CN108092948A (en) 2018-05-29
CN108092948B CN108092948B (en) 2021-04-02

Family

ID=62170221

Country Status (1)

Country Link
CN (1) CN108092948B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102314A (en) * 2007-06-21 2008-01-09 北京联合大学 A 3-level modular intrusion detection system based on risk model
CN103971054A (en) * 2014-04-25 2014-08-06 天津大学 Detecting method of browser extension loophole based on behavior sequence
US20150271199A1 (en) * 2014-03-19 2015-09-24 International Business Machines Corporation Generating Accurate Preemptive Security Device Policy Tuning Recommendations
CN105245495A (en) * 2015-08-27 2016-01-13 哈尔滨工程大学 Similarity match based rapid detection method for malicious shellcode
CN105488394A (en) * 2014-12-27 2016-04-13 哈尔滨安天科技股份有限公司 Method and system for carrying out intrusion behavior identification and classification on hotpot system
CN105721416A (en) * 2015-11-16 2016-06-29 哈尔滨安天科技股份有限公司 Apt event attack organization homology analysis method and apparatus

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110839088A (en) * 2018-08-16 2020-02-25 深信服科技股份有限公司 Detection method, system, device and storage medium for dug by virtual currency
CN109167767A (en) * 2018-08-17 2019-01-08 苏州亮磊知识产权运营有限公司 A kind of working method of the ddos attack system of defense for DHCP framework
CN109361670A (en) * 2018-10-21 2019-02-19 北京经纬信安科技有限公司 Utilize the device and method of the targeted Dynamical Deployment capture malice sample of honey jar
CN109361670B (en) * 2018-10-21 2021-05-28 北京经纬信安科技有限公司 Device and method for capturing malicious sample by utilizing targeted dynamic deployment of honeypots
CN109302401A (en) * 2018-10-25 2019-02-01 国家电网有限公司 Protecting information safety method and device
CN109302401B (en) * 2018-10-25 2021-07-09 国家电网有限公司 Information security protection method and device
CN111447168B (en) * 2019-01-16 2022-05-24 河南信安通信技术股份有限公司 Multidimensional network security prediction method
CN111447168A (en) * 2019-01-16 2020-07-24 河南信安通信技术股份有限公司 Multidimensional network security prediction method
CN109818984A (en) * 2019-04-10 2019-05-28 吉林亿联银行股份有限公司 The defence method and device of loophole
CN110351237A (en) * 2019-05-23 2019-10-18 中国科学院信息工程研究所 Honey jar method and device for numerically-controlled machine tool
CN110751570A (en) * 2019-09-16 2020-02-04 中国电力科学研究院有限公司 Power service message attack identification method and system based on service logic
CN110830457A (en) * 2019-10-25 2020-02-21 腾讯科技(深圳)有限公司 Attack sensing method, device, equipment and medium based on honeypot induction
CN110830457B (en) * 2019-10-25 2022-06-21 腾讯科技(深圳)有限公司 Attack sensing method, device, equipment and medium based on honeypot induction
CN111726264B (en) * 2020-06-18 2021-11-19 中国电子科技集团公司第三十六研究所 Network protocol variation detection method, device, electronic equipment and storage medium
CN111726264A (en) * 2020-06-18 2020-09-29 中国电子科技集团公司第三十六研究所 Network protocol variation detection method, device, electronic equipment and storage medium
CN111835777A (en) * 2020-07-20 2020-10-27 深信服科技股份有限公司 Abnormal flow detection method, device, equipment and medium
CN111835777B (en) * 2020-07-20 2022-09-30 深信服科技股份有限公司 Abnormal flow detection method, device, equipment and medium
CN112165459A (en) * 2020-09-08 2021-01-01 广州锦行网络科技有限公司 Application method for automatically switching to host honeypot based on alarm honeypot information analysis
CN112165459B (en) * 2020-09-08 2021-06-11 广州锦行网络科技有限公司 Application method for automatically switching to host honeypot based on alarm honeypot information analysis
CN112367307A (en) * 2020-10-27 2021-02-12 中国电子科技集团公司第二十八研究所 Intrusion detection method and system based on container-grade honey pot group
CN112367307B (en) * 2020-10-27 2023-05-23 中国电子科技集团公司第二十八研究所 Intrusion detection method and system based on container-level honey pot group
CN112333196B (en) * 2020-11-10 2023-04-04 恒安嘉新(北京)科技股份公司 Attack event tracing method and device, electronic equipment and storage medium
CN112333196A (en) * 2020-11-10 2021-02-05 恒安嘉新(北京)科技股份公司 Attack event tracing method and device, electronic equipment and storage medium
CN112910895A (en) * 2021-02-02 2021-06-04 杭州安恒信息技术股份有限公司 Network attack behavior detection method and device, computer equipment and system
CN112910895B (en) * 2021-02-02 2022-11-15 杭州安恒信息技术股份有限公司 Network attack behavior detection method and device, computer equipment and system
CN113395288A (en) * 2021-06-24 2021-09-14 浙江德迅网络安全技术有限公司 Active defense DDOS system based on SDWAN
CN115529145A (en) * 2021-06-25 2022-12-27 中国移动通信集团广东有限公司 Network security intrusion detection and protection system and method
CN113422787A (en) * 2021-08-24 2021-09-21 广州乐盈信息科技股份有限公司 Intelligent anti-attack method for passive optical network system
CN113422787B (en) * 2021-08-24 2021-11-09 广州乐盈信息科技股份有限公司 Intelligent anti-attack method for passive optical network system
CN114006766A (en) * 2021-11-04 2022-02-01 杭州安恒信息安全技术有限公司 Network attack detection method and device, electronic equipment and readable storage medium
CN114205127A (en) * 2021-11-29 2022-03-18 中国铁路北京局集团有限公司北京通信段 Network safety monitoring method and system for railway
CN114866349A (en) * 2022-07-06 2022-08-05 深圳市永达电子信息股份有限公司 Network information filtering method
CN114866349B (en) * 2022-07-06 2022-11-15 深圳市永达电子信息股份有限公司 Network information filtering method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant