CN111314300A - Malicious scanning IP detection method, system, device, equipment and storage medium - Google Patents

Publication number: CN111314300A (application CN202010051255.6A; granted as CN111314300B)
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN111314300B (en)
Inventors: 廖孟军, 李新海, 何培辉, 谭文
Current assignee: Guangzhou Huaduo Network Technology Co Ltd
Original assignee: Guangzhou Huaduo Network Technology Co Ltd
Priority: CN202010051255.6A
Prior art keywords: quintuple information, port, network, malicious scanning, different

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection


Abstract

The application relates to a malicious scanning IP detection method, a system, a device, equipment and a storage medium, wherein quintuple information of a flow network packet accessing a closed port in each network area uploaded by each network area control equipment is received through a master control equipment, different closed port numbers and different server numbers accessed by each source IP in the quintuple information are obtained, and then malicious scanning IP in each network area is detected based on the different closed port numbers and the different server numbers. The method can quickly and accurately detect the malicious scanning IP, and effectively provides a scheme capable of accurately and quickly detecting the malicious scanning IP.

Description

Malicious scanning IP detection method, system, device, equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a malicious scanning IP detection method, system, apparatus, device, and storage medium.
Background
With the expansion of the range of computer applications and the rapid development of internet technology, computer information technology has penetrated many aspects of people's lives, such as online shopping, e-commerce, finance, and the like. However, computer networks are vulnerable to hackers, malware and other threats because of their diverse connection forms, the uneven distribution of terminals, and the openness and interconnectivity of the networks.
Among malicious Internet attacks, Internet Protocol (IP) scanning is the most common attack method: in the Internet, more than one million IPs continuously scan public network IPs every day to discover vulnerabilities and attempt intrusions. In the conventional technology, there are many ways of handling IP scan attacks; for example, a scanning IP can be identified by counting the number of times an IP occurs. However, if a normal user's IP occurs many times because that user continuously uploads video data, this processing method also judges the IP of the normal user to be a malicious IP.
Therefore, an effective method for accurately and rapidly detecting malicious scanning IP is lacking at present.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a malicious scanning IP detection method, system, apparatus, device, and storage medium.
In a first aspect, an embodiment of the present application provides a malicious scanning IP detection method, where the method includes:
receiving quintuple information uploaded by each network area control device; the quintuple information is the quintuple information of the flow network packet accessing the closed port in each network region; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
acquiring the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information;
detecting malicious scanning IPs in each network region based on the number of different closed ports and the number of different servers.
In one embodiment, the detecting malicious scanning IPs in each network area according to the number of different closed ports and the number of different servers includes:
if the number of different closed ports is larger than a first preset threshold value, determining that the corresponding source IP is a malicious scanning IP; or,
if the number of different closed ports is greater than a second preset threshold value and the number of different servers is greater than a preset number, determining that the corresponding source IP is a malicious scanning IP; the second preset threshold is smaller than the first preset threshold.
In one embodiment, after the detecting the malicious scanning IPs in each network area, the method further includes: and pushing all the detected malicious scanning IP to the firewall.
In a second aspect, an embodiment of the present application provides a malicious scanning IP detection method, including:
acquiring quintuple information of a flow network packet accessing a closed port in each network area; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
uploading the quintuple information to a master control device; the quintuple information is used for indicating the master control equipment to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
In one embodiment, the obtaining five-tuple information of the traffic network packet accessing the closed port in each network region includes:
acquiring mirror image flow of each server in each network area;
extracting quintuple information of all flow network packets in the mirror flow of each server;
and acquiring quintuple information of the traffic network packet accessing the closed port according to the extracted quintuple information of all the traffic network packets.
In one embodiment, the obtaining the quintuple information of the traffic network packet accessing the closed port according to the extracted quintuple information of all the traffic network packets includes:
searching an open port information list reported by a server corresponding to each flow network packet according to a target IP in each quintuple information;
if the target port in the quintuple information of the corresponding flow network packet does not exist in the open port information list reported by the server, determining the corresponding flow network as the flow network packet accessing the closed port;
and acquiring quintuple information of all the flow network packets accessing the closed ports in all the flow network packets.
In a third aspect, an embodiment of the present application provides a malicious scanning IP detection system, where the system includes: the system comprises a master control center control device and a plurality of network area control devices;
the total control center control device is configured to implement the malicious scanning IP detection method according to any one of the embodiments of the first aspect;
the network area control devices are configured to implement the malicious scanning IP detection method of any one of the embodiments of the second aspect described above.
In a fourth aspect, an embodiment of the present application provides an IP detection apparatus for malicious scanning, where the apparatus includes:
the receiving module is used for receiving quintuple information uploaded by each network area control device; the quintuple information is the quintuple information of the flow network packet accessing the closed port in each network region; the five-tuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the quantity obtaining module is used for obtaining the quantity of different closed ports and the quantity of different servers accessed by each source IP in the quintuple information;
and the detection module is used for detecting malicious scanning IP in each network area according to the number of different closed ports and the number of different servers.
In a fifth aspect, an embodiment of the present application provides a malicious scanning IP detection apparatus, where the apparatus includes:
the information acquisition module is used for acquiring quintuple information of the flow network packet accessing the closed port in each network area; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the uploading module is used for uploading the quintuple information to the master control equipment; the quintuple information is used for indicating the master control equipment to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
In a sixth aspect, an embodiment of the present application provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of any one of the malicious scanning IP detection methods provided in the first aspect or the second aspect when executing the computer program.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of any one of the malicious scanning IP detection methods provided in the foregoing first aspect or embodiments of the second aspect.
In the malicious scanning IP detection method, system, apparatus, device, and storage medium provided in the embodiments of the present application, the master control device receives quintuple information of traffic network packets accessing closed ports in each network area, uploaded by each network area control device, obtains the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and then detects malicious scanning IPs in each network area based on the number of different closed ports and the number of different servers. Normally, within a certain period of time, a normal user does not access the closed ports of a server and does not try to access the closed ports of a plurality of servers. Therefore, in this method, the number of different closed ports and different servers accessed is counted based on the quintuple information of the traffic packets accessing closed ports, and malicious scanning IPs are determined based on those numbers, so that malicious scanning IPs can be detected quickly and accurately, and a scheme capable of accurately and quickly detecting malicious scanning IPs is effectively provided.
Drawings
Fig. 1 is a block diagram of an IP detection system for malicious scanning according to an embodiment;
fig. 1a is an internal structure diagram of a control device according to an embodiment;
fig. 2 is a flowchart illustrating a malicious scanning IP detection method according to an embodiment;
fig. 3 is a flowchart illustrating a malicious scanning IP detection method according to another embodiment;
fig. 4 is a flowchart illustrating a malicious scanning IP detection method according to another embodiment;
FIG. 5 is a diagram illustrating one embodiment of obtaining mirrored traffic for servers;
fig. 6 is a flowchart illustrating a malicious scanning IP detection method according to another embodiment;
fig. 7 is a block diagram illustrating a structure of an IP detection apparatus for malicious scanning according to an embodiment;
fig. 8 is a block diagram illustrating a structure of a malicious scanning IP detection apparatus according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In order to better understand the malicious scanning IP detection method provided in the embodiment of the present application, an application environment applicable to the embodiment of the present application is provided. Referring to fig. 1, the malicious scanning IP detection method provided by the present application may be applied to the malicious scanning IP detection system shown in fig. 1. The system comprises a master control center control device 01 and a plurality of network area control devices 02, wherein in one case, if only one network area exists, the control device 02 in the network area and the master control center control device 01 are the same device, and in the other case, if a plurality of network areas exist, each network area has one control device 02, the master control center control device 01 can be a single control device for controlling each network area control device 02; of course, in the case where there are a plurality of network areas, the overall control center control device 01 may be the control device 02 of one of the network areas; the embodiment of the present application does not limit the setting relationship between the total control center control device 01 and the plurality of network area control devices 02.
The overall control center control device 01 or the plurality of network area control devices 02 can be embodied in the form of a server, a terminal or other computer devices. For example, taking the control devices as computer devices, the schematic internal structure of the control devices can be shown by referring to the internal structure diagram of the computer device shown in fig. 1 a. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data of a malicious scanning IP detection method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a malicious scanning IP detection method. It is to be understood that the internal structure shown in fig. 1a is only one example of each control device and is not intended to be limiting.
The embodiment of the application provides a malicious scanning IP detection method, a malicious scanning IP detection system, a malicious scanning IP detection device, malicious scanning IP detection equipment and a storage medium, aims to accurately identify and intercept malicious scanning IP and can greatly reduce malicious IP invasion. The following describes in detail the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems by embodiments and with reference to the drawings. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. It should be noted that, in the malicious scanning IP detection method provided in this application, the execution main body in fig. 2 is a total control center control device (hereinafter referred to as a total control device), and the execution main bodies in fig. 3 to fig. 6 are network area control devices, where the execution main bodies in fig. 2 to fig. 6 may also be malicious scanning IP detection apparatuses, where the apparatuses may be implemented as part or all of the total control device or the network area control device in a software, hardware, or a combination of software and hardware.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments.
The embodiment of the present application will be described by taking an overall control device as a single control device for controlling a plurality of network area control devices. An embodiment in which the execution subject is the overall control apparatus will be described first.
In an embodiment, fig. 2 provides a malicious scanning IP detection method, where the embodiment relates to a specific process in which a master control device analyzes quintuple information according to quintuple information of a traffic network packet that accesses a closed port in each network area and is uploaded by each network area control device, and detects a malicious scanning IP in each network area according to an analysis result, as shown in fig. 2, the method includes:
s101, receiving quintuple information uploaded by each network area control device; the quintuple information is the quintuple information of the flow network packet accessing the closed port in each network region; the five-tuple information includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol.
In this embodiment, the quintuple information refers to the quintuple information of traffic network packets accessing closed ports in each network area. In practical application, a network area can be understood as a machine room, with one control device in each network area, that is, one control device per machine room; a plurality of network areas thus corresponds to a plurality of machine rooms.
In the network area (machine room), there are a plurality of servers, and it should be understood that the quintuple information is the quintuple information of the traffic network packet accessing the closed port in the traffic data of each server of each machine room collected by the control device of each machine room, and it is understood that the control device of each machine room uploads the quintuple information of the traffic network packet accessing the closed port of all servers in its own area to the master control device. For the process of collecting the quintuple information of the traffic network packet accessing the closed port in each network area by each network area control device, reference may be made to the following description in which the execution main body is an embodiment of each network area control device side, and details will not be described here.
The five tuple is a communication term that generally refers to a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol. In this step, the master control device receives the quintuple information uploaded by each network area control device, that is, the source IP address, the source port, the destination IP address, the destination port, and the transport layer protocol of the flow network packet accessing the closed port, uploaded by each network area control device are received.
S102, acquiring the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information.
Based on the quintuple information of the traffic network packets accessing closed ports uploaded by each network area control device, the master control device obtains the number of different closed ports and the number of different servers accessed by each source IP in those packets. Here, "different" means that each distinct closed port and each distinct server is counted once, regardless of how many packets were sent to it.
In this step, the quintuple information received by the master control device is already the flow network packets accessing the closed ports, and each flow network packet corresponds to one piece of quintuple information, that is, the master control device only needs to count the number of flow network packets accessing different closed ports by the source IP in the received quintuple information, each flow network packet has a server corresponding to the flow network packet, and the master control device can count the number of different servers from the received quintuple information.
S103, malicious scanning IP in each network area is detected according to the number of different closed ports and the number of different servers.
After the master control device obtains the number of different closed ports and the number of different servers accessed by each source IP, malicious scanning IPs in each network area are detected according to these two numbers. Illustratively, the master control device may determine, from big data, critical values for the number of different closed ports and the number of different servers, and determine whether each source IP is a malicious scanning IP according to those critical values, thereby determining all malicious scanning IPs in turn, that is, detecting the malicious scanning IPs in each network area.
In the malicious scanning IP detection method provided in this embodiment, the master control device receives quintuple information of a traffic network packet accessing a closed port in each network area, which is uploaded by each network area control device, acquires different numbers of closed ports and different numbers of servers accessed by each source IP in the quintuple information, and then detects a malicious scanning IP in each network area based on the different numbers of closed ports and the different numbers of servers. Normally, a normal user does not access the closed ports of the servers and does not try to access the closed ports of the plurality of servers within a certain time, so that in the method, the number of different closed ports and different servers accessed is counted based on information of flow data packet quintuple accessing the closed ports, malicious scanning IP is further determined based on the number of the different closed ports and the different servers, the malicious scanning IP can be quickly and accurately detected, and a scheme capable of accurately and quickly detecting the malicious scanning IP is effectively provided.
The specific process by which the above master control device detects malicious scanning IPs in each network area according to the number of different closed ports and the number of different servers is described in detail below by an embodiment. On the basis of the above embodiment, the embodiment of the present application further provides a malicious scanning IP detection method in which step S103 includes: if the number of different closed ports is larger than a first preset threshold value, determining that the corresponding source IP is a malicious scanning IP; or, if the number of different closed ports is greater than a second preset threshold value and the number of different servers is greater than a preset number, determining that the corresponding source IP is a malicious scanning IP; the second preset threshold is smaller than the first preset threshold.
In this embodiment, two implementation manners of step S103 are provided. In the first, only the obtained number of different closed ports is used: a threshold, namely the first preset threshold, is set on the number of different closed ports a malicious scanning IP accesses, and as long as the number of different closed ports accessed exceeds the first preset threshold, the corresponding source IP is determined to be a malicious scanning IP.
In the second, a lower threshold, namely the second preset threshold (which is smaller than the first preset threshold), is set on the number of different closed ports, and in addition a preset number is set for the number of different servers; in this case the corresponding source IP is determined to be a malicious scanning IP only when the number of different closed ports is larger than the second preset threshold and the number of different servers is larger than the preset number.
It is understood that in the present application, there are multiple servers in each network region, each server has multiple traffic network packets, each traffic network packet corresponds to a five-tuple information, and the five-tuple information includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol. Therefore, in this embodiment, the number of different closed ports and the number of different servers corresponding to each source IP are determined, and it is determined whether the corresponding source IP is a malicious scanning IP, so that there is a determination result for the source IP in each traffic network packet in sequence, and it is naturally possible to determine the malicious scanning IP in each network area.
In this embodiment, based on the fact that a normal user does not access the closed ports of the servers and does not attempt to access the closed ports of the plurality of servers within a certain period of time, the malicious scanning IP can be quickly and accurately detected by finding out the IP having more access closed ports and servers and determining the IP as the malicious scanning IP.
In addition, after detecting the malicious scanning IPs in each network area, and finally aiming to prohibit the scanning IPs from accessing the server, and reduce the server from being attacked, in an embodiment, after detecting the malicious scanning IPs in each network area, the method further includes: and pushing all the detected malicious scanning IP to the firewall. In this embodiment, the malicious scanning IP detected by the master control device is pushed to the firewall, so that the malicious scanning IP can be prohibited from accessing the server from the firewall level.
Certainly, in practical application, a normal user's host may become infected and then be identified by the server as a malicious scanning IP. To ensure that such a user can access normally again afterwards, the master control device updates the IPs pushed to the firewall according to the malicious scanning IPs detected each time, so that IPs that are no longer detected as malicious scanning IPs are no longer intercepted.
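The master-side steps S102 and S103, with the two threshold rules of the embodiment above and the per-round firewall list refresh, as an added worked example; this is not code from the patent or its assignee. The uploaded five-tuples, the area names, the addresses (documentation ranges) and the threshold values are constructed for the example, and treating the list refresh as "push newly detected IPs, lift the block on IPs no longer detected" is this example's reading of the update step.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class FiveTuple(NamedTuple):
    """Five-tuple of one traffic packet that hit a closed port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Constructed sample input: what two network-area control devices would upload
# to the master control device. Every tuple here already refers to a closed
# port (the area devices filter that before uploading). Area names, addresses
# and port numbers are made up for this example.
UPLOADS: Dict[str, List[FiveTuple]] = {
    "area-1": [
        # one source probing many closed ports on a single server
        FiveTuple("203.0.113.9", 40001, "10.0.1.10", 21, "tcp"),
        FiveTuple("203.0.113.9", 40002, "10.0.1.10", 23, "tcp"),
        FiveTuple("203.0.113.9", 40003, "10.0.1.10", 23, "tcp"),  # same port again
        FiveTuple("203.0.113.9", 40004, "10.0.1.10", 25, "tcp"),
        FiveTuple("203.0.113.9", 40005, "10.0.1.10", 110, "tcp"),
        FiveTuple("203.0.113.9", 40006, "10.0.1.10", 143, "tcp"),
        FiveTuple("203.0.113.9", 40007, "10.0.1.10", 3306, "tcp"),
        # one source probing only two closed ports, but on several servers
        FiveTuple("198.51.100.7", 50001, "10.0.1.11", 22, "tcp"),
        FiveTuple("198.51.100.7", 50002, "10.0.1.12", 22, "tcp"),
        # a single stray hit, as a misconfigured client might produce
        FiveTuple("192.0.2.5", 60001, "10.0.1.10", 8080, "tcp"),
    ],
    "area-2": [
        FiveTuple("198.51.100.7", 50003, "10.0.2.20", 3389, "tcp"),
        FiveTuple("198.51.100.7", 50004, "10.0.2.21", 3389, "tcp"),
    ],
}


def count_per_source(uploads: Dict[str, List[FiveTuple]]) -> Dict[str, Tuple[int, int]]:
    """Step S102: for each source IP, count the number of *different* closed
    ports and *different* servers (destination IPs) it touched, across all
    areas. Sets make repeated packets to the same port count only once."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    servers: Dict[str, Set[str]] = defaultdict(set)
    for tuples in uploads.values():
        for t in tuples:
            ports[t.src_ip].add(t.dst_port)
            servers[t.src_ip].add(t.dst_ip)
    return {ip: (len(ports[ip]), len(servers[ip])) for ip in ports}


def detect_scanning_ips(counts: Dict[str, Tuple[int, int]],
                        first_threshold: int, second_threshold: int,
                        server_count: int) -> Set[str]:
    """Step S103 with the embodiment's two rules: rule 1 uses only the
    closed-port count against the (higher) first threshold; rule 2 uses the
    (lower) second threshold together with a minimum number of servers."""
    if not second_threshold < first_threshold:
        raise ValueError("second preset threshold must be smaller than the first")
    malicious: Set[str] = set()
    for ip, (n_ports, n_servers) in counts.items():
        rule1 = n_ports > first_threshold
        rule2 = n_ports > second_threshold and n_servers > server_count
        if rule1 or rule2:
            malicious.add(ip)
    return malicious


def firewall_update(previously_pushed: Set[str], detected_now: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Per-round refresh of the firewall list (this example's reading of the
    update step): returns (IPs to push, IPs whose block is lifted)."""
    return detected_now - previously_pushed, previously_pushed - detected_now


if __name__ == "__main__":
    counts = count_per_source(UPLOADS)
    found = detect_scanning_ips(counts, first_threshold=5, second_threshold=1, server_count=3)
    for ip, (n_ports, n_servers) in sorted(counts.items()):
        print(f"{ip:14} closed ports={n_ports} servers={n_servers} -> {'SCAN' if ip in found else 'ok'}")
    print("firewall add/remove:", firewall_update({"192.0.2.5", "203.0.113.9"}, found))
```

With first threshold 5, second threshold 1 and server count 3, 203.0.113.9 trips rule 1 (six distinct closed ports on one server, the repeated port counting once) and 198.51.100.7 trips rule 2 (only two distinct ports, but spread over four servers in two areas), while the single stray hit from 192.0.2.5 is left alone, which is the false-positive case the Background section raises against plain occurrence counting.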
An embodiment in which the execution subject is each network area control device is explained below.
It should be noted that although the present application includes an embodiment in which the total control device is an execution subject and an embodiment in which each network area control device is an execution subject, in practice, the total control device and each network area control device cooperate with each other to interactively implement malicious scanning IP detection, and in other cases, the total control device may be the same control device as each network area control device, and therefore, the processes in the embodiment in which the total control device is an execution subject and the processes in the embodiment in which each network area control device is an execution subject may be referred to each other, rather than limiting the execution ranges of the two.
As shown in fig. 3, in an embodiment, an embodiment of the present application provides a malicious scanning IP detection method, which relates to a specific process in which each network area control device uploads collected quintuple information of a traffic network packet accessing a closed port in each network area to a master control device, and the method includes:
s201, acquiring quintuple information of a flow network packet accessing a closed port in each network area; the five-tuple information includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol.
S202, uploading quintuple information to a master control device; the quintuple information is used for indicating the master control equipment to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
In this embodiment, each network area control device obtains quintuple information of a flow network packet accessing a closed port in each area, and then uploads the obtained quintuple information to the master control device, so as to instruct the master control device to obtain different numbers of closed ports and different numbers of servers accessed by each source IP in the quintuple information, and to detect malicious scanning IPs in each network area according to the different numbers of closed ports and different numbers of servers. For the principle of each process in this embodiment, reference may be made to the description in the embodiment in which the above-mentioned general control device is an execution main body, and details are not described here.
Within a given period of time, a normal user neither accesses the closed ports of a server nor attempts to access the closed ports of multiple servers. The method therefore counts, based on the quintuple information of each traffic packet that accesses a closed port, the number of different closed ports and the number of different servers accessed, and determines malicious scanning IPs from those counts. This detects malicious scanning IPs quickly and accurately, and thus provides an effective scheme for accurate and fast detection of malicious scanning IPs.
In the following, the specific process by which each network area control device collects the quintuple information of traffic network packets accessing closed ports in its network area is described in detail. In an embodiment, as shown in fig. 4, step S201 includes:
S301, obtaining the mirror traffic of each server in each network area.
The mirror traffic is a replica of the service traffic of all servers in each network area. In this step, the mirror traffic of each server may be uploaded to the network area control device by the switch. For example, referring to fig. 5, the network area control device in a network area (computer room) acquires the mirror traffic of each server.
S302, extracting the quintuple information of all traffic network packets in the mirror traffic of each server.
Quintuple information is extracted from all traffic network packets in all the acquired mirror traffic. Each traffic network packet carries a source IP, a destination IP, a source port, a destination port and a protocol, and each network area control device can read this information directly.
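As an added illustration of S302 (example code written for this page, not the patent's own implementation), the following Python reads the five-tuple directly from the headers of a mirrored frame, as the text says each network area control device can. The frame builder and the sample frames are constructed test data, and skipping non-IPv4, non-TCP/UDP and truncated frames is an assumption made here.

```python
"""Five-tuple extraction from raw mirrored Ethernet/IPv4 frames (added example,
not the patent's own code)."""
import socket
import struct
from typing import List, NamedTuple, Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP


def parse_five_tuple(frame: bytes) -> Optional[FiveTuple]:
    """Read the five-tuple straight from the headers of one mirrored frame.

    Returns None for anything that is not IPv4 over TCP/UDP, or is truncated: a
    mirror port forwards every frame on the wire, so the extractor must skip
    rather than crash on ARP, ICMP, IPv6 or cut-off frames (assumption made here).
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip_off = ETH_HDR_LEN
    ver_ihl = frame[ip_off]
    ihl = (ver_ihl & 0x0F) * 4  # IPv4 header length in bytes; > 20 when IP options are present
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < ip_off + ihl + 4:
        return None
    protocol = frame[ip_off + 9]
    if protocol not in (PROTO_TCP, PROTO_UDP):
        return None
    src_ip = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    dst_ip = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
    # Source and destination port are the first two 16-bit fields of both TCP and UDP.
    src_port, dst_port = struct.unpack_from("!HH", frame, ip_off + ihl)
    return FiveTuple(src_ip, src_port, dst_ip, dst_port, protocol)


def extract_all(frames) -> List[FiveTuple]:
    """S302 over a batch of mirrored frames: keep only frames that yield a tuple."""
    return [ft for ft in map(parse_five_tuple, frames) if ft is not None]


def build_frame(src_ip, src_port, dst_ip, dst_port, protocol, ip_options=b"") -> bytes:
    """Construct a minimal test frame (constructed data, not captured traffic).
    ip_options must be a multiple of 4 bytes; checksums are left as zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ihl_words = 5 + len(ip_options) // 4
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16  # rest of L4 header zeroed
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(l4),
                     0, 0, 64, protocol, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + ip_options + l4


# Constructed batch: a TCP frame, a UDP frame carrying IP options (IHL = 6),
# an ICMP frame (no ports, skipped) and a truncated frame (skipped).
SAMPLE_FRAMES = [
    build_frame("198.51.100.7", 51000, "10.0.1.10", 3389, PROTO_TCP),
    build_frame("198.51.100.7", 51001, "10.0.1.11", 161, PROTO_UDP, ip_options=b"\x01" * 4),
    build_frame("198.51.100.7", 0, "10.0.1.12", 0, 1),
    build_frame("198.51.100.7", 51002, "10.0.1.12", 23, PROTO_TCP)[:30],
]

if __name__ == "__main__":
    for ft in extract_all(SAMPLE_FRAMES):
        print(ft)
```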
S303, acquiring the quintuple information of traffic network packets accessing closed ports from the extracted quintuple information of all traffic network packets.
Each network area control device determines, from the acquired quintuple information of all traffic network packets, which packets access a closed port. That is, packets accessing open ports are removed, and only the quintuple information of packets accessing closed ports is retained.
Optionally, as shown in fig. 6, one implementation of acquiring the quintuple information of traffic network packets accessing closed ports in step S303 includes:
S401, according to the destination IP in each quintuple, searching the open port information list reported by the server corresponding to each traffic network packet.
Specifically, each network area control device acquires the destination IP of each traffic network packet and the open port information list reported by the server to which that packet belongs. Equivalently, each network area control device determines the corresponding server from the destination IP and then obtains the open port information list reported by that server.
S402, if the destination port in the quintuple of a traffic network packet does not exist in the open port information list reported by the server, determining that packet to be a traffic network packet accessing a closed port.
S403, acquiring the quintuple information of all traffic network packets accessing closed ports among all traffic network packets.
Based on the open port information list reported by each server, each network area control device looks up the destination port of each traffic network packet in the corresponding list: if the destination port is in the open port information list it is an open port; if it is not, it is a closed port.
In this way, each network area control device finds, in turn, the traffic network packets whose destination port is a closed port, and then obtains the quintuple information of all such packets.
It can be understood that, after acquiring the quintuple information of the traffic network packets accessing closed ports in its area, each network area control device stores it and uploads it to the master control device at intervals. Of course, to reduce frequent reporting, information that was recently reported is not reported again, which avoids the resource waste caused by repeated reporting.
In this embodiment, the IPs accessing closed ports among all traffic network packets are identified from the transport layer quintuple information and the open port information of the servers, so that the number of different ports and the number of different servers accessed by each IP subsequently only need to be determined for the IPs that accessed closed ports, which improves the detection efficiency for malicious scanning IPs.
The above embodiments take as an example a master control device that is a separate control device controlling a plurality of network area control devices; in other cases the execution subject is adapted to the actual situation. For example, if there is only one network area, that is, if the master control device is itself the network area control device, then the embodiments in which the execution subject is the master control device and those in which it is each network area control device are all executed by that network area control device.
It should be understood that although the steps in the flowcharts of figs. 2-6 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in figs. 2-6 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages need not be performed sequentially but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In addition, an embodiment of the present application further provides a malicious scanning IP detection system, which is shown in fig. 1 and includes: the system comprises a master control center control device and a plurality of network area control devices;
the master control center control device is used for realizing the processes in all the embodiments taking the master control center control device as an execution main body; and each network area control device is used for realizing the processes in all the embodiments taking each network area control device as an execution main body.
The implementation principle and technical effect of the malicious scanning IP detection system provided in the foregoing embodiment are similar to those of the foregoing malicious scanning IP detection method embodiment, and details are not repeated here.
In addition, a virtual device corresponding to the malicious scanning IP detection method is also provided. As shown in fig. 7, in an embodiment, a malicious scanning IP detection device is provided, and the device includes a receiving module 10, a quantity obtaining module 11 and a detection module 12; wherein:
a receiving module 10, configured to receive quintuple information uploaded by each network area control device; the quintuple information is the quintuple information of the flow network packet accessing the closed port in each network region; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the quantity obtaining module 11 is configured to obtain the quantity of different closed ports and the quantity of different servers accessed by each source IP in the quintuple information;
and the detection module 12 is configured to detect malicious scanning IPs in each network area according to the number of different closed ports and the number of different servers.
In an embodiment, the detection module 12 is specifically configured to determine that a corresponding source IP is a malicious scanning IP if the number of different closed ports is greater than a first preset threshold; or, if the number of different closed ports is greater than a second preset threshold and the number of different servers is greater than a preset number, to determine that the corresponding source IP is a malicious scanning IP; the second preset threshold is smaller than the first preset threshold.
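The closed-port filter of steps S401 to S403 and the two-rule decision of detection module 12, carried through end to end in Python as an added example (not the patent's own code). The open-port lists, the traffic, the threshold values, and the reading of "different closed ports" as distinct port numbers across all servers rather than per-server pairs are assumptions made for this example.

```python
"""Closed-port filtering and threshold-based scanner detection (added example,
not the patent's own code)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # transport-layer protocol, "tcp" or "udp"


# Open-port lists as each server in a network area would report them, keyed by
# server IP (constructed sample data for this example).
OPEN_PORTS: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.1.10": {("tcp", 22), ("tcp", 443)},
    "10.0.1.11": {("tcp", 80), ("tcp", 443)},
    "10.0.1.12": {("tcp", 3306)},
}


def is_closed_port_access(ft: FiveTuple, open_ports: Dict[str, Set[Tuple[str, int]]]) -> bool:
    """S401/S402: look up the destination server's reported open-port list; a
    destination port absent from it is a closed port. A server that reported no
    list is assumed (our choice) to have no open ports, so every hit counts."""
    return (ft.protocol, ft.dst_port) not in open_ports.get(ft.dst_ip, set())


def collect_closed_port_tuples(packets: Iterable[FiveTuple],
                               open_ports: Dict[str, Set[Tuple[str, int]]]) -> List[FiveTuple]:
    """Area-controller side (S303/S403): keep only the five-tuples whose
    destination port is closed; these are what gets uploaded to the master."""
    return [ft for ft in packets if is_closed_port_access(ft, open_ports)]


def count_per_source(closed_tuples: Iterable[FiveTuple]) -> Dict[str, Tuple[int, int]]:
    """Master side: per source IP, the number of distinct closed ports and of
    distinct servers (destination IPs) it touched within the reporting period.
    Ports are counted as distinct (protocol, port) numbers across all servers;
    that reading of the text is an assumption."""
    ports: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    servers: Dict[str, Set[str]] = defaultdict(set)
    for ft in closed_tuples:
        ports[ft.src_ip].add((ft.protocol, ft.dst_port))
        servers[ft.src_ip].add(ft.dst_ip)
    return {ip: (len(ports[ip]), len(servers[ip])) for ip in ports}


def detect_scanners(counts: Dict[str, Tuple[int, int]], first_threshold: int,
                    second_threshold: int, server_threshold: int) -> List[str]:
    """Rule of detection module 12: flag a source IP if it hit more than
    first_threshold distinct closed ports, or more than second_threshold closed
    ports spread over more than server_threshold servers. The second threshold
    is smaller than the first, so rule two catches lower-volume horizontal probing."""
    if second_threshold >= first_threshold:
        raise ValueError("second preset threshold must be smaller than the first")
    flagged = [
        ip for ip, (n_ports, n_servers) in counts.items()
        if n_ports > first_threshold
        or (n_ports > second_threshold and n_servers > server_threshold)
    ]
    return sorted(flagged)


def _probe(src: str, dst: str, port: int, sport: int = 51000) -> FiveTuple:
    return FiveTuple(src, sport, dst, port, "tcp")


# Constructed traffic for one reporting interval: 198.51.100.7 sweeps many ports
# on one server, 203.0.113.9 probes three ports on every server, and 192.0.2.4 is
# a normal client that hits one closed port once (a mistyped port is not a scan).
SAMPLE_PACKETS: List[FiveTuple] = (
    [_probe("198.51.100.7", "10.0.1.10", p) for p in
     (21, 23, 25, 110, 143, 445, 1433, 3389, 5900, 6379, 8080, 8443)]
    + [_probe("203.0.113.9", srv, p) for srv in OPEN_PORTS for p in (21, 23, 3389)]
    + [_probe("192.0.2.4", "10.0.1.10", 443), _probe("192.0.2.4", "10.0.1.11", 80),
       _probe("192.0.2.4", "10.0.1.11", 8443)]
)


def run_detection(packets: Iterable[FiveTuple] = SAMPLE_PACKETS) -> List[str]:
    """Whole pipeline: area-side filtering, master-side counting, threshold rules."""
    closed = collect_closed_port_tuples(packets, OPEN_PORTS)
    counts = count_per_source(closed)
    return detect_scanners(counts, first_threshold=10, second_threshold=2, server_threshold=2)


if __name__ == "__main__":
    print(run_detection())  # constructed data yields ['198.51.100.7', '203.0.113.9']
```

The flagged list is what the pushing module would forward to the firewall; the normal client stays below both rules because one stray closed-port hit neither exceeds the port thresholds nor spans several servers.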
In one embodiment, the apparatus further comprises: and the pushing module is used for pushing all the detected malicious scanning IP to the firewall.
As shown in fig. 8, in one embodiment, a malicious scanning IP detection apparatus is provided, including an information acquisition module 13 and an uploading module 14; wherein:
an information obtaining module 13, configured to obtain quintuple information of a traffic network packet accessing a closed port in each network area; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the uploading module 14 is used for uploading the quintuple information to the master control equipment; the quintuple information is used for indicating the master control equipment to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
In one embodiment, the information obtaining module 13 includes:
a mirror flow acquiring unit, configured to acquire mirror flows of servers in network areas;
the information extraction unit is used for extracting quintuple information of all traffic network packets in the mirror flow of each server;
and a closed port information acquisition unit, configured to acquire the quintuple information of traffic network packets accessing closed ports from the extracted quintuple information of all traffic network packets.
In an embodiment, the closed port information acquisition unit is specifically configured to search, according to the destination IP in each quintuple, the open port information list reported by the server corresponding to each traffic network packet; if the destination port in the quintuple of a traffic network packet does not exist in the open port information list reported by the server, to determine that packet to be a traffic network packet accessing a closed port; and to acquire the quintuple information of all traffic network packets accessing closed ports among all traffic network packets.
The implementation principle and technical effect of all malicious scanning IP detection apparatuses provided in the above embodiments are similar to those of the above malicious scanning IP detection method embodiments, and are not described herein again.
For specific limitations of the malicious scanning IP detection apparatus, reference may be made to the above limitations of the malicious scanning IP detection method, which are not repeated here. The modules in the malicious scanning IP detection apparatus can be wholly or partially implemented by software, hardware, or a combination thereof. The modules can be embedded in hardware form in, or be independent of, the processor of the computer device, or can be stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, the internal structure of which may be as described above in fig. 1 a. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a malicious scanning IP detection method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 1a is a block diagram of only a portion of the structure relevant to the present application, and does not constitute a limitation on the computing device to which the present application is applied, and a particular computing device may include more or less components than those shown, or combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
receiving quintuple information uploaded by each network area control device; the quintuple information is the quintuple information of the flow network packet accessing the closed port in each network region; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
acquiring the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information;
detecting malicious scanning IPs in each network area according to the number of different closed ports and the number of different servers.
Alternatively, the processor implements the following steps when executing the computer program:
acquiring quintuple information of a flow network packet accessing a closed port in each network area; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
uploading the quintuple information to a master control device; the quintuple information is used for indicating the master control equipment to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
The implementation principle and technical effect of the computer device provided by the above embodiment are similar to those of the above method embodiment, and are not described herein again.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
receiving quintuple information uploaded by each network area control device; the quintuple information is the quintuple information of the flow network packet accessing the closed port in each network region; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
acquiring the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information;
detecting malicious scanning IPs in each network area according to the number of different closed ports and the number of different servers.
Alternatively, the computer program when executed by a processor implements the steps of:
acquiring quintuple information of a flow network packet accessing a closed port in each network area; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
uploading the quintuple information to a master control device; the quintuple information is used for indicating the master control equipment to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
The implementation principle and technical effect of the computer-readable storage medium provided by the above embodiments are similar to those of the above method embodiments, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (11)

1. A malicious scanning IP detection method is characterized by comprising the following steps:
receiving quintuple information uploaded by each network area control device; the quintuple information is quintuple information of a flow network packet accessing a closed port in each network region; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
acquiring the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information;
and detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
2. The IP malicious scanning detection method according to claim 1, wherein the detecting the malicious scanning IPs in each network area according to the number of the different closed ports and the number of the different servers comprises:
if the number of the different closed ports is larger than a first preset threshold value, determining that the corresponding source IP is a malicious scanning IP; or,
if the number of the different closed ports is larger than a second preset threshold value and the number of the different servers is larger than a preset number, determining that the corresponding source IP is a malicious scanning IP; the second preset threshold is smaller than the first preset threshold.
3. The IP malicious scanning detection method according to claim 1 or 2, wherein after the detecting the malicious scanning IPs in each of the network areas, the method further comprises:
and pushing all the detected malicious scanning IP to the firewall.
4. A malicious scanning IP detection method is characterized by comprising the following steps:
acquiring quintuple information of a flow network packet accessing a closed port in each network area; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
uploading the quintuple information to a master control device; the quintuple information is used for indicating the master control device to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IPs in each network area according to the number of the different closed ports and the number of the different servers.
5. The malicious scanning IP detection method of claim 4, wherein the obtaining of quintuple information of traffic network packets accessing a closed port in each network region comprises:
acquiring mirror image flow of each server in each network area;
extracting quintuple information of all traffic network packets in the mirror flow of each server;
and acquiring the quintuple information of the traffic network packet accessing the closed port according to the extracted quintuple information of all the traffic network packets.
6. The malicious scanning IP detection method according to claim 5, wherein obtaining the quintuple information of the traffic network packet accessing the closed port according to the extracted quintuple information of all the traffic network packets comprises:
searching an open port information list reported by a server corresponding to each flow network packet according to a target IP in each quintuple information;
if the target port in the quintuple information of the corresponding traffic network packet does not exist in the open port information list reported by the server, determining that the corresponding traffic network packet is the traffic network packet accessing the closed port;
and acquiring quintuple information of all the flow network packets accessing the closed ports in all the flow network packets.
7. A malicious scanning IP detection system, the system comprising: the system comprises a master control center control device and a plurality of network area control devices;
the master control center control equipment is used for realizing the malicious scanning IP detection method of any one of claims 1 to 3;
each of the network area control devices is configured to implement the malicious scanning IP detection method according to any one of claims 4 to 6.
8. An apparatus for malicious scanning IP detection, the apparatus comprising:
the receiving module is used for receiving quintuple information uploaded by each network area control device; the quintuple information is quintuple information of a flow network packet accessing a closed port in each network region; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the quantity obtaining module is used for obtaining the quantity of different closed ports and the quantity of different servers accessed by each source IP in the quintuple information;
and the detection module is used for detecting malicious scanning IP in each network area according to the number of the different closed ports and the number of the different servers.
9. An apparatus for malicious scanning IP detection, the apparatus comprising:
the information acquisition module is used for acquiring quintuple information of the flow network packet accessing the closed port in each network area; the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the uploading module is used for uploading the quintuple information to a master control device; the quintuple information is used for indicating the master control device to acquire the number of different closed ports and the number of different servers accessed by each source IP in the quintuple information, and detecting malicious scanning IPs in each network area according to the number of the different closed ports and the number of the different servers.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the malicious scanning IP detection method of any of claims 1 to 6.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the malicious scanning IP detection method according to any one of claims 1 to 6.
CN202010051255.6A 2020-01-17 2020-01-17 Malicious scanning IP detection method, system, device, equipment and storage medium Active CN111314300B (en)


Publications (2)

Publication Number Publication Date
CN111314300A true CN111314300A (en) 2020-06-19
CN111314300B CN111314300B (en) 2022-03-22

Family

ID=71160371

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839018A (en) * 2019-11-25 2021-05-25 华为技术有限公司 Degree value generation method and related equipment
CN113542310A (en) * 2021-09-17 2021-10-22 上海观安信息技术股份有限公司 Network scanning detection method and device and computer storage medium
CN114244543A (en) * 2020-09-08 2022-03-25 中国移动通信集团河北有限公司 Network security defense method and device, computing equipment and computer storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719906A (en) * 2009-11-10 2010-06-02 电子科技大学 Worm propagation behavior-based worm detection method
CN102594620A (en) * 2012-02-20 2012-07-18 南京邮电大学 Linkable distributed network intrusion detection method based on behavior description
US20140101724A1 (en) * 2012-10-10 2014-04-10 Galois, Inc. Network attack detection and prevention based on emulation of server response and virtual server cloning
CN106330944A (en) * 2016-08-31 2017-01-11 杭州迪普科技有限公司 Method and device for recognizing malicious system vulnerability scanner
CN109768949A (en) * 2017-11-09 2019-05-17 阿里巴巴集团控股有限公司 A kind of port scan processing system, method and relevant apparatus


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20200619

Assignee: GUANGZHOU CUBESILI INFORMATION TECHNOLOGY Co.,Ltd.

Assignor: GUANGZHOU HUADUO NETWORK TECHNOLOGY Co.,Ltd.

Contract record no.: X2021440000031

Denomination of invention: Malicious scanning IP detection method, system, device, device and storage medium

License type: Common License

Record date: 20210125

GR01 Patent grant