CN111835777A - Abnormal flow detection method, device, equipment and medium - Google Patents

Publication number
CN111835777A
Authority
CN
China
Prior art keywords
detected
analyzed data
data
engine
preset
Prior art date
Legal status
Granted
Application number
CN202010697572.5A
Other languages
Chinese (zh)
Other versions
CN111835777B (en)
Inventor
陈晓光
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010697572.5A
Publication of CN111835777A
Application granted
Publication of CN111835777B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

The application discloses a method, a device, equipment and a medium for detecting abnormal traffic. The method comprises the following steps: performing deep content analysis on the data packet to be detected to obtain analyzed data to be detected; determining, from a preset abnormal traffic detection engine set and according to the analyzed data to be detected, a target engine for detecting it; and detecting the analyzed data to be detected with the target engine to determine whether it is abnormal traffic. Because the content of the traffic to be detected is deeply analyzed, the real attack payload can be found and the capability of identifying content is improved; because the traffic to be detected can be detected by several engines in the preset abnormal traffic detection engine set, the insufficient expressive power of a single rule engine is overcome, the detection accuracy is improved, and the probability of misjudgment and missed judgment is reduced.

Description

Abnormal flow detection method, device, equipment and medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a medium for detecting abnormal traffic.
Background
With the evolution of digitization, the variety and number of web (World Wide Web) applications has exploded. The complexity of the business and the uneven skill level of web application developers make various kinds of security defects inevitable in web applications. Typical attacks against web applications, such as SQL (Structured Query Language) injection, XSS (Cross-Site Scripting, also abbreviated CSS), directory traversal and file inclusion, cause far-reaching harm. At present, attack traffic is mainly identified by performing string matching on http (Hyper Text Transfer Protocol) traffic, after which the attack is blocked. The prior art has the following defects. First, a rule engine based on string matching only performs feature extraction, so its capability of recognizing content is insufficient and the attack payload hidden in the traffic cannot be found. Second, the rule engine based on string matching performs regular-expression matching, whose expressive power is insufficient, so attack characteristics cannot be accurately identified and a large number of misjudgments and missed judgments result.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, a device, and a medium for detecting abnormal traffic, which can find a real attack load, improve the capability of identifying content, improve the detection accuracy, and reduce the probability of erroneous judgment and missed judgment. The specific scheme is as follows:
in a first aspect, the present application discloses an abnormal traffic detection method, including:
performing content deep analysis on the data packet to be detected to obtain analyzed data to be detected;
determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the analyzed data to be detected;
and detecting the analyzed data to be detected by using the target engine to determine whether the analyzed data to be detected is abnormal flow.
Optionally, the performing content deep analysis on the data packet to be detected to obtain data to be detected after analysis includes:
determining a target protocol corresponding to the data packet to be detected;
and analyzing the data packet to be detected according to the target protocol to obtain the analyzed data to be detected.
Optionally, before determining, according to the analyzed data to be detected, a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set, the method further includes:
and determining whether the analyzed data to be detected is suspicious flow or not by using a preset flow baseline.
Optionally, the determining, by using a preset flow baseline, whether the analyzed data to be detected is suspicious flow includes:
comparing the analyzed data to be detected with a preset flow baseline;
and if the analyzed data to be detected deviates from a preset flow baseline, determining the analyzed data to be detected as suspicious flow, and determining confidence coefficient parameters of the analyzed data to be detected according to the condition that the analyzed data to be detected deviates from the preset flow baseline.
Optionally, the determining, according to the analyzed data to be detected, a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set includes:
and determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the confidence coefficient parameter.
Optionally, the determining, according to the analyzed data to be detected, a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set includes:
determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the source IP address in the analyzed data to be detected;
and/or determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the target IP address in the analyzed data to be detected.
Optionally, the determining, according to the analyzed data to be detected, a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set includes:
and when the analyzed data to be detected comprises an undisclosed vulnerability, determining a semantic detection engine and/or a machine learning engine in the preset abnormal traffic detection engine set as the target engine for detecting the analyzed data to be detected.
In a second aspect, the present application discloses an abnormal flow detection apparatus, including:
the data analysis module is used for analyzing the data packet to be detected to obtain analyzed data to be detected;
the engine determining module is used for determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the analyzed data to be detected;
and the detection module is used for detecting the analyzed data to be detected by using the target engine so as to determine whether the analyzed data to be detected is abnormal flow.
In a third aspect, the present application discloses an abnormal traffic detection apparatus, including:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the abnormal flow detection method disclosed in the foregoing.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the abnormal traffic detection method disclosed in the foregoing.
According to the method and the device, deep content analysis is first carried out on the data packet to be detected to obtain analyzed data to be detected; then a target engine for detecting the analyzed data is determined from a preset abnormal traffic detection engine set according to the analyzed data; then the target engine is used to detect the analyzed data and determine whether it is abnormal traffic. Thus, when traffic needs anomaly detection, deep content analysis is performed on the traffic to be detected first, and the target engine determined within the preset abnormal traffic detection engine set detects the analyzed data to determine whether it is abnormal traffic. Because the content of the traffic is deeply analyzed first, the real attack payload can be found and the capability of identifying content is improved; because the traffic can be detected by several engines in the preset abnormal traffic detection engine set, the insufficient expressive power of a single rule engine is overcome, the detection accuracy is improved, and the probability of misjudgment and missed judgment is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an abnormal traffic detection method disclosed in the present application;
FIG. 2 is a flow chart of a specific abnormal traffic detection method disclosed herein;
FIG. 3 is a flow chart of a specific abnormal traffic detection method disclosed herein;
fig. 4 is a schematic structural diagram of an abnormal traffic detection apparatus disclosed in the present application;
fig. 5 is a structural diagram of an abnormal traffic detection device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, attack traffic is mainly identified by performing character string matching on http traffic, and then the attack is blocked. The rule engine based on the character string matching is adopted to extract the features in the flow and then perform the regular matching of the character strings on the extracted features, and the method generally has the problem that the attack load hidden in the flow cannot be found due to the insufficient recognition capability of the content. And the problems of insufficient expression capability and incapability of accurately identifying attack characteristics due to regular matching, so that a large number of misjudgments and missed judgments are caused. In view of this, the present application provides an abnormal traffic detection method, which can find a real attack load, improve the content recognition capability, improve the detection accuracy, and reduce the probability of erroneous judgment and missed judgment.
Referring to fig. 1, an embodiment of the present application discloses an abnormal traffic detection method, including:
step S11: and performing content deep analysis on the data packet to be detected to obtain analyzed data to be detected.
In a specific implementation process, after a data packet to be detected is acquired, deep content analysis needs to be performed on the data packet to be detected first, so that data to be detected after analysis is obtained. The data packet to be detected may be a data packet to be detected captured by the network security device.
Performing deep content analysis on the data packet to be detected includes parsing the protocol in the data packet, identifying the content of the data packet, decoding (restoring) encoded content in the data packet, decrypting encrypted content in the data packet and the like, so as to obtain the analyzed data to be detected.
Step S12: and determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the analyzed data to be detected.
After the analyzed data to be detected is obtained, a target engine for detecting the analyzed data to be detected is further determined from a preset abnormal traffic detection engine set according to the analyzed data to be detected, so that whether the analyzed data to be detected is abnormal traffic is determined by using the target engine. The preset abnormal flow detection engine set comprises a plurality of engines. The number of the determined target engines can be one or more.
For example, the preset abnormal traffic detection engine set may include, but is not limited to, a rule engine based on string matching, a semantic detection engine, a machine learning engine, a cloud engine and an active defense engine. The rule engine based on string matching extracts features from the analyzed data to be detected and then matches the extracted features against the strings in a preset abnormal traffic string library to determine whether the analyzed data is abnormal traffic. The semantic detection engine checks the syntactic format and the semantics of the analyzed data to determine whether it is abnormal traffic. The machine learning engine may be an abnormal traffic detection model trained in advance with a machine learning method. The cloud engine sends the analyzed data to a cloud server for detection to determine whether it is abnormal traffic; for data whose detection consumes more resources, using the cloud engine can improve detection efficiency. The active defense engine performs active attack defense, for example by using honeypot technology, so as to determine whether the analyzed data is abnormal traffic.
Specifically, the target engine to be used may be determined according to the specific content in the analyzed data to be detected. For example, a target engine to be used may be determined according to the sensitivity of the content in the analyzed data to be detected, if the sensitivity of the content in the analyzed data to be detected is high and the preset abnormal traffic detection engine set includes 5 different engines, 4 engines may be determined from the preset abnormal traffic detection engine set as the target engine, and if the sensitivity of the content in the analyzed data to be detected is low, 2 engines may be determined from the preset abnormal traffic detection engine set as the target engine. In addition, the target engine and the like may also be determined according to the data type included in the analyzed data to be detected, which is not particularly limited herein.
Step S13: and detecting the analyzed data to be detected by using the target engine to determine whether the analyzed data to be detected is abnormal flow.
It can be understood that, once the target engine is determined, it may be used to determine whether the analyzed data to be detected is abnormal traffic. For example, if the target engine is the semantic detection engine, it first checks the syntactic format of the analyzed data: if the syntactic format does not meet the requirement of a preset syntactic format, the analyzed data is determined to be abnormal traffic; if it does meet the requirement, the semantics of the analyzed data are checked, and if the semantics belong to a preset abnormal traffic semantic library the analyzed data is determined to be abnormal traffic, otherwise it is determined to be normal traffic.
When the number of target engines is greater than 1, whether the analyzed data to be detected is abnormal traffic needs to be determined from the detection results of all target engines; the engines are linked flexibly rather than simply executed in series. For example, when all target engines find the analyzed data to be normal traffic, it is determined to be normal traffic, otherwise it is determined to be abnormal traffic. Or, when two or more target engines find the analyzed data to be abnormal traffic, it is determined to be abnormal traffic, otherwise normal traffic; in this case the number of target engines is at least 2.
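As an added illustration (not code from the patent or from Sangfor), the following Python models two of the engines named above and the two linkage policies described in this paragraph. The rule engine matches a constructed feature library; the semantic engine tokenizes the value, treats a tokenization failure as a syntactic-format violation, flags an expression where the parameter's expected format is a single integer literal, and otherwise checks the tokens against a constructed abnormal-semantics library. The feature library, the tokenizer grammar, the parameter record layout (`value`, `expected`) and the semantic library are this example's own assumptions.

```python
import re

# Constructed abnormal-traffic string library for the rule engine (feature matching only).
RULE_LIBRARY = ("<script", "union select", "../")

# Constructed abnormal-semantics library for the semantic engine: words that carry
# query-language meaning when they appear outside a string literal.
ABNORMAL_SEMANTICS = {"or", "and", "select", "union", "sleep"}

# Tiny grammar: integers, identifiers, single-quoted strings, comparison operators, punctuation.
_TOKEN_RE = re.compile(r"\s*(\d+|[A-Za-z_]\w*|'[^']*'|[<>=!]=?|[-+*/(),;])")


def rule_engine(param):
    """String-matching rule engine: abnormal if any library feature occurs in the value."""
    low = param["value"].lower()
    return any(feature in low for feature in RULE_LIBRARY)


def _tokenize(value):
    """Return the token list, or None when the value does not fit the grammar."""
    tokens, pos = [], 0
    value = value.strip()
    while pos < len(value):
        match = _TOKEN_RE.match(value, pos)
        if match is None:
            return None
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def semantic_engine(param):
    """Semantic engine: syntactic check first, then meaning. Returns True for abnormal."""
    tokens = _tokenize(param["value"])
    if tokens is None:
        return True  # syntactic format violated
    if param["expected"] == "int":
        # A single integer literal is the expected format; anything more is an expression.
        return not (len(tokens) == 1 and tokens[0].isdigit())
    return any(token.lower() in ABNORMAL_SEMANTICS for token in tokens)


ENGINES = {"rule": rule_engine, "semantic": semantic_engine}


def linked_verdict(param, engines=ENGINES, policy="any"):
    """Combine per-engine results into one verdict (abnormal, votes).
    'any': abnormal unless every engine reports normal.
    'two_or_more': abnormal when at least two engines report abnormal (needs >= 2 engines)."""
    votes = {name: engine(param) for name, engine in engines.items()}
    if policy == "any":
        abnormal = any(votes.values())
    elif policy == "two_or_more":
        if len(engines) < 2:
            raise ValueError("two_or_more needs at least two target engines")
        abnormal = sum(votes.values()) >= 2
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return abnormal, votes


if __name__ == "__main__":
    # Constructed samples: an integer parameter carrying an expression, and a text parameter
    # carrying a tag that only the string library recognises.
    for sample in ({"value": "1 or 2>1", "expected": "int"},
                   {"value": "<script>alert(1)</script>", "expected": "text"}):
        print(sample["value"], "->", linked_verdict(sample), linked_verdict(sample, policy="two_or_more"))
```

The two samples show why the page links engines instead of relying on one: the expression in the integer parameter carries no library feature, so only the semantic engine flags it, while the tag is caught only by the string library. Under the "any" policy both are abnormal; under "two or more" neither is, which is the trade-off between missed judgments and misjudgments that the choice of policy sets.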
The data to be detected are detected by adopting the preset abnormal flow detection engine set comprising the multiple engines, different target engines are determined in the preset abnormal flow detection engine to detect the data to be detected according to the difference of the data to be detected, so that the problems of low detection accuracy and misjudgment and missed detection caused by the fact that different flows are detected by adopting a rule engine based on character string matching in the prior art can be solved, the detection accuracy is improved, and the probability of the misjudgment and the missed detection is reduced.
According to the method and the device, deep content analysis is first carried out on the data packet to be detected to obtain analyzed data to be detected; then a target engine for detecting the analyzed data is determined from a preset abnormal traffic detection engine set according to the analyzed data; then the target engine is used to detect the analyzed data and determine whether it is abnormal traffic. Thus, when traffic needs anomaly detection, deep content analysis is performed on the traffic to be detected first, and the target engine determined within the preset abnormal traffic detection engine set detects the analyzed data to determine whether it is abnormal traffic. Because the content of the traffic is deeply analyzed first, the real attack payload can be found and the capability of identifying content is improved; because the traffic can be detected by several engines in the preset abnormal traffic detection engine set, the insufficient expressive power of a single rule engine is overcome, the detection accuracy is improved, and the probability of misjudgment and missed judgment is reduced.
Referring to fig. 2, an embodiment of the present application discloses a specific abnormal traffic detection method, including:
step S21: and performing content deep analysis on the data packet to be detected to obtain analyzed data to be detected.
In a specific implementation process, after the data packet to be detected is obtained, deep content analysis is performed on the data packet to be detected first, so that data to be detected after analysis is obtained.
Specifically, the deep content analysis of the data packet to be detected includes: determining a target protocol corresponding to the data packet to be detected; and analyzing the data packet to be detected according to the target protocol to obtain the analyzed data to be detected.
The determining the target protocol corresponding to the to-be-detected data packet may include: and matching the data packet to be detected by utilizing a preset application rule base to determine a target protocol corresponding to the data packet to be detected, wherein the application rule base comprises different protocols and rules corresponding to the protocols. Specifically, the data packet to be detected is matched with a preset application rule base, and the target protocol is determined according to a matching result. In practical application, some ports are used for transmitting data of a specific protocol during design, and in this case, according to the port corresponding to the packet to be detected and the corresponding relationship between the port and the protocol, the target protocol corresponding to the packet to be detected can be determined.
Analyzing the data packet to be detected according to the target protocol to obtain the analyzed data to be detected, including: analyzing the target protocol; identifying the content in the data packet to be detected according to the analysis result; judging whether the identified data is coded data; and if the identified data is the coded data, decoding the identified data, and taking the decoded data as the analyzed data to be detected.
The protocol includes, but is not limited to, tcp/ip (Transmission Control Protocol/Internet Protocol) and http. Content identification in the data packet to be detected includes, but is not limited to, identification of content in text, html (Hyper Text Markup Language), xform, json (JavaScript Object Notation), xml (Extensible Markup Language) and file formats. The decoding includes, but is not limited to, urlencode, htmlencode, unicode, base64, utf8/utf16/utf32 and hex/oct decoding.
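As an added worked example (not code from the patent or from Sangfor), the following Python strips nested encoding layers of the kinds listed above (URL encoding, HTML entities, hex and base64) until a fixed point, so that a downstream engine sees the restored content rather than the encoded form. The order in which layers are tried, the bound on nesting depth and the shape heuristics for hex and base64 are this example's own choices, not anything the patent specifies.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote

# Upper bound on nested layers: an unbounded fixed-point loop would let one request keep
# the parser busy for as many layers as a sender cares to nest.
MAX_LAYERS = 8

# Whole-value shape checks for the two encodings that have no marker character.
_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def _as_printable_text(raw):
    """Return the bytes as text if they decode as UTF-8 and contain only printable characters."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_one_layer(value):
    """Strip exactly one encoding layer; returns (decoded, layer_name) or (value, None)."""
    if "%" in value:
        out = unquote(value)
        if out != value:
            return out, "urlencode"
    if "&" in value:
        out = html.unescape(value)
        if out != value:
            return out, "htmlencode"
    # Hex is tested before base64 because every hex string is also base64-shaped.
    if _HEX_RE.match(value):
        out = _as_printable_text(bytes.fromhex(value))
        if out is not None:
            return out, "hex"
    # Heuristic: an ordinary word of the right length can look like base64, so the result
    # is only accepted when it decodes to printable text.
    if _B64_RE.match(value) and len(value) % 4 == 0:
        try:
            out = _as_printable_text(base64.b64decode(value, validate=True))
        except binascii.Error:
            out = None
        if out is not None:
            return out, "base64"
    return value, None


def deep_decode(value):
    """Restore a parameter value by peeling encoding layers until nothing changes.
    Returns (restored_value, [layer names in the order they were removed])."""
    layers = []
    for _ in range(MAX_LAYERS):
        value, layer = decode_one_layer(value)
        if layer is None:
            break
        layers.append(layer)
    return value, layers


if __name__ == "__main__":
    # Constructed sample: "<script>" hidden behind two URL-encoding layers and one HTML-entity layer.
    print(deep_decode("%2526lt%253Bscript%2526gt%253B"))
```

A string-matching rule engine run on the raw value above would find nothing, because the library feature only appears after the third layer is removed; running the engines on the restored value is the "content deep analysis" step the patent places before detection. The depth bound is the practical caveat: restoration must terminate on input that is designed not to.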
Step S22: and determining whether the analyzed data to be detected is suspicious flow or not by using a preset flow baseline.
After the analyzed data to be detected is obtained, it may be determined whether the analyzed data to be detected is suspicious traffic by using a preset traffic baseline. Specifically, the analyzed data to be detected is compared with a preset flow baseline; and if the analyzed data to be detected deviates from a preset flow baseline, determining the analyzed data to be detected as suspicious flow, and determining confidence coefficient parameters of the analyzed data to be detected according to the condition that the analyzed data to be detected deviates from the preset flow baseline. The preset flow baseline may be a preset data packet content requirement, for example, the data packet to be detected includes registration information filled in by a user on a registration page, and the registration information includes a user name, a password, and a mobile phone number. The preset traffic baseline may include that the user name needs to include 6-20 characters, the password needs to include 6 characters, including numbers and letters, and the mobile phone number needs to include 11 numbers.
Correspondingly, before determining whether the analyzed data to be detected is suspicious traffic by using the preset traffic baseline, the method further includes: and performing service modeling on the traffic of the WEB application corresponding to the data packet to be detected to form the preset traffic baseline.
Step S23: and if the analyzed data to be detected is suspicious traffic, determining a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set according to the analyzed data to be detected.
After judging whether the analyzed data to be detected is suspicious traffic or not, if the analyzed data to be detected is suspicious traffic, determining a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set according to the analyzed data to be detected. The preset abnormal flow detection engine set comprises a plurality of engines.
In a first specific implementation process, the determining, according to the analyzed data to be detected, a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set includes: and determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the confidence coefficient parameter.
After the analyzed data to be detected is compared with the preset traffic baseline, if it deviates from the baseline, its confidence coefficient parameter can be determined according to how it deviates. Two conventions are possible. Under the first, the more the analyzed data deviates from the baseline, the smaller the confidence coefficient parameter, indicating a smaller probability that the data is normal traffic; the less it deviates, the larger the parameter, indicating a larger probability that the data is normal traffic. Under the second, the more the analyzed data deviates from the baseline, the larger the confidence coefficient parameter, indicating a larger probability that the data is abnormal traffic; the less it deviates, the smaller the parameter, indicating a smaller probability that the data is abnormal traffic.
Specifically, the number of the target engines may be determined according to a range to which the confidence coefficient parameter belongs, and then a corresponding number of engines among the engines with a small load in the preset abnormal traffic detection engine set may be determined as the target engines. For example, if the confidence coefficient parameter is larger, the probability that the analyzed data to be detected is abnormal flow is larger, when the confidence coefficient parameter belongs to a first preset range, the number of the target engines is 4, and when the confidence coefficient parameter belongs to a second preset range, the number of the target engines is 3, and the like, wherein the lower boundary of the first preset range is larger than the upper boundary of the second preset range, and the total number of the engines in the preset abnormal detection engines is larger than or equal to 4. In addition, there may be other ways to determine the target engine according to the confidence coefficient parameter, which is not specifically limited herein.
In a second specific implementation process, the determining, according to the analyzed data to be detected, a target engine for detecting the analyzed data to be detected from a preset abnormal traffic detection engine set includes: determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the source IP address in the analyzed data to be detected; and/or determining a target engine for detecting the analyzed data to be detected from a preset abnormal flow detection engine set according to the target IP address in the analyzed data to be detected.
In an actual process, the sensitivity of data content stored in some servers is high, so that strict requirements are imposed on the source of access traffic, and a target engine for detecting the analyzed data to be detected can be determined from a preset abnormal traffic detection engine set according to a source IP address in the analyzed data to be detected. The number of target engines may be relatively small if the source IP address is in a library of pre-set trusted IP addresses. The number of target engines may be relatively large if the source IP address is not in a pre-set trusted IP address repository. Correspondingly, in some scenarios, the server has a limitation on the destination end of the sent data, so that a target engine for detecting the analyzed data to be detected can also be determined from a preset abnormal traffic detection engine set according to the destination IP address in the analyzed data to be detected.
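As an added worked example (not code from the patent or from Sangfor), the following Python carries steps S22 and S23 through for the registration-form baseline described above. The three baseline rules follow the page's example (the password rule is read as "at least 6 characters"); the confidence coefficient parameter is taken as the fraction of baseline rules violated, i.e. the page's second convention, where a larger value means more likely abnormal. The count-by-range table, the trusted-source list, the engine load figures and the plus-or-minus-one adjustment for trusted and untrusted source addresses are this example's own assumptions.

```python
import ipaddress
import re

# Constructed traffic baseline for a registration form, following the page's example:
# user name 6-20 characters, password at least 6 characters with both letters and digits,
# mobile number exactly 11 digits. Each check returns True when the field is within baseline.
def _username_ok(v):
    return 6 <= len(v) <= 20

def _password_ok(v):
    return len(v) >= 6 and re.search(r"[A-Za-z]", v) is not None and re.search(r"\d", v) is not None

def _phone_ok(v):
    return re.fullmatch(r"\d{11}", v) is not None

BASELINE = {"username": _username_ok, "password": _password_ok, "phone": _phone_ok}

# Constructed engine set with current load figures (0.0 idle .. 1.0 saturated); assumption.
ENGINE_LOAD = {"rule": 0.2, "semantic": 0.5, "ml": 0.7, "cloud": 0.9, "active_defense": 0.3}

# Constructed trusted-source library (RFC 1918 and RFC 5737 ranges used as placeholders).
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def compare_with_baseline(fields):
    """Compare parsed request fields with the baseline.
    Returns (suspicious, confidence, deviating_fields); confidence is the fraction of
    baseline rules violated, so it grows with the deviation."""
    deviating = [name for name, ok in BASELINE.items() if not ok(fields.get(name, ""))]
    return bool(deviating), len(deviating) / len(BASELINE), deviating


def engine_count_for(confidence):
    """Map the confidence parameter to a number of target engines by preset range.
    Ranges are constructed; the page gives 4 and 3 engines for the two highest ranges."""
    if confidence >= 0.6:
        return 4
    if confidence >= 0.3:
        return 3
    return 2


def is_trusted_source(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def select_engines(fields, src_ip):
    """Pick the target engines for one parsed request: none for traffic within the baseline;
    otherwise a count from the confidence range, reduced by one for a trusted source and
    increased by one for an untrusted one (constructed policy), filled with the least-loaded engines."""
    suspicious, confidence, _ = compare_with_baseline(fields)
    if not suspicious:
        return []
    n = engine_count_for(confidence)
    n = max(1, n - 1) if is_trusted_source(src_ip) else min(len(ENGINE_LOAD), n + 1)
    by_load = sorted(ENGINE_LOAD, key=ENGINE_LOAD.get)
    return by_load[:n]


if __name__ == "__main__":
    # Constructed request: short user name and an all-digit password, from a trusted source.
    request = {"username": "bob", "password": "123456", "phone": "13800138000"}
    print(compare_with_baseline(request))
    print(select_engines(request, "10.1.2.3"))
    print(select_engines(request, "203.0.113.5"))
```

The request in the usage block violates two of three baseline rules, so it is suspicious with confidence 2/3; from a trusted source it goes to the three least-loaded engines, from an untrusted one to all five. A request that satisfies the baseline is not suspicious and is not sent to any engine at all, which is the filtering effect on detection load that the page describes.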
In an actual implementation process, when the analyzed data to be detected includes an undisclosed vulnerability, a semantic detection engine and/or a machine learning engine in the preset abnormal traffic detection engine set is determined as the target engine for detecting it. Specifically, the analyzed data may carry some undisclosed vulnerabilities, so when it does, a semantic detection engine and/or a machine learning engine in the preset abnormal traffic detection engine set needs to be determined as the target engine for detecting the analyzed data.
Before the analyzed data packet is detected by the target engine, the analyzed data packet is preliminarily detected, and the data to be detected after the analysis with low probability of abnormal flow can be filtered, so that the data volume detected by the target engine can be reduced, the detection speed is accelerated, the overall detection performance can be improved, and the probability of erroneous judgment and missed judgment is reduced.
Step S24: and detecting the analyzed data to be detected by using the target engine to determine whether the analyzed data to be detected is abnormal flow.
Step S25: and if the analyzed data to be detected is abnormal flow, responding and disposing the data packet to be detected.
After the analyzed data to be detected is detected by the target engine, if the analyzed data to be detected is abnormal traffic, response handling is required. Wherein the response handling includes but is not limited to logging, blocking, and IP blocking, etc.
Referring to fig. 3, an abnormal flow detection method is shown. Firstly, deep analysis is carried out on the content of a data packet to be detected, specifically, the analysis of the protocol and the content is carried out on the data packet, including but not limited to analysis on tcp/ip and http. Identifying the content in json, xml and file formats. Decoding the url, htmlenda, base64, hex/oct codes. And then carrying out abnormal flow detection, namely carrying out abnormal detection on the analyzed and restored data, and screening out normal service flow. Then, engine detection is carried out, namely, one or more engines are intelligently selected to be in linkage detection based on the judgment result of the anomaly detection, wherein the detection comprises but is not limited to a rule engine, a semantic detection engine, a machine learning engine and the like. Response handling, i.e. response handling to the detected malicious traffic, including but not limited to logging, blocking, and IP blocking, is then performed.
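The fig. 3 pipeline end to end, as an added illustrative example rather than code from the patent or from the assignee: deep parsing restores URL, HTML-entity, base64 and hex encodings, a baseline comparison yields a confidence parameter, engines are selected from that parameter plus the source and destination IP addresses, and the engine hits drive the response. The trusted-IP library, sensitive servers, baseline, rule patterns and requests are all constructed, and the three engines are simplified stand-ins, not real detection engines.

```python
"""Added illustrative pipeline (not the patent's or the assignee's code): deep parsing, baseline
check with a confidence parameter, engine selection, detection and response. All values are constructed."""
import base64
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

TRUSTED_IPS = {"10.0.0.5"}                   # constructed trusted-source IP library
SENSITIVE_DST = {"10.0.1.20"}                # constructed: servers with strict access rules
BASELINE = {"max_value_len": 64, "encoded_values": 0}   # constructed traffic baseline
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")

def _decode_layer(value: str) -> str:
    """Peel one layer of url / html-entity / base64 / hex encoding, if present."""
    out = html.unescape(unquote(value))
    if out != value:
        return out
    for matcher, decoder in ((B64_RE, base64.b64decode), (HEX_RE, bytes.fromhex)):
        if matcher.match(value):
            try:
                raw = decoder(value)
            except ValueError:               # bad padding or odd-length hex
                continue
            # accept only printable text; values that merely look encoded can still be over-decoded
            if raw.isascii() and raw.decode("ascii").isprintable():
                return raw.decode("ascii")
    return value

def restore(value: str, max_layers: int = 5) -> tuple:   # -> (plaintext, layers peeled)
    for layers in range(max_layers):
        out = _decode_layer(value)
        if out == value:
            return value, layers
        value = out
    return value, max_layers

def deep_parse(src: str, dst: str, raw: str) -> dict:
    """Protocol is fixed to HTTP here: parse the request line and restore the query values."""
    target = raw.split(" ", 2)[1]
    params, encoded = {}, 0
    for key, vals in parse_qs(urlparse(target).query, keep_blank_values=True).items():
        restored = [restore(v) for v in vals]
        params[key] = [text for text, _ in restored]
        encoded += sum(layers for _, layers in restored)
    return {"src": src, "dst": dst, "params": params, "encoded_values": encoded}

def baseline_confidence(parsed: dict) -> float:
    """Compare with the preset baseline: 0.0 = within baseline, larger = larger deviation."""
    conf = 0.4 * (parsed["encoded_values"] > BASELINE["encoded_values"])
    conf += 0.3 * any(len(x) > BASELINE["max_value_len"] for v in parsed["params"].values() for x in v)
    return conf

def select_engines(parsed: dict, conf: float) -> list:
    """Choose engines by confidence, source trust and destination sensitivity."""
    if conf == 0.0:
        return []                            # filtered out by the preliminary detection
    engines = ["rule"]
    if conf >= 0.4 or parsed["src"] not in TRUSTED_IPS:
        engines.append("semantic")
    if conf >= 0.7 or parsed["dst"] in SENSITIVE_DST:
        engines.append("ml")
    return engines

RULES = [re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+"), re.compile(r"(?i)<script\b")]
ENGINES = {  # simplified stand-ins for a rule, a semantic and a machine-learning engine
    "rule": lambda vals: any(r.search(v) for r in RULES for v in vals),
    "semantic": lambda vals: any("'" in v and ("--" in v or "/*" in v) for v in vals),
    "ml": lambda vals: sum(not c.isalnum() for c in "".join(vals)) > 0.35 * len("".join(vals)),
}

def inspect(src: str, dst: str, raw: str) -> dict:
    """Full pipeline; the action is the response handling (pass, log, block or block the IP)."""
    parsed = deep_parse(src, dst, raw)
    conf = baseline_confidence(parsed)
    engines = select_engines(parsed, conf)
    values = [x for v in parsed["params"].values() for x in v]
    hits = [name for name in engines if ENGINES[name](values)]
    if not hits:
        action = "pass"                      # normal service traffic
    elif len(hits) == len(engines) and src not in TRUSTED_IPS:
        action = "block_ip"                  # every selected engine agrees, untrusted source
    else:
        action = "block" if len(hits) >= 2 else "log"
    return {"confidence": conf, "engines": engines, "hits": hits, "action": action}
```

A request from a trusted source whose only deviation is one layer of encoding reaches the rule and semantic engines but is passed when neither fires, while a base64-wrapped payload from an untrusted source to a sensitive server is decoded, sent to all three engines and blocked.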
Referring to fig. 4, an embodiment of the present application discloses an abnormal traffic detection device, including:
a data parsing module 11, configured to parse the data packet to be detected to obtain parsed data to be detected;
an engine determining module 12, configured to determine, according to the parsed data to be detected, a target engine for detecting the parsed data to be detected from a preset abnormal traffic detection engine set;
a detection module 13, configured to detect the parsed data to be detected by using the target engine, so as to determine whether the parsed data to be detected is abnormal traffic.
In the present application, deep content parsing is first performed on the data packet to be detected to obtain parsed data to be detected; a target engine for detecting the parsed data is then determined from a preset abnormal traffic detection engine set according to that data; and the target engine is used to detect the parsed data and determine whether it is abnormal traffic. Thus, when traffic needs anomaly detection, deep content parsing is performed on it first, and the parsed data is then examined by a target engine chosen from the preset abnormal traffic detection engine set to determine whether it is abnormal traffic. Parsing the content deeply first allows the real attack payload to be found and improves content recognition, and being able to detect the traffic with several engines from the preset abnormal traffic detection engine set overcomes the insufficient expressive power of a single rule engine, improves detection accuracy, and reduces the probability of false positives and missed detections.
In a specific implementation, the data parsing module 11 includes:
a protocol identification unit, configured to determine the target protocol corresponding to the data packet to be detected;
a parsing unit, configured to parse the data packet to be detected according to the target protocol to obtain the parsed data to be detected.
Further, the abnormal traffic detection device further includes:
a preliminary detection module, configured to determine, by using a preset traffic baseline, whether the parsed data to be detected is suspicious traffic.
Specifically, the preliminary detection module is configured to:
compare the parsed data to be detected with the preset traffic baseline;
and if the parsed data to be detected deviates from the preset traffic baseline, determine the parsed data to be detected as suspicious traffic, and determine a confidence parameter for the parsed data to be detected according to how far it deviates from the preset traffic baseline.
The engine determining module 12 is specifically configured to determine the target engine for detecting the parsed data to be detected from the preset abnormal traffic detection engine set according to the confidence parameter.
Further, the engine determining module 12 is specifically configured to determine the target engine for detecting the parsed data to be detected from the preset abnormal traffic detection engine set according to the source IP address in the parsed data to be detected;
and/or determine the target engine for detecting the parsed data to be detected from the preset abnormal traffic detection engine set according to the destination IP address in the parsed data to be detected.
Specifically, the engine determining module 12 is specifically configured to:
when the parsed data to be detected involves an undisclosed vulnerability, determine a semantic detection engine and/or a machine learning engine in the preset abnormal traffic detection engine set as the target engine for detecting the parsed data to be detected.
Referring to fig. 5, a schematic structural diagram of an abnormal traffic detection apparatus 20 provided in an embodiment of the present application is shown; the abnormal traffic detection apparatus 20 may implement the steps of the abnormal traffic detection method disclosed in any of the foregoing embodiments.
In general, the abnormal traffic detection apparatus 20 in this embodiment includes a processor 21 and a memory 22.
The processor 21 may include one or more processing cores, such as a four-core or eight-core processor. The processor 21 may be implemented in at least one of the hardware forms DSP (digital signal processing), FPGA (field-programmable gate array) and PLA (programmable logic array). The processor 21 may also include a main processor and a coprocessor: the main processor, also called the central processing unit (CPU), processes data in the awake state, and the coprocessor is a low-power processor that processes data in the standby state. In some embodiments, the processor 21 may be integrated with a GPU (graphics processing unit) responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 21 may include an AI (artificial intelligence) processor for handling calculations related to machine learning.
The memory 22 may include one or more computer-readable storage media, which may be non-transitory. The memory 22 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 22 at least stores the following computer program 221, which, after being loaded and executed by the processor 21, implements the steps of the abnormal traffic detection method disclosed in any of the foregoing embodiments.
In some embodiments, the abnormal traffic detection apparatus 20 may further include a display 23, an input/output interface 24, a communication interface 25, a sensor 26, a power supply 27 and a communication bus 28.
Those skilled in the art will appreciate that the configuration shown in fig. 5 does not limit the abnormal traffic detection apparatus 20, which may include more or fewer components than those shown.
Further, an embodiment of the present application also discloses a computer-readable storage medium storing a computer program which, when executed by a processor, implements the abnormal traffic detection method disclosed in any of the foregoing embodiments.
For the specific process of the abnormal traffic detection method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
The embodiments are described progressively: each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to each other. Since the device disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is brief, and the relevant points can be found in the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The abnormal traffic detection method, device, apparatus and medium provided by the present application have been described in detail above. Specific examples have been used to explain the principle and implementation of the present application, and the description of the embodiments is only intended to help understand the method and its core idea; meanwhile, a person skilled in the art may, following the idea of the present application, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. An abnormal traffic detection method, comprising:
performing deep content parsing on a data packet to be detected to obtain parsed data to be detected;
determining, according to the parsed data to be detected, a target engine for detecting the parsed data to be detected from a preset abnormal traffic detection engine set;
and detecting the parsed data to be detected by using the target engine to determine whether the parsed data to be detected is abnormal traffic.
2. The abnormal traffic detection method according to claim 1, wherein the performing deep content parsing on the data packet to be detected to obtain parsed data to be detected comprises:
determining a target protocol corresponding to the data packet to be detected;
and parsing the data packet to be detected according to the target protocol to obtain the parsed data to be detected.
3. The abnormal traffic detection method according to claim 1, wherein before determining, according to the parsed data to be detected, a target engine for detecting the parsed data to be detected from a preset abnormal traffic detection engine set, the method further comprises:
determining, by using a preset traffic baseline, whether the parsed data to be detected is suspicious traffic.
4. The abnormal traffic detection method according to claim 3, wherein the determining, by using a preset traffic baseline, whether the parsed data to be detected is suspicious traffic comprises:
comparing the parsed data to be detected with the preset traffic baseline;
and if the parsed data to be detected deviates from the preset traffic baseline, determining the parsed data to be detected as suspicious traffic, and determining a confidence parameter for the parsed data to be detected according to how far the parsed data to be detected deviates from the preset traffic baseline.
5. The abnormal traffic detection method according to claim 4, wherein the determining, according to the parsed data to be detected, a target engine for detecting the parsed data to be detected from a preset abnormal traffic detection engine set comprises:
determining the target engine for detecting the parsed data to be detected from the preset abnormal traffic detection engine set according to the confidence parameter.
6. The abnormal traffic detection method according to claim 1, wherein the determining, according to the parsed data to be detected, a target engine for detecting the parsed data to be detected from a preset abnormal traffic detection engine set comprises:
determining the target engine for detecting the parsed data to be detected from the preset abnormal traffic detection engine set according to a source IP address in the parsed data to be detected;
and/or determining the target engine for detecting the parsed data to be detected from the preset abnormal traffic detection engine set according to a destination IP address in the parsed data to be detected.
7. The abnormal traffic detection method according to any one of claims 1 to 6, wherein the determining, according to the parsed data to be detected, a target engine for detecting the parsed data to be detected from a preset abnormal traffic detection engine set comprises:
when the parsed data to be detected involves an undisclosed vulnerability, determining a semantic detection engine and/or a machine learning engine in the preset abnormal traffic detection engine set as the target engine for detecting the parsed data to be detected.
8. An abnormal traffic detection device, comprising:
a data parsing module, configured to parse a data packet to be detected to obtain parsed data to be detected;
an engine determining module, configured to determine, according to the parsed data to be detected, a target engine for detecting the parsed data to be detected from a preset abnormal traffic detection engine set;
and a detection module, configured to detect the parsed data to be detected by using the target engine so as to determine whether the parsed data to be detected is abnormal traffic.
9. An abnormal traffic detection apparatus, comprising:
a memory and a processor;
wherein the memory is configured to store a computer program;
and the processor is configured to execute the computer program to implement the abnormal traffic detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the abnormal traffic detection method according to any one of claims 1 to 7.
CN202010697572.5A 2020-07-20 2020-07-20 Abnormal flow detection method, device, equipment and medium Active CN111835777B (en)

Publications (2)

Publication Number Publication Date
CN111835777A true CN111835777A (en) 2020-10-27
CN111835777B CN111835777B (en) 2022-09-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant