CN113904804A - Intranet security protection method, system and medium based on a behavior policy - Google Patents


Info

Publication number: CN113904804A
Authority: CN (China)
Prior art keywords: intranet, mac address, abnormal, strategy, behavior
Legal status: Granted
Application number: CN202111036424.XA
Other languages: Chinese (zh)
Other versions: CN113904804B (en)
Inventors: 吕青松, 冯志峰, 郭义伟, 张建军
Assignees (current and original): Zhuhai Comleader Information Technology Co Ltd; Henan Xinda Wangyu Technology Co Ltd
Events: application filed by Zhuhai Comleader Information Technology Co Ltd and Henan Xinda Wangyu Technology Co Ltd; priority to CN202111036424.XA; publication of CN113904804A; application granted; publication of CN113904804B; legal status: active

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 and H04L63/1408: network security architectures and protocols for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02 and H04L63/0227: separating internal from external traffic, e.g. firewalls; filtering policies)
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • Y02D30/50 Reducing energy consumption in communication networks, in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides an intranet security protection method, system and medium based on a behavior policy. The method comprises: determining whether a first type and a second type of abnormal behavior exist in the intranet; determining whether a new traffic packet has been received and, in response, extracting its destination MAC address and comparing it with the MAC address table hostList; if the destination MAC address is in hostList, treating the packet as an intranet message and determining whether it belongs to a connection-oriented protocol; if it does not, determining whether its destination MAC address is associated with abnormal identifier I or II and whether its source MAC address is associated with abnormal identifier I or II; if neither address is associated, generating a first traffic control policy; otherwise generating a second traffic control policy, so that the threat inside the intranet is blocked.

Description

Intranet security protection method, system and medium based on a behavior policy
Technical Field
The invention relates to the technical field of intranet security protection, and in particular to an intranet security protection method, system and medium based on a behavior policy.
Background
With the rapid development and application of networks, more and more scenarios rely on networks for communication, and the security of the intranet is receiving increasing attention. The traditional approach secures the intranet by hardening the terminals, for example by deploying antivirus software and firewalls on the terminal devices. This protects well against known threats but usually cannot protect effectively against unknown ones.
The service functions inside a mimic boundary are built on the DHR (dynamic heterogeneous redundancy) architecture and use a mimic camouflage strategy, so that the mapping between the running environment and the service function inside the boundary is diversified and changes dynamically. This creates a cognitive "defense fog" around vulnerabilities, backdoors and the defense scenario itself, and improves the security of the device's externally exposed service functions.
Although network devices built on the mimic principle are better protected, mimic defense only covers the service functions inside the mimic boundary; functions outside that boundary are not secured, and for reasons of technology and cost the boundary cannot be extended indefinitely. How to protect the hidden ("dark") functions and the other non-service functions of the heterogeneous executors, and how to defend intranet devices against unknown threats, are therefore of great importance for intranet security.
An ideal technical solution to these problems has long been sought.
Disclosure of Invention
The invention aims to provide an intranet security protection method, system and medium based on a behavior policy that address the shortcomings of the prior art.
To this end, the invention adopts the following technical scheme.
The invention provides an intranet security protection method based on a behavior policy, comprising the following steps:
establishing a MAC address table hostList = (M1, M2, ..., Mn) for the intranet hosts, where M1 to Mn are the n MAC addresses of the intranet hosts;
determining whether a first type of abnormal behavior exists in the intranet and, if so, associating abnormal identifier I with the MAC address of the intranet host concerned;
determining whether a second type of abnormal behavior exists in the intranet and, if so, associating abnormal identifier II with the MAC address of the intranet host concerned;
determining whether a new traffic packet has been received and, in response, extracting its destination MAC address and comparing it with the MAC address table hostList of the intranet hosts;
if the destination MAC address is in hostList, treating the new packet as an intranet message and determining whether it belongs to a connection-oriented protocol;
if it does not, determining whether its destination MAC address is associated with abnormal identifier I or II and whether its source MAC address is associated with abnormal identifier I or II;
if neither address is associated, generating a first traffic control policy;
otherwise, generating a second traffic control policy.
The invention also provides an intranet security protection system based on a behavior policy, comprising a policy learner, a policy database communicatively connected to the policy learner, a first policy arbiter and a second policy arbiter each communicatively connected to the policy database, and a traffic control policy management unit communicatively connected to both arbiters, where the traffic control policy management unit comprises a first judgment module, a second judgment module, a third judgment module and a policy generation module;
the policy learner establishes the MAC address table hostList = (M1, M2, ..., Mn) of the intranet hosts, where M1 to Mn are the n MAC addresses of the intranet hosts, establishes and updates the data traffic record table hostData of each intranet host, and establishes and updates the behavior record table action of each intranet host;
the policy database builds the association between each intranet host identity, its MAC address and its data traffic record table hostData, generates and stores the user policy table List, and builds and stores the association between each intranet host identity, its MAC address and its behavior record table action;
the first policy arbiter determines whether a first type of abnormal behavior exists in the intranet and, if so, associates abnormal identifier I with the MAC address of the intranet host concerned;
the second policy arbiter determines whether a second type of abnormal behavior exists in the intranet and, if so, associates abnormal identifier II with the MAC address of the intranet host concerned;
the first judgment module determines, when a new traffic packet is received, whether it is an intranet message;
the second judgment module determines, once the packet is known to be an intranet message, whether it belongs to a connection-oriented protocol;
the third judgment module determines, once the packet is known not to belong to a connection-oriented protocol, whether its destination MAC address is associated with abnormal identifier I or II and whether its source MAC address is associated with abnormal identifier I or II;
the policy generation module generates the first traffic control policy when neither the destination nor the source MAC address of the new packet is associated with abnormal identifier I or II, and generates the second traffic control policy when the destination MAC address or the source MAC address is associated with abnormal identifier I or II.
A third aspect of the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the intranet security protection method based on a behavior policy described above.
Compared with the prior art, the invention has the following notable features and advantages:
1) a policy learner is introduced on top of conventional data switching to generate the user policy table, the data traffic record table and the behavior record table; a policy arbiter judges each user's traffic behavior under the guidance of the "relatively correct" axiom (independent hosts rarely make the same mistake at the same time, so the host that differs from the rest is the suspect) and, from the abnormal traffic information, generates a traffic control policy that is sent to the data switching unit to block unknown threats inside the intranet;
2) the method monitors in real time whether first-type and second-type abnormal behavior exists in the intranet, marks the MAC addresses of the hosts concerned by associating them with abnormal identifier I or II, and on receipt of a new traffic packet checks whether the sender's and receiver's MAC addresses are marked abnormal; this stops abnormal traffic from spreading in the intranet and at the same time decides how the traffic is forwarded;
3) for packets of a connection-oriented protocol, the invention additionally checks whether the destination and source MAC addresses are associated with the interaction-abnormal identifier, and marks the MAC addresses of both parties to an abnormal interaction by associating them with that identifier;
on receipt of a new packet it thereby ensures that no abnormal interaction has occurred between sender and receiver, so that connection-oriented traffic is forwarded safely and reliably in the intranet;
4) the invention also judges the similarity of the auxiliary factors of each intranet host and uses the result to identify whether a third type of abnormal behavior exists, so as to decide whether a heterogeneous executor (an intranet host) is threatened or attacked through a hidden function outside the mimic boundary;
the invention can therefore protect the hidden functions and other non-service functions of the heterogeneous executors (the intranet hosts), improving the intranet devices' deep perception of external threats and to some extent solving the problem that intranet hosts cannot perceive hidden-function threats from outside the mimic boundary.
Drawings
FIG. 1 is a schematic structural diagram of the intranet security protection system based on a behavior policy according to the invention;
FIG. 2 is a flowchart of the intranet security protection method based on a behavior policy according to the invention;
FIG. 3 is a flowchart of the identification of interaction-abnormal behavior according to the invention;
FIG. 4 is a flowchart of the identification of the first type of abnormal behavior according to the invention;
FIG. 5 is a flowchart of the identification of the second type of abnormal behavior according to the invention.
Detailed Description
The technical solution of the present invention is further described in detail by the following embodiments.
Example 1
Fig. 2 is a flowchart of the intranet security protection method based on a behavior policy, which comprises the following steps:
establishing a MAC address table hostList = (M1, M2, ..., Mn) for the intranet hosts, where M1 to Mn are the n MAC addresses of the intranet hosts;
determining whether a first type of abnormal behavior exists in the intranet and, if so, associating abnormal identifier I with the MAC address of the intranet host concerned;
determining whether a second type of abnormal behavior exists in the intranet and, if so, associating abnormal identifier II with the MAC address of the intranet host concerned;
determining whether a new traffic packet has been received and, in response, extracting its destination MAC address and comparing it with the MAC address table hostList of the intranet hosts;
if the destination MAC address is not in hostList, the new packet is not an intranet message and is left unprocessed;
if the destination MAC address is in hostList, the new packet is an intranet message, and it is determined whether it belongs to a connection-oriented protocol;
if it does not, it is determined whether its destination MAC address is associated with abnormal identifier I or II and whether its source MAC address is associated with abnormal identifier I or II;
if neither address is associated, a first traffic control policy is generated and the new packet is forwarded;
otherwise, a second traffic control policy is generated and the new packet is dropped.
Note that the method monitors in real time whether first-type and second-type abnormal behavior exists in the intranet, marks the MAC addresses of the hosts concerned by associating them with abnormal identifier I or II, and continuously updates those associations;
after a new packet is received, whether it is abnormal traffic can be determined quickly by looking up whether the sender's and receiver's MAC addresses are associated with abnormal identifier I or II; abnormal traffic is dropped promptly, which prevents it from spreading in the intranet and blocks the unknown threat.
Packets of a connectionless protocol (e.g. UDP) carry no interaction that could be judged abnormal, so the steps above suffice for them. Intranet traffic also includes packets of connection-oriented protocols (e.g. TCP), and to make the method more flexible the following steps are added on top of it:
if the new packet belongs to a connection-oriented protocol, determining whether its destination MAC address and source MAC address are associated with the interaction-abnormal identifier;
if neither the destination nor the source MAC address is associated with the interaction-abnormal identifier, and neither is associated with abnormal identifier I or II, the new packet is judged to be normal traffic and a first traffic control policy is generated to forward it; otherwise it is judged to be abnormal traffic and a second traffic control policy is generated to drop it.
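The forwarding decision of Example 1, including the extra check for connection-oriented packets, as an added illustrative example. This is not the patent's own code; the packet layout, the use of TCP as the only connection-oriented protocol, the MAC-based form of the second policy and the sample packets are all assumptions made for the example.

```python
# Added illustrative example (not the patent's code). Models the decision flow of
# Example 1: hostList lookup, connection-oriented test, and the abnormal-identifier
# lookups on source and destination MAC. Packet layout, names and samples are assumptions.
from dataclasses import dataclass, field

CONNECTION_PROTOCOLS = {"tcp"}   # assumption: TCP stands in for "connection-oriented protocol"


@dataclass(frozen=True)
class Packet:
    smac: str    # source MAC address
    dmac: str    # destination MAC address
    proto: str   # "tcp", "udp", "arp", ...


@dataclass
class PolicyState:
    host_list: set                                    # hostList: MACs of the intranet hosts
    flag_i: set = field(default_factory=set)          # MACs associated with abnormal identifier I
    flag_ii: set = field(default_factory=set)         # MACs associated with abnormal identifier II
    flag_interact: set = field(default_factory=set)   # MACs associated with the interaction-abnormal identifier


def decide(pkt, state):
    """Return ("ignore", None), ("forward", None) or ("drop", rule).

    "forward" is the first traffic control policy, "drop" the second; the rule
    returned with "drop" is a MAC-based block entry, one of the four forms the
    description allows for the second policy (port, protocol, IP or MAC).
    """
    if pkt.dmac not in state.host_list:
        return "ignore", None                     # not an intranet message: not handled here
    flagged = state.flag_i | state.flag_ii        # identifiers I and II apply to every intranet packet
    if pkt.proto in CONNECTION_PROTOCOLS:
        flagged = flagged | state.flag_interact   # connection-oriented packets also check the interaction flag
    bad = {pkt.smac, pkt.dmac} & flagged
    if bad:
        return "drop", {"match": "mac", "values": sorted(bad)}
    return "forward", None


# Constructed sample state and packets (not from the patent).
M1, M2, M3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
EXT = "aa:bb:cc:dd:ee:ff"   # a MAC that is not in hostList
STATE = PolicyState(host_list={M1, M2, M3}, flag_i={M3}, flag_interact={M2})

SAMPLES = [
    Packet(M1, M2, "udp"),   # connectionless, M2 only carries the interaction flag -> forward
    Packet(M1, M2, "tcp"),   # connection-oriented, interaction flag on M2 applies -> drop
    Packet(M1, M3, "udp"),   # M3 carries identifier I -> drop whatever the protocol
    Packet(M1, EXT, "udp"),  # destination not in hostList -> ignore
]


def run_samples(state=STATE, samples=SAMPLES):
    """Actions taken for the sample packets, in order."""
    return [decide(p, state)[0] for p in samples]


if __name__ == "__main__":
    for p in SAMPLES:
        action, rule = decide(p, STATE)
        print(f"{p.proto:3} {p.smac} -> {p.dmac}: {action} {rule or ''}")
```

The first two sample packets share the same source and destination; only the protocol differs, which is what makes the interaction-abnormal identifier on M2 bite for the TCP packet and not for the UDP one.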
This embodiment gives a concrete way of identifying interaction-abnormal behavior, shown in Fig. 3. To decide whether an interaction between intranet hosts is legitimate, the following steps are performed:
classify by source MAC address, establish and update an interaction behavior record table F for each intranet host, and build the association between the host identity, its MAC address and its table F; the table is F_i = (SMAC, DMAC, FFTYPE, FSPEED, FPACKETS, T), 1 ≤ i ≤ n, where SMAC is the source MAC address, DMAC the destination MAC address, FFTYPE the message type, FSPEED the message transmission rate, FPACKETS the total number of messages and T the interaction time of the flow;
from the table F, compute a first parameter value K1 related to the transmission rate FSPEED and a second parameter value K2 related to the total number of messages FPACKETS; if K1 and K2 both lie within a preset range, the interaction between the hosts is legitimate; otherwise it is illegitimate and the interaction-abnormal identifier is associated with the MAC addresses of the intranet hosts concerned.
The traffic interaction relationship between two intranet hosts is S_xy = (Fx, Fy), where Fx is the x-th interaction behavior record table and Fy the y-th (the records of the two hosts for the exchange). Whether the (FSPEED, FPACKETS) parameters of the two sides are positively correlated is tested with K1 = Fx.FSPEED / Fy.FSPEED and K2 = Fx.FPACKETS / Fy.FPACKETS.
If K1 and K2 both fall within [0.5, 1.5], the interaction relationship S is considered legitimate. Under normal conditions traffic interaction is peer-to-peer and the ideal value of K1 and K2 is 1; a 50% tolerance is allowed because some protocols behave one-sidedly during part of the interaction.
Note that message sizes in the network vary (64, 128, 256, 512 bytes and so on), so for a fixed transmission rate FSPEED the number of messages FPACKETS per unit time can differ as the message length changes. Consequently Fx.FPACKETS (FPACKETS in the x-th table) and Fy.FPACKETS (FPACKETS in the y-th table) need not be equal, and neither need Fx.FSPEED and Fy.FSPEED.
In a specific embodiment, TCP traffic is exchanged between intranet hosts PC1 and PC2, with interaction relationship S12 = (F1, F2); FFTYPE in F1 and F2 is TCP, F1 has FSPEED = 1 Mbps and FPACKETS = 60000, and F2 has FSPEED = 1.01 Mbps and FPACKETS = 60200. This gives K1 = 1/1.01 ≈ 0.99 and K2 = 60000/60200 ≈ 1.00, both within the preset range, so the interaction between PC1 and PC2 is judged legitimate.
Specifically, the second traffic control policy blocks traffic packets carrying a given port number, belonging to a given protocol, carrying a given IP address, or carrying a given MAC address.
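The K1/K2 legality test over interaction behavior record tables, as an added illustrative example that reproduces the PC1/PC2 figures above and adds a one-sided exchange that fails the test. This is not the patent's code; the record layout, the rule for pairing a record with its reverse-direction record, the treatment of a silent peer and the third/fourth sample records are assumptions.

```python
# Added illustrative example (not the patent's code). Implements the K1/K2 legality
# test over interaction behaviour record tables F and reproduces the PC1/PC2 worked
# example; the record layout, pairing rule and the extra illegal pair are assumptions.
from dataclasses import dataclass

K_MIN, K_MAX = 0.5, 1.5   # preset range for K1 and K2 given in the description


@dataclass(frozen=True)
class F:
    """Interaction behaviour record F = (SMAC, DMAC, FFTYPE, FSPEED, FPACKETS, T)."""
    smac: str
    dmac: str
    fftype: str
    fspeed: float   # message transmission rate, Mbps
    fpackets: int   # total number of messages
    t: str          # interaction time window


def ratios(fx, fy):
    """K1 = Fx.FSPEED / Fy.FSPEED and K2 = Fx.FPACKETS / Fy.FPACKETS.

    Assumption: a peer that sent nothing (zero rate or zero packets) gives an
    infinite ratio, so a purely one-sided exchange is always out of range.
    """
    k1 = fx.fspeed / fy.fspeed if fy.fspeed else float("inf")
    k2 = fx.fpackets / fy.fpackets if fy.fpackets else float("inf")
    return k1, k2


def interaction_legal(fx, fy):
    """True when both K1 and K2 lie inside the preset range."""
    k1, k2 = ratios(fx, fy)
    return K_MIN <= k1 <= K_MAX and K_MIN <= k2 <= K_MAX


def flag_interactions(records):
    """Pair every record with the reverse-direction record of the same type and
    window (S_xy = (Fx, Fy)) and return the MACs of both parties of each illegal
    interaction, i.e. the addresses to associate with the interaction-abnormal identifier."""
    by_key = {(r.smac, r.dmac, r.fftype, r.t): r for r in records}
    flagged = set()
    for fx in records:
        fy = by_key.get((fx.dmac, fx.smac, fx.fftype, fx.t))
        if fy is None:   # assumption: no reverse record at all counts as an empty one
            fy = F(fx.dmac, fx.smac, fx.fftype, 0.0, 0, fx.t)
        if not interaction_legal(fx, fy):
            flagged.update((fx.smac, fx.dmac))
    return flagged


# Constructed sample records (the first two are the description's worked example).
PC1, PC2, PC3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
RECORDS = [
    F(PC1, PC2, "tcp", 1.00, 60000, "T1-T2"),    # F1
    F(PC2, PC1, "tcp", 1.01, 60200, "T1-T2"),    # F2
    F(PC3, PC2, "tcp", 8.00, 400000, "T1-T2"),   # constructed: PC3 floods PC2
    F(PC2, PC3, "tcp", 0.40, 15000, "T1-T2"),    # PC2 answers at a fraction of the rate
]

if __name__ == "__main__":
    print(ratios(RECORDS[0], RECORDS[1]))   # K1 ~ 0.990, K2 ~ 0.997: legitimate
    print(flag_interactions(RECORDS))       # both parties of the PC3/PC2 exchange
```

Because the ratios are taken in both directions, an illegal pair is found twice (K1 = 20 one way, 0.05 the other); the set of flagged MACs is the same either way, which matches the description's rule of marking both parties.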
Example 2
Note that anomalies in SMAC, SIP, SPORT, DMAC, DIP, DPORT, FTYPE or LENGTH correspond to the first type of abnormal behavior and are marked by abnormal identifier I.
This embodiment gives a concrete way of identifying the first type of abnormal behavior, shown in Fig. 4. To decide whether a first type of abnormal behavior exists in the intranet, the following steps are performed:
read each traffic packet passed through the data switching unit, and establish and update a data traffic record table hostData for each intranet host so as to learn its traffic behavior; the table of the i-th intranet host is hostData_i = (SMAC, SIP, SPORT, DMAC, DIP, DPORT, FTYPE, LENGTH), where SMAC is the source MAC address, SIP the source IP address, SPORT the source port number, DMAC the destination MAC address, DIP the destination IP address, DPORT the destination port number, FTYPE the message type and LENGTH the message length;
build the association between the intranet host identity, its MAC address and its data traffic record table hostData, and generate the user policy table List_i = (hostData_1, hostData_2, ..., hostData_m), 1 ≤ i ≤ n;
read a first target field from the hostData associated with the host identity according to a first preset key field, which is one or more of SMAC, SIP, SPORT, DMAC, DIP, DPORT, FTYPE and LENGTH;
judge the first target fields of the different intranet hosts for the same time interval against one another, repeatedly, and identify from the result whether a first type of abnormal behavior exists in the intranet: if the first target field of one host differs from the first target fields of all other hosts, that host is judged to exhibit the first type of abnormal behavior and the other hosts are not.
Note that, to further improve security and reliability, the judgment can be repeated several times over the first target fields of the same intranet host within the same time interval.
One intranet host communicates with several other intranet hosts, so one source MAC address corresponds to several hostData entries (each containing the destination MAC address of another PC), and each element of hostList corresponds to several hostData entries.
Specifically, the first preset key field is DPORT, because attacks on the network are usually carried out through ports. In practice other fields, such as the protocol type, can also be selected for comparison.
In a specific embodiment the intranet has hosts PC1, PC2 and PC3, with user policy table list1 = (host1Data1, host1Data2, host1Data3, ...) for PC1, list2 = (host2Data1, host2Data2, host2Data3, ...) for PC2 and list3 = (host3Data1, host3Data2, host3Data3, ...) for PC3. With DPORT as the first preset key field and the "search, select and judge repeatedly" strategy, the DPORT value of host1Data1 is taken and searched for in list2 and list3; if that DPORT appears in neither, host1Data1 is judged abnormal and an illegitimate port has been opened in the intranet.
Suppose the telnet port (port 23) is closed by default on every intranet host. If response messages for port 23 suddenly appear in the traffic, a hacker or a "ghost" program has opened port 23 and is remotely controlling the intranet host; port 23 is then treated as the illegitimate port.
Example 3
It should be noted that, the second layer communication protocol, the third layer communication protocol, the application layer communication protocol, the network traffic rate, or the total amount of network data is abnormal, and the second type of abnormal behavior is marked by the abnormal identifier ii.
In this embodiment, a specific implementation manner of identifying the second type of abnormal behavior is given, and as shown in fig. 5, when determining whether the second type of abnormal behavior exists in the intranet, the following steps are executed:
establishing and updating a behavior record table action (X) corresponding to each intranet host according to a preset time interval and a corresponding data flow record table hostData1、X2、……、X6) Wherein X is1Representing a two-layer communication protocol, X2Representing a three-layer communication protocol, X3Representing an application layer communication protocol, X4Representing network traffic rate, X5Representing the total amount of network data, X6Represents a time interval;
establishing an incidence relation among an intranet host identity, a corresponding MAC address and an action record table action;
selecting a second target field from the action record table action according to a second preset key field; wherein the second preset key field is X1To X6One or more of;
and carrying out multiple judgment on second target fields corresponding to different intranet host identifiers in the same time interval, and identifying whether a second type of abnormal behavior exists in the intranet according to a judgment result: and if the second target field corresponding to a certain intranet host identity is different from the second target fields corresponding to other intranet host identities, judging that a second type of abnormal behavior exists in the intranet host and other intranet hosts do not have the second type of abnormal behavior.
Note that the total amount of network data X5 is not the same quantity as the total number of messages FPACKETS in the interaction behavior record table F. X5 is counted per user action: if the user action is an FTP (File Transfer Protocol) file download, the whole download involves layer-2 message exchange, layer-3 routing interaction and so on, a series of protocol interactions that together form one user behavior. F, by contrast, records the interaction for a single protocol only, such as TCP or ARP, i.e. one traffic exchange. Hence X5 is not equal to FPACKETS.
In a specific embodiment the intranet has the hosts PC1, PC2 and PC3. From list1 the behavior record table of PC1 is resolved as action1 = (arp, 0, 0, 0, 10, 1000, T1-T2), from list2 that of PC2 as action2 = (arp, 0, 0, 0, 1, 100, T1-T2), and from list3 that of PC3 as action3 = (arp, 0, 0, 0, 1, 100, T1-T2). Using the judgment strategy "search-method selection judgment", it is found that the total amount of ARP network data (the number of messages) of PC1 in the period T1 to T2 differs from that of the other intranet hosts, so the behavior of PC1 in that period is judged abnormal.
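The multi-mode judgment above, as an added example that is not code from the patent: each host's behavior record table is grouped by time interval X6, the selected key field is compared across hosts, and the host whose value differs from the value shared by a strict majority gets the abnormal identifier II attached to its MAC address. The record layout, the rule that a 1-vs-1 disagreement flags nobody, the mapping of the patent's 7-value tuples onto X1..X6 (rate as X4, message total as X5) and the MAC addresses are assumptions for this example. The same majority comparison applies unchanged to the hostData fields used for the first type of abnormal behavior.

```python
"""Type-II anomaly check by multi-mode judgment over behavior record tables.

Added example, not code from the patent. Assumptions: a behavior record is a
dict keyed by the patent's field names X1..X6; records of all hosts are
grouped by their time interval X6; a host is flagged only when its selected
field differs from a value held by a strict majority of the hosts in that
interval, so a 1-vs-1 or 2-2-1 split flags nobody.
"""
from collections import Counter

FIELD_NAMES = ("X1", "X2", "X3", "X4", "X5", "X6")


def make_action(l2_proto, l3_proto, app_proto, rate, total, interval):
    """Build one behavior record action = (X1, X2, X3, X4, X5, X6)."""
    return dict(zip(FIELD_NAMES, (l2_proto, l3_proto, app_proto, rate, total, interval)))


def multi_mode_judgment(actions, key_fields):
    """Compare the second target field(s) of all hosts in one interval.

    actions: {host_id: action record}, all sharing the same X6.
    key_fields: the second preset key field(s), a subset of X1..X6.
    Returns the set of host ids whose value, for some key field, is not the
    value held by a strict majority of hosts. A field without a strict
    majority flags nobody: the judgment cannot decide who deviates.
    """
    abnormal = set()
    for field in key_fields:
        values = {host: act[field] for host, act in actions.items()}
        if not values:
            continue
        top_value, top_count = Counter(values.values()).most_common(1)[0]
        if top_count * 2 <= len(values):
            continue  # no strict majority (1-vs-1, 2-2-1, ...)
        abnormal.update(host for host, v in values.items() if v != top_value)
    return abnormal


def judge_by_interval(records, key_fields):
    """records: {host_id: [action, ...]}. Returns {X6 interval: abnormal hosts}."""
    by_interval = {}
    for host, acts in records.items():
        for act in acts:
            by_interval.setdefault(act["X6"], {})[host] = act
    return {t: multi_mode_judgment(acts, key_fields) for t, acts in by_interval.items()}


def associate_identifier_ii(mac_of, flagged):
    """Associate abnormal identifier II with the MAC address of each flagged host."""
    return {mac_of[host]: "II" for host in flagged}


# Constructed sample mirroring the PC1/PC2/PC3 case: only ARP at layer 2, no
# layer-3 or application protocol, and PC1's ARP message total X5 is ten times
# the others'. Mapping rate -> X4 and message total -> X5 is an assumption.
SAMPLE_RECORDS = {
    "PC1": [make_action("arp", 0, 0, 10, 1000, "T1-T2")],
    "PC2": [make_action("arp", 0, 0, 1, 100, "T1-T2")],
    "PC3": [make_action("arp", 0, 0, 1, 100, "T1-T2")],
}
SAMPLE_MACS = {  # constructed, locally administered addresses
    "PC1": "02:00:00:00:00:01",
    "PC2": "02:00:00:00:00:02",
    "PC3": "02:00:00:00:00:03",
}


def run_sample():
    """Judge the sample on key field X5 and return {interval: {MAC: 'II'}}."""
    flagged = judge_by_interval(SAMPLE_RECORDS, ["X5"])
    return {t: associate_identifier_ii(SAMPLE_MACS, hosts) for t, hosts in flagged.items()}


if __name__ == "__main__":
    print(run_sample())  # {'T1-T2': {'02:00:00:00:00:01': 'II'}}
```

Judging on X1 alone flags nobody, because all three hosts show the same layer-2 protocol; judging on X4 or X5 flags PC1. The strict-majority rule is the practical caveat: with only two hosts the method cannot say which one is abnormal, and a 2-2-1 split means the "normal" baseline itself is in doubt.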
Example 4
This embodiment differs from those above in that the intranet security protection method based on the behavior policy further comprises the following steps:
judging whether each intranet host has a third type of abnormal behavior: recording the auxiliary factors of each intranet host, performing a similarity judgment on them, and identifying from the result whether the host has the third type of abnormal behavior; if a host is judged to have it, establishing an association between the abnormal identifier III and that host's MAC address;
and, before outputting the first traffic control policy, determining whether the destination MAC address or the source MAC address of the new traffic packet is associated with the abnormal identifier III and, if so, replacing the first traffic control policy with the second traffic control policy.
Note that the judgment of the third type of abnormal behavior is a self-judgment by the intranet host, i.e. a self-check: the discrimination program for it can be installed on the intranet host, which runs it and uploads the abnormal identifier III, whereupon the association between that identifier and the host's MAC address is established. The host's own verdict is thus also taken into account when new traffic is forwarded, which further improves the security of the intranet equipment.
The discrimination program may instead be installed on another device: each intranet host uploads its auxiliary factors to that device, which performs the similarity judgment and identifies from the result whether the host has the third type of abnormal behavior.
Specifically, a data collector is provided that gathers the auxiliary factors (multidimensional space elements) of an intranet host, including but not limited to: the system state (CPU load, memory usage, process usage, disk usage, operating-system log information, etc.); the traffic state (traffic rate per network card, number of service messages, number of non-service messages, number of messages on a specific port, etc.); the arbitration data (the amount of data each heterogeneous executor sends to the arbitrator, which may be counted separately per service type); and the physical state (the physical state of the hardware platform running the heterogeneous executors, such as temperature, fan state and peripheral interface state).
If the intranet host is a mimic defense device, this embodiment judges the multidimensional elements that lie outside the mimic-boundary function of the heterogeneous executors and thereby determines whether the executors are being threatened or attacked by a hidden ("dark") function from outside the mimic boundary, improving the whole mimic device's depth of perception of external threats.
Because the heterogeneous executors differ from one another, their multidimensional space elements (auxiliary factors) are very likely to be inconsistent, so a consistency check or a multi-mode judgment cannot readily tell whether an executor is threatened; the auxiliary judgment device therefore uses a similarity judgment instead.
Take CPU utilization as an example: heterogeneous executor 1 is at 10%, executor 2 at 15% and executor 3 at 12%. Comparing them pairwise, the CPU utilizations of the three executors differ by at most 5%, which does not exceed 6%, so the CPU is considered not to be threatened and there is no third type of abnormal behavior.
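The similarity judgment, as an added example that is not code from the patent: each heterogeneous executor reports the same numeric auxiliary factors, a factor passes when its spread (maximum minus minimum across executors) stays within a per-factor tolerance, and the executor farthest from the median is reported as the likely deviant. The CPU values and the 6% tolerance follow the example above; the memory and port-23 counters, their tolerances, the executor names and the "spread against median" rule are assumptions for this example.

```python
"""Third-type anomaly check by similarity judgment of auxiliary factors.

Added example, not code from the patent. Assumptions: each heterogeneous
executor reports the same numeric factors; a factor is similar when its
spread across executors does not exceed a per-factor tolerance; the executor
farthest from the median is the likely deviant. Only the CPU figures and the
6% tolerance come from the patent's example; the rest is constructed.
"""
from statistics import median


def similarity_judgment(samples, tolerances):
    """samples: {executor: {factor: value}}; tolerances: {factor: max spread}.

    Returns {factor: (spread, within_tolerance, farthest_executor)} for every
    factor reported by at least two executors.
    """
    result = {}
    for factor, tol in tolerances.items():
        values = {ex: s[factor] for ex, s in samples.items() if factor in s}
        if len(values) < 2:
            continue  # nothing to compare against
        spread = max(values.values()) - min(values.values())
        mid = median(values.values())
        farthest = max(values, key=lambda ex: abs(values[ex] - mid))
        result[factor] = (spread, spread <= tol, farthest)
    return result


def has_type_iii_anomaly(samples, tolerances):
    """True when any factor fails the similarity judgment."""
    return any(not ok for _, ok, _ in similarity_judgment(samples, tolerances).values())


def deviant_executors(samples, tolerances):
    """{factor: executor} for every factor that failed, naming the outlier."""
    return {f: ex for f, (_, ok, ex) in similarity_judgment(samples, tolerances).items() if not ok}


# Constructed data. CPU mirrors the 10% / 15% / 12% example; memory usage and the
# per-port message count are constructed so that SUSPECT fails on executor 3.
TOLERANCES = {"cpu_pct": 6, "mem_pct": 10, "pkts_port_23": 0}
HEALTHY = {
    "exec1": {"cpu_pct": 10, "mem_pct": 40, "pkts_port_23": 0},
    "exec2": {"cpu_pct": 15, "mem_pct": 42, "pkts_port_23": 0},
    "exec3": {"cpu_pct": 12, "mem_pct": 38, "pkts_port_23": 0},
}
SUSPECT = {
    "exec1": {"cpu_pct": 10, "mem_pct": 40, "pkts_port_23": 0},
    "exec2": {"cpu_pct": 15, "mem_pct": 42, "pkts_port_23": 0},
    "exec3": {"cpu_pct": 12, "mem_pct": 95, "pkts_port_23": 37},
}

if __name__ == "__main__":
    print(has_type_iii_anomaly(HEALTHY, TOLERANCES))   # False
    print(deviant_executors(SUSPECT, TOLERANCES))      # {'mem_pct': 'exec3', 'pkts_port_23': 'exec3'}
```

A zero tolerance turns a factor into an exact-agreement check, which is what a "messages on a port that should be closed" counter wants; the percentage tolerances absorb the normal variance between executors built on different platforms, which is why the patent prefers similarity over strict consistency here.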
Example 5
On the basis of the intranet security protection method based on the behavior policy, this embodiment provides a specific implementation manner of an intranet security protection system based on the behavior policy, as shown in fig. 1:
the intranet security protection system comprises n intranet hosts, a data exchange unit in communication connection with the intranet hosts respectively, a policy learner in communication connection with the data exchange unit, a policy database in communication connection with the policy learner, a first policy resolver in communication connection with the policy database, a second policy resolver in communication connection with the policy database, and a flow control policy management unit in communication connection with the first policy resolver, the second policy resolver and the data exchange unit respectively, wherein the flow control policy management unit comprises a first judgment module, a second judgment module, a third judgment module and a policy generation module;
the intranet host is used for receiving flow packets through the data exchange unit or sending the flow packets to other intranet hosts through the data exchange unit;
the policy learner is used to establish the MAC address table hostList = (M1, M2, ..., Mn) of the intranet hosts, where M1 to Mn are the MAC addresses of the n intranet hosts, to establish and update the data flow record table hostData of each intranet host, and to establish and update the behavior record table action of each intranet host;
the policy database is used to construct the association among the intranet host identifier, its MAC address and the data flow record table hostData and to generate and store the user policy table List, and to establish the association among the intranet host identifier, its MAC address and the behavior record table action and to store the behavior record table action;
the first strategy arbitrator is used for judging whether a first type of abnormal behavior exists in the intranet or not, and if the first type of abnormal behavior exists in the intranet, establishing an association relation between the abnormal identifier I and the MAC address of the relevant intranet host;
the second strategy arbitrator is used for judging whether a second type of abnormal behavior exists in the intranet or not, and if the second type of abnormal behavior exists in the intranet, establishing an association relation between the abnormal identifier II and the MAC address of the relevant intranet host;
the first judging module is used for judging whether the new flow packets are intranet messages or not when the new flow packets are received;
the second judging module is used for judging whether the new flow packets are flow packets based on a connection protocol or not after determining that the new flow packets are intranet messages;
the third judging module is used for judging whether a destination MAC address in the new traffic packets is associated with the abnormal identifier I or the abnormal identifier II and whether a source MAC address in the new traffic packets is associated with the abnormal identifier I or the abnormal identifier II after determining that the new traffic packets is not traffic packets based on the connection protocol;
the policy generation module is used to generate the first traffic control policy when neither the destination MAC address nor the source MAC address of the new traffic packet is associated with the abnormal identifier I or the abnormal identifier II, and to generate the second traffic control policy when the destination MAC address or the source MAC address of the new traffic packet is associated with the abnormal identifier I or the abnormal identifier II.
Specifically, on receiving the second traffic control policy the data exchange unit blocks forwarding of the new traffic, preventing the abnormal behavior from recurring.
Further, the policy learner is also configured to establish and update the interaction behavior record table F of each intranet host, F_i = (SMAC, DMAC, FFTYPE, FSPEED, FPACKETS, T), 1 ≤ i ≤ n, where SMAC is the source MAC address, DMAC the destination MAC address, FFTYPE the message type identifier, FSPEED the message transmission rate, FPACKETS the total number of messages and T the traffic interaction time;
the policy database is also used to construct the association among the intranet host identifier, its MAC address and the interaction behavior record table F, and to store F;
the strategy database is also in communication connection with a third strategy arbitrator, and the third strategy arbitrator is used for judging whether the interaction between the intranet hosts is legal or not and establishing the association relation between the interaction abnormal identification and the MAC address of the related intranet host when the interaction between the intranet hosts is illegal.
Further, the traffic control policy management unit also comprises a fourth judgment module, which judges, after the new traffic packet has been determined to be a connection-protocol traffic packet, whether the destination MAC address or the source MAC address of the new traffic packet is associated with the interaction anomaly identifier;
the policy generation module is further configured to generate the first traffic control policy when neither the destination nor the source MAC address of the new traffic packet is associated with the interaction anomaly identifier, the abnormal identifier I or the abnormal identifier II, and otherwise to generate the second traffic control policy.
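The decision made by the traffic control policy management unit, as an added example that is not code from the patent: the destination MAC is checked against hostList, connection-protocol packets are additionally checked against the interaction anomaly identifier, either end carrying identifier I or II selects the second policy, and the host self-check (identifier III) overrides the first policy just before it is output. That "connection protocol" means TCP-style traffic, that a packet whose destination is not in hostList is simply outside this method, that the first policy forwards and the second blocks (as Example 5 states for the data exchange unit), and the MAC addresses are assumptions for this example.

```python
"""Traffic control policy decision for a new traffic packet.

Added example, not code from the patent. Assumptions: "connection-based
protocol" means TCP-style traffic; a packet whose destination MAC is not in
hostList is outside the method's scope (returned as None); the first policy
forwards and the second blocks forwarding; identifiers are kept as sets of
MAC addresses.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    FIRST = "forward"            # first traffic control policy
    SECOND = "block forwarding"  # second traffic control policy


@dataclass
class Packet:
    smac: str
    dmac: str
    connection_based: bool  # True for TCP-style traffic (assumption)


@dataclass
class PolicyState:
    host_list: set                                    # hostList = (M1, ..., Mn)
    abnormal_i: set = field(default_factory=set)      # first type (hostData fields)
    abnormal_ii: set = field(default_factory=set)     # second type (action fields)
    abnormal_iii: set = field(default_factory=set)    # third type (host self-check)
    interaction_abnormal: set = field(default_factory=set)  # illegal host-to-host interaction


def decide_policy(pkt, st):
    """Return (policy, reason); policy is None when the packet is not an intranet message."""
    if pkt.dmac not in st.host_list:
        return None, "destination MAC not in hostList: not an intranet message"
    ends = {pkt.smac, pkt.dmac}
    reasons = []
    # Interaction legality is only consulted for connection-protocol packets (fourth module).
    if pkt.connection_based and ends & st.interaction_abnormal:
        reasons.append("interaction anomaly identifier")
    if ends & st.abnormal_i:
        reasons.append("abnormal identifier I")
    if ends & st.abnormal_ii:
        reasons.append("abnormal identifier II")
    if reasons:
        return Policy.SECOND, ", ".join(reasons)
    # Example 4: the host self-check replaces the first policy just before it is output.
    if ends & st.abnormal_iii:
        return Policy.SECOND, "abnormal identifier III (host self-check)"
    return Policy.FIRST, "no abnormal identifier on either end"


def apply_policies(packets, st):
    """What the data exchange unit forwards: packets that received the first policy."""
    return [p for p in packets if decide_policy(p, st)[0] is Policy.FIRST]


# Constructed sample state and packets (locally administered MAC addresses).
M1, M2, M3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
OUTSIDE = "02:00:00:00:00:99"
STATE = PolicyState(host_list={M1, M2, M3}, abnormal_ii={M3}, interaction_abnormal={M2})
PACKETS = [
    Packet(M1, M2, connection_based=False),    # ARP-style: M2's interaction flag is not consulted
    Packet(M1, M2, connection_based=True),     # TCP-style: M2's interaction flag blocks it
    Packet(M1, M3, connection_based=False),    # M3 carries identifier II: blocked either way
    Packet(M1, OUTSIDE, connection_based=True),  # destination not in hostList: out of scope
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p.dmac, p.connection_based, decide_policy(p, STATE))
```

The first two packets show the asymmetry worth knowing: an interaction anomaly only blocks connection-protocol traffic, so a host flagged for illegal interaction can still exchange connectionless frames until it also earns identifier I, II or III.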
Example 6
The present embodiment provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the intranet security protection method based on the behavior policy as described above.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed system may be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the above-described modules is only one logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated module may be stored in a computer-readable storage medium if it is implemented in the form of a software functional unit and sold or used as a separate product. Based on such understanding, all or part of the flow in the method of the embodiments described above may be implemented by a computer program, which may be stored in a computer-readable storage medium and can implement the steps of the embodiments of the methods described above when the computer program is executed by a processor. The computer program includes computer program code, and the computer program code may be in a source code form, an object code form, an executable file or some intermediate form.
Finally, it should be noted that the above examples only illustrate the technical solutions of the present invention and do not limit them. Although the invention has been described in detail with reference to preferred embodiments, those skilled in the art will understand that modifications to its specific embodiments, or equivalent substitutions for some of its technical features, may be made without departing from the spirit of the invention, which is intended to cover all such aspects as defined by the appended claims.

Claims (10)

1. An intranet safety protection method based on a behavior strategy is characterized by comprising the following steps:
judging whether a first type of abnormal behavior exists in the intranet, and if the first type of abnormal behavior exists in the intranet, establishing an association relation between the abnormal identifier I and the MAC address of the relevant intranet host;
judging whether a second type of abnormal behavior exists in the intranet or not, and if the second type of abnormal behavior exists in the intranet, establishing an association relation between an abnormal identifier II and the MAC address of a related intranet host;
determining whether a new traffic packet is received and, in response to receiving one, extracting the destination MAC address of the new traffic packet and comparing it with the MAC address table hostList of the intranet hosts;
if the destination MAC address exists in the MAC address table hostList, judging that the new traffic packet is an intranet message, and judging whether the new traffic packet is a traffic packet based on a connection protocol;
if the new traffic packet is not a traffic packet based on a connection protocol, judging whether the destination MAC address of the new traffic packet is associated with the abnormal identifier I or the abnormal identifier II and whether the source MAC address of the new traffic packet is associated with the abnormal identifier I or the abnormal identifier II;
if neither is associated, generating a first flow control strategy;
otherwise, generating a second flow control strategy.
2. The intranet safety protection method based on the behavior strategy according to claim 1, wherein if the new traffic packets are traffic packets based on a connection protocol, whether a destination MAC address and a source MAC address in the new traffic packets are associated with an interaction anomaly identifier is judged;
if the destination MAC address and the source MAC address in the new traffic packets are not associated with the abnormal identifier I and the abnormal identifier II, generating a first traffic control strategy;
otherwise, generating a second flow control strategy.
3. The intranet safety protection method based on the behavior strategy according to claim 2, wherein when judging whether the interaction between the intranet hosts is legal, the following steps are executed:
establishing and updating an interactive behavior record table F corresponding to each intranet host, and establishing an association among the intranet host identifier, the corresponding MAC address and the interactive behavior record table F;
calculating a first parameter value K1 associated with the message transmission rate FSPEED and a second parameter value K2 associated with the total number of messages FPACKETS based on the interactive behavior record table F;
if the first parameter value K1 and the second parameter value K2 are both within a preset range, judging that the interaction between the intranet hosts is legal;
otherwise, judging that the interaction behavior between the intranet hosts is illegal, and establishing an association relation between the interaction abnormal identification and the MAC address of the related intranet host.
4. The intranet safety protection method based on the behavior strategy according to claim 1, wherein when determining whether the first type of abnormal behavior exists in the intranet, the method executes:
establishing and updating a data flow record table hostData of each intranet host, establishing an association among the intranet host identifier, the corresponding MAC address and the data flow record table hostData, and generating a user policy table List;
reading a first target field from a data traffic record table hostData associated with the intranet host identity according to a first preset key field; wherein the first preset key field is one or more of SMAC, SIP, SPORT, DMAC, DIP, DPORT, FTYPE or LENGTH;
and carrying out multiple judgment on the first target fields corresponding to different intranet host identifiers in the same time interval, and identifying whether the first-class abnormal behaviors exist in the intranet according to judgment results.
5. The intranet safety protection method based on the behavior strategy according to claim 1, wherein when determining whether the second type of abnormal behavior exists in the intranet, the method executes:
establishing and updating the behavior record table action = (X1, X2, ..., X6) of each intranet host, and establishing an association among the intranet host identifier, the corresponding MAC address and the behavior record table action; wherein X1 represents the layer-2 communication protocol, X2 the layer-3 communication protocol, X3 the application-layer communication protocol, X4 the network traffic rate, X5 the total amount of network data and X6 the time interval;
selecting a second target field from the behavior record table action according to a second preset key field, the second preset key field being one or more of X1 to X6;
and carrying out multiple judgment on second target fields corresponding to different intranet host identifications in the same time interval, and identifying whether a second type of abnormal behavior exists in the intranet according to a judgment result.
6. The intranet safety protection method based on the behavior strategy according to claim 1, further comprising the following steps:
judging whether each intranet host has a third type abnormal behavior: recording the auxiliary factor corresponding to each intranet host, performing similarity judgment, and identifying whether the intranet host has a third type of abnormal behavior according to a similarity judgment result; if it is determined that a certain intranet host has a third-type abnormal behavior, establishing an association relation between an abnormal identifier III and the MAC address of the intranet host;
and before outputting the first flow control strategy, determining whether the destination MAC address and the source MAC address in the new flow packets are associated with the abnormal identifier III, and if so, replacing the first flow control strategy by the second flow control strategy.
7. An intranet safety protection system based on a behavior strategy, characterized in that: the system comprises a strategy learner, a strategy database in communication connection with the strategy learner, a first strategy resolver in communication connection with the strategy database, a second strategy resolver in communication connection with the strategy database, and a flow control strategy management unit in communication connection with the first strategy resolver and the second strategy resolver respectively, wherein the flow control strategy management unit comprises a first judgment module, a second judgment module, a third judgment module and a strategy generation module;
the strategy learner is used for establishing MAC address tables hostList (M1, M2, … … and Mn) corresponding to the intranet hosts, wherein M1-Mn represent n MAC addresses corresponding to the intranet hosts, are used for establishing and updating data flow record tables hostData of each intranet host, and are used for establishing and updating behavior record tables action of each intranet host;
the strategy database is used for constructing an association among the intranet host identity, the corresponding MAC address and the data flow record table hostData, and for generating and storing a user strategy table List; and for establishing an association among the intranet host identity, the corresponding MAC address and the behavior record table action and storing the behavior record table action;
the first strategy arbitrator is used for judging whether a first type of abnormal behavior exists in the intranet or not, and if the first type of abnormal behavior exists in the intranet, establishing an association relation between the abnormal identifier I and the MAC address of the relevant intranet host;
the second strategy arbitrator is used for judging whether a second type of abnormal behavior exists in the intranet or not, and if the second type of abnormal behavior exists in the intranet, establishing an association relation between the abnormal identifier II and the MAC address of the relevant intranet host;
the first judging module is used for judging whether the new flow packets are intranet messages or not when the new flow packets are received;
the second judging module is used for judging whether the new flow packets are flow packets based on a connection protocol or not after determining that the new flow packets are intranet messages;
the third judging module is used for judging whether a destination MAC address in the new traffic packets is associated with the abnormal identifier I or the abnormal identifier II and whether a source MAC address in the new traffic packets is associated with the abnormal identifier I or the abnormal identifier II after determining that the new traffic packets is not traffic packets based on the connection protocol;
the strategy generation module is used for generating a first flow control strategy when neither the destination MAC address nor the source MAC address of the new flow packet is associated with the abnormal identifier I or the abnormal identifier II, and for generating a second flow control strategy when the destination MAC address or the source MAC address of the new flow packet is associated with the abnormal identifier I or the abnormal identifier II.
8. The intranet safety protection system according to claim 7, wherein the strategy learner is further configured to establish and update an interactive behavior record table F corresponding to each intranet host, F_i = (SMAC, DMAC, FFTYPE, FSPEED, FPACKETS, T), 1 ≤ i ≤ n; SMAC represents a source MAC address, DMAC represents a destination MAC address, FFTYPE represents a message type identifier, FSPEED represents a message transmission rate, FPACKETS represents the total number of messages, and T represents the flow interaction time;
the strategy database is also used for constructing an association among the intranet host identity, the corresponding MAC address and the interactive behavior record table F and for storing the interactive behavior record table F;
the strategy database is also in communication connection with a third strategy arbitrator, and the third strategy arbitrator is used for judging whether the interaction between the intranet hosts is legal or not and establishing the association relation between the interaction abnormal identification and the MAC address of the related intranet host when the interaction between the intranet hosts is illegal.
9. The intranet safety protection system based on the behavior policy according to claim 8, wherein the flow control policy management unit further comprises a fourth judgment unit, and the fourth judgment unit is configured to judge whether a destination MAC address and a source MAC address in a new traffic packet are associated with the interaction anomaly identifier after determining that the new traffic packet is a traffic packet based on a connection protocol;
the strategy generation module is further configured to generate a first flow control strategy when the destination MAC address and the source MAC address in the new flow packets are not associated with the interaction exception identifier, and the destination MAC address and the source MAC address in the new flow packets are not associated with the exception identifier i and the exception identifier ii, or generate a second flow control strategy.
10. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when being executed by a processor, implements the steps of the method for intranet security protection based on behavioral policies according to any one of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111036424.XA CN113904804B (en) 2021-09-06 2021-09-06 Intranet safety protection method, system and medium based on behavior strategy


Publications (2)

Publication Number Publication Date
CN113904804A true CN113904804A (en) 2022-01-07
CN113904804B CN113904804B (en) 2023-07-21

Family

ID=79188526



Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070206498A1 (en) * 2005-11-17 2007-09-06 Chang Beom H Network status display device and method using traffic flow-radar
US20110196961A1 (en) * 2010-02-08 2011-08-11 University Of Electronic Science And Technology Of China Method for network anomaly detection in a network architecture based on locator/identifier split
JP2011250033A (en) * 2010-05-25 2011-12-08 Toshiba Corp Monitoring system and server changeover method
CN104468619A (en) * 2014-12-26 2015-03-25 杭州华三通信技术有限公司 Method and gateway for achieving dual-stack web authentication
CN106209843A (en) * 2016-07-12 2016-12-07 工业和信息化部电子工业标准化研究院 A kind of data flow anomaly towards Modbus agreement analyzes method
CN106921676A (en) * 2017-04-20 2017-07-04 电子科技大学 A kind of intrusion detection method based on OPCClassic

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Guangming, "Design and Implementation of an Intranet Host Behavior Supervision and Audit System", China Masters' Theses Full-text Database, Information Science and Technology series *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584391A (en) * 2022-03-22 2022-06-03 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for generating abnormal flow processing strategy
CN114584391B (en) * 2022-03-22 2024-02-09 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for generating abnormal flow processing strategy
CN117221242A (en) * 2023-09-01 2023-12-12 安徽慢音科技有限公司 Network flow direction identification method, device and medium

Also Published As

Publication number Publication date
CN113904804B (en) 2023-07-21

Similar Documents

Publication Publication Date Title
Ghorbani et al. Network intrusion detection and prevention: concepts and techniques
Cai et al. Collaborative internet worm containment
US20170257339A1 (en) Logical / physical address state lifecycle management
CN113329029B (en) Situation awareness node defense method and system for APT attack
CN113904804B (en) Intranet safety protection method, system and medium based on behavior strategy
Mohammed et al. Honeycyber: Automated signature generation for zero-day polymorphic worms
CN111970300A (en) Network intrusion prevention system based on behavior inspection
Xiao et al. Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model
CN110113333A (en) TCP/IP protocol fingerprint dynamization processing method and device
Bahashwan et al. Flow-based approach to detect abnormal behavior in neighbor discovery protocol (NDP)
Hussain et al. A novel deep learning based intrusion detection system: Software defined network
Meier et al. Towards an AI-powered Player in Cyber Defence Exercises
US8819285B1 (en) System and method for managing network communications
Khosravifar et al. An experience improving intrusion detection systems false alarm ratio by using honeypot
Wang et al. Identifying peer-to-peer botnets through periodicity behavior analysis
Caulkins et al. A dynamic data mining technique for intrusion detection systems
Ивкин et al. Realization of expert intrusion detection system based on the results of datasets and machine learning algorithm analysis
Alshamrani Reconnaissance attack in sdn based environments
Yong et al. Understanding botnet: From mathematical modelling to integrated detection and mitigation framework
Limmer et al. Survey of event correlation techniques for attack detection in early warning systems
Li et al. Improved automated graph and FCM based DDoS attack detection mechanism in software defined networks
Fava et al. Terrain and behavior modeling for projecting multistage cyber attacks
Alsadhan et al. Detecting distributed denial of service attacks in neighbour discovery protocol using machine learning algorithm based on streams representation
CN114553513A (en) Communication detection method, device and equipment
Lee et al. A probe detection model using the analysis of the fuzzy cognitive maps

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant