CN113949571B - Software behavior recognition method and system based on behavior feature knowledge base - Google Patents

Software behavior recognition method and system based on behavior feature knowledge base

Info

Publication number: CN113949571B
Authority: CN (China)
Application number: CN202111211216.9A
Other languages: Chinese (zh)
Other versions: CN113949571A (en)
Inventors: 田国新, 孙晋超
Current Assignee: Antiy Technology Group Co Ltd
Original Assignee: Antiy Technology Group Co Ltd
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention relates to a software behavior recognition method and system based on a behavior feature knowledge base, comprising the following steps: determining the terminal-side software to be identified, collecting the processes of the terminal-side software and the data traffic of the corresponding traffic side, and aligning the collected data timelines using a terminal-traffic (end-stream) timeline data alignment technique; performing statistical analysis on the aligned-timeline data in combination with the URL access information and network protocols it contains, to obtain the standard behaviors of the terminal-side software; and organizing the obtained standard behaviors of the terminal-side software into behavior rules, thereby forming a software behavior feature knowledge base. The software behavior feature base is then used to identify the credibility of the specific behaviors of software actually running on the terminal side. The invention can provide a network behavior baseline for terminal software, assist the user in distinguishing trusted from untrusted software behaviors, help operation and maintenance personnel keep track of the network behavior of their equipment, and discover and handle abnormal behaviors in time.

Description

Software behavior recognition method and system based on behavior feature knowledge base
Technical Field
The invention relates to the technical field of network security, in particular to a software behavior recognition method and system based on a behavior feature knowledge base.
Background
Mainstream network security traffic detection devices take the detection of malicious attacks and the restoration and analysis of network traffic as their primary capabilities. However, some suspicious network behaviors cannot be judged accurately, and in an actual user environment operation and maintenance personnel have only limited knowledge of the specific actions and network behaviors of the network devices under their jurisdiction, while their information about how the devices are used lags behind each update iteration. In actual operation and maintenance work it is therefore impossible to judge whether the network behavior of a device is normal or not.
Disclosure of Invention
In view of the above, the present invention provides a method and a system for identifying software behavior based on a behavior feature knowledge base, which are used for determining which behaviors of a terminal software are trusted and which behaviors are not trusted by collecting data of a terminal side and a traffic side and combining a behavior information boundary of the terminal software to determine standard behaviors of the terminal software and form a software behavior feature knowledge base, so as to at least partially solve the problems existing in the prior art.
The specific invention comprises the following steps:
a method for constructing a software behavior feature knowledge base comprises the following steps:
determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, and aligning the collected data timelines by using an end-stream timeline data alignment technology; after the time lines are aligned, the behavior information boundary of the terminal side software can be identified;
combining URL access information and a network protocol in the data of the alignment time line, and carrying out statistical analysis on the data of the alignment time line to obtain the standard behavior of the terminal side software;
and the standard behaviors of the obtained terminal side software are arranged into behavior rules, so that a software behavior characteristic knowledge base is formed.
The software behavior feature library is used for providing a terminal side software behavior baseline and comprises standard behavior rules of a plurality of pieces of software, and each piece of software comprises a plurality of standard behaviors.
Further, the statistical analysis of the aligned-timeline data in combination with its URL access information and network protocols specifically includes:
splitting the aligned-timeline data by network protocol into common-protocol data and special-protocol data, and filtering out interference data; the common network protocols include HTTP, DNS, TCP/IP and the like;
extracting URL access information from the common-protocol data, analyzing the function of the domain name requested by the URL, and determining the specific software behavior in combination with the specific parameter information of the URL; the function of a domain name can be analyzed by means of a search engine, direct access and the like;
and tracing the special-protocol data back to the original traffic-side packets to obtain the specific network protocol information, and determining the specific software behavior from the characters found at specified positions.
A software behavior credibility identification method, comprising:
the method comprises the steps of monitoring a terminal side software process and a flow side data flow in real time to obtain specific behaviors of terminal side software;
comparing the specific behavior of the terminal-side software with the standard behavior rules of the corresponding software in the software behavior feature knowledge base, and, when a software behavior that does not conform to the standard rules of the corresponding software is found, judging that the behavior is untrusted and issuing an early warning. The software behavior feature knowledge base defines boundaries for terminal-side software behavior; the daily running condition of the software is recorded in log files, so that with the early warning information an untrusted behavior can be located precisely in the log records, which provides better abnormal-behavior data for later investigation and evidence collection by service personnel.
A software behavioral characteristics knowledge base construction system, comprising:
the data acquisition module is used for determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, aligning the collected data timelines by using an end-stream timeline data alignment technology, and transmitting the data aligned with the timelines to the statistical analysis module; after the time lines are aligned, the behavior information boundary of the terminal side software can be identified;
the statistical analysis module is used for receiving the data of the alignment time line transmitted by the data acquisition module, carrying out statistical analysis on the data of the alignment time line by combining with URL access information and network protocol in the data of the alignment time line to obtain standard behaviors of the terminal side software, and transmitting the obtained standard behavior information of the terminal side software to the feature knowledge base construction module; the URL access information and the network protocol form a behavior information boundary of terminal side software;
and the feature knowledge base construction module is used for receiving the standard behavior information of the terminal-side software sent by the statistical analysis module, and organizing the standard behavior information into behavior rules to form a software behavior feature knowledge base.
The software behavior feature library is used for providing a terminal side software behavior baseline and comprises standard behavior rules of a plurality of pieces of software, and each piece of software comprises a plurality of standard behaviors.
Further, the statistical analysis of the aligned-timeline data in combination with its URL access information and network protocols specifically includes:
splitting the aligned-timeline data by network protocol into common-protocol data and special-protocol data, and filtering out interference data; the common network protocols include HTTP, DNS, TCP/IP and the like;
extracting URL access information from the common-protocol data, analyzing the function of the domain name requested by the URL, and determining the specific software behavior in combination with the specific parameter information of the URL; the function of a domain name can be analyzed by means of a search engine, direct access and the like;
and tracing the special-protocol data back to the original traffic-side packets to obtain the specific network protocol information, and determining the specific software behavior from the characters found at specified positions.
A software behavior credibility identification system, comprising:
a software behavior acquisition module, which is used for monitoring the terminal-side software processes and the traffic-side data traffic in real time to obtain the specific behavior of the terminal-side software, and for sending the specific behavior of the terminal-side software to the software behavior judgment module;
and a software behavior judgment module, which is used for receiving the specific behavior of the terminal-side software sent by the software behavior acquisition module, comparing the specific behavior of the terminal-side software with the standard behavior rules of the corresponding software in the software behavior feature knowledge base, and, when a software behavior that does not conform to the standard rules of the corresponding software is found, judging that the behavior is untrusted and issuing an early warning. The software behavior feature knowledge base defines boundaries for terminal-side software behavior; the daily running condition of the software is recorded in log files, so that with the early warning information an untrusted behavior can be located precisely in the log records, which provides better abnormal-behavior data for later investigation and evidence collection by service personnel.
A software behavior recognition system based on a knowledge base of behavior features, comprising:
the software behavior feature knowledge base construction system is used for constructing a software behavior feature knowledge base according to standard behaviors of terminal side software;
the software behavior credibility recognition system is used for judging the credibility of the terminal-side software behavior according to the software behavior feature knowledge base, and issuing an early warning when untrusted software behavior is found.
An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the aforementioned method.
A computer readable storage medium storing one or more programs executable by one or more processors to implement the foregoing method.
The beneficial effects of the invention are as follows:
According to the invention, through data collection on the terminal side and the traffic side, combined with the behavior information boundary of the terminal software, the standard behavior of the terminal software is determined and a software behavior feature knowledge base is formed. The software behavior feature knowledge base can provide a network behavior baseline for terminal software to assist a user in distinguishing trusted from untrusted software behaviors. The invention can enrich the behavior profile of terminal equipment and provide supporting data for asset identification and inference of asset function. At the same time, the invention can define boundaries for the network behavior of terminal equipment, help operation and maintenance personnel keep track of the network behavior of the equipment, and discover and handle abnormal behaviors in time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for constructing a knowledge base of behavior characteristics of software according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of network protocol information content according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for constructing a knowledge base of behavior characteristics of software according to another embodiment of the present invention;
FIG. 4 is a flowchart of a software behavior credibility identification method according to an embodiment of the invention;
FIG. 5 is a diagram of a system for constructing a knowledge base of behavior characteristics of software according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating a software behavior credibility recognition system according to an embodiment of the present invention;
FIG. 7 is a block diagram of a software behavior recognition system based on a behavior feature knowledge base according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, without conflict, the following embodiments and features in the embodiments may be combined with each other; and, based on the embodiments in this disclosure, all other embodiments that may be made by one of ordinary skill in the art without inventive effort are within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
The invention provides an embodiment of a software behavior feature knowledge base construction method, as shown in fig. 1, comprising the following steps:
s11: determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, and aligning the collected data timelines by using an end-stream timeline data alignment technology; after the time lines are aligned, the behavior information boundary of the terminal side software can be identified;
s12: combining URL access information and a network protocol in the data of the alignment time line, and carrying out statistical analysis on the data of the alignment time line to obtain the standard behavior of the terminal side software;
s13: and the standard behaviors of the obtained terminal side software are arranged into behavior rules, so that a software behavior characteristic knowledge base is formed.
The software behavior feature library is used for providing a terminal side software behavior baseline and comprises standard behavior rules of a plurality of pieces of software, and each piece of software comprises a plurality of standard behaviors.
Preferably, the statistical analysis of the aligned-timeline data in combination with its URL access information and network protocols specifically includes:
splitting the aligned-timeline data by network protocol into common-protocol data and special-protocol data, and filtering out interference data; the common network protocols include HTTP, DNS, TCP/IP and the like;
extracting URL access information from the common-protocol data, analyzing the function of the domain name requested by the URL, and combining it with the specific parameter information of the URL to obtain the specific software behavior; the function of a domain name can be analyzed by means of a search engine, direct access and the like;
and tracing the special-protocol data back to the original traffic-side packets to obtain the specific network protocol information, and obtaining the specific software behavior from the characters found at specified positions.
The specific software behavior is obtained from the characters at specified positions; for example, as shown in fig. 2, the network behavior can be identified as a system update from the hostname, url and http_user_agent fields.
To further illustrate the above method, in combination with the above preferred solution, another embodiment of a method for constructing a knowledge base of behavior characteristics of software is provided, as shown in fig. 3, including:
s31: determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, and aligning the collected data timelines by using an end-stream timeline data alignment technology;
s32: splitting the aligned-timeline data by network protocol into common-protocol data and special-protocol data, and filtering out interference data; for common-protocol data, proceed to S33; for special-protocol data, proceed to S34;
s33: extracting URL access information from the common-protocol data, analyzing the function of the domain name requested by the URL, and combining it with the specific parameter information of the URL to obtain the specific software behavior;
s34: tracing the special-protocol data back to the original traffic-side packets to obtain the specific network protocol information, and obtaining the specific software behavior from the characters found at specified positions;
s35: and the standard behaviors of the obtained terminal side software are arranged into behavior rules, so that a software behavior characteristic knowledge base is formed.
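The following is an added example, not code from the patent or from Antiy, that walks through steps S31 to S35 (and the URL-based classification of step S12 above) on constructed data. The patent only says that the two timelines are aligned; the example assumes the terminal-side process events and traffic-side flow records share a pid and a timestamp, that a flow belongs to the nearest process event of that pid within a tolerance window, and that the "function" of each domain (which the patent determines by search engine or direct access) is supplied as a lookup table. The command offset inside the special-protocol payload is likewise an assumption.

```python
"""Build a software behavior feature knowledge base from constructed
terminal-side process events and traffic-side flow records (steps S31-S35).
All data shapes, the ALIGN_WINDOW tolerance, the pid link between the two
sides and the DOMAIN_FUNCTIONS table are assumptions made for this example."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ALIGN_WINDOW = 2.0                      # seconds; assumed alignment tolerance
COMMON_PROTOCOLS = {"HTTP", "DNS", "TCP/IP"}

# Constructed terminal-side process events: (timestamp, pid, process_name)
PROCESS_EVENTS = [
    (100.0, 4001, "updater.exe"),
    (100.5, 4002, "chat.exe"),
    (101.0, 4001, "updater.exe"),
]
# Constructed traffic-side flow records: (timestamp, pid, protocol, fields)
FLOW_RECORDS = [
    (100.2, 4001, "HTTP", {"hostname": "update.example-vendor.com",
                           "url": "/v2/check?os=win10&arch=x64",
                           "http_user_agent": "VendorUpdater/2.1"}),
    (100.7, 4002, "DNS", {"qname": "msg.example-chat.net"}),
    (100.9, 4002, "PROTO-X", {"payload": b"\x01\x00LOGIN\x00user"}),
    # no owning process on the terminal side: treated as interference data
    (200.0, 9999, "HTTP", {"hostname": "ads.example.net", "url": "/",
                           "http_user_agent": "x"}),
]
# Assumed domain-function table (the patent fills this in manually).
DOMAIN_FUNCTIONS = {
    "update.example-vendor.com": "system update",
    "msg.example-chat.net": "messaging",
}


def align_timelines(process_events, flow_records, window=ALIGN_WINDOW):
    """S31: attach each flow to the nearest process event with the same pid
    inside `window` seconds; flows with no owning process are dropped."""
    aligned = []
    for ts, pid, proto, fields in flow_records:
        candidates = [(abs(ts - pts), name) for pts, ppid, name in process_events
                      if ppid == pid and abs(ts - pts) <= window]
        if candidates:
            _, name = min(candidates)
            aligned.append((ts, name, proto, fields))
    return aligned


def split_by_protocol(aligned):
    """S32: separate common-protocol data from special-protocol data."""
    common = [r for r in aligned if r[2] in COMMON_PROTOCOLS]
    special = [r for r in aligned if r[2] not in COMMON_PROTOCOLS]
    return common, special


def behavior_from_common(record):
    """S33: behavior from the requested domain's function plus URL parameters."""
    _, name, proto, fields = record
    host = fields.get("hostname") or fields.get("qname")
    function = DOMAIN_FUNCTIONS.get(host, "unknown")
    params = parse_qs(urlsplit(fields.get("url", "")).query)
    detail = ",".join(sorted(params)) if params else ""
    return (name, proto, host, function, detail)


def behavior_from_special(record):
    """S34: behavior from characters at a fixed position in the raw packet
    (assumed here: bytes 2..6 of the payload carry a command word)."""
    _, name, proto, fields = record
    command = fields["payload"][2:7].decode("ascii", "replace")
    return (name, proto, None, "command:" + command, "")


def build_knowledge_base(process_events, flow_records):
    """S35: organise the observed behaviors into rules keyed by software name."""
    common, special = split_by_protocol(align_timelines(process_events, flow_records))
    kb = defaultdict(set)
    for r in common:
        b = behavior_from_common(r)
        kb[b[0]].add(b[1:])
    for r in special:
        b = behavior_from_special(r)
        kb[b[0]].add(b[1:])
    return {name: sorted(rules) for name, rules in kb.items()}


if __name__ == "__main__":
    for name, rules in build_knowledge_base(PROCESS_EVENTS, FLOW_RECORDS).items():
        print(name, rules)
```

Running the block yields one rule for updater.exe (HTTP to the update domain, function "system update", parameters arch and os) and two for chat.exe (a DNS lookup of the messaging domain and a PROTO-X LOGIN command); the flow at timestamp 200.0 has no terminal-side process and is discarded as interference, which is the filtering step S32 describes.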
In order to obtain the data for the software behavior feature knowledge base more accurately, the invention can do the following during implementation: first, prepare several virtual machines or virtual devices running different operating systems, install the mainstream operating systems and software, and prepare a database and the related tool scripts; second, install terminal process monitoring software and a network traffic monitoring tool in the virtual machines or virtual devices, which are used to collect the terminal-side software processes and the traffic-side data traffic respectively.
The invention provides an embodiment of a software behavior credibility identification method, as shown in fig. 4, comprising the following steps:
s41: the method comprises the steps of monitoring a terminal side software process and a flow side data flow in real time to obtain specific behaviors of terminal side software;
s42: comparing the specific behavior of the terminal side software with the standard behavior rules of the corresponding software in the software behavior feature knowledge base;
s43: judging whether software behaviors which do not accord with the standard rules of the corresponding software exist or not, if yes, judging that the corresponding software behaviors belong to unreliable behaviors, and giving early warning; otherwise, the process returns to S42.
The software behavior feature knowledge base can provide a network behavior baseline for terminal software, assist a user in distinguishing trusted from untrusted network behaviors, help operation and maintenance personnel keep track of the equipment's network behavior, and discover and handle abnormal behaviors in time. The daily running condition of the software is recorded in log files, and with the early warning information an untrusted behavior can be located precisely in the log records, which provides better abnormal-behavior data for later investigation and evidence collection by service personnel.
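As an added example (not code from the patent or from Antiy), the check in steps S41 to S43 can be run over a constructed log of observed behaviors: each log line is compared against the rules recorded for its software and any mismatch produces an early warning that carries the log line number, which is the "locate the untrusted behavior in the log records" use described above. The knowledge base layout (software name mapped to allowed protocol/host pairs), the log line format and the decision to treat software with no rules at all as untrusted are assumptions for this example.

```python
"""Software behavior credibility check (S41-S43) over constructed log lines.
Knowledge base layout, log format and the unknown-software policy are assumed."""

# Constructed knowledge base: allowed (protocol, host) pairs per software.
# A host of None stands for a special protocol with no domain name.
KNOWLEDGE_BASE = {
    "updater.exe": {("HTTP", "update.example-vendor.com"),
                    ("DNS", "update.example-vendor.com")},
    "chat.exe": {("DNS", "msg.example-chat.net"), ("PROTO-X", None)},
}

# Constructed daily log: "<timestamp> <process> <protocol> <host>", "-" = no host.
LOG_LINES = [
    "100.2 updater.exe HTTP update.example-vendor.com",
    "100.7 chat.exe DNS msg.example-chat.net",
    "100.9 chat.exe PROTO-X -",
    "131.0 updater.exe HTTP files.example-unknown.org",
    "140.0 unknown.exe HTTP msg.example-chat.net",
]


def parse_log_line(line):
    """Split one log line into (timestamp, process, protocol, host-or-None)."""
    ts, proc, proto, host = line.split()
    return float(ts), proc, proto, (None if host == "-" else host)


def judge_behavior(kb, proc, proto, host):
    """S42/S43: compare one observed behavior with the software's standard rules.
    Returns (trusted, reason)."""
    rules = kb.get(proc)
    if rules is None:
        # assumed policy: software absent from the base has no baseline, so flag it
        return False, "no standard behavior rules for this software"
    if (proto, host) in rules:
        return True, "matches standard behavior"
    return False, f"{proto} to {host} is not a standard behavior"


def scan_log(kb, lines):
    """S41 loop: walk the log and collect early warnings as
    (line_number, process, reason) so each finding can be located later."""
    warnings = []
    for line_no, line in enumerate(lines, 1):
        _, proc, proto, host = parse_log_line(line)
        trusted, reason = judge_behavior(kb, proc, proto, host)
        if not trusted:
            warnings.append((line_no, proc, reason))
    return warnings


if __name__ == "__main__":
    for line_no, proc, reason in scan_log(KNOWLEDGE_BASE, LOG_LINES):
        print(f"EARLY WARNING line {line_no}: {proc}: {reason}")
```

Lines 1 to 3 match the baseline and pass silently; line 4 (updater.exe contacting a host outside its rules) and line 5 (a process with no rules at all) are reported with their line numbers, so an investigator can jump straight to the surrounding log context.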
The invention provides an embodiment of a software behavior feature knowledge base construction system, as shown in fig. 5, comprising:
the data acquisition module 51 is configured to determine terminal side software to be identified, collect a process of the terminal side software and data traffic of a corresponding traffic side, align a collected data timeline by using an end-stream timeline data alignment technology, and send data of the aligned timeline to the statistical analysis module 52; after the time lines are aligned, the behavior information boundary of the terminal side software can be identified;
the statistical analysis module 52 is configured to receive the aligned timeline data sent by the data acquisition module 51, perform statistical analysis on the aligned timeline data in combination with URL access information and a network protocol in the aligned timeline data, obtain standard behavior of the terminal side software, and send the obtained standard behavior information of the terminal side software to the feature knowledge base construction module 53; the URL access information and the network protocol form a behavior information boundary of terminal side software;
the feature knowledge base construction module 53 is configured to receive standard behavior information of the terminal-side software sent by the statistical analysis module, sort the standard behavior information into behavior rules, and form a software behavior feature knowledge base.
Preferably, the statistical analysis of the aligned-timeline data in combination with its URL access information and network protocols specifically includes:
splitting the aligned-timeline data by network protocol into common-protocol data and special-protocol data, and filtering out interference data; the common network protocols include HTTP, DNS, TCP/IP and the like;
extracting URL access information from the common-protocol data, analyzing the function of the domain name requested by the URL, and combining it with the specific parameter information of the URL to obtain the specific software behavior; the function of a domain name can be analyzed by means of a search engine, direct access and the like;
and tracing the special-protocol data back to the original traffic-side packets to obtain the specific network protocol information, and obtaining the specific software behavior from the characters found at specified positions.
The invention provides an embodiment of a software behavior credibility identification system, as shown in fig. 6, comprising:
the software behavior acquisition module 61 is configured to monitor a terminal-side software process and a traffic-side data traffic in real time, obtain a specific behavior of the terminal-side software, and send the specific behavior of the terminal-side software to the software behavior determination module 62;
the software behavior determination module 62 is configured to receive the specific behavior of the terminal-side software sent by the software behavior acquisition module 61, compare the specific behavior of the terminal-side software with the standard behavior rules of the corresponding software in the software behavior feature knowledge base, and, when a software behavior that does not conform to the standard rules of the corresponding software is found, determine that the behavior is untrusted and issue an early warning. The software behavior feature knowledge base defines boundaries for terminal-side software behavior; the daily running condition of the software is recorded in log files, so that with the early warning information an untrusted behavior can be located precisely in the log records, which provides better abnormal-behavior data for later investigation and evidence collection by service personnel.
The invention provides a software behavior recognition system embodiment based on a behavior feature knowledge base, as shown in fig. 7, comprising:
the software behavior feature knowledge base construction system specifically comprises a data acquisition module 51, a statistical analysis module 52 and a feature knowledge base construction module 53, and is used for constructing a software behavior feature knowledge base according to standard behaviors of terminal side software;
the software behavior credibility recognition system specifically comprises a software behavior acquisition module 61 and a software behavior judgment module 62, which are used for judging the credibility of the terminal-side software behavior according to the software behavior feature knowledge base and issuing an early warning when untrusted software behavior is found.
The partial processes of the system embodiment of the invention are similar to those of the method embodiment, the description of the system embodiment is simpler, and the corresponding parts refer to the method embodiment.
The embodiment of the present invention further provides an electronic device, as shown in fig. 8, capable of implementing the processes of the embodiments shown in fig. 1, 3 and 4, where the electronic device includes: the device comprises a shell 81, a processor 82, a memory 83, a circuit board 84 and a power circuit 85, wherein the circuit board 84 is arranged in a space surrounded by the shell 81, and the processor 82 and the memory 83 are arranged on the circuit board 84; a power supply circuit 85 for supplying power to the respective circuits or devices of the above-described electronic apparatus; the memory 83 is for storing executable program code; the processor 82 executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the method described in the foregoing embodiment.
The specific implementation of the above steps by the processor 82 and the further implementation of the steps by the processor 82 through the execution of executable program codes may be referred to in the embodiments of the present invention shown in fig. 1, 3 and 4, and will not be described herein.
The electronic device exists in a variety of forms including, but not limited to:
(1) A server: the configuration of a server includes a processor, a hard disk, a memory, a system bus and the like, and resembles a general computer architecture, but a server is required to provide highly reliable services and therefore has high requirements for processing capacity, stability, reliability, security, scalability, manageability and the like.
(2) Other electronic devices with data interaction functions.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs executable by one or more processors to implement the methods described in the foregoing embodiments.
According to the invention, data collected on the terminal side and the traffic side are combined with the behavior information boundary of the terminal software to determine the standard behavior of the terminal software, from which a software behavior feature knowledge base is formed. The knowledge base provides a network behavior baseline for terminal software that helps a user distinguish trusted software behaviors from untrusted ones. The invention thereby enriches the behavior profile of terminal equipment and provides supporting data for asset identification and inference of asset function. At the same time, it defines boundaries for the network behavior of terminal equipment, helping operation and maintenance personnel to understand the network behavior of each device, discover abnormal behavior in time and handle it.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (7)

1. A method for constructing a software behavior feature knowledge base, comprising the following steps:
determining the terminal side software to be identified, collecting the processes of the terminal side software and the data traffic of the corresponding traffic side, and aligning the timelines of the collected data using an end-stream timeline data alignment technique;
performing statistical analysis on the timeline-aligned data, in combination with the URL access information and the network protocols in that data, to obtain the standard behaviors of the terminal side software;
organizing the obtained standard behaviors of the terminal side software into behavior rules to form the software behavior feature knowledge base;
wherein performing statistical analysis on the timeline-aligned data in combination with its URL access information and network protocols comprises:
splitting the timeline-aligned data by network protocol into common network protocols and special network protocols, and filtering out interference data;
extracting URL access information from the data of the common network protocols, analyzing the function of the domain name requested by each URL, and combining it with the specific parameter information of the URL to obtain specific software behaviors;
and parsing the data of the special network protocols down to the original traffic packets of the corresponding traffic side to obtain specific network protocol information, and obtaining specific software behaviors from the specific character information at specific positions.
2. A method for identifying the credibility of software behavior, comprising the following steps:
monitoring the terminal side software processes and the traffic side data flows in real time to obtain the specific behaviors of the terminal side software;
comparing the specific behaviors of the terminal side software with the standard behavior rules of the corresponding software in the software behavior feature knowledge base obtained by the method of claim 1, and, when a software behavior that does not conform to the standard rules of the corresponding software is found in the comparison, judging that software behavior to be untrusted and giving an early warning.
3. A software behavior feature knowledge base construction system, comprising:
a data acquisition module, configured to determine the terminal side software to be identified, collect the processes of the terminal side software and the data traffic of the corresponding traffic side, align the timelines of the collected data using an end-stream timeline data alignment technique, and transmit the timeline-aligned data to the statistical analysis module;
a statistical analysis module, configured to receive the timeline-aligned data transmitted by the data acquisition module, perform statistical analysis on it in combination with the URL access information and the network protocols in that data to obtain the standard behaviors of the terminal side software, and transmit the obtained standard behavior information of the terminal side software to the feature knowledge base construction module;
a feature knowledge base construction module, configured to receive the standard behavior information of the terminal side software sent by the statistical analysis module and organize it into behavior rules to form the software behavior feature knowledge base;
wherein performing statistical analysis on the timeline-aligned data in combination with its URL access information and network protocols comprises:
splitting the timeline-aligned data by network protocol into common network protocols and special network protocols, and filtering out interference data;
extracting URL access information from the data of the common network protocols, analyzing the function of the domain name requested by each URL, and combining it with the specific parameter information of the URL to obtain specific software behaviors;
and parsing the data of the special network protocols down to the original traffic packets of the corresponding traffic side to obtain specific network protocol information, and obtaining specific software behaviors from the specific character information at specific positions.
4. A software behavior credibility identification system, comprising:
a software behavior acquisition module, configured to monitor the terminal side software processes and the traffic side data flows in real time to obtain the specific behaviors of the terminal side software, and to send those specific behaviors to the software behavior judgment module;
a software behavior judgment module, configured to receive the specific behaviors of the terminal side software sent by the software behavior acquisition module, compare them with the standard behavior rules of the corresponding software in the software behavior feature knowledge base obtained according to claim 1 or 3, and, when a software behavior that does not conform to the standard rules of the corresponding software is found in the comparison, judge that software behavior to be untrusted and give an early warning.
5. A software behavior recognition system based on a behavior feature knowledge base, comprising:
the software behavior feature knowledge base construction system of claim 3, configured to construct a software behavior feature knowledge base from the standard behaviors of terminal side software;
and the software behavior credibility identification system of claim 4, configured to judge the credibility of terminal side software behavior against the software behavior feature knowledge base and to give an early warning when untrusted software behavior is found.
6. An electronic device, comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to the circuits and devices of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading that code from the memory, so as to perform the method of claim 1 or 2.
7. A computer-readable storage medium storing one or more programs executable by one or more processors to implement the method of claim 1 or 2.
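As an added worked example (not the patent's or the applicant's code), the following Python sketch implements claims 1 and 2 on constructed records: terminal side process records and traffic side flow records are aligned by timestamp, split into URL-bearing "common" protocols and "special" protocols, reduced to per-process behavior rules, and live flows are then checked against those rules. The record fields, the source-port join key and the one-second alignment window are assumptions; the patent specifies only that the two timelines are aligned.

```python
# Added example, not the patent's code: a minimal behaviour-feature knowledge base in
# the style of claims 1 and 2. Record fields and the port-based join are assumptions.
from collections import defaultdict
from urllib.parse import urlsplit

ALIGN_WINDOW = 1.0            # seconds of tolerance between terminal and traffic clocks
COMMON_PROTOCOLS = {"http"}   # URL-bearing ("common") protocols; the rest are "special"
# Constructed sample data: terminal-side process records and traffic-side flow records.
PROCESSES = [
    {"t": 100.0, "proc": "updater.exe", "sport": 50001},
    {"t": 101.0, "proc": "updater.exe", "sport": 50002},
    {"t": 102.0, "proc": "mailer.exe", "sport": 50003},
]
FLOWS = [
    {"t": 100.2, "sport": 50001, "proto": "http", "url": "http://updates.example.com/check?v=2"},
    {"t": 101.1, "sport": 50002, "proto": "http", "url": "http://updates.example.com/download?v=2"},
    {"t": 102.3, "sport": 50003, "proto": "smtp", "dst": "mail.example.com", "dport": 25},
    {"t": 250.0, "sport": 60000, "proto": "http", "url": "http://nobody.example.com/"},  # no owner
]

def align(processes, flows, window=ALIGN_WINDOW):
    """End/stream timeline alignment: attribute each flow to the process that held the
    same source port within `window` seconds; ownerless flows are interference data."""
    pairs = []
    for f in flows:
        owner = next((p["proc"] for p in processes
                      if p["sport"] == f["sport"] and abs(p["t"] - f["t"]) <= window), None)
        if owner is not None:
            pairs.append((owner, f))
    return pairs

def behaviour(flow):
    """Common protocols: protocol, requested domain and URL path (query values vary and
    are dropped). Special protocols: protocol, destination host and port from the packet."""
    if flow["proto"] in COMMON_PROTOCOLS:
        u = urlsplit(flow["url"])
        return (flow["proto"], u.hostname, u.path)
    return (flow["proto"], flow["dst"], flow["dport"])

def build_knowledge_base(processes, flows):
    """Standard behaviours per process: the behaviour rules of the knowledge base."""
    kb = defaultdict(set)
    for proc, f in align(processes, flows):
        kb[proc].add(behaviour(f))
    return dict(kb)

def is_trusted(kb, proc, flow):
    """Claim 2: a live behaviour absent from the process's rule set is untrusted."""
    return behaviour(flow) in kb.get(proc, set())
```

In a deployment the rule set would be learned over a long observation window and the untrusted verdict would feed an alert rather than a boolean; here the ownerless flow shows where interference filtering removes traffic that cannot be attributed to any process.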

Priority Applications (1)

Application number: CN202111211216.9A (CN113949571B, en)
Priority date: 2021-10-18
Filing date: 2021-10-18
Title: Software behavior recognition method and system based on behavior feature knowledge base
Publications (2)

CN113949571A (en), published 2022-01-18
CN113949571B (en), published 2023-12-22

Family

ID: 79331244
Country Status (1)

CN: CN113949571B (en)

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant