CN114338593B - Behavior detection method and device for network scanning by using address resolution protocol - Google Patents


Info

Publication number
CN114338593B
Authority
CN
China
Prior art keywords
request
address
source address
determining
score
Legal status
Active
Application number
CN202111594056.0A
Other languages
Chinese (zh)
Other versions
CN114338593A (en)
Inventor
徐�明
辜乘风
魏国富
夏玉明
殷钱安
周晓勇
陶景龙
余贤喆
梁淑云
刘胜
王启凡
马影
Current Assignee
Information and Data Security Solutions Co Ltd
Original Assignee
Information and Data Security Solutions Co Ltd
Application filed by Information and Data Security Solutions Co Ltd
Priority to CN202111594056.0A
Publication of CN114338593A
Application granted
Publication of CN114338593B
Legal status: Active

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a behavior detection method and device for network scanning by using an address resolution protocol, a storage medium and computer equipment. The method comprises the following steps: acquiring communication information, wherein the communication information comprises a source address, a destination address, a request time and a request result; determining a request rule corresponding to a source address according to the destination address and the request time; determining a request rule score according to a request rule, determining a request result score according to a request result corresponding to a source address, and determining a request breadth score according to a destination address corresponding to the source address; and determining a target source address corresponding to the network scanning in source addresses corresponding to the plurality of communication information according to the request rule score, the request result score and the request breadth score, and determining a target request corresponding to the target source address as the network scanning behavior. The method improves the accuracy of ARP network scanning behavior detection.

Description

Behavior detection method and device for network scanning by using address resolution protocol
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for detecting network scanning behavior by using an address resolution protocol, a storage medium, and a computer device.
Background
ARP (Address Resolution Protocol) resolves an IPv4 address to the MAC address of the host that owns it: a host broadcasts a request for a target IP address, and the owner of that address answers with its MAC address. ARP is fundamental to IPv4 local networks. ARP scanning sends requests for the addresses of a local network and records which ones answer, thereby identifying the live hosts on the segment. During a penetration, once an attacker has compromised a server and uses it as a pivot for further intranet penetration, ARP network scanning is a quick way to collect information on the live hosts on that link.
For network scanning that uses ARP, existing detection methods judge only by the total number of ARP requests a host sends on the network, so the accuracy of the result is low.
Disclosure of Invention
In view of this, the present application provides a method and apparatus for detecting network scanning behaviors by using address resolution protocol, a storage medium, and a computer device, which can improve the accuracy of ARP network scanning behavior detection.
According to one aspect of the present application, there is provided a network scanning behavior detection method, including:
acquiring communication information, wherein the communication information comprises a source address, a destination address, a request time and a request result;
determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and determining a target source address corresponding to network scanning in source addresses corresponding to a plurality of communication information according to the request rule scores, the request result scores and the request breadth scores, and determining a target request corresponding to the target source address as network scanning behavior.
Optionally, the request rule includes a character rule;
the determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
determining at least one first destination address corresponding to the source address according to the communication information;
dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
in each address segment set, sequencing the plurality of address segments according to the order of the first destination addresses corresponding to the address segments from small to large, and taking each address segment as an element in a first-layer address segment sequence to obtain the first-layer address segment sequence corresponding to the address segment set;
subtracting two adjacent elements from each other in the i-th layer address segment sequence to obtain an i+1-th layer address segment sequence, wherein i=1 or i=2;
and determining the character rule according to the elements in the third-layer address segment sequence.
Optionally, the request rule includes an access rule;
the determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
in the communication information, determining a target request time of the source address in each preset time window and a second destination address corresponding to the target request time respectively;
de-duplicating the plurality of second destination addresses to obtain the address quantity of the second destination addresses;
sequencing the address numbers corresponding to a plurality of time windows according to the sequence of the time windows from first to last, and taking each address number as an element in a first layer address number sequence to obtain the first layer address number sequence;
obtaining the (j+1)-th layer address quantity sequence by subtracting adjacent elements of the j-th layer address quantity sequence from each other, where j=1 or j=2;
and determining the access rule according to the elements in the third-layer address quantity sequence.
Optionally, the request rule includes a fluctuation rule;
the determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
in the communication information, determining the third destination addresses corresponding to the source address and the access count of each third destination address;
ordering the access counts of the plurality of third destination addresses according to the order of the third destination addresses from small to large, and taking each access count as an element in a first-layer access count sequence to obtain the first-layer access count sequence;
obtaining the (k+1)-th layer access count sequence by subtracting adjacent elements of the k-th layer access count sequence from each other, where k=1 or k=2;
and determining the fluctuation rule according to the elements in the third-layer access count sequence.
Optionally, the determining a request result score according to the request result corresponding to the source address specifically includes:
according to the at least one request result corresponding to the source address, identifying the failed communication information whose request result is an access failure among the communication information of the source address, and determining the number of failed communication information and its proportion of all communication information of the source address;
and determining the request result score from the number and proportion of failed communication information using an isolation forest model.
Optionally, the determining the request breadth score according to the destination address corresponding to the source address specifically includes:
determining the number of communication information corresponding to the source address and the number of fourth destination addresses corresponding to the source address according to the plurality of communication information;
and determining the request breadth score from the number of communication information of the source address and the number of fourth destination addresses using the isolation forest model.
Optionally, determining, according to the request rule scores, the request result scores and the request breadth scores, a target source address corresponding to network scanning among the source addresses corresponding to the plurality of communication information specifically includes:
sorting the request rule scores of the source addresses in descending order, taking the request rule scores in the top N% of the ranking as target request rule scores, and forming a first source address set from the first source addresses corresponding to the target request rule scores, where 0<N<5;
sorting the request result scores of the source addresses in descending order, taking the request result scores in the top N% of the ranking as target request result scores, and forming a second source address set from the second source addresses corresponding to the target request result scores;
sorting the request breadth scores of the source addresses in descending order, taking the request breadth scores in the top N% of the ranking as target request breadth scores, and forming a third source address set from the third source addresses corresponding to the target request breadth scores;
and if the first source address set, the second source address set and the third source address set contain the same source address, determining that source address to be the target source address.
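The complete procedure above, as an added example that is not the patent's own code: constructed ARP request records for three source addresses (two hosts doing ordinary ARP, one sweeping 10.0.0.1 to 10.0.0.30) are reduced to the three request-rule components (zero counts of the third-layer sequences), the request result features and the request breadth features, and the top-N% intersection selects the target source address. Assumptions the page does not state: the three rule counts are summed into one request rule score, the isolation forest is replaced by max-normalised averaging so the block runs without scikit-learn, the time window is 10 seconds, and on a small population the top N% is rounded up to at least one source address.

```python
"""ARP scan detection: request rule, request result and request breadth
scores per source address, then a top-N% intersection.

Added example, not the patent's code. The sample records are constructed.
Assumptions: rule score = sum of the three zero counts; isolation forest
replaced by max-normalised averaging; 10 s windows; top N% >= 1 source.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRecord:
    src: str     # source address (ARP sender IP)
    dst: str     # destination address (ARP target IP)
    t: float     # request time in seconds
    ok: bool     # request result: True if a reply was observed


def ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def second_differences(seq):
    """Layer 1 -> 2 -> 3: later element minus earlier, applied twice."""
    d1 = [b - a for a, b in zip(seq, seq[1:])]
    return [b - a for a, b in zip(d1, d1[1:])]


def zeros(seq):
    return sum(1 for x in seq if x == 0)


def character_rule(dsts):
    """Octet columns of the sorted distinct destinations, each reduced to
    its third-layer sequence; the result is the total number of zeros."""
    ordered = sorted(set(dsts), key=ip_key)
    columns = [[ip_key(ip)[pos] for ip in ordered] for pos in range(4)]
    return sum(zeros(second_differences(col)) for col in columns)


def access_rule(records, window=10.0):
    """Distinct destinations per consecutive fixed-length time window."""
    t0 = min(r.t for r in records)
    seen = defaultdict(set)
    for r in records:
        seen[int((r.t - t0) // window)].add(r.dst)
    counts = [len(seen[w]) for w in range(max(seen) + 1)]
    return zeros(second_differences(counts))


def fluctuation_rule(records):
    """Access count of each destination, ordered by destination address."""
    c = Counter(r.dst for r in records)
    return zeros(second_differences([c[ip] for ip in sorted(c, key=ip_key)]))


def features(records):
    """Per source: rule score, (failures, ratio), (requests, distinct dests)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
    out = {}
    for src, rs in by_src.items():
        failed = sum(1 for r in rs if not r.ok)
        out[src] = {
            "rule": character_rule([r.dst for r in rs]) + access_rule(rs) + fluctuation_rule(rs),
            "result": (failed, failed / len(rs)),
            "breadth": (len(rs), len({r.dst for r in rs})),
        }
    return out


def normalised_score(vectors):
    """Stand-in for the isolation forest (assumption): each feature divided
    by its maximum over all sources, then averaged. Higher = more anomalous."""
    dims = len(next(iter(vectors.values())))
    maxes = [max(v[i] for v in vectors.values()) or 1 for i in range(dims)]
    return {s: sum(v[i] / maxes[i] for i in range(dims)) / dims for s, v in vectors.items()}


def top_percent(scores, n_percent):
    """Sources ranked in the top N%; rounded up so at least one survives
    on a small population (assumption)."""
    k = max(1, math.ceil(len(scores) * n_percent / 100))
    return set(sorted(scores, key=scores.get, reverse=True)[:k])


def detect(records, n_percent=4.0):
    f = features(records)
    rule = {s: v["rule"] for s, v in f.items()}
    result = normalised_score({s: v["result"] for s, v in f.items()})
    breadth = normalised_score({s: v["breadth"] for s, v in f.items()})
    targets = top_percent(rule, n_percent) & top_percent(result, n_percent) & top_percent(breadth, n_percent)
    return sorted(targets, key=ip_key)


def build_sample():
    """Constructed traffic: two hosts doing normal ARP, one sweeping 10.0.0.1-30
    (only 10.0.0.1, .5 and .20 are live, so 27 of its 30 requests fail)."""
    live = {"10.0.0.1", "10.0.0.5", "10.0.0.20"}
    recs = [ArpRecord("10.0.0.5", "10.0.0.1", 100 + 10 * i, True) for i in range(5)]
    recs += [ArpRecord("10.0.0.5", "10.0.0.20", t, True) for t in (105, 125)]
    recs += [ArpRecord("10.0.0.20", "10.0.0.1", t, True) for t in (101, 121, 141)]
    recs += [ArpRecord("10.0.0.20", "10.0.0.5", t, True) for t in (106, 126)]
    recs += [ArpRecord("10.0.0.9", f"10.0.0.{i}", 100 + i - 1, f"10.0.0.{i}" in live) for i in range(1, 31)]
    return recs


if __name__ == "__main__":
    print(detect(build_sample()))  # ['10.0.0.9']
```

The sweep scores 28 zeros in each of the four octet columns (112 in total), one zero from its three equal-sized windows and 28 from its flat per-destination access counts, while the two normal hosts contact only two addresses each and therefore produce empty third-layer sequences; it is also the only source in the top slice of the failure and breadth scores, so it alone survives the intersection.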
According to another aspect of the present application, there is provided a network scanning behavior detection apparatus, including:
an acquisition module, configured to acquire communication information, where the communication information comprises a source address, a destination address, a request time and a request result;
the computing module is used for determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
the analysis module is used for determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and the judging module is used for determining a target source address corresponding to network scanning in the source addresses corresponding to the communication information according to the request rule score, the request result score and the request breadth score, and determining a target request corresponding to the target source address as network scanning behavior.
Optionally, the calculation module includes a character rule calculation unit, where the character rule calculation unit is specifically configured to:
determining at least one first destination address corresponding to the source address according to the communication information;
dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
in each address segment set, sequencing the plurality of address segments according to the order of the first destination addresses corresponding to the address segments from small to large, and taking each address segment as an element in a first-layer address segment sequence to obtain the first-layer address segment sequence corresponding to the address segment set;
subtracting two adjacent elements from each other in the i-th layer address segment sequence to obtain an i+1-th layer address segment sequence, wherein i=1 or i=2;
and determining the character rule according to the elements in the third-layer address segment sequence.
Optionally, the computing module includes an access rule computing unit, where the access rule computing unit is specifically configured to:
in the communication information, determining a target request time of the source address in each preset time window and a second destination address corresponding to the target request time respectively;
de-duplicating the plurality of second destination addresses to obtain the address quantity of the second destination addresses;
sequencing the address numbers corresponding to a plurality of time windows according to the sequence of the time windows from first to last, and taking each address number as an element in a first layer address number sequence to obtain the first layer address number sequence;
obtaining the (j+1)-th layer address quantity sequence by subtracting adjacent elements of the j-th layer address quantity sequence from each other, where j=1 or j=2;
and determining the access rule according to the elements in the third-layer address quantity sequence.
Optionally, the calculation module includes a fluctuation rule calculation unit, where the fluctuation rule calculation unit is specifically configured to:
in the communication information, determining the third destination addresses corresponding to the source address and the access count of each third destination address;
ordering the access counts of the plurality of third destination addresses according to the order of the third destination addresses from small to large, and taking each access count as an element in a first-layer access count sequence to obtain the first-layer access count sequence;
obtaining the (k+1)-th layer access count sequence by subtracting adjacent elements of the k-th layer access count sequence from each other, where k=1 or k=2;
and determining the fluctuation rule according to the elements in the third-layer access count sequence.
Optionally, the analysis module is specifically configured to:
according to the at least one request result corresponding to the source address, identify the failed communication information whose request result is an access failure among the communication information of the source address, and determine the number of failed communication information and its proportion of all communication information of the source address;
and determine the request result score from the number and proportion of failed communication information using an isolation forest model.
Optionally, the analysis module is specifically configured to:
determine the number of communication information corresponding to the source address and the number of fourth destination addresses corresponding to the source address according to the plurality of communication information;
and determine the request breadth score from the number of communication information of the source address and the number of fourth destination addresses using the isolation forest model.
Optionally, the judging module is specifically configured to:
sort the request rule scores of the source addresses in descending order, take the request rule scores in the top N% of the ranking as target request rule scores, and form a first source address set from the first source addresses corresponding to the target request rule scores, where 0<N<5;
sort the request result scores of the source addresses in descending order, take the request result scores in the top N% of the ranking as target request result scores, and form a second source address set from the second source addresses corresponding to the target request result scores;
sort the request breadth scores of the source addresses in descending order, take the request breadth scores in the top N% of the ranking as target request breadth scores, and form a third source address set from the third source addresses corresponding to the target request breadth scores;
and if the first source address set, the second source address set and the third source address set contain the same source address, determine that source address to be the target source address.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described detection method.
According to still another aspect of the present application, there is provided a computer device including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the above detection method when executing the program.
By means of the technical scheme, the method and device analyze the communication information sent by a source address from three aspects, namely request rule, request result and request breadth, to judge whether the source address exhibits network scanning behavior; this reduces false positives and missed detections and improves the accuracy of the judgment.
The foregoing description is only an overview of the technical solutions of the present application, and may be implemented according to the content of the specification in order to make the technical means of the present application more clearly understood, and in order to make the above-mentioned and other objects, features and advantages of the present application more clearly understood, the following detailed description of the present application will be given.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
fig. 1 is a flow chart illustrating a behavior detection method for performing network scanning by using an address resolution protocol according to an embodiment of the present application;
FIG. 2 is a flow chart illustrating another method for detecting network scanning by using address resolution protocol according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating calculation of a request rule score according to another behavior detection method for performing network scanning by using an address resolution protocol according to an embodiment of the present application;
FIG. 4 is a schematic diagram showing calculation of a score of a request result of another behavior detection method for performing network scanning by using an address resolution protocol according to an embodiment of the present application;
FIG. 5 is a schematic diagram showing a request breadth score of another behavior detection method for performing network scanning by using an address resolution protocol according to an embodiment of the present application;
FIG. 6 is a second flow chart illustrating another method for detecting network scanning by using address resolution protocol according to the embodiment of the present application;
FIG. 7 is a third flow chart illustrating another method for detecting network scanning by using an address resolution protocol according to the embodiment of the present application;
fig. 8 is a block diagram of a behavior detection apparatus for performing network scanning by using an address resolution protocol according to an embodiment of the present application.
Detailed Description
The present application will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
In this embodiment, a behavior detection method for performing network scanning by using an address resolution protocol is provided, as shown in fig. 1, where the method includes:
step 101, obtaining communication information, wherein the communication information comprises a source address, a destination address, a request time and a request result;
The network scanning behavior detection method of this embodiment determines whether a host is performing network scanning. Since a host performs ARP-based network scanning by sending communication information, this embodiment first obtains the communication information sent by the host and then analyzes it to obtain a detection result.
The communication information may be Address Resolution Protocol (ARP) communication information: a scanning host uses ARP to find out which IP addresses on the local segment are in use. Specifically, the source host sends an ARP request carrying a target IP address; the host that owns that IP address responds with an ARP reply carrying its MAC address, while a request for an address no host owns receives no reply.
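As an added example of the exchange just described, not code from the patent: Ethernet/ARP frames are built and parsed with Python's standard struct module, and each request is paired with a reply for the same target IP so that unanswered (or too late) requests become the failed request results the method consumes. The frames, MAC and IP addresses, timestamps and the one-second reply timeout are all constructed for this example.

```python
"""Build and parse ARP frames, then derive (source, destination, time, result)
records by pairing requests with replies.

Added example, not the patent's code. All frames and addresses are constructed;
the 1 s reply timeout is an assumption.
"""
import struct
from dataclasses import dataclass

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes).
    Requests go to the broadcast MAC; replies go to the requester's MAC."""
    dst = BCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, 6, 4, op
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


@dataclass(frozen=True)
class Arp:
    op: int
    sha: str   # sender hardware address
    spa: str   # sender protocol (IP) address
    tha: str   # target hardware address
    tpa: str   # target protocol (IP) address


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP over IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return Arp(op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]),
               fmt_mac(frame[32:38]), fmt_ip(frame[38:42]))


def request_results(timed_frames, timeout=1.0):
    """Turn (timestamp, frame) pairs into (src, dst, time, ok) records.
    A request succeeds if a reply whose sender IP is the request's target IP
    and whose target IP is the requester arrives within `timeout` seconds."""
    pkts = [(t, parse_arp(fr)) for t, fr in timed_frames]
    pkts = [(t, p) for t, p in pkts if p is not None]
    replies = [(t, p) for t, p in pkts if p.op == ARP_REPLY]
    records = []
    for t, p in pkts:
        if p.op != ARP_REQUEST:
            continue
        ok = any(p.tpa == r.spa and p.spa == r.tpa and t <= rt <= t + timeout
                 for rt, r in replies)
        records.append((p.spa, p.tpa, t, ok))
    return records


def build_sample():
    """Constructed capture: 10.0.0.9 asks for three addresses; 10.0.0.1 answers
    at once, 10.0.0.2 never answers, 10.0.0.3 answers after the timeout."""
    me, me_mac = "10.0.0.9", "02:00:00:00:00:09"
    zero = "00:00:00:00:00:00"
    return [
        (0.00, build_arp(ARP_REQUEST, me_mac, me, zero, "10.0.0.1")),
        (0.01, build_arp(ARP_REPLY, "02:00:00:00:00:01", "10.0.0.1", me_mac, me)),
        (1.00, build_arp(ARP_REQUEST, me_mac, me, zero, "10.0.0.2")),
        (2.00, build_arp(ARP_REQUEST, me_mac, me, zero, "10.0.0.3")),
        (3.50, build_arp(ARP_REPLY, "02:00:00:00:00:03", "10.0.0.3", me_mac, me)),
    ]


if __name__ == "__main__":
    for rec in request_results(build_sample()):
        print(rec)
```

In a real deployment the timed frames would come from a capture on a span port or from a pcap file; the pairing logic is the same. Note that the late reply for 10.0.0.3 is counted as a failure, so the timeout directly shapes the request result feature and should be set from the segment's observed ARP round-trip times rather than guessed.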
Step 102, determining a request rule corresponding to a source address according to a destination address corresponding to the source address and a request time corresponding to the source address;
In this embodiment, communication information from normal communication and communication information from scanning have different characteristics. Accordingly, the request rule of each source address is determined from the destination addresses and request times of that source address in the communication information, and the request rule is used to distinguish the communication information of normal communication from that of scanning.
Step 103, determining a request rule score according to a request rule, determining a request result score according to a request result corresponding to a source address, and determining a request breadth score according to a destination address corresponding to the source address;
In this embodiment, the communication information sent during scanning has a certain regularity, so a request rule score is determined from the request rule; it represents whether a specific pattern exists among all the communication information sent by the source host. Access failures are far more frequent during scanning than during normal communication, so a request result score is determined from the request results; it represents the outcomes of all the communication information sent by the source host. During scanning, communication information is sent to a large number of different destination addresses, whereas in normal communication it is sent only to the destination addresses the host actually needs to reach, so a request breadth score is determined from the destination addresses; it represents how wide a range of destination addresses the communication information sent by the source host covers.
Step 104, determining a target source address corresponding to the network scanning in the source addresses corresponding to the plurality of communication information according to the request rule score, the request result score and the request breadth score, and determining the target request corresponding to the target source address as the network scanning behavior.
In this embodiment, the communication information sent by each source address is comprehensively analyzed from three aspects of a request rule, a request result and a request breadth, and whether the source address has a network scanning behavior is judged, so that the source address with the network scanning behavior is determined to be a target source address, and the request sent by the target source address is the network scanning behavior.
By applying the technical scheme of this embodiment, the communication information sent by a source address is analyzed from three aspects, namely request rule, request result and request breadth, to judge whether the source address exhibits network scanning behavior; this reduces false positives and missed detections and improves the accuracy of the judgment.
Further, as a refinement and extension of the foregoing embodiment, in order to fully describe a specific implementation procedure of the present embodiment, another network scanning behavior detection method is provided, where a request rule includes a character rule, as shown in fig. 2, and in the method, a request rule corresponding to a source address is determined according to a destination address corresponding to the source address and a request time corresponding to the source address, and specifically includes:
step 201, determining at least one first destination address corresponding to a source address according to communication information;
in this embodiment, one source address may send communication information to a plurality of destination addresses, based on which, when determining whether or not one source address has network scanning activity, a first destination address corresponding to the source address is first determined.
Step 202, dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
In this embodiment, each first destination address is split into a plurality of address segments, and every first destination address yields the same number of address segments.
Specifically, each first destination address may be split into four address segments at the dots of its dotted-decimal notation. For example, as shown in fig. 3, 192.168.10.106 is split into the four address segments 192, 168, 10 and 106.
In this embodiment, the address segments at the same position in the first destination addresses form one address segment set; since each first destination address is split into four address segments, four address segment sets are obtained. For example, for the three destination addresses 192.168.10.106, 192.168.10.107 and 192.168.10.108 corresponding to the same source address, the four address segment sets are {192, 192, 192}, {168, 168, 168}, {10, 10, 10} and {106, 107, 108}.
Step 203, in each address segment set, ordering the plurality of address segments according to the order of the first destination addresses corresponding to the address segments from small to large, and taking each address segment as an element in the first layer address segment sequence to obtain a first layer address segment sequence corresponding to the address segment set;
In this embodiment, the address segments in each set of address segments are ordered in order of the first destination address from small to large. As in this example, [192, 192, 192], [168, 168, 168], [10, 10, 10] and [106, 107, 108] were obtained.
In addition, the address segments may be ordered in other orders.
Step 204, subtracting two adjacent elements from each other in the i-th layer address segment sequence to obtain an i+1-th layer address segment sequence, wherein i=1 or i=2;
in this embodiment, in each layer address segment sequence, for two adjacent elements, the element located later minus the element located earlier is used, and the resulting difference is taken as the element in the next layer address segment sequence.
For example, for the first layer address segment sequence [192, 192, 192], a second layer address segment sequence [192-192, 192-192] = [0,0] is obtained, and a third layer address segment sequence [0-0] = [0]; similarly, the third layer address segment sequences corresponding to [168, 168, 168] and [10, 10, 10] are all [0]; for the first layer address segment sequence [106, 107, 108], a second layer address segment sequence [108-107, 107-106] = [1,1] and a third layer address segment [1-1] = [0] are obtained.
Step 205, determining a character rule according to elements in the third layer address field sequence.
In this embodiment, it may be understood that, if the first destination addresses corresponding to the plurality of communications sent by one source address are closer, the regularity of the communications sent by the source address is stronger, and elements in the third layer address segment sequence in this embodiment may represent the closeness degree of the plurality of first destination addresses. Based on this, the character rule may be determined according to the elements in the third layer address segment sequence, specifically, the more elements with the value of 0 in the third layer address segment sequence, the closer the first destination addresses are, the stronger the character rule may be determined.
For example, in this embodiment, the four first layer address segment sequences [192, 192, 192], [168, 168, 168], [10, 10, 10] and [106, 107, 108] all have the third layer address segment sequence [0], i.e., the four third layer address segment sequences have a total of 4 elements with a value of 0.
Further, in another network scanning behavior detection method, the request rule includes an access rule; according to the destination address corresponding to the source address and the request time corresponding to the source address, determining the request rule corresponding to the source address specifically comprises the following steps:
step 301, in the communication information, determining a target request time of the source address in each preset time window and a second destination address corresponding to the target request time respectively;
In this embodiment, a plurality of consecutive time windows of equal length are preset over the plurality of communication information corresponding to the source address, in the order of the request time from first to last; for example, three time windows [t_1, t_n], [t_(n+1), t_(2n)] and [t_(2n+1), t_(3n)] are preset, each of length n.
And determining target request time falling in each preset time window, and further determining a second destination address corresponding to each target request time.
Step 302, de-duplicating the plurality of second destination addresses to obtain the address number of the second destination addresses;
In this embodiment, the number of second destination addresses corresponding to each preset time window is counted, with repeated second destination addresses counted only once.
Step 303, sorting the address numbers corresponding to the time windows according to the sequence of the time windows from first to last, and taking each address number as an element in the first layer address number sequence to obtain the first layer address number sequence;
In this embodiment, as shown in fig. 4, for example, it is determined that the number of second destination addresses (the access target number in fig. 4) corresponding to the time window [t_1, t_n] is m1, that corresponding to the time window [t_(n+1), t_(2n)] is m2, and that corresponding to the time window [t_(2n+1), t_(3n)] is m3. The address numbers are sorted according to the preset time windows from first to last to obtain the first layer address number sequence [m1, m2, m3].
In addition, the second number of destination addresses may be ordered in other orders.
Step 304, for the elements in the j-th layer address number sequence, obtaining a j+1-th layer address number sequence by subtracting two adjacent elements, wherein j=1 or j=2;
in this embodiment, in each layer address number sequence, for two adjacent elements, the element located later minus the element located earlier is used, and the resulting difference is taken as the element in the next layer address number sequence.
For example, for the first layer address number sequence [m1, m2, m3], the second layer address number sequence [m2-m1, m3-m2] and the third layer address number sequence [(m3-m2) - (m2-m1)] are obtained.
Step 305, determining an access rule according to the elements in the third layer address quantity sequence.
In this embodiment, it may be understood that, if the numbers of second destination addresses corresponding to the plurality of communication information sent by one source address in the preset time windows are closer, the regularity of the communication information sent by the source address is stronger, and elements in the third layer address number sequence in this embodiment may represent the degree of closeness of the numbers of second destination addresses. Based on this, the access rule may be determined according to the elements in the third layer address number sequence; specifically, the more elements with a value of 0 in the third layer address number sequence, the closer the numbers of second destination addresses may be, and the stronger the access rule may be determined to be.
Further, in another network scanning behavior detection method, the request rule includes a fluctuation rule, and determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
step 401, in the communication information, determining a third destination address corresponding to the source address and the access times of each third destination address respectively;
in this embodiment, each third destination address corresponding to the source address is determined according to the plurality of communication information corresponding to the source address, and the number of accesses of each third destination address by the source address is determined respectively. For example, as shown in fig. 5, if the source address sends communication information to the destination IP1, the destination IP2, the destination IP3, the destination IP4, and the destination IP5 respectively, the destination IP1-5 are all third destination addresses corresponding to the source address, and the number of communication information sent by the source address to each third destination address is the number of accesses of the third destination address.
Step 402, sorting the access times corresponding to the third destination addresses according to the order of the third destination addresses from small to large, and taking each access time as an element in the first layer access time sequence to obtain the first layer access time sequence;
In this embodiment, the number of accesses of the plurality of third destination addresses is ordered in order of the third destination addresses from small to large. For example, the access times corresponding to the five third destination addresses in this embodiment are ordered to obtain a first-layer access times sequence [25, 24, 23, 22, 23].
In addition, the access times may be ordered in other orders.
Step 403, subtracting two adjacent elements from each other in the k-th layer access times sequence to obtain a k+1-th layer access times sequence, wherein k=1 or k=2;
in this embodiment, in each layer access time series, for two adjacent elements, the element located later minus the element located earlier is used, and the resulting difference is taken as the element in the next layer access time series.
For example, for the first layer access times sequence [25, 24, 23, 22, 23], a second layer access times sequence [24-25, 23-24, 22-23, 23-22] = [-1, -1, -1, 1] and a third layer access times sequence [(-1) - (-1), (-1) - (-1), 1 - (-1)] = [0, 0, 2] are obtained.
Step 404, determining a fluctuation rule according to the elements in the third layer access times sequence.
In this embodiment, it may be understood that, if the numbers of accesses of a source address to the third destination addresses are closer, the regularity of the communication information sent by the source address is stronger, and the elements in the third layer access times sequence in this embodiment may represent the degree of closeness of the access times of the plurality of third destination addresses. Based on this, the fluctuation rule may be determined according to the elements in the third layer access times sequence; specifically, the more elements of the third layer access times sequence with values in [-5, 5], the closer the access times of the third destination addresses may be determined to be and the stronger the fluctuation rule. In this embodiment, the three elements of the third layer access times sequence [0, 0, 2] all lie in [-5, 5].
In addition, the fluctuation rule may be determined according to the number of elements with a value of 0 in the third layer access times sequence; for example, in this embodiment, the third layer access times sequence [0, 0, 2] has two elements with a value of 0.
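The three request-rule features of steps 201-205, 301-305 and 401-404 share one operation (two rounds of "later element minus earlier element" followed by a count over the third layer). The following Python is a worked example added here; it is not code from the patent or its applicant. It assumes ARP requests for one source address are available as (request time in seconds, destination address, reply received) tuples, that "from small to large" means numeric address order, and that the time windows are consecutive intervals of a fixed length starting at the first request; the sample records are constructed.

```python
from collections import Counter, defaultdict
from ipaddress import IPv4Address

# Constructed sample for one source address (not from the patent): tuples of
# (request time in seconds, destination address, reply received?).
SAMPLE_RECORDS = [
    (0, "192.168.10.106", False), (1, "192.168.10.107", False), (2, "192.168.10.108", True),
    (10, "192.168.10.106", False), (11, "192.168.10.109", False), (12, "192.168.10.110", False),
    (20, "192.168.10.111", False), (21, "192.168.10.112", False), (22, "192.168.10.113", False),
]


def ip_key(ip):
    """Numeric value of a dotted-quad address, used for 'from small to large' ordering."""
    return int(IPv4Address(ip))


def third_layer(first_layer):
    """Apply the layer rule twice: each element of layer i+1 is the later element of
    layer i minus the earlier one. A first layer with fewer than three elements
    yields an empty third layer."""
    layer = list(first_layer)
    for _ in range(2):
        layer = [later - earlier for earlier, later in zip(layer, layer[1:])]
    return layer


def character_rule(dest_ips):
    """Steps 201-205: split every destination into four octets, build one sequence per
    octet position (ordered by destination address) and count the zeros across the
    four third-layer sequences. Duplicates are kept; the description does not
    de-duplicate here."""
    ordered = sorted(dest_ips, key=ip_key)
    octets = [[int(part) for part in ip.split(".")] for ip in ordered]
    zeros = 0
    for position in range(4):
        third = third_layer(row[position] for row in octets)
        zeros += sum(1 for d in third if d == 0)
    return zeros


def access_rule(records, window_len):
    """Steps 301-305: count distinct destinations per consecutive time window of
    length window_len (a window with no requests counts 0), then count the zeros in
    the third layer of that per-window count sequence."""
    if not records:
        return 0
    t0 = min(t for t, _, _ in records)
    per_window = defaultdict(set)
    for t, ip, _ in records:
        per_window[(t - t0) // window_len].add(ip)
    counts = [len(per_window[w]) for w in range(max(per_window) + 1)]
    return sum(1 for d in third_layer(counts) if d == 0)


def fluctuation_rule(records, band=5):
    """Steps 401-404: count how often each destination was requested, order the counts
    by destination address and count third-layer elements within [-band, band].
    band=0 gives the variant that counts only the zeros."""
    hits = Counter(ip for _, ip, _ in records)
    counts = [hits[ip] for ip in sorted(hits, key=ip_key)]
    return sum(1 for d in third_layer(counts) if -band <= d <= band)


def request_rule_features(records, window_len=10):
    """All three request-rule features for one source address."""
    return {
        "character": character_rule([ip for _, ip, _ in records]),
        "access": access_rule(records, window_len),
        "fluctuation": fluctuation_rule(records),
    }


if __name__ == "__main__":
    print(request_rule_features(SAMPLE_RECORDS))
```

On the three addresses of the description (192.168.10.106 to .108) `character_rule` returns 4, and on the first layer access times sequence [25, 24, 23, 22, 23] the third layer is [0, 0, 2], matching the worked values above. A sequence of consecutive destinations yields a third layer of zeros in every octet position, which is the behaviour that distinguishes a sweep from ordinary traffic.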
Further, in another network scanning behavior detection method, determining a request result score according to a request result corresponding to a source address specifically includes:
step 501, determining that the request result is failed communication information of access failure in the communication information corresponding to the source address according to at least one request result corresponding to the source address, and determining the number of the failed communication information and the proportion of the failed communication information in the communication information;
step 502, determining a request result score according to the number and the proportion of the failed communication information by using the orphan forest model.
In this embodiment, the total number of communication information sent by the source address and the number of communication information whose request result is access failure are determined, and the proportion of the access failures in the total number is determined from them. The number and proportion of failed communication information are then input into a preset orphan forest (isolation forest) model, and the request result score of each source address is calculated with the orphan forest algorithm.
Specifically, in the orphan forest model, the data set is recursively and randomly partitioned, with each source address as one sample point, until all sample points are isolated. Under this random partitioning strategy, outliers typically have shorter paths. In this algorithm, for a data set containing n samples, the average path length of a tree is:
Figure BDA0003430037540000151
where H(i) is the harmonic number, which can be estimated as ln(i) + 0.5772156649; c(n) is the average path length for a given number of samples n and is used to normalize the path length h(x) of sample x.
The anomaly score for sample x is defined as:
Figure BDA0003430037540000152
where E(h(x)) is the expected path length of sample x over a batch of orphan trees, and s(x, n) is the request result score of source address x.
In addition, other models of machine learning methods may be utilized to determine the request result score.
Further, in another network scanning behavior detection method, determining a request breadth score according to a destination address corresponding to a source address specifically includes:
step 601, determining the number of communication information corresponding to the source address and the number of fourth destination addresses corresponding to the source address according to the plurality of communication information;
step 602, determining a request breadth score according to the number of communication information corresponding to the source address and the number of fourth destination addresses by using the orphan forest model.
In this embodiment, the total number of communication information sent by the source address and the number of all destination addresses corresponding to the source address are determined and brought into a preset orphan forest model, and the request breadth score is calculated by using an orphan forest algorithm.
In addition, other machine learning models may be utilized to determine the request breadth score.
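Steps 501-502 and 601-602 both feed a two-dimensional feature per source address into the orphan forest model, and the two images in the description give its normalisation c(n) and anomaly score s(x, n). The following Python is a worked example added here, not code from the patent or its applicant. It implements the standard isolation forest of Liu, Ting and Zhou, with c(n) = 2H(n-1) - 2(n-1)/n and s(x, n) = 2^(-E(h(x))/c(n)), which is assumed to be what the referenced images show; the ARP records (request time, destination address, reply received) and the host behaviour are constructed.

```python
import math
import random


def c(n):
    """Average path length of an unsuccessful search in a binary tree built from n
    samples, the normalisation term the description calls c(n); the harmonic number
    H(i) is estimated as ln(i) + 0.5772156649, as stated there."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, rng):
    """Split the sample on a random feature at a random value, recursively, until every
    point is isolated, the depth limit is reached or the remaining points are identical."""
    n = len(points)
    if n <= 1 or depth >= max_depth:
        return ("leaf", n)
    dims = range(len(points[0]))
    splittable = [d for d in dims if min(p[d] for p in points) < max(p[d] for p in points)]
    if not splittable:
        return ("leaf", n)
    d = rng.choice(splittable)
    lo, hi = min(p[d] for p in points), max(p[d] for p in points)
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[d] < split]
    right = [p for p in points if p[d] >= split]
    return ("node", d, split,
            build_tree(left, depth + 1, max_depth, rng),
            build_tree(right, depth + 1, max_depth, rng))


def path_length(tree, x, depth=0):
    """h(x): edges from the root to the leaf holding x, plus c(size) when that leaf
    still holds several points (the usual isolation-forest adjustment)."""
    if tree[0] == "leaf":
        return depth + c(tree[1])
    _, d, split, left, right = tree
    return path_length(left if x[d] < split else right, x, depth + 1)


def isolation_forest(points, n_trees=100, sample_size=256, seed=0):
    """Build n_trees trees, each on a random subsample of at most sample_size points."""
    rng = random.Random(seed)
    psi = min(sample_size, len(points))
    max_depth = math.ceil(math.log2(psi)) if psi > 1 else 0
    trees = [build_tree(rng.sample(points, psi), 0, max_depth, rng) for _ in range(n_trees)]
    return trees, psi


def anomaly_score(forest, x):
    """s(x, n) = 2 ** (-E(h(x)) / c(n)); values near 1 mean x is isolated quickly."""
    trees, psi = forest
    if psi <= 1:
        return 0.5
    expected_h = sum(path_length(t, x) for t in trees) / len(trees)
    return 2.0 ** (-expected_h / c(psi))


def request_result_features(records):
    """Step 501: number of failed requests (no reply) and their proportion."""
    total = len(records)
    failed = sum(1 for _, _, replied in records if not replied)
    return (failed, failed / total if total else 0.0)


def request_breadth_features(records):
    """Step 601: number of requests and number of distinct destination addresses."""
    return (len(records), len({ip for _, ip, _ in records}))


def score_sources(per_source, feature_fn, seed=0):
    """Steps 502 / 602: one sample point per source address, scored by the forest."""
    names = list(per_source)
    points = [feature_fn(per_source[s]) for s in names]
    forest = isolation_forest(points, seed=seed)
    return {s: anomaly_score(forest, p) for s, p in zip(names, points)}


def build_sample_sources(seed=1):
    """Constructed traffic (not from the patent): 20 ordinary hosts sending a few mostly
    answered requests, and one host probing 200 addresses that almost never answer."""
    rng = random.Random(seed)
    sources = {}
    for k in range(1, 21):
        n = rng.randint(3, 8)
        sources[f"10.0.0.{100 + k}"] = [
            (t, f"10.0.0.{rng.randint(1, 30)}", rng.random() > 0.1) for t in range(n)]
    sources["10.0.0.250"] = [(t, f"10.0.0.{t + 1}", t % 20 == 0) for t in range(200)]
    return sources


if __name__ == "__main__":
    hosts = build_sample_sources()
    for name, fn in (("request result", request_result_features),
                     ("request breadth", request_breadth_features)):
        scores = score_sources(hosts, fn)
        print(name, max(scores, key=scores.get), round(max(scores.values()), 3))
```

The probing host receives the highest request result score and the highest request breadth score because its (failed, proportion) and (requests, distinct destinations) points sit far from the cluster of ordinary hosts and are isolated after one or two splits. The forest is built once per feature pair over all source addresses, which is what "each source address as one sample point" describes.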
Further, as shown in fig. 6, in another network scanning behavior detection method, determining a target source address corresponding to a network scan from source addresses corresponding to a plurality of communication information according to a request rule score, a request result score and a request breadth score specifically includes:
Step 701, ordering request rule scores corresponding to a plurality of source addresses according to a sequence from large to small, determining the request rule scores in the front N% of the ordering positions as target request rule scores, and forming a first source address set by utilizing the first source addresses corresponding to the target request rule scores, wherein 0 < N < 5;
In this embodiment, the first source addresses, and thus the first source address set, are determined based on the request rule scores of the plurality of source addresses.
Specifically, if the request rule score of a source address is higher, the request rule of the source address may be considered abnormal. Accordingly, the request rule scores corresponding to all the source addresses are ordered from large to small; the further forward the position, the greater the request rule score, and the more likely the request rule of the corresponding source address is abnormal. The request rule scores in the top N% of the ordering positions, namely the N% of request rule scores with the highest values, are found and determined to be target request rule scores; the source addresses corresponding to the target request rule scores are first source addresses, and the set formed by all the first source addresses is the first source address set.
Further, the detection accuracy of the detection method can be adjusted by adjusting the value of N. Specifically, the larger the value of N, the less the missing report; the smaller the value of N, the fewer false positives. Considering both the demands of missing report and false report, N can be set between (0, 5).
Further, N may be 5.
Further, each request rule score can be rounded to one decimal place before the probability distribution of the request rule scores is determined, so that repeated request rule scores become more likely and the situation in which no request rule score is repeated is avoided.
Step 702, sorting the request result scores corresponding to the plurality of source addresses according to the order from large to small, determining the request result score with the front N% of the sorting position as a target request result score, and forming a second source address set by using a second source address corresponding to the target request result score;
Step 703, sorting the request breadth scores corresponding to the plurality of source addresses according to the order from large to small, determining the request breadth scores in the top N% of the sorting positions as target request breadth scores, and forming a third source address set by using the third source addresses corresponding to the target request breadth scores;
Step 704, if the first source address set, the second source address set and the third source address set include the same source address, determining the same source address as the target source address.
In this embodiment, if the first source address set, the second source address set and the third source address set include a same source address, that is, the same source address exists in the first source address set, the second source address set and the third source address set at the same time, the same source address may be determined to be the target source address, which is considered to have the network scanning behavior.
Further, if a source address exists in two sets of the first source address set, the second source address set and the third source address set at the same time, the source address can be determined to be a suspected target source address, and it is considered that there is a possibility of network scanning behavior.
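Steps 701-704 turn the three per-source scores into a decision. The following Python is a worked example added here, not code from the patent or its applicant. It assumes the three scores are already available as dictionaries keyed by source address; the number of scores kept for "the top N% of positions" is ceil(count * N / 100) with a minimum of one, and sources tied with the last kept score are also kept, both of which are this example's choices. The sample scores are constructed.

```python
import math


def top_percent(scores, n_percent, decimals=None):
    """Sort scores from large to small and return the sources in the top n_percent of
    positions. ceil(count * n_percent / 100) entries (at least one) are kept, plus any
    source tied with the last kept score (both are this example's choices). decimals=1
    applies the rounding to one decimal place that the description mentions."""
    if not scores:
        return set()
    ranked = sorted(
        ((src, round(v, decimals) if decimals is not None else v) for src, v in scores.items()),
        key=lambda kv: kv[1], reverse=True)
    keep = max(1, math.ceil(len(ranked) * n_percent / 100))
    cutoff = ranked[keep - 1][1]
    return {src for src, v in ranked if v >= cutoff}


def detect_scanners(rule_scores, result_scores, breadth_scores, n_percent=5, decimals=None):
    """Steps 701-704: a source address in all three top-N% sets is a target source
    address (network scanning); one in exactly two of them is a suspected target."""
    sets = [top_percent(s, n_percent, decimals)
            for s in (rule_scores, result_scores, breadth_scores)]
    confirmed = sets[0] & sets[1] & sets[2]
    in_two = (sets[0] & sets[1]) | (sets[0] & sets[2]) | (sets[1] & sets[2])
    return confirmed, in_two - confirmed


def build_sample_scores():
    """Constructed scores (not from the patent) for 40 ordinary hosts plus two others:
    10.0.0.250 scores high on all three, 10.0.0.77 only on rule and result."""
    rule = {f"10.0.0.{i}": 0.30 + 0.005 * i for i in range(1, 41)}
    result = {f"10.0.0.{i}": 0.30 + 0.005 * (41 - i) for i in range(1, 41)}
    breadth = {f"10.0.0.{i}": 0.30 + 0.005 * ((7 * i) % 40) for i in range(1, 41)}
    for scores, high in ((rule, 0.90), (result, 0.88), (breadth, 0.92)):
        scores["10.0.0.250"] = high
    rule["10.0.0.77"], result["10.0.0.77"], breadth["10.0.0.77"] = 0.85, 0.83, 0.20
    return rule, result, breadth


if __name__ == "__main__":
    confirmed, suspected = detect_scanners(*build_sample_scores())
    print("target source addresses:", sorted(confirmed))
    print("suspected:", sorted(suspected))
```

With N = 5 and 42 sources, three scores are kept per ranking; the host that is extreme on all three rankings is reported as a target source address, the host that is extreme on only two as suspected, and the ordinary hosts that happen to top a single ranking are not reported. Raising N admits more candidates into each set (fewer missed scanners, more false reports), as the description states.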
Further, as shown in fig. 7, in another network scanning behavior detection method, ARP communication data (i.e., communication information) sent by a source address is first received, and feature data corresponding to the source address is extracted from the plurality of ARP communication data sent by the source address, where the feature data includes a failure condition class feature, an access rule class feature and an access breadth class feature, and the access rule class feature includes the access target IP character regularity (i.e., the character rule), the access target IP time-varying rule (i.e., the access rule) and the access target number-of-times volatility rule (i.e., the fluctuation rule). After the three features are determined, a request result score, a request rule score and a request breadth score are calculated from the three corresponding features using a preset anomaly detection algorithm (i.e., the orphan forest algorithm). Finally, whether each score meets the judging condition is judged according to the probability distributions of the three scores, and it is thereby judged whether the ARP communication requests sent by the source address constitute an ARP attack.
Further, as a specific implementation of the above network scanning behavior detection method, an embodiment of the present application provides a network scanning behavior detection apparatus, as shown in fig. 8, where the network scanning behavior detection apparatus includes: the device comprises an acquisition module, a calculation module, an analysis module and a judgment module.
The acquisition module is used for acquiring communication information, wherein the communication information comprises a source address, a destination address, request time and a request result;
the computing module is used for determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
the analysis module is used for determining a request rule score according to a request rule, determining a request result score according to a request result corresponding to a source address, and determining a request breadth score according to a destination address corresponding to the source address;
and the judging module is used for determining a target source address corresponding to the network scanning in the source addresses corresponding to the plurality of communication information according to the request rule score, the request result score and the request breadth score, and determining the target request corresponding to the target source address as the network scanning behavior.
In a specific application scenario, optionally, the computing module includes a character rule computing unit, where the character rule computing unit is specifically configured to:
Determining at least one first destination address corresponding to the source address according to the communication information;
dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
in each address segment set, sequencing a plurality of address segments according to the sequence of the first destination addresses corresponding to the address segments from small to large, and taking each address segment as an element in a first layer address segment sequence to obtain a first layer address segment sequence corresponding to the address segment set;
subtracting two adjacent elements from each other in the i-th layer address segment sequence to obtain an i+1-th layer address segment sequence, wherein i=1 or i=2;
and determining a character rule according to elements in the third-layer address segment sequence.
In a specific application scenario, optionally, the computing module includes an access rule computing unit, where the access rule computing unit is specifically configured to:
according to the destination address and the request time, determining a request rule corresponding to the source address specifically includes:
in the communication information, respectively determining target request time of a source address in each preset time window and a second destination address corresponding to the target request time;
De-duplicating the plurality of second destination addresses to obtain the address quantity of the second destination addresses;
sequencing the address numbers corresponding to the time windows according to the sequence of the time windows from first to last, and taking each address number as an element in the first layer address number sequence to obtain the first layer address number sequence;
obtaining a j+1th layer address quantity sequence by subtracting two adjacent elements from each other, wherein j=1 or j=2;
and determining an access rule according to elements in the third-layer address quantity sequence.
In a specific application scenario, optionally, the calculation module includes a fluctuation rule calculation unit, where the fluctuation rule calculation unit is specifically configured to:
according to the destination address and the request time, determining a request rule corresponding to the source address specifically includes:
in the communication information, a third destination address corresponding to the source address and the access times of each third destination address are respectively determined;
ordering the access times corresponding to the third destination addresses according to the sequence of the third destination addresses from small to large, and taking each access time as an element in the first layer access time sequence to obtain the first layer access time sequence;
Obtaining a k+1 layer access time sequence by subtracting two adjacent elements from each other, wherein k=1 or k=2;
and determining a fluctuation rule according to the elements in the third layer access time sequence.
In a specific application scenario, optionally, the analysis module is specifically configured to:
according to at least one request result corresponding to the source address, determining that the request result is failure communication information of access failure in communication information corresponding to the source address, and determining the number of the failure communication information and the proportion of the failure communication information in the communication information;
and determining the score of the request result according to the quantity and the proportion of the failed communication information by utilizing the orphan forest model.
In a specific application scenario, optionally, the analysis module is specifically configured to:
determining the number of communication information corresponding to the source address and the number of fourth destination addresses corresponding to the source address according to the plurality of communication information;
and determining the request breadth score according to the number of the communication information corresponding to the source address and the number of the fourth destination address by utilizing the orphan forest model.
In a specific application scenario, optionally, the judging module is specifically configured to:
Sequencing the request rule scores corresponding to the source addresses according to the sequence from big to small, determining the request rule score with the front N% of sequencing positions as a target request rule score, and forming a first source address set by utilizing a first source address corresponding to the target request rule score, wherein 0< N <5;
sequencing the request result scores corresponding to the source addresses according to the sequence from big to small, determining the request result score with the front N% of sequencing positions as a target request result score, and forming a second source address set by utilizing a second source address corresponding to the target request result score;
sequencing the request breadth scores corresponding to the source addresses according to the sequence from big to small, determining the request breadth score with the front N% of sequencing positions as a target request breadth score, and utilizing a third source address corresponding to the target request breadth score to form a third source address set;
and if the first source address set, the second source address set and the third source address set contain the same source address, determining that the same source address is the target source address.
It should be noted that, other corresponding descriptions of each functional module related to the network scanning behavior detection apparatus provided in the embodiments of the present application may refer to corresponding descriptions in fig. 1 to fig. 7, and are not repeated herein.
Based on the above-mentioned methods shown in fig. 1 to 7, correspondingly, the embodiments of the present application further provide a storage medium having a computer program stored thereon, where the program, when executed by a processor, implements the above-mentioned detection method shown in fig. 1 to 7.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.), and includes several instructions for causing a computer device (may be a personal computer, a server, or a network device, etc.) to perform the methods described in various implementation scenarios of the present application.
Based on the method shown in fig. 1 to 7 and the network scanning behavior detection apparatus embodiment shown in fig. 8, in order to achieve the above object, the embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, etc., where the computer device includes a storage medium and a processor; a storage medium storing a computer program; a processor for executing a computer program to implement the detection method as described above and shown in fig. 1 to 7.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, Wi-Fi modules, and the like. The user interface may include a display screen (Display), an input unit such as a keyboard (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., Bluetooth interface, Wi-Fi interface), etc.
It will be appreciated by those skilled in the art that the architecture of a computer device provided in the present embodiment is not limited to the computer device, and may include more or fewer components, or may combine certain components, or may be arranged in different components.
The storage medium may also include an operating system, a network communication module. An operating system is a program that manages and saves computer device hardware and software resources, supporting the execution of information handling programs and other software and/or programs. The network communication module is used for realizing communication among all the controls in the storage medium and communication with other hardware and software in the entity equipment.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented by means of software plus necessary general hardware platforms, or may be implemented by hardware.
Those skilled in the art will appreciate that the drawings are merely schematic illustrations of one preferred implementation scenario, and that the elements or processes in the drawings are not necessarily required to practice the present application. Those skilled in the art will appreciate that elements of an apparatus in an implementation may be distributed throughout the apparatus in an implementation as described in the implementation, or that corresponding variations may be located in one or more apparatuses other than the present implementation. The units of the implementation scenario may be combined into one unit, or may be further split into a plurality of sub-units.
The foregoing application serial numbers are merely for description, and do not represent advantages or disadvantages of the implementation scenario. The foregoing disclosure is merely a few specific implementations of the present application, but the present application is not limited thereto and any variations that can be considered by a person skilled in the art shall fall within the protection scope of the present application.

Claims (10)

1. A behavior detection method for network scanning by using an address resolution protocol, the method comprising:
acquiring communication information, wherein the communication information comprises a source address, a destination address, a request time and a request result;
determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and determining a target source address corresponding to network scanning in source addresses corresponding to a plurality of communication information according to the request rule scores, the request result scores and the request breadth scores, and determining a target request corresponding to the target source address as network scanning behavior.
2. The method of claim 1, wherein the request rule comprises a character rule;
the determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
determining at least one first destination address corresponding to the source address according to the communication information;
dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
in each address segment set, sequencing a plurality of address segments according to the sequence of the first destination addresses corresponding to the address segments from small to large, and taking each address segment as an element in a first layer address segment sequence to obtain the first layer address segment sequence corresponding to the address segment set;
subtracting two adjacent elements from each other in the i-th layer address segment sequence to obtain an i+1-th layer address segment sequence, wherein i=1 or i=2;
and determining the character rule according to the elements in the third-layer address segment sequence.
3. The method of claim 1, wherein the request rule comprises an access rule;
the determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
in the communication information, determining a target request time of the source address in each preset time window and a second destination address corresponding to the target request time respectively;
de-duplicating the plurality of second destination addresses to obtain the address quantity of the second destination addresses;
sequencing the address numbers corresponding to a plurality of time windows according to the sequence of the time windows from first to last, and taking each address number as an element in a first layer address number sequence to obtain the first layer address number sequence;
subtracting two adjacent elements from each other in the j-th layer address quantity sequence to obtain a j+1-th layer address quantity sequence, wherein j=1 or j=2;
and determining the access rule according to the elements in the third-layer address quantity sequence.
4. The method of claim 1, wherein the request rule comprises a fluctuation rule;
The determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
in the communication information, a third destination address corresponding to the source address and the access times of each third destination address are respectively determined;
ordering the access times corresponding to a plurality of third destination addresses according to the order of the third destination addresses from small to large, and taking each access time as an element in a first layer access time sequence to obtain the first layer access time sequence;
subtracting two adjacent elements from each other in the k-th layer access times sequence to obtain a k+1-th layer access times sequence, wherein k=1 or k=2;
and determining the fluctuation rule according to the elements in the third layer access times sequence.
5. The method according to claim 1, wherein the determining a request result score according to the request result corresponding to the source address specifically includes:
according to at least one request result corresponding to the source address, determining that the request result is failure communication information of access failure in communication information corresponding to the source address, and determining the number of the failure communication information and the proportion of the failure communication information in the communication information;
and determining the request result score according to the number of the failed communication information and the proportion by using an isolation forest model.
6. The method according to claim 5, wherein determining the request breadth score according to the destination address corresponding to the source address specifically comprises:
determining the number of communication information corresponding to the source address and the number of fourth destination addresses corresponding to the source address according to the plurality of communication information;
and determining the request breadth score according to the quantity of the communication information corresponding to the source address and the quantity of the fourth destination addresses by using the isolation forest model.
7. The method according to claim 1, wherein determining a target source address corresponding to a network scan among source addresses corresponding to a plurality of communication information according to the request rule score, the request result score, and the request breadth score, specifically comprises:
sorting the request rule scores corresponding to the source addresses from large to small, determining the request rule scores in the top N% of the ranking as target request rule scores, and forming a first source address set from the first source addresses corresponding to the target request rule scores, wherein 0 < N < 5;
sorting the request result scores corresponding to the source addresses from large to small, determining the request result scores in the top N% of the ranking as target request result scores, and forming a second source address set from the second source addresses corresponding to the target request result scores;
sorting the request breadth scores corresponding to the source addresses from large to small, determining the request breadth scores in the top N% of the ranking as target request breadth scores, and forming a third source address set from the third source addresses corresponding to the target request breadth scores;
and if the first source address set, the second source address set and the third source address set contain the same source address, determining that the same source address is the target source address.
8. A behavior detection system for network scanning using an address resolution protocol, the system comprising:
the system comprises an acquisition module, a communication module and a processing module, wherein the acquisition module is used for acquiring communication information, and the communication information comprises a source address, a destination address, request time and a request result;
the computing module is used for determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
The analysis module is used for determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and the judging module is used for determining a target source address corresponding to network scanning in the source addresses corresponding to the communication information according to the request rule score, the request result score and the request breadth score, and determining a target request corresponding to the target source address as network scanning behavior.
9. A readable storage medium having stored thereon a program or instructions, which when executed by a processor, implement the steps of the detection method according to any of claims 1 to 7.
10. A computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, characterized in that the processor implements the detection method according to any one of claims 1 to 7 when executing the program.
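Added example (Python, not the patent's own implementation): the three-layer difference sequences of claims 2 to 4, applied here to the character rule of claim 2, together with the top-N% intersection of claim 7. The scoring function `character_rule_score` is an assumption, since the claims describe the sequences but not how a rule becomes a score; the sample destination addresses are constructed.

```python
from ipaddress import IPv4Address
from typing import Dict, List

def address_segment_sets(dests: List[str]) -> Dict[int, List[int]]:
    """Claim 2: split each first destination address into its four octets and
    gather the octets at the same position into one address segment set,
    ordered by the full destination address from small to large."""
    ordered = sorted(set(dests), key=lambda a: int(IPv4Address(a)))
    return {pos: [int(a.split(".")[pos]) for a in ordered] for pos in range(4)}

def layered_differences(first_layer: List[int], layers: int = 3) -> List[List[int]]:
    """Layer i+1 is the adjacent-element difference of layer i (claims 2-4,
    with i, j, k = 1 or 2); returns layers 1..layers as a list."""
    result = [list(first_layer)]
    for _ in range(layers - 1):
        prev = result[-1]
        result.append([b - a for a, b in zip(prev, prev[1:])])
    return result

def character_rule_score(dests: List[str]) -> float:
    """Assumed scoring (the claims do not state one): share of zero elements in
    the third-layer sequences of the octet positions that actually vary. A host
    sweeping consecutive addresses has constant first differences, so its third
    layer is all zeros and the score is 1.0; irregular traffic scores near 0."""
    zeros = total = 0
    for seq in address_segment_sets(dests).values():
        if len(set(seq)) < 2:
            continue  # a constant octet carries no sweep pattern
        third = layered_differences(seq)[2]
        zeros += sum(1 for x in third if x == 0)
        total += len(third)
    return zeros / total if total else 0.0

def target_sources(score_tables: List[Dict[str, float]], n_pct: float) -> set:
    """Claim 7: rank each score table from large to small, keep the top n_pct
    (0 < n_pct < 5) of sources in each, and report sources present in all sets."""
    keep = None
    for table in score_tables:
        ranked = sorted(table, key=table.get, reverse=True)
        top = set(ranked[: max(1, int(len(ranked) * n_pct / 100))])
        keep = top if keep is None else keep & top
    return keep or set()

# Constructed sample destinations: one sweeping source and one normal host.
SWEEP = ["10.0.0.%d" % i for i in range(1, 9)]
NORMAL = ["10.0.0.1", "10.0.0.7", "10.0.0.20", "10.0.0.22", "10.0.0.91"]
```

The same `layered_differences` helper serves the access rule (claim 3, per-window address counts) and the fluctuation rule (claim 4, per-address access counts); only the first-layer sequence changes.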
CN202111594056.0A 2021-12-23 2021-12-23 Behavior detection method and device for network scanning by using address resolution protocol Active CN114338593B (en)

Publications (2)

Publication Number Publication Date
CN114338593A CN114338593A (en) 2022-04-12
CN114338593B true CN114338593B (en) 2023-07-04

Family

ID=81013944

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610266A (en) * 2009-07-28 2009-12-23 杭州华三通信技术有限公司 A kind of method and device that detects ARP message validity
CN108229156A (en) * 2017-12-28 2018-06-29 阿里巴巴集团控股有限公司 URL attack detection methods, device and electronic equipment
CN110430226A (en) * 2019-09-16 2019-11-08 腾讯科技(深圳)有限公司 Network attack detecting method, device, computer equipment and storage medium
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack Source positioning and means of defence, electronic equipment and computer storage medium
CN111225002A (en) * 2020-03-18 2020-06-02 深圳市腾讯计算机系统有限公司 Network attack tracing method and device, electronic equipment and storage medium
CN111698214A (en) * 2020-05-15 2020-09-22 平安科技(深圳)有限公司 Network attack security processing method and device and computer equipment
CN112738018A (en) * 2020-11-30 2021-04-30 南方电网数字电网研究院有限公司 ARP spoofing attack detection method, device, computer equipment and storage medium
CN112910825A (en) * 2019-11-19 2021-06-04 华为技术有限公司 Worm detection method and network equipment
CN112953933A (en) * 2021-02-09 2021-06-11 恒安嘉新(北京)科技股份公司 Abnormal attack behavior detection method, device, equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101270041B1 (en) * 2011-10-28 2013-05-31 삼성에스디에스 주식회사 System and method for detecting arp spoofing
US20190058731A1 (en) * 2017-08-17 2019-02-21 Qualcomm Incorporated User-side detection and containment of arp spoofing attacks

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
An access-context based method to detect network scanning event in LAN; Di Wu et al.; 2009 International Conference on Machine Learning and Cybernetics; full text *
An improved ARP spoofing detection method; 张洁; 武装; 陆倜; Computer Science (03); full text *
Research on an SNMP-based ARP attack detection method for campus networks; 禹龙; 朱惠明; 田生伟; 高峰; Computer Applications and Software (05); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant