CN115580441A - Network threat identification method and device based on service flow - Google Patents


Info

Publication number: CN115580441A
Authority: CN (China)
Prior art keywords: threat, traffic data, network traffic, network, matching
Legal status: Pending
Application number: CN202211148640.8A
Other languages: Chinese (zh)
Inventors: 刘晓红, 刘华, 杨加东, 张冀兰, 蒋勇, 曹雷涛, 高俊, 徐广学, 柯海鹏
Current assignee: Huaneng Nuclear Energy Technology Research Institute Co Ltd
Original assignee: Huaneng Nuclear Energy Technology Research Institute Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network threat identification method and device based on service traffic, in the technical field of network security protection. The method comprises the following steps: acquiring network traffic data in a preset scene; performing network layer threat identification on the network traffic data to obtain a first threat identification result; in response to the first threat identification result being that no threat exists in the network traffic data, determining a target application category of the network traffic data; and, based on a policy rule base for the preset scene, performing application layer threat identification on the network traffic data according to the target application category to obtain a second threat identification result, where the policy rule base comprises the threat matching rules corresponding to each application category in the preset scene. With this scheme, network traffic data in the relevant service scene can be identified effectively, so that network access carrying a threat can be blocked and intercepted in time, and long-term stable operation of the service system in the preset scene is guaranteed.

Description

Network threat identification method and device based on service flow
Technical Field
The present application relates to the technical field of network security technology protection, and in particular, to a method and an apparatus for identifying a network threat based on a service flow.
Background
With the rapid development and spread of networks, network attack techniques have changed greatly: threats have shifted from known to unknown, from ordinary channels to channels with evasive behaviour, and from single forms to diversified attacks. Enterprise users can unknowingly become accomplices of attacks, intrusions that exploit trust are increasingly common, and most attacks may originate from authorized service access endpoints. Traditional security protection technology cannot meet the security protection challenges of enterprise network systems.
Disclosure of Invention
In order to solve the above problems, the present application provides a method and an apparatus for identifying a network threat based on a service flow.
According to a first aspect of the present application, a method for identifying a network threat based on service traffic is provided, which includes:
acquiring network traffic data in a preset scene;
performing network layer threat identification on the network traffic data to obtain a first threat identification result;
in response to the first threat identification result being that the network traffic data has no threat, determining a target application category of the network traffic data;
based on a policy rule base for the preset scene, performing application layer threat identification on the network traffic data according to the target application category to obtain a second threat identification result; the policy rule base comprises threat matching rules corresponding to each application category in the preset scene.
In some embodiments of the present application, performing application layer threat identification on the network traffic data according to the target application category based on the policy rule base for the preset scene to obtain a second threat identification result includes:
according to the target application category, obtaining at least one threat matching rule corresponding to the target application category from the policy rule base;
disassembling the network traffic data, and determining parameter values of all parameters in the network traffic data;
matching the parameter values of the parameters with the at least one threat matching rule in sequence;
in response to the parameter values of the parameters successfully matching a target threat matching rule in the at least one threat matching rule, determining that the second threat identification result is that the network traffic data has a threat;
and in response to the parameter values of the parameters not matching any of the at least one threat matching rule, determining that the second threat identification result is that the network traffic data has no threat.
In other embodiments of the present application, the policy rule base further includes security matching rules corresponding to the application categories in the preset scene; in that case, performing application layer threat identification on the network traffic data according to the target application category based on the policy rule base for the preset scene to obtain a second threat identification result includes:
according to the target application category, obtaining at least one matching rule corresponding to the target application category from the policy rule base; the at least one matching rule comprises at least one threat matching rule and/or a security matching rule;
disassembling the network traffic data, and determining parameter values of all parameters in the network traffic data;
matching the parameter values of all the parameters with the at least one matching rule in sequence;
in response to the parameter values of the parameters successfully matching a target threat matching rule in the at least one matching rule, determining that the second threat identification result is that the network traffic data has a threat;
in response to the parameter values of the parameters successfully matching a target security matching rule in the at least one matching rule, determining that the second threat identification result is that the network traffic data has no threat;
and in response to the parameter values of the parameters not matching any of the at least one matching rule, determining that the second threat identification result is that the network traffic data has no threat.
In some embodiments of the present application, the method further comprises:
in response to the second threat identification result being that no threat exists in the network traffic data, releasing the network traffic data;
and in response to the first threat identification result indicating that the network traffic data is threatened or the second threat identification result indicating that the network traffic data is threatened, blocking the network traffic data.
The construction process of the policy rule base comprises the following steps:
acquiring network traffic data samples that carried a threat within a preset time range in the preset scene;
dividing the network traffic data samples into application categories;
disassembling the network traffic data samples in each application category to obtain parameter values of all parameters in the network traffic data samples of that category;
and, based on a preset grammar rule, compiling the parameter values of all parameters in the network traffic data samples of each application category in a unified way to obtain the matching rule corresponding to each application category.
According to a second aspect of the present application, there is provided a network threat identification apparatus based on service traffic, including:
a first acquisition module, configured to acquire network traffic data in a preset scene;
a second acquisition module, configured to perform network layer threat identification on the network traffic data and acquire a first threat identification result;
a determining module, configured to determine a target application category of the network traffic data in response to the first threat identification result indicating that no threat exists in the network traffic data;
a third obtaining module, configured to perform application layer threat identification on the network traffic data according to the target application category based on the policy rule base for the preset scene, and obtain a second threat identification result; the policy rule base comprises threat matching rules corresponding to each application category in the preset scene.
In some embodiments of the present application, the third obtaining module is specifically configured to:
according to the target application category, at least one threat matching rule corresponding to the target application category is obtained from the policy rule base;
disassembling the network traffic data and determining parameter values of all parameters in the network traffic data;
matching the parameter values of the parameters with the at least one threat matching rule in sequence;
in response to successful matching of the parameter values of the parameters with a target threat matching rule in the at least one threat matching rule, determining that a second threat identification result is that the network traffic data has a threat;
and determining that a second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one threat matching rule.
In other embodiments of the present application, the policy rule base further includes a security matching rule corresponding to an application category in the preset scenario; the third obtaining module is specifically configured to:
according to the target application category, at least one matching rule corresponding to the target application category is obtained from the policy rule base; the at least one matching rule comprises at least one threat matching rule and/or a security matching rule;
disassembling the network traffic data and determining parameter values of all parameters in the network traffic data;
matching the parameter values of the parameters with the at least one matching rule in sequence;
in response to successful matching of the parameter values of the parameters with a target threat matching rule in the at least one matching rule, determining that a second threat identification result is that the network traffic data has a threat;
in response to successful matching of the parameter values of the parameters and a target security matching rule in the at least one matching rule, determining that a second threat identification result is that the network traffic data has no threat;
and determining that the second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one matching rule.
In some embodiments of the present application, the apparatus further comprises:
the releasing module is used for releasing the network traffic data in response to the second threat identification result that the network traffic data has no threat;
and the blocking module is used for blocking the network traffic data in response to the first threat identification result indicating that the network traffic data has a threat or the second threat identification result indicating that the network traffic data has a threat.
In addition, the apparatus further comprises a construction module, which is specifically configured to:
acquire network traffic data samples that carried a threat within a preset time range in the preset scene;
divide the network traffic data samples into application categories;
disassemble the network traffic data samples in each application category to obtain parameter values of all parameters in the network traffic data samples of that category;
and, based on a preset grammar rule, compile the parameter values of all parameters in the network traffic data samples of each application category in a unified way to obtain the matching rule corresponding to each application category, so as to construct the policy rule base.
According to a third aspect of the present application, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of the first aspect when executing the program.
According to a fourth aspect of the present application, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of the first aspect described above.
According to the technical scheme, network layer threat identification is first performed on network traffic data in a preset scene to obtain a first threat identification result; if the first threat identification result indicates that the network traffic data has no threat, the target application category of the network traffic data is determined, and application layer threat identification is performed on the network traffic data according to the target application category on the basis of a policy rule base for the preset scene, to obtain a second threat identification result. Because the scheme performs application layer threat identification on top of network layer threat identification of the network traffic data in the preset scene, network traffic data in the relevant service scene can be identified effectively, network access carrying a threat can be blocked and intercepted in time, and long-term stable operation of the service system in the preset scene is ensured.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flowchart of a method for identifying a network threat based on service traffic according to an embodiment of the present application;
FIG. 2 is a flowchart of application layer threat identification on network traffic data in an embodiment of the present application;
FIG. 3 is a flowchart of another application layer threat identification on network traffic data in an embodiment of the present application;
FIG. 4 is a flowchart illustrating the process of constructing a policy rule base according to an embodiment of the present application;
FIG. 5 is a block diagram illustrating the structure of a service traffic-based network threat identification apparatus according to an embodiment of the present disclosure;
FIG. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
It should be noted that, in enterprise network environments, as Internet interconnection and large cross-network applications grow more complex, it becomes increasingly difficult to grasp the online behaviour of the various application services in the network and to find the challenges and risks that the network environment actually faces. Meanwhile, on the security protection side, because of the prevalence of new forms of malicious software and zero-day attacks, traditional signature-comparison mechanisms such as anti-virus, anti-hacking and endpoint protection have almost lost their protective value.
With the rapid development and spread of networks, network attack techniques have changed greatly: threats have shifted from known to unknown, from ordinary channels to channels with evasive behaviour, and from single forms to diversified attacks. Enterprise users can unknowingly become accomplices of attacks, intrusions that exploit trust are increasingly common, and most attacks may originate from authorized service access endpoints. Traditional security protection technology cannot meet the security protection challenges of enterprise network systems.
Because enterprise network structures have expanded, the environment in which network attacks occur has also changed: a network may no longer be just an internal local area network, a wide area network or a DMZ, but a large local area network composed of various departments, branch companies or partners, and the raised level of trust increases the network's risk. Once one point is breached, the whole chain is in danger. Attackers' techniques and aims have changed as well: they understand the functions, performance and deployment rules of traditional boundary protection equipment, attack servers or PCs through system vulnerabilities and then implant Trojans, all through ports that are left open; they can even alter attack characteristics so that boundary protection equipment fails to identify them, and then use machines inside the local area network to obtain confidential data. Attack behaviour of this kind cannot be prevented effectively by traditional means.
In order to solve the above problems, the present application provides a method and an apparatus for identifying a network threat based on a service flow.
FIG. 1 is a flowchart of a method for identifying a network threat based on service traffic according to an embodiment of the present application. It should be noted that the service traffic-based network threat identification method of this embodiment may be used in the service traffic-based network threat identification apparatus of this embodiment, and that apparatus may be configured in an electronic device. As shown in FIG. 1, the method may include the following steps:
step 101, network traffic data under a preset scene is obtained.
In some embodiments of the present application, the preset scenario may be a business scenario inside an enterprise or in a certain department, or may be a business scenario inside an enterprise or in a certain department within a corresponding time range. The network traffic data in the preset scene is network traffic data generated in real time in the preset scene.
Step 102, network layer threat identification is performed on the network traffic data, and a first threat identification result is obtained.
Network layer threat identification refers to the traditional network threat identification approach, for example identifying whether a threat exists in the network traffic data by its protocol, IP address and port number. The first threat identification result is the outcome of the network layer threat identification, and is either that the network traffic data has a threat or that it has no threat.
Step 103, in response to the first threat identification result being that the network traffic data has no threat, determining a target application category of the network traffic data.
It will be appreciated that some network tools with evasive behaviour cannot be identified by network layer threat identification alone. For example, an attack that uses a system vulnerability and an open port to compromise a server or PC and then implants a Trojan cannot be addressed by network layer threat identification. To identify threats in the network traffic data further, application layer threat identification is carried out when the first threat identification result is that the network traffic data has no threat, so that attack behaviour of this kind is effectively prevented.
In some embodiments of the present application, since the identified network traffic data occurs in the preset scenario, the application categories of the network traffic data may be divided based on the preset scenario, for example, the application categories may include social applications, conference applications, and the like. Because the threats existing in the network traffic data under each application type have corresponding commonalities, the target application type of the network traffic data can be determined first, and then application layer threat identification is performed on the target application type. The target application class of the network traffic data may be generally determined according to a protocol to which the network traffic data corresponds.
Step 104, based on a policy rule base for the preset scene, application layer threat identification is performed on the network traffic data according to the target application category to obtain a second threat identification result; the policy rule base comprises threat matching rules corresponding to each application category in the preset scene.
In some embodiments of the present application, a corresponding policy rule base may be formulated from network traffic data observed over a period of time in the preset scene. The policy rule base includes the threat matching rules corresponding to each application category in the preset scene: the rules are extracted from the characteristics of network traffic data samples that carried threats during a period of time in the preset scene and compiled into the corresponding threat matching rules, and the policy rule base for the preset scene can be updated continuously.
As an embodiment, application layer threat identification on network traffic data may include: according to the target application category, acquiring at least one threat matching rule corresponding to the target application category from the policy rule base; matching the network traffic data against the at least one threat matching rule, where if any threat matching rule matches the network traffic data successfully, the second threat identification result is that a threat exists in the network traffic data; and if the network traffic data does not match any of the at least one threat matching rule, the second threat identification result is that no threat exists in the network traffic data.
In some embodiments of the present application, after threat identification is performed on network traffic data, corresponding processing needs to be performed based on an identification result to implement timely blocking and intercepting network threats such as vulnerability attacks, viruses, password brute force, and the like, so the method may further include:
and step 105, in response to the second threat identification result that the network traffic data has no threat, releasing the network traffic data.
And step 106, in response to the first threat identification result indicating that the network traffic data has a threat or the second threat identification result indicating that the network traffic data has a threat, blocking the network traffic data.
In some embodiments of the application, if the first threat identification result indicates that the network traffic data has a threat, or the second threat identification result indicates that the network traffic data has a threat, the relevant information of the network traffic data may be written into a log while the network traffic is prevented, so as to facilitate subsequent analysis of the identification result. The content written into the log may include the network traffic data, or may include an application type, a threat matching rule if matching with the network traffic data is successful, or the like.
According to the network threat identification method based on the service flow, aiming at network flow data in a preset scene, network layer threat identification is firstly carried out on the network flow data, a first threat identification result is obtained, if the first threat identification result indicates that the network flow data has no threat, the target application type of the network flow data is determined, and based on a strategy rule base in the preset scene, application layer threat identification is carried out on the network flow data according to the target application type, so that a second threat identification result is obtained. According to the scheme, the threat identification of the application layer is carried out on the network flow data on the basis of carrying out the threat identification of the network layer on the network flow data in the preset scene, so that the network flow data in the relevant service scene can be effectively identified, the network access with the threat can be conveniently blocked and intercepted in time, and the long-term stable operation of the service system in the preset scene is ensured.
Next, the process of performing application layer threat identification on network traffic data according to the target application category, based on a policy rule base for a preset scene, to obtain a second threat identification result is described in detail.
FIG. 2 is a flowchart of application layer threat identification on network traffic data in an embodiment of the present application. As shown in FIG. 2, based on the above embodiment, the implementation of step 104 in FIG. 1 may include the following steps:
step 201, according to the target application category, at least one threat matching rule corresponding to the target application category is obtained from a policy rule base.
Step 202, the network traffic data is disassembled, and parameter values of each parameter in the network traffic data are determined.
Step 203, the parameter values of the parameters are matched with the at least one threat matching rule in sequence.
The threat matching rules are obtained by compiling, in a unified way, the parameter values of all parameters in network traffic data samples that carried a threat; therefore, if the parameter values of the parameters in the network traffic data successfully match one of the at least one threat matching rule, a threat exists in the network traffic data, and otherwise no threat exists.
Step 204, in response to the parameter values of the parameters successfully matching a target threat matching rule in the at least one threat matching rule, determining that the second threat identification result is that the network traffic data has a threat.
Step 205, in response to the parameter values of the parameters not matching any of the at least one threat matching rule, determining that the second threat identification result is that the network traffic data has no threat.
According to the service traffic-based network threat identification method of this embodiment, at least one threat matching rule corresponding to the target application category is obtained from the policy rule base according to the target application category, the network traffic data is disassembled, and the parameter values of all parameters in the network traffic data are determined and matched against the at least one threat matching rule; if the parameter values match a target threat matching rule, the network traffic data is determined to have a threat, and otherwise no threat exists. Matching against the rules in the policy rule base thus identifies threats in the network traffic data further, so that network traffic data in the relevant service scene can be identified effectively, network access carrying a threat can be blocked and intercepted in time, and long-term stable operation of the service system in the preset scene is ensured.
In other embodiments of the present application, the policy rule base further includes a security matching rule corresponding to an application category in the preset scenario. A security matching rule means that network traffic data meeting the rule is safe; it can be obtained by uniformly compiling the parameter values of all parameters in an obviously secure network traffic data sample. Adding security matching rules speeds up matching during application-layer threat identification of the network traffic data.
Fig. 3 is a flowchart of another implementation of application-layer threat identification on network traffic data in an embodiment of the present application. As shown in fig. 3, based on the above embodiment, the implementation of step 104 in fig. 1 may include the following steps:
Step 301, according to the target application category, obtaining at least one matching rule corresponding to the target application category from the policy rule base; the at least one matching rule includes at least one threat matching rule and/or a security matching rule.
Step 302, disassembling the network traffic data to determine the parameter values of each parameter in the network traffic data.
Step 303, matching the parameter values of the parameters with the at least one matching rule in sequence.
Step 304, in response to the parameter values of the parameters successfully matching a target threat matching rule in the at least one matching rule, determining that the second threat identification result is that the network traffic data has a threat.
Step 305, in response to the parameter values of the parameters successfully matching a target security matching rule in the at least one matching rule, determining that the second threat identification result is that the network traffic data has no threat.
Step 306, in response to the parameter values of the parameters not successfully matching any of the at least one matching rule, determining that the second threat identification result is that the network traffic data has no threat.
According to the network threat identification method based on the service flow, the security matching rules corresponding to the application categories are added in the strategy rule base to improve the speed of the matching process, so that the efficiency of network threat identification can be improved.
Next, a process of constructing the policy rule base in a preset scenario will be described.
Fig. 4 is a flowchart of a process of constructing a policy rule base in the embodiment of the present application. As shown in fig. 4, the building process includes:
Step 401, obtaining network traffic data samples carrying a threat within a preset time range in the preset scenario.
Step 402, dividing the network traffic data samples into application categories.
Step 403, disassembling the network traffic data samples under each application category to obtain the parameter values of each parameter in the network traffic data samples under each application category.
Step 404, based on a preset grammar rule, performing unified compiling processing on the parameter values of each parameter in the network traffic data samples under each application category to obtain the matching rule corresponding to each application category.
As an example, the preset grammar rules may be as shown in Table 1; they may be similar to conventional regular expression rules.
Table 1 Example of preset grammar rules (the table is provided as an image in the original publication and is not reproduced here)
In some embodiments of the present application, the policy rule base may further include security matching rules: features of obviously secure network traffic data are extracted, that is, the parameter values of the parameters in the obviously secure network traffic data corresponding to an application category are compiled in a unified manner according to the preset grammar rule, so as to obtain the corresponding security matching rule. In addition, the threat matching rules in the policy rule base can be combined with a virus signature base, a vulnerability base, a URL base, an IP blacklist base and the like.
According to the network threat identification method based on the service flow, the matching rules for the service data flow are compiled uniformly based on preset grammar rules and the policy rule base for the preset scenario is constructed, so that multi-level threat identification based on the service data flow is realized, network access carrying a threat is blocked and intercepted in time, and the long-term stable operation of the service system in the preset scenario is ensured.
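The following added example (not code from the patent) implements the rule base construction of steps 401-404 and the sequential matching of steps 301-306 in Python. It assumes that each traffic record has already been disassembled into a dictionary of parameter values and tagged with its target application category, that the preset grammar is ordinary regular expressions (the page only says the grammar is similar to regular expressions), and that the network-layer stage is a source-IP blocklist check; all addresses, samples and rules are constructed.

```python
"""Two-level threat identification over disassembled traffic records.

Added illustration, not the patent's code. Assumptions (not from the page):
- a traffic record is already disassembled into a dict of parameter name ->
  string value and carries its target application category under "app";
- the preset grammar is Python regular expressions;
- the network-layer stage is a source-IP blocklist check.
All sample data below is constructed.
"""
import re
from dataclasses import dataclass

THREAT, SAFE = "threat", "no_threat"


@dataclass
class MatchingRule:
    kind: str       # THREAT (threat matching rule) or SAFE (security matching rule)
    patterns: dict  # parameter name -> compiled regular expression

    def matches(self, params):
        # Every parameter the rule constrains must be present and match in full;
        # fullmatch keeps a "/console/exec" rule from firing on "/console/exec-log".
        return all(name in params and rx.fullmatch(params[name]) is not None
                   for name, rx in self.patterns.items())


def compile_rule(kind, samples):
    """Step 404: unify the parameter values of one category's samples into a
    single rule: per parameter, an alternation of the escaped values seen."""
    seen = {}
    for params in samples:
        for name, value in params.items():
            seen.setdefault(name, set()).add(value)
    patterns = {name: re.compile("|".join(sorted(re.escape(v) for v in values)))
                for name, values in seen.items()}
    return MatchingRule(kind, patterns)


def build_rule_base(threat_samples, safe_samples=()):
    """Steps 401-404. Samples are (category, params) pairs collected in the
    preset scenario (401), grouped by category (402); their parameter values
    (403) are compiled per category (404). Security rules are placed before
    threat rules so obviously benign traffic is decided on the first
    comparison; because the first hit decides, the security samples must be
    truly unambiguous (the patent's "obviously secure" traffic)."""
    rule_base = {}
    for kind, samples in ((SAFE, safe_samples), (THREAT, threat_samples)):
        grouped = {}
        for category, params in samples:
            grouped.setdefault(category, []).append(params)
        for category, group in grouped.items():
            rule_base.setdefault(category, []).append(compile_rule(kind, group))
    return rule_base


def identify_network_layer(record, ip_blocklist):
    """First threat identification result (assumed blocklist check)."""
    return THREAT if record["src_ip"] in ip_blocklist else SAFE


def identify_application_layer(rule_base, category, params):
    """Steps 301-306: fetch the rules of the target category (301), match the
    disassembled parameters against them in sequence (303), let the first hit
    decide (304/305), and report no threat when nothing matches (306).
    Returns the second threat identification result and the reason for it."""
    rules = rule_base.get(category)
    if not rules:
        return SAFE, "no_rules"   # category not covered by the base: a coverage gap
    for rule in rules:
        if rule.matches(params):
            return (THREAT, "threat_rule") if rule.kind == THREAT else (SAFE, "security_rule")
    return SAFE, "no_match"


def identify(record, rule_base, ip_blocklist):
    """Whole pipeline: the application layer is consulted only when the network
    layer found nothing; a threat result at either level leads to blocking."""
    first = identify_network_layer(record, ip_blocklist)
    if first == THREAT:
        return "block", first, None, "network_layer"
    second, reason = identify_application_layer(rule_base, record["app"], record["params"])
    return ("block" if second == THREAT else "release"), first, second, reason


def record(src_ip, app, **params):
    """Build a constructed, already-disassembled traffic record."""
    return {"src_ip": src_ip, "app": app, "params": params}


# Constructed rule base: two threat samples and one obviously benign sample.
IP_BLOCKLIST = {"203.0.113.7"}
RULE_BASE = build_rule_base(
    threat_samples=[
        ("web_admin", {"method": "POST", "path": "/console/exec", "user_agent": "python-requests/2.31"}),
        ("web_admin", {"method": "POST", "path": "/console/upload", "user_agent": "curl/7.88"}),
    ],
    safe_samples=[
        ("web_admin", {"method": "GET", "path": "/health", "user_agent": "monitor-probe/1.0"}),
    ],
)

if __name__ == "__main__":
    for rec in (record("203.0.113.7", "web_admin", method="GET", path="/health", user_agent="monitor-probe/1.0"),
                record("198.51.100.5", "web_admin", method="POST", path="/console/upload", user_agent="python-requests/2.31"),
                record("198.51.100.5", "web_admin", method="POST", path="/console/exec-log", user_agent="curl/7.88")):
        print(identify(rec, RULE_BASE, IP_BLOCKLIST))
```

Note that unified compilation cross-combines values from different samples (a POST to /console/upload with the python-requests agent is still caught), which widens each rule beyond the exact samples seen.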
In order to implement the above embodiments, the present application provides a network threat identification apparatus based on a service flow.
Fig. 5 is a block diagram illustrating a structure of a service traffic-based cyber-threat recognition apparatus according to an embodiment of the present disclosure. As shown in fig. 5, the apparatus includes:
a first obtaining module 501, configured to obtain network traffic data in a preset scene;
a second obtaining module 502, configured to perform network layer threat identification on the network traffic data, and obtain a first threat identification result;
a determining module 503, configured to determine a target application category of the network traffic data in response to the first threat identification result indicating that the network traffic data has no threat;
a third obtaining module 504, configured to perform application layer threat identification on the network traffic data according to the target application category based on a policy rule base in a preset scenario, and obtain a second threat identification result; the policy rule base comprises threat matching rules corresponding to each application category in a preset scene.
In some embodiments of the present application, the third obtaining module 504 is specifically configured to:
acquiring at least one threat matching rule corresponding to the target application type from a policy rule base according to the target application type;
disassembling the network flow data and determining parameter values of all parameters in the network flow data;
matching the parameter values of all the parameters with at least one threat matching rule in sequence;
responding to successful matching of the parameter values of the parameters and a target threat matching rule in the at least one threat matching rule, and determining that the second threat identification result is that the network flow data has a threat;
and determining that the second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one threat matching rule.
In other embodiments of the present application, the policy rule base further includes a security matching rule corresponding to an application category in a preset scenario; the third obtaining module 504 is specifically configured to:
acquiring at least one matching rule corresponding to the target application type from a strategy rule base according to the target application type; the at least one matching rule comprises at least one threat matching rule and/or a security matching rule;
disassembling the network flow data, and determining parameter values of all parameters in the network flow data;
matching the parameter values of all the parameters with at least one matching rule in sequence;
responding to the successful matching of the parameter values of the parameters and the target threat matching rules in the at least one matching rule, and determining that the second threat identification result is that the network traffic data has threats;
responding to successful matching of the parameter values of the parameters and a target safety matching rule in the at least one matching rule, and determining that the second threat identification result is that the network flow data has no threat;
and determining that the second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one matching rule.
In some embodiments of the present application, the apparatus further comprises:
a releasing module 505, configured to release the network traffic data in response to the second threat identification result being that the network traffic data does not have a threat;
a blocking module 506, configured to block the network traffic data in response to the first threat identification result indicating that the network traffic data is threatened, or in response to the second threat identification result indicating that the network traffic data is threatened.
In addition, the apparatus further comprises a building module 507, which is specifically configured to:
acquiring a network flow data sample with a threat in a preset time range under a preset scene;
dividing application categories of the network traffic data samples;
disassembling the network traffic data samples under each application category to obtain parameter values of each parameter in the network traffic data samples under each application category;
and based on a preset grammar rule, uniformly compiling according to parameter values of all parameters in the network flow data sample under each application category to obtain a matching rule corresponding to each application category so as to construct a policy rule base.
According to the network threat identification device based on the service flow, aiming at network flow data in a preset scene, network layer threat identification is firstly carried out on the network flow data, a first threat identification result is obtained, if the first threat identification result indicates that the network flow data has no threat, the target application type of the network flow data is determined, and based on a strategy rule base in the preset scene, application layer threat identification is carried out on the network flow data according to the target application type, so that a second threat identification result is obtained. According to the scheme, on the basis of carrying out threat identification on the network layer on the network flow data in the preset scene, threat identification on the application layer is also carried out on the network flow data, so that effective identification on the network flow data in the relevant service scene can be realized, network access with threats is conveniently blocked and intercepted in time, and long-term stable operation of a service system in the preset scene is guaranteed.
Fig. 6 is a block diagram of an electronic device of a network threat identification method based on traffic flow according to an embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the applications described and/or claimed herein.
As shown in fig. 6, the electronic apparatus includes: memory 610, processor 620, and computer programs 630 stored on the memory and executable on the processor. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, if desired. Also, multiple electronic devices may be connected, with each device providing some of the necessary operations (e.g., as an array of servers, a group of blade servers, or a multi-processor system).
Memory 610 is a non-transitory computer readable storage medium as provided herein. Wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the method of the above embodiments. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to perform the method described in the above embodiments.
Memory 610, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the methods in the embodiments described above. The processor 620 executes various functional applications of the server and data processing by executing non-transitory software programs, instructions, and modules stored in the memory 610, that is, implements the method in the above-described embodiment.
The memory 610 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of an electronic device to implement the method in the above-described embodiments, and the like. Further, the memory 610 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 610 may optionally include memory located remotely from processor 620, which may be connected via a network to an electronic device to implement the methods in the embodiments described above. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device may further include: an input device 640 and an output device 650. The processor 620, the memory 610, the input device 640, and the output device 650 may be connected by a bus or other means, such as the bus connection in fig. 6.
The input device 640 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic apparatus, such as a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointing stick, one or more mouse buttons, a track ball, a joystick, or other input device. The output device 650 may include a display device, an auxiliary lighting device (e.g., an LED), a haptic feedback device (e.g., a vibration motor), and the like. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless explicitly specified otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are well known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried out in the method of implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (12)

1. A network threat identification method based on service flow is characterized by comprising the following steps:
acquiring network flow data in a preset scene;
carrying out network layer threat identification on the network flow data to obtain a first threat identification result;
in response to the first threat identification result indicating that the network traffic data is not threatened, determining a target application category of the network traffic data;
based on the policy rule base under the preset scene, according to the target application category, performing application layer threat identification on the network traffic data to obtain a second threat identification result; and the strategy rule base comprises threat matching rules corresponding to each application category in the preset scene.
2. The method according to claim 1, wherein the performing application-layer threat recognition on the network traffic data according to the target application category based on the policy rule base in the preset scenario to obtain a second threat recognition result includes:
according to the target application category, at least one threat matching rule corresponding to the target application category is obtained from the strategy rule base;
disassembling the network flow data, and determining parameter values of all parameters in the network flow data;
matching the parameter values of the parameters with the at least one threat matching rule in sequence;
in response to successful matching of the parameter values of the parameters and a target threat matching rule in the at least one threat matching rule, determining that a second threat identification result is that the network traffic data has a threat;
and determining that a second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one threat matching rule.
3. The method according to claim 1, wherein the policy rule base further includes a security matching rule corresponding to an application category in the preset scenario; the method for identifying the application layer threat of the network flow data based on the policy rule base under the preset scene according to the target application category and acquiring a second threat identification result comprises the following steps:
according to the target application category, at least one matching rule corresponding to the target application category is obtained from the strategy rule base; the at least one matching rule comprises at least one threat matching rule and/or a security matching rule;
disassembling the network traffic data and determining parameter values of all parameters in the network traffic data;
matching the parameter values of the parameters with the at least one matching rule in sequence;
in response to successful matching of the parameter values of the parameters with a target threat matching rule in the at least one matching rule, determining that a second threat identification result is that the network traffic data has a threat;
in response to successful matching of the parameter values of the parameters and a target security matching rule in the at least one matching rule, determining that a second threat identification result is that the network traffic data has no threat;
and determining that the second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one matching rule.
4. The method of claim 1, further comprising:
in response to the second threat identification result that the network traffic data has no threat, releasing the network traffic data;
and in response to the first threat identification result indicating that the network traffic data is threatened or the second threat identification result indicating that the network traffic data is threatened, blocking the network traffic data.
5. The method according to any one of claims 1-4, wherein the construction process of the policy rule base comprises:
acquiring a network flow data sample with a threat in a preset time range under the preset scene;
dividing the application categories of the network traffic data samples;
disassembling the network traffic data samples under each application type to obtain parameter values of all parameters in the network traffic data samples under each application type;
and based on a preset grammar rule, performing unified compiling processing according to parameter values of all parameters in the network flow data sample under each application category to obtain a matching rule corresponding to each application category.
6. A network threat identification apparatus based on service flow, comprising:
the first acquisition module is used for acquiring network flow data in a preset scene;
the second acquisition module is used for carrying out network layer threat identification on the network flow data and acquiring a first threat identification result;
the determining module is used for determining a target application category of the network traffic data in response to the first threat identification result indicating that no threat exists in the network traffic data;
a third obtaining module, configured to perform application layer threat identification on the network traffic data according to the target application category based on the policy rule base in the preset scenario, and obtain a second threat identification result; and the strategy rule base comprises threat matching rules corresponding to each application category in the preset scene.
7. The apparatus of claim 6, wherein the third obtaining module is specifically configured to:
according to the target application category, at least one threat matching rule corresponding to the target application category is obtained from the strategy rule base;
disassembling the network traffic data and determining parameter values of all parameters in the network traffic data;
matching the parameter values of the parameters with the at least one threat matching rule in sequence;
in response to successful matching of the parameter values of the parameters with a target threat matching rule in the at least one threat matching rule, determining that a second threat identification result is that the network traffic data has a threat;
and determining that the second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one threat matching rule.
8. The apparatus according to claim 6, wherein the policy rule base further includes a security matching rule corresponding to an application category in the preset scenario; the third obtaining module is specifically configured to:
according to the target application category, at least one matching rule corresponding to the target application category is obtained from the strategy rule base; the at least one matching rule comprises at least one threat matching rule and/or a security matching rule;
disassembling the network traffic data and determining parameter values of all parameters in the network traffic data;
matching the parameter values of the parameters with the at least one matching rule in sequence;
in response to successful matching of the parameter values of the parameters and a target threat matching rule in the at least one matching rule, determining that a second threat identification result is that the network traffic data has a threat;
in response to successful matching of the parameter values of the parameters and a target security matching rule in the at least one matching rule, determining that a second threat identification result is that the network traffic data has no threat;
and determining that the second threat identification result is that the network traffic data has no threat in response to the condition that the parameter values of the parameters are not successfully matched with the at least one matching rule.
9. The apparatus of claim 6, further comprising:
the releasing module is used for releasing the network traffic data in response to the second threat identification result that the network traffic data has no threat;
and the blocking module is used for blocking the network traffic data in response to the first threat identification result indicating that the network traffic data has a threat or the second threat identification result indicating that the network traffic data has a threat.
10. The apparatus according to any one of claims 6-9, further comprising a construction module specifically configured to:
acquiring a network flow data sample with threat in a preset time range under the preset scene;
dividing the application categories of the network traffic data samples;
disassembling the network flow data samples under each application category to obtain parameter values of all parameters in the network flow data samples under each application category;
and based on a preset grammar rule, performing unified compiling processing according to parameter values of all parameters in the network flow data sample under each application category to obtain a matching rule corresponding to each application category so as to construct the policy rule base.
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the program, implements the method according to any of claims 1 to 5.
12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 5.
CN202211148640.8A 2022-09-21 2022-09-21 Network threat identification method and device based on service flow Pending CN115580441A (en)

Publications (1)

Publication Number Publication Date
CN115580441A true CN115580441A (en) 2023-01-06

Family

ID=84580852

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211148640.8A Pending CN115580441A (en) 2022-09-21 2022-09-21 Network threat identification method and device based on service flow

Country Status (1)

Country Link
CN (1) CN115580441A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination