WO2017206499A1 - Network attack detection method and attack detection apparatus - Google Patents


Info

Publication number
WO2017206499A1
Authority
WO
WIPO (PCT)
Prior art keywords
objects
attack
network
sessions
attack detection
Application number
PCT/CN2016/112155
Other languages
French (fr)
Chinese (zh)
Inventor
周冲
付天福
刘金华
Original Assignee
华为技术有限公司
Priority claimed from CN201610495352.8A (CN107454052A)
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2017206499A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present application relates to the field of data processing, and in particular, to a network attack detection method and an attack detection apparatus.
  • the existing packet sampling technology can analyze only very few features of the obtained data traffic, and can only detect simple known network anomalies such as data traffic bursts. Because it cannot perform in-depth analysis of the characteristics of data traffic, it is difficult to provide more useful information for the detection of network attacks, resulting in inefficient attack detection.
  • the present application provides a network attack detection method for providing more useful information for network attack detection.
  • the first aspect of the present application provides a network attack detection method, including: acquiring information of P sessions forwarded by a forwarding device in a network in a first time period.
  • Each of the P sessions belongs to one of the Q objects, where P and Q are integers greater than or equal to 1, and P is greater than or equal to Q.
  • the amount of data of each of the Q objects is determined.
  • the data flow is analyzed in depth, and the obtained statistical information can reflect the more diverse, deep, complex and accurate characteristics of the network data traffic, which helps the attack detection device detect unknown attacks and attacks hidden deep in the network.
  • the amount of data of each of the Q objects may be calculated accurately or may be estimated.
  • the second time period may be the same time period as the first time period, or may be a different time period.
  • the data volume of each of the Q objects includes: the number of sessions the object includes in the first time period, the data traffic size of those sessions, or the number of packets in those sessions.
  • the attack detecting device may sort the Q objects in order of data amount and determine the first object, where the first object is an object among the top N of the sorted Q objects.
  • the attack detection device may remove the preset M objects from the Q objects, sort the remaining Q-M objects according to data amount from large to small, and determine that the first object is one of the preset M objects or one of the top N objects of the sorted Q-M objects, where the preset M objects can be designated manually or set by the attack detection device, M is an integer smaller than Q, and N is an integer less than Q-M.
  • the attack detection device may further input the obtained statistical result into a preset machine model, where the machine model is a classifier, and can determine whether there is an attack in the network according to the statistical result.
  • the machine model is a classifier
  • the attack detection device may further compare the obtained statistical result with a preset baseline, where the baseline may be regarded as the boundary between normal and abnormal statistical results of the first object, or as the criterion or rule for whether the statistical result of the first object is normal; by comparing the statistical result with the baseline, it can determine whether there is an attack in the network.
  • the attack detection device may also modify the preset baseline according to the statistical result to adapt to the changed network environment.
  • the second aspect of the present application provides an attack detection apparatus, including: an information acquisition module, configured to acquire information of P sessions forwarded by a forwarding device in a first time period, where each of the P sessions belongs to one of Q objects; a data amount determining module, configured to determine the amount of data of each of the Q objects using the information of the P sessions; and an object determining module, configured to determine the first object according to the data amount of each of the Q objects.
  • a feature value statistic module is configured to collect the feature values of the plurality of sessions of the first object that are forwarded by the forwarding device in the second time period, and obtain the statistical result, where the statistical result is used to determine whether there is an attack in the network where the forwarding device is located.
  • the attack detection device provided by the present application can perform deep analysis on the data flow, and the obtained statistical information can reflect more diverse, deep, complex, and accurate characteristics of the network data traffic, which helps detect unknown attacks and attacks hidden deep in the network.
  • the data volume of each of the Q objects includes: the number of sessions the object includes in the first time period, the data traffic size of those sessions, or the number of packets in those sessions.
  • the object determining module is specifically configured to: sort the Q objects in order of data amount, and determine the first object, where the first object is an object among the top N of the sorted Q objects, and N is an integer less than Q. This is advantageous for selecting an object with a large amount of data as the first object.
  • the object determining module is further configured to: remove the preset M objects from the Q objects, sort the remaining Q-M objects according to data amount in descending order, and determine the first object.
  • the first object is one of the preset M objects, or one of the top N objects of the sorted Q-M objects.
  • the attack detection device may further include an attack determination module, where the attack determination module may be configured to input the obtained statistical result into a preset machine model, and determine, by the machine module, whether there is an attack in the network.
  • the machine model is a classifier that can determine whether there is an attack in the network based on statistical results.
  • the attack judging module may further compare the obtained statistical result with a preset baseline, where the baseline may be regarded as the boundary between normal and abnormal statistical results of the first object, or as the criterion or rule for whether the statistical result of the first object is normal; by comparing the statistical result with the baseline, it can determine whether there is an attack in the network.
  • the attack judging module may also modify the preset baseline according to the statistical result to adapt to the changed network environment.
  • a third aspect of the present application provides another attack detection apparatus including a processor and a communication interface.
  • the communication interface is configured to obtain information about P sessions forwarded by the forwarding device in the network in the first time period, where each of the P sessions belongs to one of Q objects, P and Q are both integers greater than or equal to 1, and P is greater than or equal to Q.
  • the processor is configured to: determine, according to the information about the P sessions acquired by the communication interface, the data amount of each of the Q objects; determine a first object according to the data amount of each of the Q objects; and then count the feature values of the plurality of sessions of the first object forwarded by the forwarding device in the second time period to obtain a statistical result.
  • FIG. 1 is a schematic structural diagram of an available system according to an embodiment of the present application.
  • FIG. 2 is a structural diagram of an attack detection apparatus according to an embodiment of the present application.
  • FIG. 3 is a flowchart of a network attack detection method according to an embodiment of the present application.
  • FIG. 4 is a structural diagram of another attack detection apparatus according to an embodiment of the present application.
  • the present application provides an attack detection method for improving attack detection efficiency of a data stream.
  • the present application also provides related attack detection devices, which will be separately described below.
  • FIG. 1 is a diagram of an available system architecture provided by the present application.
  • the network may include multiple forwarding devices, such as the forwarding device 101, the forwarding device 102, and the forwarding device 103.
  • Each forwarding device can be a router, a switch, a firewall, a packet transport network device, a wavelength division multiplexing device, an optical transport network device, a base station, or a base station controller.
  • the attack detection device 104 is configured to couple with one or more forwarding devices in the network, and to detect whether there is an attack in the packets sent and received by the forwarding device.
  • the attack detection device 104 is coupled to the forwarding device 103 for detecting whether there is an attack in the packet sent and received by the forwarding device 103.
  • the attack detection device 104 may be an independent physical device, such as a server.
  • the attack detection device 104 may also be a function module deployed on a physical device, which is not limited in this application.
  • a session refers to a communication interaction between two devices in a network during a specific uninterrupted operation time.
  • the packets belonging to the same session have matching address information; for example, in the Transmission Control Protocol (English: Transmission Control Protocol; TCP) or the User Datagram Protocol (English: User Datagram Protocol; UDP),
  • the packets of a session can be identified by the 5-tuple information, that is, the packets of the same session have the same 5-tuple information: the same source IP address, destination IP address, source port number, destination port number, and transport layer protocol number.
  • in the Internet Control Message Protocol (ICMP),
  • a packet belonging to a session can be identified by the 2-tuple information, and the packets of the same session have the same 2-tuple information, that is, the same source IP address and destination IP address.
  • a session refers to a communication interaction between two devices in a network during an uninterrupted, specific operational time. During a session, all messages transmitted between the two devices belong to the session.
  • for TCP or UDP packets, the packets of the same session have matching 5-tuple information. That is, in the 5-tuple carried by a packet sent by the first device to the second device, the source IP address is the IP address of the first device, the source port number is the port number of the first device, the destination IP address is the IP address of the second device, and the destination port number is the port number of the second device; in the 5-tuple carried by a packet sent by the second device to the first device, the source IP address is the IP address of the second device, the source port number is the port number of the second device, the destination IP address is the IP address of the first device, and the destination port number is the port number of the first device.
  • the transport layer protocol numbers used by the two devices are the same. These packets belong to the same TCP/UDP session.
  • the message that is communicated between the first device and the second device is not a TCP message or a UDP message
  • the message that is communicated between the first device and the second device is an ICMP message.
  • multiple packets matching the 2-tuple information belong to the same session. That is, in the 2-tuple carried by a packet sent by the first device to the second device, the source IP address is the IP address of the first device and the destination IP address is the IP address of the second device; in the 2-tuple carried by a packet sent by the second device to the first device, the source IP address is the IP address of the second device and the destination IP address is the IP address of the first device.
  • the transport layer protocol numbers of the packets sent between the two devices are the same. These packets belong to the same ICMP session.
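The session identification described in the points above, as an added example that is not part of the patent text: packets are keyed by the 5-tuple (TCP/UDP) or the 2-tuple (ICMP) so that both directions of an exchange fall into one session. The packet records, addresses and sizes are constructed, and the port-0 placeholder for ICMP is this example's own convention.

```python
"""Added example (not code from the patent): building the session key the
page defines from packet headers. TCP/UDP packets match on the 5-tuple and
ICMP packets on the 2-tuple, and both directions of an exchange map to one
session by ordering the two endpoints. The packet records are constructed."""
from collections import defaultdict

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers

def session_key(pkt):
    """Direction-independent key (proto, endpoint_a, endpoint_b). An endpoint
    is (ip, port); ICMP has no ports, so port 0 stands in for the 2-tuple."""
    proto = pkt["proto"]
    if proto in (TCP, UDP):
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    elif proto == ICMP:
        a, b = (pkt["src"], 0), (pkt["dst"], 0)
    else:
        raise ValueError(f"unsupported protocol number {proto}")
    lo, hi = sorted((a, b))  # request and reply yield the same ordering
    return (proto, lo, hi)

def group_sessions(packets):
    """Map each session key to the packets that belong to it, in arrival order."""
    sessions = defaultdict(list)
    for p in packets:
        sessions[session_key(p)].append(p)
    return sessions

def session_info(packets):
    """Summarise a session as the page's session information: the first
    packet's direction defines source/destination, plus byte and packet counts
    (the two values from which the average packet length is later derived)."""
    first = packets[0]
    return {"src": first["src"], "dst": first["dst"], "proto": first["proto"],
            "pkts": len(packets), "bytes": sum(p["len"] for p in packets)}

def summarise(packets):
    """Return {session_key: session_info} for a packet list."""
    return {k: session_info(v) for k, v in group_sessions(packets).items()}

# Constructed packets: a TCP exchange in both directions, a UDP query with its
# reply, and an ICMP echo request/reply between the same two hosts.
PACKETS = [
    {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 443, "proto": TCP, "len": 60},
    {"src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 40000, "proto": TCP, "len": 60},
    {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 443, "proto": TCP, "len": 520},
    {"src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 40000, "proto": TCP, "len": 1400},
    {"src": "10.0.0.5", "sport": 5353, "dst": "203.0.113.10", "dport": 53, "proto": UDP, "len": 70},
    {"src": "203.0.113.10", "sport": 53, "dst": "10.0.0.5", "dport": 5353, "proto": UDP, "len": 130},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": ICMP, "len": 84},
    {"src": "203.0.113.10", "dst": "10.0.0.5", "proto": ICMP, "len": 84},
]

if __name__ == "__main__":
    for key, info in summarise(PACKETS).items():
        print(key, info)
```

The eight constructed packets collapse into three sessions, and the reply packets carry the same key as the requests they answer.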
  • the attack detection device 104 shown in FIG. 1 can be implemented by the attack detection device 200 shown in FIG. 2, and includes a processor 201, a memory 202, and a communication interface 203.
  • a bus 204 is also included.
  • the processor 201, the memory 202, and the communication interface 203 can implement a communication connection with each other via the bus 204.
  • communication can also be achieved by other means such as wireless transmission.
  • the memory 202 can include a volatile memory, such as a random-access memory (English: random-access memory, abbreviation: RAM); it may also include a non-volatile memory (English: non-volatile memory), such as a read-only memory (English: read-only memory, abbreviation: ROM), a flash memory (English: flash memory), a hard disk drive (English: hard disk drive, abbreviation: HDD) or an SSD; the memory 202 may also include a combination of the above types of memory.
  • the memory 202 stores the program code for implementing the attack detection method provided in FIG. 3 of the present application.
  • the communication interface 203 can be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or an Ethernet interface.
  • the communication interface 203 can also be a wireless interface, such as a wireless local area network interface.
  • the communication interface 203 is configured to acquire information of P sessions forwarded by the forwarding device in the first time period, and feature values of the plurality of sessions of the first object forwarded in the second time period.
  • the processor 201 can be a central processing unit (English: central processing unit, CPU for short), a hardware chip or a combination of a CPU and a hardware chip.
  • the processor 201 is configured to control the communication interface 203 to acquire information of the P sessions forwarded by the forwarding device in the first time period, where each session of the P sessions belongs to one of Q objects, P and Q are integers greater than or equal to 1, and P is greater than or equal to Q; determine the data amount of each of the Q objects according to the information of the P sessions; determine a first object according to the data amount of each of the Q objects; and collect the feature values of the plurality of sessions of the first object forwarded by the forwarding device in the second time period to obtain a statistical result, where the statistical result is used to determine whether there is an attack in the network where the forwarding device is located.
  • the data volume of each object is the number of sessions the object includes in the first time period, the data traffic size of those sessions, or the number of packets in those sessions.
  • determining the first object according to the data volume of each of the Q objects includes: sorting the Q objects in order of data amount, and determining that the first object is an object among the top N objects after sorting, where N is an integer smaller than Q.
  • determining the first object according to the data volume of each of the Q objects may further include: removing the preset M objects from the Q objects, sorting the remaining Q-M objects in order of data amount, and determining that the first object is one of the preset M objects or one of the top N objects of the sorted Q-M objects, where M is an integer less than Q and N is an integer less than Q-M.
  • the processor 201 is further configured to input the statistical result into a preset machine model, and determine, by using the machine model, whether an attack exists in the network.
  • the processor 201 is further configured to compare the statistical result with a preset baseline to determine whether an attack exists in the network.
  • the processor 201 is further configured to: according to the statistical result, correct a preset baseline, where the preset baseline is used to determine whether an attack exists in the network.
  • FIG. 3 is a flowchart of a method for detecting network attacks provided by an embodiment of the present application.
  • the execution body of the method shown in FIG. 3 may be the attack detecting device 104 shown in FIG. 1.
  • the forwarding device in the embodiment shown in FIG. 3 may be one or more of the forwarding devices 101-103 shown in FIG. 1. See Figure 3 for the basic process, including:
  • S301 Acquire information about P sessions forwarded by the forwarding device in the first time period.
  • Each of the P sessions belongs to one of the Q objects, where P and Q are integers greater than or equal to 1, and P is greater than or equal to Q.
  • the forwarding device includes the P sessions in a large number of sessions forwarded in the first time period.
  • the attack detecting device acquires information of the P sessions.
  • the P sessions may be obtained by the forwarding device sampling according to a pre-sampling rule.
  • the information of the P sessions may be obtained as follows: when the forwarding device receives the packets of each of the P sessions, it mirrors the packets and saves them in the forwarding device, and the information is then obtained from the mirrored packets; the information can also be obtained directly during the forwarding process.
  • the information of the P sessions is sent to the attack detection device according to the pre-established connection, so that the attack detection device acquires the information of the P sessions.
  • the session information obtained by the attack detection device may be in the form of IPFIX data, NetFlow data, or any other form that the forwarding device or the attack detection device supports, which is not limited herein.
  • the session information can include many parameters, such as session identifier, source/destination IP address, source/destination port, protocol type, service type, and traffic size.
  • the information of the session can be reported to the attack detection device by the forwarding device.
  • the attack detection device may also send an indication to the forwarding device indicating that the forwarding device reports the session information, and actively acquire the session information.
  • the information of the P sessions may be sent by a forwarding device to the attack detection device.
  • it may be sent by multiple forwarding devices to the attack detection device.
  • the information of the P sessions may be sent by the forwarding device to the attack detection device at one time, or may be sent to the attack detection device multiple times.
  • the "object" is used to divide the session in the network.
  • a session in the network can be associated with an object, that is, the certain session belongs to the certain object.
  • a session belongs to an object, and it can be called an object including a session.
  • An object can include one or more sessions.
  • each session belongs to one of the Q objects.
  • for example, the sessions are divided according to the destination IP address, and the attack detection device analyzes the information of the P sessions to obtain three destination IP addresses, namely a first IP address, a second IP address, and a third IP address, which correspond to the first object, the second object, and the third object, respectively.
  • the session with the first IP address as the destination address belongs to the first object
  • the session with the second IP address as the destination address belongs to the second object
  • the session with the third IP address as the destination address belongs to the third object.
  • the same session can belong to different objects.
  • the sessions are divided according to the subnet segment of the destination IP address. Assume that the first IP address and the second IP address belong to the first subnet segment, and the third IP address belongs to the second subnet segment.
  • the two subnet segments correspond to the fourth object and the fifth object, respectively. Then the session with the first IP address as the destination address and the session with the second IP address as the destination address belong to the fourth object, and the session with the third IP address as the destination address belongs to the fifth object.
  • each of the P sessions belongs to one of Q objects, and the Q objects are objects divided according to a specific manner.
  • the object is not limited to the form of an IP address, and various parameters in the session information may be used as an object.
  • the object may be a network segment (English: segment), a URL (English: website), or an autonomous system (English: autonomous system, abbreviation: AS); it can also be a physical address (such as a city, province, or even country) or other address information determined by a geographic information system (English: geographic information system, abbreviation: GIS).
  • the address information of the IP address, the network segment, the autonomous system, and the physical address in the present application refers to the source address or destination address of the packet transmitted in one direction of the bidirectional packet in the session.
  • for example, the IP address is used as the partitioning method, and the object corresponding to IP address 1 includes session 1, which means that the source IP address of the packets in one direction of session 1 is IP address 1 and the destination IP address of the packets in the other direction is IP address 1.
  • the division of other address forms is the same as this example and will not be described again.
  • the object can also be in the form of a service type, such as a domain name system (English: domain name system, abbreviation: DNS) type, a file transfer protocol (English: file transfer protocol, abbreviation: FTP) type, a hypertext transfer protocol (English: hypertext transfer protocol, abbreviation: HTTP) type, or another service type.
  • the object can also be in other forms, which is not limited herein.
  • S302. Determine, according to the information of the P sessions, the amount of data of each of the Q objects.
  • the data amount of each object is the number of sessions the object includes in the first time period, the data traffic size of those sessions, or the number of packets in those sessions.
  • the amount of data of each of the Q objects is obtained from the information of the P sessions. Therefore, the information of the P sessions should include the amount of data of each of the Q objects. For example, if the amount of data refers to the number of sessions of each of the Q objects, the information of the P sessions should include at least the session identifier of each session. For another example, if the data volume refers to the data traffic of each of the Q objects, the information of the P sessions should include at least the traffic size of each session.
  • the amount of data for each of the Q objects can be accurately calculated.
  • taking the data traffic as the data volume as an example, for each object, the sessions belonging to the object among the P sessions are determined, the data traffic of each of those sessions is calculated, and the data traffic values are summed.
  • the size of the data traffic can be expressed in bits (in English: bit) or in bytes (in English: Byte).
  • the amount of data for each of the Q objects may also be estimated. Still taking the data traffic as an example, if the first time period is long, such as one day, the number of sampled sessions is large. Counting the data traffic of every session would require too much computation, especially since some of the Q objects have a small amount of data and are unlikely to be determined as the first object, so their data amount does not need to be counted accurately. For example, take the case in S301 where the forwarding device sends the information of the P sessions to the attack detection device multiple times.
  • the attack detecting device may have deleted the session information received in the earlier transmissions, so the total data amount of the object in the first time period can only be estimated.
  • an estimation method is described, for example, in the LD-Sketch method ("LD-Sketch: A Distributed ...", Qun Huang and Patrick P. C. Lee), published in 2014 by the Institute of Electrical and Electronics Engineers (abbreviation: IEEE).
  • the attack detecting device filters one or more objects from the Q objects and analyzes the selected objects.
  • the first object is included in the selected object.
  • the attack detecting device may sort the Q objects according to the order of the data amount, and determine the first object.
  • the first object is an object among the top N of the sorted Q objects, that is, one of the N objects having the largest amount of data among the Q objects, where N is an integer less than Q.
  • the attack detection device may further include preset M objects.
  • the preset M objects can be set by the user.
  • the user can preset M objects to be observed.
  • the preset M objects may also be correspondingly determined by the attack detecting means before the first time period by using a method similar to determining the first object.
  • the attack detection device may also set a life cycle for the preset M objects, and the preset M objects are no longer set as preset objects after the end of the life cycle.
  • the preset M objects may be removed from the Q objects, and the remaining Q-M objects are sorted in order of data amount before the first object is determined.
  • the first object is one of the preset M objects, or one of the top N of the sorted Q-M objects, that is, one of the N objects with the largest amount of data among the Q-M objects, where N is an integer less than Q-M.
  • the attack detecting device may further determine, as the first object, the object whose data amount exceeds the threshold in the Q objects.
  • the feature value of the session refers to the value used to describe the feature of the session (English: feature).
  • the session may be characterized by the size of the session traffic, the average packet length in the session, the session termination reason, the session duration, the maximum packet length in the session, and the minimum packet length in the session.
  • the session may also be characterized by the number of packets whose value of a certain flag bit in the TCP session is equal to one.
  • the plurality of sessions of the first object refer to a plurality of sessions belonging to the first object.
  • the attack detection device acquires information of multiple sessions of the first object forwarded by the forwarding device in the second time period, where the information of each session includes the feature value of the session, or is included in the calculation Information about the feature value of the session.
  • for example, the feature value is the average packet length of the session.
  • the information of the session obtained from the forwarding device may directly include the average packet length of each session, and may also include the total number of bytes of the session and the total number of packets.
  • the detecting device determines the average packet length of each session by the total number of bytes of the session and the total number of packets.
  • the attack detecting device acquires the feature value of each session of the first object in S304
  • the feature values of the plurality of sessions are further counted to obtain the statistical result.
  • the statistical result may be the sum of the feature values of the multiple sessions, or may be obtained by performing other statistical operations on the feature values of the multiple sessions.
  • the second time period can be the same time period as the first time period.
  • the information of the P sessions is acquired in S301, and the feature value of each session is already included, and the attack detecting device saves the feature value of the session.
  • the attack detection device may not save the information of the P sessions in the first time period.
  • the attack detection device needs to acquire the sessions of the first object that the forwarding device forwards in the second time period.
  • the second time period can be after the first time period.
  • the attack detection device counts the feature values of the plurality of sessions of the first object forwarded by the forwarding device in the second time period, and obtains a statistical result.
  • the statistics are used to determine whether there is an attack in the network where the forwarding device is located.
  • the machine model is pre-stored in the attack detection device.
  • the machine model is also called a classifier (English: classifier), and its essence can be a classification function or a classification model.
  • the machine model can be a back propagation (abbreviation: BP) neural network model. Based on the historical statistical results and the historical state of the network, it can classify the currently input statistical result into one of two classes, attack present and no attack, and thereby determine whether there is an attack in the network.
  • the attack detection device may input the statistical result into a preset machine model to determine whether there is an attack in the network where the forwarding device is located through the machine model.
  • the attack detection device may be pre-configured with a baseline corresponding to the first object (English: baseline), and the baseline may be regarded as a standard or rule that the statistical result of the first object is normal or abnormal.
  • the baseline can be a numerical value or a judgment condition.
  • the baseline may be automatically generated by the attack detection device according to the statistics obtained in the previous attack detection process, which is not limited in this application.
  • the attack detecting device compares the statistical result of the first object with the corresponding baseline to obtain whether the statistical result of the first object is abnormal, thereby determining whether there is an attack in the network; the presence of an attack is related to the session whose statistical result is abnormal.
  • the attack detection device may adjust the baseline according to the determined statistical result.
  • the specific adjustment algorithm includes averaging, weighting, smoothing, prediction, correction, or other algorithms, which is not limited herein. For example, if the traffic size of the session of the website www.baidu.com is 5M per unit time in the second time period, and the baseline of the data traffic size is 7M per unit time, the attack detection device uses a first-order smoothing algorithm to adjust the baseline.
  • the smoothing coefficient is 0.4
  • the attack detection device may perform statistics on multiple feature values of the sessions included in the first object to obtain multiple baselines, and generate or modify a machine model based on the multiple baselines.
  • the present invention provides an attack detection method, in which the attack detection device acquires information of P sessions forwarded by the forwarding device, where each of the P sessions belongs to one of the Q objects; the attack detection device then determines the data amount of each of the Q objects, determines the first object according to the data amount of each object, and counts the feature values of the sessions of the first object in the second time period to obtain a statistical result, which is used to determine whether there is an attack in the network.
  • the present application selects the first object of main concern on the basis of the session information extracted from the network, then determines the feature values of the sessions of the selected first object, and performs statistics on those feature values to obtain a statistical result.
  • by such a method this application performs a deep analysis of the data stream, and the obtained statistical information can reflect more diverse, deep, complex and accurate characteristics of the network data traffic, so that the attack detection device can detect unknown attacks and deeply hidden attacks in the network.
  • FIG. 3 provides a basic flow of the network attack detection method provided by the present application.
  • the following describes the attack detection apparatus provided by the present application for implementing the foregoing network attack detection method.
  • the attack detection apparatus of Figure 4 includes:
  • the information obtaining module 401 is configured to obtain information about P sessions forwarded by the forwarding device in the first time period, and each of the P sessions belongs to one of the Q objects.
  • P and Q are integers greater than or equal to 1, and P is greater than or equal to Q.
  • the data amount determining module 402 is configured to determine, according to the information of the P sessions, the amount of data of each of the Q objects.
  • the object determining module 403 is configured to determine the first object according to the data amount of each of the Q objects.
  • the object determining module 403 sorts the Q objects in descending order of data amount and determines the first object as an object among the top N of the sorted Q objects, where N is an integer less than Q.
  • alternatively, the preset M objects are removed from the Q objects, the remaining Q-M objects are sorted in descending order of data amount, and the first object is determined as: the preset M objects, and the objects among the top N of the sorted Q-M objects, where M is an integer smaller than Q and N is an integer smaller than Q-M.
  • the feature value statistics module 404 is configured to count the feature values of the plurality of sessions of the first object that are forwarded by the forwarding device in the second time period and obtain a statistical result, where the statistical result is used to determine whether there is an attack in the network where the forwarding device is located.
  • the attack detection device may further include an attack determination module 405, configured to input the statistical result into the machine model, and determine, by using the machine model, whether there is an attack in the network.
  • the attack determining module 405 is configured to compare the statistical result with a preset baseline to determine whether an attack exists in the network.
  • the attack determination module 405 can also correct the preset baseline according to the statistical result.
  • for the attack detection apparatus shown in FIG. 4 and its specific application, reference may be made to the method embodiment shown in FIG. 3; details are not described herein.
  • each module shown in FIG. 4 is only a functional division of the attack detection device.
  • the attack detection device shown in FIG. 4 may be substantially the same device as the attack detection device shown in FIG. 2; FIG. 4 describes it from a logical perspective and FIG. 2 from a structural perspective.
  • the information acquisition module 401 shown in FIG. 4 can be implemented by the communication interface 203 shown in FIG. 2, and the data amount determining module 402, the object determining module 403, the feature value statistics module 404, and the attack determination module 405 shown in FIG. 4 can be implemented by the processor 201 shown in FIG. 2.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the modules is only a logical function division.
  • there may be another division manner; for example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or module, and may be electrical, mechanical or otherwise.
  • the modules described as separate components may or may not be physically separated.
  • the components displayed as modules may or may not be physical modules, that is, may be located in one place, or may be distributed to multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist physically separately, or two or more modules may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules if implemented in the form of software functional modules and sold or used as separate products, may be stored in a computer readable storage medium.
  • the computer readable storage medium includes a number of instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present application.
  • the foregoing storage medium includes various media that can store program codes, such as a USB flash drive, a mobile hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
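The baseline comparison and first-order smoothing described in the items above, with the figures the patent gives (observed traffic of 5M per unit time, baseline of 7M, smoothing coefficient 0.4), as an added example; this is illustration code, not the patent's own implementation. The exponential-smoothing form `new = alpha * observed + (1 - alpha) * old`, the relative tolerance used for the abnormality check, and the choice to freeze the baseline on an abnormal observation are assumptions; the patent only says a first-order smoothing algorithm with coefficient 0.4 adjusts the baseline according to the statistical result.

```python
"""Baseline check and first-order smoothing for a per-object statistic.

Added illustration, not the patent's code. The patent's worked figures are
observed traffic 5M per unit time, baseline 7M, smoothing coefficient 0.4.
The smoothing formula, the tolerance and the freeze-on-abnormal rule are
assumptions of this example.
"""


def aggregate(feature_values):
    """Statistical result = sum of the sessions' feature values (the patent's first option)."""
    return float(sum(feature_values))


def is_abnormal(statistic, baseline, tolerance=0.5):
    """Flag the statistic when it deviates from the baseline by more than a relative tolerance.

    The tolerance (assumed here) plays the role of the patent's "judgment
    condition" form of baseline; a pure numeric baseline would be compared directly.
    """
    if baseline <= 0:
        raise ValueError("baseline must be positive for a relative comparison")
    return abs(statistic - baseline) / baseline > tolerance


def smooth_baseline(baseline, statistic, alpha=0.4):
    """First-order exponential smoothing: new = alpha * observed + (1 - alpha) * old."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("smoothing coefficient must lie in [0, 1]")
    return alpha * statistic + (1.0 - alpha) * baseline


def detect_and_update(feature_values, baseline, alpha=0.4, tolerance=0.5,
                      freeze_on_abnormal=True):
    """Run one detection round: aggregate, compare to baseline, then adapt the baseline.

    Returns (statistic, abnormal, new_baseline). With freeze_on_abnormal the
    baseline is not moved by an observation already judged abnormal, so an
    ongoing attack cannot gradually teach the baseline to accept itself
    (an added safeguard, not something the patent specifies).
    """
    statistic = aggregate(feature_values)
    abnormal = is_abnormal(statistic, baseline, tolerance)
    if abnormal and freeze_on_abnormal:
        return statistic, abnormal, baseline
    return statistic, abnormal, smooth_baseline(baseline, statistic, alpha)


if __name__ == "__main__":
    # Constructed session feature values (traffic in M per unit time) that sum to
    # the patent's 5M against its 7M baseline.
    print(detect_and_update([2.0, 3.0], 7.0))   # statistic 5.0, normal, baseline moves toward 5
    print(detect_and_update([20.0], 7.0))       # far above baseline: abnormal, baseline frozen
```

Running the first call with the patent's numbers gives a new baseline of 0.4 * 5 + 0.6 * 7 = 6.2, that is, the baseline moves 40% of the way toward the latest observation; a smaller coefficient makes the baseline slower to adapt but harder to drag.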

Abstract

Disclosed is a network attack detection method, which is used for providing more diverse and deeper information for network attack detection. The network attack detection method provided in the present application comprises: acquiring information about P sessions forwarded by a forwarding device, wherein the P sessions respectively belong to one object of Q objects; then, an attack detection apparatus determining a data amount of each object of the Q objects, and determining a first object according to the data amount of each object; and then, collecting statistics of feature values of sessions of the first object within a second time period so as to obtain a statistical result, wherein the statistical result is used for determining whether there is an attack in a network. Also provided is a relevant attack detection apparatus.

Description

Network attack detection method and attack detection device
This application claims priority to Chinese Patent Application No. 201610380229.1, filed with the China Patent Office on May 31, 2016 and entitled "Network attack detection method and attack detection device", and to Chinese Patent Application No. 201610495352.8, filed with the China Patent Office on June 28, 2016 and entitled "Network attack detection method and attack detection device", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of data processing, and in particular, to a network attack detection method and an attack detection apparatus.
Background
A large number of sessions are generated in the Internet at every moment, and these sessions make up a huge volume of data flow. Such a huge data flow requires the network to perform accurate traffic monitoring, billing and potential attack detection on the data flow. At present, packet sampling technology is generally used to detect whether the data flow forwarded by forwarding devices in the network is secure.
However, the existing packet sampling technology can analyze only very few features of the data traffic, and can only detect simple, known forms of network anomaly such as data traffic bursts. Since the features of the data traffic cannot be analyzed in depth, it is difficult to provide more useful information for network attack detection, and attack detection efficiency is too low.
Summary of the invention
The present application provides a network attack detection method for providing more useful information for network attack detection.
A first aspect of the present application provides a network attack detection method, including: acquiring information of P sessions forwarded by a forwarding device in a network in a first time period, where each of the P sessions belongs to one of Q objects, P and Q are both integers greater than or equal to 1, and P is greater than or equal to Q; determining the data amount of each of the Q objects according to the information of the P sessions; determining a first object according to the data amount of each of the Q objects; and then counting the feature values of multiple sessions of the first object forwarded by the forwarding device in a second time period to obtain a statistical result, where the statistical result is used to determine whether there is an attack in the network where the forwarding device is located. By this method the present application performs a deep analysis of the data flow, and the obtained statistical information can reflect more diverse, deep, complex and accurate characteristics of the network data traffic, which helps the attack detection device detect unknown attacks and deeply hidden attacks in the network.
Optionally, the data amount of each of the Q objects may be calculated accurately or may be estimated.
Optionally, the second time period may be the same time period as the first time period, or may be a different time period.
Optionally, the data amount of each of the Q objects includes: the number of sessions that the object includes in the first time period, or the data traffic size of the sessions that the object includes in the first time period, or the number of packets of the sessions that the object includes in the first time period.
Optionally, the attack detection device may sort the Q objects in descending order of data amount and determine the first object as an object among the top N of the sorted Q objects, where N is an integer smaller than Q. This helps select objects with a large data amount as the first object.
Optionally, the attack detection device may remove M preset objects from the Q objects, sort the remaining Q-M objects in descending order of data amount, and determine the first object as: the M preset objects, and the objects among the top N of the sorted Q-M objects, where the M preset objects may be specified manually or set by the attack detection device itself, M is an integer smaller than Q, and N is an integer smaller than Q-M.
Optionally, the attack detection device may further input the obtained statistical result into a preset machine model; the machine model is a classifier that can determine, according to the statistical result, whether there is an attack in the network.
Optionally, the attack detection device may further compare the obtained statistical result with a preset baseline; the baseline may be regarded as the boundary between a normal and an abnormal statistical result of the first object, or as a standard or rule for judging whether the statistical result of the first object is normal. By comparing the statistical result with the baseline, it can be determined whether there is an attack in the network.
Optionally, the attack detection device may further correct the preset baseline according to the statistical result, so as to adapt to a changing network environment.
A second aspect of the present application provides an attack detection apparatus, including: an information acquisition module, configured to acquire information of P sessions forwarded by a forwarding device in a first time period, where each of the P sessions belongs to one of Q objects; a data amount determining module, configured to determine the data amount of each of the Q objects according to the information of the P sessions; an object determining module, configured to determine a first object according to the data amount of each of the Q objects; and a feature value statistics module, configured to count the feature values of multiple sessions of the first object forwarded by the forwarding device in a second time period to obtain a statistical result, where the statistical result is used to determine whether there is an attack in the network where the forwarding device is located. The attack detection apparatus provided by the present application can perform a deep analysis of the data flow, and the obtained statistical information can reflect more diverse, deep, complex and accurate characteristics of the network data traffic, which helps detect unknown attacks and deeply hidden attacks in the network.
Optionally, the data amount of each of the Q objects includes: the number of sessions that the object includes in the first time period, or the data traffic size of the sessions that the object includes in the first time period, or the number of packets of the sessions that the object includes in the first time period.
Optionally, the object determining module is specifically configured to: sort the Q objects in descending order of data amount and determine the first object as an object among the top N of the sorted Q objects, where N is an integer smaller than Q. This helps select objects with a large data amount as the first object.
Optionally, the object determining module may further be configured to: remove M preset objects from the Q objects, sort the remaining Q-M objects in descending order of data amount, and determine the first object as: the M preset objects, and the objects among the top N of the sorted Q-M objects.
Optionally, the attack detection apparatus may further include an attack determination module, which may be configured to input the obtained statistical result into a preset machine model and determine, by means of the machine model, whether there is an attack in the network. The machine model is a classifier that can determine, according to the statistical result, whether there is an attack in the network.
Optionally, the attack determination module may further compare the obtained statistical result with a preset baseline; the baseline may be regarded as the boundary between a normal and an abnormal statistical result of the first object, or as a standard or rule for judging whether the statistical result of the first object is normal. By comparing the statistical result with the baseline, it can be determined whether there is an attack in the network.
Optionally, the attack determination module may further correct the preset baseline according to the statistical result, so as to adapt to a changing network environment.
A third aspect of the present application provides another attack detection apparatus, including a processor and a communication interface. The communication interface is configured to acquire information of P sessions forwarded by a forwarding device in the network in a first time period, where each of the P sessions belongs to one of Q objects, P and Q are both integers greater than or equal to 1, and P is greater than or equal to Q. The processor is configured to: determine the data amount of each of the Q objects according to the information of the P sessions acquired by the communication interface; determine a first object according to the data amount of each of the Q objects; and then count the feature values of multiple sessions of the first object forwarded by the forwarding device in a second time period to obtain a statistical result.
Brief description of the drawings
FIG. 1 is a diagram of an available system architecture according to an embodiment of the present application;
FIG. 2 is a structural diagram of an attack detection apparatus according to an embodiment of the present application;
FIG. 3 is a flowchart of a network attack detection method according to an embodiment of the present application;
FIG. 4 is a structural diagram of another attack detection apparatus according to an embodiment of the present application.
Detailed description
The present application provides an attack detection method for improving the attack detection efficiency of a data flow. The present application also provides a related attack detection apparatus; these are described separately below.
FIG. 1 is a diagram of an available system architecture provided by the present application. The network may include multiple forwarding devices, such as forwarding device 101, forwarding device 102 and forwarding device 103. Each forwarding device may be a router, a switch, a firewall, a packet transport network device, a wavelength division multiplexing device, an optical transport network device, a base station, or a base station controller.
The attack detection device 104 is configured to be coupled to one or more forwarding devices in the internetwork and to detect whether there is an attack in the packets sent and received by the forwarding device. For example, the attack detection device 104 is coupled to the forwarding device 103 and detects whether there is an attack in the packets sent and received by the forwarding device 103. In the embodiments of the present application, the attack detection device 104 may be an independent physical device, such as a server. The attack detection device 104 may also be a functional module deployed on a physical device, which is not limited in this application.
In one example of the present application, a session (English: session) refers to the communication interaction between two devices in the network during a specific uninterrupted operation period. During a session, all packets transmitted between the two devices belong to that session. Packets belonging to the same session have matching address information. For example, in the Transmission Control Protocol (English: Transmission Control Protocol; abbreviation: TCP) or the User Datagram Protocol (English: User Datagram Protocol; abbreviation: UDP), packets belonging to one session can be identified by 5-tuple information, that is, packets of the same session have the same 5-tuple information, including the same source IP address, destination IP address, source port number, destination port number and transport layer protocol number. In the Internet Control Message Protocol (English: Internet Control Message Protocol; abbreviation: ICMP), packets belonging to one session can be identified by 2-tuple information; packets of the same session have the same 2-tuple information, that is, the same source IP address and destination IP address.
In another example of the present application, a session refers to the communication interaction between two devices in the network during a specific uninterrupted operation period. During a session, all packets transmitted between the two devices belong to that session.
For example, where the packets communicated between a first device and a second device are TCP packets, or where the packets communicated between the first device and the second device are UDP packets, the TCP or UDP packets carry 5-tuple information, and the 5-tuple information of multiple packets of the same session matches. That is, in the 5-tuple carried by a packet sent from the first device to the second device, the source IP address is the IP address of the first device, the source port number is the port number of the first device, the destination IP address is the IP address of the second device, and the destination port number is the port number of the second device; in the 5-tuple carried by a packet sent from the second device to the first device, the source IP address is the IP address of the second device, the source port number is the port number of the second device, the destination IP address is the IP address of the first device, and the destination port number is the port number of the first device; and the packets sent between the two devices use the same transport layer protocol number. All of these packets belong to the same TCP/UDP session.
As another example, where the packets communicated between the first device and the second device are not TCP or UDP packets, for example where they are ICMP packets, multiple packets whose 2-tuple information matches may also be regarded as packets of the same session. That is, in the 2-tuple carried by a packet sent from the first device to the second device, the source IP address is the IP address of the first device and the destination IP address is the IP address of the second device; in the 2-tuple carried by a packet sent from the second device to the first device, the source IP address is the IP address of the second device and the destination IP address is the IP address of the first device; and the packets sent between the two devices use the same transport layer protocol number. All of these packets belong to the same ICMP session.
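The session identification just described, grouping packets by 5-tuple for TCP/UDP and by 2-tuple for ICMP while treating the two directions of one exchange as the same session, as an added example; this is illustration code, not the patent's own implementation. The packet records are constructed sample data in RFC 5737 documentation address ranges, and the record field names (`proto`, `src_ip`, `dst_ip`, `src_port`, `dst_port`, `length`) are assumptions.

```python
"""Group packet records into sessions by 5-tuple (TCP/UDP) or 2-tuple (ICMP).

Added illustration, not the patent's code. The packet records below are
constructed sample data; the record field names are assumptions.
"""
from collections import defaultdict

TCP, UDP, ICMP = 6, 17, 1  # IANA protocol numbers carried in the IP header


def session_key(pkt):
    """Return a direction-independent session key for one packet record.

    TCP/UDP packets are matched on the 5-tuple (src IP, dst IP, src port,
    dst port, protocol); ICMP packets on the 2-tuple (src IP, dst IP).
    The two endpoints are ordered so that a reply from B to A maps to the
    same key as the request from A to B, which is what the patent's
    description of swapped source/destination fields requires.
    """
    proto = pkt["proto"]
    if proto in (TCP, UDP):
        a = (pkt["src_ip"], pkt["src_port"])
        b = (pkt["dst_ip"], pkt["dst_port"])
        lo, hi = (a, b) if a <= b else (b, a)
        return (proto, lo, hi)
    if proto == ICMP:
        lo, hi = sorted((pkt["src_ip"], pkt["dst_ip"]))
        return (proto, lo, hi)
    raise ValueError(f"unsupported protocol number {proto}")


def group_sessions(packets):
    """Aggregate packets into per-session counters: packet count and byte volume.

    These per-session counters are the raw material for the patent's later
    steps (data amount per object, feature values per session).
    """
    sessions = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        entry = sessions[session_key(pkt)]
        entry["packets"] += 1
        entry["bytes"] += pkt["length"]
    return dict(sessions)


# Constructed sample: one TCP exchange seen in both directions, one UDP
# datagram, and an ICMP echo request with its reply.
SAMPLE_PACKETS = [
    {"proto": TCP, "src_ip": "192.0.2.10", "dst_ip": "198.51.100.5",
     "src_port": 51000, "dst_port": 443, "length": 60},
    {"proto": TCP, "src_ip": "198.51.100.5", "dst_ip": "192.0.2.10",
     "src_port": 443, "dst_port": 51000, "length": 1500},
    {"proto": TCP, "src_ip": "192.0.2.10", "dst_ip": "198.51.100.5",
     "src_port": 51000, "dst_port": 443, "length": 52},
    {"proto": UDP, "src_ip": "192.0.2.11", "dst_ip": "198.51.100.53",
     "src_port": 40000, "dst_port": 53, "length": 80},
    {"proto": ICMP, "src_ip": "192.0.2.12", "dst_ip": "198.51.100.1",
     "src_port": None, "dst_port": None, "length": 98},
    {"proto": ICMP, "src_ip": "198.51.100.1", "dst_ip": "192.0.2.12",
     "src_port": None, "dst_port": None, "length": 98},
]

if __name__ == "__main__":
    for key, stats in group_sessions(SAMPLE_PACKETS).items():
        print(key, stats)
```

The six constructed packets collapse into three sessions; without the endpoint ordering in `session_key` the TCP reply and the ICMP reply would each open a second, spurious session, which would inflate the session counts used later as an object's data amount.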
The attack detection device 104 shown in FIG. 1 may be implemented by the attack detection device 200 shown in FIG. 2, which includes a processor 201, a memory 202 and a communication interface 203. Optionally, a bus 204 is also included. The processor 201, the memory 202 and the communication interface 203 may be communicatively connected to each other via the bus 204. Of course, communication may also be achieved by other means such as wireless transmission.
The memory 202 may include volatile memory (English: volatile memory), for example random-access memory (English: random-access memory, abbreviation: RAM); it may also include non-volatile memory (English: non-volatile memory), for example read-only memory (English: read-only memory, abbreviation: ROM), flash memory (English: flash memory), a hard disk drive (English: hard disk drive, abbreviation: HDD) or an SSD; the memory 202 may also include a combination of the above kinds of memory. When the technical solution provided by the present application is implemented in software, the program code implementing the attack detection method of FIG. 3 of the present application may be stored in the memory 202 and executed by the processor 201.
The communication interface 203 may be a wired interface, for example a Fiber Distributed Data Interface (English: Fiber Distributed Data Interface, abbreviation: FDDI) or an Ethernet (English: Ethernet) interface. The network interface 503 may also be a wireless interface, for example a wireless local area network interface. The communication interface 203 is configured to acquire the information of the P sessions forwarded by the forwarding device in the first time period, and the feature values of the multiple sessions of the first object forwarded in the second time period.
The processor 201 may be a central processing unit (English: central processing unit, abbreviation: CPU), a hardware chip, or a combination of a CPU and a hardware chip. At run time, by calling the program code in the memory 202, the processor 201 may perform the following steps: controlling the communication interface 203 to acquire the information of P sessions forwarded by the forwarding device in the first time period, where each of the P sessions belongs to one of Q objects, P and Q are both integers greater than or equal to 1, and P is greater than or equal to Q; determining the data amount of each of the Q objects according to the information of the P sessions; determining a first object according to the data amount of each of the Q objects; and counting the feature values of multiple sessions of the first object forwarded by the forwarding device in the second time period to obtain a statistical result, which is used to determine whether there is an attack in the network where the forwarding device is located.
Optionally, the data amount of each object is the number of sessions the object includes in the first time period, or the data traffic size of the sessions the object includes in the first time period, or the number of packets of the sessions the object includes in the first time period.
Optionally, determining the first object according to the data amount of each of the Q objects specifically includes: sorting the Q objects in descending order of data amount, and determining the first object as an object among the top N objects after sorting, where N is an integer smaller than Q.
Optionally, determining the first object according to the data amount of each of the Q objects may further include: removing M preset objects from the Q objects, sorting the remaining Q-M objects in descending order of data amount, and determining the first object as: the M preset objects, and the objects among the top N of the sorted Q-M objects, where M is an integer smaller than Q and N is an integer smaller than Q-M.
可选的,处理器201还用于,将所述统计结果输入预置的机器模型,并通过所述机器模型判断所述网络中是否存在攻击。Optionally, the processor 201 is further configured to input the statistical result into a preset machine model, and determine, by using the machine model, whether an attack exists in the network.
可选的,处理器201还用于,将所述统计结果与预置的基线比较,判断所述网络中是否存在攻击。Optionally, the processor 201 is further configured to compare the statistical result with a preset baseline to determine whether an attack exists in the network.
可选的,处理器201还用于,根据所述统计结果,修正预置的的基线,该预置的基线用于判断网络中是否存在攻击。Optionally, the processor 201 is further configured to: according to the statistical result, correct a preset baseline, where the preset baseline is used to determine whether an attack exists in the network.
FIG. 3 is a flowchart of a network attack detection method provided by an embodiment of the present application. For example, the method shown in FIG. 3 may be executed by the attack detection apparatus 104 shown in FIG. 1 or by the attack detection apparatus 200 shown in FIG. 2. The forwarding device in the embodiment shown in FIG. 3 may be one or more of the forwarding devices 101 to 103 shown in FIG. 1. The basic flow, shown in FIG. 3, includes the following steps.
S301. Obtain the information of P sessions forwarded by the forwarding device in a first time period. Each of the P sessions belongs to one of Q objects, where P and Q are both integers greater than or equal to 1 and P is greater than or equal to Q.
Specifically, the large number of sessions forwarded by the forwarding device in the first time period include the P sessions, and the attack detection apparatus obtains the information of the P sessions. For example, the P sessions may be obtained by the forwarding device through sampling according to a preset sampling rule. The information of the P sessions may be obtained by the forwarding device mirroring the packets of each of the P sessions as it receives them, storing the mirrored packets in the forwarding device and later extracting the information from them; it may also be obtained directly during forwarding.
For example, after the forwarding device obtains the information of the P sessions, it sends that information to the attack detection apparatus over a pre-established connection, so that the attack detection apparatus obtains the information of the P sessions. The session information obtained by the attack detection apparatus may take the form of IPFIX data, NetFlow data, or any other form supported by both the forwarding device and the attack detection apparatus; this is not limited here. The session information may include many parameters, such as the session identifier, source/destination IP address, source/destination port, protocol type, service type and traffic size. The session information may be reported proactively by the forwarding device to the attack detection apparatus; the attack detection apparatus may also send the forwarding device an instruction to report session information and thereby actively obtain it.
For example, the information of the P sessions may be sent to the attack detection apparatus by one forwarding device or by multiple forwarding devices.
For example, the information of the P sessions may be sent by the forwarding device to the attack detection apparatus at one time or in multiple transmissions.
In this application, the sessions in the network are partitioned by "object". Under a given partitioning scheme, a session in the network can be associated with an object, which is expressed as the session belonging to the object; equivalently, the object includes the session. An object may include one or more sessions. Among the P sessions obtained by the attack detection apparatus, each session belongs to one of the Q objects. For example, if sessions are partitioned by destination IP address and the attack detection apparatus finds three destination IP addresses in the information of the P sessions, namely a first, second and third IP address, then the three IP addresses correspond to a first, second and third object respectively. Among the P sessions, those whose destination address is the first IP address belong to the first object, those whose destination address is the second IP address belong to the second object, and those whose destination address is the third IP address belong to the third object.
Of course, under different partitioning schemes the same session may belong to different objects. For example, take the subnet of the destination IP address as the partitioning scheme, and assume that in the example above the first and second IP addresses belong to a first subnet and the third IP address belongs to a second subnet; the two subnets then correspond to a fourth object and a fifth object respectively. The sessions whose destination address is the first IP address and those whose destination address is the second IP address all belong to the fourth object, and the sessions whose destination address is the third IP address belong to the fifth object.
In S301, each of the P sessions belongs to one of the Q objects, and the Q objects are objects partitioned according to some particular scheme.
In this application, an object is not limited to the form of an IP address; many parameters in the session information can serve as the object. For example, an object may be a network segment, a website, or an autonomous system (AS); it may also be a physical location (such as a city, a province, or even a country) determined by a geographic information system (GIS), or another form of address information.
It should be noted that the packets in a session are bidirectional: the packets sent by the initiator of the session to the responder travel in one transmission direction, and the packets sent by the responder to the initiator travel in the other. Therefore, the address information of the various forms mentioned above in this application (IP address, network segment, autonomous system, physical location and so on) refers to the source address or the destination address of the packets transmitted in one of the two directions of the session. For example, under the partitioning scheme by IP address described above, saying that the object corresponding to IP address 1 includes session 1 means that, of the bidirectional packets of session 1, the packets in one direction have IP address 1 as their source IP address and the packets in the other direction have IP address 1 as their destination address. Partitioning by the other forms of address is the same as in this example and is not described again.
In addition, an object may also take the form of a service type, such as a domain name system (DNS) type, a file transfer protocol (FTP) type, a hypertext transfer protocol (HTTP) type, or another service type.
In addition, an object may take other forms, which are not limited here.
S302. Determine the data volume of each of the Q objects according to the information of the P sessions.
For example, the data volume of each object is the number of sessions that the object includes in the first time period, the data traffic size of the sessions that the object includes in the first time period, or the number of packets of the sessions that the object includes in the first time period.
The data volume of each of the Q objects is obtained from the information of the P sessions. Therefore, the information of the P sessions should include the data volume of each of the Q objects. For example, if the data volume refers to the number of sessions of each of the Q objects, the information of the P sessions should include at least the session identifier of each session. As another example, if the data volume refers to the data traffic of each of the Q objects, the information of the P sessions should include at least the traffic size of each session.
In one example, the data volume of each of the Q objects may be computed exactly. Taking data traffic as the data volume, for each object, the sessions among the P sessions that belong to the object are identified, the data traffic of each of those sessions is computed, and the sum of those data traffic values is taken as the data traffic of the object. The data traffic size may be expressed in bits or in bytes.
In another example, the data volume of each of the Q objects may be estimated. Taking data traffic as the example again, if the first time period is long, for example one day, the number of sampled sessions is very large. Counting the data traffic of every session would then require too much computation, especially for those of the Q objects whose data volume is small and which are unlikely to be selected as the first object; such objects do not need precise statistics. For example, in the case described in S301 where the forwarding device sends the information of the P sessions to the attack detection apparatus in multiple transmissions, the data volume of some object may be small in the sessions of the first several transmissions, so no exact data volume is kept for it, while in the sessions of later transmissions the data volume of that object grows and it may be selected as the first object. By then the attack detection apparatus has probably already deleted the session information of the earlier transmissions, so the total data volume of that object in the first time period can only be obtained by estimation.
For example, the LD-Sketch algorithm may be used to estimate the data volume of an object. For the specific implementation of the LD-Sketch algorithm, see the article "LD-Sketch: A Distributed Sketching Design for Accurate and Scalable Anomaly Detection in Network Data Streams" published by Qun Huang and Patrick P.C. Lee in 2014 at the Institute of Electrical and Electronics Engineers (IEEE).
S303. Determine a first object according to the data volume of each of the Q objects.
A large number of objects can be determined from the session information, but in the course of network attack detection it is usually not necessary to pay attention to all of them; it suffices to focus on a few key objects according to the needs of the actual application. Therefore, in this application the attack detection apparatus screens one or more objects out of the Q objects and analyzes the selected objects. The selected objects include the first object.
Optionally, the attack detection apparatus may sort the Q objects in descending order of data volume and determine the first object accordingly. The first object is an object among the top N objects of the sorted Q objects, that is, one of the N objects with the largest data volume among the Q objects, where N is an integer smaller than Q.
Optionally, the attack detection apparatus may further include M preset objects. The M preset objects may be set by a user; for example, the user may preset M objects that the user wishes to observe. The M preset objects may also be objects that the attack detection apparatus determined before the first time period using a method similar to that for determining the first object. The attack detection apparatus may also assign a life cycle to the M preset objects, after the end of which they are no longer set as preset objects.
If the attack detection apparatus includes M preset objects, the M preset objects may be removed from the Q objects, the remaining Q-M objects sorted in descending order of data volume, and the first object determined accordingly. The first object is then one of the M preset objects or one of the top N objects among the sorted Q-M objects, that is, one of the N objects with the largest data volume among the Q-M objects, where N is an integer smaller than Q-M.
Optionally, the attack detection apparatus may also determine as the first object any of the Q objects whose data volume exceeds a threshold.
S304. Collect statistics on the feature values of multiple sessions of the first object forwarded by the forwarding device in a second time period to obtain a statistical result, where the statistical result is used to determine whether an attack exists in the network in which the forwarding device is located.
The feature value of a session is the value used to describe a feature of the session. For example, the features of a session may be the traffic size of the session, the average packet length in the session, the reason the session terminated, the session duration, the maximum packet length in the session, the minimum packet length in the session, and so on. In the case where the session is a TCP session, a feature of the session may also be the number of packets in the TCP session in which a particular flag bit is equal to 1.
Specifically, the multiple sessions of the first object are multiple sessions belonging to the first object.
For example, the attack detection apparatus obtains the information of multiple sessions of the first object forwarded by the forwarding device in the second time period, where the information of each session includes the feature value of the session or the information needed to compute it. For example, if the feature value is the average packet length of the session, the session information obtained from the forwarding device may directly include the average packet length of each session, or it may include the total number of bytes and the total number of packets of the session, from which the attack detection apparatus determines the average packet length of each session.
For example, in S304, after the attack detection apparatus obtains the feature value of each session of the first object, it collects statistics on the feature values of those sessions to obtain the statistical result. The statistical result may be the sum of the feature values of the multiple sessions, or it may be obtained by performing another statistical operation on those feature values.
In one example, the second time period may be the same as the first time period. In that example, the information of the P sessions obtained in S301 already includes the feature value of each session, and the attack detection apparatus has stored those feature values.
In another example, the attack detection apparatus may not have stored the information of the P sessions of the first time period. In that example, the attack detection apparatus needs to obtain the feature value of each of the multiple sessions of the first object forwarded by the forwarding device in the second time period. The second time period may come after the first time period.
The attack detection apparatus collects statistics on the feature values of the multiple sessions of the first object forwarded by the forwarding device in the second time period and obtains a statistical result. The statistical result is used to determine whether an attack exists in the network in which the forwarding device is located.
Optionally, a machine model is stored in advance in the attack detection apparatus. A machine model, also called a classifier, is in essence a classification function or a classification model. For example, the machine model may be a back propagation (BP) neural network model, which, based on the correspondence between historical statistical results and whether the network was under attack at the time, classifies the currently input statistical result into one of two classes, attack present and attack absent, and thereby determines whether an attack exists in the network. In this application, the attack detection apparatus may input the statistical result into the preset machine model in order to determine, by means of the machine model, whether an attack exists in the network in which the forwarding device is located.
Alternatively, a baseline corresponding to the first object may be preset in the attack detection apparatus. The baseline can be regarded as the standard or rule for deciding whether the statistical result of the first object is normal or abnormal. The baseline may be a numerical value or a judgement condition. The baseline may be set in advance, or it may be generated automatically by the attack detection apparatus from the statistical results obtained in previous rounds of attack detection; this is not limited in this application. By comparing the statistical result of the first object with the corresponding baseline, the attack detection apparatus learns whether the statistical result of the first object is abnormal, can thereby determine whether an attack exists in the network, and can identify the sessions related to the abnormal statistical result as the ones in which the attack is present.
It should be pointed out that the data flows in a network change constantly, so the standard or rule for deciding whether the statistical result of the first object is abnormal may change as well. Optionally, therefore, if a baseline is used to determine whether an attack exists in the network, the baseline should be continuously corrected according to the statistical results. Optionally, therefore, in this application the attack detection apparatus may adjust the baseline according to the statistical results already determined; the specific adjustment algorithm may be averaging, weighting, smoothing, prediction, correction or another algorithm, which is not limited here. For example, suppose that in the second time period the traffic size of the sessions of the website www.baidu.com is 5M per unit time, the baseline for the data traffic size is 7M per unit time, and the attack detection apparatus adjusts the baseline with a first-order smoothing algorithm with smoothing coefficient 0.4. The adjusted baseline is then, per unit time, 0.4 × 5M + (1 - 0.4) × 7M = 6.2M.
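The flow of S301 to S304 together with the baseline comparison and the first-order smoothing correction, as an added Python example that is not part of the patent: the session records, the destination-IP and /24-subnet partitioning schemes, the 50% deviation rule and all numeric values are constructed assumptions.

```python
"""Sketch of the patent's detection flow (S301-S304, baseline check, smoothing).

Added example, not the applicant's code. Session records, object keys, the
deviation rule and every sample value below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed session records in the spirit of an IPFIX/NetFlow export (S301).
# "syn_packets" stands in for "packets whose TCP SYN flag equals 1" (S304).
SESSIONS_T1 = [  # first time period: P = 6 sessions, Q = 4 destination hosts
    {"sid": 1, "dst_ip": "10.0.1.5", "bytes": 1500, "packets": 10, "syn_packets": 1},
    {"sid": 2, "dst_ip": "10.0.1.5", "bytes": 3000, "packets": 20, "syn_packets": 1},
    {"sid": 3, "dst_ip": "10.0.1.6", "bytes": 800, "packets": 8, "syn_packets": 1},
    {"sid": 4, "dst_ip": "10.0.2.9", "bytes": 12000, "packets": 60, "syn_packets": 1},
    {"sid": 5, "dst_ip": "10.0.2.9", "bytes": 500, "packets": 5, "syn_packets": 1},
    {"sid": 6, "dst_ip": "10.0.3.1", "bytes": 200, "packets": 2, "syn_packets": 1},
]
SESSIONS_T2 = [  # second time period: two tiny one-packet sessions toward 10.0.2.9
    {"sid": 7, "dst_ip": "10.0.2.9", "bytes": 4000, "packets": 40, "syn_packets": 1},
    {"sid": 8, "dst_ip": "10.0.2.9", "bytes": 60, "packets": 1, "syn_packets": 1},
    {"sid": 9, "dst_ip": "10.0.2.9", "bytes": 60, "packets": 1, "syn_packets": 1},
    {"sid": 10, "dst_ip": "10.0.1.5", "bytes": 2000, "packets": 15, "syn_packets": 1},
]


def object_key(session, mode):
    """Map a session to the object it belongs to (the patent's partitioning)."""
    if mode == "dst_ip":
        return session["dst_ip"]
    if mode == "dst_subnet":  # the /24 prefix length is an assumption
        return str(ipaddress.ip_network(session["dst_ip"] + "/24", strict=False))
    raise ValueError("unknown partitioning mode: " + mode)


def data_volume(sessions, mode, measure="bytes"):
    """S302: per-object data volume as session count, byte count or packet count."""
    volume = defaultdict(int)
    for s in sessions:
        volume[object_key(s, mode)] += 1 if measure == "sessions" else s[measure]
    return dict(volume)


def select_objects(volume, n, preset=()):
    """S303: keep the M preset objects plus the N largest of the remaining Q-M."""
    preset = list(dict.fromkeys(preset))  # de-duplicate while keeping order
    remaining = [(obj, vol) for obj, vol in volume.items() if obj not in preset]
    remaining.sort(key=lambda item: (-item[1], item[0]))  # volume desc, then name
    return preset + [obj for obj, _ in remaining[:n]]


def feature_statistic(sessions, mode, obj, feature, aggregate=sum):
    """S304: aggregate one feature over the sessions that belong to obj.

    `feature` is a record key or a callable that derives a feature from a record.
    """
    values = [feature(s) if callable(feature) else s[feature]
              for s in sessions if object_key(s, mode) == obj]
    return aggregate(values) if values else 0


def avg_packet_len(session):
    """Derived feature: total bytes / total packets, as the patent describes."""
    return session["bytes"] / session["packets"]


def deviates_from_baseline(statistic, baseline, tolerance=0.5):
    """Baseline check: flag when the statistic leaves +/- tolerance of the baseline.

    The 50% band is an assumption; the patent leaves the rule to the operator.
    """
    return abs(statistic - baseline) > tolerance * baseline


def update_baseline(baseline, statistic, alpha=0.4):
    """First-order smoothing, as in the patent's worked example (alpha = 0.4)."""
    return alpha * statistic + (1 - alpha) * baseline


def run_detection(sessions_t1, sessions_t2, mode, n, preset, feature, baselines):
    """Run S301-S304 and the baseline comparison; return {object: (stat, flagged)}.

    `baselines` maps object -> current baseline for `feature` and is updated in
    place; an object without a baseline is not flagged and seeds its baseline.
    """
    volume = data_volume(sessions_t1, mode, "bytes")
    verdicts = {}
    for obj in select_objects(volume, n, preset):
        stat = feature_statistic(sessions_t2, mode, obj, feature)
        base = baselines.get(obj)
        flagged = base is not None and deviates_from_baseline(stat, base)
        baselines[obj] = stat if base is None else update_baseline(base, stat)
        verdicts[obj] = (stat, flagged)
    return verdicts


if __name__ == "__main__":
    # Constructed baselines: one SYN packet per period was "normal" for both hosts.
    baselines = {"10.0.2.9": 1.0, "10.0.1.5": 1.0}
    print(run_detection(SESSIONS_T1, SESSIONS_T2, "dst_ip", 1, ["10.0.1.5"],
                        "syn_packets", baselines))
    print(baselines)
```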
Alternatively, the attack detection apparatus may collect statistics on several feature values of the sessions included in the first object to obtain multiple baselines, and generate or correct the machine model according to the multiple baselines.
This embodiment provides an attack detection method in which the attack detection apparatus obtains the information of P sessions forwarded by the forwarding device, where each of the P sessions belongs to one of Q objects; the attack detection apparatus then determines the data volume of each of the Q objects, determines a first object according to the data volume of each object, and collects statistics on the feature values of the sessions of the first object in a second time period to obtain a statistical result, which is used to determine whether an attack exists in the network. On the basis of the session information sampled from the network, this application selects the first object of primary interest, then determines the feature values of the sessions of the selected first object and collects statistics on them to obtain the statistical result. In this way the application performs a deep analysis of the data flows, and the resulting statistical information can reflect more diverse, deeper, more complex and more precise characteristics of the network data traffic, which helps the attack detection apparatus detect unknown and deeply hidden attacks in the network.
The embodiment shown in FIG. 3 gives the basic flow of the network attack detection method provided by this application. Another attack detection apparatus provided by this application for implementing the above network attack detection method is described below; its basic structure, shown in FIG. 4, includes the following.
An information obtaining module 401, configured to obtain the information of P sessions forwarded by the forwarding device in a first time period, where each of the P sessions belongs to one of Q objects, P and Q are both integers greater than or equal to 1, and P is greater than or equal to Q.
A data volume determining module 402, configured to determine the data volume of each of the Q objects according to the information of the P sessions.
An object determining module 403, configured to determine a first object according to the data volume of each of the Q objects. Optionally, the object determining module 403 sorts the Q objects in descending order of data volume and determines the first object as an object among the top N objects of the sorted Q objects, where N is an integer smaller than Q. Optionally, it removes M preset objects from the Q objects, sorts the remaining Q-M objects in descending order of data volume, and determines the first object as one of the M preset objects or one of the top N objects among the sorted Q-M objects, where M is an integer smaller than Q and N is an integer smaller than Q-M.
A feature value statistics module 404, configured to collect statistics on the feature values of multiple sessions of the first object forwarded by the forwarding device in a second time period to obtain a statistical result, where the statistical result is used to determine whether an attack exists in the network in which the forwarding device is located.
Optionally, the attack detection apparatus may further include an attack judging module 405, configured to input the statistical result into a machine model and determine, by means of the machine model, whether an attack exists in the network.
Optionally, the attack judging module 405 is configured to compare the statistical result with a preset baseline to determine whether an attack exists in the network.
Optionally, the attack judging module 405 may also correct the preset baseline according to the statistical result.
For a detailed description and specific usage of the attack detection apparatus shown in FIG. 4, refer to the method embodiment shown in FIG. 3; details are not repeated here.
Optionally, the modules shown in FIG. 4 are merely a functional division of the attack detection apparatus; the attack detection apparatus shown in FIG. 4 may in substance be the same apparatus as the attack detection apparatus shown in FIG. 2, with FIG. 4 describing it from a logical perspective and FIG. 2 from a structural perspective. For example, the information obtaining module 401 shown in FIG. 4 may be implemented by the communication interface 203 shown in FIG. 2, and the data volume determining module 402, object determining module 403, feature value statistics module 404 and attack judging module 405 shown in FIG. 4 may be implemented by the processor 201 shown in FIG. 2.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and modules described above may be found in the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into modules is merely a division by logical function, and there may be other divisions in actual implementation, for example multiple modules or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or modules, and may be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional modules in the embodiments of this application may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.
以上所述,以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其 中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围。 The above embodiments are only used to explain the technical solutions of the present application, and are not limited thereto; although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still The technical solutions described in the embodiments are modified, or The technical features of the present invention are not limited to the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (14)

  1. A network attack detection method, characterized in that the method comprises:
    acquiring information about P sessions forwarded by a forwarding device in a first time period, each of the P sessions belonging to one of Q objects, where P and Q are both integers greater than or equal to 1 and P is greater than or equal to Q;
    determining, according to the information about the P sessions, a data amount of each of the Q objects;
    determining a first object according to the data amount of each of the Q objects;
    collecting statistics on feature values of a plurality of sessions of the first object forwarded by the forwarding device in a second time period to obtain a statistical result, the statistical result being used to determine whether an attack exists in the network in which the forwarding device is located.
  2. The network attack detection method according to claim 1, characterized in that the data amount of each object is the number of sessions that the object includes in the first time period, or the data traffic size of the sessions that the object includes in the first time period, or the number of packets of the sessions that the object includes in the first time period.
  3. The network attack detection method according to claim 1 or 2, characterized in that determining the first object according to the data amount of each of the Q objects comprises:
    sorting the Q objects in descending order of data amount and determining the first object, the first object being one of the top N objects among the sorted Q objects, where N is an integer smaller than Q.
  4. The network attack detection method according to claim 1 or 2, characterized in that determining the first object according to the data amount of each of the Q objects comprises:
    removing M preset objects from the Q objects, sorting the remaining Q-M objects in descending order of data amount, and determining the first object, the first object being one of the M preset objects or one of the top N objects among the sorted Q-M objects, where M is an integer smaller than Q and N is an integer smaller than Q-M.
  5. The network attack detection method according to any one of claims 1 to 4, characterized in that the method further comprises:
    inputting the statistical result into a preset machine model and determining, according to the machine model, whether an attack exists in the network.
  6. The network attack detection method according to any one of claims 1 to 4, characterized in that the method further comprises:
    comparing the statistical result with a preset baseline to determine whether an attack exists in the network.
  7. The network attack detection method according to any one of claims 1 to 6, characterized in that the method further comprises:
    correcting a preset baseline according to the statistical result, the baseline being used to determine whether an attack exists in the network.
  8. An attack detection apparatus, characterized by comprising:
    an information acquisition module, configured to acquire information about P sessions forwarded by a forwarding device in a first time period, each of the P sessions belonging to one of Q objects, where P and Q are both integers greater than or equal to 1 and P is greater than or equal to Q;
    a data amount determination module, configured to determine, according to the information about the P sessions, a data amount of each of the Q objects;
    an object determination module, configured to determine a first object according to the data amount of each of the Q objects;
    a feature value statistics module, configured to collect statistics on feature values of a plurality of sessions of the first object forwarded by the forwarding device in a second time period to obtain a statistical result, the statistical result being used to determine whether an attack exists in the network in which the forwarding device is located.
  9. The attack detection apparatus according to claim 8, characterized in that the data amount of each object is the number of sessions that the object includes in the first time period, or the data traffic size of the sessions that the object includes in the first time period, or the number of packets of the sessions that the object includes in the first time period.
  10. The attack detection apparatus according to claim 8 or 9, characterized in that the object determination module is specifically configured to:
    sort the Q objects in descending order of data amount and determine the first object, the first object being one of the top N objects among the sorted Q objects, where N is an integer smaller than Q.
  11. The attack detection apparatus according to claim 8 or 9, characterized in that the object determination module is specifically configured to:
    remove M preset objects from the Q objects, sort the remaining Q-M objects in descending order of data amount, and determine the first object, the first object being one of the M preset objects or one of the top N objects among the sorted Q-M objects, where M is an integer smaller than Q and N is an integer smaller than Q-M.
  12. The attack detection apparatus according to any one of claims 8 to 11, characterized in that the apparatus further comprises:
    an attack judgment module, configured to input the statistical result into a preset machine model and determine, according to the machine model, whether an attack exists in the network.
  13. The attack detection apparatus according to any one of claims 8 to 11, characterized in that the apparatus further comprises:
    an attack judgment module, configured to compare the statistical result with a preset baseline to determine whether an attack exists in the network.
  14. The attack detection apparatus according to any one of claims 7 to 13, characterized in that the attack judgment module is further configured to:
    correct a preset baseline according to the statistical result, the baseline being used to determine whether an attack exists in the network.
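The following is an added worked example of the pipeline the claims describe (two-stage selection of high-volume objects, then feature statistics on their later sessions compared against a baseline that is afterwards corrected). It is illustration code written for this page, not code from the patent or from the applicant. Everything in it is an assumption for the sake of the example: objects are keyed by source IP, the session records and the baseline are constructed by hand, the feature values chosen are session count, number of distinct destination ports and mean packets per session, the baseline comparison uses a simple multiple-of-baseline threshold (claim 6) and the baseline correction is an exponentially weighted average (claim 7). The machine-model branch of claim 5 is not implemented here.

```python
"""Constructed sketch of the claimed two-period detection pipeline (not the patent's code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Session:
    """One session forwarded by the device. `obj` is the object the session belongs
    to (the source IP in this example; any grouping key such as a VLAN would do)."""
    obj: str
    dst_port: int
    packets: int
    byte_count: int


# Constructed sample data, not captured traffic. Period 1 decides which objects
# deserve a closer look (claims 1-4); period 2 is where their sessions are analysed.
PERIOD1 = [
    Session("10.0.0.5", 443, 40, 50_000), Session("10.0.0.5", 443, 35, 42_000),
    Session("10.0.0.7", 80, 20, 8_000),
    Session("10.0.0.9", 22, 6, 900), Session("10.0.0.9", 23, 5, 800),
    Session("10.0.0.9", 25, 4, 700), Session("10.0.0.9", 80, 5, 850),
    Session("10.0.0.11", 443, 30, 30_000),
    Session("10.0.0.13", 53, 2, 300),
]
PERIOD2 = [
    Session("10.0.0.5", 443, 38, 48_000), Session("10.0.0.5", 443, 36, 45_000),
    Session("10.0.0.9", 21, 3, 200), Session("10.0.0.9", 22, 3, 200),
    Session("10.0.0.9", 23, 3, 200), Session("10.0.0.9", 25, 3, 200),
    Session("10.0.0.9", 80, 3, 200), Session("10.0.0.9", 110, 3, 200),
    Session("10.0.0.9", 143, 3, 200), Session("10.0.0.9", 443, 3, 200),
    Session("10.0.0.11", 443, 28, 29_000),
    Session("10.0.0.13", 53, 2, 300),
]
# Constructed baseline of "normal" feature values per object (assumed, not measured).
BASELINE = {
    "10.0.0.5": {"sessions": 2.0, "distinct_dst_ports": 1.0, "mean_packets": 37.0},
    "10.0.0.9": {"sessions": 3.0, "distinct_dst_ports": 3.0, "mean_packets": 5.0},
    "10.0.0.11": {"sessions": 1.0, "distinct_dst_ports": 1.0, "mean_packets": 30.0},
}


def data_amount(sessions: Iterable[Session], metric: str = "sessions") -> Dict[str, int]:
    """Claim 2: per-object data amount as session count, byte volume or packet count."""
    totals: Counter = Counter()
    for s in sessions:
        if metric == "sessions":
            totals[s.obj] += 1
        elif metric == "bytes":
            totals[s.obj] += s.byte_count
        elif metric == "packets":
            totals[s.obj] += s.packets
        else:
            raise ValueError(f"unknown metric {metric!r}")
    return dict(totals)


def select_objects(amounts: Dict[str, int], n: int, preset: Sequence[str] = ()) -> List[str]:
    """Claims 3/4: keep the M preset objects and the top-N of the remaining Q-M by amount.
    With an empty preset this is the plain top-N selection of claim 3."""
    remaining = {o: a for o, a in amounts.items() if o not in preset}
    if not 0 < n < len(remaining):          # claim 4 requires N < Q-M
        raise ValueError("N must be positive and smaller than the number of remaining objects")
    ranked = sorted(remaining, key=lambda o: (-remaining[o], o))  # descending, ties by name
    return list(preset) + ranked[:n]


def session_features(sessions: Iterable[Session], objects: Sequence[str]) -> Dict[str, Dict[str, float]]:
    """Feature values over the second period's sessions, computed only for selected objects."""
    by_obj: Dict[str, List[Session]] = defaultdict(list)
    for s in sessions:
        if s.obj in objects:
            by_obj[s.obj].append(s)
    feats = {}
    for o in objects:
        ss = by_obj.get(o, [])
        feats[o] = {
            "sessions": float(len(ss)),
            "distinct_dst_ports": float(len({s.dst_port for s in ss})),
            "mean_packets": float(mean(s.packets for s in ss)) if ss else 0.0,
        }
    return feats


def compare_to_baseline(feats, baseline, factor: float = 2.0) -> Dict[str, List[str]]:
    """Claim 6: flag a feature when it exceeds `factor` times its baseline value."""
    alerts = defaultdict(list)
    for o, fv in feats.items():
        base = baseline.get(o)
        if base is None:
            continue                        # no history for this object yet
        for name, value in fv.items():
            if value > factor * base[name]:
                alerts[o].append(name)
    return dict(alerts)


def update_baseline(baseline, feats, alpha: float = 0.2):
    """Claim 7: correct the baseline toward the latest statistics (EWMA); unseen objects seed it."""
    new = {o: ({k: (1 - alpha) * baseline[o][k] + alpha * v for k, v in fv.items()}
               if o in baseline else dict(fv)) for o, fv in feats.items()}
    for o, base in baseline.items():        # objects not selected this round keep their baseline
        new.setdefault(o, base)
    return new


def run_detection(period1, period2, baseline, n=2, preset=("10.0.0.11",), metric="sessions") -> Tuple:
    """Whole pipeline: select objects on period 1, analyse their period-2 sessions, correct baseline."""
    selected = select_objects(data_amount(period1, metric), n, preset)
    feats = session_features(period2, selected)
    alerts = compare_to_baseline(feats, baseline)
    return selected, feats, alerts, update_baseline(baseline, feats)


if __name__ == "__main__":
    sel, fv, al, nb = run_detection(PERIOD1, PERIOD2, BASELINE)
    print("selected:", sel)
    print("alerts:", al)
```

In the constructed data, 10.0.0.9 is selected because it opens the most sessions in period 1, and in period 2 its session count and destination-port spread both exceed twice their baseline, so those two features are flagged; the preset object 10.0.0.11 is always analysed regardless of its rank, and 10.0.0.7 never reaches the feature stage at all, which is the sampling saving the two-stage design is meant to provide.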
PCT/CN2016/112155 2016-05-31 2016-12-26 Network attack detection method and attack detection apparatus WO2017206499A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201610380229.1 2016-05-31
CN201610380229 2016-05-31
CN201610495352.8A CN107454052A (en) 2016-05-31 2016-06-28 Network attack detecting method and attack detecting device
CN201610495352.8 2016-06-28

Publications (1)

Publication Number Publication Date
WO2017206499A1 true WO2017206499A1 (en) 2017-12-07


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16903879

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16903879

Country of ref document: EP

Kind code of ref document: A1