WO2021243663A1 - Session detection method and apparatus, and detection device and computer storage medium - Google Patents


Info

Publication number
WO2021243663A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
detected
feature vector
detection device
static
Application number
PCT/CN2020/094457
Other languages
French (fr)
Chinese (zh)
Inventor
罗元海
Original Assignee
深圳市欢太科技有限公司
Oppo广东移动通信有限公司
Application filed by 深圳市欢太科技有限公司, Oppo广东移动通信有限公司
Priority to PCT/CN2020/094457
Priority to CN202080099533.3A (CN115398860A)
Publication of WO2021243663A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Definitions

  • the embodiments of the present application relate to, but are not limited to, the field of network security, and in particular to a session detection method and apparatus, a detection device, and a computer storage medium.
  • malicious session data includes malicious session data generated by a user terminal on the network, and also malicious session data generated by an illegal service provider (SP) sending data packets to the user terminal.
  • the embodiments of the present application provide a session detection method, device, detection equipment, and computer storage medium.
  • a session detection method including: a detection device obtains a session to be detected transmitted between two network nodes; determines a feature vector of the session to be detected, where the feature vector characterizes the static feature of the network layer and/or the static feature of the transport layer; and determines, based on the feature vector, whether the session to be detected is a malicious session.
  • a session detection device including:
  • a determining unit configured to determine a feature vector of the session to be detected, where the feature vector is used to characterize the static feature of the network layer and/or the static feature of the transport layer;
  • the detection unit is configured to determine whether the session to be detected is a malicious session based on the feature vector of the session to be detected.
  • a detection device including a memory and a processor, where the memory stores a computer program that can run on the processor.
  • a computer storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps in the foregoing method.
  • a chip including a processor, configured to call and run a computer program from a memory, so that a device installed with the chip executes the steps in the above method.
  • a computer program product, in a sixth aspect, includes a computer storage medium, and the computer storage medium stores computer program code.
  • the computer program code includes instructions that can be executed by at least one processor. When the instructions are executed by the at least one processor, the steps in the above-mentioned method are implemented.
  • the detection device obtains the session to be detected transmitted between two network nodes; determines the feature vector of the session to be detected, where the feature vector characterizes the static characteristics of the network layer and/or the static characteristics of the transport layer; and determines, based on the feature vector of the session to be detected, whether the session to be detected is a malicious session.
  • because the static characteristics of the network layer and/or the transport layer differ between the normal session data and the malicious session data in the session data, a feature vector characterizing the network-layer and/or transport-layer static characteristics of the session to be detected can be used to determine whether the session to be detected is malicious, so that different types of malicious sessions can be detected easily and the versatility of session detection is improved.
  • FIG. 1 is a schematic diagram of a system architecture of a session detection method provided by an embodiment of this application;
  • FIG. 2 is a schematic diagram of the implementation process of a session detection method provided by an embodiment of the application;
  • FIG. 3 is a schematic diagram of the implementation process of another session detection method provided by an embodiment of the application;
  • FIG. 4 is a schematic diagram of a process for determining a feature vector of a session to be detected according to an embodiment of this application;
  • FIG. 5 is a schematic diagram of a process for generating a model file according to an embodiment of the application;
  • FIG. 6 is a schematic diagram of another process of generating a model file provided by an embodiment of the application;
  • FIG. 7 is a schematic diagram of the composition structure of a session detection device provided by an embodiment of the application;
  • FIG. 8 is a schematic diagram of a hardware entity of a detection device provided by an embodiment of this application;
  • FIG. 9 is a schematic structural diagram of a chip provided by an embodiment of the present application.
  • the business security detection and protection schemes in related technologies are generally aimed at a specific business.
  • the detection device first needs to obtain various detailed information of the business.
  • the detailed information includes the parameter information received by the interface of the business server (for example, request data or access service data), the returned parameter information, the interface function, the correlation between the interface function and other interfaces, common attack methods for this type of interface, and so on; this detailed information is then used to model attacks on the business, and finally the data of the accessed business is matched against the model to discover malicious request data.
  • the detection equipment therefore requires a deep understanding of specific services and attack methods, but the types of services are usually intricate and the attack methods varied; analysing and modeling them one by one is a very large workload, and missing the analysis of certain services is inevitable.
  • the detection methods in related technologies therefore cannot be universal; in addition, because some business data is sensitive and cannot be provided in plaintext, this sensitive data cannot be modeled, which leaves the coverage of detection methods in related technologies insufficient.
  • this application provides a general service security detection and protection idea based on session analysis.
  • when a service is accessed, session data is generated, and normal session data and malicious session data differ in the sequence of the data packets or in the data structure of the data packets; by analysing the sequence of the underlying data packets or the data structure of the data packets, normal session data and malicious session data can be distinguished, thereby realizing general business security protection.
  • FIG. 1 is a schematic diagram of the system architecture of a session detection method provided by an embodiment of the application. As shown in FIG. 1, the architecture includes a terminal 11, a service server 12, a forwarding device 13 and a detection device 14.
  • the terminal 11 may be a device used by a user to access the service server 12, such as at least one of a desktop computer, a mobile phone or a tablet computer as shown in FIG. 1, a media player, a smart speaker, a navigation device, a display device, a wearable device such as a smart bracelet, a virtual reality (VR) device, an augmented reality (AR) device, a pedometer, a digital TV, and the like.
  • the user can access the service server 12 when logging in to the website through an application in the terminal 11.
  • the application can be a dedicated client of the website or a browser client; the user can also access the service server 12 by entering the website URL.
  • the service server 12 may be a service device that provides the website's functions.
  • the service server 12 shown in FIG. 1 is a server cluster composed of multiple service servers. In some embodiments, the service server 12 may be an independent service server. The application does not limit the composition structure of the service server 12.
  • the forwarding device 13 may be used to capture the communication data between the terminal 11 and the service server 12.
  • the communication data may be an access request sent by the terminal 11 to the service server 12, and/or the access result, corresponding to that access request, sent by the service server 12 to the terminal 11.
  • Communication data can be understood as traffic data, and the forwarding device 13 can continuously capture the communication data.
  • the forwarding device can package the captured communication data of a preset duration into a capture file (a file in pcap format), or package the captured communication data of a preset size into a capture file, and then send the capture file to the detection device.
  • the forwarding device may be a switch.
  • the forwarding device 13 may use a packet capture method based on a Data Plane Development Kit (DPDK) to capture communication data.
  • the forwarding device 13 may be a device with a mirroring port, and the mirroring port can be connected to a detection device, so that the mirroring port mirrors the traffic of the communication port and thereby obtains communication data of a preset duration or a preset size.
  • the captured file may include the access request and/or the access result.
  • the detection device 14 may be a device for detecting whether the session in the captured file is a malicious session.
  • the detection device 14 is used for real-time analysis of the session between the terminal 11 and the service server 12, so as to detect malicious sessions in time and stop the loss in time, so as to protect the safe operation of the network.
  • the forwarding device 13 is provided between the terminal 11 and the service server 12 to obtain the communication data between them, and the detection device 14 is connected to the forwarding device 13 to detect whether a session in the communication data is malicious.
  • the connection between the terminal 11 and the forwarding device 13, the connection between the forwarding device 13 and the detection device 14, or the connection between the forwarding device 13 and the service server 12 may be a wired connection or a wireless connection.
  • the forwarding device 13 and the detection device 14 in the embodiment of the present application can be set between any two network nodes that exchange traffic data, so that the forwarding device 13 and the detection device 14 can detect whether a session transmitted between the two network nodes is malicious.
  • the embodiment of the present application does not limit the location where the forwarding device 13 is set.
  • the forwarding device 13 and the detecting device 14 may be two separate physical entities, or the forwarding device 13 and the detecting device 14 may be set as one physical entity.
  • Fig. 2 is a schematic diagram of the implementation process of a session detection method provided by an embodiment of the application. As shown in Fig. 2, the method is applied to a detection device, and the method includes:
  • the detection device obtains a session to be detected transmitted between two network nodes.
  • the two network nodes may be a terminal and a service server, respectively. In another embodiment, the two network nodes may be two nodes in the network with flow data transmission.
  • the session in the embodiments of this application may refer to a group of data packets divided by quintuples.
  • the quintuple is a communication term and refers to the source Internet Protocol (IP) address, source port, destination IP address, destination port and transport layer protocol.
  • the session to be detected may include M data packets, and M is an integer greater than or equal to 1.
  • the source IP address and/or source port and/or destination IP address and/or destination port and/or transport layer protocol of the M data packets are the same.
  • a data packet is the unit of data transmitted in Transmission Control Protocol (TCP)/IP communication.
  • the forwarding device can obtain the traffic data transmitted between the two nodes, form a capture file, and send the capture file to the detection device; in this way, the detection device obtains the capture file and obtains the session to be detected from the capture file.
  • the session to be detected may include: an access request sent by the terminal to the service server, and/or an access result sent by the service server to the terminal.
  • the forwarding device may directly send the session to be detected to the detection device, so that the detection device obtains the session to be detected.
  • the detection device determines a feature vector of the session to be detected, where the feature vector is a vector that characterizes the static feature of the network layer and/or the static feature of the transport layer.
  • the feature vector may be determined based on the static attribute information of the network layer and/or the static attribute information of the transport layer of the session to be detected.
  • the detection device may perform statistical analysis on the static attribute information of the network layer and/or the static attribute information of the transmission layer, and then use the vector converted from the statistical analysis result as the feature vector.
  • the detection device may use the vector converted from the static attribute information of the network layer and/or the static attribute information of the transmission layer as the feature vector.
  • the detection device may perform other operations on the static attribute information of the network layer and/or the static attribute information of the transmission layer to obtain the feature vector.
  • any method that can convert the static attribute information of the network layer and/or the static attribute information of the transmission layer into a feature vector should fall within the protection scope of the present application.
  • the static attribute information of the network layer is used to characterize the static characteristics of the network layer
  • the static attribute information of the transmission layer is used to characterize the static characteristics of the transmission layer.
  • the detection device can obtain the static attribute information of the network layer and/or the transport layer of the session to be detected by extracting characteristic information for each of the M data packets in the session to be detected.
  • the static attribute information of the network layer and/or the static attribute information of the transport layer in the embodiment of the present application may refer to the static attribute information of the network layer and/or the static attribute information of the transport layer of each data packet in the M data packets of the session to be detected.
  • the static attribute information of the network layer of the data packet may be a class, method, variable or code block modified by a static modifier in the network layer (IP layer).
  • the static attribute information of the transport layer of the data packet may be a class, method, variable or code block modified by a static modifier in the transport layer (TCP layer).
  • the static attribute information may include not only the static attribute information of the header part but also that of the data part. That is, the static attribute information of the transport layer may include static attribute information of the data part, for example characters in the data part that denote "confirmation" or "correct". For example, in an application scenario in which a user logs in, after the account and password are entered a login request is sent to the service server; when the service server determines that the account and password match, the data part of the returned data packet includes characters denoting that the password is "correct".
  • otherwise, the data part of the returned data packet includes characters denoting that the password is "wrong"; both the characters denoting "correct" and the characters denoting "wrong" can be static attribute information in the data packet.
  • the static attribute information may only include the header part of the data packet, or only include the data part of the data packet.
  • the detection device determines whether the session to be detected is a malicious session based on the feature vector of the session to be detected.
  • the detection device may input the feature vector of the session to be detected into a specific classifier that is pre-trained, so as to determine whether the session to be detected is a malicious session based on the classification result of the specific classifier.
  • the detection device can determine whether the static attribute information in the feature vector of the session to be detected meets a set attribute information condition; if it does, the session to be detected is determined to be a malicious session, otherwise it is determined to be a normal (non-malicious) session.
  • the detection device may determine whether the static attribute information of the network layer of the session to be detected meets a set first sub-attribute information condition, and/or determine whether the static attribute information of the transport layer of the session to be detected meets a set second sub-attribute information condition.
  • whether the static attribute information satisfies the set attribute information condition may be determined as follows: whether a certain parameter of the static attribute information is within a set range (satisfied if it is, otherwise not satisfied), or whether at least two parameters of the static attribute information are each within their respective set ranges (satisfied if both are, otherwise not satisfied).
  • because the static characteristics of the network layer and/or the transport layer differ between the normal session data and the malicious session data in the session data, a feature vector characterizing the network-layer and/or transport-layer static characteristics of the session to be detected can be used to determine whether the session to be detected is malicious, so that different types of malicious sessions can be detected easily, which improves the versatility of session detection.
  • FIG. 3 is a schematic diagram of the implementation process of another session detection method provided by an embodiment of the application. As shown in FIG. 3, the method includes:
  • the forwarding device captures communication data, and generates a capture file based on the captured communication data.
  • the communication data may be data that flows into the forwarding device within a preset time period.
  • the communication data may include: an access request sent by the terminal to the service server, and/or an access result sent by the service server to the terminal.
  • the forwarding device sends the captured file to the detection device, and the detection device receives the captured file sent by the forwarding device.
  • the size of the captured file sent by the forwarding device to the detection device each time may be the same, or the size of the captured file may be within a set range.
  • the forwarding device sends a captured file to the detection device every specific period of time.
  • the forwarding device can forward all communication data between two network nodes to the detection device, that is, the detection device can detect all the communication data transmitted between the two network nodes, so as to determine whether every session forwarded by the forwarding device is a malicious session.
  • the forwarding device may collect communication data between two network nodes in a sampling manner, so that the load of the forwarding device and the detection device can be reduced.
  • the detection device parses the captured file to obtain a data packet set.
  • the captured file can be a pcap file.
  • the overall structure of the pcap file is in the form of file header-data packet header 1-data packet 1-data packet header 2-data packet 2.
  • the purpose of parsing the pcap file is to obtain data packet 1, data packet 2 and so on from it, where data packet 1 and data packet 2 are data packets transmitted between the terminal and the service server, so as to obtain a data packet set. It should be understood that there may be N data packets in the data packet set, and N is an integer greater than or equal to 1.
  • the detection device determines at least one session from the data packet set, and uses at least part of the at least one session as a session to be detected.
  • the feature information of the data packets included in any session of the at least one session is the same, and the feature information includes at least one of the five-tuples.
  • the feature information includes all of the five-tuple, that is, the feature information includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol.
  • the characteristic information may include parts of a five-tuple.
  • the characteristic information may include a source IP address, a source port, and a transport layer protocol.
  • determining at least one session from the data packet set can be achieved in the following way: the detection device first extracts the characteristic information of each data packet in the data packet set, and then performs session aggregation analysis on the data packet set based on the characteristic information to determine at least one session.
  • the detection device may extract the quintuple information of each of the N data packets included in the data packet set, and then perform session aggregation analysis on the N data packets based on the quintuple information to obtain at least one session (P sessions), where P is an integer greater than or equal to 1 and P is less than or equal to N.
  • the detection device can classify the N data packets according to the quintuple information, and mark the data packets with the same quintuple as the same session, thereby obtaining P sessions.
  • within each of the P sessions, the quintuples of the data packets are the same.
  • when the detection device obtains P sessions, it may use all or part of the P sessions as the sessions to be detected. For example, in one implementation manner, the detection device may regard all P sessions as sessions to be detected; in another, it may use part of the P sessions (for example, one session) as the session to be detected.
  • the detection device extracts at least one piece of static attribute information corresponding to the at least one data packet one-to-one from the at least one data packet included in the session to be detected.
  • the static attribute information may include: static attribute information of the network layer and/or static attribute information of the transport layer.
  • the static attribute information of the network layer may include certain field information of the IP header
  • the static attribute information of the transport layer may include certain field information of the TCP header and/or static attribute information of the data part of the data packet.
  • the static attribute information of the network layer may include at least one of the header length ip.hl, the data length ip.len and the lifetime ip.ttl; the static attribute information of the transport layer may include at least one of the destination port tcp.dport, the static data tcp.data and the remaining buffer space tcp.win. It should be understood that the embodiments of this application only provide a schematic enumeration of static attribute information of the network layer and of the transport layer.
  • the static attribute information of the network layer and the static attribute information of the transport layer may also include other static attributes.
  • the attribute information may be replaced by other static attribute information.
  • the other static attribute information may be, for example, the source address of the IP header, the destination address of the IP header, or the source port of the TCP header.
  • the detection device determines the feature vector of the session to be detected based on at least one piece of static attribute information.
  • the detection device may perform statistical analysis on at least one static attribute information to obtain statistical information, and then use the vector converted from the statistical information as the feature vector of the session to be detected.
  • the statistical analysis may include: at least one of count, minimum value, maximum value, accumulated value, average value, mean square error, and standard deviation.
  • the content included in the static attribute information can be selected according to actual conditions, and the static attribute information corresponding to the data packets in different scenarios can be different.
  • the detection device can perform statistical analysis on these static attribute information.
  • the statistical analysis includes, but is not limited to, at least one of count, minimum (min), maximum (max), sum and average (avg). It should be understood that statistical analysis means calculating the statistical value of each type of attribute information included in the static attribute information, for example calculating the count of the M ip.hl values corresponding one-to-one to the M data packets, the count of the M ip.len values corresponding one-to-one to the M data packets, and so on.
  • the detection device can then splice the obtained statistical values to obtain the feature vector of the session to be detected.
  • taking as an example static attribute information that includes ip.ttl and tcp.win, and statistical analysis that includes count, minimum min, maximum max, sum and average avg, the feature vector of the session to be detected can be: (count(ip.ttl), min(ip.ttl), max(ip.ttl), sum(ip.ttl), avg(ip.ttl), count(tcp.win), min(tcp.win), max(tcp.win), sum(tcp.win), avg(tcp.win)).
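The capture-file parsing, quintuple session aggregation and statistical feature vector described in the preceding bullets, as an added Python example that is not part of the patent text. It builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames (every address, port, ttl and window value is constructed), parses the file header / packet header / packet layout, groups packets into sessions by 5-tuple, and splices count/min/max/sum/avg of ip.ttl and tcp.win into a vector of the form listed above. The function names (`build_pcap`, `build_tcp_frame`, `sessions_from_pcap`, `feature_vector`) are this example's own; the `fields` parameter generalizes the example to the other attributes the text lists (ip.hl, ip.len, tcp.dport).

```python
"""Added example (not the patent's code): parse a classic libpcap capture,
split packets into sessions by 5-tuple, and build the per-session
statistical feature vector over static IP/TCP header attributes."""
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_pcap(frames):
    """Serialise frames as a classic pcap: 24-byte file header, then a 16-byte
    record header (ts_sec, ts_usec, incl_len, orig_len) before every frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def build_tcp_frame(src_ip, dst_ip, sport, dport, ttl, win, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with the given ttl and window.
    Checksums stay zero: the frame is only parsed here, never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, win, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def parse_pcap(data):
    """Yield the raw frames of a pcap file (either byte order of the magic)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def extract_static_attrs(frame):
    """Return (5-tuple, static attributes) for an IPv4/TCP frame, else None.
    Attribute names follow the text: ip.hl, ip.len, ip.ttl, tcp.dport, tcp.win."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != PROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    win = struct.unpack("!H", tcp[14:16])[0]
    attrs = {"ip.hl": ihl, "ip.len": total_len, "ip.ttl": ttl, "tcp.dport": dport, "tcp.win": win}
    return (src, sport, dst, dport, "tcp"), attrs


def sessions_from_pcap(data):
    """Session aggregation: packets sharing a 5-tuple form one session."""
    sessions = defaultdict(list)
    for frame in parse_pcap(data):
        parsed = extract_static_attrs(frame)
        if parsed is not None:
            key, attrs = parsed
            sessions[key].append(attrs)
    return dict(sessions)


def feature_vector(attrs_list, fields=("ip.ttl", "tcp.win")):
    """Splice (count, min, max, sum, avg) of each field, in order, into one vector."""
    vec = []
    for field in fields:
        values = [a[field] for a in attrs_list]
        vec += [len(values), min(values), max(values), sum(values), sum(values) / len(values)]
    return vec


# Constructed capture: two sessions between a terminal and a service server.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "192.168.1.10", 40000, 443, 64, 65535),
    build_tcp_frame("10.0.0.7", "192.168.1.10", 50000, 80, 128, 8192, b"GET / HTTP/1.1\r\n"),
    build_tcp_frame("10.0.0.5", "192.168.1.10", 40000, 443, 64, 64000),
    build_tcp_frame("10.0.0.7", "192.168.1.10", 50000, 80, 127, 8192),
    build_tcp_frame("10.0.0.5", "192.168.1.10", 40000, 443, 64, 63000, b"\x16\x03\x03"),
])

if __name__ == "__main__":
    for key, attrs in sessions_from_pcap(SAMPLE_PCAP).items():
        print(key, feature_vector(attrs))
```

The session key is the exact 5-tuple, so the two directions of one TCP connection land in two sessions, which matches the text's definition; a deployment that wants both directions in one session would normalise the key (for instance by sorting the two endpoints) before grouping.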
  • the detection device determines whether the session to be detected is a malicious session based on the feature vector of the session to be detected.
  • the detection device may determine a specific classifier, input the feature vector of the session to be detected into the specific classifier, obtain the classification result of the session to be detected, and then determine whether the session to be detected is a malicious session based on the classification result.
  • the specific classifier may include a weight matrix, where each column of the weight matrix holds the weight parameters between the feature vector and one category; the detection device can determine the classification result of the session to be detected based on the feature vector and the weight matrix, and then determine from the classification result whether the session to be detected is a malicious session.
  • the classifier can be a classification model, and a specific classifier can be obtained by inputting a trained model file into the prediction program, where the model file can include parameters such as a weight matrix.
  • the specific classifier may be a binary classifier used to output either a first classification result characterizing the session to be detected as a normal session or a second classification result characterizing it as a malicious session.
  • the specific classifier may be a multi-class classifier used to output classification results for different levels of maliciousness; in this way, when the detection device obtains the classification result of the session to be detected from the multi-class classifier, it determines from that classification result whether the session to be detected is a malicious session.
  • the purpose of the classifier may be to treat the to-be-detected session corresponding to a count greater than a certain threshold as a malicious session.
  • the determination of malicious sessions depends not only on the count dimension but also on at least one of the minimum, maximum, accumulated value, average, mean square deviation and standard deviation, so that the predicted classification result is jointly determined by several parameters, which improves the accuracy of the prediction.
  • the specific classifier in the embodiments of this application may be one of a decision tree classifier, a random forest classifier, a gradient boosting decision tree (GBDT) classifier, a support vector machine (SVM) classifier and a neural network classifier.
  • a specific classifier can be obtained in the following way: the detection device first obtains at least one training session, each training session corresponding to a real category; then determines the feature vector of each training session; then obtains an initial classifier; and trains the initial classifier based on the real category and the feature vector of each training session to obtain the specific classifier.
  • the initial classifier may include an initial matrix.
  • the initial matrix is a matrix randomly generated by the detection device.
  • the purpose of training the classifier is to train the initial matrix to obtain the weight matrix.
  • the training method used when training the initial classifier in the embodiment of the application may be one of a decision tree training method, a random forest training method, a GBDT training method, an SVM training method, a neural network training method, and the like. It should be understood that the selection of a specific classifier should correspond to the training method. For example, if the specific classifier is an SVM classifier, the training method should be an SVM training method.
  • the detection device determining the feature vector of each training session can be implemented in the following manner: the detection device extracts, from the at least one data packet included in each training session, at least one piece of static attribute information corresponding one-to-one to the at least one data packet; the static attribute information includes static attribute information of the network layer and/or static attribute information of the transport layer; based on the at least one piece of static attribute information, the feature vector of each training session is determined.
  • the detection device determining the feature vector of each training session based on the at least one piece of static attribute information may include: the detection device performs statistical analysis on the at least one piece of static attribute information corresponding one-to-one to the at least one data packet included in each training session to obtain statistical information, and uses the vector transformed from the statistical information as the feature vector of each training session.
  • the method for the detection device to determine the feature vector of the training session can be the same as the method for determining the feature vector of the session to be detected.
  • for details, refer to the description of the method for determining the feature vector of the session to be detected.
  • the detection device sends prompt information to the forwarding device.
  • the prompt information is used to indicate whether there is a malicious session in the session to be detected, and to indicate that, if a malicious session exists in the session to be detected, the existing malicious session is to be intercepted and/or struck.
  • when the session to be detected is a single session, the prompt information may include information about whether that session is a malicious session; when the session to be detected is at least two sessions, the prompt information may include information about whether each of the at least two sessions is a malicious session.
  • the prompt information may further include: an interception strategy and/or an attack strategy corresponding to the classification result of the session to be detected.
  • the detection device can determine the interception strategy and/or the strike strategy according to the degree of maliciousness corresponding to the classification result. The higher the degree of maliciousness corresponding to the classification result, the stronger the determined interception strategy and/or strike strategy.
  • the greater the degree of maliciousness of the session, the greater the strength of the determined interception strategy and/or strike strategy. Conversely, the smaller the degree of maliciousness of the session, the lower the strength of the determined interception strategy and/or strike strategy. For example, when a certain session is determined to be a normal session, the session is neither intercepted nor struck.
  • the interception strategy and/or the strike strategy may be a strategy that needs to be implemented for each of the one or at least two sessions included in the session to be detected. For example, when some of the sessions to be detected are normal sessions, the implemented strategy is neither to intercept nor to strike; when some of the sessions to be detected are malicious sessions with a lesser degree of maliciousness, the implemented strategy is to intercept but not strike; when some of the sessions to be detected are malicious sessions with a greater degree of maliciousness, the implemented strategy is to intercept and strike.
  • statistical information is obtained by performing statistical analysis on at least one static attribute information, and the vector transformed by the statistical information is used as the feature vector of the session to be detected, so that the obtained feature vector can reflect the characteristics in multiple dimensions.
  • when the specific classifier and the feature vector of the session to be detected are used to classify the session to be detected, the specific classifier can combine the different attribute information included in the static attribute information and the types of statistical analysis to determine whether the session to be detected is a malicious session, which can further improve the accuracy of classifying the session to be detected.
  • FIG. 4 is a schematic diagram of a process for determining the feature vector of a session to be detected according to an embodiment of the application.
  • the detection device performs feature extraction to obtain the feature vector of the session to be detected. It can be achieved through the following steps S401 to S407:
  • the detection device obtains the pcap file, parses the data packets in the pcap file, and obtains a data packet set.
  • the detection device performs session aggregation on the data packets in the pcap file according to the 5-tuple (source IP, destination IP, source port, destination port, and protocol number), and marks packets with the same 5-tuple as the same session (one business interaction process).
  • the detection device extracts statistical characteristics in units of sessions: it first extracts the static attributes of the IP layer and the TCP layer of each data packet in the session, such as ip.hl, ip.len, ip.ttl, tcp.dport, tcp.data, tcp.win, etc.; then, per session, it calculates the statistical values of these static attributes, where the statistical values include but are not limited to at least one of count, minimum, maximum, sum, average, etc.
  • the sequence obtained by the detection device splicing together the obtained statistical values is the feature vector of the session.
  • the feature vector can be (count(ip.ttl), min(ip.ttl), max(ip.ttl), sum(ip.ttl), avg(ip.ttl), count(tcp.win), min(tcp.win), max(tcp.win), sum(tcp.win), avg(tcp.win), ...).
  • Figure 5 is a schematic diagram of a process for generating a model file provided by an embodiment of this application. As shown in Figure 5, during the implementation of this application, the way of generating a model file can be implemented through the following steps S501 to S507:
  • the detection device selects a batch of labeled training samples (indicating that the sample is malicious or normal) (a session is a sample).
  • the training samples may include session 1 (session 1) and label 1 (label 1) corresponding to session 1, ..., session K (session K) and label K (label K) corresponding to session K, where K is an integer greater than or equal to 1.
  • the detection device extracts the feature vectors of the samples one by one until the feature vectors of all training set samples are obtained.
  • the detection device inputs the feature vector and the label of its corresponding sample into the machine learning training program for training.
  • the machine learning model used here can be a decision tree, random forest, GBDT, SVM, neural network, etc.; the detection device can try each of these common models (decision trees, random forests, GBDT, SVM, and neural networks) and select the best model according to the test results.
  • the detection device obtains the model file.
  • the detection method of the detection device is the core part of the solution, and the detection device can include two parts: a training unit and a detection unit.
  • FIG. 6 is a schematic diagram of another process for generating a model file provided by an embodiment of this application.
  • the training unit of the detection device can train the training sample to obtain the model file, and the detection unit of the detection device can use the model file to obtain the detection result of the sample to be detected.
  • the method of generating model files in the example can be implemented through the following steps S601 to S619:
  • the detection device selects training samples.
  • the detection device performs feature extraction on each sample in the training sample.
  • the detection device obtains the feature vectors of all training set samples.
  • the detection device uses the feature vectors of all training set samples to perform model training.
  • the detection device obtains the model file.
  • the detection device determines the sample to be detected, and the sample to be detected may be the session to be detected in the embodiment of the present application.
  • the detection device performs feature extraction on the sample to be detected.
  • the detection device obtains the feature vector of the sample to be detected.
  • the detection device uses the feature vector of the sample to be detected and the model file to perform model prediction.
  • the detection device obtains the detection result of the sample to be detected.
  • the detection device analyzes and models the network layer and transport layer data of the network data packet generated by the interaction between the user and the service to distinguish between normal service interaction data and malicious service interaction data.
  • detection and protection can be achieved without obtaining business-layer data and business logic, which solves the problems of insufficient versatility, insufficient coverage and heavy workload of existing solutions, improves the versatility and coverage of the model, and reduces the cost of modeling.
  • the embodiment of the present application provides a session detection device, which includes each unit it contains and each module included in each unit; these can be implemented by a processor in a detection device, and of course can also be implemented by a specific logic circuit; in the implementation process, the processor can be a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP), or a field programmable gate array (FPGA), etc.
  • FIG. 7 is a schematic diagram of the composition structure of a session detection device provided by an embodiment of the application. As shown in FIG. 7, the session detection device 70 includes:
  • the obtaining unit 71 is configured to obtain a session to be detected transmitted between two network nodes;
  • the determining unit 72 is configured to determine the feature vector of the session to be detected, and the feature vector is used to characterize the static feature of the network layer and/or the static feature of the transport layer;
  • the detection unit 73 is configured to determine whether the session to be detected is a malicious session based on the feature vector of the session to be detected.
  • the obtaining unit 71 is further configured to parse the captured file sent by the forwarding device to obtain a data packet set; determine at least one session from the data packet set, and use at least part of the at least one session as the session to be detected; wherein the characteristic information of the data packets included in any one session is the same, and the characteristic information includes at least one element of the five-tuple.
  • the obtaining unit 71 is further configured to extract characteristic information of each data packet in the data packet set; perform session aggregation analysis on the data packet set based on the characteristic information to determine at least one session.
  • the determining unit 72 is further configured to extract, from at least one data packet included in the session to be detected, at least one piece of static attribute information corresponding to the at least one data packet; the static attribute information includes static attribute information of the network layer and/or static attribute information of the transport layer; and, based on the at least one piece of static attribute information, determine the feature vector of the session to be detected.
  • the static attribute information of the network layer includes: at least one of header length, data length, and time to live; the static attribute information of the transport layer includes: at least one of target port, static data, and remaining space of the buffer.
  • the determining unit 72 is further configured to perform statistical analysis on at least one static attribute information to obtain statistical information; and use the vector transformed by the statistical information as the feature vector of the session to be detected.
  • the statistical analysis includes: at least one of count, minimum, maximum, accumulated value, average, mean square error, and standard deviation.
  • the detection unit 73 is further configured to determine a specific classifier, and input the feature vector of the session to be detected into the specific classifier to obtain the classification result of the session to be detected; based on the classification result, determine whether the session to be detected is a malicious session.
  • the session detection device 70 further includes:
  • the training unit 74 is configured to obtain at least one training session, where each training session in the at least one training session corresponds to a real category; determine the feature vector of each training session; obtain an initial classifier; and train the initial classifier based on the real category corresponding to each training session and the feature vector of each training session to obtain a specific classifier.
  • the session detection device 70 further includes:
  • the sending unit 75 is configured to send prompt information to the forwarding device.
  • the prompt information is used to indicate whether there is a malicious session in the session to be detected, and to indicate that a malicious session existing in the session to be detected is to be intercepted and/or struck.
  • the prompt information further includes: an interception strategy and/or an attack strategy corresponding to the classification result of the session to be detected.
  • if the session detection method is implemented in the form of a software function module and sold or used as an independent product, it can also be stored in a computer readable storage medium.
  • the technical solutions of the embodiments of the present application, in essence or the part that contributes to the related technology, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes a number of instructions to enable a detection device to execute all or part of the methods described in the various embodiments of this application.
  • the aforementioned storage media include: USB flash drives (U disks), removable hard disks, read only memory (Read Only Memory, ROM), magnetic disks or optical disks, and other media that can store program code. In this way, the embodiments of the present application are not limited to any specific combination of hardware and software.
  • FIG. 8 is a schematic diagram of the hardware entity of a detection device provided by an embodiment of the application.
  • the hardware entity of the detection device 80 includes a processor 81 and a memory 82, where the memory 82 stores a computer program that can run on the processor 81, and the processor 81 implements the steps in the session detection method of any of the foregoing embodiments when it executes the program.
  • the memory 82 is configured to store instructions and applications executable by the processor 81, and can also cache data to be processed or already processed by the processor 81 and by the modules in the detection device 80, for example image data, audio data, voice communication data, and video communication data; it can be implemented by flash memory (FLASH) or random access memory (RAM).
  • the processor 81 executes the program, the steps of any one of the above-mentioned session detection methods are implemented.
  • the processor 81 generally controls the overall operation of the detection device 80.
  • the embodiment of the present application provides a computer-readable storage medium, and the computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the session detection method in any of the above embodiments.
  • FIG. 9 is a schematic structural diagram of a chip provided by an embodiment of the present application.
  • the chip 90 shown in FIG. 9 includes a processor 91, and the processor 91 can call and run a computer program from the memory to implement the steps of the method executed by the detection device in the embodiment of the present application.
  • the chip 90 may further include a memory 92.
  • the processor 91 may call and run a computer program from the memory 92 to implement the steps of the method executed by the detection device in the embodiment of the present application.
  • the memory 92 may be a separate device independent of the processor 91, or may be integrated in the processor 91.
  • the chip 90 may also include an input interface 93.
  • the processor 91 can control the input interface 93 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.
  • the chip 90 may further include an output interface 94.
  • the processor 91 can control the output interface 94 to communicate with other devices or chips, specifically, can output information or data to other devices or chips.
  • the chip can be applied to the network device in the embodiment of the present application, and the chip can implement the corresponding process implemented by the network device in each method of the embodiment of the present application.
  • the chip can be applied to the detection device in the embodiment of the present application, and the chip can implement the corresponding process implemented by the detection device in each method of the embodiment of the present application.
  • the chip mentioned in the embodiment of the present application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip, etc.
  • the embodiments of the present application provide a computer program product.
  • the computer program product includes a computer storage medium.
  • the computer storage medium stores computer program code.
  • the computer program code includes instructions that can be executed by at least one processor; when the instructions are executed by the at least one processor, the steps of the method executed by the detection device in the above method are implemented.
  • the processor of the embodiment of the present application may be an integrated circuit chip with signal processing capability.
  • the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software.
  • the aforementioned processor can be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or flash memory.
  • the volatile memory may be a random access memory (Random Access Memory, RAM), which is used as an external cache.
  • the memory in the embodiment of the present application may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM), direct Rambus random access memory (Direct Rambus RAM, DR RAM), and so on. That is to say, the memory in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
  • the size of the sequence numbers of the above-mentioned processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation process of the embodiments of the present application.
  • the serial numbers of the foregoing embodiments of the present application are for description only, and do not represent the superiority or inferiority of the embodiments.
  • when the detection device executes any step in the embodiments of the present application, the step may be executed by the processor of the detection device.
  • the embodiment of the present application does not limit the order in which the detection device executes the foregoing steps.
  • the methods used to process data in different embodiments may be the same method or different methods. It should also be noted that any step in the embodiment of the present application can be independently executed by the detection device, that is, when the detection device executes any step in the foregoing embodiment, it may not rely on the execution of other steps.
  • the disclosed device and method can be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not implemented.
  • the coupling, direct coupling, or communication connection between the components shown or discussed can be indirect coupling or communication connection through some interfaces, devices or units, and can be electrical, mechanical or in other forms.
  • the units described above as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; they may be located in one place or distributed on multiple network units; Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • the functional units in the embodiments of the present application may all be integrated into one processing unit, or each unit may be individually used as a unit, or two or more units may be integrated into one unit; the above-mentioned integrated unit can be implemented in the form of hardware, or in the form of hardware plus software functional units.
  • the foregoing program can be stored in a computer readable storage medium (computer storage medium); when the program is executed, the steps included in the foregoing method embodiment are executed; and the foregoing storage medium includes: various media that can store program codes, such as a mobile storage device, a read only memory (ROM), a magnetic disk, or an optical disc.
  • if the aforementioned integrated unit of this application is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer readable storage medium.
  • the computer software product is stored in a storage medium and includes a number of instructions to enable a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: removable storage devices, ROMs, magnetic disks, or optical disks and other media that can store program codes.
  • the embodiments of this application provide a session detection method, device, detection device, computer storage medium, chip, and computer program product.
  • the detection device uses the feature vector of the session to be detected, which characterizes the static features of the network layer and/or the static features of the transport layer, to determine whether the session to be detected is a malicious session, so that different types of malicious sessions can be easily detected, which improves the versatility of session detection.
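The feature-extraction steps S401 to S407 and the training and detection flows S501 to S507 and S601 to S619 described above, as an added example that is not the patent's own code nor an implementation by its assignees: packets are constructed sample records standing in for a parsed pcap file, the attribute names follow the page (ip.hl, ip.len, ip.ttl, tcp.dport, tcp.data, tcp.win), and a single decision stump stands in for the decision tree, random forest, GBDT, SVM or neural network models the page lists.

```python
"""Added example (not the patent's code): 5-tuple session aggregation,
per-session statistical feature vectors, and a decision-stump classifier.
Packets are constructed dict records standing in for a parsed pcap file."""
from collections import defaultdict
from statistics import mean, pstdev

# Static attributes of the IP and TCP layers named on the page.
ATTRS = ("ip.hl", "ip.len", "ip.ttl", "tcp.dport", "tcp.data", "tcp.win")
# Statistics computed per attribute: count, min, max, sum, avg as in S405,
# plus standard deviation from the page's list of statistical analyses.
STATS = ("count", "min", "max", "sum", "avg", "std")


def five_tuple(pkt):
    """Session key: (source IP, destination IP, source port, destination port, protocol)."""
    return (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"], pkt["proto"])


def aggregate_sessions(packets):
    """S402/S403: packets sharing an identical 5-tuple form one session."""
    sessions = defaultdict(list)
    for pkt in packets:
        sessions[five_tuple(pkt)].append(pkt)
    return dict(sessions)


def feature_vector(session_packets):
    """S404-S407: per-attribute statistics spliced into one vector, ordered
    (count(ip.hl), min(ip.hl), ..., std(ip.hl), count(ip.len), ..., std(tcp.win))."""
    vec = []
    for attr in ATTRS:
        values = [pkt[attr] for pkt in session_packets]
        vec += [len(values), min(values), max(values), sum(values),
                mean(values), pstdev(values)]
    return vec


def feature_names():
    """Column names matching feature_vector(), useful when inspecting a model."""
    return [f"{s}({a})" for a in ATTRS for s in STATS]


def train_stump(vectors, labels):
    """S501-S507 model training with a one-split decision tree (decision stump).
    Picks the (dimension, threshold) with the fewest training errors;
    label 1 = malicious session, 0 = normal session."""
    best = None  # (errors, dim, threshold)
    for dim in range(len(vectors[0])):
        points = sorted({v[dim] for v in vectors})
        for lo, hi in zip(points, points[1:]):
            thr = (lo + hi) / 2
            errors = sum((v[dim] > thr) != bool(y) for v, y in zip(vectors, labels))
            if best is None or errors < best[0]:
                best = (errors, dim, thr)
    return {"dim": best[1], "threshold": best[2], "train_errors": best[0]}


def predict(model, vector):
    """Classification result for one feature vector (1 = malicious)."""
    return int(vector[model["dim"]] > model["threshold"])


def detect(model, packets):
    """S613-S619 over a capture: aggregate, extract, and classify every session."""
    return {key: predict(model, feature_vector(pkts))
            for key, pkts in aggregate_sessions(packets).items()}


def make_session(src, dst, sport, dport, data_lens, win, ttl=64):
    """Construct sample packets for one session (sample data, not a real capture)."""
    return [{"src_ip": src, "dst_ip": dst, "src_port": sport, "dst_port": dport,
             "proto": 6, "ip.hl": 20, "ip.len": 40 + d, "ip.ttl": ttl,
             "tcp.dport": dport, "tcp.data": d, "tcp.win": win}
            for d in data_lens]


# Constructed labelled training samples (S501): two short TLS-like exchanges
# labelled normal and two high-rate, zero-payload sessions labelled malicious.
TRAINING = [
    (make_session("10.0.0.5", "93.184.216.34", 51000, 443, [0, 0, 517, 0, 120, 0], 65535), 0),
    (make_session("10.0.0.6", "93.184.216.34", 51001, 443, [0, 0, 300, 0, 0], 64240), 0),
    (make_session("10.0.0.9", "10.0.0.1", 40000, 80, [0] * 40, 1024, ttl=255), 1),
    (make_session("10.0.0.9", "10.0.0.1", 40001, 80, [0] * 35, 512, ttl=255), 1),
]


def train_from_samples(samples=TRAINING):
    """S502-S507: extract every sample's vector, then train the model."""
    vectors = [feature_vector(pkts) for pkts, _ in samples]
    labels = [label for _, label in samples]
    return train_stump(vectors, labels)


if __name__ == "__main__":
    model = train_from_samples()
    print("split on", feature_names()[model["dim"]], ">", model["threshold"])
    unknown = (make_session("10.0.0.9", "10.0.0.1", 40002, 80, [0] * 30, 1024, ttl=255)
               + make_session("10.0.0.7", "93.184.216.34", 51002, 443, [0, 200, 0, 0], 65535))
    print(detect(model, unknown))
```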

Abstract

Disclosed is a session detection method, comprising: a detection device obtaining a session to be detected that is transmitted between two network nodes; determining a feature vector of said session, wherein the feature vector is a vector representing a static feature of a network layer and/or a static feature of a transmission layer; and determining, on the basis of the feature vector of said session, whether said session is a malicious session. Further disclosed are a session detection apparatus, a detection device, a computer storage medium, a chip and a computer program product.

Description

Session detection method, device, detection equipment and computer storage medium

Technical field

The embodiments of the present application relate to, but are not limited to, the field of network security, and in particular to a session detection method, device, detection device, and computer storage medium.

Background technique

With the widespread use of mobile Internet applications, network security is a concern for many engineers. Network sessions contain a great deal of malicious session data, including malicious session data generated by user terminals towards the network and malicious session data generated by illegal service providers (Service Provider, SP) sending data packets to user terminals. Engineers need to detect and eliminate such malicious session data to protect the safe operation of the network.
However, there are many different types of malicious session data in the network, which makes detecting malicious session data difficult.
Summary of the invention

The embodiments of the present application provide a session detection method, device, detection equipment, and computer storage medium.
In a first aspect, a session detection method is provided, including: a detection device obtains a session to be detected transmitted between two network nodes;
determining a feature vector of the session to be detected, where the feature vector is used to characterize the static features of the network layer and/or the static features of the transport layer;
based on the feature vector of the session to be detected, determining whether the session to be detected is a malicious session.
In a second aspect, a session detection device is provided, including:
an obtaining unit, configured to obtain the session to be detected transmitted between two network nodes;
a determining unit, configured to determine the feature vector of the session to be detected, where the feature vector is used to characterize the static features of the network layer and/or the static features of the transport layer;
a detection unit, configured to determine whether the session to be detected is a malicious session based on the feature vector of the session to be detected.
In a third aspect, a detection device is provided, including a memory and a processor,
where the memory stores a computer program that can run on the processor,
and when the processor executes the program, the steps in the above method are implemented.
In a fourth aspect, a computer storage medium is provided; the computer storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps in the foregoing method.
In a fifth aspect, a chip is provided, including a processor configured to call and run a computer program from a memory, so that a device on which the chip is installed executes the steps in the above method.
In a sixth aspect, a computer program product is provided. The computer program product includes a computer storage medium, the computer storage medium stores computer program code, and the computer program code includes instructions that can be executed by at least one processor; when the instructions are executed by the at least one processor, the steps in the above-mentioned method are implemented.
In the embodiments of the present application, the detection device obtains a session to be detected transmitted between two network nodes; determines the feature vector of the session to be detected, where the feature vector characterizes the static features of the network layer and/or the static features of the transport layer; and, based on the feature vector of the session to be detected, determines whether the session to be detected is a malicious session. Because normal session data and malicious session data differ in the static features of the network layer and/or the static features of the transport layer, using the feature vector of the session to be detected that characterizes those static features to determine whether the session is malicious makes it easy to detect different types of malicious sessions and improves the versatility of session detection.
Description of the drawings
Fig. 1 is a schematic diagram of the system architecture of a session detection method provided by an embodiment of the present application;
Fig. 2 is a schematic flowchart of a session detection method provided by an embodiment of the present application;
Fig. 3 is a schematic flowchart of another session detection method provided by an embodiment of the present application;
Fig. 4 is a schematic flowchart of determining a feature vector of a session to be detected according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of generating a model file according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of another way of generating a model file according to an embodiment of the present application;
Fig. 7 is a schematic diagram of the composition of a session detection apparatus provided by an embodiment of the present application;
Fig. 8 is a schematic diagram of the hardware entity of a detection device provided by an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a chip provided by an embodiment of the present application.
Detailed description
The technical solution of the present application, and how it solves the technical problems above, is described in detail below through embodiments with reference to the drawings. The specific embodiments below may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.
It should be noted that in the examples of the present application, "first", "second" and the like are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily provided they do not conflict.
To protect Internet business systems against security threats, common examples being spam comments, credential stuffing, account hijacking and volume inflation (fake clicks, views or registrations), business security protection is required. The present solution is designed to detect and defend against these business security problems.
Business security detection and protection schemes in the related art are generally built for one specific business. For example, the detection device first has to obtain detailed information about the business: the parameters received by the interfaces of the service server (request data, or data used to access the service), the parameters returned, the function of each interface, how that function relates to other interfaces, the attack techniques commonly used against that type of interface, and so on. The business is then modelled from this information, and finally the data accessing the business is matched against the model to find malicious requests.
However, this requires the detection device to understand the specific business and its attack techniques in depth. Business types are usually intricate and attack techniques change constantly, so analysing and modelling them one by one is very laborious, and some businesses will inevitably be missed; the detection methods of the related art therefore cannot be generalised. In addition, some business data is sensitive and cannot be provided in plaintext, so it cannot be modelled at all, which leaves the coverage of the related-art detection methods insufficient.
For at least these reasons, the present application proposes a general approach to business security detection and protection based on session analysis. Session data is produced as a user's terminal interacts with a server, and normal and malicious session data differ in the sequence of the packets or in the data structure of the packets. By analysing the sequence or structure of these low-level packets, normal session data can be distinguished from malicious session data, which yields general business security protection.
Fig. 1 is a schematic diagram of the system architecture of a session detection method provided by an embodiment of the present application. As shown in Fig. 1, the system 10 may include a user-side terminal 11, a service server 12, a forwarding device 13 and a detection device 14.
The terminal 11 may be a device used by a user to access the service server 12, such as the desktop computer, mobile phone and tablet computer shown in Fig. 1. The terminal may also include at least one of a server, a laptop computer, a handheld computer, a personal digital assistant, a portable media player, a smart speaker, a navigation device, a display device, a wearable device such as a smart wristband, a Virtual Reality (VR) device, an Augmented Reality (AR) device, a pedometer and a digital television. The user accesses the service server 12 when logging in to a website through an application on the terminal 11; the application may be the website's dedicated client or a browser client, and the user may access the service server 12 by entering the website's URL.
The service server 12 may be a service device that provides the functions of a website. The service server 12 shown in Fig. 1 is a server cluster made up of several service servers; in some embodiments the service server 12 may be a single stand-alone server, and the present application does not limit how the service server 12 is composed.
The forwarding device 13 may be used to capture the communication data between the terminal 11 and the service server 12. The communication data may be access requests sent by the terminal 11 to the service server 12 and/or the access results the service server 12 returns to the terminal 11 for those requests. The communication data can be understood as traffic data, and the forwarding device 13 may capture it continuously; for example, the forwarding device may package the communication data captured over a preset duration into a capture file (a file in pcap format), or package a preset amount of captured communication data into a capture file, and then send the capture file to the detection device. In one implementation the forwarding device may be a switch.
The forwarding device 13 may capture communication data by packet capture based on the Data Plane Development Kit (DPDK). In one approach the forwarding device 13 may be a device with a mirror port to which the detection device is connected, so that the mirror port mirrors the traffic of the communication port and thereby yields communication data of a preset duration or a preset size. It should be understood that the capture file may contain access requests and/or access results.
The detection device 14 may be a device for detecting whether a session in the capture file is a malicious session. The detection device 14 analyses the sessions between the terminal 11 and the service server 12 in real time so that malicious sessions are discovered, and losses stopped, in time, protecting the safe operation of the network.
In the embodiment shown in Fig. 1, the forwarding device 13 is placed between the terminal 11 and the service server 12 to obtain the communication data between them, and the detection device 14 is connected to the forwarding device 13 to detect whether a session in that communication data is malicious. In the embodiments of the present application, the connection between the terminal 11 and the forwarding device 13, between the forwarding device 13 and the detection device 14, or between the forwarding device 13 and the service server 12 may be wired or wireless.
In some embodiments, the forwarding device 13 and the detection device 14 of the present application may be placed between any two network nodes that exchange traffic, so that the forwarding device 13 and the detection device 14 can detect whether a session transmitted between those two nodes is malicious. The embodiments of the present application do not limit where the forwarding device 13 is placed.
In some embodiments, the forwarding device 13 and the detection device 14 may be two separate physical entities, or they may be combined into a single physical entity.
Fig. 2 is a schematic flowchart of a session detection method provided by an embodiment of the present application. As shown in Fig. 2, the method is applied to a detection device and includes:
S201: the detection device obtains a session to be detected that is transmitted between two network nodes.
In one implementation, the two network nodes may be a terminal and a service server respectively. In another implementation, the two network nodes may be any two nodes in the network between which traffic data is transmitted.
In the embodiments of the present application, a session may refer to a group of packets delimited by a 5-tuple. The 5-tuple is a communications term for the source Internet Protocol (IP) address, source port, destination IP address, destination port and transport-layer protocol. For example, a session to be detected may include M packets, where M is an integer greater than or equal to 1, and the M packets share the same source IP address and/or source port and/or destination IP address and/or destination port and/or transport-layer protocol. A packet is the unit of data transmitted in Transmission Control Protocol (TCP)/IP communication.
When traffic is being transmitted between two network nodes, in one implementation the forwarding device may obtain the traffic data transmitted between them, form a capture file and send the capture file to the detection device, which then obtains the session to be detected from the capture file. The session to be detected may include access requests sent by the terminal to the service server and/or access results sent by the service server to the terminal. In another implementation, the forwarding device may send the session to be detected directly to the detection device.
S203: the detection device determines a feature vector of the session to be detected, the feature vector being a vector that characterizes static features of the network layer and/or static features of the transport layer.
In one implementation, the feature vector may be determined from the network-layer static attribute information and/or the transport-layer static attribute information of the session to be detected. For example, the detection device may statistically analyse the network-layer and/or transport-layer static attribute information and convert the results of the analysis into a vector that serves as the feature vector. As another example, the detection device may convert the network-layer and/or transport-layer static attribute information directly into a vector that serves as the feature vector. As a further example, the detection device may perform other operations on the network-layer and/or transport-layer static attribute information to obtain the feature vector. In the embodiments of the present application, any method that converts network-layer and/or transport-layer static attribute information into a feature vector falls within the scope of protection of the present application. In the embodiments of the present application, the network-layer static attribute information characterizes the static features of the network layer, and the transport-layer static attribute information characterizes the static features of the transport layer.
In the embodiments of the present application, the detection device may obtain the network-layer and/or transport-layer static attribute information of the session to be detected by extracting feature information from each of the M packets in the session. The network-layer and/or transport-layer static attribute information in the embodiments of the present application may refer to the network-layer and/or transport-layer static attribute information of each of the M packets of the session to be detected.
In one implementation, the network-layer static attribute information of a packet may be a class, method, variable or code block qualified by the static modifier in the network layer (IP layer), and the transport-layer static attribute information of a packet may be a class, method, variable or code block qualified by the static modifier in the transport layer (TCP layer). As the concrete fields listed in the embodiment of Fig. 3 (ip.hl, ip.len, ip.ttl, tcp.dport, tcp.win) show, what is meant in practice is the fixed-layout fields of the IP and TCP headers, and the payload, rather than a programming-language construct.
In one implementation, the static attribute information may include not only the static attribute information of the packet header but also that of the data (payload) portion; that is, the transport-layer static attribute information may include static attribute information of the payload, for example characters in the payload that denote "confirmed" or "correct". For instance, in one application scenario, when a user logs in, enters an account name and password and sends a login request to the service server, the service server, on finding that the account and password match, returns a packet whose payload includes characters indicating that the password is "correct", and on finding that they do not match, returns a packet whose payload includes characters indicating that the password is "wrong". Both the characters denoting "correct" and those denoting "wrong" can be static attribute information of the packet. Such payload markers are only observable where the captured traffic is not encrypted above the transport layer; the header fields remain available either way.
In another implementation, the static attribute information may include only the header portion of the packet, or only the data portion.
S205: the detection device determines, based on the feature vector of the session to be detected, whether the session to be detected is a malicious session.
In one implementation, the detection device may input the feature vector of the session to be detected into a pre-trained specific classifier and determine from the classifier's output whether the session is malicious.
In another implementation, the detection device may judge whether the static attribute information in the feature vector of the session to be detected satisfies a set attribute-information condition; if it does, the session is determined to be malicious, otherwise it is determined to be a normal (non-malicious) session. In some embodiments, the detection device may judge whether the network-layer static attribute information of the session satisfies a set first sub-attribute condition, and/or whether the transport-layer static attribute information satisfies a set second sub-attribute condition. Whether the static attribute information satisfies the set condition may be decided as follows: a given parameter of the static attribute information is checked against a set range, and the condition is satisfied if the parameter lies within it and not satisfied otherwise; or at least two parameters of the static attribute information are each checked against their own set range, and the condition is satisfied only if every one of them lies within its range.
In the embodiments of the present application, because the network-layer and/or transport-layer static features of normal session data differ from those of malicious session data, deciding whether the session to be detected is malicious from a feature vector that characterizes those static features makes it easy to detect malicious sessions of different types and improves the generality of session detection.
Fig. 3 is a schematic flowchart of another session detection method provided by an embodiment of the present application. As shown in Fig. 3, the method includes:
S301: the forwarding device captures communication data and generates a capture file from it.
The communication data may be the data flowing into the forwarding device within a preset duration. It may include access requests sent by the terminal to the service server and/or access results sent by the service server to the terminal.
S303: the forwarding device sends the capture file to the detection device, and the detection device receives it.
In one implementation, the capture files the forwarding device sends to the detection device may all be the same size, or their size may lie within a set range. In another implementation, the forwarding device sends one capture file to the detection device at a fixed interval.
In the embodiments of the present application, the forwarding device may forward all communication data between the two network nodes to the detection device, so that the detection device sees every piece of communication data transmitted between the two nodes and can decide for every session passing through the forwarding device whether it is malicious. In another implementation, the forwarding device may sample the communication data between the two network nodes, which reduces the load on the forwarding device and the detection device.
S305: the detection device parses the capture file to obtain a packet set.
The capture file may be a pcap file. The overall structure of a pcap file is: file header, packet header 1, packet 1, packet header 2, packet 2, and so on. Parsing the pcap file is done to obtain packet 1, packet 2, etc. from it, these being the packets transmitted between the terminal and the service server, and thus to obtain the packet set. It should be understood that the packet set may contain N packets, N being an integer greater than or equal to 1.
S307: the detection device determines at least one session from the packet set and takes at least part of that at least one session as the session to be detected.
The packets included in any one of the at least one session have the same feature information, and the feature information includes at least one element of the 5-tuple.
In the embodiments of the present application, the feature information includes the whole 5-tuple, i.e. source IP address, source port, destination IP address, destination port and transport-layer protocol. In other embodiments the feature information may include part of the 5-tuple, for example the source IP address, source port and transport-layer protocol.
In implementation, determining at least one session from the packet set may be done as follows: the detection device first extracts the feature information of each packet in the packet set, and then performs session aggregation analysis on the packet set based on that feature information to determine the at least one session.
For example, in one implementation the detection device may extract the 5-tuple of each of the N packets in the packet set and then perform session aggregation analysis on the N packets based on the 5-tuples, obtaining at least one session (P sessions), where P is an integer greater than or equal to 1 and less than or equal to N. In this way the detection device classifies the N packets by 5-tuple, marking packets with the same 5-tuple as belonging to the same session, and obtains P sessions in each of which all packets share the same 5-tuple.
Having obtained the P sessions, the detection device may take all or some of them as sessions to be detected. For example, in one implementation the detection device may take all P sessions as sessions to be detected; in another, it may take only some of the P sessions (for example one session) as the session to be detected.
S309: from the at least one packet included in the session to be detected, the detection device extracts at least one piece of static attribute information, one piece per packet.
The static attribute information may include network-layer static attribute information and/or transport-layer static attribute information. The network-layer (IP layer) static attribute information may include certain fields of the IP header, and the transport-layer (TCP layer) static attribute information may include certain fields of the TCP header and/or static attribute information of the packet's data portion.
In one implementation, the network-layer static attribute information may include at least one of the header length ip.hl, the packet length ip.len and the time to live ip.ttl; the transport-layer static attribute information may include at least one of the destination port tcp.dport, the payload data tcp.data and the window size tcp.win (the receiver's advertised remaining buffer space). It should be understood that the embodiments of the present application only give an illustrative list of network-layer and transport-layer static attribute information; other static attribute information may be added or substituted, for example the source address of the IP header, the destination address of the IP header or the source port of the TCP header.
S311: the detection device determines the feature vector of the session to be detected from the at least one piece of static attribute information.
In one implementation, the detection device may statistically analyse the at least one piece of static attribute information to obtain statistics, and take the vector formed from those statistics as the feature vector of the session to be detected. The statistical analysis may include at least one of count, minimum, maximum, sum, mean, variance and standard deviation.
In the embodiments of the present application, the content of the static attribute information can be chosen according to the actual situation, and packets in different scenarios may use different static attribute information. For example, taking static attribute information consisting of ip.hl, ip.len, ip.ttl, tcp.dport, tcp.data and tcp.win, the detection device may statistically analyse these, the analysis including but not limited to at least one of count, min, max, sum and avg. It should be understood that the statistics are computed separately for each kind of attribute information: when computing the count of ip.hl and of ip.len, for example, the count is taken over the M ip.hl values of the M packets, and separately over the M ip.len values of the M packets.
The detection device may then concatenate the statistics obtained to form the feature vector of the session to be detected. Taking static attribute information consisting of ip.ttl and tcp.win, and statistics count, min, max, sum and avg, as an example, the feature vector of the session to be detected may be: (count(ip.ttl), min(ip.ttl), max(ip.ttl), sum(ip.ttl), avg(ip.ttl), count(tcp.win), min(tcp.win), max(tcp.win), sum(tcp.win), avg(tcp.win)).
S313. The detection device determines, based on the feature vector of the session to be detected, whether the session to be detected is a malicious session.
In one embodiment, the detection device may determine a specific classifier, input the feature vector of the session to be detected into the specific classifier to obtain a classification result for the session to be detected, and then determine based on the classification result whether the session to be detected is a malicious session.
In one embodiment, the specific classifier may include a weight matrix, each column of which holds the weight parameters between the feature vector and one category. The detection device may determine the classification result of the session to be detected based on the feature vector and the weight matrix, and then determine based on the classification result whether the session to be detected is a malicious session.
The classifier may be a classification model; the specific classifier may be obtained by loading a trained model file into a prediction program, where the model file may include parameters such as the weight matrix.
In one embodiment, the specific classifier may be a binary classifier, used to output a first classification result indicating that the session to be detected is a normal session, or a second classification result indicating that the session to be detected is a malicious session. In another embodiment, the specific classifier may be a multi-class classifier, used to output classification results of different degrees of maliciousness; in that case, when the detection device obtains the classification result of the session to be detected from the multi-class classifier, it determines whether the session to be detected is a malicious session according to the degree of maliciousness of the classification result.
Taking count analysis of at least one piece of static attribute information as an example, it can be understood that if a session to be detected contains too many data packets, this indicates frequent access, and the session to be detected can therefore be determined to be a malicious session; accordingly, one purpose of the specific classifier may be to treat a session to be detected whose count exceeds a specific threshold as a malicious session. In the embodiments of this application, because a classifier is provided, the determination of a malicious session does not rely only on the count dimension but may also rely on at least one of the minimum, maximum, accumulated value, average, mean square deviation and standard deviation dimensions, so that the predicted classification result is jointly determined by parameters from several aspects, which improves the accuracy of the prediction result.
The specific classifier in the embodiments of this application may be one of: a decision tree classifier, a random forest classifier, a gradient boosting decision tree (GBDT) classifier, a support vector machine (SVM) classifier, a neural network classifier, and the like.
The specific classifier may be obtained as follows: the detection device first obtains at least one training session, each of which corresponds to a true category; it then determines the feature vector of each training session; it then obtains an initial classifier and trains the initial classifier based on the true category and the feature vector of each training session to obtain the specific classifier.
The initial classifier may include an initial matrix, which is a matrix randomly generated by the detection device; the purpose of training the classifier is to train the initial matrix so as to obtain the weight matrix.
In the embodiments of this application, the training method used to train the initial classifier may be one of a decision tree training method, a random forest training method, a GBDT training method, an SVM training method, a neural network training method, and the like. It should be understood that the choice of specific classifier should correspond to the training method; for example, if the specific classifier is an SVM classifier, the training method should be an SVM training method.
In one embodiment, the detection device may determine the feature vector of each training session as follows: the detection device extracts, from the at least one data packet included in each training session, at least one piece of static attribute information corresponding one-to-one to the at least one data packet, where the static attribute information includes static attribute information of the network layer and/or static attribute information of the transport layer; and determines the feature vector of each training session based on the at least one piece of static attribute information.
In one embodiment, the detection device determining the feature vector of each training session based on the at least one piece of static attribute information may include: the detection device performs statistical analysis on the at least one piece of static attribute information corresponding one-to-one to the at least one data packet included in each training session to obtain statistical information, and uses the vector converted from the statistical information as the feature vector of each training session.
The way in which the detection device determines the feature vector of a training session may be the same as the way it determines the feature vector of the session to be detected; for details not described for the training session, refer to the description of determining the feature vector of the session to be detected.
S315. The detection device sends prompt information to the forwarding device.
The prompt information indicates whether a malicious session exists among the sessions to be detected and, where a malicious session does exist, instructs the forwarding device to intercept and/or strike the existing malicious session.
It should be understood that when the session to be detected is a single session, the prompt information may include information on whether that session is a malicious session; when the sessions to be detected are at least two sessions, the prompt information may include information on whether each of the at least two sessions is a malicious session.
In one embodiment, the prompt information may further include an interception strategy and/or strike strategy corresponding to the classification result of the session to be detected. For example, the detection device may determine the interception strategy and/or strike strategy according to the degree of maliciousness corresponding to the classification result: the higher the degree of maliciousness corresponding to the classification result, the stronger the determined interception strategy and/or strike strategy.
It should be understood that the more malicious a session is, the stronger the determined interception strategy and/or strike strategy; conversely, the less malicious the session, the weaker the determined strategy. For example, when a session is determined to be a normal session, it is neither intercepted nor struck.
In the embodiments of this application, the interception strategy and/or strike strategy may be the strategy to be applied to each of the one or more sessions included in the sessions to be detected. For example, where some of the sessions to be detected are normal sessions, the applied strategy is neither to intercept nor to strike; where some are malicious sessions of lesser maliciousness, the applied strategy is to intercept but not to strike; where some are malicious sessions of greater maliciousness, the applied strategy is to intercept and to strike.
In the embodiments of this application, statistical information is obtained by performing statistical analysis on the at least one piece of static attribute information, and the vector converted from the statistical information is used as the feature vector of the session to be detected, so that the resulting feature vector reflects features in multiple dimensions, which improves the accuracy of classifying the session to be detected. Moreover, because the session to be detected is classified using the specific classifier and its feature vector, the specific classifier can combine the different kinds of attribute information included in the static attribute information with the types of statistical analysis to determine whether the session to be detected is a malicious session, which further improves classification accuracy.
FIG. 4 is a schematic flowchart of determining the feature vector of a session to be detected according to an embodiment of this application. As shown in FIG. 4, the process by which the detection device performs feature extraction to obtain the feature vector of the session to be detected may be implemented through the following steps S401 to S407:
S401. The detection device obtains a pcap file, parses the data packets in the pcap file, and obtains a set of data packets.
S403. The detection device performs session aggregation on the data packets in the pcap file according to the 5-tuple (source IP, destination IP, source port, destination port and protocol number), marking data packets with the same 5-tuple as the same session (one business interaction).
S405. The detection device extracts statistical features per session: it first extracts the IP-layer and TCP-layer static attributes of each data packet in the session, such as ip.hl, ip.len, ip.ttl, tcp.dport, tcp.data, tcp.win and so on, and then computes statistics of these static attributes over the session, the statistics including but not limited to at least one of count, minimum, maximum, sum and average.
S407. The sequence obtained by concatenating the statistics is the feature vector of the session; for example, the feature vector may be (count(ip.ttl), min(ip.ttl), max(ip.ttl), sum(ip.ttl), avg(ip.ttl), count(tcp.win), min(tcp.win), max(tcp.win), sum(tcp.win), avg(tcp.win), ...).
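The following is an added worked example, not code from the patent or its applicants, of the feature extraction described in S311 and again in steps S401 to S407: a minimal IPv4/TCP header parser supplies the per-packet static attributes, packets are grouped into sessions by identical 5-tuple, and the count/min/max/sum/avg statistics of each attribute are concatenated into the session's feature vector. The packets are constructed inline with zero checksums rather than read from a pcap file, and tcp.data is taken as the TCP payload length (an assumption, since a byte string has no minimum or maximum).

```python
import socket
import struct

# Attributes from step S405; tcp.data is taken here as the TCP payload length
# (an assumption: a byte string has no min/max, a length does).
ATTRS = ("ip.hl", "ip.len", "ip.ttl", "tcp.dport", "tcp.data", "tcp.win")
STATS = {
    "count": len,
    "min": min,
    "max": max,
    "sum": sum,
    "avg": lambda xs: sum(xs) / len(xs),
}


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Parse one IPv4/TCP packet (no link-layer header) into its static attributes."""
    ver_ihl, _tos, ip_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP packets are handled by this example")
    ihl = (ver_ihl & 0x0F) * 4              # IP header length in bytes
    sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4        # TCP header length in bytes
    return {
        "5tuple": (socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, proto),
        "ip.hl": ihl, "ip.len": ip_len, "ip.ttl": ttl,
        "tcp.dport": dport, "tcp.data": ip_len - ihl - data_off, "tcp.win": win,
    }


def aggregate_sessions(packets):
    """S403: packets sharing the same 5-tuple form one session (one direction only,
    as on the page; pairing both directions of a flow would need a canonical key)."""
    sessions = {}
    for pkt in packets:
        sessions.setdefault(pkt["5tuple"], []).append(pkt)
    return sessions


def feature_names():
    """Names of the feature vector entries, in the order feature_vector() emits them."""
    return [f"{s}({a})" for a in ATTRS for s in STATS]


def feature_vector(session):
    """S405/S407: per-attribute statistics over the session, concatenated."""
    vec = []
    for attr in ATTRS:
        values = [pkt[attr] for pkt in session]
        vec.extend(float(fn(values)) for fn in STATS.values())
    return vec


def extract_features(raw_packets):
    """S401-S407 end to end: raw packets -> {5-tuple: feature vector}."""
    sessions = aggregate_sessions(parse_ipv4_tcp(raw) for raw in raw_packets)
    return {key: feature_vector(pkts) for key, pkts in sessions.items()}


def build_packet(src, dst, sport, dport, ttl, win, payload=b""):
    """Constructed test packet: minimal IPv4/TCP, no options, zero checksums."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 5 << 12, win, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def sample_packets():
    """Constructed capture: three packets of one session and one of another."""
    return [
        build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 64, 65535),
        build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 64, 8192, b"G" * 10),
        build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 64, 1024, b"P" * 100),
        build_packet("10.0.0.3", "10.0.0.2", 40001, 443, 128, 29200),
    ]


if __name__ == "__main__":
    for key, vec in extract_features(sample_packets()).items():
        print(key, dict(zip(feature_names(), vec)))
```

With six attributes and five statistics the vector has 30 entries; the first session above yields count(ip.ttl) = 3, min(ip.len) = 40 and sum(tcp.data) = 110. Keeping feature_names() next to feature_vector() matters in practice, because a model file trained on one attribute order is silently wrong if the prediction program concatenates in another.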
FIG. 5 is a schematic flowchart of generating a model file according to an embodiment of this application. As shown in FIG. 5, the model file may be generated through the following steps S501 to S507:
S501. The detection device selects a batch of labelled training samples (the label indicates whether the sample is malicious or normal; one session is one sample). For example, the training samples may include session 1 and its label 1, ..., session K and its label K, where K is an integer greater than or equal to 1.
S503. The detection device extracts the feature vector of each sample in turn until the feature vectors of all training-set samples have been obtained; a feature vector may be (count(tcp.win), min(tcp.win), max(tcp.win), sum(tcp.win), avg(tcp.win), ...).
S505. The detection device feeds the feature vectors and the labels of the corresponding samples into a machine-learning training program. The machine-learning model used here may be a decision tree, random forest, GBDT, SVM, neural network or the like; the detection device may try each of these common models and select the best one according to the test results.
S507. After training completes, the detection device obtains the model file.
In the embodiments of this application, the detection method of the detection device is the core of the solution. The detection device may include two main parts, a training unit and a detection unit. FIG. 6 is a schematic flowchart of another way of generating a model file according to an embodiment of this application. As shown in FIG. 6, the training unit of the detection device trains on the training samples to obtain the model file, and the detection unit of the detection device uses the model file to obtain the detection result for the sample to be detected. The method of generating the model file in this embodiment may be implemented through the following steps S601 to S619:
S601. The detection device selects training samples.
S603. The detection device performs feature extraction on each sample of the training samples.
S605. The detection device obtains the feature vectors of all training-set samples.
S607. The detection device performs model training using the feature vectors of all training-set samples.
S609. The detection device obtains the model file.
S611. The detection device determines the sample to be detected, which may be the session to be detected in the embodiments of this application.
S613. The detection device performs feature extraction on the sample to be detected.
S615. The detection device obtains the feature vector of the sample to be detected.
S617. The detection device performs model prediction using the feature vector of the sample to be detected and the model file.
S619. The detection device obtains the detection result of the sample to be detected.
In the embodiments of this application, the detection device analyses and models the network-layer and transport-layer data of the network packets generated by the interaction between a user and a service in order to distinguish normal service interaction data from malicious service interaction data, so that detection and protection can be achieved without obtaining service-layer data or service logic. This solves the problems of insufficient generality, insufficient coverage and heavy workload in existing solutions, improves the generality and coverage of the model, and reduces the cost of modelling.
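The following is an added worked example, not the applicants' code, of the training unit and detection unit of steps S601 to S619 using the weight-matrix classifier of S313: a random initial matrix with one column per category is corrected on labelled feature vectors (a multi-class perceptron, the simplest neural-network classifier, stands in for the models the page lists), and the resulting classification result is mapped to the interception and/or strike strategy the page assigns to each degree of maliciousness. The feature vector is reduced to two entries, count(ip.len) and avg(tcp.win), the training rows are constructed, and the scaling constants are assumptions chosen for that constructed data.

```python
import math
import random

CLASSES = ("normal", "low-maliciousness", "high-maliciousness")
# Strategy per classification result, following the page: normal -> nothing,
# lesser maliciousness -> intercept only, greater maliciousness -> intercept and strike.
STRATEGY = {0: "allow", 1: "intercept", 2: "intercept and strike"}


def scale(count: int, avg_win: float) -> list:
    """Map the two raw statistics to a centred feature vector with a leading bias term.
    The centring constants are assumptions chosen for the constructed data below."""
    return [1.0, math.log10(count) - 1.75, avg_win / 65535.0 - 0.4]


def training_set():
    """Constructed labelled sessions: (count(ip.len), avg(tcp.win), true category)."""
    rows = []
    for count in (5, 8, 12, 20):                      # few packets, large windows
        for win in (40000, 52000, 65000):
            rows.append((count, win, 0))
    for count in (50, 63, 80, 100):                  # frequent access, shrinking windows
        for win in (6500, 16000, 26000):
            rows.append((count, win, 1))
    for count in (320, 400, 500, 630):               # flood-like counts, tiny windows
        for win in (650, 3300, 6500):
            rows.append((count, win, 2))
    return rows


def scores(w, x):
    """Column c of the weight matrix w scores category c: s_c = sum_j w[j][c] * x[j]."""
    return [sum(w[j][c] * x[j] for j in range(len(x))) for c in range(len(w[0]))]


def predict(w, x):
    """Classification result = category with the highest score."""
    s = scores(w, x)
    return max(range(len(s)), key=s.__getitem__)


def train(rows, n_classes=3, epochs=2000, seed=0):
    """Start from a random initial matrix and correct it on every misclassified
    sample (pull toward the true column, push away from the predicted one) until
    an epoch passes with no mistakes. Returns the trained weight matrix."""
    rng = random.Random(seed)
    dim = len(scale(*rows[0][:2]))
    w = [[rng.uniform(-0.1, 0.1) for _ in range(n_classes)] for _ in range(dim)]
    for _ in range(epochs):
        mistakes = 0
        for count, win, y in rows:
            x = scale(count, win)
            p = predict(w, x)
            if p != y:
                mistakes += 1
                for j in range(dim):
                    w[j][y] += x[j]
                    w[j][p] -= x[j]
        if mistakes == 0:
            break
    return w


def accuracy(w, rows):
    return sum(predict(w, scale(c, v)) == y for c, v, y in rows) / len(rows)


def classify_session(w, count, avg_win):
    """Detection unit: classification result plus the contents of the prompt information."""
    cls = predict(w, scale(count, avg_win))
    return {"class": CLASSES[cls], "malicious": cls != 0, "strategy": STRATEGY[cls]}


if __name__ == "__main__":
    w = train(training_set())
    print("training accuracy:", accuracy(w, training_set()))
    for count, win in ((10, 60000), (70, 12000), (450, 2000)):
        print(count, win, classify_session(w, count, win))
```

The weight matrix is the only thing the model file needs to carry; the prediction program is scores() plus predict(). Because the three constructed classes are linearly separable with a clear margin, the perceptron update reaches zero training mistakes within a few epochs, and sessions inside the range of a class's training data are assigned that class's strategy.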
Based on the foregoing embodiments, an embodiment of this application provides a session detection apparatus. The units included in the apparatus, and the modules included in each unit, may be implemented by a processor in the detection device, or of course by specific logic circuits; in implementation, the processor may be a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP), a field programmable gate array (FPGA) or the like.
FIG. 7 is a schematic diagram of the structure of a session detection apparatus according to an embodiment of this application. As shown in FIG. 7, the session detection apparatus 70 includes:
an obtaining unit 71, configured to obtain a session to be detected that is transmitted between two network nodes;
a determining unit 72, configured to determine the feature vector of the session to be detected, the feature vector characterising static features of the network layer and/or static features of the transport layer;
a detection unit 73, configured to determine, based on the feature vector of the session to be detected, whether the session to be detected is a malicious session.
In some embodiments, the obtaining unit 71 is further configured to parse the capture file sent by the forwarding device to obtain a set of data packets, to determine at least one session from the set of data packets, and to take at least part of the at least one session as the session to be detected, where the data packets included in any one session have the same characteristic information and the characteristic information includes at least one element of the five-tuple.
In some embodiments, the obtaining unit 71 is further configured to extract the characteristic information of each data packet in the set of data packets and to perform session aggregation analysis on the set of data packets based on the characteristic information to determine the at least one session.
In some embodiments, the determining unit 72 is further configured to extract, from the at least one data packet included in the session to be detected, at least one piece of static attribute information corresponding one-to-one to the at least one data packet, where the static attribute information includes static attribute information of the network layer and/or static attribute information of the transport layer, and to determine the feature vector of the session to be detected based on the at least one piece of static attribute information.
In some embodiments, the static attribute information of the network layer includes at least one of header length, data length and time to live; the static attribute information of the transport layer includes at least one of destination port, static data and remaining buffer space.
In some embodiments, the determining unit 72 is further configured to perform statistical analysis on the at least one piece of static attribute information to obtain statistical information, and to use the vector converted from the statistical information as the feature vector of the session to be detected.
In some embodiments, the statistical analysis includes at least one of count, minimum, maximum, accumulated value, average, mean square deviation and standard deviation.
In some embodiments, the detection unit 73 is further configured to determine a specific classifier, input the feature vector of the session to be detected into the specific classifier to obtain the classification result of the session to be detected, and determine based on the classification result whether the session to be detected is a malicious session.
In some embodiments, the session detection apparatus 70 further includes:
a training unit 74, configured to obtain at least one training session, each of which corresponds to a true category; determine the feature vector of each training session; obtain an initial classifier; and train the initial classifier based on the true category and the feature vector of each training session to obtain the specific classifier.
In some embodiments, the session detection apparatus 70 further includes:
a sending unit 75, configured to send prompt information to the forwarding device, the prompt information indicating whether a malicious session exists among the sessions to be detected and, where a malicious session exists, instructing that the existing malicious session be intercepted and/or struck.
In some embodiments, the prompt information further includes an interception strategy and/or strike strategy corresponding to the classification result of the session to be detected.
The description of the above apparatus embodiments is similar to that of the method embodiments and has similar beneficial effects. For technical details not disclosed in the apparatus embodiments of this application, refer to the description of the method embodiments of this application.
It should be noted that, in the embodiments of this application, if the session detection method described above is implemented in the form of software function modules and sold or used as an independent product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solutions of the embodiments of this application, in essence or in the part that contributes to the related art, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a detection device to execute all or part of the methods described in the various embodiments of this application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disc, or any other medium that can store program code. Thus, the embodiments of this application are not limited to any specific combination of hardware and software.
It should be noted that FIG. 8 is a schematic diagram of the hardware of a detection device according to an embodiment of this application. As shown in FIG. 8, the hardware of the detection device 80 includes a processor 81 and a memory 82, where the memory 82 stores a computer program that can run on the processor 81, and the processor 81, when executing the program, implements the steps of the session detection method of any of the above embodiments.
The memory 82 stores a computer program that can run on the processor. The memory 82 is configured to store instructions and applications executable by the processor 81 and may also cache data to be processed or already processed by the processor 81 and by the modules of the detection device 80 (for example, image data, audio data, voice communication data and video communication data); it may be implemented as flash memory (FLASH) or random access memory (RAM).
The processor 81, when executing the program, implements the steps of any of the session detection methods described above. The processor 81 generally controls the overall operation of the detection device 80.
An embodiment of this application provides a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement the steps of the session detection method of any of the above embodiments.
FIG. 9 is a schematic structural diagram of a chip according to an embodiment of this application. The chip 90 shown in FIG. 9 includes a processor 91, which can call and run a computer program from a memory to implement the steps of the method executed by the detection device in the embodiments of this application.
Optionally, as shown in FIG. 9, the chip 90 may further include a memory 92, from which the processor 91 can call and run a computer program to implement the steps of the method executed by the detection device in the embodiments of this application.
The memory 92 may be a separate device independent of the processor 91, or may be integrated in the processor 91.
Optionally, the chip 90 may further include an input interface 93. The processor 91 can control the input interface 93 to communicate with other devices or chips, and specifically to obtain information or data sent by other devices or chips.
Optionally, the chip 90 may further include an output interface 94. The processor 91 can control the output interface 94 to communicate with other devices or chips, and specifically to output information or data to other devices or chips.
Optionally, the chip may be applied to the network device in the embodiments of this application and may implement the corresponding processes performed by the network device in the methods of the embodiments of this application; for brevity, these are not repeated here.
Optionally, the chip may be applied to the detection device in the embodiments of this application and may implement the corresponding processes performed by the detection device in the methods of the embodiments of this application; for brevity, these are not repeated here.
It should be understood that the chip mentioned in the embodiments of this application may also be called a system-level chip, a system chip, a chip system, a system-on-chip, or the like.
An embodiment of this application provides a computer program product including a computer storage medium that stores computer program code; the computer program code includes instructions executable by at least one processor, and when executed by the at least one processor, the instructions implement the steps of the method executed by the detection device in the above methods.
It should be pointed out that the description of the above detection device, computer storage medium, chip and computer program product embodiments is similar to that of the method embodiments and has similar beneficial effects. For technical details not disclosed in the detection device, computer storage medium, chip and computer program product embodiments of this application, refer to the description of the method embodiments of this application.
It should be understood that the processor of the embodiments of this application may be an integrated circuit chip with signal-processing capability. In implementation, the steps of the above method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be directly executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
It can be understood that the memory in the embodiments may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, without being limited to, these and any other suitable types of memory.
It should be understood that the memory types above are illustrative and not limiting; for example, the memory in the embodiments may also be SRAM, DRAM, SDRAM, DDR SDRAM, ESDRAM, SLDRAM, DR RAM and so on. That is, the memory in the embodiments is intended to include, without being limited to, these and any other suitable types of memory.
It should be understood that "one embodiment", "an embodiment", "the embodiments of this application" or "the foregoing embodiment" mentioned throughout the specification means that a particular feature, structure or characteristic related to that embodiment is included in at least one embodiment of this application. Therefore, such phrases appearing in various places throughout the specification do not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in one or more embodiments in any suitable manner. It should be understood that, in the various embodiments of this application, the sequence numbers of the processes above do not imply an order of execution; the order in which each process is executed should be determined by its function and internal logic and does not limit the implementation of the embodiments in any way. The sequence numbers of the embodiments above are for description only and do not represent the merits of the embodiments.
Unless otherwise specified, where the detection device performs any step in the embodiments, it may be the processor of the detection device that performs that step. Unless otherwise specified, the embodiments do not limit the order in which the detection device performs the steps described. In addition, the ways in which data is processed in different embodiments may be the same method or different methods. It should also be noted that any step in the embodiments may be performed by the detection device independently, that is, when the detection device performs any step of the embodiments above, it need not depend on the execution of other steps.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments may all be integrated into one processing unit, each unit may exist separately as a unit, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
The methods disclosed in the several method embodiments provided in this application may be combined arbitrarily, provided there is no conflict, to obtain new method embodiments.
The features disclosed in the several product embodiments provided in this application may be combined arbitrarily, provided there is no conflict, to obtain new product embodiments.
The features disclosed in the several method or device embodiments provided in this application may be combined arbitrarily, provided there is no conflict, to obtain new method embodiments or device embodiments.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be completed by hardware under the instruction of a program. The program may be stored in a computer-readable storage medium (computer storage medium) and, when executed, performs the steps of the method embodiments above. The storage medium includes various media capable of storing program code, such as a removable storage device, read-only memory (ROM), a magnetic disk or an optical disc.
Alternatively, if the integrated unit of this application is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments, in essence or in the part that contributes to the related art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the methods described in the embodiments. The storage medium includes various media capable of storing program code, such as a removable storage device, ROM, a magnetic disk or an optical disc.
The above are only embodiments of this application, but the scope of protection of this application is not limited to them. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be subject to the scope of protection of the claims.
Industrial applicability
The embodiments of this application provide a session detection method, apparatus, detection device, computer storage medium, chip and computer program product. With the session detection scheme of this application, the detection device determines whether a session to be detected is a malicious session from a feature vector that characterises the static features of the session's network layer and/or transport layer, so that malicious sessions of different types are detected easily, which improves the generality of session detection.

Claims (16)

  1. A session detection method, comprising:
    obtaining, by a detection device, a session to be detected that is transmitted between two network nodes;
    determining a feature vector of the session to be detected, the feature vector characterising static features of the network layer and/or static features of the transport layer; and
    determining, based on the feature vector of the session to be detected, whether the session to be detected is a malicious session.
  2. The method according to claim 1, wherein obtaining, by the detection device, the session to be detected that is transmitted between two network nodes comprises:
    parsing, by the detection device, a capture file sent by a forwarding device to obtain a set of data packets; and
    determining at least one session from the set of data packets and taking at least part of the at least one session as the session to be detected;
    wherein the data packets included in any one session have the same characteristic information, the characteristic information comprising at least one element of the five-tuple.
  3. The method according to claim 2, wherein determining at least one session from the set of data packets comprises:
    extracting the characteristic information of each data packet in the set of data packets; and
    performing session aggregation analysis on the set of data packets based on the characteristic information to determine the at least one session.
  4. The method according to any one of claims 1 to 3, wherein determining the feature vector of the session to be detected comprises:
    extracting, from at least one data packet included in the session to be detected, at least one item of static attribute information in one-to-one correspondence with the at least one data packet, the static attribute information comprising static attribute information of the network layer and/or static attribute information of the transport layer; and
    determining the feature vector of the session to be detected based on the at least one item of static attribute information.
  5. The method according to claim 4, wherein the static attribute information of the network layer comprises at least one of header length, data length and time to live, and the static attribute information of the transport layer comprises at least one of destination port, static data and remaining buffer space.
  6. The method according to claim 4 or 5, wherein determining the feature vector of the session to be detected based on the at least one item of static attribute information comprises:
    performing statistical analysis on the at least one item of static attribute information to obtain statistical information; and
    taking the vector converted from the statistical information as the feature vector of the session to be detected.
  7. The method according to claim 6, wherein the statistical analysis comprises at least one of count, minimum, maximum, accumulated sum, mean, mean square deviation and standard deviation.
  8. The method according to any one of claims 1 to 7, wherein determining, based on the feature vector of the session to be detected, whether the session to be detected is a malicious session comprises:
    determining a specific classifier and inputting the feature vector of the session to be detected into the specific classifier to obtain a classification result for the session to be detected; and
    determining, based on the classification result, whether the session to be detected is a malicious session.
  9. The method according to claim 8, further comprising:
    obtaining at least one training session, each of the at least one training session having a corresponding true class;
    determining the feature vector of each training session; and
    obtaining an initial classifier and training the initial classifier, based on the true class corresponding to each training session and the feature vector of each training session, to obtain the specific classifier.
  10. The method according to any one of claims 1 to 9, further comprising:
    sending prompt information to the forwarding device, the prompt information indicating whether a malicious session exists among the sessions to be detected and, where a malicious session exists among the sessions to be detected, instructing that the existing malicious session be blocked and/or countered.
  11. The method according to claim 10, wherein the prompt information further comprises a blocking policy and/or a countering policy corresponding to the classification result of the session to be detected.
  12. A session detection apparatus, comprising:
    an obtaining unit, configured to obtain a session to be detected that is transmitted between two network nodes;
    a determining unit, configured to determine a feature vector of the session to be detected, the feature vector characterising static features of the network layer and/or static features of the transport layer; and
    a detection unit, configured to determine, based on the feature vector of the session to be detected, whether the session to be detected is a malicious session.
  13. A detection device, comprising a memory and a processor, wherein
    the memory stores a computer program executable on the processor, and
    the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 11.
  14. A computer storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the steps of the method according to any one of claims 1 to 11.
  15. A chip, comprising a processor configured to call and run a computer program from a memory, so that a device in which the chip is installed performs the steps of the method according to any one of claims 1 to 11.
  16. A computer program product, comprising a computer storage medium that stores computer program code, the computer program code comprising instructions executable by at least one processor which, when executed by the at least one processor, implement the steps of the method according to any one of claims 1 to 11.
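The pipeline of claims 1 to 11, which the Industrial applicability paragraph summarises, as an added Python example; this is not the patent's or the applicants' code. It stands in constructed IPv4/TCP packets for the capture file from the forwarding device, reads the claim 5 "remaining buffer space" as the TCP window field and leaves "static data" unmodelled (both assumptions), uses population variance for the claim 7 "mean square deviation", and, because the claims name no model, substitutes a nearest-centroid classifier over min-max scaled features for the "specific classifier" of claim 8. The training labels are assigned by construction, not observed.

```python
import statistics
import struct
from collections import defaultdict

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header, no options
ATTRS = ("hdr_len", "data_len", "ttl", "dport", "window")

def build_packet(src, dst, sport, dport, ttl, window, payload):
    """Constructed IPv4/TCP packet standing in for one record of a capture file."""
    total_len = IPV4_HDR.size + TCP_HDR.size + len(payload)
    ip = IPV4_HDR.pack(0x45, 0, total_len, 0, 0, ttl, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, 0x18, window, 0, 0) + payload

def parse_packet(raw):
    """Claims 4/5: static attributes of one packet. 'Remaining buffer space' is read as
    the TCP window field (assumption); 'static data' is not modelled. TCP only."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = IPV4_HDR.unpack_from(raw, 0)
    if proto != 6:
        raise ValueError("example handles TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off_res, _, window, _, _ = TCP_HDR.unpack_from(raw, ihl)
    return {"five_tuple": (src, dst, sport, dport, proto), "hdr_len": ihl, "ttl": ttl,
            "data_len": total_len - ihl - (off_res >> 4) * 4, "dport": dport, "window": window}

def session_key(pkt):
    """Direction-independent five-tuple so both halves of a flow form one session."""
    src, dst, sport, dport, proto = pkt["five_tuple"]
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def aggregate_sessions(raws):
    """Claims 2/3: parse every packet of a capture and group by five-tuple."""
    sessions = defaultdict(list)
    for pkt in map(parse_packet, raws):
        sessions[session_key(pkt)].append(pkt)
    return dict(sessions)

def feature_vector(pkts):
    """Claims 6/7: count, then min/max/sum/mean/variance/std per attribute (31 values)."""
    vec = [float(len(pkts))]
    for vals in ([p[name] for p in pkts] for name in ATTRS):
        vec += [min(vals), max(vals), sum(vals), statistics.fmean(vals),
                statistics.pvariance(vals), statistics.pstdev(vals)]
    return vec

class NearestCentroid:
    """Stand-in for the unnamed classifier of claim 8: one centroid per class (assumption)."""
    def fit(self, vectors, labels):
        cols = list(zip(*vectors))
        self.lo = [min(c) for c in cols]                     # min-max scaling from training
        self.span = [(max(c) - min(c)) or 1.0 for c in cols]  # constant column -> span 1
        groups = defaultdict(list)
        for vec, label in zip(vectors, labels):
            groups[label].append(self._scale(vec))
        self.centroids = {y: [statistics.fmean(c) for c in zip(*vs)] for y, vs in groups.items()}
        return self

    def _scale(self, vec):
        return [(x - lo) / span for x, lo, span in zip(vec, self.lo, self.span)]

    def predict(self, vec):
        s = self._scale(vec)
        return min(self.centroids, key=lambda y: sum((a - b) ** 2 for a, b in zip(s, self.centroids[y])))

def train(labelled_captures):
    """Claim 9: labelled_captures is a list of (raw packets, true class) pairs."""
    rows = [(feature_vector(pkts), label) for raws, label in labelled_captures
            for pkts in aggregate_sessions(raws).values()]
    return NearestCentroid().fit(*zip(*rows))

def detect(clf, capture):
    """Claims 1 and 8: classify every session found in one capture."""
    return {key: clf.predict(feature_vector(pkts)) for key, pkts in aggregate_sessions(capture).items()}

def prompt_info(results):
    """Claims 10/11: the report sent back to the forwarding device."""
    bad = [key for key, label in results.items() if label == "malicious"]
    return {"malicious_present": bool(bad), "intercept": bad}

def make_session(src, dst, sport, dport, ttl, window, payloads):
    return [build_packet(src, dst, sport, dport, ttl, window, p) for p in payloads]

def demo():
    """Constructed traffic: TLS-like sessions labelled benign, bursts of empty packets
    at port 445 labelled malicious, then a fresh capture holding one of each."""
    benign = [make_session("10.0.0.5", "203.0.113.10", 51000, 443, 64, 65535,
                           [b"\x16\x03\x01" + b"A" * 200, b"B" * 1200, b"C" * 900]),
              make_session("10.0.0.7", "203.0.113.11", 51001, 443, 64, 64240,
                           [b"\x16\x03\x01" + b"A" * 180, b"B" * 1400, b"C" * 40])]
    malicious = [make_session("10.0.0.9", "203.0.113.20", 40000, 445, 32, 1024, [b""] * 12),
                 make_session("10.0.0.9", "203.0.113.21", 40001, 445, 32, 1024, [b""] * 15)]
    clf = train([(s, "benign") for s in benign] + [(s, "malicious") for s in malicious])
    capture = (make_session("10.0.0.8", "203.0.113.30", 52000, 443, 64, 65535, [b"A" * 190, b"B" * 1300])
               + make_session("10.0.0.12", "203.0.113.40", 41000, 445, 32, 1024, [b""] * 14))
    return detect(clf, capture)
```

Two design points matter in practice. The session key is direction-independent, so both halves of a connection land in one session; keying on the raw five-tuple would split every connection into two half-sessions and skew the count and sum statistics. The 31-element vector mixes ports, TTLs and byte counts on very different scales, which is why the classifier rescales each column from the training range before measuring distance; without that step the port and byte-count columns dominate and the TTL and header-length features contribute nothing.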
PCT/CN2020/094457 2020-06-04 2020-06-04 Session detection method and apparatus, and detection device and computer storage medium WO2021243663A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/094457 WO2021243663A1 (en) 2020-06-04 2020-06-04 Session detection method and apparatus, and detection device and computer storage medium
CN202080099533.3A CN115398860A (en) 2020-06-04 2020-06-04 Session detection method, device, detection equipment and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/094457 WO2021243663A1 (en) 2020-06-04 2020-06-04 Session detection method and apparatus, and detection device and computer storage medium

Publications (1)

Publication Number Publication Date
WO2021243663A1 true WO2021243663A1 (en) 2021-12-09

Family

ID=78831574

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/094457 WO2021243663A1 (en) 2020-06-04 2020-06-04 Session detection method and apparatus, and detection device and computer storage medium

Country Status (2)

Country Link
CN (1) CN115398860A (en)
WO (1) WO2021243663A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114300146A (en) * 2022-01-11 2022-04-08 大理楠诺互联网科技有限公司 User information safety processing method and system applied to intelligent medical treatment
CN114363032A (en) * 2021-12-29 2022-04-15 安天科技集团股份有限公司 Network attack detection method and device, computer equipment and storage medium
CN114584491A (en) * 2022-04-21 2022-06-03 腾讯科技(深圳)有限公司 Detection method, detection device, storage medium, equipment and program product
CN115834436A (en) * 2022-11-24 2023-03-21 中国联合网络通信集团有限公司 Network connectivity detection method, device and storage medium
CN116112263A (en) * 2023-02-13 2023-05-12 山东云天安全技术有限公司 Message processing method, electronic equipment and storage medium
CN116359715A (en) * 2023-05-26 2023-06-30 南京芯驰半导体科技有限公司 Multi-chip testing method and device, electronic equipment and storage medium
CN116366371A (en) * 2023-05-30 2023-06-30 广东维信智联科技有限公司 Session security assessment system based on computer
CN117792800A (en) * 2024-02-28 2024-03-29 四川合佳科技有限公司 Information verification method and system based on Internet of things security evaluation system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116033048B (en) * 2023-03-31 2024-04-09 中汽数据(天津)有限公司 Multi-protocol analysis method of Internet of things, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506556A (en) * 2016-12-29 2017-03-15 北京神州绿盟信息安全科技股份有限公司 A kind of network flow abnormal detecting method and device
US10419449B1 (en) * 2017-11-03 2019-09-17 EMC IP Holding Company LLC Aggregating network sessions into meta-sessions for ranking and classification
CN111191767A (en) * 2019-12-17 2020-05-22 博雅信安科技(北京)有限公司 Vectorization-based malicious traffic attack type judgment method

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363032B (en) * 2021-12-29 2023-08-15 安天科技集团股份有限公司 Network attack detection method, device, computer equipment and storage medium
CN114363032A (en) * 2021-12-29 2022-04-15 安天科技集团股份有限公司 Network attack detection method and device, computer equipment and storage medium
CN114300146A (en) * 2022-01-11 2022-04-08 大理楠诺互联网科技有限公司 User information safety processing method and system applied to intelligent medical treatment
CN114584491A (en) * 2022-04-21 2022-06-03 腾讯科技(深圳)有限公司 Detection method, detection device, storage medium, equipment and program product
CN114584491B (en) * 2022-04-21 2023-09-08 腾讯科技(深圳)有限公司 Detection method, detection device, storage medium and detection equipment
CN115834436A (en) * 2022-11-24 2023-03-21 中国联合网络通信集团有限公司 Network connectivity detection method, device and storage medium
CN115834436B (en) * 2022-11-24 2024-05-03 中国联合网络通信集团有限公司 Network connectivity detection method, device and storage medium
CN116112263B (en) * 2023-02-13 2023-10-27 山东云天安全技术有限公司 Message processing method, electronic equipment and storage medium
CN116112263A (en) * 2023-02-13 2023-05-12 山东云天安全技术有限公司 Message processing method, electronic equipment and storage medium
CN116359715A (en) * 2023-05-26 2023-06-30 南京芯驰半导体科技有限公司 Multi-chip testing method and device, electronic equipment and storage medium
CN116359715B (en) * 2023-05-26 2023-11-03 南京芯驰半导体科技有限公司 Multi-chip testing method and device, electronic equipment and storage medium
CN116366371A (en) * 2023-05-30 2023-06-30 广东维信智联科技有限公司 Session security assessment system based on computer
CN116366371B (en) * 2023-05-30 2023-10-27 广东维信智联科技有限公司 Session security assessment system based on computer
CN117792800A (en) * 2024-02-28 2024-03-29 四川合佳科技有限公司 Information verification method and system based on Internet of things security evaluation system
CN117792800B (en) * 2024-02-28 2024-05-03 四川合佳科技有限公司 Information verification method and system based on Internet of things security evaluation system

Also Published As

Publication number Publication date
CN115398860A (en) 2022-11-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20939226

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 28/04/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 20939226

Country of ref document: EP

Kind code of ref document: A1