CN103746982A - Automatic generation method and system for HTTP (Hyper Text Transport Protocol) network feature code - Google Patents


Info

Publication number: CN103746982A
Authority: CN (China)
Prior art keywords: cluster, signature, HTTP, fine-grained, coarse-grained
Prior art date:
Legal status: Granted
Application number: CN201310745102.1A
Other languages: Chinese (zh)
Other versions: CN103746982B (en)
Inventors: 李可, 刘潮歌, 崔翔, 李丹, 梁玉
Current assignee: Institute of Computing Technology of CAS
Original assignee: Institute of Computing Technology of CAS
Priority date:
Filing date:
Publication date:

Events:
  • Application filed by Institute of Computing Technology of CAS
  • Priority to CN201310745102.1A (CN103746982B)
  • Publication of CN103746982A
  • Application granted
  • Publication of CN103746982B
  • Current legal status: Expired - Fee Related
  • Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses an automatic generation method for HTTP network signatures. The method comprises a packet signature generation step, a URI signature generation step and an HTTP network signature total set generation step. The packet signature generation step extracts statistical features and packet content from the request-response packets of multiple network samples, generates a coarse-grained cluster set by two-stage clustering, then performs the second clustering on the basis of the coarse-grained cluster set to generate a fine-grained cluster set, and generates the request-response packet signature set of the network samples from the fine-grained cluster set. The URI signature generation step handles traffic that was clustered into a class of its own in the network samples: it performs a supplementary extraction of URI path and parameter signatures and generates the URI signature set. Finally, the request-response packet signature set and the URI signature set are merged to produce the total signature set T_all.

Description

Automatic generation method and system for HTTP network signatures
Technical field
The present invention relates to network security technology, in particular to a signature generation method for unknown HTTP botnets, and more specifically to an automatic generation method and system for HTTP network signatures.
Background
Network security incidents have occurred frequently in recent years, and network security has risen to become a focus of national strategy. However, because Internet users generally lack security awareness, and because operating systems and application software contain all kinds of vulnerabilities, more and more computers quietly become "broilers" (zombie hosts) in botnets and serve as pawns for others to steal private data, attack network resources and reap illicit profits.
A botnet is a "general-purpose computing platform built by an attacker from non-cooperating user terminals compromised in cyberspace, which the attacker can control remotely". Here, "non-cooperating" means that the compromised user terminal is unaware; the "attacker" is the controller (botmaster) who holds the power to manipulate the botnet; "remote control" means that the attacker controls the non-cooperating user terminals one-to-many through a command and control (C&C) channel. A compromised victim terminal becomes one node of the botnet and is called a "zombie host", commonly known as a "broiler". The command and control protocols of common botnets are mainly of three types: IRC, HTTP and P2P. Because HTTP penetrates networks well and supports centralized control, more and more botnet controllers adopt HTTP as their communication and control protocol. By controlling a large number of zombie hosts, the controller gains powerful distributed computing capacity and a rich reserve of information resources, and the attacker can more easily launch malicious activities such as distributed denial of service (DDoS) attacks, online identity theft, spam, click fraud and Bitcoin mining. As the most effective general-purpose attack platform in the attacker's hands, botnets have become one of the greatest security threats on today's Internet.
Botnets pose such a large threat mainly for the following reasons:
A botnet is a new attack form derived from traditional worms and Trojans. Worms have the advantage of rapid propagation through security vulnerabilities but are uncontrollable; Trojans give the attacker remote control over the victim but spread slowly, scale poorly and offer only simple control. A botnet combines the advantages of both and makes up for their shortcomings, so it is more harmful.
A botnet is highly controllable, and its control logic is separated from its attacks. The "broilers" in a botnet are manipulated by the controller through the command and control channel and can launch a concentrated attack (such as a DDoS attack) against a specific target in a short time, so the degree of control is high. In addition, the bot program on a zombie host is responsible only for control logic; the actual attack task is dynamically distributed by the controller as needed. This splits the complete threat into multiple parts, which gives flexibility in task distribution and also improves the survivability of the botnet.
Security measures often lag behind the appearance of the corresponding new botnet. Signature-based detection is an effective method, but traditional signature generation techniques target only worms and cannot efficiently and automatically generate high-quality signatures, so a botnet cannot be effectively contained at the initial stage of its spread.
There are currently many botnet detection methods and systems, but most of them have problems such as high time overhead and difficult deployment, so they cannot really be put into wide use. Traditional intrusion detection systems (IDS) are widely applicable and can effectively find abnormal network behaviour in a particular network, but, lacking signatures and corresponding rules for a given botnet, they cannot find new potential botnet hosts in that network in time. Current signature extraction techniques have mainly the following problems:
Traditional signature generation algorithms are mostly aimed at worms; signature generation methods for HTTP botnets are lacking. The great majority of existing methods extract worm signatures, and because the command and control communication of a botnet has different characteristics, these traditional methods are not well suited to extracting HTTP botnet signatures.
Existing signature generation methods are inefficient and have high time overhead. Traditional signature generation relies mostly on manual judgement and cannot be automated at scale. Although a few researchers have proposed botnet signature extraction methods to address this problem, their computational cost is very large and they cannot be applied on a large scale.
The signatures generated by existing methods are of low quality and poor usability. Traditional methods do not take the command and control communication characteristics of HTTP botnets into account, so the generation method is not targeted, the generated signature sets are large and their quality is low.
Summary of the invention
The technical problem to be solved by the invention is to overcome the long signature generation time and the deployment difficulty of existing systems; to this end an automatic generation method and system for HTTP network signatures is proposed.
To achieve the above object, the invention provides an automatic generation method for HTTP network signatures, characterized in that the method comprises:
Packet signature generation step: extract statistical features and packet content from the request-response packets of multiple network samples, generate a coarse-grained cluster set by two-stage clustering, then perform the second clustering on the basis of the coarse-grained cluster set to generate a fine-grained cluster set, and generate the request-response packet signature set of the network samples from the fine-grained cluster set;
URI signature generation step: for traffic that was clustered into a class of its own in the network samples, perform a supplementary extraction of URI path and parameter signatures to generate the URI signature set;
HTTP network signature total set generation step: merge the request-response packet signature set and the URI signature set into the total signature set T_all.
In the above method, the packet signature generation step comprises:
Data extraction step: extract data flow statistical features and request-response packet content from the network samples;
Two-stage clustering step: perform two-stage clustering according to the statistical features of the network samples and the request-response packet content respectively, generating the fine-grained cluster set on the basis of the coarse-grained cluster set;
Request-response packet signature generation step: generate the signature sets of the request packets and of the response packets respectively from the fine-grained cluster set.
In the above method, before the data extraction step there is also:
White list filtering step: filter out the traffic in the network samples that accesses legitimate sites.
In the above method, the data extraction step further comprises:
Data content extraction step: extract the content of the request-response packets of each HTTP session connection;
Coarse-grained cluster attribute extraction step: taking each network sample as the unit, extract the four-dimensional statistics used for coarse-grained clustering, namely the total number of HTTP flows, the number of bytes transmitted per second, the mean HTTP packet size and the total number of HTTP packets, to obtain the coarse-grained cluster attribute;
Fine-grained cluster attribute extraction step: taking each HTTP session as the unit, extract the four-dimensional statistics used for fine-grained clustering, namely the number of request packets in the session, the number of response packets in the session, the size of the first request packet and the size of the first response packet, to obtain the fine-grained cluster attribute;
Data aggregation step: aggregate the request-response packet content, the coarse-grained cluster attribute and the fine-grained cluster attribute into a five-tuple data set whose entries have the form <sample id, session id, request-response packet content, coarse-grained cluster attribute, fine-grained cluster attribute>.
In the above method, the two-stage clustering step further comprises:
Coarse-grained clustering step: automatically cluster the five-tuple data set by the coarse-grained cluster attribute to obtain the coarse-grained cluster set C; if the coarse-grained cluster set C belongs to only one of the network samples, proceed to the URI signature generation step;
Fine-grained clustering step: on the basis of the coarse-grained cluster set C, automatically cluster all sessions in each c_i (c_i ∈ C) by the fine-grained cluster attribute to obtain the fine-grained cluster set C' (C' ∈ c_i);
Sample coverage determination step: if all sessions in a fine-grained cluster c_i' (c_i' ∈ C') come from k samples, where k is greater than 1 and less than or equal to the number of network samples, the fine-grained clustering is considered successful; otherwise the URI signature generation step is carried out.
In the above method, the request-response packet signature generation step further comprises:
HTTP signature set generation step: for all session connections in each fine-grained cluster c_i' (c_i' ∈ C'), generate the signatures of the request packets and of the response packets separately, automatically computing the token signature in succession, so that each fine-grained cluster c_i' finally yields one request packet signature and one response packet signature, which together form the HTTP signature set W;
Signature filtering step: filter and screen the HTTP signature set W, remove unqualified signatures and merge duplicate signatures to obtain the request-response packet signature set.
The invention also provides an automatic generation system for HTTP network signatures that uses the above method, characterized in that the system comprises:
Packet signature generation module: extracts statistical features and packet content from the request-response packets of multiple network samples, generates a coarse-grained cluster set by two-stage clustering, then performs the second clustering on the basis of the coarse-grained cluster set to generate a fine-grained cluster set, and generates the request-response packet signature set of the network samples from the fine-grained cluster set;
URI signature generation module: for traffic that was clustered into a class of its own in the network samples, performs a supplementary extraction of URI path and parameter signatures to generate the URI signature set;
HTTP network signature total set generation module: merges the request-response packet signature set and the URI signature set into the total signature set T_all.
In the above system, the packet signature generation module comprises:
White list filtering module: filters out the traffic that accesses legitimate sites;
Data extraction module: extracts data flow statistical features and request-response packet content from the network samples;
Two-stage clustering module: performs two-stage clustering according to the statistical features of the network samples and the request-response packet content respectively, generating the fine-grained cluster set on the basis of the coarse-grained cluster set;
Request-response packet signature generation module: generates the signature sets of the request packets and of the response packets respectively from the fine-grained cluster set.
In the above system, before the data extraction module there is also:
White list filtering module: filters out the traffic in the network samples that accesses legitimate sites.
In the above system, the data extraction module further comprises:
Data content extraction module: extracts the content of the request-response packets of each HTTP session connection;
Coarse-grained cluster attribute extraction module: taking each network sample as the unit, extracts the four-dimensional statistics used for coarse-grained clustering, namely the total number of HTTP flows, the number of bytes transmitted per second, the mean HTTP packet size and the total number of HTTP packets, to obtain the coarse-grained cluster attribute;
Fine-grained cluster attribute extraction module: taking each HTTP session as the unit, extracts the four-dimensional statistics used for fine-grained clustering, namely the number of request packets in the session, the number of response packets in the session, the size of the first request packet and the size of the first response packet, to obtain the fine-grained cluster attribute;
Data aggregation module: aggregates the request-response packet content, the coarse-grained cluster attribute and the fine-grained cluster attribute into a five-tuple data set whose entries have the form <sample id, session id, request-response packet content, coarse-grained cluster attribute, fine-grained cluster attribute>.
In the above system, the two-stage clustering module further comprises:
Coarse-grained clustering module: automatically clusters the five-tuple data set by the coarse-grained cluster attribute to obtain the coarse-grained cluster set C; if the coarse-grained cluster set C belongs to only one of the network samples, the URI signature generation module generates the URI signature;
Fine-grained clustering module: on the basis of the coarse-grained cluster set C, automatically clusters all sessions in each c_i (c_i ∈ C) by the fine-grained cluster attribute to obtain the fine-grained cluster set C' (C' ∈ c_i);
Sample coverage judgement module: if all sessions in a fine-grained cluster c_i' (c_i' ∈ C') come from k samples, where k is greater than 1 and less than or equal to the number of network samples, the fine-grained clustering is considered successful; otherwise the URI signature generation module generates the URI signature.
In the above system, the request-response packet signature generation module further comprises:
HTTP signature set generation module: for all session connections in each fine-grained cluster c_i' (c_i' ∈ C'), generates the signatures of the request packets and of the response packets separately, automatically computing the token signature in succession, so that each fine-grained cluster c_i' finally yields one request packet signature and one response packet signature, which together form the HTTP signature set W;
Signature filtering module: filters and screens the HTTP signature set W, removes unqualified signatures and merges duplicate signatures to obtain the request-response packet signature set.
Compared with the prior art, the invention exploits the statistical similarity of HTTP botnet command and control communication data and the principle that request-response packets contain most of a botnet's characteristic information, and proposes an automatic HTTP botnet signature generation method based on request-response packets. The method extracts the request-response packets and the associated statistical characteristics of a host's HTTP communication data, performs two-stage clustering of the HTTP data with the X-means clustering algorithm, and generates signatures with the longest common subsequence algorithm and a URI-based characterization method.
The invention has the following beneficial effects:
1. It can automatically extract the communication signatures of HTTP botnets;
2. It improves the efficiency of signature generation and reduces time and space overhead;
3. It improves the robustness and adaptability of the signature generation system; the high-quality signatures it generates can be used with an intrusion detection system such as Snort to detect the corresponding botnet on a large scale.
Brief description of the drawings
Fig. 1 is a flow diagram of the HTTP network signature automatic generation method of the invention;
Fig. 2 is a detailed flow diagram of the HTTP network signature automatic generation method of the invention;
Fig. 3 is a structural diagram of the HTTP network signature automatic generation system of the invention.
Reference numerals:
1 packet signature generation module; 2 URI signature generation module; 3 HTTP network signature total set generation module;
11 white list filtering module; 12 data extraction module; 13 two-stage clustering module; 14 request-response packet signature generation module;
121 request-response packet extraction module; 122 coarse-grained cluster attribute extraction module; 123 fine-grained cluster attribute extraction module; 124 data aggregation module;
131 coarse-grained clustering module; 132 fine-grained clustering module; 133 sample coverage judgement module;
141 HTTP signature set generation module; 142 signature filtering module;
S1~S3, S11~S14, S121~S124, S131~S133, S141~S142: the processing steps of the various embodiments of the invention
Detailed description
The invention is described below with reference to the drawings and specific embodiments, which do not limit the invention.
The object of the invention is to classify a large number of HTTP botnet samples and automatically produce the corresponding signatures for detection. Its advantage is that it needs no prior knowledge at all to generate a botnet's communication signatures, and it can even generate signatures for botnets that encrypt their communication content.
Applications of the invention: 1. an efficient method for automatically generating HTTP botnet signatures, for large-scale botnet detection; 2. in botnet research, classifying the botnets of different samples by their network behaviour and automatically extracting signatures.
The invention proposes an automatic generation method for HTTP network signatures that can accurately and automatically extract HTTP botnet signatures on the basis of request-response packets. Based on analysis of the network behaviour of a large number of botnet samples, the method takes the request-response packets of an HTTP session connection (the first request and the first response HTTP packet) as the objects of signature extraction and draws on the longest common subsequence (LCS) algorithm to generate high-quality HTTP botnet signatures automatically and efficiently. Based on the similarity of HTTP botnet command and control communication data, the invention designs an automatic signature generation system based on request-response packets.
As shown in Fig. 1 and Fig. 2, the network signature automatic generation method provided by the invention comprises the following concrete steps:
Packet signature generation step S1: extract statistical features and packet content from the request-response packets of multiple network samples, generate a coarse-grained cluster set by two-stage clustering, then perform the second clustering on the basis of the coarse-grained cluster set to generate a fine-grained cluster set, and generate the request-response packet signature set of the network samples from the fine-grained cluster set.
Signature generation is oriented to request-response packets because, according to a large number of statistics, the command and control connections of a botnet are short-lived, and in most communications the valuable features (information about the zombie host, the name of the requested binary file, the attack command, and so on) are concentrated in the request-response packets of the HTTP session connection (the first request and the first response HTTP packet). Therefore the HTTP request-response packets are adopted as the objects of signature generation. This greatly reduces packet storage and comparison overhead and improves the efficiency of signature generation.
Compared with mainstream signature generation techniques (Polygraph, Autograph, etc.), the invention targets the communication characteristics of HTTP botnets and computes on request-response packets rather than on all HTTP packets; compared with conventional methods this improves the efficiency of signature generation and reduces both running time and storage overhead.
The invention uses efficient two-stage clustering: the classical X-means algorithm is applied to the statistical properties of the sample data flows and to the request-response packet content of the sessions, for coarse-grained and fine-grained clustering respectively. Coarse-grained clustering takes the sample as the unit and uses four cluster attributes, namely the total number of HTTP flows, the number of bytes transmitted per second, the mean HTTP packet size and the total number of HTTP packets; this clustering groups samples with similar network behaviour together (on the assumption that they belong to the same class of botnet). Fine-grained clustering takes the HTTP session connection of a sample as the unit and, on the basis of the coarse-grained clusters, clusters all session connections within each class using four cluster attributes, namely the number of request packets in the session, the number of response packets in the session, the size of the first request packet and the size of the first response packet; fine-grained clustering groups similar packets together so that high-quality signatures can be generated. This two-stage clustering conveniently and effectively groups packets with similar content together without needing to understand the communication content, and reduces the tedious pairwise comparison of large numbers of packets.
The coarse- and fine-grained two-stage clustering method of the invention can quickly place packets with similar statistical features in the same cluster, which improves the speed of signature generation; this partitioning needs no prior knowledge, does not depend on particular content, and avoids the time overhead of comparing large numbers of packets pairwise.
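The following is an added example, not the patent's own code, of what happens to one fine-grained cluster after clustering: the sample coverage check (sessions from k samples with 1 < k ≤ N) and the successive LCS over the sessions' first request packets that yields an ordered token signature. The X-means step is assumed to have run already, and the sessions, sample ids and host name are constructed.

```python
"""Request-packet signature for one fine-grained cluster (added example)."""
from dataclasses import dataclass
from functools import reduce
from typing import List, Optional


@dataclass
class Session:
    sample_id: str        # botnet sample the session was captured from
    session_id: int
    first_request: bytes  # first HTTP request packet of the session


def lcs(a: bytes, b: bytes) -> bytes:
    """Longest common subsequence of two byte strings (standard DP)."""
    m, n = len(a), len(b)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            if a[i] == b[j]:
                dp[i + 1][j + 1] = dp[i][j] + 1
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j])
    out = bytearray()
    i, j = m, n
    while i and j:                       # backtrack to recover one LCS
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i -= 1
            j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return bytes(reversed(out))


def sample_coverage_ok(sessions: List[Session], n_samples: int) -> bool:
    """Cluster is usable only if its sessions come from k samples, 1 < k <= N."""
    k = len({s.sample_id for s in sessions})
    return 1 < k <= n_samples


def tokens_from_lcs(common: bytes, packets: List[bytes], min_len: int) -> List[bytes]:
    """Split the LCS into maximal runs that occur contiguously in every packet.

    A raw LCS may stitch together bytes from unrelated positions; keeping only
    runs that are real substrings of all packets gives ordered content tokens.
    """
    tokens, cur = [], b""
    for ch in common:
        cand = cur + bytes([ch])
        if all(cand in p for p in packets):
            cur = cand
        else:
            if len(cur) >= min_len:
                tokens.append(cur)
            cur = bytes([ch])
    if len(cur) >= min_len:
        tokens.append(cur)
    return tokens


def cluster_request_signature(sessions: List[Session], n_samples: int,
                              min_len: int = 3) -> Optional[List[bytes]]:
    """Ordered token signature of the cluster, or None when the coverage check
    fails (the method then falls back to URI signature generation)."""
    if not sample_coverage_ok(sessions, n_samples):
        return None
    packets = [s.first_request for s in sessions]
    common = reduce(lcs, packets)        # LCS computed successively over the cluster
    return tokens_from_lcs(common, packets, min_len)


def matches(signature: List[bytes], packet: bytes) -> bool:
    """True when every token occurs in the packet, in order (the '.*' chaining)."""
    pos = 0
    for tok in signature:
        idx = packet.find(tok, pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True


# Constructed sessions for one fine-grained cluster of a three-sample corpus.
CLUSTER = [
    Session("sample-A", 1, b"GET /gate.php?id=1001&os=win7 HTTP/1.1\r\nHost: cnc.example\r\nUser-Agent: bot/1.0\r\n\r\n"),
    Session("sample-B", 2, b"GET /gate.php?id=2077&os=winxp HTTP/1.1\r\nHost: cnc.example\r\nUser-Agent: bot/1.0\r\n\r\n"),
    Session("sample-A", 3, b"GET /gate.php?id=3&os=win8 HTTP/1.1\r\nHost: cnc.example\r\nUser-Agent: bot/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(cluster_request_signature(CLUSTER, n_samples=3))
```

The variable parameter values (id, OS) drop out of the signature while the invariant path, parameter names and headers survive; a cluster whose sessions all come from one sample returns None.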
URI signature generation step S2: for traffic that was clustered into a class of its own in the network samples, perform a supplementary extraction of URI path and parameter signatures to generate the URI signature set.
In the clustering of traffic from many samples, the traffic of one or several samples is often placed in a class by itself. In this case a supplementary means is adopted: the URI in the request line of the sample's request packets is analysed, and the path and the request parameters in it are extracted as the sample's signature. This improves the robustness and adaptability of the signature extraction system to a certain extent.
Sample data for which clustering produced a single-sample cluster, for which fine-grained clustering failed, or for which request-response packet signature generation failed are sent to URI signature generation step S2, which extracts a signature from the URI path of the HTTP request line (ending at the '?' that begins the query string) and from the parameters (the parameter names submitted in the URI): taking the sample as the unit, all request packets of the sample are examined and the path and parameter set of the request line are extracted. For example, for a packet whose request line is "GET /weather/getweather.aspx?t=1377511384901&cityno= HTTP/1.1", the extracted path is /weather/getweather.aspx and the parameters are t and cityno; the token signature is written /weather/getweather.aspx.*t.*cityno. Finally the URI signature set of these samples is obtained.
The URI path and parameter signature extraction introduced by the invention effectively handles the failure of single-sample clustering in traditional signature extraction methods and improves the robustness and adaptability of the system to a certain extent.
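The following added example (not the patent's code) implements the step S2 fallback: it parses the request line into path and parameter names, forms the path.*p1.*p2 token signature shown above, de-duplicates it over a sample, and turns it into a matcher. It goes one step beyond the description with an optional strict mode that matches parameter names only at `?name=` or `&name=`, because a bare parameter name such as `t` otherwise matches inside any later word. The request lines are constructed; the first is the one quoted above.

```python
"""URI path/parameter signature fallback (added example)."""
import re
from typing import List, Optional


def uri_tokens(request_line: str) -> Optional[List[str]]:
    """[path, param1, param2, ...] from 'METHOD SP target SP HTTP/x.y', else None."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                              # not a well-formed request line
    path, _, query = parts[1].partition("?")     # path ends at the '?'
    names: List[str] = []
    for pair in query.split("&"):
        name = pair.split("=", 1)[0]             # values vary, only names are kept
        if name and name not in names:           # keep first-seen order, drop repeats
            names.append(name)
    return [path] + names


def uri_signature(request_line: str) -> Optional[str]:
    """Token signature in the description's notation, e.g. /a.aspx.*t.*cityno."""
    tokens = uri_tokens(request_line)
    return None if tokens is None else ".*".join(tokens)


def sample_uri_signatures(request_lines: List[str]) -> List[str]:
    """URI signature set of one sample: every distinct signature, first-seen order."""
    seen: List[str] = []
    for line in request_lines:
        sig = uri_signature(line)
        if sig is not None and sig not in seen:
            seen.append(sig)
    return seen


def signature_regex(tokens: List[str], strict: bool = False) -> "re.Pattern[str]":
    """Regex for a token list; tokens are escaped so they match literally.

    strict=True anchors each parameter name to a query delimiter, which is an
    added hardening, not part of the description's notation.
    """
    path, names = tokens[0], tokens[1:]
    if strict:
        return re.compile(re.escape(path) + "".join(".*[?&]" + re.escape(n) + "=" for n in names))
    return re.compile(".*".join(re.escape(t) for t in tokens))


def signature_matches(tokens: List[str], request_line: str, strict: bool = False) -> bool:
    """True when the request line carries the path and parameter names in order."""
    return signature_regex(tokens, strict).search(request_line) is not None


# Constructed request lines of one sample; the first is the example from the text.
SAMPLE_REQUESTS = [
    "GET /weather/getweather.aspx?t=1377511384901&cityno= HTTP/1.1",
    "GET /weather/getweather.aspx?t=1377511400000&cityno=101 HTTP/1.1",
    "POST /upload.php?sid=9&sid=9 HTTP/1.1",
    "not a request line",
]

if __name__ == "__main__":
    for sig in sample_uri_signatures(SAMPLE_REQUESTS):
        print(sig)
```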
HTTP network signature total set generation step S3: merge the request-response packet signature set and the URI signature set into the total signature set T_all.
Merging the request-response packet signature set with the URI signature set yields the final signature set T_all. At the same time, samples that lie in the same coarse-grained cluster and share a common "representative fine-grained cluster" are considered to belong to the same class of botnet.
The packet signature generation step S1 further comprises:
Whitelist filtering step S11: filtering out the traffic that accesses legitimate sites;
The HTTP data of the botnet samples first enter the "whitelist filtering module". Botnet controllers, in order to resist detection, mix legitimate requests (for example accesses to Google or Baidu) into the command-and-control communication stream with the intention of interfering with detection and signature generation. Therefore, so as not to degrade the quality of the generated signatures, the HTTP traffic that accesses legitimate sites is filtered out according to a third-party authoritative website ranking (for example the top 500 of the Alexa ranking), and the HTTP data remaining after filtering are handed to the "data extraction module" for processing.
Data extraction step S12: extracting the data-flow statistics and the request/response packet content of each network sample;
Two-stage clustering step S13: performing two-stage clustering according to the sample traffic statistics and the request/response packet content: generating the coarse-grained cluster set, and then, on the basis of the coarse-grained cluster set, generating the fine-grained cluster set;
Request/response packet signature generation step S14: generating the request packet signature set and the response packet signature set respectively from the fine-grained cluster set.
The data extraction step S12 further comprises:
Data content extraction step S121: extracting the content of the request/response packets of each HTTP session connection;
Coarse-grained cluster attribute extraction step S122: taking each network sample as a unit, extracting the four-dimensional coarse-grained cluster statistics, comprising total HTTP flows, bytes transmitted per second, mean HTTP packet size and total HTTP packets, to obtain the coarse-grained cluster attributes;
Fine-grained cluster attribute extraction step S123: taking each HTTP session as a unit, extracting the four-dimensional fine-grained cluster statistics, comprising session request packet count, session response packet count, first request packet size and first response packet size, to obtain the fine-grained cluster attributes;
Data set combination step S124: combining the request/response packet content, the coarse-grained cluster attributes and the fine-grained cluster attributes into the five-tuple data set, the format of the five-tuple being <sample id, session id, request/response packet content, coarse-grained cluster attributes, fine-grained cluster attributes>.
In data extraction step S12, data-flow statistics and packet content extraction are performed on the HTTP data of each sample, in three main parts: first, extracting the content of the request/response packets (the first request and the first response HTTP packet) of each HTTP session connection; second, taking each network sample as a unit, extracting the four-dimensional coarse-grained cluster statistics, namely total HTTP flows, bytes transmitted per second, mean HTTP packet size and total HTTP packets; third, taking each session connection as a unit, extracting the four-dimensional fine-grained cluster statistics, namely session request packet count, session response packet count, first request packet size and first response packet size. The three parts can be carried out concurrently, and finally the five-tuple data set is obtained, whose format is <sample id, session id, request/response packet content, coarse-grained cluster attributes, fine-grained cluster attributes>. Here "sample id" uniquely identifies a botnet sample (data source); this identifier does not indicate the botnet family: for example, if two hosts A and B in the same local area network are controlled by the same botnet, their sample ids still differ. "Session id" uniquely identifies one HTTP session connection within the sample data. After extraction, the five-tuple data set is passed to two-stage clustering step S13.
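The whitelist filtering step S11 and the five-tuple extraction of step S12, written out as an added example in Python. This is not the patent's own code: the whitelist is a two-entry stand-in for the top-500 ranking list, the sessions and the C2 host name c2.example are constructed, and the capture is assumed to provide first/last packet times per session so that "bytes per second" can be computed over the sample's whole capture window.

```python
# Added example (Python), not the patent's code: whitelist filtering (step S11)
# and five-tuple extraction (step S12) over a constructed set of HTTP sessions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Session:
    sample_id: str          # identifies the botnet sample (data source), not the family
    session_id: str         # unique per HTTP session connection of that sample
    host: str               # Host header of the session (may carry a port)
    t_start: float          # first packet time in seconds (assumed available from the capture)
    t_end: float            # last packet time in seconds
    requests: List[bytes]   # HTTP request packets in order
    responses: List[bytes]  # HTTP response packets in order

# Stand-in for the "top 500 of a third-party ranking" list the patent mentions.
WHITELIST = {"google.com", "baidu.com"}

def is_whitelisted(host: str, whitelist=WHITELIST) -> bool:
    """Exact or subdomain match after stripping a trailing :port."""
    h = host.strip().lower()
    if h.count(":") == 1:            # "host:port" (not an IPv6 literal)
        h = h.split(":")[0]
    return any(h == w or h.endswith("." + w) for w in whitelist)

def whitelist_filter(sessions: List[Session], whitelist=WHITELIST) -> List[Session]:
    """Step S11: drop sessions to legitimate sites before signature generation."""
    return [s for s in sessions if not is_whitelisted(s.host, whitelist)]

def coarse_attributes(sessions: List[Session]) -> Tuple[int, float, float, int]:
    """Per-sample four-tuple: (total HTTP flows, bytes per second,
    mean HTTP packet size, total HTTP packets)."""
    packets = [p for s in sessions for p in s.requests + s.responses]
    total_bytes = sum(len(p) for p in packets)
    duration = max(s.t_end for s in sessions) - min(s.t_start for s in sessions)
    duration = duration if duration > 0 else 1.0   # single-instant capture: assume 1 s
    return (len(sessions), total_bytes / duration,
            total_bytes / len(packets) if packets else 0.0, len(packets))

def fine_attributes(s: Session) -> Tuple[int, int, int, int]:
    """Per-session four-tuple: (request count, response count,
    first request size, first response size)."""
    return (len(s.requests), len(s.responses),
            len(s.requests[0]) if s.requests else 0,
            len(s.responses[0]) if s.responses else 0)

FiveTuple = Tuple[str, str, Tuple[bytes, bytes], Tuple[int, float, float, int], Tuple[int, int, int, int]]

def extract_five_tuples(sessions: List[Session]) -> List[FiveTuple]:
    """Step S12: <sample id, session id, first request/response content,
    coarse-grained attributes, fine-grained attributes> for every session."""
    by_sample: Dict[str, List[Session]] = {}
    for s in sessions:
        by_sample.setdefault(s.sample_id, []).append(s)
    coarse = {sid: coarse_attributes(ss) for sid, ss in by_sample.items()}
    return [(s.sample_id, s.session_id,
             (s.requests[0] if s.requests else b"", s.responses[0] if s.responses else b""),
             coarse[s.sample_id], fine_attributes(s))
            for s in sessions]

# Constructed input: two samples talking to a hypothetical C2 host, plus one
# legitimate request mixed in by sample A to disturb signature generation.
REQ = b"GET /gate.php?id=1 HTTP/1.1\r\nHost: c2.example\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SESSIONS = [
    Session("A", "A-1", "c2.example", 0.0, 2.0, [REQ], [RESP]),
    Session("A", "A-2", "c2.example", 3.0, 4.0, [REQ], [RESP]),
    Session("A", "A-3", "www.google.com:443", 4.5, 5.0,
            [b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"], [RESP]),
    Session("B", "B-1", "c2.example", 10.0, 12.0, [REQ], [RESP]),
]

def run() -> List[FiveTuple]:
    """Whitelist filter first, then extract: the coarse statistics of sample A
    are computed only over its two remaining C2 sessions."""
    return extract_five_tuples(whitelist_filter(SESSIONS))

if __name__ == "__main__":
    for row in run():
        print(row[0], row[1], row[3], row[4])
```

Note that the whitelist match is applied to the Host header, so a controller that proxies its traffic through a whitelisted domain would be dropped as legitimate; the filter only removes the noise the patent describes, it does not vouch for what remains.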
The two-stage clustering step S13 further comprises:
Coarse-grained clustering step S131: automatically clustering the five-tuple data set by the coarse-grained cluster attributes to obtain the coarse-grained cluster set C; if a coarse-grained cluster in C belongs to only one network sample, performing URI signature generation step S2 for it;
Fine-grained clustering step S132: on the basis of the coarse-grained cluster set C, automatically clustering all sessions in each c_i (c_i ∈ C) by the fine-grained cluster attributes to obtain the fine-grained cluster set C' of c_i (each cluster in C' being a subset of the sessions of c_i);
Sample coverage determination step S133: if the sessions of a fine-grained cluster c'_i (c'_i ∈ C') derive from k samples, k being greater than 1 and at most the number of network samples, the fine-grained clustering is deemed successful; otherwise URI signature generation step S2 is performed.
First, coarse-grained clustering is applied to the five-tuple data set. The clustering algorithm is the publicly available X-means algorithm: the samples are clustered according to the four-dimensional coarse-grained attribute values (total HTTP flows, bytes transmitted per second, mean HTTP packet size, total HTTP packets), yielding the coarse-grained cluster set C. Clusters that contain only a single sample are removed, and their corresponding five-tuple data are passed to URI signature generation step S2. Then, on the basis of the coarse-grained clusters, taking each cluster c_i (c_i ∈ C) as a unit, all session connections of all samples in the coarse-grained cluster are clustered according to the four-dimensional fine-grained attribute values (session request packet count, session response packet count, first request packet size, first response packet size); the clustering algorithm is again X-means. Within each coarse-grained cluster a new fine-grained cluster set C' is produced. The session sources of each fine-grained cluster in C' are then checked: for c'_i ∈ C', if the session connections in c'_i derive from at least k different samples (k being greater than 1 and at most the number of samples in the coarse-grained cluster c_i, which is in turn at most the number of network samples; the concrete value can be set freely), the fine-grained cluster c'_i meets the requirement and the corresponding samples have a "representative cluster"; otherwise, because it does not contain enough samples, the fine-grained cluster is not representative. If one or more samples in a coarse-grained cluster c_i have no "representative" fine-grained cluster at all (none with a sufficient number of samples), fine-grained clustering has failed for those samples: no group of samples similar to them and of sufficient size has been found, and the data set of these samples is passed to the "URI signature generation module". The fine-grained clusters c'_i that meet the requirement proceed to request/response packet signature generation step S14.
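The two-stage clustering and the sample coverage check (steps S131 to S133 above), as an added example in Python. This is not the patent's code: the patent clusters with X-means, and here a greedy radius ("leader") clustering over min-max scaled attributes stands in for it, passed as a function so that an X-means implementation can be substituted. The five-tuples are constructed; the point of the example is the routing logic, namely which rows end up in a representative fine-grained cluster and which are handed to URI signature generation step S2.

```python
# Added example (Python), not the patent's code: two-stage clustering
# (steps S131/S132) and the sample-coverage check (S133) over constructed
# five-tuples. The patent clusters with X-means; a greedy radius ("leader")
# clustering stands in here and is passed as a function so a real X-means
# implementation can replace it.
import math
from typing import Callable, List, Sequence, Tuple

Vector = Tuple[float, ...]
Row = tuple   # (sample id, session id, (request, response), coarse attrs, fine attrs)

def leader_cluster(points: Sequence[Vector], radius: float = 0.25) -> List[List[int]]:
    """Min-max scale each dimension, then assign every point to the first
    cluster whose running centroid lies within `radius`, else open a new
    cluster. Returns groups of point indices."""
    if not points:
        return []
    dims = len(points[0])
    lo = [min(p[d] for p in points) for d in range(dims)]
    hi = [max(p[d] for p in points) for d in range(dims)]
    scaled = [tuple((p[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                    for d in range(dims)) for p in points]
    groups: List[List[int]] = []
    centroids: List[Vector] = []
    for i, p in enumerate(scaled):
        for g, ctr in enumerate(centroids):
            if math.dist(p, ctr) <= radius:
                groups[g].append(i)
                n = len(groups[g])
                centroids[g] = tuple((ctr[d] * (n - 1) + p[d]) / n for d in range(dims))
                break
        else:
            groups.append([i])
            centroids.append(p)
    return groups

def two_stage_cluster(rows: Sequence[Row], k: int = 2,
                      cluster: Callable[[Sequence[Vector]], List[List[int]]] = leader_cluster
                      ) -> Tuple[List[List[Row]], List[Row]]:
    """Returns (representative fine-grained clusters, rows routed to URI step S2).
    k is the minimum number of distinct samples a fine-grained cluster must
    cover; it is clamped to 1 < k <= samples in the coarse-grained cluster."""
    samples = sorted({r[0] for r in rows})
    coarse_points = [next(r[3] for r in rows if r[0] == s) for s in samples]  # one point per sample
    representative: List[List[Row]] = []
    to_uri: List[Row] = []
    for group in cluster(coarse_points):
        members = {samples[i] for i in group}
        c_rows = [r for r in rows if r[0] in members]
        if len(members) == 1:                    # S131: lone sample, no peers to compare with
            to_uri.extend(c_rows)
            continue
        k_eff = max(2, min(k, len(members)))
        covered = set()
        for fine in cluster([r[4] for r in c_rows]):   # S132: all sessions of the coarse cluster
            f_rows = [c_rows[i] for i in fine]
            origins = {r[0] for r in f_rows}
            if len(origins) >= k_eff:           # S133: enough distinct samples -> representative
                representative.append(f_rows)
                covered |= origins
        to_uri.extend(r for r in c_rows if r[0] not in covered)  # samples with no representative cluster
    return representative, to_uri

# Constructed five-tuples (contents abbreviated): A, B and C have similar
# per-sample traffic statistics, D is an outlier; within {A, B, C} only A and B
# have sessions of similar shape.
ROWS: List[Row] = [
    ("A", "A-1", (b"GET /gate.php?id=1 HTTP/1.1", b"HTTP/1.1 200 OK"), (10, 500.0, 300.0, 40), (1, 1, 120, 80)),
    ("A", "A-2", (b"GET /gate.php?id=1 HTTP/1.1", b"HTTP/1.1 200 OK"), (10, 500.0, 300.0, 40), (1, 1, 122, 80)),
    ("B", "B-1", (b"GET /gate.php?id=2 HTTP/1.1", b"HTTP/1.1 200 OK"), (11, 520.0, 310.0, 42), (1, 1, 121, 82)),
    ("C", "C-1", (b"POST /upload HTTP/1.1", b"HTTP/1.1 200 OK"), (9, 480.0, 290.0, 38), (6, 6, 900, 4000)),
    ("C", "C-2", (b"POST /upload HTTP/1.1", b"HTTP/1.1 200 OK"), (9, 480.0, 290.0, 38), (5, 5, 880, 3900)),
    ("D", "D-1", (b"GET /index.html HTTP/1.1", b"HTTP/1.1 200 OK"), (200, 9000.0, 1200.0, 4000), (30, 30, 400, 60000)),
]

def run() -> Tuple[List[List[Row]], List[Row]]:
    return two_stage_cluster(ROWS)

if __name__ == "__main__":
    rep, uri = run()
    for cl in rep:
        print("representative:", [r[1] for r in cl])
    print("to URI step S2:", [r[1] for r in uri])
```

Sample D is isolated already at the coarse stage; sample C shares a coarse cluster with A and B but none of its sessions lands in a cluster covering two or more samples, so both are routed to step S2, while the A/B sessions form the one representative cluster that goes on to step S14.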
The request/response packet signature generation step S14 further comprises:
HTTP signature set generation step S141: for all session connections in each fine-grained cluster c'_i (c'_i ∈ C'), generating signatures separately for the request packets and the response packets by automatically computing token signatures in turn, so that each fine-grained cluster c'_i finally obtains one request packet signature and one response packet signature, which form the HTTP signature set W;
Signature generation is performed on all session connections in each fine-grained cluster c'_i, divided by packet type into request packet signature generation and response packet signature generation. The longest common subsequence algorithm (LCS) is used as the signature generation algorithm, producing token signatures of the form t1.*t2.*t3.*t4, where t_i denotes a common substring and .* denotes a wildcard: before, after and between the common substrings, unmatched characters may occur. The comparison proceeds as follows: suppose there are four session connections a, b, c and d. First the request packets of a and b are compared by LCS to obtain token signature t; t with all .* removed is converted to text and compared by LCS with the request packet of c to obtain token signature s; s is in turn converted to text and compared with the request packet of d to obtain the final request packet signature w. The response packet signature is computed in the same way. After this computation each fine-grained cluster c'_i produces one request packet signature and one response packet signature; these signatures are collected, annotated with the sample ids involved, and each coarse-grained cluster c_i obtains a signature set W.
Signature filtering step S142: filtering the HTTP signature set W, removing unqualified signatures and merging duplicate signatures, to obtain the request/response packet signature set.
The request/response signature set W produced above is filtered as follows: first, common substrings t_i in a token signature that are too short (for example, of length below 4) are deleted; then the common substrings contained in the token signatures are filtered against HTTP header fields and content that commonly appear in legitimate packets (for example HTTP/1.1, Cache-Control: no-cache), which are removed; finally duplicate token signatures are de-duplicated and merged, yielding the final request/response packet signature set of the botnet. During filtering, all signatures of some sample may be deleted because none meets the requirements (too short, or consisting only of common strings); such a sample is considered to have failed request/response signature generation and is likewise passed to URI signature generation step S2.
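Steps S141 and S142 written out as an added example in Python, together with the emission of a kept signature as a Snort rule, which the specification names as the intended consumer. This is not the patent's code: the packet contents of the fine-grained cluster, the C2 host name c2.example, the list of common HTTP fragments and the Snort rule header are constructed assumptions. One refinement over the description above is made explicit: after LCS, a token is only a run of matched characters that is contiguous in both inputs, so scattered one-character matches become their own short tokens (removed by the length filter) instead of being glued into a false common substring.

```python
# Added example (Python), not the patent's code: token-signature generation by
# iterated LCS (step S141), signature filtering (step S142), and emission of a
# kept signature as a Snort rule. Packet contents, the common-string list and
# the Snort rule header are constructed assumptions.
from typing import List, Sequence, Tuple

def lcs_pairs(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Index pairs (i, j) of one longest common subsequence of a and b
    (O(len(a)*len(b)) table, fine for single HTTP packets)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    pairs, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            pairs.append((i, j)); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return pairs

def lcs_tokens(a: bytes, b: bytes) -> List[bytes]:
    """Turn the LCS into tokens t1, t2, ...: maximal runs that are contiguous
    in BOTH inputs, so scattered single-character matches stay separate."""
    tokens: List[bytes] = []
    cur, prev = b"", None
    for i, j in lcs_pairs(a, b):
        if prev is not None and (i, j) != (prev[0] + 1, prev[1] + 1):
            tokens.append(cur); cur = b""
        cur += a[i:i + 1]; prev = (i, j)
    if cur:
        tokens.append(cur)
    return tokens

def token_signature(packets: Sequence[bytes]) -> List[bytes]:
    """Step S141: fold over the packets; after each LCS the tokens are joined
    (the '.*' wildcards removed) and compared with the next packet."""
    if not packets:
        return []
    tokens = [packets[0]]
    for p in packets[1:]:
        tokens = lcs_tokens(b"".join(tokens), p)
    return tokens

# Fragments found in most legitimate HTTP packets (assumed list; the patent
# names HTTP/1.1 and Cache-Control: no-cache as examples).
COMMON = (b"Cache-Control: no-cache", b"Content-Length:", b"HTTP/1.1", b"HTTP/1.0", b"\r\n\r\n", b"\r\n")
MIN_LEN = 4

def informative_length(token: bytes) -> int:
    """Bytes left once common protocol fragments are removed."""
    for frag in COMMON:
        token = token.replace(frag, b"")
    return len(token.strip())

def filter_signatures(signatures: Sequence[Sequence[bytes]]) -> List[Tuple[bytes, ...]]:
    """Step S142: drop tokens that are too short or purely common, drop
    signatures left empty, and merge duplicates (order preserved)."""
    kept: List[Tuple[bytes, ...]] = []
    for sig in signatures:
        tokens = tuple(t for t in sig if len(t) >= MIN_LEN and informative_length(t) >= MIN_LEN)
        if tokens and tokens not in kept:
            kept.append(tokens)
    return kept

def snort_rule(tokens: Sequence[bytes], sid: int, msg: str, to_server: bool = True) -> str:
    """Render t1.*t2.*... as ordered Snort content matches (distance:0 keeps
    the order). Hex content avoids escaping ';', '"', '|' and backslashes."""
    flow = "to_server,established" if to_server else "to_client,established"
    hdr = "any any -> any $HTTP_PORTS" if to_server else "any $HTTP_PORTS -> any any"
    contents = []
    for n, t in enumerate(tokens):
        hexed = " ".join(f"{byte:02X}" for byte in t)
        contents.append(f'content:"|{hexed}|";' + (" distance:0;" if n else ""))
    return f'alert tcp {hdr} (msg:"{msg}"; flow:{flow}; ' + " ".join(contents) + f" sid:{sid}; rev:1;)"

# Constructed sessions of one fine-grained cluster: the same C2 check-in with a varying id.
REQUESTS = [
    b"GET /gate.php?id=1001 HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    b"GET /gate.php?id=2345 HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    b"GET /gate.php?id=77 HTTP/1.1\r\nHost: c2.example\r\n\r\n",
]
RESPONSES = [
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 5\r\n\r\nsleep",
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 4\r\n\r\nddos",
]

def run() -> List[Tuple[bytes, ...]]:
    """Request and response signatures of the cluster after filtering."""
    return filter_signatures([token_signature(REQUESTS), token_signature(RESPONSES)])

if __name__ == "__main__":
    for n, sig in enumerate(run()):
        print(b".*".join(sig))
        print(snort_rule(sig, 1000001 + n, "example C2 check-in", to_server=(n == 0)))
```

On this input the request signature is `GET /gate.php?id=` followed by the fixed tail of the request, while the response signature keeps only the status line and header prefix: the `\r\n\r\n` separator and the single common byte of the two bodies are dropped by the length and common-content filters. Note that joining the tokens before the next LCS, as the patent describes, can let a later packet match across a token boundary; the contiguity rule in lcs_tokens limits but does not eliminate that effect.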
The present invention generates signatures automatically, the generated signatures are of high quality, and they can be used in combination with an intrusion detection system such as Snort to detect the corresponding botnets at large scale.
The present invention also provides an automatic HTTP network signature generation system. It can be deployed alone on a server or host (for example a honeypot host) to obtain all HTTP data produced by botnet samples; or the system can be deployed at the gateway of a specified network, linked with a botnet detection system on the network boundary, and read the botnet HTTP data stored in the detection system's back-end database.
An automatic HTTP network signature generation system, as shown in Figure 3, comprises: packet signature generation module 1, URI signature generation module 2 and HTTP network signature total set generation module 3;
Packet signature generation module 1: for the data-flow statistics and packet content extracted from the request/response packets of multiple network samples, performing two-stage clustering: generating the coarse-grained cluster set, then generating the fine-grained cluster set on the basis of the coarse-grained cluster set, and generating the request/response packet signature set of the network samples from the fine-grained cluster set;
URI signature generation module 2: for traffic of the network samples that is clustered into an isolated class, performing supplementary extraction of URI path and parameter signatures to generate the URI signature set;
HTTP network signature total set generation module 3: merging the request/response packet signature set and the URI signature set to generate the total signature set T_all.
The packet signature generation module 1 comprises:
Whitelist filtering module 11: filtering out the traffic that accesses legitimate sites;
Data extraction module 12: extracting the data-flow statistics and the request/response packet content of each network sample;
Two-stage clustering module 13: performing two-stage clustering according to the sample traffic statistics and the request/response packet content: generating the coarse-grained cluster set, and then, on the basis of the coarse-grained cluster set, generating the fine-grained cluster set;
Request/response packet signature generation module 14: generating the request packet signature set and the response packet signature set respectively from the fine-grained cluster set.
The data extraction module 12 further comprises:
Data content extraction module 121: extracting the content of the request/response packets of each HTTP session connection;
Coarse-grained cluster attribute extraction module 122: taking each network sample as a unit, extracting the four-dimensional coarse-grained cluster statistics, comprising total HTTP flows, bytes transmitted per second, mean HTTP packet size and total HTTP packets, to obtain the coarse-grained cluster attributes;
Fine-grained cluster attribute extraction module 123: taking each HTTP session as a unit, extracting the four-dimensional fine-grained cluster statistics, comprising session request packet count, session response packet count, first request packet size and first response packet size, to obtain the fine-grained cluster attributes;
Data set combination module 124: combining the request/response packet content, the coarse-grained cluster attributes and the fine-grained cluster attributes into the five-tuple data set, the format of the five-tuple being <sample id, session id, request/response packet content, coarse-grained cluster attributes, fine-grained cluster attributes>.
The two-stage clustering module 13 further comprises:
Coarse-grained clustering module 131: automatically clustering the five-tuple data set by the coarse-grained cluster attributes to obtain the coarse-grained cluster set C; if a coarse-grained cluster in C belongs to only one network sample, generating the URI signature for it by the URI signature generation module;
Fine-grained clustering module 132: on the basis of the coarse-grained cluster set C, automatically clustering all sessions in each c_i (c_i ∈ C) by the fine-grained cluster attributes to obtain the fine-grained cluster set C' of c_i (each cluster in C' being a subset of the sessions of c_i);
Sample coverage judging module 133: if the sessions of a fine-grained cluster c'_i (c'_i ∈ C') derive from k samples, k being greater than 1 and at most the number of network samples, the fine-grained clustering is deemed successful; otherwise the URI signature is generated by the URI signature generation module.
The request/response packet signature generation module 14 further comprises:
HTTP signature set generation module 141: for all session connections in each fine-grained cluster c'_i (c'_i ∈ C'), generating signatures separately for the request packets and the response packets by automatically computing token signatures in turn, so that each fine-grained cluster c'_i finally obtains one request packet signature and one response packet signature, which form the HTTP signature set W;
Signature filtering module 142: filtering the HTTP signature set W, removing unqualified signatures and merging duplicate signatures, to obtain the request/response packet signature set.
Of course, the present invention can also have various other embodiments. Without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and modifications according to the present invention, but all such corresponding changes and modifications shall fall within the scope of protection of the appended claims of the present invention.

Claims (12)

1. An automatic HTTP network signature generation method, characterized in that the method comprises:
a packet signature generation step: for the data-flow statistics and packet content extracted from the request/response packets of a plurality of network samples, performing two-stage clustering: generating a coarse-grained cluster set, then generating a fine-grained cluster set on the basis of the coarse-grained cluster set, and generating the request/response packet signature set of the network samples from the fine-grained cluster set;
a URI signature generation step: for traffic of the network samples that is clustered into an isolated class, performing supplementary extraction of URI path and parameter signatures to generate the URI signature set;
an HTTP network signature total set generation step: merging the request/response packet signature set and the URI signature set to generate the total signature set T_all.
2. The automatic HTTP network signature generation method according to claim 1, characterized in that the packet signature generation step comprises:
a data extraction step: extracting the data-flow statistics and the request/response packet content of the network samples;
a two-stage clustering step: performing two-stage clustering according to the sample traffic statistics and the request/response packet content: generating the coarse-grained cluster set, and then, on the basis of the coarse-grained cluster set, generating the fine-grained cluster set;
a request/response packet signature generation step: generating the request packet signature set and the response packet signature set respectively from the fine-grained cluster set.
3. The automatic HTTP network signature generation method according to claim 2, characterized in that, before the data extraction step, the method further comprises:
a whitelist filtering step: filtering out the traffic in the network samples that accesses legitimate sites.
4. The automatic HTTP network signature generation method according to claim 2, characterized in that the data extraction step further comprises:
a data content extraction step: extracting the content of the request/response packets of each HTTP session connection;
a coarse-grained cluster attribute extraction step: taking each network sample as a unit, extracting the four-dimensional coarse-grained cluster statistics, comprising total HTTP flows, bytes transmitted per second, mean HTTP packet size and total HTTP packets, to obtain the coarse-grained cluster attributes;
a fine-grained cluster attribute extraction step: taking each HTTP session as a unit, extracting the four-dimensional fine-grained cluster statistics, comprising session request packet count, session response packet count, first request packet size and first response packet size, to obtain the fine-grained cluster attributes;
a data set combination step: combining the request/response packet content, the coarse-grained cluster attributes and the fine-grained cluster attributes into the five-tuple data set, the format of the five-tuple being <sample id, session id, request/response packet content, coarse-grained cluster attributes, fine-grained cluster attributes>.
5. The automatic HTTP network signature generation method according to claim 2, characterized in that the two-stage clustering step further comprises:
a coarse-grained clustering step: automatically clustering the five-tuple data set by the coarse-grained cluster attributes to obtain the coarse-grained cluster set C; if a coarse-grained cluster in C belongs to only one network sample, performing the URI signature generation step for it;
a fine-grained clustering step: on the basis of the coarse-grained cluster set C, automatically clustering all sessions in each c_i (c_i ∈ C) by the fine-grained cluster attributes to obtain the fine-grained cluster set C' of c_i (each cluster in C' being a subset of the sessions of c_i);
a sample coverage determination step: if the sessions of a fine-grained cluster c'_i (c'_i ∈ C') derive from k samples, k being greater than 1 and at most the number of network samples, the fine-grained clustering is deemed successful; otherwise the URI signature generation step is performed.
6. The automatic HTTP network signature generation method according to claim 2, characterized in that the request/response packet signature generation step further comprises:
an HTTP signature set generation step: for all session connections in each fine-grained cluster c'_i (c'_i ∈ C'), generating signatures separately for the request packets and the response packets by automatically computing token signatures in turn, so that each fine-grained cluster c'_i finally obtains one request packet signature and one response packet signature, which form the HTTP signature set W;
a signature filtering step: filtering the HTTP signature set W, removing unqualified signatures and merging duplicate signatures, to obtain the request/response packet signature set.
7. An automatic HTTP network signature generation system, using the automatic network signature generation method according to any one of claims 1 to 6, characterized in that the system comprises:
a packet signature generation module: for the data-flow statistics and packet content extracted from the request/response packets of a plurality of network samples, performing two-stage clustering: generating a coarse-grained cluster set, then generating a fine-grained cluster set on the basis of the coarse-grained cluster set, and generating the request/response packet signature set of the network samples from the fine-grained cluster set;
a URI signature generation module: for traffic of the network samples that is clustered into an isolated class, performing supplementary extraction of URI path and parameter signatures to generate the URI signature set;
an HTTP network signature total set generation module: merging the request/response packet signature set and the URI signature set to generate the total signature set T_all.
8. The automatic HTTP network signature generation system according to claim 7, characterized in that the packet signature generation module comprises:
a whitelist filtering module: filtering out the traffic that accesses legitimate sites;
a data extraction module: extracting the data-flow statistics and the request/response packet content of the network samples;
a two-stage clustering module: performing two-stage clustering according to the sample traffic statistics and the request/response packet content: generating the coarse-grained cluster set, and then, on the basis of the coarse-grained cluster set, generating the fine-grained cluster set;
a request/response packet signature generation module: generating the request packet signature set and the response packet signature set respectively from the fine-grained cluster set.
9. The automatic HTTP network signature generation system according to claim 8, characterized in that, before the data extraction module, the system further comprises:
a whitelist filtering module: filtering out the traffic in the network samples that accesses legitimate sites.
10. The automatic HTTP network signature generation system according to claim 8, characterized in that the data extraction module further comprises:
a data content extraction module: extracting the content of the request/response packets of each HTTP session connection;
a coarse-grained cluster attribute extraction module: taking each network sample as a unit, extracting the four-dimensional coarse-grained cluster statistics, comprising total HTTP flows, bytes transmitted per second, mean HTTP packet size and total HTTP packets, to obtain the coarse-grained cluster attributes;
a fine-grained cluster attribute extraction module: taking each HTTP session as a unit, extracting the four-dimensional fine-grained cluster statistics, comprising session request packet count, session response packet count, first request packet size and first response packet size, to obtain the fine-grained cluster attributes;
a data set combination module: combining the request/response packet content, the coarse-grained cluster attributes and the fine-grained cluster attributes into the five-tuple data set, the format of the five-tuple being <sample id, session id, request/response packet content, coarse-grained cluster attributes, fine-grained cluster attributes>.
11. The automatic HTTP network signature generation system according to claim 8, characterized in that the two-stage clustering module further comprises:
a coarse-grained clustering module: automatically clustering the five-tuple data set by the coarse-grained cluster attributes to obtain the coarse-grained cluster set C; if a coarse-grained cluster in C belongs to only one network sample, generating the URI signature for it by the URI signature generation module;
a fine-grained clustering module: on the basis of the coarse-grained cluster set C, automatically clustering all sessions in each c_i (c_i ∈ C) by the fine-grained cluster attributes to obtain the fine-grained cluster set C' of c_i (each cluster in C' being a subset of the sessions of c_i);
a sample coverage judging module: if the sessions of a fine-grained cluster c'_i (c'_i ∈ C') derive from k samples, k being greater than 1 and at most the number of network samples, the fine-grained clustering is deemed successful; otherwise the URI signature is generated by the URI signature generation module.
12. The automatic HTTP network signature generation system according to claim 8, characterized in that the request/response packet signature generation module further comprises:
an HTTP signature set generation module: for all session connections in each fine-grained cluster c'_i (c'_i ∈ C'), generating signatures separately for the request packets and the response packets by automatically computing token signatures in turn, so that each fine-grained cluster c'_i finally obtains one request packet signature and one response packet signature, which form the HTTP signature set W;
a signature filtering module: filtering the HTTP signature set W, removing unqualified signatures and merging duplicate signatures, to obtain the request/response packet signature set.
CN201310745102.1A 2013-12-30 2013-12-30 Automatic generation method and system for HTTP network signature (feature code) Expired - Fee Related CN103746982B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310745102.1A CN103746982B (en) 2013-12-30 2013-12-30 Automatic generation method and system for HTTP network signature (feature code)

Publications (2)

Publication Number Publication Date
CN103746982A true CN103746982A (en) 2014-04-23
CN103746982B CN103746982B (en) 2017-05-31

Family

ID=50503969

Country Status (1)

Country Link
CN (1) CN103746982B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105099834A (en) * 2015-09-30 2015-11-25 北京华青融天技术有限责任公司 Method and device for self-defining feature code
WO2016110273A1 (en) * 2015-01-09 2016-07-14 北京京东尚科信息技术有限公司 System and method for limiting access request
CN105978897A (en) * 2016-06-28 2016-09-28 南京南瑞继保电气有限公司 Detection method of electricity secondary system botnet
CN107222511A (en) * 2017-07-25 2017-09-29 深信服科技股份有限公司 Detection method and device, computer installation and the readable storage medium storing program for executing of Malware
CN107592312A (en) * 2017-09-18 2018-01-16 济南互信软件有限公司 A kind of malware detection method based on network traffics
CN108287905A (en) * 2018-01-26 2018-07-17 华南理工大学 A kind of extraction of network flow feature and storage method
CN108897990A (en) * 2018-06-06 2018-11-27 东北大学 Interaction feature method for parallel selection towards extensive higher-dimension sequence data
CN109474452A (en) * 2017-12-25 2019-03-15 北京安天网络安全技术有限公司 Method, system and the storage medium on automatic identification B/S Botnet backstage
CN110472031A (en) * 2019-08-13 2019-11-19 北京知道创宇信息技术股份有限公司 A kind of regular expression preparation method, device, electronic equipment and storage medium
CN111182002A (en) * 2020-02-19 2020-05-19 北京亚鸿世纪科技发展有限公司 Zombie network detection device based on HTTP (hyper text transport protocol) first question-answer packet clustering analysis
CN113381996A (en) * 2021-06-08 2021-09-10 中电福富信息科技有限公司 C & C communication attack detection method based on machine learning

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100162350A1 (en) * 2008-12-24 2010-06-24 Korea Information Security Agency Security system of managing irc and http botnets, and method therefor
CN102333313A (en) * 2011-10-18 2012-01-25 中国科学院计算技术研究所 Feature code generation method and detection method of mobile botnet
CN103297433A (en) * 2013-05-29 2013-09-11 中国科学院计算技术研究所 HTTP botnet detection method and system based on net data stream
US8555388B1 (en) * 2011-05-24 2013-10-08 Palo Alto Networks, Inc. Heuristic botnet detection
US8561188B1 (en) * 2011-09-30 2013-10-15 Trend Micro, Inc. Command and control channel detection with query string signature
CN103457909A (en) * 2012-05-29 2013-12-18 中国移动通信集团湖南有限公司 Botnet detection method and device

Also Published As

Publication number Publication date
CN103746982B (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN103746982A (en) Automatic generation method and system for HTTP (Hyper Text Transport Protocol) network feature code
CN108616534B (en) Method and system for preventing DDoS (distributed denial of service) attack of Internet of things equipment based on block chain
CN107231384B (en) DDoS attack detection and defense method and system for 5g network slices
CN103297433B (en) HTTP botnet detection method and system based on network data flow
CN104836702B (en) Host network anomaly detection and classification method in a large-traffic environment
KR101703446B1 (en) Network capable of detection DoS attacks and Method for controlling thereof, Gateway and Managing server comprising the network
CN111988285A (en) Network attack tracing method based on behavior portrait
Zand et al. Extracting probable command and control signatures for detecting botnets
CN108965248B (en) P2P botnet detection system and method based on traffic analysis
CN103957203B (en) A kind of network security protection system
CN107370752B (en) Efficient remote control Trojan detection method
CN111404914A (en) Ubiquitous power Internet of things terminal safety protection method under specific attack scene
CN1252555C (en) Cooperative intrusion detection system based on distributed data mining
CN104683346A (en) P2P botnet detection device and method based on flow analysis
CN103457909A (en) Botnet detection method and device
CN108712369A (en) A kind of more attribute constraint access control decision system and method for industrial control network
CN114598499A (en) Network risk behavior analysis method combined with business application
CN104883362A (en) Method and device for controlling abnormal access behaviors
Amini et al. Analysis of network traffic flows for centralized botnet detection
CN108737332A (en) A kind of man-in-the-middle attack prediction technique based on machine learning
CN113645240A (en) Malicious domain name community mining method based on graph structure
CN107566372B (en) Secure data optimized collection method based on feature value feedback in a big data environment
CN110661795A (en) Vector-level threat information automatic production and distribution system and method
CN100499599C (en) Rubbish mail filtration system and method based on email server
Yang et al. [Retracted] Computer User Behavior Anomaly Detection Based on K-Means Algorithm

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170531

Termination date: 20191230