Method and apparatus for a user-defined feature code
Technical field
The present invention relates to the field of network security, and in particular to a method and apparatus for a user-defined feature code (that is, a detection signature written by the user rather than supplied by the manufacturer).
Background technology
As more and more users rely on networks to process information efficiently and quickly, it becomes increasingly important to keep that information from being stolen or tampered with by the abnormal behaviour of network attackers while it is being processed over the network. In order to detect such abnormal behaviour proactively and protect themselves, more and more network users install an intrusion detection system (IDS).
An existing IDS first obtains the feature code that characterizes an abnormal behaviour. When it detects abnormal behaviour, it compares the feature code of the detected behaviour with the feature codes in its preset feature database, determines the attack signature of the behaviour, and handles the behaviour according to that attack signature, so as to keep the user safe.
However, an existing IDS can only detect abnormal behaviour according to the factory-preset feature codes. When some other abnormal behaviour attacks the user, the IDS has no feature code for that behaviour and therefore cannot detect it, which leads to false positives and false negatives (missed detections).
Summary of the invention
In view of this, embodiments of the present invention aim to provide a method and apparatus for a user-defined feature code, so that the user can define feature codes without relying on the manufacturer or on external resources, thereby reducing the false positives and false negatives of the IDS for abnormal behaviour and finally making the risk autonomous and controllable.
In a first aspect, an embodiment of the present invention provides a method for a user-defined feature code, including:
determining an exception field from the datagram of a detected abnormal behaviour;
obtaining the attack signature information of the abnormal behaviour according to the determined exception field;
generating a feature code according to the obtained attack signature information;
when the generated feature code passes detection, determining that the feature code is a user-defined feature code.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein determining the exception field from the field information of the datagram of the detected abnormal behaviour includes:
when abnormal behaviour is detected, obtaining the datagram of the abnormal behaviour;
obtaining multiple pieces of field information in the datagram, each of which includes the information of the datagram and the character string contained in a field;
obtaining the exception field in the datagram according to the information of the datagram and the character string contained in the field.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein obtaining the exception field in the datagram according to the information of the datagram and the character string contained in the field includes:
when the information of the current datagram is consistent with the information of a preset datagram, determining that the information of the datagram is an exception field;
when the character string contained in the current field of the current datagram is consistent with the character string of a preset field, determining that the current field is an exception field.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein obtaining the attack signature information of the abnormal behaviour according to the determined exception field includes:
determining the information of the datagrams, among the obtained datagrams, that carry the exception field;
when there is information of datagrams matching the exception field among the datagrams, determining that the exception field is attack signature information.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein after generating the feature code according to the obtained attack signature information, the method further includes:
detecting, with the generated feature code, the abnormal behaviour corresponding to the feature code, and determining that the feature code passes detection.
In a second aspect, an embodiment of the present invention provides an apparatus for a user-defined feature code, including:
an exception field determining module, configured to determine an exception field from the datagram of a detected abnormal behaviour;
an attack signature information determining module, configured to obtain the attack signature information of the abnormal behaviour according to the determined exception field;
a feature code generating module, configured to generate a feature code according to the obtained attack signature information;
a user-defined feature code determining module, configured to determine that the feature code is a user-defined feature code when the generated feature code passes abnormal behaviour detection.
In conjunction with the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, wherein the exception field determining module includes:
a datagram acquiring unit, configured to obtain the datagram of the abnormal behaviour when abnormal behaviour is detected;
a field information acquiring unit, configured to obtain multiple pieces of field information in the datagram, each of which includes the information of the datagram and the character string contained in a field;
an exception field acquiring unit, configured to obtain the exception field in the datagram according to the information of the datagram and the character string contained in the field.
In conjunction with the second aspect, an embodiment of the present invention provides a second possible implementation of the second aspect, wherein the exception field acquiring unit includes:
a first exception field acquiring subunit, configured to determine that the information of the datagram is an exception field when the information of the current datagram is consistent with the information of a preset datagram;
a second exception field acquiring subunit, configured to determine that the current field is an exception field when the character string contained in the current field of the current datagram is consistent with the character string of a preset field.
In conjunction with the second aspect, an embodiment of the present invention provides a third possible implementation of the second aspect, wherein the attack signature information determining module includes:
a datagram information determining unit, configured to determine the information of the datagrams, among the obtained datagrams, that carry the exception field;
an attack signature information determining unit, configured to determine that the exception field is attack signature information when there is information of datagrams matching the exception field among the datagrams.
In conjunction with the second aspect, an embodiment of the present invention provides a fourth possible implementation of the second aspect, wherein the apparatus further includes:
a detection module, configured to detect the abnormal behaviour corresponding to the feature code with the generated feature code and to determine that the feature code passes detection.
With the method and apparatus for a user-defined feature code provided in the embodiments of the present invention, an exception field is determined from the datagram of the detected abnormal behaviour and a user-defined feature code is generated according to the determined exception field. Compared with the prior art, in which the IDS can only detect abnormal behaviour with the factory-preset feature codes, the abnormal behaviour of hackers can be detected with the user-defined feature code generated by the user, which reduces the false positives and false negatives of the IDS for abnormal behaviour. In addition, the generated feature code is verified against the abnormal behaviour, and only a feature code that passes detection is determined to be a user-defined feature code, which increases the accuracy with which the user-defined feature code detects abnormal behaviour, lets the IDS protect the user better, and finally makes the risk autonomous and controllable.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only certain embodiments of the present invention and are therefore not to be construed as limiting its scope; those of ordinary skill in the art can obtain other relevant drawings from these drawings without creative effort.
Fig. 1 is a schematic structural diagram of an implementation system involved in the method for a user-defined feature code provided in an embodiment of the present invention;
Fig. 2 is a flow chart of the method for a user-defined feature code provided in Embodiment 1 of the present invention;
Fig. 3 is a schematic structural diagram of the apparatus for a user-defined feature code provided in Embodiment 3 of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments described and illustrated in the drawings may generally be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of it. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the related network security technology, an existing IDS can only detect abnormal behaviour according to the factory-preset feature codes; when other abnormal behaviour attacks the user, the IDS has no feature code for that behaviour and cannot detect it, which leads to false positives and false negatives. On this basis, embodiments of the present invention provide a method and apparatus for a user-defined feature code.
Referring to Fig. 1, which is a schematic structural diagram of an implementation system involved in the method for a user-defined feature code provided in an embodiment of the present invention, the system includes a server 100 on which the IDS is installed. The server 100 includes a central processing unit 101 and a memory 102 that exchanges data with the central processing unit 101.
The server 100 is configured to obtain the datagram of an abnormal behaviour when that behaviour is detected, and to send the obtained datagram to the central processing unit 101. The central processing unit 101 is configured to determine an exception field from the datagram of the detected abnormal behaviour, obtain the attack signature information of the abnormal behaviour according to the determined exception field, generate a feature code according to the obtained attack signature information, determine that the feature code is a user-defined feature code when the generated feature code passes detection, and then send the determined user-defined feature code to the memory 102. The memory 102 holds the feature database of the IDS and is configured to store the user-defined feature code determined by the central processing unit 101 in that feature database.
The server 100 may be any existing server or desktop-class computing device capable of generating and storing the user-defined feature code; the alternatives are not enumerated here.
The central processing unit 101 may be any existing model and type of central processing unit, microprocessor or programmable device capable of generating the user-defined feature code; these are not enumerated here.
The memory 102 may be any existing large-capacity storage medium capable of storing the preset feature codes of the IDS and the user-defined feature codes generated by the user; these are not enumerated here.
Embodiment 1
Referring to Fig. 2, this embodiment provides a method for a user-defined feature code that includes the following steps.
Step 200: determine an exception field from the datagram of the detected abnormal behaviour.
A datagram may consist of multiple data packets.
Abnormal behaviour includes SQL injection, APT attacks, malicious programs and the like. It may also include any other existing behaviour that can threaten the security of the user's network information; these are not enumerated here.
An exception field is the traffic, or the abnormal data stream, produced by abnormal behaviour such as SQL injection or an APT attack.
Step 202: obtain the attack signature information of the abnormal behaviour according to the determined exception field.
Attack signature information characterizes the abnormal behaviour. Under normal circumstances it consists of one or more exception fields carried in the datagram of the abnormal behaviour, and the IDS identifies the abnormal behaviour by the attack signature information it has obtained.
Step 204: generate a feature code according to the obtained attack signature information.
A feature code is the data by which the IDS identifies abnormal behaviour. Besides the attack signature information, it also includes a logical structure for matching the features of all network activity, and a detection window, which is the part of the communication stream that is examined for a match according to the definition of the abnormal behaviour.
The detection window may be any one of the following types of data:
Datagram (Packet): all feature code tests and all protocol field tests are performed on a single network datagram.
Request: all feature code tests are performed on the request direction of the communication stream. (This is very useful when the protocol is bidirectional and both directions may carry the same data or commands.)
Response: the same as Request, but only the traffic in the response direction is examined.
Communication stream (Flow): a stream consists of multiple datagrams; when the detection window is set to the flow, the communication stream in both directions must satisfy all conditions. The tests are still subject to any ordering imposed by the feature code structure and to the stream direction indicated by the tested fields.
Benign trigger probability (BTP): a confidence value measuring how far the user believes the feature code can identify a network event. A high benign trigger probability indicates that the feature code is likely to produce false positives. When creating a feature code, the user should set the BTP to "Low" so that the default policy of the IDS selects the user-defined feature code generated by the user.
Step 206: when the generated feature code passes detection, determine that the feature code is a user-defined feature code.
With the method for a user-defined feature code provided in this embodiment, an exception field is determined from the datagram of the detected abnormal behaviour and a user-defined feature code is generated according to the determined exception field. Compared with the prior art, in which the IDS can only detect abnormal behaviour with the factory-preset feature codes, the abnormal behaviour of hackers can be detected with the user-defined feature code generated by the user, which reduces the false positives and false negatives of the IDS for abnormal behaviour. In addition, the generated feature code is verified against the abnormal behaviour, and only a feature code that passes detection is determined to be a user-defined feature code, which increases the accuracy with which the user-defined feature code detects abnormal behaviour, lets the IDS protect the user better, and finally makes the risk autonomous and controllable.
In the related art, the IDS cannot generate a user-defined feature code. To generate one, the exception field carried by the abnormal behaviour must first be detected. Determining the exception field from the field information of the datagram of the detected abnormal behaviour therefore includes the following steps 1 to 3:
(1) when abnormal behaviour is detected, obtain the datagram of the abnormal behaviour;
(2) obtain multiple pieces of field information in the datagram, each of which includes the information of the datagram and the character string contained in a field;
(3) obtain the exception field in the datagram according to the information of the datagram and the character string contained in the field.
In step 1, the data stream of the abnormal behaviour for which a user-defined feature code is needed may be triggered with attack software or a hacking tool, and the datagram of the abnormal behaviour obtained with a network packet analysis tool such as Wireshark. Datagrams of the abnormal behaviour are obtained up to a preset number, and once the preset number of datagrams has been obtained, the datagrams are parsed.
Of course, any other existing network packet analysis software tool capable of obtaining the datagram of the abnormal behaviour may also be used; these are not enumerated here.
In step 2, the information of the datagram includes the datagram length and the packet header information of the datagram. The network packet analysis tool parses the offset of each datagram of the abnormal behaviour in the data file and the information of each datagram; then, according to the offset of each datagram in the file and the datagram length recorded in the datagram information, it reads and parses the obtained datagrams one by one and extracts all the fields each datagram contains, so that the abnormal behaviour is parsed completely.
When a datagram is parsed, the packet header information is parsed first, and then the other data fields in the datagram (such as character fields). The packet header information includes the source IP, source port, destination IP, destination port and checksum.
To attack a user, abnormal behaviour must tamper with the normal fields contained in the datagram, forming attack signature information that includes an exception field; this attack signature information is written into the user's computer and triggered in a specific application environment before the attack on the user can be completed. Whether an exception field is present can therefore be detected from the length of the datagram and from the content and length of the character fields in the datagram. In step 3, obtaining the exception field in the datagram according to the information of the datagram and the character string contained in the field judges whether the datagram contains an exception field in at least one of the ways described in steps 31 and 32:
(31) when the information of the current datagram is consistent with the information of a preset datagram, determine that the information of the datagram is an exception field;
(32) when the character string contained in the current field of the current datagram is consistent with the character string of a preset field, determine that the current field is an exception field.
In step 31, if the information of the datagram is the datagram length, then when the datagram length determined from that information is consistent with a preset datagram length, the current datagram is determined to contain an exception field; if the information of the datagram is the length of the field currently being examined, then when the length of the current field in the current datagram is consistent with the length of a preset field, the current field is determined to be an exception field.
The information of the preset datagram, or the content of the character string contained in the preset field, is consistent with the exception field of the abnormal behaviour for which a user-defined feature code is required.
By judging whether the information of the datagram and the character strings contained in its fields are consistent with preset content, the exception fields the datagram contains can be determined with a simple operation, so that a user-defined feature code corresponding to the abnormal behaviour can be generated to detect that behaviour.
In summary, the datagram of the abnormal behaviour is obtained, all the field characters it carries are parsed out of it, and those field characters are examined for exception fields; this determines the exception field in the datagram so that a user-defined feature code can be generated in the subsequent steps. The IDS can thus generate user-defined feature codes for detecting different abnormal behaviours according to the user's needs, which is convenient for the user.
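The parsing and comparison of steps 1 to 3 above, as an added example that is not part of the patent: it builds a constructed IPv4/TCP datagram (zeroed checksums; the addresses, ports and the marker string "ZZ9TEST" are made up), parses the header information named in step 2 together with the whitespace-separated character fields, and applies the preset-length checks of step 31 and the preset-string check of step 32 to report exception fields.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Datagram:
    """Header information and character fields parsed from one captured datagram (step 2)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    checksum: int        # IP header checksum as carried in the capture
    length: int          # datagram length taken from the IP total-length field
    fields: List[str]    # character fields carried after the TCP header


def build_sample_packet(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Constructed test input: a minimal IPv4 + TCP datagram with zeroed checksums (not a real capture)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # data offset 5 (20-byte header), flags PSH|ACK, window 8192, checksum and urgent pointer zero
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_datagram(raw: bytes) -> Datagram:
    """Step 2: parse the packet header first, then the remaining data fields (character fields)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", raw[2:4])
    checksum, = struct.unpack("!H", raw[10:12])
    src_ip, dst_ip = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    # Character fields: whitespace-separated tokens of the payload (a simplification suited to text protocols).
    fields = payload.decode("latin-1").split()
    return Datagram(src_ip, sport, dst_ip, dport, checksum, total_len, fields)


def find_exception_fields(dg: Datagram, preset_lengths: Set[int], preset_strings: Set[str],
                          preset_field_lengths: Set[int] = frozenset()) -> List[Tuple[str, object]]:
    """Step 3: compare the datagram information (its length, step 31) and every carried character
    string (step 32) with the preset values; each match is reported as an exception field.
    Matching on field length alone (step 31, second variant) is coarse and is kept separate so the
    caller can see how many hits it produces compared with exact string matches."""
    found: List[Tuple[str, object]] = []
    if dg.length in preset_lengths:
        found.append(("length", dg.length))
    for f in dg.fields:
        if f in preset_strings:
            found.append(("field", f))
        if len(f) in preset_field_lengths:
            found.append(("field_length", f))
    return found


# Constructed sample capture: one request carrying the made-up marker token "ZZ9TEST".
SAMPLE_PAYLOAD = b"GET /index HTTP/1.1\r\nHost: example.test\r\nX-Trigger: ZZ9TEST\r\n\r\n"
SAMPLE_PACKET = build_sample_packet("10.0.0.5", 40000, "10.0.0.9", 80, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    dg = parse_datagram(SAMPLE_PACKET)
    print(dg.src_ip, dg.src_port, "->", dg.dst_ip, dg.dst_port, "length", dg.length)
    print(find_exception_fields(dg, {dg.length}, {"ZZ9TEST"}))
```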
After the exception field contained in a datagram has been obtained, it cannot be concluded directly that this exception field characterizes the abnormal behaviour; the exception field must be verified further. Obtaining the attack signature information of the abnormal behaviour according to the determined exception field therefore includes the following steps 1 and 2:
(1) determine the information of the datagrams, among the obtained datagrams, that carry the exception field;
(2) when there is information of datagrams matching the exception field among the datagrams, determine that the exception field is attack signature information.
Step 1 specifically includes: judging one by one whether each obtained datagram of the abnormal behaviour contains the exception field and, if so, recording the identifier of that datagram; counting the recorded datagram identifiers to determine how many of the obtained datagrams carry the exception field, and thereby determining the information of the datagrams that carry the exception field.
Whether an obtained datagram of the abnormal behaviour contains the exception field is judged by comparing the character string or length of the exception field with the character strings or lengths of the other fields in the datagram: when the character string or length of some other field in the datagram is consistent with the character string or length of the exception field, the datagram is determined to carry the exception field.
Of course, step 1 may also determine the information of the datagrams carrying the exception field in other existing ways; these are not enumerated here.
In step 2, whether the exception field is attack signature information can be judged on the condition of the number of datagrams carrying the exception field, so step 2 includes the following steps 21 to 23:
(21) judge whether the number of datagrams carrying the exception field exceeds a set threshold; if so, perform step 22, otherwise perform step 23;
(22) determine that the exception field is attack signature information;
(23) determine that the exception field is not attack signature information of the abnormal behaviour.
Of course, whether the exception field is attack signature information may also be judged by other criteria; these are not enumerated here.
As described above, using the number of datagrams containing the exception field as the judgment condition for verifying whether the exception field characterizes the abnormal behaviour makes it possible to determine quickly and clearly which exception field characterizes the abnormal behaviour.
In summary, judging whether the exception field is attack signature information by determining the information of the datagrams that carry the exception field among the obtained datagrams reduces system overhead and speeds up the generation of the user-defined feature code.
Since the feature code is defined by the user, it is also tested after it is generated; only a feature code that passes the test is shown to be valid and able to detect the attack signature effectively. So, after generating the feature code according to the obtained attack signature information, the method for a user-defined feature code further includes the following step 1:
(1) detect the abnormal behaviour corresponding to the feature code with the generated feature code, and determine that the feature code passes detection.
Step 1 specifically includes the following steps 11 and 12:
(11) perform abnormal behaviour detection on the abnormal behaviour corresponding to the feature code with the generated feature code;
(12) when the number of times the abnormal behaviour is detected by the feature code within a preset number of detections exceeds a preset detection threshold, determine that the feature code passes detection.
In step 1, the generated feature code is verified in two separate parts: feature code verification and abnormal behaviour detection.
The content of feature code verification includes, but is not limited to: numeric comparison tests, numeric range tests, numeric enumeration tests, pattern matching, creating fixed-field feature codes, and datagram search protocols.
The numeric comparison test, numeric range test, numeric enumeration test, pattern matching, creation of fixed-field feature codes and datagram search protocol used here are test methods available in the prior art and are not enumerated here.
The abnormal behaviour detection proceeds as follows: a traffic generation tool or datagram replay is used to verify whether the feature code generated by the user matches the traffic and fields to be tested, where the traffic and fields to be tested carry the exception field contained in the user-generated feature code; and the traffic and fields are checked for whether they raise duplicate alarms (one alarm raised by a feature code built into the intrusion detection system, and another raised by the generated feature code). This achieves the purpose of abnormal behaviour detection.
In summary, by verifying and detecting the feature code separately, the validity of the feature code is determined, which ensures that the feature code generated by the user can detect the corresponding abnormal behaviour and improves the accuracy with which the IDS detects the abnormal behaviour of hackers.
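The datagram-count threshold of steps 21 to 23, the detection window and BTP of step 204, and the replay validation and duplicate-alarm check of steps 11 and 12, as one added example that is not the patent's own code. The direction tags, the marker tokens and the detection-window semantics used here are this example's assumptions: Packet means one datagram carries every required field, Request and Response mean that direction's datagrams together carry them, and Flow means both directions together carry them.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Parsed:
    """One parsed datagram: its direction in the flow and the character fields it carries."""
    direction: str      # "request" or "response"
    fields: tuple       # character fields extracted from the payload


@dataclass(frozen=True)
class FeatureCode:
    attack_fields: tuple    # exception fields confirmed as attack signature information
    window: str             # detection window: "Packet", "Request", "Response" or "Flow"
    btp: str = "Low"        # benign trigger probability; "Low" so the default policy selects the code


def count_datagrams_with_field(datagrams: Sequence[Parsed], candidate: str) -> int:
    """Step 1 of attack-signature determination: record the identifiers (indices) of the datagrams
    carrying the candidate exception field by exact string match, then count them."""
    carrying = [i for i, d in enumerate(datagrams) if candidate in d.fields]
    return len(carrying)


def is_attack_signature(datagrams: Sequence[Parsed], candidate: str, threshold: int) -> bool:
    """Steps 21 to 23: the candidate is attack signature information only if more datagrams than
    the set threshold carry it."""
    return count_datagrams_with_field(datagrams, candidate) > threshold


def generate_feature_code(datagrams: Sequence[Parsed], candidates: Iterable[str], threshold: int,
                          window: str = "Request") -> Optional[FeatureCode]:
    """Step 204: keep the candidates that pass the threshold and wrap them in a feature code."""
    confirmed = tuple(c for c in candidates if is_attack_signature(datagrams, c, threshold))
    return FeatureCode(confirmed, window) if confirmed else None


def _fields_in(datagrams: Iterable[Parsed]) -> Set[str]:
    seen: Set[str] = set()
    for d in datagrams:
        seen.update(d.fields)
    return seen


def matches(code: FeatureCode, flow: Sequence[Parsed]) -> bool:
    """Apply the feature code to one communication flow according to its detection window."""
    need = set(code.attack_fields)
    if code.window == "Packet":
        return any(need <= set(d.fields) for d in flow)
    if code.window in ("Request", "Response"):
        wanted = code.window.lower()
        return need <= _fields_in(d for d in flow if d.direction == wanted)
    if code.window == "Flow":
        return need <= _fields_in(flow)
    raise ValueError(f"unknown detection window {code.window!r}")


def validate_feature_code(code: FeatureCode, replays: Sequence[Sequence[Parsed]], detect_threshold: int) -> bool:
    """Steps 11 and 12: replay the traffic a preset number of times (len(replays)); the code passes
    when it detects the behaviour more times than the preset detection threshold."""
    hits = sum(1 for flow in replays if matches(code, flow))
    return hits > detect_threshold


def duplicate_alarm(new_code: FeatureCode, builtin_codes: Sequence[FeatureCode], flow: Sequence[Parsed]) -> bool:
    """Duplicate-alarm check: True when a built-in feature code and the generated one both fire on
    the same traffic, i.e. the new code duplicates a signature already in the feature database."""
    return matches(new_code, flow) and any(matches(b, flow) for b in builtin_codes)


# Constructed sample traffic (not a real capture): the tokens "ZZ9TEST" and "QQ7ACK" are made up.
ATTACK_FLOW: List[Parsed] = [
    Parsed("request", ("GET", "/index", "X-Trigger:", "ZZ9TEST")),
    Parsed("response", ("HTTP/1.1", "200", "OK", "Srv-Tag:", "QQ7ACK")),
]
BENIGN_FLOW: List[Parsed] = [
    Parsed("request", ("GET", "/index", "HTTP/1.1")),
    Parsed("response", ("HTTP/1.1", "200", "OK")),
]
ATTACK_CAPTURE: List[Parsed] = ATTACK_FLOW * 3   # the preset number of captured datagrams

if __name__ == "__main__":
    code = generate_feature_code(ATTACK_CAPTURE, ["ZZ9TEST", "QQ7ACK", "NOPE"], threshold=2, window="Flow")
    print(code)
    print("passes detection:", validate_feature_code(code, [ATTACK_FLOW] * 5 + [BENIGN_FLOW] * 2, 3))
```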
Embodiment 2
This embodiment relates to another method for a user-defined feature code, which specifically includes the following steps 1 to 6:
(1) Capturing the attack data stream
The specific abnormal behaviour to be compared is first understood; the required attack data stream is then triggered with attack software or a hacking tool and captured. Free online network packet analysis software tools (such as Wireshark) may be used to capture the attack data stream.
(2) data-flow analysis is attacked
After having captured attack data flow, by network package analysis software tool open datagram, obtain in attack data
Protocol massages type field length and construction feature, wherein crucial function includes:The constructed fuction of message data report;Hair
Send and receive message data report function and parsing after obtained field structure, protocol characteristic, the text of every class message data report
Field.
In step 2, the length of the deviation post and each datagram of each datagram in the data file is parsed first
Degree, then the length of the deviation post and datagram according to datagram hereof, reads a complete datagram, then
According to protocol specifications such as IP/TCP/UDP, the header packet information of datagram, including source IP, source port, destination IP, destination are parsed
Mouth verifies and finally parses the other parts (such as character field) in datagram in addition to packet header;By recycling this mistake
Journey can parse all datagrams in data file, to complete the parsing to attack traffic.
(3) Generating the attack signature
The attack signature is further extracted and summarized from the information obtained in step 2. The attack signature includes the interaction process information, the format features of the message datagrams, and the features of the character fields in the datagrams. To extract it, the parsed field records are examined one by one: the features of the fixed fields are recorded first, and the variable field portions are examined by repeated comparison to judge whether each variable field is regular or random.
By the above method the features of the attack are extracted, finally yielding the character field features, the protocol header features and so on.
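The fixed-field recording and repeated comparison of variable fields described in step 3, as an added example not taken from the patent: three constructed messages with an assumed layout (4-byte command tag, 1-byte counter, a separator byte, 2-byte nonce, 3-byte trailer) are aligned byte by byte, the fixed runs are recorded as signature fragments, and each variable run is classified as regular (constant step between captures) or random.

```python
from typing import Dict, List, Tuple

# Constructed sample: three captured messages of the same protocol type (not real traffic).
# Assumed layout: "CMD1" tag | 1-byte counter | "|" separator | 2-byte nonce | "ZZ9" trailer.
MESSAGES: List[bytes] = [
    b"CMD1\x01|\xaa\x01ZZ9",
    b"CMD1\x02|\x13\x37ZZ9",
    b"CMD1\x03|\x5c\x01ZZ9",
]


def fixed_mask(messages: List[bytes]) -> List[bool]:
    """Per byte offset (up to the shortest message): True when every capture carries the same byte."""
    n = min(len(m) for m in messages)
    return [len({m[i] for m in messages}) == 1 for i in range(n)]


def runs(messages: List[bytes], fixed: bool) -> List[Tuple[int, int]]:
    """Consecutive offsets that are all fixed (fixed=True) or all variable (fixed=False), as (offset, length)."""
    mask = fixed_mask(messages)
    out: List[Tuple[int, int]] = []
    start = None
    # A sentinel of the opposite kind closes a run that reaches the end of the message.
    for i, is_fixed in enumerate(mask + [not fixed]):
        if is_fixed == fixed and start is None:
            start = i
        elif is_fixed != fixed and start is not None:
            out.append((start, i - start))
            start = None
    return out


def fixed_fragments(messages: List[bytes]) -> List[Tuple[int, bytes]]:
    """Fixed-field features recorded first: (offset, bytes) of every fixed run, usable as signature fragments."""
    return [(off, messages[0][off:off + ln]) for off, ln in runs(messages, fixed=True)]


def classify_variable(messages: List[bytes], offset: int, length: int) -> str:
    """Repeated comparison of one variable field across captures: 'regular' when successive values
    differ by a constant step (a counter), 'random' otherwise (a nonce). Needs at least 3 captures
    for the constant-step test to mean anything."""
    values = [int.from_bytes(m[offset:offset + length], "big") for m in messages]
    steps = {b - a for a, b in zip(values, values[1:])}
    return "regular" if len(values) >= 3 and len(steps) == 1 else "random"


def summarize(messages: List[bytes]) -> Dict[str, list]:
    """Attack-feature summary: the fixed fragments plus each variable run with its classification.
    Adjacent variable fields without a fixed byte between them merge into one run, so protocol field
    boundaries from step 2 should be applied when they are known."""
    return {
        "fixed": fixed_fragments(messages),
        "variable": [(off, ln, classify_variable(messages, off, ln)) for off, ln in runs(messages, fixed=False)],
    }


if __name__ == "__main__":
    print(summarize(MESSAGES))
```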
(4) Extracting the features and packaging the signature in a specific format
Before a user-defined feature code is written, a range of information should be prepared. A feature code can be a very simple operation, or a highly complex operation that checks different pieces of information in a specific order.
This range of information includes: the reason for creating this user-defined feature code; the "Severity" of this user-defined feature code; technical information references for this user-defined feature code; the traffic and flow direction this user-defined feature code is to examine; the protocol whose traffic this user-defined feature code searches (also called the affected protocol); the specific conditions that make up this user-defined feature code, such as the field values and patterns to be matched; and the specific hardware or software platform affected by this traffic (also called the affected package).
A) structure of condition code
The condition code that intruding detection system provides is supported very comprehensive.Normal mode matching in addition to support and digital test
Outside, also allow condition code that there is complicated structure, it can sort and be grouped test, to realize accurately detection.
B) Logical structure of the tests
A set of simple but very powerful logical constructs is provided, which allows a user creating a user-defined feature code to characterize almost any network activity. These constructs provide a finer-grained method of grouping and ordering the feature fragments (in whatever sequence is required): numeric tests and pattern matching.
C) Other feature code components
Besides the mechanism of the feature code itself, some other information is needed for it to work properly:
Detection window: the detection window is the part of the communication stream that the intrusion detection system inspects, according to the attack definition, for a match. The detection window may be any one of the following:
Datagram: all feature code tests (and all protocol fields) must be applied to a single network datagram.
Request: all feature code tests must be applied to the request direction of the flow. (This is very useful when the protocol is bidirectional and both directions may contain the same data or commands.)
Response: the same as Request, but used only to inspect the traffic in the response direction.
Stream: when the detection window is set to Stream, the communication stream in both directions must satisfy all conditions. The tests are still subject to any ordering imposed by the structure of the feature code and to the stream direction indicated by the tested field.
BTP: this is a confidence value measuring how far the user believes the feature code can identify the network event. A high benign triggering probability (BTP) indicates that the feature code may be prone to false positives. When creating a feature code, the user should set the BTP to "Low" to ensure that the default policy selects the user's feature code.
(5) Comparing the feature code with the attack data stream
User-defined feature codes commonly use two basic classes of tests:
Pattern matching: pattern matching can be used to match ASCII or binary strings. It supports the common regular-expression constructs.
Numeric comparison: the value is tested according to the selected numeric comparison; a numeric comparison can be used to test whether a value matches a given value or lies within some range.
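An added example, not part of the patent, of the feature code structure in (4) and the two basic tests in (5): pattern tests and numeric tests are arranged in ordered groups and evaluated over a chosen detection window. The datagram layout, the two-datagram flow and the field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Datagram:
    direction: str  # "request" or "response"
    payload: bytes
    fields: dict    # parsed header fields, e.g. {"length": 512}
@dataclass
class PatternTest:  # pattern match: regular expression over ASCII or binary data
    field_name: str  # "payload" or a header field name
    pattern: bytes
    def run(self, dg):
        data = dg.payload if self.field_name == "payload" else dg.fields.get(self.field_name, b"")
        return re.search(self.pattern, data) is not None
@dataclass
class NumericTest:  # number comparison: equal to (low == high) or within a range
    field_name: str
    low: int
    high: int
    def run(self, dg):
        value = dg.fields.get(self.field_name)
        return value is not None and self.low <= value <= self.high
@dataclass
class Signature:
    name: str
    window: str   # detection window: "datagram", "request", "response" or "stream"
    groups: list  # ordered groups of tests; every test in a group must pass
    btp: str = "Low"  # benign triggering probability: Low so the default policy selects it

def matches(sig, flow):
    """Apply the groups in order to the datagrams selected by the detection window."""
    if sig.window == "datagram":  # every test must hit one and the same datagram
        return any(all(t.run(dg) for g in sig.groups for t in g) for dg in flow)
    window = flow if sig.window == "stream" else [dg for dg in flow if dg.direction == sig.window]
    pos = 0  # groups must match at non-decreasing positions in the window
    for group in sig.groups:
        while pos < len(window) and not all(t.run(window[pos]) for t in group):
            pos += 1
        if pos == len(window):
            return False
    return True

FLOW = [  # constructed two-datagram HTTP-like flow (not captured traffic)
    Datagram("request", b"POST /cgi/upload HTTP/1.1\r\nHost: h\r\n\r\n\x7fELF\x01\x01", {"length": 512}),
    Datagram("response", b"HTTP/1.1 200 OK\r\n\r\nstored", {"length": 30}),
]
UPLOAD_SIG = Signature("custom-elf-upload", "stream", [
    [PatternTest("payload", rb"^POST /cgi/upload"), NumericTest("length", 256, 65535)],
    [PatternTest("payload", rb"\x7fELF")],              # binary pattern in the same request
    [PatternTest("payload", rb"^HTTP/1\.1 200 OK")],    # then the server's response
])
```

With the window set to "request" or "datagram" the same groups no longer match, because the third group needs the response direction.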
(6) Importing the feature code into the intrusion detection system
Before a user-defined feature code is deployed to the production environment of the intrusion detection system, it must be tested thoroughly. A wrong definition can cause false positives, false negatives, and performance problems, all of which are very unfavorable to the security and reliability of the network. The best way to avoid these problems is to test the feature code throughout the deployment process with a comprehensive test plan, checking whether the feature code matches as expected.
The test plan includes at least the following verification operations:
Use a traffic generation tool or datagram replay to verify that the user-defined feature code matches the traffic and fields that need to be detected.
Check whether the test traffic causes repeated alarms (one alarm raised by a feature code built into the intrusion detection system and another raised by a different user-defined feature code).
After confirming that all alarms trigger normally, the feature code can be imported into the intrusion detection system in the production environment.
The method of user-defined feature codes provided in this embodiment determines an exception field from the datagram of the detected abnormal behaviour and generates a user-defined feature code according to the determined exception field. Compared with the prior art, in which the IDS can detect abnormal behaviour only with the manufacturer's preset feature codes, the IDS can detect hacker abnormal behaviour with feature codes generated according to the user, which reduces the false positives and false negatives of the IDS for abnormal behaviour. Furthermore, the generated feature code is verified against the abnormal behaviour, and a feature code that passes detection is determined to be the user-defined feature code, which increases the accuracy with which user-defined feature codes detect abnormal behaviour, so that the IDS protects the user better and risk is finally made autonomous and controllable.
Embodiment 3
This embodiment provides a device for user-defined feature codes, used to execute the method of user-defined feature codes in the above example. The device for user-defined feature codes includes: an exception field determining module 300, an attack signature information determining module 302, a feature code generation module 304, and a user-defined feature code determining module 306.
The exception field determining module 300 is configured to determine an exception field from the datagram of the detected abnormal behaviour. The attack signature information determining module 302 is connected to the exception field determining module 300 and obtains the attack signature information of the abnormal behaviour according to the determined exception field. The feature code generation module 304 is connected to the attack signature information determining module 302 and is configured to generate a feature code according to the obtained attack signature information. The user-defined feature code determining module 306 is connected to the feature code generation module 304 and is configured to determine that the feature code is a user-defined feature code when the generated feature code passes abnormal behaviour detection.
In the related art, an IDS cannot generate user-defined feature codes. In order to generate a user-defined feature code, the exception field carried by the abnormal behaviour must be detected; therefore the exception field determining module 300 includes:
a datagram obtaining unit, configured to obtain the datagram of the abnormal behaviour when the abnormal behaviour is detected; a field information obtaining unit, configured to obtain multiple items of field information in the datagram, where each item of field information includes the information of the datagram and the character string contained in a field; and an exception field obtaining unit, configured to obtain the exception field in the datagram according to the information of the datagram and the character string contained in the field.
In order to attack the user, the abnormal behaviour must tamper with the normal fields contained in the datagram, forming attack signature information that includes an exception field; the attack signature information is written into the user's computer and triggered in a specific application environment, and only then can the attack on the user be completed. Therefore the presence of an exception field can be detected from the length of the datagram and from the content and length of the character fields in the datagram, so the exception field obtaining unit includes:
a first exception field obtaining subunit, configured to determine that the information of the current datagram is an exception field when the information of the current datagram is consistent with the information of a preset datagram; and a second exception field obtaining subunit, configured to determine that the current field is an exception field when the character string contained in the current field of the current datagram is consistent with the character string of a preset field.
From the above description, by judging whether the information of the datagram and the character string contained in a field are consistent with the preset content, the exception field contained in the datagram can be determined with a simple operation, so that a user-defined feature code corresponding to the abnormal behaviour can be generated to detect that abnormal behaviour.
In summary, by obtaining the datagram of the abnormal behaviour, parsing all the field characters carried in the obtained datagram, and detecting the exception field among those field characters, the exception field in the datagram is determined for generating the user-defined feature code in the subsequent steps, so that the IDS can generate user-defined feature codes that detect different abnormal behaviours according to the user's needs, which is convenient for the user.
After the exception field contained in a certain datagram is obtained, it cannot be directly determined that this exception field is exactly the one characterizing the abnormal behaviour; the exception field needs further verification. Therefore the attack signature information determining module 302 includes:
a datagram information determining unit, configured to determine, among the obtained datagrams, the information of the datagrams that have the exception field; and an attack signature information determining unit, configured to determine that the exception field is attack signature information when the datagrams contain the information of a datagram matching the exception field.
In summary, by determining the information of the datagrams with the exception field among the obtained datagrams in order to judge whether the exception field is attack signature information, the system overhead can be reduced and the generation of user-defined feature codes accelerated.
Since the feature code is defined by the user, after the feature code is generated it also has to be tested; only when it passes the test is the feature code shown to be valid and able to detect the attack signature effectively. Therefore the device for user-defined feature codes further includes:
a detection module, configured to determine that the feature code passes detection by detecting, with the generated feature code, the abnormal behaviour corresponding to the feature code.
In summary, by verifying and testing the feature code, the validity of the feature code is determined, which ensures that the feature code generated by the user can detect the corresponding abnormal behaviour and improves the accuracy with which the IDS detects hacker abnormal behaviour.
The device for user-defined feature codes provided in this embodiment determines an exception field from the datagram of the detected abnormal behaviour and generates a user-defined feature code according to the determined exception field. Compared with the prior art, in which the IDS can detect abnormal behaviour only with the manufacturer's preset feature codes, the IDS can detect hacker abnormal behaviour with feature codes generated according to the user, which reduces the false positives and false negatives of the IDS for abnormal behaviour. Furthermore, the generated feature code is verified against the abnormal behaviour, and a feature code that passes detection is determined to be the user-defined feature code, which increases the accuracy with which user-defined feature codes detect abnormal behaviour, so that the IDS protects the user better and risk is finally made autonomous and controllable.
The computer program product for performing the method of user-defined feature codes provided by the embodiments of the present invention includes a computer-readable storage medium storing program code; the instructions contained in the program code can be used to execute the method described in the foregoing method embodiments. For the specific implementation, reference may be made to the method embodiments, and details are not repeated here.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices, and units described above may refer to the corresponding processes in the foregoing method embodiments, and details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. The device embodiments described above are merely exemplary; for example, the division of the units is only a division of logical functions, and other divisions are possible in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, devices, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a dedicated hardware device, or the like) to execute all or some of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a read-only memory (ROM, Read-Only Memory) or a random access memory (RAM, Random Access Memory).
The above description is merely of specific embodiments, but the protection scope of the present invention is not limited thereto; any change or replacement that can easily be conceived by those familiar with the art within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.