CN105592041B - Network attack packet snapping method and device - Google Patents
- Publication number: CN105592041B (application CN201510469336.7A)
- Authority: CN (China)
- Prior art keywords: packet capturing, packet, data flow, strategy, preset
- Legal status: Active
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1441: Countermeasures against malicious traffic
Abstract
The application proposes a network attack packet capturing method and device. The method includes: when a device determines that a data flow hits an attack rule, it judges whether the attack rule is configured with a packet capturing policy and whether that policy is enabled; if so, it judges according to the policy whether first-stage capturing is needed and, if so, captures packets from the data flow continuously; when the number of continuously captured packets reaches a preset first threshold, it judges according to the policy whether second-stage capturing is needed and, if so, continues with intermittent capturing of the data flow. The application achieves selective packet capturing and reduces the consumption of device resources.
Description
Technical field
This application relates to the technical field of attack defense, and in particular to a network attack packet capturing method and device.
Background technique
How to rapidly and accurately handle the attacks (or attack logs) reported by users and detected by security devices such as an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) has always been a problem troubling every security vendor. Although these devices generally have a packet capturing function and can be configured to capture packets when a particular attack is detected, customers, from lack of experience or for performance reasons, often leave the packet capturing function disabled or enable it only for some attacks, so that for a large number of detected attacks the related packets are not captured in real time. When a customer has doubts about certain attacks or attack logs and needs the vendor to explain or analyse them in detail, the vendor's security researchers often find this difficult for lack of real-time packet data.
Existing packet capturing technology on security devices mainly provides a unified capturing function based on the device's detection rule base, configured by the customer. For example, if the rule base used by a device contains 1000 attack rules, the user sets for each of these 1000 rules whether to capture packets in real time when the rule is hit.
The prior art mainly has two problems:
First, enabling real-time packet capturing affects device performance: if real-time capturing is enabled for rules that are hit frequently, the device performs a large number of captures, which significantly degrades its performance. If instead capturing is enabled only for some rules, packets for the rules without it cannot be captured in real time, and once a customer questions a hit event for such a rule and needs to confirm whether it is an attack, the vendor can find it difficult to handle.
Second, the existing packet capturing function is rather coarse: once capturing is enabled, unless the customer manually disables it, the device captures unconditionally every time a rule with capturing enabled is hit. This is very likely to produce a large number of repeated captures, which both affects device performance and inconveniences the packet analysts. For example, if capturing is enabled for all SQL (Structured Query Language) injection or scanning probe rules, and a malicious attacker then scans a server with a related attack or scanning tool, the device may capture thousands or even tens of thousands of SQL injection or scanning probe messages, which makes analysing the attack messages inconvenient.
Summary of the invention
The embodiment of the present application provides a network attack packet capturing method and device.
The technical solution of the application is achieved as follows:
A network attack packet capturing method, the method comprising:
When a device determines that a data flow hits an attack rule, judging whether the attack rule is configured with a packet capturing policy and whether that policy is enabled; if so, judging according to the policy whether first-stage capturing is needed and, if so, capturing packets from the data flow continuously; when the number of continuously captured packets reaches a preset first threshold, judging according to the policy whether second-stage capturing is needed and, if so, continuing with intermittent capturing of the data flow.
A network attack packet capturing device, the device comprising:
Hit detection module: upon receiving a data flow, detects whether the data flow hits an attack rule;
Packet capturing module: when the hit detection module detects that the data flow hits an attack rule, judges whether the attack rule is configured with a packet capturing policy and whether that policy is enabled; if so, judges according to the policy whether first-stage capturing is needed and, if so, captures packets from the data flow continuously; when the number of continuously captured packets reaches a preset first threshold, judges according to the policy whether second-stage capturing is needed and, if so, continues with intermittent capturing of the data flow.
It can be seen that in the embodiment of the present application, when the device determines that a data flow hits an attack rule, if the attack rule is configured with a packet capturing policy and that policy is enabled, the device judges according to the policy whether first-stage capturing is needed and, if so, captures packets from the data flow continuously; when the number of continuously captured packets reaches the preset first threshold, it judges according to the policy whether second-stage capturing is needed and, if so, continues with intermittent capturing of the data flow. This both achieves selective packet capturing, reducing the consumption of device resources, and controls the number of captured packets, improving the readability of the captured packets.
Detailed description of the invention
Fig. 1 is a flow chart of the network attack packet capturing method provided by one embodiment of the application;
Fig. 2 is a flow chart of the network attack packet capturing method provided by another embodiment of the application;
Fig. 3 is a schematic diagram of the composition of the network attack packet capturing device provided by the embodiments of the application.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flow chart of the network attack packet capturing method provided by one embodiment of the application; its specific steps are as follows:
Step 101: the device receives a data flow.
Step 102: when the device determines that the data flow hits an attack rule, it judges whether the attack rule is configured with a packet capturing policy and whether that policy is enabled; if so, it judges according to the policy whether first-stage capturing is needed and, if so, captures packets from the data flow continuously; when the number of continuously captured packets reaches the preset first threshold, it judges according to the policy whether second-stage capturing is needed and, if so, continues with intermittent capturing of the data flow.
In one embodiment, intermittent capturing of the data flow comprises:
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, capturing the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, d being a preset first total capture count;
Alternatively, between a first preset time and a second preset time, capturing the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, h being a preset second total capture count.
Fig. 2 is a flow chart of the network attack packet capturing method provided by another embodiment of the application; its specific steps are as follows:
Step 200: packet capturing policies are configured in advance for the attack rules in the device.
Specifically, the administrator can choose, as needed, which attack rules to configure a packet capturing policy for and which kind of policy to configure. Different attack rules can be given different policies, or the same policy.
In this embodiment a packet capturing policy consists of a first-stage policy and a second-stage policy. When configuring, as needed, only the first-stage policy can be enabled, only the second-stage policy can be enabled, both can be enabled at the same time, or both can be disabled. Here:
The content of the first-stage policy is: after the attack rule is hit, capture packets continuously a preset first threshold number of times;
The content of the second-stage policy is: capture packets intermittently according to a preset capture algorithm, and stop capturing when the capture end condition is met, where:
The capture algorithm can be one of the following two:
1) Capture algorithm one
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, capture the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, d being a preset first total capture count;
2) Capture algorithm two
Between a first preset time t1 and a second preset time t2, capture the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time t1 is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, h being a preset second total capture count.
Step 201: the device maintains two tables: a packet capturing policy table and a packet capturing detail table.
The format of the policy table is shown in table 1 below; it mainly includes: policy ID, the attack rule ID corresponding to the policy, whether the policy is enabled, the first-stage capture count threshold (first threshold) of the policy, the second-stage capture algorithm of the policy, the accumulated capture count and the accumulated captured-IP count.
Table 1 (columns): policy ID | attack rule ID | policy enabled | first-stage capture count threshold (first threshold) | second-stage capture algorithm | accumulated capture count | accumulated captured-IP count
The format of the detail table is shown in table 2; it mainly includes: serial number, policy ID, source IP address, whether first-stage capturing is needed, first-stage capture count, second-stage capture count, last capture time and accumulated hit count.
Table 2 (columns): serial number | policy ID | source IP address | whether first-stage capturing is needed | first-stage capture count | second-stage capture count | last capture time | accumulated hit count
Step 202: the device detects that a packet of the data flow hits an attack rule, and then judges whether the attack rule is configured with a packet capturing policy; if so, execute step 203; otherwise, end this process.
Step 203: the device judges whether the packet capturing policy of the attack rule is enabled; if so, execute step 204; otherwise, end this process.
Step 204: the device reads the packet capturing policy of the attack rule and obtains the source IP address of the packet, then judges whether the packet capturing detail table (table 2) already contains a policy entry corresponding to this source IP address; if so, execute step 207; otherwise, execute step 205.
Step 205: the device adds a new entry to the packet capturing detail table (table 2), sets the values of the parameters in the new entry, and then executes step 206.
Specifically, the parameters in the new entry are set as follows:
1) "policy ID" is set to the packet capturing policy ID of the attack rule;
2) "source IP address" is set to the source IP address of the packet;
3) according to the packet capturing policy of the attack rule, if the first-stage policy in that policy is enabled, "whether first-stage capturing is needed" is set to "Yes", otherwise it is set to "No";
4) "first-stage capture count" is set to the initial value "0";
5) "second-stage capture count" is set to the initial value "0";
6) "last capture time" is set to a default value, e.g. 00:00:00;
7) "accumulated hit count" is set to "1".
Step 206: if the first-stage policy of the attack rule's packet capturing policy is enabled, the device captures and saves the packet, then updates "first-stage capture count" in the corresponding entry of the detail table (table 2) to "1", updates "last capture time" in that entry to the current time, and adds 1 to each of "accumulated capture count" and "accumulated captured-IP count" in the corresponding entry of the policy table (table 1); this process then ends.
Step 207: the device adds 1 to "accumulated hit count" in the table-2 policy entry corresponding to the source IP address, and checks whether "whether first-stage capturing is needed" in that entry is "Yes" or "No"; if "Yes", execute step 208; if "No", execute step 209.
Step 208: the device captures and saves the packet, updates "first-stage capture count" and "last capture time" in the corresponding entry of table 2 and "accumulated capture count" in the corresponding entry of table 1, and ends this process.
After updating "first-stage capture count" in the corresponding entry of table 2, the device also judges whether its value equals the "first-stage capture count threshold (first threshold)" in the corresponding entry of table 1; if so, "whether first-stage capturing is needed" in the table-2 entry is changed to "No", to indicate that first-stage capturing has been completed.
Step 209: if the device finds that the second-stage policy in the packet capturing policy is enabled, it performs intermittent capturing of the data flow according to the capture algorithm in that policy, updates the corresponding entries in table 1 and table 2 each time the data flow hits the attack rule and each time a packet is captured, and stops capturing when the capture end condition is met.
If the device finds that the second-stage policy in the packet capturing policy is disabled, this process ends directly.
Specifically, when capturing according to capture algorithm one, the detailed process is as follows:
Step 01: first read "accumulated hit count" of the corresponding entry in table 2 and judge whether its value is not less than the second threshold a of algorithm one; if so, execute step 02; otherwise, end this process.
Step 02: read "second-stage capture count" of the corresponding entry in table 2 and judge whether its value is less than the preset first total capture count d of algorithm one; if so, execute step 03; otherwise, end this process.
Step 03: according to a, b and c of algorithm one, judge whether "accumulated hit count" of the corresponding entry in table 2 satisfies a + nb < "accumulated hit count" ≤ a + nb + c, where n is a positive integer greater than 0; if so, capture and save the current packet, update "second-stage capture count" and "last capture time" in the corresponding entry of table 2, and update "accumulated capture count" in the corresponding entry of table 1.
When capturing according to capture algorithm two, the detailed process is as follows:
Step 01: judge whether the current time lies between t1 and t2 of algorithm two; if so, execute step 02; otherwise, end this process.
Step 02: read "second-stage capture count" of the corresponding entry in table 2 and judge whether its value is less than h of algorithm two; if so, execute step 03; otherwise, end this process.
Step 03: according to e, f and g of algorithm two, judge whether "accumulated hit count" of the corresponding entry in table 2 satisfies e + mf < "accumulated hit count" ≤ e + mf + g, where m is a positive integer greater than 0; if so, capture and save the current packet, update "second-stage capture count" and "last capture time" in the corresponding entry of table 2, and update "accumulated capture count" in the corresponding entry of table 1.
It should be noted that each parameter of capture algorithms one and two needs to be set reasonably: if the capture frequencies b and f are set too high, the capturing effect is significantly affected and system overhead increases. In the embodiment of the present application, when algorithm one is used, typically a ≥ 50, 50 ≤ b ≤ 100 and 5 ≤ c ≤ 20; when algorithm two is used, if the period between t1 and t2 falls in a period of heavy network traffic, typically 40 ≤ f ≤ 60, and if it falls in a period of light network traffic (for devices used in China, for example from 12 midnight to 7 a.m.), f can be set smaller, e.g. 10 ≤ f ≤ 30.
It should be noted that in the embodiment of the present application the administrator can change packet capturing policies at any time as needed, for example by configuring a new policy, changing some parameters of an existing policy, or changing the enabled or disabled state of a policy.
In addition, an aging duration T can be set for the entries of the packet capturing detail table (table 2): when no capture has been performed for the packets corresponding to an entry for a long time, the entry is deleted. Specifically, when the device finds that for any entry in table 2 "last capture time" + aging duration T < current system time, it automatically deletes that entry.
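The two-stage procedure of steps 200 to 209, both intermittent capture algorithms and the aging rule, written out as an added Python example (this is not the patent's own code; the class and field names, and the policy values and timestamps fed to it, are constructed for illustration):

```python
"""Two-stage attack-packet capture throttling (added example, not the patent's own code).
Policy is a row of the patent's table 1; Detail is a row of table 2 (per policy and source IP)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Policy:
    policy_id: int
    rule_id: int
    enabled: bool = True
    first_threshold: Optional[int] = 3   # stage-1 capture count; None = stage 1 off
    algorithm: Optional[str] = "one"     # "one", "two" or None = stage 2 off
    ip_cap: Optional[int] = None         # "third threshold": max source IPs captured
    a: int = 50                          # algorithm one: hit-count threshold
    b: int = 50                          # algorithm one: hit stride between bursts
    c: int = 5                           # algorithm one: packets per burst
    d: int = 20                          # algorithm one: total stage-2 capture cap
    t1: float = 0.0                      # algorithm two: window start
    t2: float = 0.0                      # algorithm two: window end
    f: int = 40                          # algorithm two: hit stride between bursts
    g: int = 5                           # algorithm two: packets per burst
    h: int = 20                          # algorithm two: total stage-2 capture cap
    captured_total: int = 0              # "accumulated capture count"
    captured_ips: int = 0                # "accumulated captured-IP count"

@dataclass
class Detail:
    stage1_needed: bool                  # "whether first-stage capturing is needed"
    stage1_count: int = 0
    stage2_count: int = 0
    last_capture: float = 0.0
    hits: int = 1                        # "accumulated hit count"
    e: Optional[int] = None              # hit count when t1 was first reached

def in_burst(hits: int, base: int, stride: int, burst: int) -> bool:
    """True if base + n*stride < hits <= base + n*stride + burst for some n > 0."""
    if stride <= 0 or hits <= base + stride:
        return False
    n = (hits - base - 1) // stride      # largest n with base + n*stride < hits
    return hits <= base + n * stride + burst

class Capturer:
    def __init__(self, policies: List[Policy]) -> None:
        self.policies = {p.rule_id: p for p in policies}
        self.details: Dict[Tuple[int, str], Detail] = {}

    def on_hit(self, rule_id: int, src_ip: str, now: float) -> bool:
        """Decide whether the packet that just hit rule_id is captured (steps 202-209)."""
        pol = self.policies.get(rule_id)
        if pol is None or not pol.enabled:
            return False
        key = (pol.policy_id, src_ip)
        det = self.details.get(key)
        if det is None:                  # step 205: first packet from this source
            if pol.ip_cap is not None and pol.captured_ips >= pol.ip_cap:
                return False             # too many sources captured already
            det = self.details[key] = Detail(pol.first_threshold is not None)
            if not det.stage1_needed:
                return False             # step 206: stage 1 off, nothing captured
            pol.captured_ips += 1
            return self._stage1(pol, det, now)
        det.hits += 1                    # step 207
        if det.stage1_needed:
            return self._stage1(pol, det, now)
        return self._stage2(pol, det, now)

    def _stage1(self, pol: Policy, det: Detail, now: float) -> bool:
        det.stage1_count += 1            # step 208: continuous capture
        det.last_capture, pol.captured_total = now, pol.captured_total + 1
        if det.stage1_count >= pol.first_threshold:
            det.stage1_needed = False    # first stage done; later hits go to stage 2
        return True

    def _stage2(self, pol: Policy, det: Detail, now: float) -> bool:
        if pol.algorithm == "one":       # algorithm one, steps 01-03
            if det.hits < pol.a or det.stage2_count >= pol.d:
                return False
            ok = in_burst(det.hits, pol.a, pol.b, pol.c)
        elif pol.algorithm == "two":     # algorithm two, steps 01-03
            if not pol.t1 <= now <= pol.t2 or det.stage2_count >= pol.h:
                return False
            if det.e is None:
                det.e = det.hits         # e = hit count on entering the window
            ok = in_burst(det.hits, det.e, pol.f, pol.g)
        else:
            return False                 # stage 2 disabled
        if ok:
            det.stage2_count += 1
            det.last_capture, pol.captured_total = now, pol.captured_total + 1
        return ok

    def age_out(self, now: float, aging: float) -> int:
        """Delete table-2 entries whose last capture + aging duration T < now."""
        stale = [k for k, d in self.details.items() if d.last_capture + aging < now]
        for k in stale:
            del self.details[k]
        return len(stale)

def run_stream(cap: Capturer, rule_id: int, src_ip: str, times: List[float]) -> List[int]:
    """Feed one flow's hits at constructed times; return the 1-based hit numbers captured."""
    return [i for i, t in enumerate(times, 1) if cap.on_hit(rule_id, src_ip, t)]
```

With a constructed policy of three continuous captures followed by algorithm one with a=5, b=4, c=2, d=3, twenty hits from one source yield captures of hits 1, 2, 3, 10, 11 and 14 only; the same flow would otherwise have produced twenty captures.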
The beneficial effects of the embodiment of the present application are as follows:
In the embodiment of the present application, when the device determines that a data flow hits an attack rule, if the attack rule is configured with a packet capturing policy and that policy is enabled, the device judges according to the policy whether first-stage capturing is needed and, if so, captures packets from the data flow continuously; when the number of continuously captured packets reaches the preset first threshold, it judges according to the policy whether second-stage capturing is needed and, if so, continues with intermittent capturing of the data flow. This both achieves selective packet capturing, reducing the consumption of device resources, and controls the number of captured packets, improving the readability of the captured packets.
Fig. 3 is a schematic diagram of the composition of the network attack packet capturing device provided by the embodiments of the application; the device mainly comprises:
Hit detection module: upon receiving a data flow, detects whether the data flow hits an attack rule;
Packet capturing module: when the hit detection module detects that the data flow hits an attack rule, judges whether the attack rule is configured with a packet capturing policy and whether that policy is enabled; if so, judges according to the policy whether first-stage capturing is needed and, if so, captures packets from the data flow continuously; when the number of continuously captured packets reaches the preset first threshold, judges according to the policy whether second-stage capturing is needed and, if so, continues with intermittent capturing of the data flow.
In one embodiment, the packet capturing module's intermittent capturing of the data flow comprises:
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, capturing the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, d being a preset first total capture count;
Alternatively, between a first preset time and a second preset time, capturing the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, h being a preset second total capture count.
In one embodiment, after the packet capturing module judges whether the attack rule is configured with a packet capturing policy and whether that policy is enabled, and before it judges according to the policy whether first-stage capturing is needed, it further:
Obtains the source IP address of the data flow and, according to the recorded source IP addresses of data flows that have hit the attack rule, judges whether the number of data flows that have hit the attack rule is greater than a preset third threshold; if so, stops packet capturing; otherwise, performs the action of judging according to the policy whether first-stage capturing is needed.
In one embodiment, the packet capturing module's continued intermittent capturing of the data flow further comprises:
Recording the time of each capture, and, when the difference between the current time and the time of the last capture is greater than a preset value, deleting the capture record for the data flow.
The foregoing is merely the preferred embodiments of the application and is not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall be included within the scope of protection of the application.
Claims (9)
1. A network attack packet capturing method, characterized in that the method comprises:
When a device determines that a data flow hits an attack rule, judging whether the attack rule is configured with a packet capturing policy and whether that policy is enabled; if so, judging according to the policy whether first-stage capturing is needed and, if so, capturing packets from the data flow continuously; when the number of continuously captured packets reaches a preset first threshold, judging according to the policy whether second-stage capturing is needed and, if so, continuing with intermittent capturing of the data flow.
2. The method according to claim 1, wherein the intermittent capturing of the data flow comprises:
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, capturing the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, d being a preset first total capture count;
Alternatively, between a first preset time and a second preset time, capturing the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, h being a preset second total capture count.
3. The method according to claim 1, wherein after judging whether the attack rule is configured with a packet capturing policy and whether that policy is enabled, and before judging according to the policy whether first-stage capturing is needed, the method further comprises:
Obtaining the source IP address of the data flow and, according to the recorded source IP addresses of data flows that have hit the attack rule, judging whether the number of data flows that have hit the attack rule is greater than a preset third threshold; if so, stopping packet capturing; otherwise, performing the action of judging according to the policy whether first-stage capturing is needed.
4. The method according to claim 1, wherein the packet capturing policies configured for any two attack rules in the device are different or the same.
5. The method according to claim 1, wherein continuing with intermittent capturing of the data flow further comprises:
Recording the time of each capture, and,
When the difference between the current time and the time of the last capture is greater than a preset value, deleting the capture record for the data flow.
6. A network attack packet capturing device, characterized in that the device comprises:
Hit detection module: upon receiving a data flow, detects whether the data flow hits an attack rule;
Packet capturing module: when the hit detection module detects that the data flow hits an attack rule, judges whether the attack rule is configured with a packet capturing policy and whether that policy is enabled; if so, judges according to the policy whether first-stage capturing is needed and, if so, captures packets from the data flow continuously; when the number of continuously captured packets reaches a preset first threshold, judges according to the policy whether second-stage capturing is needed and, if so, continues with intermittent capturing of the data flow.
7. The device according to claim 6, characterized in that the packet capturing module's intermittent capturing of the data flow comprises:
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, capturing the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, d being a preset first total capture count;
Alternatively, between a first preset time and a second preset time, capturing the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, h being a preset second total capture count.
8. The device according to claim 6, characterized in that after the packet capturing module judges whether the attack rule is configured with a packet capturing policy and whether that policy is enabled, and before it judges according to the policy whether first-stage capturing is needed, it further:
Obtains the source IP address of the data flow and, according to the recorded source IP addresses of data flows that have hit the attack rule, judges whether the number of data flows that have hit the attack rule is greater than a preset third threshold; if so, stops packet capturing; otherwise, performs the action of judging according to the policy whether first-stage capturing is needed.
9. The device according to claim 6, characterized in that the continued intermittent packet capture performed by the packet capture module on the data flow further includes:
Recording the time of each packet capture and, when the difference between the current time and the time of the last packet capture is greater than a preset value, deleting the packet capture record for the data flow.
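The two-stage capture decision of claims 6, 7 (count variant) and 9, as an added Python example that is not the patent's own code: the threshold names a, b, c and d follow claim 7, while `first_threshold` (claim 6's first threshold) and `idle_seconds` (claim 9's preset value) are assumed names, and all numeric values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CapturePolicy:
    """Thresholds named as in claims 6, 7 and 9 (constructed example values)."""
    first_threshold: int   # claim 6: hits captured continuously in stage one
    a: int                 # claim 7: hits before the intermittent stage starts
    b: int                 # claim 7: hit-count window size
    c: int                 # claim 7: packets captured per window
    d: int                 # claim 7: cap on intermittent captures (n*c <= d)
    idle_seconds: float    # claim 9: gap after which the flow record is dropped


def intermittent_capture(x: int, p: CapturePolicy) -> bool:
    """Claim 7 (count variant): capture hit number x iff some positive
    integer n with n*c <= d satisfies a + n*b < x <= a + n*b + c."""
    for n in range(1, p.d // p.c + 1):
        if p.a + n * p.b < x <= p.a + n * p.b + p.c:
            return True
    return False


class FlowCaptureState:
    def __init__(self, policy: CapturePolicy) -> None:
        self.policy = policy
        self.hits = 0                            # hits seen for this flow
        self.last_capture: Optional[float] = None  # time of last capture

    def on_hit(self, now: float) -> Optional[str]:
        """Decide for one packet of the flow that hit the attack rule.
        Returns "continuous", "intermittent", or None when not captured."""
        p = self.policy
        # Claim 9: if too long has passed since the last capture, delete the
        # flow's capture record so counting starts afresh.
        if self.last_capture is not None and now - self.last_capture > p.idle_seconds:
            self.hits, self.last_capture = 0, None
        self.hits += 1
        if self.hits <= p.first_threshold:
            stage = "continuous"
        elif intermittent_capture(self.hits, p):
            stage = "intermittent"
        else:
            return None
        self.last_capture = now
        return stage


def simulate(policy: CapturePolicy, hit_times: List[float]) -> List[int]:
    """Return the 1-based hit numbers that the policy captures."""
    state = FlowCaptureState(policy)
    return [i for i, t in enumerate(hit_times, 1) if state.on_hit(t) is not None]
```

With a=10, b=100, c=5, d=20 the intermittent stage captures five hits out of every hundred (hits 111 to 115, 211 to 215, and so on) and stops after four windows because 5c would exceed d.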
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201510469336.7A CN105592041B (en) | 2015-08-04 | 2015-08-04 | Network attack packet snapping method and device
Publications (2)
Publication Number | Publication Date
---|---
CN105592041A CN105592041A (en) | 2016-05-18
CN105592041B true CN105592041B (en) | 2019-01-08
Family
ID=55931259
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201510469336.7A Active CN105592041B (en) | Network attack packet snapping method and device | 2015-08-04 | 2015-08-04
Country Status (1)
Country | Link
---|---
CN (1) | CN105592041B (en)
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN111641591B (en) * | 2020-04-30 | 2022-12-06 | 杭州博联智能科技股份有限公司 | Cloud service security defense method, device, equipment and medium
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN1909554A (en) * | 2006-08-18 | 2007-02-07 | 华为技术有限公司 | Method and system for data flow sampling
CN101141326A (en) * | 2007-09-29 | 2008-03-12 | 北京启明星辰信息技术有限公司 | Flux detecting method and system for self-adaptive sampling
CN104135490A (en) * | 2014-08-14 | 2014-11-05 | 浪潮(北京)电子信息产业有限公司 | Intrusion detection system (IDS) analysis method and intrusion detection system
US8958318B1 (en) * | 2011-09-21 | 2015-02-17 | Cisco Technology, Inc. | Event-based capture of packets from a network flow
CN104601570A (en) * | 2015-01-13 | 2015-05-06 | 国家电网公司 | Network security monitoring method based on bypass monitoring and software packet capturing technology
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US20140351415A1 (en) * | 2013-05-24 | 2014-11-27 | PacketSled Inc. | Selective packet capture
- 2015-08-04 CN CN201510469336.7A patent/CN105592041B/en active Active
Also Published As
Publication number | Publication date
---|---
CN105592041A (en) | 2016-05-18
Legal Events
Date | Code | Title | Description
---|---|---|---
 | C06 | Publication | 
 | PB01 | Publication | 
 | C10 | Entry into substantive examination | 
 | SE01 | Entry into force of request for substantive examination | 
 | CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant after: Xinhua three Technology Co., Ltd.; Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant before: Huasan Communication Technology Co., Ltd.
 | CB02 | Change of applicant information | 
 | GR01 | Patent grant | 
 | GR01 | Patent grant | 