CN105592041B - Network attack packet snapping method and device - Google Patents


Info

Publication number: CN105592041B
Authority: CN (China)
Prior art keywords: packet capturing, packet, data flow, strategy, preset
Legal status: Active
Application number: CN201510469336.7A
Other languages: Chinese (zh)
Other versions: CN105592041A
Inventor: 张惊申
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd

Events:
Application filed by New H3C Technologies Co Ltd
Priority to CN201510469336.7A
Publication of CN105592041A
Application granted
Publication of CN105592041B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application proposes a network attack packet capture method and device. The method includes: when a device determines that a data flow hits an attack rule, judging whether the attack rule is configured with a packet capture policy and whether that capture policy is enabled; if so, judging according to the capture policy whether first-stage capture is needed, and if needed performing continuous capture of the data flow; when the number of continuous captures reaches a preset first threshold, judging according to the capture policy whether second-stage capture is needed, and if needed continuing with intermittent capture of the data flow. The application achieves selective packet capture and reduces the consumption of device resources.

Description

Network attack packet snapping method and device
Technical field
This application relates to the technical field of attack defence, and in particular to a network attack packet capture method and device.
Background art
How to quickly and accurately handle the attacks (or attack logs) reported by users that were detected by security devices such as an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) has always been a problem that troubles every security vendor. Although these security devices generally have a packet capture function that can be configured to capture packets when a particular attack is detected, customers, for lack of experience or out of performance concerns, often do not enable packet capture at all, or enable it only for some attacks. As a result, no packets are captured in real time for a large number of the attacks detected. When a customer questions certain attacks or attack logs and needs the vendor to explain or analyse them in detail, the vendor's security researchers often find this hard to do for lack of real-time packet data.
Existing packet capture technology on security devices mainly provides a uniform packet capture function based on the rule base used for detection, which the customer configures. For example, if the rule base used by the current device contains 1000 attack rules, the user sets for each of these 1000 rules whether packets are captured in real time when the rule is hit.
The prior art mainly has two problems:
First, enabling real-time packet capture affects device performance to some degree. If real-time capture is enabled for a frequently hit rule, the device performs a large number of captures, which has a large impact on performance. If, on the other hand, capture is enabled only for some rules, then the rules without capture enabled cannot capture packets in real time, and once the customer questions a hit on such a rule and needs to confirm whether it is an attack, the vendor will find it hard to handle.
Second, the existing packet capture function is rather coarse: once capture is enabled, unless the customer manually disables it, the device performs unconditional capture whenever a rule with capture enabled is hit. This very likely produces a large number of repeated captures, which both affects device performance and inconveniences the staff analysing the packets. For example, if packet capture is enabled for all SQL (Structured Query Language) injection or scanning-probe rules, and a malicious attacker then scans a server with the corresponding attack or scanning tools, the device may capture thousands or even tens of thousands of SQL injection or scanning-probe messages. This makes analysing the attack messages inconvenient.
Summary of the invention
The embodiments of the present application provide a network attack packet capture method and device.
The technical solution of the application is achieved as follows:
A network attack packet capture method, the method comprising:
When a device determines that a data flow hits an attack rule, it judges whether the attack rule is configured with a packet capture policy and whether that capture policy is enabled; if so, it judges according to the capture policy whether first-stage capture is needed, and if needed performs continuous capture of the data flow; when the number of continuous captures reaches a preset first threshold, it judges according to the capture policy whether second-stage capture is needed, and if needed continues with intermittent capture of the data flow.
A network attack packet capture device, the device comprising:
Hit detection module: upon receiving a data flow, detects whether the data flow hits an attack rule;
Packet capture module: when the hit detection module detects that a data flow hits an attack rule, judges whether the attack rule is configured with a packet capture policy and whether that capture policy is enabled; if so, judges according to the capture policy whether first-stage capture is needed, and if needed performs continuous capture of the data flow; when the number of continuous captures reaches a preset first threshold, judges according to the capture policy whether second-stage capture is needed, and if needed continues with intermittent capture of the data flow.
It can be seen that in the embodiments of the present application, when a device determines that a data flow hits an attack rule, if the attack rule is configured with a capture policy and that policy is enabled, the device judges according to the capture policy whether first-stage capture is needed, and if needed performs continuous capture of the data flow; when the number of continuous captures reaches the preset first threshold, it judges according to the capture policy whether second-stage capture is needed, and if needed continues with intermittent capture of the data flow. This both achieves selective capture, reducing the consumption of device resources, and controls the number of captured packets, improving the readability of the packets captured.
Brief description of the drawings
Fig. 1 is a flow chart of the network attack packet capture method provided by one embodiment of the application;
Fig. 2 is a flow chart of the network attack packet capture method provided by another embodiment of the application;
Fig. 3 is a schematic diagram of the composition of the network attack packet capture device provided by the embodiments of the application.
Specific embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flow chart of the network attack packet capture method provided by one embodiment of the application; its specific steps are as follows:
Step 101: The device receives a data flow.
Step 102: When the device determines that the data flow hits an attack rule, it judges whether the attack rule is configured with a packet capture policy and whether that capture policy is enabled; if so, it judges according to the capture policy whether first-stage capture is needed, and if needed performs continuous capture of the data flow; when the number of continuous captures reaches a preset first threshold, it judges according to the capture policy whether second-stage capture is needed, and if needed continues with intermittent capture of the data flow.
In one embodiment, performing intermittent capture of the data flow includes:
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, capturing the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, where d is a preset first total capture count;
Alternatively, between a first preset time and a second preset time, capturing the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, where h is a preset second total capture count.
Fig. 2 is a flow chart of the network attack packet capture method provided by another embodiment of the application; its specific steps are as follows:
Step 200: Capture policies are configured in advance for the attack rules in the device.
Specifically, the administrator can choose, as needed, which attack rules need a capture policy and which kind of capture policy is configured for them. Different capture policies can be configured for different attack rules, or the same capture policy can be configured for them.
In this embodiment a capture policy includes a first-stage capture policy and a second-stage capture policy. When configuring, as needed, only the first-stage capture policy may be enabled, only the second-stage capture policy may be enabled, both the first- and second-stage capture policies may be enabled at the same time, or both may be disabled at the same time. Where:
The content of the first-stage capture policy is: after the attack rule is hit, capture packets continuously a preset first-threshold number of times;
The content of the second-stage capture policy is: perform intermittent capture according to a preset capture algorithm, and stop capturing when the capture end condition is met, where:
The capture algorithm may be one of the following two:
1) Capture algorithm one
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, the X-th hit packet is captured, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, where d is a preset first total capture count;
2) Capture algorithm two
Between a first preset time t1 and a second preset time t2, the Y-th hit packet is captured, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time t1 is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, where h is a preset second total capture count.
Step 201: The device maintains two tables: a capture policy table and a capture detail table.
The format of the capture policy table is shown in Table 1 below; it mainly includes: the capture policy ID, the attack rule ID corresponding to the capture policy, the flag indicating whether the capture policy is enabled, the first-stage capture count threshold (first threshold) of the capture policy, the second-stage capture algorithm of the capture policy, the accumulated capture count, and the accumulated number of captured IPs.
Table 1
The format of the capture detail table is shown in Table 2; it mainly includes: serial number, capture policy ID, source IP address, the flag indicating whether first-stage capture is needed, first-stage capture count, second-stage capture count, last capture time, and accumulated hit count.
Table 2
Step 202: The device detects that a packet of a data flow hits an attack rule, then judges whether the attack rule is configured with a capture policy; if so, execute step 203; otherwise, end this process.
Step 203: The device judges whether the capture policy of the attack rule is enabled; if so, execute step 204; otherwise, end this process.
Step 204: The device reads the capture policy of the attack rule and obtains the source IP address of the packet, and judges whether the capture detail table (Table 2) already contains a capture policy entry corresponding to that source IP address; if so, execute step 207; otherwise, execute step 205.
Step 205: The device adds a new entry to the capture detail table (Table 2), sets the value of each parameter in the new entry, and then executes step 206.
Specifically, the parameters of the new entry are set as follows:
1) "Policy ID" is set to the capture policy ID of the attack rule;
2) "Source IP address" is set to the source IP address of the packet;
3) according to the capture policy corresponding to the attack rule, if the first-stage capture policy in that capture policy is enabled, "whether first-stage capture is needed" is set to "Yes", otherwise it is set to "No";
4) "First-stage capture count" is set to the initial value "0";
5) "Second-stage capture count" is set to the initial value "0";
6) "Last capture time" uses the default value, for example 00:00:00;
7) "Accumulated hit count" is set to "1".
Step 206: If the first-stage capture policy of the attack rule's capture policy is enabled, the device captures the packet and saves it, then updates "first-stage capture count" in the corresponding entry of the capture detail table (Table 2) to "1", updates "last capture time" in that entry to the current time, and adds 1 to each of "accumulated capture count" and "accumulated captured IP count" in the corresponding entry of the capture policy table (Table 1); this process then ends.
Step 207: The device adds 1 to "accumulated hit count" in the capture policy entry of the capture detail table (Table 2) that corresponds to the source IP address, and judges whether "whether first-stage capture is needed" in that Table 2 entry is "Yes" or "No"; if "Yes", execute step 208; if "No", execute step 209.
Step 208: The device captures the packet and saves it, updates "first-stage capture count" and "last capture time" of the corresponding entry in Table 2 and "accumulated capture count" of the corresponding entry in Table 1, and ends this process.
Furthermore, after updating "first-stage capture count" of the corresponding entry in Table 2, the device judges whether the value of "first-stage capture count" equals the "first-stage capture count threshold (first threshold)" of the corresponding entry in Table 1; if equal, "whether first-stage capture is needed" in the corresponding Table 2 entry is changed to "No", indicating that the first-stage capture process has completed.
Step 209: If the device finds that the second-stage capture policy in the capture policy is enabled, it performs intermittent capture of the data flow according to the capture algorithm in the second-stage capture policy, updates the corresponding entries in Table 1 and Table 2 each time the data flow hits the attack rule and each time a packet is captured, and stops capturing when the capture end condition is met.
If the device finds that the second-stage capture policy in the capture policy is disabled, it ends this process directly.
Specifically, when capturing according to capture algorithm one, the detailed process is as follows:
Step 01: First read "accumulated hit count" of the corresponding entry in Table 2 and judge whether its value is not less than the second threshold a of capture algorithm one; if so, execute step 02; otherwise, end this process.
Step 02: Read "second-stage capture count" of the corresponding entry in Table 2 and judge whether its value is less than the preset first total capture count d of capture algorithm one; if so, execute step 03; otherwise, end this process.
Step 03: According to a, b and c of capture algorithm one, judge whether "accumulated hit count" of the corresponding entry in Table 2 satisfies a + nb < "accumulated hit count" ≤ a + nb + c; if so, capture and save the current packet, update "second-stage capture count" and "last capture time" of the corresponding entry in Table 2, and update "accumulated capture count" of the corresponding entry in Table 1, where n is a positive integer greater than 0.
When capturing according to capture algorithm two, the detailed process is as follows:
Step 01: Judge whether the current time lies between t1 and t2 of capture algorithm two; if so, execute step 02; otherwise, end this process.
Step 02: Read "second-stage capture count" of the corresponding entry in Table 2 and judge whether its value is less than h of capture algorithm two; if so, execute step 03; otherwise, end this process.
Step 03: According to e, f and g of capture algorithm two, judge whether "accumulated hit count" of the corresponding entry in Table 2 satisfies e + mf < "accumulated hit count" ≤ e + mf + g; if so, capture and save the current packet, update "second-stage capture count" and "last capture time" of the corresponding entry in Table 2, and update "accumulated capture count" of the corresponding entry in Table 1, where m is a positive integer greater than 0.
It should be noted that each parameter of capture algorithms one and two needs to be set reasonably: if the capture frequencies b and f are set too high, the capture effect is heavily affected and system overhead increases. In the embodiment of the application, when capture algorithm one is used, typically a ≥ 50, 50 ≤ b ≤ 100 and 5 ≤ c ≤ 20; when capture algorithm two is used, if the period between t1 and t2 is a period of heavy network traffic, typically 40 ≤ f ≤ 60, and if the period between t1 and t2 is a period of light network traffic (for example, for a device used in China, from 12 midnight to 7 a.m.), f can be set smaller, for example 10 ≤ f ≤ 30.
It should be noted that in the embodiment of the application the administrator can change capture policies at any time as needed, for example: configure a new capture policy, change some parameters of an existing capture policy, or change the enabled or disabled state of a capture policy.
In addition, an aging duration T can be set for the entries of the capture detail table (Table 2): when no capture operation has been performed for a long time on the packets corresponding to an entry, the entry is deleted. Specifically, when the device finds that for any entry in Table 2 "last capture time" + aging duration T < current system time, it deletes that entry automatically.
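As an added example (not code from the patent or from New H3C), the following Python simulation implements the two tables and steps 202 to 209 above, including both second-stage capture algorithms and the aging of Table 2 entries. The class and field names, the default parameter values, the use of a numeric timestamp in place of a clock time, and keying Table 2 by (rule ID, source IP) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class CapturePolicy:
    """Table 1 row: the capture policy attached to one attack rule (parameter names follow the text)."""
    rule_id: int
    enabled: bool = True
    stage1_enabled: bool = True
    stage1_threshold: int = 3     # first threshold: continuous captures after the first hit
    stage2_enabled: bool = True
    algorithm: int = 1            # 1 = hit-count windows (a, b, c, d); 2 = time window (t1, t2, f, g, h)
    a: int = 50                   # second threshold: hits before stage two may capture at all
    b: int = 50                   # first hit-count threshold (spacing between capture windows)
    c: int = 5                    # first capture quantity (packets captured per window)
    d: int = 20                   # first total capture count (stage-two cap)
    t1: float = 0.0               # first preset time
    t2: float = 0.0               # second preset time
    f: int = 40                   # second hit-count threshold
    g: int = 5                    # second capture quantity
    h: int = 20                   # second total capture count
    total_captured: int = 0       # accumulated capture count
    total_ips: int = 0            # accumulated captured IP count

@dataclass
class FlowEntry:
    """Table 2 row: capture state for one (attack rule, source IP) pair."""
    stage1_needed: bool
    stage1_count: int = 0
    stage2_count: int = 0
    last_capture: float = 0.0     # the text's default "00:00:00"
    hit_count: int = 0
    e: Optional[int] = None       # algorithm two: hit count when t1 was first reached

def in_window(x: int, start: int, stride: int, width: int, cap: int) -> bool:
    """True if start + n*stride < x <= start + n*stride + width for some n >= 1 with n*width <= cap.
    This is the a+nb < X <= a+nb+c (or e+mf < Y <= e+mf+g) condition of the text."""
    n = 1
    while n * width <= cap:
        lo = start + n * stride
        if lo < x <= lo + width:
            return True
        n += 1
    return False

class CaptureEngine:
    def __init__(self) -> None:
        self.policies: Dict[int, CapturePolicy] = {}        # rule_id -> Table 1 row
        self.flows: Dict[Tuple[int, str], FlowEntry] = {}   # (rule_id, src_ip) -> Table 2 row

    def _capture(self, p: CapturePolicy, entry: FlowEntry, now: float, stage: int) -> bool:
        """Record one capture in both tables; a real device would also save the packet here."""
        if stage == 1:
            entry.stage1_count += 1
        else:
            entry.stage2_count += 1
        entry.last_capture = now
        p.total_captured += 1
        return True

    def on_hit(self, rule_id: int, src_ip: str, now: float) -> bool:
        """Steps 202-209 for one packet that hit rule_id at time now; returns True if it is captured."""
        p = self.policies.get(rule_id)
        if p is None or not p.enabled:                      # steps 202 and 203
            return False
        entry = self.flows.get((rule_id, src_ip))           # step 204
        if entry is None:                                   # step 205: add a Table 2 row
            entry = self.flows[(rule_id, src_ip)] = FlowEntry(p.stage1_enabled)
            if p.stage1_enabled:
                p.total_ips += 1                            # step 206 counts a newly captured IP
        entry.hit_count += 1                                # step 205 sets 1, step 207 adds 1
        if entry.stage1_needed:                             # steps 206 and 208: continuous capture
            self._capture(p, entry, now, stage=1)
            if entry.stage1_count >= p.stage1_threshold:
                entry.stage1_needed = False                 # first stage finished
            return True
        if not p.stage2_enabled:                            # step 209
            return False
        if p.algorithm == 1:                                # algorithm one, sub-steps 01-03
            if entry.hit_count < p.a or entry.stage2_count >= p.d:
                return False
            wanted = in_window(entry.hit_count, p.a, p.b, p.c, p.d)
        else:                                               # algorithm two, sub-steps 01-03
            if not (p.t1 <= now <= p.t2) or entry.stage2_count >= p.h:
                return False
            if entry.e is None:
                entry.e = entry.hit_count                   # hits accumulated when t1 was reached
            wanted = in_window(entry.hit_count, entry.e, p.f, p.g, p.h)
        return self._capture(p, entry, now, stage=2) if wanted else False

    def age_out(self, now: float, aging: float) -> int:
        """Delete Table 2 rows whose last capture time + aging duration T < now; returns the count."""
        stale = [k for k, e in self.flows.items() if e.last_capture + aging < now]
        for k in stale:
            del self.flows[k]
        return len(stale)
```

With the defaults (a = 50, b = 50, c = 5, d = 20 and a first threshold of 3), a single source that hits the rule 300 times yields the 3 first-stage captures followed by exactly the 20 packets numbered 101-105, 151-155, 201-205 and 251-255, after which the stage-two cap d stops further capture.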
The advantageous effects of the embodiments of the present application are as follows:
In the embodiments of the present application, when a device determines that a data flow hits an attack rule, if the attack rule is configured with a capture policy and that policy is enabled, the device judges according to the capture policy whether first-stage capture is needed, and if needed performs continuous capture of the data flow; when the number of continuous captures reaches the preset first threshold, it judges according to the capture policy whether second-stage capture is needed, and if needed continues with intermittent capture of the data flow. This both achieves selective capture, reducing the consumption of device resources, and controls the number of captured packets, improving the readability of the packets captured.
Fig. 3 is a schematic diagram of the composition of the network attack packet capture device provided by the embodiments of the application; the device mainly includes:
Hit detection module: upon receiving a data flow, detects whether the data flow hits an attack rule;
Packet capture module: when the hit detection module detects that a data flow hits an attack rule, judges whether the attack rule is configured with a packet capture policy and whether that capture policy is enabled; if so, judges according to the capture policy whether first-stage capture is needed, and if needed performs continuous capture of the data flow; when the number of continuous captures reaches a preset first threshold, judges according to the capture policy whether second-stage capture is needed, and if needed continues with intermittent capture of the data flow.
In one embodiment, the packet capture module performing intermittent capture of the data flow includes:
After the number of times the data flow has hit the attack rule reaches a preset second threshold a, capturing the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, where d is a preset first total capture count;
Alternatively, between a first preset time and a second preset time, capturing the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, where h is a preset second total capture count.
In one embodiment, after the packet capture module judges whether the attack rule is configured with a capture policy and whether the capture policy is enabled, and before it judges according to the capture policy whether first-stage capture is needed, it further:
obtains the source IP address of the data flow, and judges, according to the recorded source IP addresses of the data flows that hit the attack rule, whether the number of data flows hitting the attack rule is greater than a preset third threshold; if so, stops capturing; otherwise, executes the action of judging according to the capture policy whether first-stage capture is needed.
In one embodiment, the packet capture module continuing to perform intermittent capture of the data flow further includes:
recording the time of each capture, and, when the difference between the current time and the time of the last capture is greater than a preset value, deleting the capture record for the data flow.
The foregoing is merely the preferred embodiments of the application and is not intended to limit the application; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (9)

1. a kind of network attack packet snapping method, which is characterized in that this method comprises:
When equipment determines data flow hit attack rule, judge whether the attack rule is configured with packet capturing strategy and the packet capturing plan It slightly opens, if so, judging whether the first stage needs packet capturing according to the packet capturing strategy, if desired, then the data flow is carried out Continuous packet capturing, according to the packet capturing strategy, judges whether to need to carry out second when continuous packet capturing number reaches preset first threshold value Stage packet capturing, if desired carries out, then continues to carry out discontinuity packet capturing to the data flow.
2. the method according to claim 1, wherein described pair of data flow progress discontinuity packet capturing includes:
After data flow hits and attacks regular number and reach default second threshold a, grab the X packet of hit, wherein X satisfaction with Lower condition:
a+nb<X≤a+nb+c
Wherein, b is preset first hit-count threshold value, and c is preset first packet capturing quantity, and n is the positive integer greater than 0, and Nc≤d, d are preset first packet capturing sum;
Alternatively, grabbing the Y packet of hit, wherein Y meets following item between the first preset time and the second preset time Part:
e+mf<Y≤e+mf+g
Wherein, e is the number that the data flow has hit attack rule when reaching first preset time, and f is preset the Two hit-count threshold values, g are preset second packet capturing quantity, and m is the positive integer greater than 0, and mg≤h, h grab for preset second Packet sum.
3. judging whether the attack rule is configured with packet capturing strategy the method according to claim 1, wherein described And judge whether the first stage needs to further comprise before packet capturing after packet capturing strategy unlatching, according to the packet capturing strategy:
The source IP address of the data flow, and the source IP address of the data flow according to the hit attack rule recorded are obtained, is sentenced Whether the number of the data flow of disconnected hit attack rule is greater than default third threshold value, if so, stopping packet capturing;Otherwise, institute is executed It states and judges whether the first stage needs the movement of packet capturing according to the packet capturing strategy.
4. the method according to claim 1, wherein the packet capturing strategy that any two attacks rule configures in equipment Difference is identical.
5. the method according to claim 1, wherein described continue to carry out the data flow discontinuity packet capturing into one Step includes:
The time of each packet capturing is recorded,
When current time and the difference of the time of last time packet capturing are greater than preset value, the packet capturing deleted for the data flow is remembered Record.
6. a kind of network attack packet capturing device, which is characterized in that the device includes:
Hit detection module: upon receiving the data stream, whether detection data stream hits attack rule;
Packet capturing module: when hit detection module detects data flow hit attack rule, judge whether the attack rule configures The packet capturing strategy and packet capturing strategy is opened, if so, according to the packet capturing strategy judge whether the first stage needs packet capturing, if need It wants, then continuous packet capturing is carried out to the data flow, when continuous packet capturing number reaches preset first threshold value, according to the packet capturing strategy, Judge whether to need to carry out second stage packet capturing, if desired carry out, then continues to carry out discontinuity packet capturing to the data flow.
7. The device according to claim 6, characterized in that the packet capture module performing intermittent packet capture on the data flow comprises:
after the number of times the data flow has hit the attack rule reaches a preset second threshold a, capturing the X-th hit packet, where X satisfies the following condition:
a + nb < X ≤ a + nb + c
where b is a preset first hit-count threshold, c is a preset first capture quantity, n is a positive integer greater than 0, and nc ≤ d, d being a preset first capture total;
or, between a first preset time and a second preset time, capturing the Y-th hit packet, where Y satisfies the following condition:
e + mf < Y ≤ e + mf + g
where e is the number of times the data flow has hit the attack rule when the first preset time is reached, f is a preset second hit-count threshold, g is a preset second capture quantity, m is a positive integer greater than 0, and mg ≤ h, h being a preset second capture total.
8. The device according to claim 6, characterized in that, after the packet capture module judges whether the attack rule is configured with a packet capture policy and the packet capture policy is enabled, and before it judges according to the packet capture policy whether first-stage packet capture is needed, the packet capture module further:
obtains the source IP address of the data flow, and, according to the recorded source IP addresses of the data flows that have hit the attack rule, judges whether the number of data flows that have hit the attack rule is greater than a preset third threshold; if so, stops packet capture; otherwise, performs the step of judging according to the packet capture policy whether first-stage packet capture is needed.
9. The device according to claim 6, characterized in that the packet capture module continuing to perform intermittent packet capture on the data flow further comprises:
recording the time of each packet capture, and, when the difference between the current time and the time of the last packet capture is greater than a preset value, deleting the packet capture record kept for the data flow.
CN201510469336.7A 2015-08-04 2015-08-04 Network attack packet snapping method and device Active CN105592041B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510469336.7A CN105592041B (en) 2015-08-04 2015-08-04 Network attack packet snapping method and device

Publications (2)

Publication Number Publication Date
CN105592041A CN105592041A (en) 2016-05-18
CN105592041B true CN105592041B (en) 2019-01-08

Family

ID=55931259

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510469336.7A Active CN105592041B (en) 2015-08-04 2015-08-04 Network attack packet snapping method and device

Country Status (1)

Country Link
CN (1) CN105592041B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111641591B (en) * 2020-04-30 2022-12-06 杭州博联智能科技股份有限公司 Cloud service security defense method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909554A (en) * 2006-08-18 2007-02-07 华为技术有限公司 Method and system for data flow sampling
CN101141326A (en) * 2007-09-29 2008-03-12 北京启明星辰信息技术有限公司 Flux detecting method and system for self-adaptive sampling
CN104135490A (en) * 2014-08-14 2014-11-05 浪潮(北京)电子信息产业有限公司 Intrusion detection system (IDS) analysis method and intrusion detection system
US8958318B1 (en) * 2011-09-21 2015-02-17 Cisco Technology, Inc. Event-based capture of packets from a network flow
CN104601570A (en) * 2015-01-13 2015-05-06 国家电网公司 Network security monitoring method based on bypass monitoring and software packet capturing technology

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140351415A1 (en) * 2013-05-24 2014-11-27 PacketSled Inc. Selective packet capture

Also Published As

Publication number Publication date
CN105592041A (en) 2016-05-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466

Applicant after: New H3C Technologies Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466

Applicant before: H3C Technologies Co., Ltd.

GR01 Patent grant