CN105592044B - Message aggression detection method and device - Google Patents
- Publication number
- CN105592044B (application number CN201510519724.1A)
- Authority
- CN
- China
- Prior art keywords
- message
- serial number
- queue
- temporal
- characteristic
- Prior art date
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The present invention provides a message attack detection method and device. The method comprises: receiving a message carrying a type identifier and determining the temporal feature queue corresponding to that type identifier; extracting the behavioural feature of the message and determining the message serial number corresponding to that behavioural feature; adding the message serial number to the temporal feature queue and generating a feature sequence; matching the feature sequence against a preset temporal feature library and obtaining a matching result; and processing the message according to the matching result. The invention can accurately detect messages that attack along the time dimension and apply corresponding evasive processing, thereby improving the security of the system.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a message attack detection method and device.
Background technique
An IPS (Intrusion Prevention System) is a security software system that inspects network messages, discovers anomalies and attack payloads in them, and handles them.
When a traditional IPS inspects messages, it usually performs feature detection only in the spatial dimension: it extracts the content features of a message and judges from those content features whether the message is an attack message.
However, because attack payload types have diversified, in some vulnerability attacks (for example the 2014 high-risk OpenSSL vulnerability CVE-2014-0224) the content features of the messages show no anomaly at all. If detection is still based only on spatial-dimension features, such attack payloads cannot be found, which reduces the security of the system.
Summary of the invention
In view of the drawbacks of the prior art, the present invention provides a message attack detection method and device.
The present invention provides a message attack detection method applied to intrusion prevention system (IPS) equipment, the method comprising:
receiving a message carrying a type identifier, and determining the temporal feature queue corresponding to the type identifier;
extracting the behavioural feature of the message, and determining the message serial number corresponding to the behavioural feature;
adding the message serial number to the temporal feature queue, and generating a feature sequence;
matching the feature sequence against a preset temporal feature library, and obtaining a matching result;
processing the message according to the matching result.
The present invention also provides a message attack detection device applied to IPS equipment, the device comprising:
a determination unit, for receiving a message carrying a type identifier and determining the temporal feature queue corresponding to the type identifier;
an extraction unit, for extracting the behavioural feature of the message and determining the message serial number corresponding to the behavioural feature;
a generation unit, for adding the message serial number to the temporal feature queue and generating a feature sequence;
a matching unit, for matching the feature sequence against a preset temporal feature library and obtaining a matching result;
a processing unit, for processing the message according to the matching result.
With the message attack detection method and device provided by the invention, when a received message carries a type identifier, the message serial number corresponding to the message's behavioural feature is added to the temporal feature queue for that type identifier, and the feature sequence generated from the serial numbers in that queue is matched against a preset temporal feature library, so as to further detect whether the message belongs to a timing attack and to process detected attack messages accordingly. The invention can therefore accurately detect messages that attack along the time dimension and apply corresponding evasive processing, which improves the security of the system.
Detailed description of the invention
Fig. 1 is a flow diagram of a message attack detection method in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the co-engine's processing of a message in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the logical structure of a message attack detection device in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the hardware structure of the IPS equipment on which the message attack detection device is located in an embodiment of the present invention.
Specific embodiment
To make the purpose, technical solution and advantages of this application clearer, the solution is described in further detail below with reference to the drawings.
To solve the problems of the existing technology, the present invention provides a message attack detection method and device.
Fig. 1 is a flow diagram of the message attack detection method provided by the invention. The method can be applied to IPS equipment and comprises the following steps:
Step 101: receive a message carrying a type identifier, and determine the temporal feature queue corresponding to the type identifier.
In an embodiment of the invention, after the IPS equipment receives messages it may first apply order-preserving processing, so that the received messages are put back into their original transmission order and out-of-order messages are avoided. For example, the messages received within a buffering time can be sorted by the send number carried in the message header, and then processed one by one in the sorted order. The specific order-preserving processing can follow the existing packet order-preserving procedures and is not described further here.
Next, given the nature of an IPS, the detection engine of the IPS equipment itself first performs spatial-dimension attack detection on each order-preserved message in turn. That is: it obtains the content feature of the received message and matches that content feature against a preset spatial feature library to obtain a matching result; if the matching result shows the message to be a non-spatial-dimension attack message (i.e. one not flagged by the spatial check), it determines the protocol type of the message and adds the type identifier corresponding to that protocol type to the message.
Specifically, the IPS equipment is preset with a spatial feature library, which stores in advance the characteristic information of attack messages summarised from spatial-dimension message attacks.
After the IPS equipment receives a message, the detection engine parses the message to obtain the content of its data part, and extracts a character string from the data part according to a preset rule or as needed.
The detection engine then takes the extracted string as the content feature of the message and matches it in the preset spatial feature library using a preset multi-pattern matching algorithm, to determine whether the message is a spatial-dimension attack.
Here the preset multi-pattern matching algorithm is one that finds multiple pattern strings in a single input string as quickly and optimally as possible, i.e. one that finds, among the characteristic information in the spatial feature library, the entries corresponding to the key string. For example, the multi-pattern matching algorithm used in the invention can be the AC (Aho-Corasick) algorithm, the WM (Wu-Manber) algorithm, and so on.
In the embodiment, the detection engine handles the message differently according to the matching result. For example:
If the matching result is that the content feature matched corresponding characteristic information in the preset spatial feature library, the message is a spatial-dimension attack message. When the message is determined to be a spatial-dimension attack message from its content feature, it can be discarded to avoid the attack, and after discarding it an alarm can be reported to the administrators as needed;
If the matching result is that no corresponding characteristic information was found in the preset spatial feature library, the message can be judged to be a non-spatial-dimension attack message, and it is then further detected whether the message is an attack carried out along the time dimension.
Assume that the characteristic information of attack messages stored in the preset spatial feature library comprises abcd11e, abcd12e and abcd13e, and that the string extracted from the message data part is abcd11e. Then the matching result is that the message matches characteristic information in the spatial feature library, the message is judged to be a spatial-dimension attack message, and it can be discarded, with an alarm reported to the administrators when it is discarded. If instead the extracted string is dbcd11e, the matching result is that the message matches nothing in the spatial feature library, and it is further detected whether the message is an attack using the time dimension.
In the embodiment, when a received message needs the further check for a time-dimension attack, the protocol type of the message can be determined from the protocol number in the message's five-tuple, i.e. by checking which protocol the message belongs to.
The invention assigns different type identifiers to different protocol types in advance. The type identifier can be a 32-bit integer; for example, the type identifier for SIP (Session Initiation Protocol) can be set to 1, for SAP (Session Announcement Protocol) to 2, for the SSL (Secure Sockets Layer) protocol to 3, for TCP (Transmission Control Protocol) to 4, and so on.
When a message needs to be tagged with a type identifier, it is tagged according to the preset type identifier corresponding to its protocol.
In the embodiment, an integer field can be added to the message's control data structure; for a message that needs tagging, the corresponding type identifier is written into that integer field of the message control data structure, so that time-dimension attack detection can be carried out on the message.
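The spatial-dimension stage described above, from the extracted data-part string through the multi-pattern match to tagging a non-matching message with its protocol type identifier, as an added Python example; this is not the patent's own code. The library entries abcd11e, abcd12e and abcd13e, the two sample payloads and the SIP/SAP/SSL/TCP identifiers 1-4 come from the text; the Aho-Corasick implementation, the names AhoCorasick, spatial_stage and SPATIAL_LIBRARY, and the dictionary-style result are assumptions of this example.

```python
from collections import deque

# Type identifiers per protocol, as listed in the text (SIP=1, SAP=2, SSL=3, TCP=4).
PROTOCOL_TYPE_ID = {"SIP": 1, "SAP": 2, "SSL": 3, "TCP": 4}


class AhoCorasick:
    """Multi-pattern string matcher (the AC algorithm named in the text)."""

    def __init__(self, patterns):
        self.goto = [{}]        # goto[node][char] -> next node
        self.fail = [0]         # failure link per node
        self.out = [set()]      # patterns that end at each node (incl. via failure links)
        for pat in patterns:
            node = 0
            for ch in pat:
                if ch not in self.goto[node]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].add(pat)
        # Build failure links breadth-first; depth-1 nodes fail back to the root.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def search(self, text):
        """Return (start_offset, pattern) for every library entry found in text."""
        node, hits = 0, []
        for i, ch in enumerate(text):
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            for pat in self.out[node]:
                hits.append((i - len(pat) + 1, pat))
        return hits


def spatial_stage(data_part, protocol, matcher):
    """Detection-engine step: match the data-part string against the spatial
    feature library; drop on a hit, otherwise tag the message with its type
    identifier so the co-engine can run the temporal-dimension check."""
    hits = matcher.search(data_part)
    if hits:
        return {"verdict": "drop", "matched": sorted(p for _, p in hits), "type_id": None}
    return {"verdict": "to_temporal", "matched": [], "type_id": PROTOCOL_TYPE_ID[protocol]}


# Constructed sample: the spatial feature library from the text.
SPATIAL_LIBRARY = AhoCorasick(["abcd11e", "abcd12e", "abcd13e"])

if __name__ == "__main__":
    print(spatial_stage("abcd11e", "TCP", SPATIAL_LIBRARY))   # drop, matched abcd11e
    print(spatial_stage("dbcd11e", "TCP", SPATIAL_LIBRARY))   # to_temporal, type_id 4
```

The matcher scans the payload once regardless of how many library entries exist, which is why the text prefers AC/WM over testing each entry separately; the returned offset lets an operator see which part of the data part triggered the hit.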
To prevent attacks carried out along the time dimension, the embodiment can additionally provide the IPS equipment with a co-engine alongside the detection engine (the detection engine acting as the main engine); the co-engine further performs time-dimension attack detection on messages carrying a type identifier.
Fig. 2 shows the co-engine's processing of a message carrying a type identifier. After the co-engine receives a message sent by the detection engine, it first parses the message and checks whether the integer field of the message control data structure holds a type identifier; if so, it obtains the type identifier carried in the message.
The co-engine of the invention is also preset with a temporal feature queue for each type identifier (protocol type). After obtaining the type identifier carried in the message, the corresponding temporal feature queue can be determined from it.
Step 102: extract the behavioural feature of the message, and determine the message serial number corresponding to the behavioural feature.
The embodiment also presets message serial numbers corresponding to message behavioural features, i.e. a serial number is set in advance for each behavioural feature of the messages of each protocol type.
After the temporal feature queue corresponding to the type identifier carried in the message has been determined, the message is deep-parsed to learn its message type; the message type obtained by deep parsing is the behavioural feature of the message. The message serial number corresponding to that behavioural feature is then looked up among the preset serial numbers.
For example, the TCP three-way handshake consists of the client sending a SYN message to the server, the server responding with a SYN ACK (synchronisation acknowledgement) message, and the client responding to the SYN ACK with an ACK (acknowledgement) message. The serial number set for the SYN message can then be "1", for the SYN ACK message "2", and for the ACK message "3".
In addition, a default serial number can be preset as a serial number that can mark an arbitrary behavioural feature. Usually, when the message is determined to be a data message, the default serial number is used as the serial number corresponding to the data message's behavioural feature; this default serial number matches any value in the temporal feature library, and can for example be 0.
Step 103: add the message serial number to the temporal feature queue, and generate a feature sequence.
The serial number is then added to the temporal feature queue corresponding to the type identifier carried in the message.
The temporal feature queue is a first-in first-out queue with a preset feature count. For example, if the preset feature count of the queue is 5, then when the 6th serial number is received, the serial number in position 1 of the queue is moved out of the temporal feature queue.
After the serial number has been added to the temporal feature queue, the number of serial numbers currently in the queue is checked, and a feature sequence is generated by one of two generation modes:
when the number of serial numbers added to the temporal feature queue is less than the queue's preset feature count, a preset specific number is combined with the serial numbers in the queue to generate a feature sequence whose number of serial numbers equals the feature count; or, when the number of serial numbers added to the queue equals the preset feature count, the feature sequence is generated from the serial numbers arranged in the queue.
Specifically, again assuming the preset feature count of the temporal feature queue is 5, after the message serial number has been added to the queue a feature sequence can be generated from the serial numbers in the queue in the following two ways:
1. Obtain all serial numbers arranged in the temporal feature queue and generate the feature sequence from them in their queue order.
1) When the number of serial numbers added to the queue is less than the preset feature count (i.e. the new serial number occupies one of positions 1-4 of the queue):
Assume the serial number currently added to the queue is 3. If it is the first serial number added to the queue (position 1), the feature sequence consists of serial number 3 alone, i.e. the generated feature sequence is: 3.
If serial number 3 is the 4th serial number added to the queue (position 4) and the 3 serial numbers before it in the queue are 5, 10, 15 in order, the generated feature sequence is 5, 10, 15, 3.
2) When the number of serial numbers added to the queue equals the preset feature count (i.e. the new serial number occupies position 5 of the queue):
Assume the serial numbers before it in the queue are 5, 10, 15, 20 in order; then the feature sequence generated from the serial numbers in the queue is 5, 10, 15, 20, 3.
2. Combine a preset serial number with the serial numbers in the temporal feature queue to generate a feature sequence whose number of serial numbers equals the feature count.
This generation mode applies only when the number of serial numbers added to the queue is less than the preset feature count (i.e. the new serial number occupies one of positions 1-4 of the queue).
For example, the preset serial number can be set in advance to "X" or to the maximum 32-bit integer value, and so on. If serial number 3 currently added to the queue is the first serial number added (position 1), the preset serial number (taking "X" as an example) is combined with serial number 3 to generate a feature sequence with the feature count (5) of serial numbers: X, X, X, X, 3.
If serial number 3 is the 4th serial number added to the queue (position 4) and the 3 serial numbers before it are 5, 10, 15 in order, the generated feature sequence is X, 5, 10, 15, 3.
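Steps 102 and 103 as an added Python example that is not part of the patent: a per-type-identifier FIFO queue of capacity 5 and the two feature-sequence generation modes described above. The TCP handshake numbering (SYN=1, SYN ACK=2, ACK=3), the default serial number 0 for data messages and the padding value "X" come from the text; the names BEHAVIOUR_SERIAL, TemporalFeatureQueue, CoEngine and run_scenario are this example's own, and only TCP is given a behaviour table.

```python
from collections import deque

# Message serial numbers per behavioural feature, as the text assigns them for
# the TCP three-way handshake. Other protocols would get their own tables.
BEHAVIOUR_SERIAL = {
    "TCP": {"SYN": 1, "SYN_ACK": 2, "ACK": 3},
}
DEFAULT_SERIAL = 0   # data messages: matches any value in the temporal library
PAD = "X"            # preset filler used by generation mode 2 (the text's example value)


def behaviour_to_serial(protocol, behaviour):
    """Step 102: look up the serial number for a deep-parsed message type;
    anything without a dedicated entry (e.g. a data message) gets the default."""
    return BEHAVIOUR_SERIAL.get(protocol, {}).get(behaviour, DEFAULT_SERIAL)


class TemporalFeatureQueue:
    """FIFO queue with a preset feature count; the 6th entry evicts the 1st."""

    def __init__(self, feature_count=5):
        self.feature_count = feature_count
        self._items = deque(maxlen=feature_count)   # maxlen drops the oldest entry

    def add(self, serial):
        self._items.append(serial)

    def sequence_mode1(self):
        """Mode 1: the serial numbers currently queued, in arrival order."""
        return list(self._items)

    def sequence_mode2(self):
        """Mode 2: left-pad with PAD so the sequence always has feature_count
        entries. When the queue is full this equals mode 1."""
        missing = self.feature_count - len(self._items)
        return [PAD] * missing + list(self._items)


class CoEngine:
    """Keeps one temporal feature queue per type identifier (step 101) and
    returns the feature sequence generated after each added message (step 103)."""

    def __init__(self, feature_count=5):
        self.feature_count = feature_count
        self._queues = {}

    def queue_for(self, type_id):
        return self._queues.setdefault(type_id, TemporalFeatureQueue(self.feature_count))

    def add_message(self, type_id, serial, mode=1):
        q = self.queue_for(type_id)
        q.add(serial)
        return q.sequence_mode1() if mode == 1 else q.sequence_mode2()


def run_scenario(serials, type_id=4, feature_count=5):
    """Feed serial numbers into a fresh engine (constructed input) and return the
    (mode-1, mode-2) feature sequences after the last one."""
    engine = CoEngine(feature_count)
    seq1 = []
    for s in serials:
        seq1 = engine.add_message(type_id, s)
    return seq1, engine.queue_for(type_id).sequence_mode2()


if __name__ == "__main__":
    print(run_scenario([3]))                  # ([3], ['X', 'X', 'X', 'X', 3])
    print(run_scenario([5, 10, 15, 3]))       # ([5, 10, 15, 3], ['X', 5, 10, 15, 3])
    print(run_scenario([5, 10, 15, 20, 3]))   # both [5, 10, 15, 20, 3]
```

Keeping one queue per type identifier matters: the handshake order of one protocol must not be diluted by serial numbers of another, and a full queue means every stored sequence in the library can be compared at the same fixed length.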
Step 104: match the feature sequence against the preset temporal feature library, and obtain a matching result.
After the feature sequence has been generated from the serial numbers in the temporal feature queue, it can be matched in the preset temporal feature library using a multi-pattern matching algorithm, which again can be the AC algorithm, the WM algorithm, and so on.
The temporal feature library likewise stores in advance the characteristic information of attack messages summarised from time-dimension message attacks. The temporal feature library can be a normal temporal feature library holding normal temporal features, or an abnormal temporal feature library holding abnormal temporal features.
When the temporal feature library is a normal temporal feature library: if the generated feature sequence matches a corresponding feature in the preset normal library, the matching result is that a feature corresponding to the sequence was found, and the message can be judged not to be a timing-attack message; otherwise the matching result is that no feature corresponding to the sequence was found in the normal library, and the message can be judged to be a timing-attack message.
Similarly, when the temporal feature library is an abnormal temporal feature library: if the generated feature sequence matches a corresponding feature in the preset abnormal library, the matching result is that a feature corresponding to the sequence was found, and the message can be judged to be a timing-attack message; otherwise the matching result is that no feature corresponding to the sequence was found in the abnormal library, and the message can be judged not to be a timing-attack message.
It should be noted that if the generated feature sequence contains the serial number 0, that serial number 0 matches any value in the feature library during matching.
For example, if the generated feature sequence is 5, 0, 15, 20, 3 and the temporal feature library contains the characteristic information 5, 8, 15, 20, 3, the 0 in the feature sequence is considered to match the 8 in 5, 8, 15, 20, 3, so the feature sequence 5, 0, 15, 20, 3 matches corresponding characteristic information in the preset temporal feature library.
Step 105: process the message according to the matching result.
The co-engine of the invention processes different matching results differently. For example:
When the temporal features stored in the temporal feature library are those of normal timing: if the matching result is that a feature corresponding to the feature sequence was found in the library, i.e. the message is judged not to be a timing-attack message, the message can be forwarded by the normal flow; if the matching result is that no feature corresponding to the feature sequence was found in the library, i.e. the message is judged to be a time-dimension attack message, the message can be discarded to avoid the attack.
When the temporal features stored in the temporal feature library are those of abnormal timing: if the matching result is that no feature corresponding to the feature sequence was found in the library, i.e. the message is judged not to be a timing-attack message, the message can be forwarded by the normal flow; otherwise the message is discarded to avoid the attack.
Further, after a time-dimension attack has been determined, an alarm can also be issued to the administrators as needed when the message is discarded, so that the administrators can take precautions in time.
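Steps 104 and 105 as an added Python example, not the patent's code: position-by-position matching of a generated feature sequence against a temporal feature library in which serial number 0 matches any value, followed by the forward/drop decision for both a normal library and an abnormal library, with an alarm record on drop. The sequences 5, 0, 15, 20, 3 and 5, 8, 15, 20, 3 are the text's; the element-wise comparison stands in for the AC/WM multi-pattern match the text names, the padding value "X" is treated as an ordinary literal that must also appear in the library entry, and the function names, the sample libraries and the alarm dictionary are assumptions of this example.

```python
WILDCARD = 0   # the default serial number: matches any library value


def serial_matches(seq_val, lib_val):
    """One position matches if the values are equal or the sequence holds the wildcard."""
    return seq_val == WILDCARD or seq_val == lib_val


def sequence_matches(seq, lib_seq):
    """A feature sequence matches a library entry of the same length position by position."""
    return len(seq) == len(lib_seq) and all(
        serial_matches(s, l) for s, l in zip(seq, lib_seq))


def match_library(seq, library):
    """Step 104: return every library entry the feature sequence matches."""
    return [entry for entry in library if sequence_matches(seq, entry)]


def decide(seq, library, kind):
    """Step 105. 'normal' library: a hit means the message follows a known-good
    order, so forward; a miss means a time-dimension attack, so drop.
    'abnormal' library: a hit is the attack, so the decision is inverted."""
    matched = bool(match_library(seq, library))
    if kind == "normal":
        is_attack = not matched
    elif kind == "abnormal":
        is_attack = matched
    else:
        raise ValueError("library kind must be 'normal' or 'abnormal'")
    return "drop" if is_attack else "forward"


def process(seq, library, kind):
    """Apply the decision; on drop also build the alarm the administrators receive."""
    action = decide(seq, library, kind)
    alarm = None
    if action == "drop":
        alarm = {"reason": "time-dimension attack", "sequence": list(seq), "library": kind}
    return {"action": action, "alarm": alarm}


# Constructed sample libraries (the first normal entry is the text's example).
NORMAL_LIBRARY = [[5, 8, 15, 20, 3], [1, 2, 3, 3, 3]]          # known-good orders
ABNORMAL_LIBRARY = [[1, 1, 1, 1, 1], ["X", "X", "X", 1, 1]]    # known-bad orders

if __name__ == "__main__":
    print(process([5, 0, 15, 20, 3], NORMAL_LIBRARY, "normal"))        # forward
    print(process([5, 9, 15, 20, 3], NORMAL_LIBRARY, "normal"))        # drop + alarm
    print(process(["X", "X", "X", 1, 1], ABNORMAL_LIBRARY, "abnormal"))  # drop + alarm
```

Because 0 is a wildcard only on the sequence side, a data message never weakens the check beyond its own position: the handshake serial numbers around it still have to be in the stored order for a normal-library hit.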
In conclusion message aggression detection method provided by the invention passes through when received message has type identification
The corresponding test serial number of message behavioural characteristic is added in temporal characteristics queue corresponding with type identification, and by temporal characteristics
It is matched in preset temporal aspect library in queue by the characteristic sequence that test serial number generates, further to detect the message
Whether it is the message of timing attacks, and respective handling is carried out to the attack message detected.It can be seen that the present invention can be examined accurately
The message attacked by time dimension is measured, and is correspondingly evaded processing, and then improves the security performance of system.
The present invention also provides a message attack detection device. Fig. 3 is a structural diagram of the device, which can be applied to IPS equipment and can comprise a determination unit 301, an extraction unit 302, a generation unit 303, a matching unit 304 and a processing unit 305, wherein:
the determination unit 301 is for receiving a message carrying a type identifier and determining the temporal feature queue corresponding to the type identifier;
the extraction unit 302 is for extracting the behavioural feature of the message and determining the message serial number corresponding to the behavioural feature;
the generation unit 303 is for adding the message serial number to the temporal feature queue and generating a feature sequence;
the matching unit 304 is for matching the feature sequence against a preset temporal feature library and obtaining a matching result;
the processing unit 305 is for processing the message according to the matching result.
Further, the device can also comprise an acquiring unit 306 and a marking unit 307. The acquiring unit 306 is for obtaining the content feature of the message and matching it in a preset spatial feature library to obtain a matching result; the marking unit 307 is for discarding the message when the matching result shows it to be a spatial-dimension attack message, and, when the matching result shows it to be a non-spatial-dimension attack message, for determining the protocol type of the message and adding the type identifier corresponding to that protocol type to the message.
Further, the generation unit 303 can specifically be used, when the number of serial numbers added to the temporal feature queue is less than the queue's preset feature count, to combine a preset specific number with the serial numbers in the queue to generate a feature sequence whose number of serial numbers equals the feature count; or, when the number of serial numbers added to the queue equals the preset feature count, to generate the feature sequence from the serial numbers arranged in the queue.
Further, the processing unit 305 can also be used, when the temporal features stored in the temporal feature library are those of normal timing, to forward the message if the matching result is that the library contains a feature matching the feature sequence and otherwise to discard it; or, when the temporal features stored in the library are those of abnormal timing, to forward the message if the matching result is that the library contains no feature matching the feature sequence and otherwise to discard it.
Further, the extraction unit 302 can specifically be used, when the message is determined to be a data message, to take a default serial number as the serial number corresponding to the message's behavioural feature, where the default serial number can match any value in the temporal feature library.
The specific processing flow of the message attack detection device applied to IPS equipment can be the same as that of the message attack detection method above and is not repeated here.
The device above can be implemented in software or in hardware. Fig. 4 shows the hardware structure of the network equipment on which the message attack detection device of the invention is located: the basic hardware environment comprises a CPU, a forwarding chip, memory and other hardware; the memory holds machine-readable instructions, and the CPU reads and executes those instructions to perform the functions of the units in Fig. 3.
As can be seen that message aggression provided in an embodiment of the present invention inspection from the embodiment of the above various method and apparatus
Survey method and device, when received message has type identification, by adding the corresponding test serial number of message behavioural characteristic
The characteristic sequence that adds in temporal characteristics queue corresponding with type identification, and will be generated in temporal characteristics queue by test serial number
Matched in preset temporal aspect library, with further detect the message whether be timing attacks message, and to detection
Attack message out carries out respective handling.It can be seen that the present invention can accurately detect the report attacked by time dimension
Text, and correspondingly evaded processing, and then improve the security performance of system.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.
Claims (10)
1. A message attack detection method, applied to intrusion prevention system (IPS) equipment, characterized in that the method comprises:
receiving a message carrying a type identification, and determining the temporal characteristics queue corresponding to the type identification; wherein the message carrying the type identification is an attack message of the non-space dimension;
extracting the behavioural characteristic of the message, and determining the test serial number corresponding to the behavioural characteristic;
adding the test serial number to the temporal characteristics queue, and generating a characteristic sequence;
matching the characteristic sequence in a preset temporal aspect library, and obtaining a matching result;
handling the message accordingly according to the matching result.
2. The method according to claim 1, characterized in that, before receiving the message carrying the type identification, the method further comprises:
obtaining the content characteristic of the message, matching the content characteristic in a preset space characteristics library, and obtaining a matching result;
if the message is determined according to the matching result to be an attack message of the space dimension, discarding the attack message of the space dimension;
if the message is determined according to the matching result to be an attack message of the non-space dimension, determining the protocol type of the message, and adding a type identification corresponding to the protocol type of the message to the message.
3. The method according to claim 1, characterized in that adding the test serial number to the temporal characteristics queue and generating the characteristic sequence specifically comprises:
when the number of test serial numbers added to the temporal characteristics queue is less than the preset feature quantity of the temporal characteristics queue, combining preset specific numbers with the test serial numbers in the temporal characteristics queue to generate a characteristic sequence whose number of test serial numbers equals the feature quantity; or,
when the number of test serial numbers added to the temporal characteristics queue equals the preset feature quantity of the temporal characteristics queue, generating the characteristic sequence from the test serial numbers arranged in the temporal characteristics queue.
4. The method according to claim 1, characterized in that handling the message accordingly according to the matching result specifically comprises:
when the temporal aspects saved in the temporal aspect library are temporal aspects of normal timing, forwarding the message if the matching result is that the temporal aspect library contains a feature matching the characteristic sequence, and otherwise discarding the message; or,
when the temporal aspects saved in the temporal aspect library are temporal aspects of abnormal timing, forwarding the message if the matching result is that the temporal aspect library contains no feature matching the characteristic sequence, and otherwise discarding the message.
5. The method according to claim 1, characterized in that extracting the behavioural characteristic of the message and determining the test serial number corresponding to the behavioural characteristic specifically comprises:
if the message is determined to be a data message, using a preset serial number as the test serial number corresponding to the behavioural characteristic of the message, wherein the preset serial number matches any value in the temporal aspect library.
6. A message attack detection device, applied to IPS equipment, characterized in that the device comprises:
a determination unit, configured to receive a message carrying a type identification and determine the temporal characteristics queue corresponding to the type identification; wherein the message carrying the type identification is an attack message of the non-space dimension;
an extraction unit, configured to extract the behavioural characteristic of the message and determine the test serial number corresponding to the behavioural characteristic;
a generation unit, configured to add the test serial number to the temporal characteristics queue and generate a characteristic sequence;
a matching unit, configured to match the characteristic sequence in a preset temporal aspect library and obtain a matching result;
a processing unit, configured to handle the message accordingly according to the matching result.
7. The device according to claim 6, characterized in that the device further comprises:
an acquiring unit, configured to obtain the content characteristic of the message, match the content characteristic in a preset space characteristics library, and obtain a matching result;
an identification unit, configured to discard the attack message of the space dimension when the message is determined according to the matching result to be an attack message of the space dimension; and, when the message is determined according to the matching result to be an attack message of the non-space dimension, to determine the protocol type of the message and add a type identification corresponding to the protocol type of the message to the message.
8. The device according to claim 6, characterized in that the generation unit is specifically configured to:
when the number of test serial numbers added to the temporal characteristics queue is less than the preset feature quantity of the temporal characteristics queue, combine preset specific numbers with the test serial numbers in the temporal characteristics queue to generate a characteristic sequence whose number of test serial numbers equals the feature quantity; or,
when the number of test serial numbers added to the temporal characteristics queue equals the preset feature quantity of the temporal characteristics queue, generate the characteristic sequence from the test serial numbers arranged in the temporal characteristics queue.
9. The device according to claim 6, characterized in that the processing unit is specifically configured to:
when the temporal aspects saved in the temporal aspect library are temporal aspects of normal timing, forward the message if the matching result is that the temporal aspect library contains a feature matching the characteristic sequence, and otherwise discard the message; or,
when the temporal aspects saved in the temporal aspect library are temporal aspects of abnormal timing, forward the message if the matching result is that the temporal aspect library contains no feature matching the characteristic sequence, and otherwise discard the message.
10. The device according to claim 6, characterized in that the extraction unit is specifically configured to:
if the message is determined to be a data message, use a preset serial number as the test serial number corresponding to the behavioural characteristic of the message, wherein the preset serial number matches any value in the temporal aspect library.
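The following Python model is an added illustration of the flow in claims 1 to 5 (the space-dimension pre-filter, one temporal characteristics queue per type identification, padding of a short queue, wildcard serial numbers for data messages, and the normal/abnormal library decision). It is not code from the patent or from its applicant. The names (TemporalDetector, pre_filter, WILDCARD, PAD), the behaviour-to-serial-number table, both libraries, the content signatures and the choice to place the padding in front of the queue contents are all assumptions constructed for this example; the claims fix none of these.

```python
"""Toy model of the temporal-sequence check described in claims 1-5.

Added illustration, not code from the patent or its applicant. Every name,
table and library below is an assumption constructed for this example.
"""
from collections import deque

WILDCARD = "*"   # preset serial number for data messages; matches any value (claim 5)
PAD = 0          # preset specific number used to fill a not-yet-full queue (claim 3)

# behavioural characteristic -> test serial number (assumed mapping)
SERIAL_TABLE = {"syn": 1, "ack": 2, "fin": 3, "rst": 4}

# constructed content signatures for the space-dimension check (claim 2)
SPACE_SIGNATURES = (b"../", b"<script>")

# constructed libraries of 3-long sequences (assumed feature quantity = 3)
NORMAL_LIBRARY = [(0, 0, 1), (0, 1, 2), (1, 2, 2), (2, 2, 3)]
ABNORMAL_LIBRARY = [(1, 1, 1)]   # e.g. three consecutive SYNs


def pre_filter(protocol, payload, signatures=SPACE_SIGNATURES):
    """Space-dimension check (claim 2). Returns None when the message is to be
    discarded, otherwise the type identification to attach (here the protocol)."""
    if any(sig in payload for sig in signatures):
        return None
    return protocol


class TemporalDetector:
    def __init__(self, feature_count, library, library_is_normal=True):
        self.n = feature_count                       # preset feature quantity
        self.library = [tuple(p) for p in library]   # preset temporal aspect library
        self.normal = library_is_normal              # claim 4: normal vs abnormal timing
        self.queues = {}                             # type identification -> queue

    @staticmethod
    def serial_for(behaviour):
        """Behavioural characteristic -> test serial number (claims 1 and 5)."""
        if behaviour == "data":
            return WILDCARD
        return SERIAL_TABLE[behaviour]

    def feature_sequence(self, type_id):
        """Claim 3: pad a short queue with PAD (assumed to go in front),
        otherwise use the queue contents as they are."""
        q = list(self.queues[type_id])
        if len(q) < self.n:
            return tuple([PAD] * (self.n - len(q)) + q)
        return tuple(q)

    @staticmethod
    def _matches(seq, pattern):
        # WILDCARD in the sequence matches whatever the library holds there
        return all(a == WILDCARD or a == b for a, b in zip(seq, pattern))

    def process(self, type_id, behaviour):
        """Claims 1 and 4: returns 'forward' or 'drop' for one message."""
        q = self.queues.setdefault(type_id, deque(maxlen=self.n))
        q.append(self.serial_for(behaviour))
        seq = self.feature_sequence(type_id)
        matched = any(self._matches(seq, p) for p in self.library)
        if self.normal:
            return "forward" if matched else "drop"
        return "drop" if matched else "forward"


if __name__ == "__main__":
    det = TemporalDetector(3, NORMAL_LIBRARY)
    for b in ["syn", "ack", "data", "fin", "syn"]:
        print(b, "->", det.process("tcp", b))
```

Two consequences of the claimed design show up directly in this model. First, the wildcard serial number for data messages (claim 5) makes a data message match any library entry whose remaining positions agree with the queue, so with an abnormal-timing library (claim 4, second branch) a data message is dropped more readily than a control message would be; whoever builds the library has to account for that. Second, the queue is keyed only by the type identification, as the claims state, so all messages of one protocol type share one history; a deployment that needs per-flow history would key the queue more finely.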
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510519724.1A CN105592044B (en) | 2015-08-21 | 2015-08-21 | Message aggression detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105592044A CN105592044A (en) | 2016-05-18 |
CN105592044B true CN105592044B (en) | 2019-05-07 |
Family
ID=55931261
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510519724.1A Active CN105592044B (en) | 2015-08-21 | 2015-08-21 | Message aggression detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105592044B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107888540B (en) * | 2016-09-29 | 2020-12-25 | 华为技术有限公司 | Network anti-attack method and network equipment |
CN106961393B (en) * | 2017-03-06 | 2020-11-27 | 北京安博通科技股份有限公司 | Detection method and device for UDP (user Datagram protocol) message in network session |
CN106911724B (en) * | 2017-04-27 | 2020-03-06 | 杭州迪普科技股份有限公司 | Message processing method and device |
CN107426285B (en) * | 2017-05-19 | 2022-11-25 | 北京智联安行科技有限公司 | Vehicle-mounted CAN bus safety protection method and device |
CN109246027B (en) * | 2018-09-19 | 2022-02-15 | 腾讯科技(深圳)有限公司 | Network maintenance method and device and terminal equipment |
CN111490992B (en) * | 2020-04-11 | 2021-01-22 | 江苏政采数据科技有限公司 | Intrusion detection method and device based on data flow detection and time sequence feature extraction |
CN112351002B (en) * | 2020-10-21 | 2022-04-26 | 新华三信息安全技术有限公司 | Message detection method, device and equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7181768B1 (en) * | 1999-10-28 | 2007-02-20 | Cigital | Computer intrusion detection system and method based on application monitoring |
CN101034974A (en) * | 2007-03-29 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Associative attack analysis and detection method and device based on the time sequence and event sequence |
CN101388885A (en) * | 2008-07-23 | 2009-03-18 | 成都市华为赛门铁克科技有限公司 | Detection method and system for distributed denial of service |
CN101547129A (en) * | 2009-05-05 | 2009-09-30 | 中国科学院计算技术研究所 | Method and system for detecting distributed denial of service attack |
CN101572691A (en) * | 2008-04-30 | 2009-11-04 | 华为技术有限公司 | Method, system and device for intrusion detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant before: Huasan Communication Technology Co., Ltd. |
| GR01 | Patent grant | |