CN105592044B - Message attack detection method and device - Google Patents


Publication number
CN105592044B
Authority
CN
China
Legal status (as listed by Google; not a legal conclusion)
Active
Application number
CN201510519724.1A
Other languages
Chinese (zh)
Other versions
CN105592044A (en)
Inventor
石岩
梁力文
Current Assignee (as listed by Google; may be inaccurate)
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN201510519724.1A
Publication of CN105592044A
Application granted
Publication of CN105592044B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

The present invention provides a message attack detection method and device. The method comprises: receiving a packet carrying a type identifier and determining the temporal feature queue corresponding to that type identifier; extracting the behaviour feature of the packet and determining the packet serial number corresponding to that behaviour feature; adding the packet serial number to the temporal feature queue and generating a feature sequence; matching the feature sequence against a preset temporal feature library and obtaining a matching result; and handling the packet according to the matching result. The invention can accurately detect packets that attack through the time dimension and handle them accordingly, thereby improving the security of the system.

Description

Message attack detection method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a message attack detection method and device.
Background
An IPS (Intrusion Prevention System) is a security software system that detects network packets, discovers abnormal or attack payloads in them, and handles them.
When a traditional IPS detects packets it usually performs only spatial-dimension feature detection: it extracts the packet's content features and judges from those content features whether the packet is an attack packet.
However, because attack payloads have diversified, in some vulnerability attacks (for example the 2014 high-risk OpenSSL vulnerability CVE-2014-0224, which is triggered by sending a ChangeCipherSpec message at the wrong point in the handshake, so that each individual packet looks legitimate) the content features of the packets show no anomaly at all. If detection is still based only on spatial-dimension features, such attack payloads cannot be found, which reduces the security of the system.
Summary of the invention
In view of the drawbacks of the prior art, the present invention provides a message attack detection method and device.
The present invention provides a message attack detection method applied to intrusion prevention system (IPS) equipment. The method comprises:
receiving a packet carrying a type identifier, and determining the temporal feature queue corresponding to the type identifier;
extracting the behaviour feature of the packet, and determining the packet serial number corresponding to the behaviour feature;
adding the packet serial number to the temporal feature queue, and generating a feature sequence;
matching the feature sequence against a preset temporal feature library, and obtaining a matching result;
handling the packet according to the matching result.
The present invention also provides a message attack detection device applied to IPS equipment. The device comprises:
a determination unit, configured to receive a packet carrying a type identifier and determine the temporal feature queue corresponding to the type identifier;
an extraction unit, configured to extract the behaviour feature of the packet and determine the packet serial number corresponding to the behaviour feature;
a generation unit, configured to add the packet serial number to the temporal feature queue and generate a feature sequence;
a matching unit, configured to match the feature sequence against a preset temporal feature library and obtain a matching result;
a processing unit, configured to handle the packet according to the matching result.
With the message attack detection method and device provided by the invention, when a received packet carries a type identifier, the packet serial number corresponding to the packet's behaviour feature is added to the temporal feature queue corresponding to that type identifier, and the feature sequence generated from the packet serial numbers in that queue is matched against a preset temporal feature library, so as to further detect whether the packet belongs to a timing attack and to handle a detected attack packet accordingly. The invention can therefore accurately detect packets that attack through the time dimension, handle them accordingly, and thereby improve the security of the system.
Brief description of the drawings
Fig. 1 is a flow diagram of a message attack detection method in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the co-engine's processing of a packet in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the logical structure of a message attack detection device in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the hardware structure of the IPS equipment hosting the message attack detection device in an embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the application clearer, the solution is described in further detail below with reference to the drawings.
To solve the problems in the prior art, the present invention provides a message attack detection method and device.
Fig. 1 is a schematic flow diagram of the message attack detection method provided by the invention; the method can be applied to IPS equipment and comprises the following steps:
Step 101: receive a packet carrying a type identifier, and determine the temporal feature queue corresponding to the type identifier.
In the embodiment, to avoid received packets being out of order, the IPS equipment may first perform order-preserving processing on them after reception, so that the order of the received packets is the order in which they were originally sent. For example, the packets received within a buffering period can be sorted by the send number carried in their headers and then processed one by one in the sorted order. The order-preserving processing itself can follow existing packet order-preservation procedures and is not described here.
Then, in line with the nature of an IPS, the detection engine of the IPS equipment first performs spatial-dimension attack detection on the order-preserved packets in turn: it obtains the content feature of each received packet and matches that content feature against a preset spatial feature library to obtain a matching result. If the matching result shows that the packet is a spatial-dimension attack packet, the packet is handled as such; if it shows that the packet is not a spatial-dimension attack packet, the protocol type of the packet is determined and the type identifier corresponding to that protocol type is added to the packet.
Specifically, the IPS equipment is preset with a spatial feature library in which the feature information of attack packets, summarised from spatial-dimension message attacks, is stored in advance.
After the IPS equipment receives a packet, the detection engine parses it to obtain the content of the packet's data part, and extracts a character string from the data part according to a preset rule or as needed.
The detection engine then takes the extracted character string as the packet's content feature and matches it against the preset spatial feature library with a preset multi-pattern matching algorithm, to determine whether the packet is a spatial-dimension attack packet.
A multi-pattern matching algorithm is one that finds multiple pattern strings in a single character string as quickly and efficiently as possible, that is, an algorithm that finds, in the feature information of the spatial feature library, the feature information of the several patterns corresponding to the key content. For example, the multi-pattern matching algorithm used in the present invention may be the AC (Aho-Corasick) algorithm or the WM (Wu-Manber) algorithm.
In the embodiment the detection engine handles the packet differently according to the matching result. For example:
If the matching result is that the content feature matched corresponding feature information in the preset spatial feature library, the packet is a spatial-dimension attack packet. In that case the packet can be discarded to avoid the attack, and after discarding it an alarm can be reported to the administrator as needed;
If the matching result is that the content feature did not match any feature information in the preset spatial feature library, the packet is determined not to be a spatial-dimension attack packet, and it is further detected whether the packet is one that attacks through the time dimension.
Assume the attack-packet feature information summarised in the preset spatial feature library comprises abcd11e, abcd12e and abcd13e, and that the character string extracted from the packet's data part is abcd11e. The matching result is then that the packet matched feature information in the spatial feature library, so it is determined to be a spatial-dimension attack packet and can be discarded, with an alarm reported to the administrator when it is discarded. If instead the extracted character string is dbcd11e, the matching result is that the packet matched no feature information in the spatial feature library, and it is further detected whether the packet attacks through the time dimension.
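The spatial-dimension step above is a multi-pattern search of the extracted content string against the spatial feature library. The following added example (written for this page; it is not the patent's or H3C's code) implements the AC (Aho-Corasick) algorithm the text names and runs the text's own worked case: a library of abcd11e, abcd12e and abcd13e, with abcd11e and dbcd11e as the extracted content. The class and function names are the example's own; the library contents and the two sample strings are the ones given in the text, and any further sample strings are constructed here.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: one pass over the text finds every library entry."""

    def __init__(self, patterns):
        self.goto = [{}]        # goto[state][char] -> next state
        self.out = [set()]      # patterns that end at this state
        self.fail = [0]         # failure link per state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        state = 0
        for ch in pattern:
            if ch not in self.goto[state]:
                self.goto.append({})
                self.out.append(set())
                self.fail.append(0)
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.out[state].add(pattern)

    def _build_failure_links(self):
        # Breadth-first over the trie; depth-1 states already fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches

    def search(self, text):
        """Return (start_offset, pattern) for every occurrence in text."""
        state, hits = 0, []
        for i, ch in enumerate(text):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for p in sorted(self.out[state]):
                hits.append((i - len(p) + 1, p))
        return hits


# Spatial feature library from the text's worked example.
SPATIAL_FEATURE_DB = ["abcd11e", "abcd12e", "abcd13e"]
SPATIAL_MATCHER = AhoCorasick(SPATIAL_FEATURE_DB)


def spatial_detect(content, matcher=SPATIAL_MATCHER):
    """Detection-engine decision for one packet's extracted content string.

    Returns ("drop", hits) for a spatial-dimension attack packet, or
    ("to_co_engine", []) when no library entry matched and the packet
    must go on to time-dimension detection.
    """
    hits = matcher.search(content)
    return ("drop", hits) if hits else ("to_co_engine", hits)
```

The search is a substring search, so a library entry is found anywhere inside the extracted string, not only when the whole string equals it; dbcd11e contains none of the three entries and is passed on, while a string such as xxabcd12eyy is dropped on the entry at offset 2.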
In the embodiment, when a received packet needs further detection for a time-dimension attack, its protocol type can be determined from the protocol number in the packet's five-tuple, i.e. by checking which protocol the packet belongs to. (Note that the IP protocol number alone identifies only the transport protocol, such as TCP; distinguishing application protocols such as SIP or SAP additionally requires the transport port or the payload.)
The invention assigns different type identifiers to different protocol types in advance. The type identifier can be a 32-bit integer; for example, the type identifier for SIP (Session Initiation Protocol) can be set to 1, for SAP (Session Announcement Protocol) to 2, for the SSL (Secure Sockets Layer) protocol to 3, for TCP (Transmission Control Protocol) to 4, and so on.
When a type identifier needs to be added to a packet, the packet is marked with the type identifier preset for its protocol.
In the embodiment this can be done by adding an integer field to the packet's control data structure: for a packet that needs to be marked, the corresponding type identifier is written into that integer field, and time-dimension attack detection is then performed on the packet.
To prevent attacks carried out through the time dimension, the embodiment can additionally provide the IPS equipment with a co-engine alongside the detection engine (the detection engine can be regarded as the main engine); the co-engine performs the further time-dimension attack detection on packets that carry a type identifier.
Fig. 2 shows the co-engine's processing of a packet carrying a type identifier. After the co-engine receives the packet sent by the detection engine, it first parses the packet and checks whether the integer field of the packet's control data structure holds a type identifier; if so, it obtains the type identifier carried in the packet.
The co-engine is also preset with temporal feature queues corresponding to the different type identifiers (protocol types), so after obtaining the type identifier carried in the packet it can determine the corresponding temporal feature queue from that identifier.
Step 102: extract the behaviour feature of the packet, and determine the packet serial number corresponding to the behaviour feature.
The embodiment also presets packet serial numbers corresponding to packet behaviour features, i.e. a packet serial number is set in advance for each behaviour feature of the packets of each protocol type.
After the temporal feature queue corresponding to the packet's type identifier has been determined, the co-engine can perform deep parsing of the packet to learn its message type; the message type obtained by deep parsing is the packet's behaviour feature.
The packet serial number corresponding to the packet's behaviour feature is then looked up among the preset packet serial numbers.
For example, the three-way handshake of a TCP session comprises the SYN packet sent by the client to the server, the SYN ACK (synchronise-acknowledge) packet the server sends in response, and the ACK (acknowledge) packet the client sends to the server in response to the SYN ACK. The packet serial number set for the SYN packet can be 1, for the SYN ACK packet 2, and for the ACK packet 3.
A default serial number can also be preset as a packet serial number that can mark any behaviour feature. Normally, when the packet is determined to be a data packet, the default serial number is used as the packet serial number corresponding to the data packet's behaviour feature; this default serial number matches any value in the temporal feature library, and can for example be 0.
Step 103: add the packet serial number to the temporal feature queue, and generate a feature sequence.
The packet serial number is then added to the temporal feature queue corresponding to the type identifier carried by the packet.
The temporal feature queue is a first-in first-out queue with a preset arrangeable feature quantity. For example, if the queue's preset arrangeable feature quantity is 5, then when the 6th packet serial number is received the packet serial number in the 1st position is moved out of the queue.
After the packet serial number has been added to the temporal feature queue, the number of packet serial numbers currently arranged in the queue is checked and a feature sequence is generated in one of two ways:
When the number of packet serial numbers added to the queue is less than the queue's preset feature quantity, a preset specific number is combined with the packet serial numbers in the queue to generate a feature sequence whose number of packet serial numbers equals the feature quantity; alternatively, when the number of packet serial numbers added to the queue equals the queue's preset feature quantity, the feature sequence is generated from the packet serial numbers arranged in the queue.
Specifically, again assuming that the queue's preset arrangeable feature quantity is 5, after the packet's serial number has been added to the queue a feature sequence can be generated from the serial numbers in the queue in either of the following two ways:
1. Obtain all packet serial numbers arranged in the temporal feature queue and generate the feature sequence according to their order in the queue.
1) When the number of packet serial numbers added to the queue is less than the queue's preset feature quantity (i.e. the new serial number is placed in one of positions 1 to 4 of the queue):
Assume the packet serial number currently added to the queue is 3 and it is the first serial number added to the queue (it occupies position 1). Then serial number 3 alone is taken as the feature sequence, i.e. the generated feature sequence is: 3.
If the packet serial number 3 currently added to the queue is the 4th serial number added (it occupies position 4), and the 3 serial numbers already in the queue are 5, 10, 15 in that order, the generated feature sequence is 5, 10, 15, 3.
2) When the number of packet serial numbers added to the queue equals the queue's preset feature quantity (i.e. the new serial number occupies position 5):
Assume the 4 serial numbers already in the queue are 5, 10, 15, 20 in that order; the feature sequence generated from the serial numbers arranged in the queue is then 5, 10, 15, 20, 3.
2. Combine a preset packet serial number with the packet serial numbers in the temporal feature queue to generate a feature sequence whose number of packet serial numbers equals the feature quantity.
This generation method applies only when the number of packet serial numbers added to the queue is less than the queue's preset feature quantity (i.e. the new serial number is placed in one of positions 1 to 4 of the queue).
For example, the preset packet serial number can be set in advance to "X" or to the maximum 32-bit integer value. If the packet serial number 3 currently added to the queue is the first serial number added (it occupies position 1), the preset serial number (taking "X" as the example) is combined with serial number 3 to generate a feature sequence holding the feature quantity (5) of serial numbers: X, X, X, X, 3.
If the packet serial number 3 currently added to the queue is the 4th serial number added (it occupies position 4), and the 3 serial numbers already in the queue are 5, 10, 15 in that order, the generated feature sequence is X, 5, 10, 15, 3.
Step 104: match the feature sequence against the preset temporal feature library, and obtain a matching result.
After the feature sequence has been generated from the packet serial numbers in the temporal feature queue, it can be matched against the preset temporal feature library with a multi-pattern matching algorithm; again this can be the AC algorithm, the WM algorithm or similar.
The temporal feature library likewise stores in advance the feature information of attack packets summarised from time-dimension message attacks. The temporal feature library can be a normal temporal feature library holding normal temporal features, or an abnormal temporal feature library holding abnormal temporal features.
When the temporal feature library is a normal temporal feature library: if the generated feature sequence matches a corresponding feature in the library, the matching result is that a feature corresponding to the feature sequence was found in the normal temporal feature library, and the packet can be determined not to be a timing-attack packet; otherwise the matching result is that no feature corresponding to the feature sequence was found in the normal temporal feature library, and the packet can be determined to be a timing-attack packet.
Similarly, when the temporal feature library is an abnormal temporal feature library: if the generated feature sequence matches a corresponding feature in the library, the matching result is that a feature corresponding to the feature sequence was found in the abnormal temporal feature library, and the packet can be determined to be a timing-attack packet; otherwise the matching result is that no feature corresponding to the feature sequence was found in the abnormal temporal feature library, and the packet can be determined not to be a timing-attack packet.
Note that if the generated feature sequence contains a packet serial number of 0, that serial number 0 matches any value in the feature library during feature matching.
For example, if the generated feature sequence is 5, 0, 15, 20, 3 and the temporal feature library holds the feature information 5, 8, 15, 20, 3, the 0 in the feature sequence can be regarded as matching the 8 in the feature information 5, 8, 15, 20, 3, so the feature sequence 5, 0, 15, 20, 3 is considered to have matched corresponding feature information in the preset temporal feature library.
Step 105: handle the packet according to the matching result.
The co-engine of the invention handles the different matching results accordingly. For example:
When the temporal features saved in the temporal feature library are normal-timing features: if the matching result is that a feature corresponding to the feature sequence was found in the library, i.e. the packet is determined not to be a timing-attack packet, the packet can be forwarded in the normal flow; if the matching result is that no feature corresponding to the feature sequence was found in the library, i.e. the packet is determined to be a time-dimension attack packet, the packet can be discarded to avoid the attack.
When the temporal features saved in the temporal feature library are abnormal-timing features: if the matching result is that no feature corresponding to the feature sequence was found in the library, i.e. the packet is determined not to be a timing-attack packet, the packet can be forwarded in the normal flow; otherwise the packet is discarded to avoid the attack.
Further, after a time-dimension attack has been determined and the packet discarded, alarm information can also be sent to the administrator as needed, so that the administrator can take precautions in time.
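Steps 101 to 105 above describe one procedure: a fixed-depth FIFO of packet serial numbers per type identifier, two ways of turning its contents into a feature sequence, a wildcard serial number 0 that matches any library value, and a forward/drop decision that inverts depending on whether the library holds normal or abnormal sequences. The following added example (written for this page; it is not the patent's or H3C's code) implements that procedure end to end with the constants the text gives: queue depth 5, padding value "X", wildcard 0, the type identifiers SIP=1, SAP=2, SSL=3, TCP=4 and the TCP handshake serial numbers SYN=1, SYN ACK=2, ACK=3. The class and function names, and the two TCP libraries NORMAL_TCP and ABNORMAL_TCP, are constructed for the example and are not from the patent.

```python
from collections import deque

QUEUE_DEPTH = 5     # preset arrangeable feature quantity of a temporal feature queue
PAD = "X"           # preset serial number used to pad a short sequence (mode 2)
WILDCARD = 0        # default serial number: matches any library value

TYPE_ID = {"SIP": 1, "SAP": 2, "SSL": 3, "TCP": 4}                   # type identifiers
TCP_SERIAL = {"SYN": 1, "SYN-ACK": 2, "ACK": 3, "DATA": WILDCARD}    # packet serial numbers


class TemporalQueue:
    """First-in first-out queue of packet serial numbers; the 6th push evicts the 1st."""

    def __init__(self, depth=QUEUE_DEPTH):
        self.depth = depth
        self.items = deque(maxlen=depth)

    def push(self, serial):
        self.items.append(serial)

    def sequence(self, pad=True):
        """Feature sequence. pad=False: mode 1, the serial numbers as arranged.
        pad=True: mode 2, left-padded with PAD up to the queue depth."""
        seq = list(self.items)
        if pad and len(seq) < self.depth:
            seq = [PAD] * (self.depth - len(seq)) + seq
        return seq


def matches_feature(seq, feature):
    """True if `feature` occurs as a contiguous run in `seq`; a WILDCARD in
    `seq` matches whatever the library holds at that position."""
    n = len(feature)
    if n == 0 or n > len(seq):
        return False
    return any(all(s == WILDCARD or s == f for s, f in zip(seq[i:i + n], feature))
               for i in range(len(seq) - n + 1))


def verdict(seq, library, kind):
    """Step 105: normal library -> forward on match, drop otherwise;
    abnormal library -> drop on match, forward otherwise."""
    matched = any(matches_feature(seq, f) for f in library)
    if kind == "normal":
        return "forward" if matched else "drop"
    if kind == "abnormal":
        return "drop" if matched else "forward"
    raise ValueError("library kind must be 'normal' or 'abnormal'")


class CoEngine:
    """Steps 101-105 for packets the detection engine has tagged with a type identifier."""

    def __init__(self, library, kind, depth=QUEUE_DEPTH):
        self.library, self.kind, self.depth = library, kind, depth
        self.queues = {}    # one temporal feature queue per key (the type identifier in the text)

    def handle(self, key, serial):
        q = self.queues.setdefault(key, TemporalQueue(self.depth))
        q.push(serial)
        seq = q.sequence(pad=True)
        return verdict(seq, self.library, self.kind), seq


# Constructed libraries for the TCP example (not from the patent).
# NORMAL_TCP lists every depth-5 window of a session that completes the
# handshake and then carries data; the 0 at data positions is matched by the
# wildcard the sequence carries for data packets.
NORMAL_TCP = [
    [PAD, PAD, PAD, PAD, 1],
    [PAD, PAD, PAD, 1, 2],
    [PAD, PAD, 1, 2, 3],
    [PAD, 1, 2, 3, 0],
    [1, 2, 3, 0, 0],
    [2, 3, 0, 0, 0],
    [3, 0, 0, 0, 0],
    [0, 0, 0, 0, 0],
]
# ABNORMAL_TCP: an ACK directly after a SYN with no SYN ACK in between.
ABNORMAL_TCP = [[PAD, PAD, PAD, 1, 3]]


def run_session(behaviours, library=NORMAL_TCP, kind="normal"):
    """Feed TCP behaviour features through one co-engine; returns one verdict per packet."""
    engine = CoEngine(library, kind)
    return [engine.handle(TYPE_ID["TCP"], TCP_SERIAL[b])[0] for b in behaviours]
```

Two points worth noticing when running this. With a normal library every benign window has to be enumerated (NORMAL_TCP needs eight entries for a session of one handshake plus data), otherwise legitimate traffic is dropped, which is why the abnormal-library form is usually the cheaper one to maintain. And the text keys the queue by type identifier only, so packets of concurrent sessions of the same protocol interleave in one queue and can mask or fabricate a sequence; CoEngine takes the key as a parameter so a deployment can key by five-tuple flow instead.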
In conclusion message aggression detection method provided by the invention passes through when received message has type identification The corresponding test serial number of message behavioural characteristic is added in temporal characteristics queue corresponding with type identification, and by temporal characteristics It is matched in preset temporal aspect library in queue by the characteristic sequence that test serial number generates, further to detect the message Whether it is the message of timing attacks, and respective handling is carried out to the attack message detected.It can be seen that the present invention can be examined accurately The message attacked by time dimension is measured, and is correspondingly evaded processing, and then improves the security performance of system.
The present invention also provides a message attack detection device. Fig. 3 is a schematic diagram of the structure of the device, which can be applied to IPS equipment and comprises a determination unit 301, an extraction unit 302, a generation unit 303, a matching unit 304 and a processing unit 305, wherein:
the determination unit 301 is configured to receive a packet carrying a type identifier and determine the temporal feature queue corresponding to the type identifier;
the extraction unit 302 is configured to extract the behaviour feature of the packet and determine the packet serial number corresponding to the behaviour feature;
the generation unit 303 is configured to add the packet serial number to the temporal feature queue and generate a feature sequence;
the matching unit 304 is configured to match the feature sequence against a preset temporal feature library and obtain a matching result;
the processing unit 305 is configured to handle the packet according to the matching result.
Further, the device can also comprise an acquisition unit 306 and a marking unit 307. The acquisition unit 306 is configured to obtain the content feature of the packet and match it against a preset spatial feature library to obtain a matching result. The marking unit 307 is configured to discard the packet when the matching result shows that it is a spatial-dimension attack packet and, when the matching result shows that it is not a spatial-dimension attack packet, to determine the protocol type of the packet and add the type identifier corresponding to that protocol type to the packet.
Further, the generation unit 303 can specifically be configured, when the number of packet serial numbers added to the temporal feature queue is less than the queue's preset feature quantity, to combine a preset specific number with the packet serial numbers in the queue and generate a feature sequence whose number of packet serial numbers equals the feature quantity; or, when the number of packet serial numbers added to the queue equals the queue's preset feature quantity, to generate the feature sequence from the packet serial numbers arranged in the queue.
Further, the processing unit 305 can also be configured, when the temporal features saved in the temporal feature library are normal-timing features, to forward the packet if the matching result is that the library holds a feature matching the feature sequence and otherwise to discard it; or, when the temporal features saved in the library are abnormal-timing features, to forward the packet if the matching result is that the library holds no feature matching the feature sequence and otherwise to discard it.
Further, the extraction unit 302 can specifically be configured, when the packet is determined to be a data packet, to use a preset default serial number as the packet serial number corresponding to the packet's behaviour feature, wherein the default serial number matches any value in the temporal feature library.
The specific processing flow of the message attack detection device applied to the IPS equipment is the same as that of the message attack detection method described above and is not repeated here.
The device can be implemented in software or in hardware. Fig. 4 shows the hardware structure of the network equipment hosting the message attack detection device: the basic hardware environment comprises a CPU, a forwarding chip, memory and other hardware; the memory holds machine-readable instructions, and the CPU reads and executes them to perform the functions of the units in Fig. 3.
As can be seen from the method and device embodiments above, the message attack detection method and device provided by the embodiments of the invention, when a received packet carries a type identifier, add the packet serial number corresponding to the packet's behaviour feature to the temporal feature queue corresponding to that type identifier and match the feature sequence generated from the packet serial numbers in that queue against a preset temporal feature library, so as to further detect whether the packet belongs to a timing attack and to handle a detected attack packet accordingly. The invention can therefore accurately detect packets that attack through the time dimension, handle them accordingly, and thereby improve the security of the system.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (10)

1. A message aggression detection method, applied to intrusion prevention system (IPS) equipment, characterized in that the method comprises:
receiving a message with a type identification, and determining a temporal characteristics queue corresponding to the type identification; wherein the message with the type identification is an attack message of a non-space dimension;
extracting a behavioural characteristic of the message, and determining a test serial number corresponding to the behavioural characteristic;
adding the test serial number to the temporal characteristics queue, and generating a characteristic sequence;
performing matching in a preset temporal feature library according to the characteristic sequence, and obtaining a matching result;
performing corresponding processing on the message according to the matching result.
2. The method according to claim 1, characterized in that, before receiving the message with the type identification, the method further comprises:
obtaining a content characteristic of the message, matching the content characteristic in a preset space characteristics library, and obtaining a matching result;
if the message is determined according to the matching result to be an attack message of the space dimension, discarding the attack message of the space dimension;
if the message is determined according to the matching result to be an attack message of a non-space dimension, determining the protocol type of the message, and adding a type identification corresponding to the protocol type of the message to the message.
3. The method according to claim 1, characterized in that adding the test serial number to the temporal characteristics queue and generating the characteristic sequence specifically comprises:
when the number of test serial numbers added to the temporal characteristics queue is less than a feature quantity preset for the temporal characteristics queue, combining a preset specific number with the test serial numbers in the temporal characteristics queue to generate a characteristic sequence whose number of test serial numbers equals the feature quantity; or,
when the number of test serial numbers added to the temporal characteristics queue equals the feature quantity preset for the temporal characteristics queue, generating the characteristic sequence from the test serial numbers as arranged in the temporal characteristics queue.
4. The method according to claim 1, characterized in that performing corresponding processing on the message according to the matching result specifically comprises:
when the temporal features saved in the temporal feature library are temporal features of normal timing, if the matching result is that the temporal feature library contains a feature matching the characteristic sequence, forwarding the message, and otherwise discarding the message; or,
when the temporal features saved in the temporal feature library are temporal features of abnormal timing, if the matching result is that the temporal feature library contains no feature matching the characteristic sequence, forwarding the message, and otherwise discarding the message.
5. The method according to claim 1, characterized in that extracting the behavioural characteristic of the message and determining the test serial number corresponding to the behavioural characteristic specifically comprises:
if the message is determined to be a data message, using a default serial number as the test serial number corresponding to the behavioural characteristic of the message, wherein the default serial number can match any value in the temporal feature library.
6. A message aggression detection device, applied to IPS equipment, characterized in that the device comprises:
a determination unit, for receiving a message with a type identification and determining a temporal characteristics queue corresponding to the type identification; wherein the message with the type identification is an attack message of a non-space dimension;
an extraction unit, for extracting a behavioural characteristic of the message and determining a test serial number corresponding to the behavioural characteristic;
a generation unit, for adding the test serial number to the temporal characteristics queue and generating a characteristic sequence;
a matching unit, for performing matching in a preset temporal feature library according to the characteristic sequence and obtaining a matching result;
a processing unit, for performing corresponding processing on the message according to the matching result.
7. The device according to claim 6, characterized in that the device further comprises:
an acquiring unit, for obtaining a content characteristic of the message, matching the content characteristic in a preset space characteristics library, and obtaining a matching result;
an identifying unit, for discarding the attack message of the space dimension when the message is determined according to the matching result to be an attack message of the space dimension; and, when the message is determined according to the matching result to be an attack message of a non-space dimension, for determining the protocol type of the message and adding a type identification corresponding to the protocol type of the message to the message.
8. The device according to claim 6, characterized in that the generation unit is specifically used for:
when the number of test serial numbers added to the temporal characteristics queue is less than a feature quantity preset for the temporal characteristics queue, combining a preset specific number with the test serial numbers in the temporal characteristics queue to generate a characteristic sequence whose number of test serial numbers equals the feature quantity; or,
when the number of test serial numbers added to the temporal characteristics queue equals the feature quantity preset for the temporal characteristics queue, generating the characteristic sequence from the test serial numbers as arranged in the temporal characteristics queue.
9. The device according to claim 6, characterized in that the processing unit is specifically used for:
when the temporal features saved in the temporal feature library are temporal features of normal timing, if the matching result is that the temporal feature library contains a feature matching the characteristic sequence, forwarding the message, and otherwise discarding the message; or,
when the temporal features saved in the temporal feature library are temporal features of abnormal timing, if the matching result is that the temporal feature library contains no feature matching the characteristic sequence, forwarding the message, and otherwise discarding the message.
10. The device according to claim 6, characterized in that the extraction unit is specifically used for:
if the message is determined to be a data message, using a default serial number as the test serial number corresponding to the behavioural characteristic of the message, wherein the default serial number can match any value in the temporal feature library.
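The following Python is an added illustration of the flow described for units 302, 303 and 305 above and in claims 1, 3, 4 and 5; it is not code from the patent or its assignee. Everything concrete in it is constructed: the feature quantity of 4, the preset specific number -1 used for padding, the default serial number 0 for data messages, the behaviour-to-serial-number table for a hypothetical four-step protocol, the "proto-A"/"proto-B" type identifications, and the choice to place the padding number in the oldest queue positions. The wildcard rule of claim 5 is implemented as a position-wise comparison in which the default serial number in the incoming sequence matches any library value.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed parameters (assumptions; the patent fixes none of these values).
FEATURE_QUANTITY = 4     # preset feature quantity of a temporal characteristics queue
PAD_NUMBER = -1          # preset specific number combined with a not-yet-full queue
DEFAULT_SERIAL = 0       # default serial number for data messages; matches any library value

# Constructed table: behavioural characteristic -> test serial number (hypothetical protocol).
BEHAVIOUR_SERIALS: Dict[str, int] = {"open": 1, "open_ack": 2, "keepalive": 3, "close": 4}

Serials = Tuple[int, ...]


@dataclass
class Message:
    type_id: str    # type identification attached after the space-dimension check (claim 2)
    behaviour: str  # behavioural characteristic: a key of BEHAVIOUR_SERIALS or "data"


def extract_serial(msg: Message) -> int:
    """Extraction unit (claims 1 and 5): data messages get the wildcard default serial number."""
    if msg.behaviour == "data":
        return DEFAULT_SERIAL
    return BEHAVIOUR_SERIALS[msg.behaviour]


class TemporalQueue:
    """One temporal characteristics queue; the detector keeps one per type identification."""

    def __init__(self, feature_quantity: int = FEATURE_QUANTITY) -> None:
        self.feature_quantity = feature_quantity
        # Once full, the oldest serial number falls out as a new one is added.
        self.serials: Deque[int] = deque(maxlen=feature_quantity)

    def add(self, serial: int) -> None:
        self.serials.append(serial)

    def characteristic_sequence(self) -> Serials:
        """Generation unit (claim 3): pad with PAD_NUMBER until the queue is full, then
        use the serial numbers as arranged. Front padding is an assumption of this example."""
        missing = self.feature_quantity - len(self.serials)
        return (PAD_NUMBER,) * missing + tuple(self.serials)


def sequence_matches(seq: Serials, library_seq: Serials) -> bool:
    """Position-wise match; DEFAULT_SERIAL in the incoming sequence matches any library value."""
    return len(seq) == len(library_seq) and all(
        a == DEFAULT_SERIAL or a == b for a, b in zip(seq, library_seq)
    )


class TemporalLibrary:
    """Preset temporal feature library holding either normal or abnormal timing features."""

    def __init__(self, sequences: Iterable[Serials], kind: str) -> None:
        if kind not in ("normal", "abnormal"):
            raise ValueError("kind must be 'normal' or 'abnormal'")
        self.kind = kind
        self.sequences = [tuple(s) for s in sequences]

    def has_match(self, seq: Serials) -> bool:
        return any(sequence_matches(seq, s) for s in self.sequences)


class MessageAttackDetector:
    """Determination, extraction, generation, matching and processing units wired together."""

    def __init__(self, library: TemporalLibrary) -> None:
        self.library = library
        self.queues: Dict[str, TemporalQueue] = {}

    def handle(self, msg: Message) -> str:
        queue = self.queues.setdefault(msg.type_id, TemporalQueue())       # determination unit
        queue.add(extract_serial(msg))                                      # extraction + generation
        matched = self.library.has_match(queue.characteristic_sequence())   # matching unit
        if self.library.kind == "normal":                                   # processing unit (claim 4)
            return "forward" if matched else "drop"
        return "drop" if matched else "forward"


# Constructed normal-timing library for the hypothetical protocol open -> open_ack ->
# keepalive -> close; padded prefixes are included so a session's first messages match.
NORMAL_LIBRARY = TemporalLibrary(
    [(-1, -1, -1, 1), (-1, -1, 1, 2), (-1, 1, 2, 3), (1, 2, 3, 4)], kind="normal"
)
# Constructed abnormal-timing library: four "open" messages in a row with no reply in between.
ABNORMAL_LIBRARY = TemporalLibrary([(1, 1, 1, 1)], kind="abnormal")


def run_demo() -> Tuple[List[str], List[str]]:
    """Feeds constructed message streams through both library modes and returns the decisions."""
    normal = MessageAttackDetector(NORMAL_LIBRARY)
    session = [Message("proto-A", b) for b in ("open", "open_ack", "data", "close")]
    decisions_normal = [normal.handle(m) for m in session]
    # A reply arriving before any open: no normal timing feature matches, so it is dropped.
    decisions_normal.append(normal.handle(Message("proto-B", "open_ack")))

    abnormal = MessageAttackDetector(ABNORMAL_LIBRARY)
    decisions_abnormal = [abnormal.handle(Message("proto-A", "open")) for _ in range(4)]
    return decisions_normal, decisions_abnormal


if __name__ == "__main__":
    print(run_demo())
```

Two points the code makes visible: the default serial number matches any value but still occupies a queue position, so a data message shifts the window, and a normal-timing library therefore has to contain the sequences that arise when data messages interleave with control messages (here the data message lands where the library expects a keepalive and is accepted by the wildcard rule); and in normal-timing mode a message is dropped whenever its sequence is unknown, so the library must also hold the padded prefixes a new session produces, otherwise the first messages of every flow would be discarded.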
CN201510519724.1A 2015-08-21 2015-08-21 Message aggression detection method and device Active CN105592044B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510519724.1A CN105592044B (en) 2015-08-21 2015-08-21 Message aggression detection method and device

Publications (2)

Publication Number Publication Date
CN105592044A CN105592044A (en) 2016-05-18
CN105592044B true CN105592044B (en) 2019-05-07

Family

ID=55931261

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510519724.1A Active CN105592044B (en) 2015-08-21 2015-08-21 Message aggression detection method and device

Country Status (1)

Country Link
CN (1) CN105592044B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888540B (en) * 2016-09-29 2020-12-25 华为技术有限公司 Network anti-attack method and network equipment
CN106961393B (en) * 2017-03-06 2020-11-27 北京安博通科技股份有限公司 Detection method and device for UDP (user Datagram protocol) message in network session
CN106911724B (en) * 2017-04-27 2020-03-06 杭州迪普科技股份有限公司 Message processing method and device
CN107426285B (en) * 2017-05-19 2022-11-25 北京智联安行科技有限公司 Vehicle-mounted CAN bus safety protection method and device
CN109246027B (en) * 2018-09-19 2022-02-15 腾讯科技(深圳)有限公司 Network maintenance method and device and terminal equipment
CN111490992B (en) * 2020-04-11 2021-01-22 江苏政采数据科技有限公司 Intrusion detection method and device based on data flow detection and time sequence feature extraction
CN112351002B (en) * 2020-10-21 2022-04-26 新华三信息安全技术有限公司 Message detection method, device and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7181768B1 (en) * 1999-10-28 2007-02-20 Cigital Computer intrusion detection system and method based on application monitoring
CN101034974A (en) * 2007-03-29 2007-09-12 北京启明星辰信息技术有限公司 Associative attack analysis and detection method and device based on the time sequence and event sequence
CN101388885A (en) * 2008-07-23 2009-03-18 成都市华为赛门铁克科技有限公司 Detection method and system for distributed denial of service
CN101547129A (en) * 2009-05-05 2009-09-30 中国科学院计算技术研究所 Method and system for detecting distributed denial of service attack
CN101572691A (en) * 2008-04-30 2009-11-04 华为技术有限公司 Method, system and device for intrusion detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant