CN105812200B - Anomaly detection method and device - Google Patents
Anomaly detection method and device
- Publication number: CN105812200B (application CN201410854233.8A)
- Authority: CN (China)
- Prior art keywords: data, abnormal, unit, abnormal behaviour, network
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
Embodiments of the invention disclose an anomaly detection method and device. The method includes: establishing an abnormal behaviour pattern library by testing the business system; collecting the data currently transmitted in the network and, by a configured analysis algorithm, comparing the collected data with the data in the abnormal behaviour pattern library to judge whether the collected data is abnormal data; when the collected data is determined to be abnormal data, recording the abnormal data; and when recorded abnormal data of a certain type exceeds a set threshold, outputting warning information for the abnormal data that exceeds the set threshold.
Description
Technical field
The present invention relates to network data detection technology, and in particular to an anomaly detection method and device.
Background technique
Intrusion detection detects intrusion behaviour in a network. By collecting and analysing network behaviour, security logs, audit data, other information available on the network and information from several key points in a computer system, it checks whether the network or system shows signs of behaviour that violates the security policy or of being attacked. Currently, network traffic data is collected and analysed statistically: a normal traffic model is built from features such as the time series and the traffic change patterns, a normal-rule threshold is set, and once the network traffic is found to deviate from the normal curve by more than the threshold, an anomaly is assumed. Alternatively, the logs of hosts and network devices are collected, analysed statistically and audited; from the time series and the normal business access pattern, a whitelist of normal log content and change patterns, or a normal business behaviour model, is compiled, and once log content appears that the whitelist does not include or that does not match the normal business behaviour model, it is identified as an anomaly.
In current intrusion detection the data sources are mainly network traffic and system logs. The shortcoming is that such data can only reflect historical patterns and cannot truly fit the actual business. For example, once certain anomalies are found, the reason is usually just that they do not match the normal model; what relationship they have with the business, and which aspect of the business they affect, cannot be shown. In addition, a normal model built from time series will inevitably produce false positives when it meets burst-type or random-pattern business, and where the business logic is especially complex and the attack technique very covert, it is likely to produce false negatives.
Summary of the invention
To solve the above technical problems, embodiments of the invention provide an anomaly detection method and device which collect business-related data and, using the reverse-derivation approach of security attack and defence, locate the occurrence of abnormal behaviour by detecting changes in the related data.
The technical solution of the embodiments of the invention is achieved as follows:
An anomaly detection method, in which an abnormal behaviour pattern library is established by testing the business system; the method includes:
Collecting the data currently transmitted in the network and, by the configured analysis algorithm, comparing the collected data with the data in the abnormal behaviour pattern library to judge whether the collected data is abnormal data;
When the collected data is determined to be abnormal data, recording the abnormal data;
When recorded abnormal data of a certain type exceeds a set threshold, outputting warning information for the abnormal data that exceeds the set threshold.
Preferably, testing the business system includes:
Sending test attack messages to a test port and recording the changes of related data at least at the network level, data level, system level and business level.
Preferably, establishing the abnormal behaviour pattern library includes:
Carrying out security tests on the business system in the network and recording the data changes of the business system;
According to a preset security behaviour hierarchical model, establishing the correspondence between the data and the data change patterns;
Sorting the data into layers according to the security behaviour hierarchical model, then setting correlating factors for the layered data, the correlating factors associating the data of each layer to form the abnormal behaviour pattern library.
Preferably, comparing the collected data with the data in the abnormal behaviour pattern library by the configured analysis algorithm and judging whether the collected data is abnormal data includes:
Determining the risk value R of the collected data by the following formula:
Where i ranges from 1 to n, and n is the total number of layers in the security behaviour hierarchical model;
Po(i) ∈ [0,1], where Po(i) denotes the abnormal behaviour certainty index of the i-th layer, determined by the frequency f and the behaviour matching degree c;
In(i) ∈ [0,1], where In(i) denotes the abnormal behaviour influence index of the i-th layer, determined by the quantity q and the behaviour matching degree c;
If layer i can be associated with other layers through a relation factor, k=1, otherwise k=0;
Collected data whose risk value R is greater than the set threshold is determined to be abnormal data.
An anomaly detection device, including an establishing unit, a collecting unit, a first judging unit, a recording unit, a second judging unit and an output unit, where:
the establishing unit is configured to establish the abnormal behaviour pattern library by testing the business system;
the collecting unit is configured to collect the data currently transmitted in the network;
the first judging unit is configured to compare, by the configured analysis algorithm, the collected data with the data in the abnormal behaviour pattern library and judge whether the collected data is abnormal data, and to trigger the recording unit when the collected data is determined to be abnormal data;
the recording unit is configured to record the abnormal data;
the second judging unit is configured to judge whether the recorded abnormal data of a certain type recorded by the recording unit exceeds the set threshold, and to trigger the output unit when it does;
the output unit is configured to output the warning information for the abnormal data exceeding the set threshold.
Preferably, the establishing unit is further configured to send test attack messages to a test port and to record the changes of related data at least at the network level, data level, system level and business level.
Preferably, the establishing unit is further configured to carry out security tests on the business system in the network and record the data changes of the business system; to establish, according to a preset security behaviour hierarchical model, the correspondence between the data and the data change patterns; and to sort the data into layers according to the security behaviour hierarchical model and then set correlating factors for the layered data, the correlating factors associating the data of each layer to form the abnormal behaviour pattern library.
Preferably, the first judging unit is further configured to determine the risk value R of the collected data by the following formula:
Where i ranges from 1 to n, and n is the total number of layers in the security behaviour hierarchical model;
Po(i) ∈ [0,1], where Po(i) denotes the abnormal behaviour certainty index of the i-th layer, determined by the frequency f and the behaviour matching degree c;
In(i) ∈ [0,1], where In(i) denotes the abnormal behaviour influence index of the i-th layer, determined by the quantity q and the behaviour matching degree c;
If layer i can be associated with other layers through a relation factor, k=1, otherwise k=0;
Collected data whose risk value R is greater than the set threshold is determined to be abnormal data.
In the embodiments of the invention, the data currently transmitted in the network is first collected and compared, by the configured analysis algorithm, with the data in the abnormal behaviour pattern library to judge whether it is abnormal data; when the collected data is determined to be abnormal data, it is recorded; and when recorded abnormal data of a certain type exceeds a set threshold, warning information for that abnormal data is output. By collecting a variety of business-related data and using the reverse-derivation approach of security attack and defence, the embodiments truly fit the characteristics of the business and can accurately locate the occurrence of abnormal behaviour by detecting changes in the related data. Because they are closely fitted to the business, they can truly reflect the specific influence of an attack on the business and can therefore effectively detect advanced persistent threats to the business. The embodiments are applicable to all types of network services, especially telecommunications and mobile Internet services.
Description of the drawings
Fig. 1 is a flow chart of the anomaly detection method of an embodiment of the invention;
Fig. 2 is a schematic diagram of the business model of the anomaly detection method of an embodiment of the invention;
Fig. 3 is a schematic diagram of the generation of the abnormal behaviour pattern library of an embodiment of the invention;
Fig. 4 is a schematic diagram of the structure of the anomaly detection device of an embodiment of the invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is further described below through embodiments and with reference to the accompanying drawings.
Fig. 1 is a flow chart of the anomaly detection method of an embodiment of the invention. As shown in Fig. 1, the anomaly detection method of this example includes the following steps:
Step 101: establish an abnormal behaviour pattern library by testing the business system.
In the embodiments of the invention, the abnormal behaviour pattern library is established by carrying out relevant tests on the business system in the network. Here a business is a carrier that provides a service to users; for a telecom operator, for example, SMS is one of its main businesses. This business does not exist on its own: it must rely on the telecommunications network and the SMS system before it can serve users. Likewise MMS, WLAN, WAP, DNS and so on are all different businesses.
In the embodiments, establishing the abnormal behaviour pattern library includes testing the business system, namely sending test attack messages to a test port and recording the changes of related data at least at the network level, data level, system level and business level;
Carrying out security tests on the business system in the network and recording the data changes of the business system;
According to a preset security behaviour hierarchical model, establishing the correspondence between the data and the data change patterns;
Sorting the data into layers according to the security behaviour hierarchical model, then setting correlating factors for the layered data, the correlating factors associating the data of each layer to form the abnormal behaviour pattern library.
Step 102: collect the data currently transmitted in the network and, by the configured analysis algorithm, compare the collected data with the data in the abnormal behaviour pattern library to judge whether the collected data is abnormal data.
In the embodiments of the invention, the risk value R of the collected data can be determined by the following formula:
Where i ranges from 1 to n, and n is the total number of layers in the security behaviour hierarchical model;
Po(i) ∈ [0,1], where Po(i) denotes the abnormal behaviour certainty index of the i-th layer, determined by the frequency f and the behaviour matching degree c;
In(i) ∈ [0,1], where In(i) denotes the abnormal behaviour influence index of the i-th layer, determined by the quantity q and the behaviour matching degree c;
If layer i can be associated with other layers through a relation factor, k=1, otherwise k=0;
Collected data whose risk value R is greater than the set threshold is determined to be abnormal data.
Step 103: when the collected data is determined to be abnormal data, record the abnormal data.
In the embodiments of the invention, when the collected data is determined to be abnormal data, that abnormal data is recorded.
Step 104: when recorded abnormal data of a certain type exceeds the set threshold, output warning information for the abnormal data exceeding the set threshold.
After abnormal data of a certain type has been counted beyond the predetermined quantity, such data is output as abnormal data and the user is notified to take corresponding precautions.
The essence of the technical solution of the embodiments of the invention is further explained below through a specific example.
Fig. 2 is a schematic diagram of the business model of the anomaly detection method of an embodiment of the invention. The business model in the figure is designed according to the terminal-pipe-cloud architecture of the mobile Internet; mobile communication networks and the Internet currently conform to this model. The anomaly detection system consists of four modules, whose functions are briefly described below:
Collection module: connected to the network management system, it collects data from the network management system and from the business servers respectively. Viewed from the layering of network and business, the data comprises network security data, data security data, system security data, application security data and business security data.
For example, raw network traffic is generally collected by optical splitting or port mirroring. Optical splitting means installing an optical splitter in the network link to physically split the light, extracting a weaker copy as a bypass for analysis; mirroring means configuring the switch to copy all traffic of port A to port B, so that an analysis system connected to port B can analyse the relevant traffic. Device logs are generally collected via syslog. Syslog, also called the system log or system record, is a standard for transmitting log messages over an Internet Protocol (TCP/IP) network. Proprietary data inside a system is generally collected by remote login, such as telnet or SSH: a script simulates maintenance staff logging in to the system and executing a preset series of commands, thereby obtaining the system's output.
Abnormal behaviour analysis module: compares the data from the collection module with the data in the abnormal behaviour pattern library and, by calculation with the analysis algorithm, analyses whether abnormal behaviour exists.
Abnormal behaviour pattern library: a pattern library established by a series of methods, containing a series of behaviour description data; once certain behaviours match the related data, the pattern of a certain abnormal behaviour has been met.
Display and alarm module: for the results of the abnormal behaviour analysis module, displays the analysis results that exceed the threshold and sends alarms.
Fig. 3 is a schematic diagram of the generation of the abnormal behaviour pattern library of an embodiment of the invention. As shown in Fig. 3, the following describes how the invention establishes the abnormal behaviour pattern library:
1. Carry out security tests on the business system in various ways. The ways include, but are not limited to: security assessment, penetration testing, the investigation results of security incidents that have occurred, security operations experience, security emergency drills, and security attacks that analysis shows may occur in the business system.
Take SYN Flood, a fairly common DDoS attack, as the test example:
A uses network techniques to send a large number of TCP connection requests (SYN) to port 80 of B, but after receiving B's acknowledgements (SYN+ACK) does not send the final acknowledgement (ACK) back. This is in fact a SYN Flood attack test launched against B. Because B cannot receive the ACK messages, half-open connections occur, and a large number of half-open connections consume many of B's resources, so that it cannot provide stable service.
Logging in to system B and checking the network connection state with the netstat command shows a large number of SYN_RECEIVED half-open connections, as the figure below shows. When there is no attack, the relevant connections are all in the LISTEN or ESTABLISHED state; it can therefore be said that the attack causes an obvious change in the network connection state.
With this, one security test is completed. This test lets the security manager judge that a SYN Flood attack event has occurred when a large number of SYN_RECEIVED half-open connections appear on a host.
This test case is fairly simple, so it illustrates clearly how the occurrence of abnormal behaviour is judged from changes in critical data. For more complex security anomalies or attacks, however, inferring a possible attack simply from the change of one kind of critical data produces many false positives. Such complex abnormal behaviour usually causes a series of data changes with various correlations between them, and only after all the changed data has been associated according to the logic of the attack can the accuracy of anomaly detection be greatly improved.
2. Observe and record the changes of the critical data of the business system.
A business is a carrier that provides a service to users; for a telecom operator, for example, SMS is one of its main businesses. This business does not exist on its own: it must rely on the telecommunications network and the SMS system before it can serve users. Likewise MMS, WLAN, WAP, DNS and so on are different businesses.
The principle for selecting these data is: select the data related to the CIA properties (confidentiality, integrity, availability) of the core business, including all related data at the network, data, system, application and business layers.
The changes here mainly mean anomalous changes in the system, such as unauthorised changes, fluctuations beyond the normal amplitude, and changes that match known problems or risks.
3. Based on the changes of the critical data actually measured, and in combination with the security behaviour hierarchical model, establish the full set of critical data and their detailed change patterns.
Take a more complex business-layer security incident as the example, namely malicious subscription based on the WAP system. In this attack, an attacker, without authorisation, subscribes other users to certain services so that the providers of those services gain commercial benefit, from which the attacker takes a cut, forming a chain of interests.
When this attack occurs, a series of critical data changes can be found:
(1) Network level
Checking with the command netstat -an | grep LISTEN shows that the number of ports in the LISTEN state has increased significantly, from just over ten before to more than 30. The IP address connected to this host is found to be 192.168.100.100 throughout. A sample of the returned output is as follows:
(2) Data level
Checking the configuration file with more passwd shows one more account, hack, than in the account information before. The data sample is as follows:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
hack:x:2:2:daemon:/sbin:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
Checking with more syslog.conf shows that the line for the user login auth log has been cancelled. The data sample is as follows:
*.notice;*.err;*.warn   /usr/adm/syserr.log
*.debug                 /usr/adm/syslog
*.info                  /usr/spool/mqueue/sys.log
#auth.*                 /usr/adm/security
(3) System level
The history command shows that the number of operation log entries has decreased compared with before. The last local log entry before the decrease is vi bash_history, operator hack.
(4) Application level
The content of tomcat's tomcat-users.conf has been changed, operator hack.
The access_log of the tomcat service shows an abnormal file upload operation.
(5) Business level
The command connect localhost:8080 shows that port 8080 on the system host is open and can be used to call the business processing command connect, a change from before, when it could not be called.
The command md5sum wapgateway.jar shows that the md5 value of the key business program has changed, indicating that the file has been tampered with or replaced.
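The data-level findings above (an extra account in passwd and the auth line cancelled in syslog.conf) can be checked mechanically against a known-good baseline. The following is an added example, not code from the patent; the baseline and observed file contents are constructed from the page's samples, and the function names are this example's own.

```python
"""Baseline comparison for the data-level changes in the walkthrough: an extra
account in passwd and the auth selector cancelled in syslog.conf.
File contents below are constructed from the lines quoted on the page."""
from collections import defaultdict

# Constructed baseline: account file before the incident (no "hack" account).
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
"""

# Constructed observation: the page's sample, "hack" cloned from the daemon line.
PASSWD_OBSERVED = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
hack:x:2:2:daemon:/sbin:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
"""

# Constructed syslog.conf before and after: the dedicated auth line is commented out.
SYSLOG_BASELINE = """\
*.notice;*.err;*.warn   /usr/adm/syserr.log
*.debug                 /usr/adm/syslog
*.info                  /usr/spool/mqueue/sys.log
auth.*                  /usr/adm/security
"""
SYSLOG_OBSERVED = """\
*.notice;*.err;*.warn   /usr/adm/syserr.log
*.debug                 /usr/adm/syslog
*.info                  /usr/spool/mqueue/sys.log
#auth.*                 /usr/adm/security
"""


def parse_passwd(text):
    """Parse passwd records into dicts; a malformed record is an error, not skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def passwd_findings(baseline_text, observed_text):
    """Compare observed passwd with the baseline: accounts absent from the baseline,
    UIDs shared by several accounts (the page's hack entry reuses daemon's UID 2),
    and any new UID-0 account."""
    baseline = {e["name"] for e in parse_passwd(baseline_text)}
    observed = parse_passwd(observed_text)
    by_uid = defaultdict(list)
    for e in observed:
        by_uid[e["uid"]].append(e["name"])
    return {
        "new_accounts": sorted(e["name"] for e in observed if e["name"] not in baseline),
        "shared_uids": {uid: names for uid, names in by_uid.items() if len(names) > 1},
        "new_uid0": sorted(e["name"] for e in observed
                           if e["uid"] == 0 and e["name"] not in baseline),
    }


def dedicated_auth_log_present(syslog_conf):
    """True if an uncommented selector names the auth (or authpriv) facility.
    Wildcard selectors such as *.debug are deliberately not counted: the check
    mirrors the page's observation that the specific auth.* line was cancelled."""
    for line in syslog_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        selector = stripped.split()[0]
        facilities = {part.split(".", 1)[0] for part in selector.split(";")}
        if facilities & {"auth", "authpriv"}:
            return True
    return False


def data_level_findings(passwd_base, passwd_obs, syslog_base, syslog_obs):
    """Findings for the data level, phrased for the later correlation step."""
    findings = []
    pw = passwd_findings(passwd_base, passwd_obs)
    for name in pw["new_accounts"]:
        findings.append(f"passwd: account '{name}' not in baseline")
    for uid, names in pw["shared_uids"].items():
        findings.append(f"passwd: UID {uid} shared by {', '.join(names)}")
    if dedicated_auth_log_present(syslog_base) and not dedicated_auth_log_present(syslog_obs):
        findings.append("syslog.conf: dedicated auth log selector was disabled")
    return findings


if __name__ == "__main__":
    for finding in data_level_findings(PASSWD_BASELINE, PASSWD_OBSERVED,
                                       SYSLOG_BASELINE, SYSLOG_OBSERVED):
        print(finding)
```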
4. Sort all critical data into layers according to the security behaviour hierarchical model, then set correlating factors to associate the content of each level.
A single data change has very many possible causes, so it cannot be judged from a single data change alone that a certain security attack has occurred; doing so would lead to a large number of false positives. All changes therefore need to be associated according to the different levels: the more levels that are associated and matched, the stronger the accuracy of the judgement.
For the example shown in step 3 above, association by IP address and by account respectively gives:
(1) From the network level it can be found that the IP address 192.168.100.100 caused the network connection anomaly.
(2) From the system level the login log of the IP address 192.168.100.100 can be found; the login account is hack.
(3) From the data level it can be found that the account hack modified the system log configuration file.
(4) From the application level it can be found that the account hack modified tomcat's application configuration so that the application can upload script files from the client; the application layer further shows that a user exploited this security problem and uploaded an abnormal trojan script.
(5) From the business level it is found that the account hack opened port 8080 and modified the key business program.
In summary, associating the series of critical data changes by IP and by account name fully conforms to the series of changes caused by a malicious subscription security incident, so it can be accurately judged on the whole that the abnormal behaviour of malicious subscription has really occurred.
Security behaviour hierarchical model: a hierarchical division model that can cover all data relevant to business security, including but not limited to the five levels of network, data, system, application and business.
5. Integrate and sort all data, layer it, and confirm the correlating factors to form the abnormal behaviour pattern library, as shown in the figure above. The abnormal behaviour pattern library is made up of three parts: the security behaviour hierarchical model, the critical data change patterns and the correlating factors.
(1) Integration
The emphasis of this step is integration. Because there are many types of security attack, a large number of tests need to be made within the known range and combined with the investigations of security incidents that have occurred before, to integrate a full set of critical data.
For example, for the malicious subscription example above, the following need to be integrated: network connection data (netstat), system account configuration data (passwd), system log configuration data (syslog.conf), system operation log data (history), application configuration data (tomcat-users.conf), application access log data (access_log), specific business port data (connect 8080) and key business processing program data (md5sum wapgateway.jar).
Integrating these data forms the full data set for the malicious subscription kind of security attack; correspondingly, other attacks are handled in the same way but form different data sets.
(2) Layering
According to the model of the abnormal behaviour pattern library and the characteristics of each kind of critical data, the data integrated in the previous step is classified by level:
Network layer: network connection data (netstat)
Data layer: system account configuration data (passwd), system log configuration data (syslog.conf)
System layer: system operation log data (history)
Application layer: application configuration data (tomcat-users.conf), application access log data (access_log)
Business layer: specific business port data (connect 8080), key business processing program data (md5sum wapgateway.jar)
(3) Confirmation of correlating factors
Network layer: IP address and port number
Data layer: account name
System layer: IP address and account name
Application layer: account name
Business layer: account name
In this way, for each security attack there is a series of critical data change features at different levels that can be associated, so that abnormal security behaviour can be detected very accurately. All known detection methods are gathered together to form the abnormal behaviour pattern library. Each row of the library is a description of a certain critical data change feature at a certain level: it reflects the anomalous change of that critical data at that level during a security attack, and also states by which factor it can be associated with other levels. In the actual anomaly detection process, once the real-time detection data has matched different features at different levels simultaneously, a specific detection result can be calculated according to the correlating factors.
The security behaviour hierarchical model above is only the best practice summarised so far; more levels, such as a terminal level or a wireless level, can be added as circumstances require. Similarly, the critical data chosen for the critical data change patterns is not limited to those above and should be increased or reduced as circumstances require.
According to the above processing, an example of an abnormal behaviour pattern library is formed, as shown in Table 1 below:
Table 1
Table 1 describes two abnormal behaviours, from the network level and the system level respectively, giving the features, form and judgement criteria of each abnormal behaviour. In fact both abnormal behaviours are designed around the business as the core: for example, the business does not need remote access to the intranet for maintenance, and the business does not need, and could not have, maintenance operations lasting more than 2 hours.
In the embodiments of the invention, the abnormal behaviour analysis module monitors the critical data collected by the collection module in real time; once a change that matches the abnormal behaviour pattern library is found, it is analysed and judged accordingly, and an alarm is raised where the risk value is higher than the threshold.
The principle of the risk value calculation is as follows:
Risk (R) = Possibility (P) * Influence (I) * Relevance (Re)
Calculation formula:
n denotes the total number of layers in the security behaviour hierarchical model; i denotes a specific layer, taking values from 1 to n; where:
Po(i) ∈ [0,1] denotes the abnormal behaviour certainty index of the i-th layer, determined by the frequency f and the behaviour matching degree c. The meaning is that the deeper the layer, the greater the possibility that the business is actually affected (if the business has been affected, the key risk has occurred, whereas the network layer being affected does not necessarily mean the core business is affected); the higher the frequency and the higher the matching degree, the greater the possibility.
In(i) ∈ [0,1] denotes the abnormal behaviour influence index of the i-th layer, determined by the quantity q and the specific behaviour matching degree c. The meaning is that the shallower the layer, the larger the scope of influence (for example the network layer may affect multiple systems); the larger the overall quantity and the higher the matching degree, the greater the influence.
If layer i is associated with other layers through the corresponding relation factor, k=1, otherwise k=0. Therefore, the more associations with other levels, the higher the overall risk.
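The cross-layer association of step 4, the layered library with correlating factors of step 5 and the risk principle R = P * I * Re above can be exercised together on the walkthrough's observations. This is an added example, not the patent's code: the layer order, correlating factors and sample observations follow the page, while the concrete Po(i), In(i) and per-layer aggregation formulas, the reference values f_ref and q_ref, and all function names are assumptions of this example (the page states the principle but its formula image is not reproduced).

```python
"""Cross-layer correlation and risk value for the layered pattern library.

Layer order, correlating factors and sample observations follow the page's
malicious-subscription walkthrough. The concrete Po(i), In(i) and aggregation
formulas are assumptions of this example: the page states R = P * I * Re and
the roles of f, c, q and k, but not the formula itself."""
from dataclasses import dataclass, field

# Security behaviour hierarchical model, shallowest (i = 1) to deepest (i = n).
LAYERS = ["network", "data", "system", "application", "business"]
N = len(LAYERS)

# Correlating factors per layer, as listed under "Confirmation of correlating factors".
FACTORS = {
    "network": ("ip", "port"),
    "data": ("account",),
    "system": ("ip", "account"),
    "application": ("account",),
    "business": ("account",),
}


@dataclass
class Observation:
    layer: str      # one of LAYERS
    pattern: str    # which critical-data change matched a library row
    c: float        # behaviour matching degree, in [0, 1]
    f: int          # frequency: times the change was seen in the window
    q: int          # quantity: distinct hosts or entities affected
    attrs: dict = field(default_factory=dict)   # correlating-factor values


# Constructed from the page's walkthrough: one source IP, one account "hack".
SAMPLE = [
    Observation("network", "listen_ports_surge", 0.9, 1, 1, {"ip": "192.168.100.100"}),
    Observation("system", "remote_login", 0.8, 3, 1, {"ip": "192.168.100.100", "account": "hack"}),
    Observation("data", "passwd_new_account", 1.0, 1, 1, {"account": "hack"}),
    Observation("data", "syslog_auth_disabled", 1.0, 1, 1, {"account": "hack"}),
    Observation("application", "tomcat_users_changed", 0.9, 1, 1, {"account": "hack"}),
    Observation("business", "port_8080_opened", 0.8, 1, 1, {"account": "hack"}),
    Observation("business", "jar_digest_changed", 1.0, 1, 1, {"account": "hack"}),
]


def associated(a, b):
    """Two observations in different layers are associated when they share a
    value on a correlating factor that both layers use (network and system
    share "ip"; data and system share "account")."""
    if a.layer == b.layer:
        return False
    shared = set(FACTORS[a.layer]) & set(FACTORS[b.layer])
    return any(a.attrs.get(key) is not None and a.attrs.get(key) == b.attrs.get(key)
               for key in shared)


def risk_value(observations, f_ref=3, q_ref=3):
    """Assumed instantiation of R = P * I * Re, summed over the layers present.

    Po(i) rises with depth, f and c; In(i) rises with shallowness, q and c;
    k(i) = 1 doubles a layer that is associated with another layer through a
    correlating factor. Returns (R, per-layer details)."""
    groups = {}
    for o in observations:
        groups.setdefault(LAYERS.index(o.layer) + 1, []).append(o)
    total, details = 0.0, {}
    for i, items in sorted(groups.items()):
        c = max(o.c for o in items)
        f = sum(o.f for o in items)
        q = max(o.q for o in items)
        po = min(1.0, f / f_ref) * c * (i / N)
        infl = min(1.0, q / q_ref) * c * ((N - i + 1) / N)
        k = 1 if any(associated(a, b) for a in items for b in observations) else 0
        total += po * infl * (1 + k)
        details[LAYERS[i - 1]] = {"Po": round(po, 3), "In": round(infl, 3), "k": k}
    return round(total, 3), details


def is_abnormal(observations, threshold):
    """Step 102's decision: data whose risk value exceeds the threshold is abnormal."""
    r, _ = risk_value(observations)
    return r > threshold


if __name__ == "__main__":
    r, per_layer = risk_value(SAMPLE)
    print("R =", r)
    for layer, d in per_layer.items():
        print(f"  {layer:12s} Po={d['Po']:.3f} In={d['In']:.3f} k={d['k']}")
```

With only the network-level observation k stays 0 and R stays small; the same observation correlated with the other four layers by IP and account raises every layer's k to 1, which is the effect the text describes.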
By collecting a variety of business-related data and using the reverse-derivation approach of security attack and defence, the embodiments of the invention truly fit the characteristics of the business and can accurately locate the occurrence of abnormal behaviour by detecting changes in the related data. Because they are closely fitted to the business, they can truly reflect the specific influence of an attack on the business and can therefore effectively detect advanced persistent threats to the business. The embodiments are applicable to all types of network services, especially telecommunications and mobile Internet services.
Fig. 4 is a schematic diagram of the structure of the anomaly detection device of an embodiment of the invention. As shown in Fig. 4, the anomaly detection device of the embodiment includes an establishing unit 40, a collecting unit 41, a first judging unit 42, a recording unit 43, a second judging unit 44 and an output unit 45, where:
the establishing unit 40 is configured to establish the abnormal behaviour pattern library by testing the business system;
the collecting unit 41 is configured to collect the data currently transmitted in the network;
the first judging unit 42 is configured to compare, by the configured analysis algorithm, the collected data with the data in the abnormal behaviour pattern library and judge whether the collected data is abnormal data, and to trigger the recording unit 43 when the collected data is determined to be abnormal data;
the recording unit 43 is configured to record the abnormal data;
the second judging unit 44 is configured to judge whether the abnormal data of a certain type recorded by the recording unit exceeds the set threshold, and to trigger the output unit when it does;
the output unit 45 is configured to output the warning information for the abnormal data exceeding the set threshold.
In the embodiment of the present invention, the establishing unit 40 is further configured to send test attack messages to a test port and to record at least the changes of the related data at the network level, data plane, system level and service layer.
In the embodiment of the present invention, the establishing unit 40 is further configured to carry out a security test on the business system in the network and record the data changes of the business system; to establish, according to a preset security behaviour hierarchical model, the correspondence between the data and the manner in which the data change; and to sort the data into layers according to the security behaviour hierarchical model, then set correlating factors for the layered data, the correlating factors associating the data of each layer to form the abnormal behaviour pattern base.
In the embodiment of the present invention, the first judging unit 42 is further configured to determine the risk value R of the acquired data by the following formula:
wherein i ranges from 1 to n, n being the total number of layers in the security behaviour hierarchical model;
Po(i) ∈ [0,1], where Po(i) denotes the abnormal behaviour certainty index of layer i and is determined by the frequency f and the behaviour matching degree c;
In(i) ∈ [0,1], where In(i) denotes the abnormal behaviour intrusion index of layer i and is determined by the quantity q and the behaviour matching degree c;
k = 1 if layer i can be associated with other layers by a relation factor, otherwise k = 0;
the acquired data whose risk value R is greater than the set threshold are determined to be abnormal data.
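The layered pattern base, the per-layer indices Po(i) and In(i), the risk value R and the two-stage judging (risk threshold, then per-type count threshold) described above, as an added worked example in Python that is not code from the patent. The page does not give the formula for R, nor how Po(i) and In(i) are derived from f, q and c, so the Jaccard overlap used for c, the linear saturation used for the two indices and the aggregation used for R are assumptions, and every signature, marker name and observation is constructed.

```python
from collections import Counter

LAYERS = ("network", "data", "system", "service")  # hierarchical model, n = 4 layers (from the page)


def matching_degree(observed, signature):
    # Behaviour matching degree c in [0,1]; assumed here to be the Jaccard overlap.
    union = observed | signature
    return len(observed & signature) / len(union) if union else 0.0


def certainty_index(f, c, f_max=10):
    # Po(i) in [0,1] from frequency f and c; assumed: linear saturation in f.
    return c * min(1.0, f / f_max)


def intrusion_index(q, c, q_max=10):
    # In(i) in [0,1] from quantity q and c; assumed: linear saturation in q.
    return c * min(1.0, q / q_max)


def risk_value(signatures, correlated, observations):
    # R is not given on the page; assumed here as sum_i Po(i)*In(i)*(1+k_i) / (2n), within [0,1].
    # signatures: layer -> change markers recorded during the security test (the pattern base);
    # correlated: layer -> True if a correlating factor links the layer to other layers (k = 1).
    total = 0.0
    for layer in LAYERS:
        observed, f, q = observations.get(layer, (set(), 0, 0))
        c = matching_degree(observed, signatures[layer])
        k = 1 if correlated.get(layer) else 0
        total += certainty_index(f, c) * intrusion_index(q, c) * (1 + k)
    return total / (2 * len(LAYERS))


class AnomalyDetector:
    """First judging unit, recording unit and second judging unit of the device in one object."""

    def __init__(self, signatures, correlated, risk_threshold, alert_threshold):
        self.signatures, self.correlated = signatures, correlated
        self.risk_threshold = risk_threshold    # R above this -> abnormal data
        self.alert_threshold = alert_threshold  # recorded count above this -> warning
        self.recorded = Counter()               # recording unit: abnormal data counted by type

    def judge(self, data_type, observations):
        # First judging unit: returns (R, abnormal) and triggers the recording unit.
        r = risk_value(self.signatures, self.correlated, observations)
        abnormal = r > self.risk_threshold
        if abnormal:
            self.recorded[data_type] += 1
        return r, abnormal

    def warnings(self):
        # Second judging unit: types whose recorded abnormal data exceed the set threshold.
        return {t: n for t, n in self.recorded.items() if n > self.alert_threshold}


# Constructed pattern base and observations (layer -> (observed markers, f, q)); not from the page.
SIGNATURES = {"network": {"syn_rate_up", "new_src_ports"}, "data": {"query_len_up", "error_rate_up"},
              "system": {"cpu_up", "new_process"}, "service": {"login_fail_up"}}
CORRELATED = {"network": True, "data": True, "system": False, "service": False}
ATTACK_LIKE = {"network": ({"syn_rate_up", "new_src_ports"}, 10, 10),
               "data": ({"query_len_up"}, 5, 10), "system": ({"cpu_up", "new_process"}, 10, 5)}
BENIGN = {"network": ({"syn_rate_up"}, 1, 1)}
```

With the constructed inputs, ATTACK_LIKE scores R = 0.34375 and BENIGN scores well below 0.01, so a risk threshold of 0.3 separates them; three recorded hits of one type then exceed an alert threshold of 2 and produce a warning for that type.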
Those skilled in the art will appreciate that the functions implemented by each processing unit in the abnormal behaviour detection device shown in Fig. 4 can be understood with reference to the foregoing description of the anomaly detection method and its embodiments. Those skilled in the art should understand that the function of each processing unit in the abnormal behaviour detection device shown in Fig. 4 can be implemented by a program running on a processor, or by a specific logic circuit.
The technical solutions described in the embodiments of the present invention can be combined in any manner provided there is no conflict.
In the several embodiments provided by the present invention, it should be understood that the disclosed method, apparatus and electronic device may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division of units is only a division by logical function, and other divisions are possible in actual implementation, such as: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may all be integrated in one processing unit, each unit may be a separate unit, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes a removable storage device, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk or other media capable of storing program code.
Alternatively, if the integrated unit of the embodiment of the present invention is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiment of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the method of each embodiment of the present invention. The storage medium includes a removable storage device, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk or other media capable of storing program code.
The scope of protection of the present invention is not limited thereto; any change or replacement that can be readily conceived by those familiar with the art within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention.
Claims (4)
1. An anomaly detection method, characterized in that an abnormal behaviour pattern base is established by testing a business system; the method includes:
acquiring the data currently transmitted in the network, comparing, by a configured parser, the acquired data with the data in the abnormal behaviour pattern base, and judging whether the acquired data are abnormal data; wherein
the risk value R of the acquired data is determined by the following formula:
wherein i ranges from 1 to n, n being the total number of layers in the security behaviour hierarchical model;
Po_i(f, c) ∈ [0,1], where Po_i(f, c) denotes the abnormal behaviour certainty index of layer i and is determined by the frequency f and the behaviour matching degree c;
In_i(q, c) ∈ [0,1], where In_i(q, c) denotes the abnormal behaviour intrusion index of layer i and is determined by the quantity q and the behaviour matching degree c;
k = 1 if layer i can be associated with other layers by a relation factor, otherwise k = 0;
the acquired data whose risk value R is greater than the set threshold are determined to be abnormal data;
when the acquired data are determined to be abnormal data, recording the abnormal data;
when some type of recorded abnormal data exceeds a set threshold, outputting warning information for the abnormal data exceeding the set threshold;
wherein establishing the abnormal behaviour pattern base includes:
carrying out a security test on the business system in the network and recording the data changes of the business system;
establishing, according to a preset security behaviour hierarchical model, the correspondence between the data and the manner in which the data change;
sorting the data into layers according to the security behaviour hierarchical model, then setting correlating factors for the layered data, the correlating factors associating the data of each layer to form the abnormal behaviour pattern base.
2. The method according to claim 1, characterized in that testing the business system includes:
sending test attack messages to a test port and recording at least the changes of the related data at the network level, data plane, system level and service layer.
3. An abnormal behaviour detection device, characterized in that the device includes an establishing unit, an acquisition unit, a first judging unit, a recording unit, a second judging unit and an output unit, in which:
the establishing unit is configured to carry out a security test on the business system in the network and record the data changes of the business system; to establish, according to a preset security behaviour hierarchical model, the correspondence between the data and the manner in which the data change; and to sort the data into layers according to the security behaviour hierarchical model, then set correlating factors for the layered data, the correlating factors associating the data of each layer to form the abnormal behaviour pattern base;
the acquisition unit is configured to acquire the data currently transmitted in the network;
the first judging unit is configured to compare, by a configured parser, the acquired data with the data in the abnormal behaviour pattern base and to judge whether the acquired data are abnormal data, triggering the recording unit when the acquired data are determined to be abnormal data; it is further configured to determine the risk value R of the acquired data by the following formula:
wherein i ranges from 1 to n, n being the total number of layers in the security behaviour hierarchical model;
Po_i(f, c) ∈ [0,1], where Po_i(f, c) denotes the abnormal behaviour certainty index of layer i and is determined by the frequency f and the behaviour matching degree c;
In_i(q, c) ∈ [0,1], where In_i(q, c) denotes the abnormal behaviour intrusion index of layer i and is determined by the quantity q and the behaviour matching degree c;
k = 1 if layer i can be associated with other layers by a relation factor, otherwise k = 0;
the acquired data whose risk value R is greater than the set threshold are determined to be abnormal data;
the recording unit is configured to record the abnormal data;
the second judging unit is configured to judge whether some type of abnormal data recorded by the recording unit exceeds a set threshold, and to trigger the output unit when the set threshold is exceeded;
the output unit is configured to output warning information for the abnormal data exceeding the set threshold.
4. The device according to claim 3, characterized in that the establishing unit is further configured to send test attack messages to a test port and to record at least the changes of the related data at the network level, data plane, system level and service layer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410854233.8A CN105812200B (en) | 2014-12-31 | 2014-12-31 | Anomaly detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105812200A CN105812200A (en) | 2016-07-27 |
CN105812200B true CN105812200B (en) | 2019-09-13 |
Family
ID=56464958
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105812200B (en) |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |