CN105812200B - Anomaly detection method and device - Google Patents


Publication number: CN105812200B
Authority: CN (China)
Application number: CN201410854233.8A
Other languages: Chinese (zh)
Other versions: CN105812200A
Inventors: 孙乾, 何申, 俞诗源, 傅珩轩
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Legal status: Active (granted)
Application filed by China Mobile Communications Group Co Ltd; published as CN105812200A; granted and published as CN105812200B.

Abstract

Embodiments of the invention disclose an anomaly detection method and device. The method comprises: establishing an abnormal-behaviour pattern library by testing the business system; collecting the data currently transmitted in the network and, using a set analysis algorithm, comparing the collected data with the data in the abnormal-behaviour pattern library to judge whether the collected data are abnormal data; recording the abnormal data when the collected data are determined to be abnormal; and, when a given type of recorded abnormal data exceeds a set threshold, outputting alarm information for the abnormal data that exceeds the set threshold.

Description

Anomaly detection method and device
Technical field
The present invention relates to network data detection technology, and in particular to an anomaly detection method and device.
Background art
Intrusion detection detects intrusion behaviour in a network. By collecting and analysing network behaviour, security logs, audit data, information available on other networks, and information at several key points in a computer system, it checks whether the network or system shows signs of behaviour that violates the security policy or of being attacked. Currently, network traffic data are collected and analysed statistically: a normal-traffic model is built from features such as time series and the pattern of change in traffic volume, a normal-rule threshold is set, and once the network traffic is found to deviate from the normal curve by more than the threshold, it is assumed to be abnormal. Alternatively, logs from hosts and network devices are collected, statistically analysed and audited; from time series and normal business access, a whitelist of normal log content and change patterns, or a normal-business behaviour model, is compiled, and any log content that is not in the whitelist or does not conform to the normal-business behaviour model is identified as abnormal.
In current intrusion detection the data sources are mainly network traffic and system logs. The shortcoming is that such data only reflect historical patterns and cannot truly be tied to the actual business. For example, once an anomaly is found, the reason given is typically only that the rules of the normal model were not met; what relationship the anomaly has to the business, and which layer of the business it affects, cannot be shown. In addition, a normal model built from time series will necessarily produce false positives when it meets burst-type or randomly patterned business, and where the business logic is especially complex and the attack technique is very covert, it is likely to produce false negatives.
Summary of the invention
To solve the above technical problems, embodiments of the invention provide an anomaly detection method and device that collect business-related data and, by reverse derivation in the manner of security attack and defence, locate the occurrence of abnormal behaviour by detecting changes in the related data.
The technical solution of the embodiments of the invention is achieved as follows:
An anomaly detection method, in which an abnormal-behaviour pattern library is established by testing the business system; the method comprises:
collecting the data currently transmitted in the network and, using a set analysis algorithm, comparing the collected data with the data in the abnormal-behaviour pattern library to judge whether the collected data are abnormal data;
when the collected data are determined to be abnormal data, recording the abnormal data;
when a given type of recorded abnormal data exceeds a set threshold, outputting alarm information for the abnormal data exceeding the set threshold.
Preferably, testing the business system comprises:
sending test attack messages to a test port and recording at least the changes in the related data at the network, data, system and business layers.
Preferably, establishing the abnormal-behaviour pattern library comprises:
performing security tests on the business system in the network and recording the data changes of the business system;
establishing, according to a preset security-behaviour layering model, the correspondence between the data and the way the data change;
sorting the data into layers according to the security-behaviour layering model, then setting correlation factors for the layered data; the correlation factors associate the data of each layer to form the abnormal-behaviour pattern library.
Preferably, comparing the collected data with the data in the abnormal-behaviour pattern library using the set analysis algorithm and judging whether the collected data are abnormal data comprises:
determining the risk value R of the collected data by the following formula (the formula itself is not reproduced in this extraction), where:
i ranges from 1 to n, and n is the total number of layers in the security-behaviour layering model;
Po(i) ∈ [0,1] denotes the abnormal-behaviour certainty (possibility) index of layer i, determined by frequency f and behaviour matching degree c;
In(i) ∈ [0,1] denotes the abnormal-behaviour influence index of layer i, determined by quantity q and behaviour matching degree c;
k = 1 if layer i can be associated with other layers through a correlation factor, otherwise k = 0;
collected data whose risk value R is greater than the set threshold are determined to be abnormal data.
An abnormal-behaviour detection device, comprising an establishing unit, an acquisition unit, a first judging unit, a recording unit, a second judging unit and an output unit, wherein:
the establishing unit is configured to establish an abnormal-behaviour pattern library by testing the business system;
the acquisition unit is configured to collect the data currently transmitted in the network;
the first judging unit is configured to compare, using a set analysis algorithm, the collected data with the data in the abnormal-behaviour pattern library and judge whether the collected data are abnormal data, and to trigger the recording unit when the collected data are determined to be abnormal data;
the recording unit is configured to record the abnormal data;
the second judging unit is configured to judge whether a given type of abnormal data recorded by the recording unit exceeds a set threshold, and to trigger the output unit when the set threshold is exceeded;
the output unit is configured to output alarm information for the abnormal data exceeding the set threshold.
Preferably, the establishing unit is further configured to send test attack messages to a test port and to record at least the changes in the related data at the network, data, system and business layers.
Preferably, the establishing unit is further configured to perform security tests on the business system in the network and record the data changes of the business system; to establish, according to a preset security-behaviour layering model, the correspondence between the data and the way the data change; and to sort the data into layers according to the security-behaviour layering model and then set correlation factors for the layered data, the correlation factors associating the data of each layer to form the abnormal-behaviour pattern library.
Preferably, the first judging unit is further configured to determine the risk value R of the collected data by the following formula (the formula itself is not reproduced in this extraction), where:
i ranges from 1 to n, and n is the total number of layers in the security-behaviour layering model;
Po(i) ∈ [0,1] denotes the abnormal-behaviour certainty (possibility) index of layer i, determined by frequency f and behaviour matching degree c;
In(i) ∈ [0,1] denotes the abnormal-behaviour influence index of layer i, determined by quantity q and behaviour matching degree c;
k = 1 if layer i can be associated with other layers through a correlation factor, otherwise k = 0;
collected data whose risk value R is greater than the set threshold are determined to be abnormal data.
In the embodiments of the invention, the data currently transmitted in the network are first collected and, using the set analysis algorithm, compared with the data in the abnormal-behaviour pattern library to judge whether the collected data are abnormal data; when the collected data are determined to be abnormal data, the abnormal data are recorded; and when a given type of recorded abnormal data exceeds the set threshold, alarm information for the abnormal data exceeding the set threshold is output. By collecting several kinds of business-related data and applying reverse derivation in the manner of security attack and defence, the embodiments are truly tied to the characteristics of the business, and by detecting changes in the related data they can accurately locate the occurrence of abnormal behaviour. Because they are closely tied to the business, the embodiments can truly reflect the specific impact of an attack on the business and can therefore effectively detect advanced persistent threats against the business. The embodiments are applicable to all types of network services, especially communication services and services related to the mobile Internet.
Description of the drawings
Fig. 1 is a flowchart of the anomaly detection method of an embodiment of the invention;
Fig. 2 is a schematic diagram of the business model of the anomaly detection method of an embodiment of the invention;
Fig. 3 is a schematic diagram of the generation of the abnormal-behaviour pattern library of an embodiment of the invention;
Fig. 4 is a schematic diagram of the composition of the abnormal-behaviour detection device of an embodiment of the invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is further described below through embodiments and with reference to the drawings.
Fig. 1 is a flowchart of the anomaly detection method of an embodiment of the invention. As shown in Fig. 1, the abnormal-behaviour detection method of this example comprises the following steps:
Step 101: establish an abnormal-behaviour pattern library by testing the business system.
In this embodiment the abnormal-behaviour pattern library is established by performing relevant tests on the business system in the network. Here "business" means a carrier that provides services to users. For a telecom operator, for example, SMS is one of its main businesses; this business does not exist on its own but must rely on the telecommunication network and the SMS system before it can provide services to users. Likewise MMS, WLAN, WAP, DNS and so on are all different businesses.
In this embodiment, establishing the abnormal-behaviour pattern library comprises testing the business system, i.e. sending test attack messages to a test port and recording at least the changes in the related data at the network, data, system and business layers:
performing security tests on the business system in the network and recording the data changes of the business system;
establishing, according to a preset security-behaviour layering model, the correspondence between the data and the way the data change;
sorting the data into layers according to the security-behaviour layering model, then setting correlation factors for the layered data; the correlation factors associate the data of each layer to form the abnormal-behaviour pattern library.
Step 102: collect the data currently transmitted in the network and, using the set analysis algorithm, compare the collected data with the data in the abnormal-behaviour pattern library to judge whether the collected data are abnormal data.
In this embodiment the risk value R of the collected data can be determined by the following formula (the formula itself is not reproduced in this extraction), where:
i ranges from 1 to n, and n is the total number of layers in the security-behaviour layering model;
Po(i) ∈ [0,1] denotes the abnormal-behaviour certainty (possibility) index of layer i, determined by frequency f and behaviour matching degree c;
In(i) ∈ [0,1] denotes the abnormal-behaviour influence index of layer i, determined by quantity q and behaviour matching degree c;
k = 1 if layer i can be associated with other layers through a correlation factor, otherwise k = 0;
collected data whose risk value R is greater than the set threshold are determined to be abnormal data.
Step 103: when the collected data are determined to be abnormal data, record the abnormal data.
In this embodiment, when the collected data are determined to be abnormal data, the abnormal data are recorded.
Step 104: when a given type of recorded abnormal data exceeds the set threshold, output alarm information for the abnormal data exceeding the set threshold.
Once a given type of abnormal data has been counted beyond the predetermined quantity, such data are output as abnormal data and the user is notified so as to take corresponding precautions.
The essence of the technical solution of the embodiments of the invention is further explained below through a specific example.
Fig. 2 is a schematic diagram of the business model of the anomaly detection method of an embodiment of the invention. The business model in the figure is designed according to the terminal-pipe-cloud architecture of the mobile Internet; mobile communication networks, the Internet and the like currently conform to this model. The abnormal-behaviour detection system comprises four modules, whose functions are briefly described below:
Acquisition module: connected to the network management system, it collects data from the network management system and from the business servers respectively. Viewed from the layering of network and business, the data comprise network security data, data security data, system security data, application security data and business security data.
For example, raw network traffic is generally collected by optical splitting or port mirroring. Optical splitting means installing an optical splitter on a network link to split the light physically and extract a weaker copy as a bypass for analysis; mirroring means configuring a switch to copy all the traffic on a port A to a port B, so that an analysis system attached to port B can analyse the relevant traffic. Device logs are generally collected via syslog. Syslog, also called system log or system record, is a standard for conveying event-record messages on an Internet Protocol (TCP/IP) network. Proprietary data inside a system are generally collected by remote login, e.g. telnet or ssh: a script simulates maintenance staff logging in to the system and executes a series of pre-set commands to obtain the system's output.
Abnormal-behaviour analysis module: compares the data from the acquisition module with the data in the abnormal-behaviour pattern library and analyses, through the analysis algorithm, whether abnormal behaviour exists.
Abnormal-behaviour pattern library: a pattern library built by a series of methods, containing a series of behaviour-description data; once certain behaviours match the related data, the pattern of a certain abnormal behaviour has been met.
Display and alarm module: displays the results of the abnormal-behaviour analysis module that exceed the threshold and sends alarms.
Fig. 3 is a schematic diagram of the generation of the abnormal-behaviour pattern library of an embodiment of the invention. As shown in Fig. 3, how the invention establishes the abnormal-behaviour pattern library is set out below:
1. Perform security tests on the business system in various ways, including but not limited to security assessment, penetration testing, the investigation results of past security incidents, security operations experience and security emergency drills, to analyse the security attacks that may occur on the business system.
Take SYN Flood, a fairly common DDoS attack, as an example:
A uses network tools to send B a large number of TCP connection requests (SYN) directed at port 80, but after receiving B's acknowledgement (SYN+ACK) does not send the confirming ACK back to B. In effect, A has launched a SYN Flood attack test against B. Because B cannot receive the ACK, half-open connections arise, and a large number of half-open connections consume many of B's resources so that it can no longer provide stable service.
Logging in to system B and checking the network connection status with the netstat command shows (as the figure, not reproduced in this extraction, did) a large number of half-open connections in SYN_RECEIVED state, whereas without an attack the relevant connections are all in LISTEN or ESTABLISHED state. It can therefore be said that the attack caused a clear change in the network connection state.
This completes one security test. It allows security managers to judge that a SYN Flood attack has occurred when a large number of SYN_RECEIVED half-open connections appear on a host.
This test case is quite simple, but it illustrates clearly how the occurrence of abnormal behaviour can be judged from changes in critical data. For more complex security anomalies or attacks, however, inferring a possible attack from the change of a single kind of critical data produces many false positives. Such complex security anomalies typically lead to a series of data changes with various correlations between them, and only when all the changed data are associated according to the logic of the attack can the accuracy of anomaly detection be greatly improved.
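The SYN Flood indicator described above, as an added example that is not part of the patent: parse `netstat -an` output, count half-open connections per local port, and flag ports whose backlog exceeds a threshold. The netstat text, the host addresses and the threshold of 20 are constructed for illustration; the line format is the Linux one (state SYN_RECV), and the Windows spelling SYN_RECEIVED used on the page is accepted as well.

```python
"""Added example (not from the patent): SYN Flood indicator from netstat -an output."""
from collections import Counter
import re

# Server-side half-open TCP states. Linux netstat prints SYN_RECV; Windows prints SYN_RECEIVED.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}

# Constructed baseline (no attack): only LISTEN and ESTABLISHED connections.
BASELINE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.7:40022          ESTABLISHED
"""

# Constructed attack sample: 40 half-open connections to port 80 from spoofed sources.
ATTACK_NETSTAT = BASELINE_NETSTAT + "".join(
    f"tcp        0      0 10.0.0.5:80             198.51.100.{i}:{40000 + i}     SYN_RECV\n"
    for i in range(1, 41)
)

# Linux netstat TCP line: proto, recv-q, send-q, local, foreign, state.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_port, foreign_host, state) for every TCP line of netstat -an output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, udp and other non-TCP lines
        local, foreign, state = m.group(2), m.group(3), m.group(4)
        local_port = local.rsplit(":", 1)[1]
        foreign_host = foreign.rsplit(":", 1)[0]
        yield local_port, foreign_host, state


def half_open_per_port(text):
    """Count half-open connections per local port (the critical data that changes under SYN Flood)."""
    counts = Counter()
    for port, _host, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            counts[port] += 1
    return counts


def syn_flood_suspects(text, threshold=20):
    """Return {port: half_open_count} for ports whose half-open backlog exceeds the threshold.
    The threshold is an assumption for illustration; tune it to the host's normal backlog."""
    return {port: n for port, n in half_open_per_port(text).items() if n > threshold}


if __name__ == "__main__":
    print("baseline half-open:", dict(half_open_per_port(BASELINE_NETSTAT)))
    print("attack suspects:", syn_flood_suspects(ATTACK_NETSTAT))
```

Comparing the attack sample against the baseline is exactly the "change in network connection state" the test above records: the baseline yields no half-open connections, the attack sample yields port 80 with 40.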
2. Observe and record the critical-data changes of the business system.
"Business" means a carrier that provides services to users. For a telecom operator, for example, SMS is a main business; this business does not exist on its own but must rely on the telecommunication network and the SMS system before it can provide services to users. Likewise MMS, WLAN, WAP, DNS and so on are different businesses.
The principle for selecting these data is: select the data related to the CIA properties (confidentiality, integrity, availability) of the core business, covering all related data at the network, data, system, application and business layers.
"Change" here refers mainly to abnormal changes of the system, such as unauthorised changes, fluctuations beyond the normal amplitude, and changes matching known problems or risks.
3. Based on the measured changes in critical data and combined with the security-behaviour layering model, establish the complete set of critical data and their detailed change patterns.
Take a more complex business-layer security incident as an example: malicious subscription behaviour based on the WAP system. In this attack, an attacker who has not been authorised subscribes other users to certain services on their behalf, so that the providers of those services gain commercial benefit and the attacker takes a cut, forming a chain of interest.
When this attack occurs, a series of critical-data changes can be found:
(1) Network layer
Checking with netstat -an | grep LISTEN shows that the number of ports in LISTEN state has increased significantly, from just over ten before to more than 30, and that the IP address connected to this host is in every case 192.168.100.100.
A sample of the returned output follows (not reproduced in this extraction):
(2) Data layer
Viewing the passwd configuration file with more passwd shows one more account, hack, than before. Data sample:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
hack:x:2:2:daemon:/sbin:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
Viewing syslog.conf with more syslog.conf shows that the line for the auth log, which records user logins, has been commented out. Data sample:
*.notice;*.err;*.warn	/usr/adm/syserr.log
*.debug	/usr/adm/syslog
*.info	/usr/spool/mqueue/sys.log
#auth.*	/usr/adm/security
(3) System layer
The history command shows fewer operation-log entries than before; the last local entry before the truncation is vi bash_history, operator hack.
(4) Application layer
The contents of tomcat's tomcat-users.conf have been changed, operator hack.
Tomcat's access_log shows abnormal file-upload operations.
(5) Business layer
The command connect localhost:8080 shows that port 8080 on the system host is open and can be used to call connect, the business processing command, whereas before it could not be called; this constitutes a change.
The command md5sum wapgateway.jar shows that the md5 value of the key business program has changed, indicating that the file has been tampered with or replaced.
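The data-layer checks behind items (2) above, as an added example that is not part of the patent: diff an observed /etc/passwd against a baseline to find added accounts and accounts that share a UID, and diff a syslog.conf against a baseline to find logging rules that have been commented out. The baseline and observed contents are constructed from the page's samples (the baseline is assumed to be the same files before the hack account and the commented auth line appeared).

```python
"""Added example (not from the patent): baseline diffs of /etc/passwd and syslog.conf."""

# Constructed baseline and observed passwd contents; the 'hack' line is the planted account.
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
"""
PASSWD_OBSERVED = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
hack:x:2:2:daemon:/sbin:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
"""

# Constructed baseline and observed syslog.conf; the auth rule is commented out in the observed copy.
SYSLOG_BASELINE = """\
*.notice;*.err;*.warn\t/usr/adm/syserr.log
*.debug\t/usr/adm/syslog
*.info\t/usr/spool/mqueue/sys.log
auth.*\t/usr/adm/security
"""
SYSLOG_OBSERVED = """\
*.notice;*.err;*.warn\t/usr/adm/syserr.log
*.debug\t/usr/adm/syslog
*.info\t/usr/spool/mqueue/sys.log
#auth.*\t/usr/adm/security
"""


def parse_passwd(text):
    """Map user name -> (uid, gid, gecos, home, shell) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), gecos, home, shell)
    return users


def passwd_changes(baseline_text, observed_text):
    """Report accounts added or removed, and accounts that share a UID with another account.
    A shared UID (here 'hack' reusing daemon's UID 2) is a classic sign of a planted account."""
    base, obs = parse_passwd(baseline_text), parse_passwd(observed_text)
    added = sorted(set(obs) - set(base))
    removed = sorted(set(base) - set(obs))
    by_uid = {}
    for name, (uid, *_rest) in obs.items():
        by_uid.setdefault(uid, []).append(name)
    shared_uid = {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}
    return {"added": added, "removed": removed, "shared_uid": shared_uid}


def parse_syslog_conf(text):
    """Map selector -> (action, enabled) for each rule, keeping commented-out rules as disabled."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        parts = line.lstrip("#").strip().split(None, 1)
        if len(parts) != 2:
            continue  # a comment that is not a disabled rule
        selector, action = parts
        rules[selector] = (action, enabled)
    return rules


def disabled_logging(baseline_text, observed_text):
    """Return selectors that were active in the baseline but are commented out or missing now."""
    base, obs = parse_syslog_conf(baseline_text), parse_syslog_conf(observed_text)
    lost = []
    for selector, (_action, enabled) in base.items():
        if not enabled:
            continue
        now = obs.get(selector)
        if now is None or not now[1]:
            lost.append(selector)
    return sorted(lost)


if __name__ == "__main__":
    print(passwd_changes(PASSWD_BASELINE, PASSWD_OBSERVED))
    print(disabled_logging(SYSLOG_BASELINE, SYSLOG_OBSERVED))
```

Both functions return structured results keyed by the correlation factor the page uses for the data layer (the account name), which is what lets the change be associated with the system- and application-layer changes made by the same account.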
4. Sort all the critical data into layers according to the security-behaviour layering model, then set correlation factors to associate the contents of each layer.
A single data change can have very many causes, so a security attack cannot be judged from one data change alone; doing so would produce a large number of false positives. All the changes therefore need to be associated across the different layers: the more layers are associated and matched, the stronger the judgement.
For the example in step 3 above, associating by IP address and by account respectively:
(1) From the network layer it can be found that the IP address 192.168.100.100 caused the network connection anomaly.
(2) From the system layer a login from the IP address 192.168.100.100 can be found in the logs; the login account is hack.
(3) From the data layer it can be found that the account hack modified the configuration file of the system log.
(4) From the application layer it can be found that the account hack modified the application configuration of tomcat so that the application allows script files to be uploaded from the client, and that a user then exploited this security problem to upload an abnormal trojan script.
(5) From the business layer it can be found that the account hack opened port 8080 and modified the key business program.
In summary, associating this series of critical-data changes by IP address and account name fully matches the series of changes caused by a malicious-subscription security incident, so that it can be accurately judged, on the whole, that malicious subscription, an abnormal behaviour, has indeed occurred.
Security-behaviour layering model: a layered classification model that can cover all data relevant to business security, comprising, but not limited to, the five layers network, data, system, application and business.
5. Integrate and sort all the data, classify them into layers and confirm the correlation factors to form the abnormal-behaviour pattern library, as shown in the figure above. The abnormal-behaviour pattern library is composed of three parts: the security-behaviour layering model, the critical-data change patterns and the correlation factors.
(1) Integration and sorting
The emphasis of this step is integration. Because there are many types of security attack, a large number of tests must be made within the known range and then combined with the investigation of past security incidents to integrate a complete set of critical data.
For example, for the malicious-subscription feature described above, the following must be integrated: network connection data (netstat), system account configuration data (passwd), system log configuration data (syslog.conf), system operation log data (history), application configuration data (tomcat-users.conf), application access log data (access_log), specific business port data (connect 8080) and key business program data (md5sum wapgateway.jar).
Integrating these data forms the complete data set for the malicious-subscription type of security attack; for other attacks the same approach is used but different data sets result.
(2) Classification into layers
According to the model of the abnormal-behaviour pattern library and the characteristics of each kind of critical data, the data integrated in the previous step are classified by layer:
Network layer: network connection data (netstat)
Data layer: system account configuration data (passwd), system log configuration data (syslog.conf)
System layer: system operation log data (history)
Application layer: application configuration data (tomcat-users.conf), application access log data (access_log)
Business layer: specific business port data (connect 8080), key business program data (md5sum wapgateway.jar)
(3) Confirmation of correlation factors
Network layer: IP address and port number
Data layer: account name
System layer: IP address and account name
Application layer: account name
Business layer: account name
In this way, for every security attack there is a series of critical-data change features at different layers that can be associated, and so abnormal security behaviour can be detected very accurately. All known detection methods are gathered together to form the abnormal-behaviour pattern library. Each row of the library describes one critical-data change feature at one layer: it reflects the abnormal change of that critical data at that layer during a security attack and states by which factor it can be associated with other layers. In actual anomaly detection, once the real-time detection data match the different features of different layers simultaneously, a specific detection result can be calculated according to the correlation factors.
The security-behaviour layering model above is only the best practice summarised so far; more layers, such as a terminal layer or a wireless layer, can be added as circumstances require. Similarly, the critical data chosen in the critical-data change patterns are not limited to those listed and should also be extended or reduced as circumstances require.
Following the above processing, an example of a formed abnormal-behaviour pattern library is shown in Table 1 below:
Table 1 (contents not reproduced in this extraction)
Table 1 describes two abnormal behaviours, from the network layer and the system layer respectively, giving the features of the abnormal behaviour, their form, the judgement criteria and so on. Both are in fact designed around the business as the core, for example: the business does not need remote access for intranet maintenance, and the business would not have maintenance operations lasting more than 2 hours.
In this embodiment the abnormal-behaviour analysis module monitors the critical data collected by the acquisition module in real time; once a change matching the abnormal-behaviour pattern library is found, it is analysed and judged accordingly, and an alarm is raised where the risk value is higher than the threshold.
The principle of the risk value calculation is as follows:
Risk (R) = Possibility (P) × Influence (I) × Relevance (Re), i.e. risk value (R) = possibility (P) × influence (I) × relevance (Re)
Calculation formula (not reproduced in this extraction):
n denotes the total number of layers in the security-behaviour layering model; i denotes a specific layer and takes values from 1 to n; where:
Po(i) ∈ [0,1] denotes the abnormal-behaviour certainty (possibility) index of layer i, determined by frequency f and behaviour matching degree c. The meaning is that the deeper the layer, the greater the possibility that the business is actually affected (if the business has been affected, the key risk has materialised, whereas an affected network layer does not necessarily mean the core business is affected), and the higher the frequency and the matching degree, the greater the possibility.
In(i) ∈ [0,1] denotes the abnormal-behaviour influence index of layer i, determined by quantity q and concrete behaviour matching degree c. The meaning is that the shallower the layer, the wider the scope of influence (for example, the network layer may affect multiple systems), and the larger the overall quantity and the higher the matching degree, the greater the influence.
If layer i is associated with other layers through the corresponding correlation factor, k = 1, otherwise k = 0. The relevance term (its formula is not reproduced in this extraction) therefore means that the more layers are associated with one another, the higher the overall risk.
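Steps 4 and 5 above and the risk-value principle, as an added example that is not part of the patent: a small abnormal-behaviour pattern library for the malicious-subscription scenario, matched against constructed critical-data changes, with cross-layer association by IP address and account name and a per-layer k flag. The patent's exact formula combining Po(i), In(i) and k into R is not legible in this extraction; the aggregation in `risk_value` (a sum over layers of Po(i) × In(i) × (1 + k_i), with Po rising and In falling with layer depth and both scaled by the matched fraction) is an assumption introduced here, not the patent's formula. The pattern rows, the observed changes and the single-factor network correlation are constructed from the walk-through.

```python
"""Added example (not from the patent): layered pattern library, cross-layer association, risk score."""
from dataclasses import dataclass, field

# Security-behaviour layering model, shallow to deep.
LAYERS = ["network", "data", "system", "application", "business"]


@dataclass(frozen=True)
class Pattern:
    layer: str
    source: str          # critical data source (netstat, passwd, ...)
    feature: str         # change feature named in the library row
    correlate_on: tuple  # correlation factors for this layer, e.g. ("ip", "account")


@dataclass
class Change:
    layer: str
    source: str
    feature: str
    attrs: dict = field(default_factory=dict)  # correlation-factor values, e.g. {"account": "hack"}


# Pattern-library rows for the malicious-subscription attack (network row simplified to IP only).
LIBRARY = [
    Pattern("network", "netstat", "listen_ports_increase", ("ip",)),
    Pattern("data", "passwd", "account_added", ("account",)),
    Pattern("data", "syslog.conf", "auth_logging_disabled", ("account",)),
    Pattern("system", "history", "history_truncated", ("ip", "account")),
    Pattern("application", "tomcat-users.conf", "config_modified", ("account",)),
    Pattern("application", "access_log", "file_upload", ("account",)),
    Pattern("business", "connect 8080", "port_opened", ("account",)),
    Pattern("business", "md5sum wapgateway.jar", "hash_changed", ("account",)),
]

# Constructed observations mirroring the walk-through (not real captures).
OBSERVED = [
    Change("network", "netstat", "listen_ports_increase", {"ip": "192.168.100.100"}),
    Change("data", "passwd", "account_added", {"account": "hack"}),
    Change("data", "syslog.conf", "auth_logging_disabled", {"account": "hack"}),
    Change("system", "history", "history_truncated", {"ip": "192.168.100.100", "account": "hack"}),
    Change("application", "tomcat-users.conf", "config_modified", {"account": "hack"}),
    Change("application", "access_log", "file_upload", {"account": "hack"}),
    Change("business", "connect 8080", "port_opened", {"account": "hack"}),
    Change("business", "md5sum wapgateway.jar", "hash_changed", {"account": "hack"}),
]


def match_layers(library, observed):
    """Per layer: the observed changes that match a library row, and the (factor, value) keys they carry."""
    result = {layer: {"changes": [], "keys": set()} for layer in LAYERS}
    index = {(p.layer, p.source, p.feature): p for p in library}
    for ch in observed:
        p = index.get((ch.layer, ch.source, ch.feature))
        if p is None:
            continue  # change not described in the library
        result[ch.layer]["changes"].append(ch)
        for factor in p.correlate_on:
            if factor in ch.attrs:
                result[ch.layer]["keys"].add((factor, ch.attrs[factor]))
    return result


def association_flags(matched):
    """k_i = 1 if layer i shares a correlation-factor value with some other layer, else 0."""
    flags = {}
    for layer in LAYERS:
        others = set().union(*(matched[o]["keys"] for o in LAYERS if o != layer))
        flags[layer] = int(bool(matched[layer]["keys"] & others))
    return flags


def risk_value(matched, flags, library):
    """ASSUMED aggregation, not the patent's formula: R = sum_i Po(i) * In(i) * (1 + k_i),
    with c = matched fraction of the layer's rows, Po(i) = (i/n) * c, In(i) = ((n-i+1)/n) * c."""
    n = len(LAYERS)
    r = 0.0
    for i, layer in enumerate(LAYERS, start=1):
        rows = [p for p in library if p.layer == layer]
        q = len(matched[layer]["changes"])
        if not rows or q == 0:
            continue
        c = min(1.0, q / len(rows))           # behaviour matching degree
        po = (i / n) * c                        # deeper layer: business impact more certain
        inf = ((n - i + 1) / n) * c             # shallower layer: wider influence
        r += po * inf * (1 + flags[layer])
    return round(r, 4)


def score(library, observed):
    """Run match, association and scoring; returns (per-layer match counts, k flags, R)."""
    matched = match_layers(library, observed)
    flags = association_flags(matched)
    counts = {layer: len(matched[layer]["changes"]) for layer in LAYERS}
    return counts, flags, risk_value(matched, flags, library)


if __name__ == "__main__":
    print(score(LIBRARY, OBSERVED))        # every layer matched and associated
    print(score(LIBRARY, OBSERVED[:1]))    # network change alone: no association, low R
```

With all eight changes present every layer is associated (k = 1 everywhere) and R reaches its maximum under the assumed aggregation; with only the netstat change present, k is 0 for the network layer and R stays small, which is the false-positive damping that step 4 argues for.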
The embodiment of the present invention is acquired by a variety of data relevant to business, in the way of the reverse-direction derivation of safe attacking and defending, It has really been bonded the feature of business, by detecting the variation of related data, the appearance of abnormal behaviour can be accurately positioned.This hair Bright embodiment is bonded closely with business, can really reflect the specific influence attacked for business, therefore, for advanced lasting Property business threat be able to carry out effective detection.The embodiment of the present invention is suitable for all types of network services, especially communicates Service type relevant with mobile Internet.
Fig. 4 is a schematic diagram of the composition of the abnormal behaviour detection device of the embodiment of the present invention. As shown in Fig. 4, the abnormal behaviour detection device of the embodiment of the present invention includes an establishing unit 40, an acquisition unit 41, a first judging unit 42, a recording unit 43, a second judging unit 44 and an output unit 45, in which:
The establishing unit 40 is configured to establish an abnormal behaviour pattern base by testing the business system;
The acquisition unit 41 is configured to acquire the data currently transmitted in the network;
The first judging unit 42 is configured to compare, by the set analysis algorithm, the acquired data with the data in the abnormal behaviour pattern base and judge whether the acquired data are abnormal data, and to trigger the recording unit 43 when the acquired data are determined to be abnormal data;
The recording unit 43 is configured to record the abnormal data;
The second judging unit 44 is configured to judge whether some type of abnormal data recorded by the recording unit exceeds a set threshold, and to trigger the output unit when the set threshold is exceeded;
The output unit 45 is configured to output warning information for the abnormal data exceeding the set threshold.
In the embodiment of the present invention, the establishing unit 40 is further configured to send test attack messages to a test port and to record at least the changes of the related data at the network layer, data layer, system layer and service layer.
In the embodiment of the present invention, the establishing unit 40 is further configured to carry out a security test on the business system in the network and record the data changes of the business system; to establish, according to a preset safety behaviour hierarchical model, the correspondence between the data and the manner in which the data change; and to sort the data into layers according to the safety behaviour hierarchical model, then set a correlating factor for the layered data, the correlating factor associating the data of each layer to form the abnormal behaviour pattern base.
In the embodiment of the present invention, the first judging unit 42 is further configured to determine the risk value R of the acquired data by the following formula:
where i ranges from 1 to n, and n is the total number of layers in the safety behaviour hierarchical model;
Po(i) ∈ [0,1], Po(i) denotes the certainty index of abnormal behaviour at layer i and is determined by the frequency f and the behaviour matching degree c;
In(i) ∈ [0,1], In(i) denotes the intrusion index of abnormal behaviour at layer i and is determined by the quantity q and the behaviour matching degree c;
if layer i can be associated with other layers through a relation factor, k = 1, otherwise k = 0;
and the acquired data whose risk value R is greater than a set threshold are determined to be abnormal data.
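The judge, record and warn pipeline described for the first judging unit 42, the recording unit 43, the second judging unit 44 and the output unit 45, together with a pattern base of the kind the establishing unit 40 builds from test attacks, as an added Python example that is not code from the patent or from China Mobile. The page gives Po(i), In(i), k and R only by their monotonicity, not in closed form, so the particular formulas used here (Po = depth/N * (1 - 0.5^f) * c, In = (N - depth + 1)/N * (1 - 0.5^q) * c, R = sum of (1 + k_i)(Po_i + In_i) / (4N)), the use of string similarity as the behaviour matching degree, the names Pattern, Observation and Detector, and the pattern base and collected batches are all assumptions or constructed sample data:

```python
"""Layered anomaly scoring in the style of CN105812200B (added example, not the patent's code).
The patent gives Po(i), In(i) in [0,1], the flag k and a risk value R only by their
monotonicity, not in closed form; every formula here is an assumption honouring that
monotonicity, and the pattern base and observations are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher

LAYERS = ("network", "data", "system", "service")  # i = 1..N; deeper means closer to the business
N = len(LAYERS)

@dataclass(frozen=True)
class Pattern:
    """Pattern-base entry: a data-change signature recorded during a test attack plus the
    correlating factor, i.e. the other layers that changed in the same test."""
    layer: str
    signature: str
    linked: frozenset

@dataclass(frozen=True)
class Observation:
    """A data change collected from the live network; count is the quantity q."""
    layer: str
    signature: str
    count: int = 1

def matching_degree(observed: str, known: str) -> float:
    """c in [0,1]; string similarity stands in for the patent's behaviour match (assumption)."""
    return SequenceMatcher(None, observed, known).ratio()

def certainty_index(depth: int, f: int, c: float) -> float:
    """Po(i): grows with layer depth, frequency f and match c (assumed form)."""
    return (depth / N) * (1 - 0.5 ** f) * c

def intrusion_index(depth: int, q: int, c: float) -> float:
    """In(i): grows as the layer gets shallower, and with quantity q and match c (assumed form)."""
    return ((N - depth + 1) / N) * (1 - 0.5 ** q) * c

def risk_value(batch, base):
    """Return (R, dominant signature) with R = sum_i (1 + k_i)(Po_i + In_i) / (4N) in [0,1];
    the normalisation and the use of k as a weight are assumptions."""
    by_layer = {}
    for obs in batch:
        by_layer.setdefault(obs.layer, []).append(obs)
    total, best_term, best_type = 0.0, 0.0, None
    for depth, layer in enumerate(LAYERS, start=1):
        obs_list = by_layer.get(layer)
        if not obs_list:
            continue
        # best match between this layer's collected signatures and its stored patterns
        c, pat = max(((matching_degree(o.signature, p.signature), p)
                      for o in obs_list for p in base if p.layer == layer),
                     key=lambda t: t[0], default=(0.0, None))
        if pat is None:
            continue
        f = len(obs_list)                   # how often this layer changed in the interval
        q = sum(o.count for o in obs_list)  # how many items changed
        k = 1 if pat.linked & set(by_layer) else 0  # an associated layer changed as well
        term = (1 + k) * (certainty_index(depth, f, c) + intrusion_index(depth, q, c))
        total += term
        if term > best_term:
            best_term, best_type = term, pat.signature
    return total / (4 * N), best_type

class Detector:
    """Judge, record, then warn once one type of abnormal data exceeds a count threshold."""
    def __init__(self, base, risk_threshold=0.2, count_threshold=2):
        self.base, self.risk_threshold, self.count_threshold = base, risk_threshold, count_threshold
        self.records = Counter()  # recorded abnormal data, keyed by type

    def process(self, batch):
        """Return (R, recorded type or None, warning or None) for one collection interval."""
        r, kind = risk_value(batch, self.base)
        if kind is None or r <= self.risk_threshold:
            return r, None, None
        self.records[kind] += 1
        if self.records[kind] > self.count_threshold:
            return r, kind, f"{kind} recorded {self.records[kind]} times, threshold {self.count_threshold}"
        return r, kind, None

# Constructed pattern base, as if recorded while a test flood was sent to a test port.
PATTERN_BASE = (
    Pattern("network", "syn_rate_spike", frozenset({"system", "service"})),
    Pattern("data", "record_count_drop", frozenset({"service"})),
    Pattern("system", "cpu_load_spike", frozenset({"network", "service"})),
    Pattern("service", "api_latency_spike", frozenset({"network", "system"})),
)
# Constructed collected data: one interval resembling the test attack, one that does not.
ATTACK_BATCH = (Observation("network", "syn_rate_spike", count=3),
                Observation("system", "cpu_load_spike"),
                Observation("service", "api_latency_spike"))
BENIGN_BATCH = (Observation("data", "record_count_rise"),)

if __name__ == "__main__":
    det = Detector(PATTERN_BASE)
    for batch in (BENIGN_BATCH, ATTACK_BATCH, ATTACK_BATCH, ATTACK_BATCH):
        r, kind, warning = det.process(batch)
        print(f"R={r:.4f} recorded={kind} warning={warning}")
```

Running the block feeds one benign interval and three attack-like intervals through the detector: the attack batches score R = 0.28125 against the 0.2 risk threshold and are recorded under the dominant signature, and the third occurrence crosses the count threshold of 2 and produces the warning. The benign batch matches the data-layer pattern only partially and has no corroborating change in an associated layer (k = 0), so it stays well below the threshold; this is where the correlating factor of the pattern base does its work, since a single-layer spike without cross-layer corroboration contributes only half as much as the same spike with it.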
Those skilled in the art will appreciate that the functions implemented by each processing unit of the abnormal behaviour detection device shown in Fig. 4 can be understood with reference to the foregoing description of the anomaly detection method and its embodiments. Those skilled in the art should also understand that the functions of each processing unit of the abnormal behaviour detection device shown in Fig. 4 may be implemented by a program running on a processor or by a specific logic circuit.
The technical solutions described in the embodiments of the present invention may be combined in any manner, provided that they do not conflict.
In the several embodiments provided by the present invention, it should be understood that the disclosed method, apparatus and electronic device may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing unit, or each unit may serve as a unit on its own, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
Alternatively, if the integrated unit of the embodiment of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiment of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the method of each embodiment of the present invention. The storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The scope of protection of the present invention is not limited thereto; any change or replacement that those familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention.

Claims (4)

1. An anomaly detection method, characterised in that an abnormal behaviour pattern base is established by testing a business system, the method comprising:
acquiring the data currently transmitted in a network, comparing, by a set analysis algorithm, the acquired data with the data in the abnormal behaviour pattern base, and judging whether the acquired data are abnormal data; wherein
the risk value R of the acquired data is determined by the following formula:
where i ranges from 1 to n, and n is the total number of layers in a safety behaviour hierarchical model;
Po_i(f, c) ∈ [0,1], Po_i(f, c) denotes the certainty index of abnormal behaviour at layer i and is determined by the frequency f and the behaviour matching degree c;
In_i(q, c) ∈ [0,1], In_i(q, c) denotes the intrusion index of abnormal behaviour at layer i and is determined by the quantity q and the behaviour matching degree c;
if layer i can be associated with other layers through a relation factor, k = 1, otherwise k = 0;
the acquired data whose risk value R is greater than a set threshold are determined to be abnormal data;
when the acquired data are determined to be abnormal data, recording the abnormal data;
when some type of recorded abnormal data exceeds a set threshold, outputting warning information for the abnormal data exceeding the set threshold;
wherein establishing the abnormal behaviour pattern base comprises:
carrying out a security test on the business system in the network and recording the data changes of the business system;
establishing, according to a preset safety behaviour hierarchical model, the correspondence between the data and the manner in which the data change;
sorting the data into layers according to the safety behaviour hierarchical model, then setting a correlating factor for the layered data, the correlating factor associating the data of each layer to form the abnormal behaviour pattern base.
2. The method according to claim 1, characterised in that testing the business system comprises:
sending test attack messages to a test port and recording at least the changes of the related data at the network layer, data layer, system layer and service layer.
3. An abnormal behaviour detection device, characterised in that the device comprises an establishing unit, an acquisition unit, a first judging unit, a recording unit, a second judging unit and an output unit, in which:
the establishing unit is configured to carry out a security test on a business system in a network and record the data changes of the business system; to establish, according to a preset safety behaviour hierarchical model, the correspondence between the data and the manner in which the data change; and to sort the data into layers according to the safety behaviour hierarchical model, then set a correlating factor for the layered data, the correlating factor associating the data of each layer to form an abnormal behaviour pattern base;
the acquisition unit is configured to acquire the data currently transmitted in the network;
the first judging unit is configured to compare, by a set analysis algorithm, the acquired data with the data in the abnormal behaviour pattern base and judge whether the acquired data are abnormal data, and to trigger the recording unit when the acquired data are determined to be abnormal data; it is further configured to determine the risk value R of the acquired data by the following formula:
where i ranges from 1 to n, and n is the total number of layers in the safety behaviour hierarchical model;
Po_i(f, c) ∈ [0,1], Po_i(f, c) denotes the certainty index of abnormal behaviour at layer i and is determined by the frequency f and the behaviour matching degree c;
In_i(q, c) ∈ [0,1], In_i(q, c) denotes the intrusion index of abnormal behaviour at layer i and is determined by the quantity q and the behaviour matching degree c;
if layer i can be associated with other layers through a relation factor, k = 1, otherwise k = 0;
the acquired data whose risk value R is greater than a set threshold are determined to be abnormal data;
the recording unit is configured to record the abnormal data;
the second judging unit is configured to judge whether some type of abnormal data recorded by the recording unit exceeds a set threshold, and to trigger the output unit when the set threshold is exceeded;
the output unit is configured to output warning information for the abnormal data exceeding the set threshold.
4. The device according to claim 3, characterised in that the establishing unit is further configured to send test attack messages to a test port and to record at least the changes of the related data at the network layer, data layer, system layer and service layer.
CN201410854233.8A 2014-12-31 2014-12-31 Anomaly detection method and device Active CN105812200B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410854233.8A CN105812200B (en) 2014-12-31 2014-12-31 Anomaly detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410854233.8A CN105812200B (en) 2014-12-31 2014-12-31 Anomaly detection method and device

Publications (2)

Publication Number Publication Date
CN105812200A CN105812200A (en) 2016-07-27
CN105812200B true CN105812200B (en) 2019-09-13

Family

ID=56464958

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410854233.8A Active CN105812200B (en) 2014-12-31 2014-12-31 Anomaly detection method and device

Country Status (1)

Country Link
CN (1) CN105812200B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106411659A (en) * 2016-11-29 2017-02-15 福建中金在线信息科技有限公司 Business data monitoring method and apparatus
CN106774248B (en) * 2016-12-08 2019-10-22 北京立思辰新技术有限公司 A kind of behavior pattern safety protecting method based on slave computer
CN108268886B (en) * 2017-01-04 2020-10-30 中国移动通信集团四川有限公司 Method and system for identifying plug-in operation
CN108306846B (en) * 2017-01-13 2020-11-24 中国移动通信集团公司 Network access abnormity detection method and system
CN106789352A (en) * 2017-01-25 2017-05-31 北京兰云科技有限公司 A kind of exception flow of network detection method and device
CN107395461A (en) * 2017-08-29 2017-11-24 深信服科技股份有限公司 A kind of safe condition method for expressing and system based on access relation
CN109815725B (en) * 2017-11-20 2020-12-25 北京金融资产交易所有限公司 System and method for realizing data safety processing
CN108255667B (en) * 2017-12-27 2021-07-06 创新先进技术有限公司 Service monitoring method and device and electronic equipment
CN115426653A (en) * 2018-11-02 2022-12-02 华为技术有限公司 Method and device for determining category information
CN109547295A (en) * 2018-12-27 2019-03-29 湖南宸睿通信科技有限公司 A kind of online reparation platform and its restorative procedure of communication network
CN111092900B (en) * 2019-12-24 2022-04-05 北京北信源软件股份有限公司 Method and device for monitoring abnormal connection and scanning behavior of server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101370008A (en) * 2007-08-13 2009-02-18 杭州安恒信息技术有限公司 System for real-time intrusion detection of SQL injection WEB attacks
CN102355375A (en) * 2011-06-28 2012-02-15 电子科技大学 Distributed abnormal flow detection method with privacy protection function and system
CN102915027A (en) * 2012-11-16 2013-02-06 武汉钢铁(集团)公司 Blast furnace smelting expert system built based on pattern recognition technology and method thereof

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006090354A1 (en) * 2005-02-27 2006-08-31 Insight Solutions Ltd. Detection of misuse of a database
CN1949720A (en) * 2006-09-08 2007-04-18 中山大学 Distributed network invasion detecting system
US8280905B2 (en) * 2007-12-21 2012-10-02 Georgetown University Automated forensic document signatures
CN101572691B (en) * 2008-04-30 2013-10-02 华为技术有限公司 Method, system and device for intrusion detection
CN101826994B (en) * 2010-02-04 2012-07-04 蓝盾信息安全技术股份有限公司 Method and device for acquiring information invading source host
CN102625312A (en) * 2012-04-25 2012-08-01 重庆邮电大学 Sensor network safety system based on delaminated intrusion detection


Also Published As

Publication number Publication date
CN105812200A (en) 2016-07-27

Similar Documents

Publication Publication Date Title
CN105812200B (en) Anomaly detection method and device
US11606373B2 (en) Cyber threat defense system protecting email networks with machine learning models
CN112651006B (en) Power grid security situation sensing system
US20210273961A1 (en) Apparatus and method for a cyber-threat defense system
CN103026345B (en) For the dynamic multidimensional pattern of event monitoring priority
CN109660526A (en) A kind of big data analysis method applied to information security field
KR101883400B1 (en) detecting methods and systems of security vulnerability using agentless
US9455999B2 (en) Method and system for protective distribution system (PDS) and infrastructure protection and management
CN106131023A (en) A kind of Information Security Risk strength identifies system
CN107835982A (en) Method and apparatus for management security in a computer network
Bryant et al. Improving SIEM alert metadata aggregation with a novel kill-chain based classification model
CN108989296A (en) A kind of Internet of things system safety comprehensive assessment system and method
Beigh et al. Intrusion Detection and Prevention System: Classification and Quick
KR20100118422A (en) System and method for tracing signature security information
EP2747365A1 (en) Network security management
CN110460611A (en) Full flow attack detecting technology based on machine learning
CN112688971B (en) Function-damaged network security threat identification device and information system
Ali et al. Detection and prevention cyber-attacks for smart buildings via private cloud environment
CN114338171A (en) Black product attack detection method and device
Zhao et al. Research of intrusion detection system based on neural networks
US10135853B2 (en) Multi-tier aggregation for complex event correlation in streams
Bezas et al. Comparative analysis of open source security information & event management systems (SIEMs)
CN110378120A (en) Application programming interfaces attack detection method, device and readable storage medium storing program for executing
CN115396218A (en) Enterprise API (application program interface) safety control method and system based on flow analysis
KR101137694B1 (en) Total security management system for ddos detection-analysis and ddos detection-display method using total security management system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant