CN105978897A - Detection method of electricity secondary system botnet - Google Patents
Detection method of electricity secondary system botnet
- Publication number: CN105978897A
- Application number: CN201610488613.3A
- Authority: CN (China)
- Prior art keywords: stream, sequence, module, flow, botnet
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H: ELECTRICITY
  - H04: ELECTRIC COMMUNICATION TECHNIQUE
    - H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00: Network architectures or network communication protocols for network security
        - H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416: Event detection, e.g. attack signature detection
          - H04L63/1441: Countermeasures against malicious traffic
            - H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    - Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
      - Y02D30/00: Reducing energy consumption in communication networks
        - Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention discloses a detection method for a botnet in an electric power secondary system. A packet capturing module captures packets and serializes the messages; a protocol identification module parses the message protocol and matches it against a preset whitelist; a flow grouping module groups messages into flows by 5-tuple and generates flow records; a flow sequence assembly module serializes the flow records into flow sequences according to a rule; a flow sequence feature extraction module extracts the flow sequence features and generates a bot feature library; a feature matching module judges whether the features of a flow sequence under test match one of the botnets in the bot feature library. The method reduces the consumption of computing resources and has good adaptability and detection accuracy.
Description
Technical field
The invention belongs to the technical fields of electric power system automation communication and network security, and relates in particular to electric power system network analyzers and botnet detection technology.
Background technology
A botnet is an attack network in which malicious programs are implanted into many devices by various means so that the bot controller can conveniently and centrally control those devices and issue instructions to them to carry out malicious activity. With the rapid development of power systems and Internet technology, the scale and complexity of electric power secondary systems keep growing; the spread of intelligent devices and Ethernet communication enriches functionality, but also creates favourable conditions for the deployment and propagation of botnets.
Botnet detection methods fall broadly into two kinds. The first analyses suspicious binary executables: suspicious binaries are usually captured with honeypots, attack records and activity lists are analysed, and the botnet is located and dismantled. The analysis cycle of this method is long, it consumes many resources and it responds poorly in real time. The second analyses network traffic: deep packet inspection examines the field features of network messages, or the behavioural and correlation features of the traffic are analysed, so as to find the differences between botnet traffic and normal traffic and thereby locate the botnet. Because of the complexity of network traffic, the accuracy of this method is relatively low.
Existing botnet detection methods for wide area networks are not targeted at botnets in electric power secondary networks. The network protocols used in an electric power secondary system are relatively fixed. Taking the station-level network as an example, they are usually IEC 60870-5-103, IEC 61850 and DNP, with the network forms of IEC 60870-5-101 and IEC 60870-5-104 in a few cases. All other protocol messages can be regarded as unconventional protocols that may be produced by a bot program, so a botnet can be detected by protocol recognition. But when a bot program uses protocols such as 103 and 61850 to propagate and operate, protocol recognition fails, and a traffic behaviour analysis method with wider applicability is needed to supplement detection; traffic behaviour analysis, however, involves a large amount of computation and consumes considerable CPU and memory resources.
Hence a botnet detection means is needed that, for the characteristics of the electric power secondary system, combines protocol recognition with traffic behaviour analysis and has good adaptability and detection accuracy while substantially reducing the consumption of computing resources. This application arises from that need.
Summary of the invention
The purpose of the present invention is to provide a detection method for a botnet in an electric power secondary system that reduces the consumption of computing resources and has good adaptability and detection accuracy.
To achieve this purpose, the solution of the present invention is:
A detection method of an electric power secondary system botnet, comprising the steps:
Step 1: the packet capturing module serializes the messages produced by bot malicious code and outputs them to the flow grouping module;
Step 2: the flow grouping module groups the incoming messages into flows by protocol, source port, destination port, source IP and destination IP, obtaining a set of flow records; each flow record contains at least the flow start time, flow end time, total number of messages and total number of bytes of that flow; the set of flow records is output to the flow sequence assembly module;
Step 3: the flow sequence assembly module assembles each flow record of the set into flow sequences and outputs them to the flow sequence feature extraction module;
Step 4: the flow sequence feature extraction module extracts the mean flow interval, mean flow duration and mean flow byte count of each flow sequence;
Step 5: the flow sequence feature extraction module serializes each flow sequence into a 0/1 sequence, computes the most significant frequency of the 0/1 sequence with the cyclic autocorrelation method, and computes the most significant frequency of the power spectral density function of the 0/1 sequence;
Step 6: the flow sequence feature extraction module uses the X-means clustering algorithm to cluster each of the five flow sequence features separately (mean flow interval, mean flow duration, mean flow byte count, most significant frequency of the 0/1 sequence, and most significant frequency of the power spectral density function), and computes the mean, standard deviation and clustering quality of each class;
Step 7: Steps 1 to 6 are performed in a loop, and the flow sequence feature extraction module outputs the "traffic fingerprint" of each bot malicious code, consisting of the class means, class standard deviations and clustering qualities of the five flow sequence features, together with a feature match count threshold and a feature similarity score threshold; the feature match count threshold and the feature similarity score threshold are adjusted automatically with a preset step so that the total false alarm rate and missed detection rate reach the minimum within the adjustment range;
Step 8: the packet capturing module receives the messages to be analysed as input, serializes them and outputs them to the protocol identification module;
Step 9: the protocol identification module outputs the messages to be analysed to the flow grouping module for flow grouping; after processing according to Steps 2 to 5, the generated flow sequence features to be analysed are input to the feature matching module;
Step 10: the feature matching module compares the flow sequence features to be analysed with the "traffic fingerprint" library; if the feature match count exceeds the feature match count threshold and the feature similarity score exceeds the feature similarity score threshold, the flow sequence to be analysed is treated as a flow sequence of that botnet; if several fingerprints are satisfied, the flow sequence is treated as belonging to the botnet with the largest feature similarity score, and it is recorded and an alarm is raised.
The detailed content of Step 1 is: collect known bot malicious code samples and deploy them one by one in an experimental environment that simulates the network structure of an electric power secondary system; when extracting features, deploy one sample at a time, let it run and propagate freely, and after a sufficiently long time record all messages in the network, serialize them and output them to the flow grouping module.
In Step 3, the method of assembling flow records into flow sequences is: flow records are assembled by protocol, source IP, destination IP and destination port; flow records with the same protocol, source IP, destination IP and destination port are arranged in time order into one flow sequence.
In Step 5, the 0/1 serialization of a flow sequence is: split the flow sequence at a small time interval t; if the total duration of the flow sequence is T, then T = N t with N a positive integer; within each interval t, if a flow starts the value is set to 1, otherwise to 0, which yields a 0/1 sequence of length N.
In Step 9, before flow sequence feature detection, the protocol identification module first performs protocol whitelist detection: it parses the protocol of the incoming message according to the protocol structure and compares it with the predefined whitelist; if the protocol does not belong to the whitelist, the message is treated as abnormal, recorded and an alarm is raised; if it belongs to the whitelist, the message is output to the flow grouping module for flow grouping.
After adopting the above scheme, the beneficial effects of the invention are:
(1) It is targeted at the characteristics of the electric power secondary network. The network protocols used in an electric power secondary system are relatively fixed; taking the station-level network as an example, they are usually IEC 60870-5-103, IEC 61850 and DNP, with the network forms of IEC 60870-5-101 and IEC 60870-5-104 in a few cases. All other protocol messages can be regarded as unconventional protocols that may be produced by a bot program, so preconfiguring a protocol whitelist in the detection program and applying protocol recognition detects botnets effectively.
(2) When a bot program uses protocols such as 103 and 61850 to propagate and operate, protocol recognition fails. Traffic behaviour analysis has wider applicability, but involves a large amount of computation and consumes considerable CPU and memory resources. For the characteristics of the electric power secondary system, the invention combines protocol recognition with behaviour analysis based on flow sequence features, and has good adaptability and detection accuracy while substantially reducing the consumption of computing resources.
(3) When describing the periodicity of a flow sequence, the invention combines the most significant frequency of the cyclic autocorrelation with the most significant frequency of the energy spectral density; compared with other methods such as power spectral density alone, this has the advantages of a small amount of computation and low resource consumption.
(4) The detection program of the invention is integrated into the network analyzer, an existing device of the electric power secondary system, so no new equipment has to be added and the existing network architecture need not be changed, which helps implementation.
Brief description of the drawings
Fig. 1 is the overall architecture diagram of the modules of the invention;
Fig. 2 is a schematic diagram of the process of establishing the bot flow sequence feature fingerprint in the invention;
Fig. 3 is a schematic diagram of the detection process of the invention on station-level message mirroring.
Detailed description of the invention
The technical scheme of the invention is described in detail below with reference to the drawings.
The invention provides a detection method of an electric power secondary system botnet. Fig. 1 shows the overall architecture of the modules of the invention, which consists of six modules: the packet capturing module, the protocol identification module, the flow grouping module, the flow sequence assembly module, the flow sequence feature extraction module and the feature matching module. The packet capturing module captures packets and serializes the messages; the protocol identification module parses the message protocol and matches it against the preset whitelist; the flow grouping module groups messages into flows by 5-tuple and generates flow records; the flow sequence assembly module serializes the flow records into flow sequences according to a rule; the flow sequence feature extraction module extracts the flow sequence features and generates the bot feature library; the feature matching module judges whether the features of a flow sequence under test match one of the botnets in the bot feature library.
Fig. 2 shows how the bot flow sequence feature fingerprint of the invention is established. The "traffic fingerprint" of each bot malicious code consists of the class means, class standard deviations and clustering qualities of five flow sequence features (mean flow interval, mean flow duration, mean flow byte count, most significant frequency f1 of the cyclic autocorrelation, and most significant frequency f2 of the energy spectral density), together with the feature match count threshold σ1max and the feature similarity score threshold σ2max. The feature match count threshold is the minimum number of the five features (mean flow interval, mean flow duration, mean flow byte count, most significant cyclic autocorrelation frequency, most significant energy spectral density frequency) of the flow sequence under test that must match the known bot flow sequence features. The feature similarity score threshold is the minimum of the cumulative sum of the matching values of all features, where the degree to which each feature of the flow sequence under test matches the known bot flow sequence feature is described by a numeric value. Only when both the feature match count threshold and the feature similarity score threshold are reached or exceeded is the flow sequence under test regarded as a flow sequence produced by the corresponding botnet.
Fig. 3 shows the detection process of the invention on station-level message mirroring, which combines protocol recognition with behaviour analysis based on flow sequence features and has good adaptability and detection accuracy while substantially reducing the consumption of computing resources.
The steps of the invention are as follows:
Step 1: the packet capturing module serializes the messages produced by bot malicious code. Specifically, known bot malicious code samples are collected, such as BlackEnergy, SDbot and Zbot, without being limited to these, and deployed one by one in an experimental environment that simulates the network structure of an electric power secondary system; the environment can be realized with several virtual machines or with real equipment. When extracting features, one sample is deployed at a time and allowed to run and propagate freely; after a sufficiently long time all messages in the network are recorded and serialized. This set is denoted G and is output to the flow grouping module;
Step 2: the flow grouping module groups the messages in G into flows by protocol, source port, destination port, source IP and destination IP, obtaining the set of flow records G1; each flow record should contain at least the flow start time, flow end time, total number of messages and total number of bytes of that flow; the set of flow records is output to the flow sequence assembly module. Here a flow is a unidirectional transfer of messages between a source address and a destination address within a period of time; all of its messages have the same transport layer source and destination port numbers, protocol number, and source and destination addresses, i.e. the same 5-tuple. A flow describes one specific communication activity between two end systems;
Step 3: the flow sequence assembly module assembles each flow record in G1 into flow sequences by protocol, source IP, destination IP and destination port: flow records with the same protocol, source IP, destination IP and destination port are arranged in time order into one flow sequence. The set of flow sequences is denoted G2, and all flow sequences are output to the flow sequence feature extraction module. Here a flow sequence is the sequence of flows produced by the communication between one specific source address and one specific destination address and destination port within a period of time; it describes the overall characteristics of repeated communication of the same kind between two end systems in that period. For example, if end system A requests port 80 of end system B repeatedly within a period of time, A and B produce several flows, and the sequence formed by ordering these flows by flow start time is one flow sequence;
Step 4: for each flow sequence in G2, the flow sequence feature extraction module extracts its mean flow interval, mean flow duration and mean flow byte count;
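Steps 2 to 4 (flow grouping by 5-tuple, flow sequence assembly by protocol, source IP, destination IP and destination port, and the three volume features) as a runnable illustration. This is an added example, not code from the patent: the packet list is constructed, and the idle timeout that closes a flow and the 0.0 reported as the interval of a single-flow sequence are assumptions the text does not specify.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed sample packets, not captured traffic:
# (timestamp_s, proto, src_ip, src_port, dst_ip, dst_port, length_bytes)
PACKETS = [
    # a beacon-like client: a short connection to 10.0.0.9:2404 every 10 s
    (0.0,  "tcp", "10.0.0.5", 40001, "10.0.0.9", 2404, 60),
    (0.2,  "tcp", "10.0.0.5", 40001, "10.0.0.9", 2404, 120),
    (10.0, "tcp", "10.0.0.5", 40002, "10.0.0.9", 2404, 60),
    (10.3, "tcp", "10.0.0.5", 40002, "10.0.0.9", 2404, 120),
    (20.0, "tcp", "10.0.0.5", 40003, "10.0.0.9", 2404, 60),
    (20.2, "tcp", "10.0.0.5", 40003, "10.0.0.9", 2404, 120),
    (30.0, "tcp", "10.0.0.5", 40004, "10.0.0.9", 2404, 60),
    (30.4, "tcp", "10.0.0.5", 40004, "10.0.0.9", 2404, 120),
    # an unrelated single connection from another host
    (5.0,  "tcp", "10.0.0.7", 50000, "10.0.0.9", 102, 80),
    (5.5,  "tcp", "10.0.0.7", 50000, "10.0.0.9", 102, 400),
]

FLOW_IDLE_TIMEOUT = 60.0  # seconds; assumption: a longer silence on a 5-tuple starts a new flow


@dataclass
class FlowRecord:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start: float
    end: float
    packet_count: int
    byte_count: int


def group_flows(packets, idle_timeout=FLOW_IDLE_TIMEOUT):
    """Step 2: group messages by 5-tuple into flow records (start, end, packets, bytes)."""
    open_flows = {}
    finished = []
    for ts, proto, sip, sport, dip, dport, length in sorted(packets, key=lambda p: p[0]):
        key = (proto, sip, sport, dip, dport)
        flow = open_flows.get(key)
        if flow is not None and ts - flow.end > idle_timeout:
            finished.append(flow)  # the old flow is closed, a new one begins on the same key
            flow = None
        if flow is None:
            flow = FlowRecord(proto, sip, sport, dip, dport, ts, ts, 0, 0)
            open_flows[key] = flow
        flow.end = ts
        flow.packet_count += 1
        flow.byte_count += length
    finished.extend(open_flows.values())
    return sorted(finished, key=lambda f: f.start)


def assemble_sequences(flows):
    """Step 3: a flow sequence is all flows sharing (proto, src IP, dst IP, dst port),
    ordered by start time; the source port is deliberately not part of the key."""
    sequences = defaultdict(list)
    for f in flows:
        sequences[(f.proto, f.src_ip, f.dst_ip, f.dst_port)].append(f)
    return {k: sorted(v, key=lambda f: f.start) for k, v in sequences.items()}


def sequence_features(sequence):
    """Step 4: mean interval between consecutive flow starts, mean duration, mean bytes.
    Assumption: a single-flow sequence has no interval, so 0.0 is reported for it."""
    starts = [f.start for f in sequence]
    intervals = [later - earlier for earlier, later in zip(starts, starts[1:])]
    return {
        "mean_interval": mean(intervals) if intervals else 0.0,
        "mean_duration": mean(f.end - f.start for f in sequence),
        "mean_bytes": mean(f.byte_count for f in sequence),
    }


if __name__ == "__main__":
    for key, seq in assemble_sequences(group_flows(PACKETS)).items():
        print(key, len(seq), "flows", sequence_features(seq))
```

The beacon's four connections each use a fresh source port, so they are four distinct flows but one flow sequence; that is exactly why the sequence key drops the source port.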
Step 5: the flow sequence feature extraction module serializes each flow sequence in G2 into a 0/1 sequence, computes the most significant frequency of the 0/1 sequence with the cyclic autocorrelation method, computes the most significant frequency of the power spectral density function of the 0/1 sequence, and uses the latter to describe the periodicity of the 0/1 sequence. Here 0/1 serialization means splitting a flow sequence at a small time interval t: if the total duration of the flow sequence is T, with t taken as 1/4 of the mean flow interval and T = N t for a positive integer N, then within each interval t the value is 1 if a flow starts and 0 otherwise, which yields a 0/1 sequence of length N.
Let S be the set of 0/1 sequences. For each sequence in S, the most significant frequency f1 is computed with the cyclic autocorrelation method as follows:
The number of elements of the 0/1 sequence f is normalized to an integer power of 2 by taking the first P elements of f as a subsequence, satisfying
P = 2^n, P ≤ M, 2^(n+1) > M, n ∈ ℕ,
where P is the number of elements of f after normalization, M is the original number of elements of f, and ℕ is the set of natural numbers.
The discrete autocorrelation function of the 0/1 sequence f:
The discrete cyclic autocorrelation function of the 0/1 sequence f:
The most significant frequency of the cyclic autocorrelation is computed as:
For each sequence in S the power spectral density function Φ is computed, and from Φ the most significant frequency f2 of the energy spectral density function of the sequence is obtained, as follows:
The discrete Fourier transform of the 0/1 sequence f:
The power spectral density function of the 0/1 sequence f:
The number of elements of the 0/1 sequence f is normalized to an integer power of 2 by taking the first P elements of f as a subsequence, satisfying
P = 2^n, P ≤ M, 2^(n+1) > M, n ∈ ℕ,
where P is the number of elements of f after normalization, M is the original number of elements of f, and ℕ is the set of natural numbers.
After obtaining the power spectral density function Φ(k), the k (k ≠ 0) that maximizes Φ is chosen, and the frequency f2 is computed from it:
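The 0/1 serialization and the two periodicity features of Step 5, as an added example that is not the patent's code. The page's own formulas are not reproduced here, so the textbook definitions are used: discrete autocorrelation r(k) = Σ f[i] f[i+k], cyclic autocorrelation R(k) = Σ f[i] f[(i+k) mod P], and Φ(k) = |F(k)|²/P with F the DFT. Treating the lag or bin with the largest value as the "most significant" one, breaking ties toward the fundamental, and taking N = ceil(T/t) are assumptions; the beacon-like flow sequence is constructed.

```python
import cmath
import math

# Constructed flow sequence (start, end) in seconds, not captured traffic:
# eight short flows, one every 10 s, like a fixed-interval beacon
BEACON_FLOWS = [(10.0 * i, 10.0 * i + 0.3) for i in range(8)]


def serialize_01(flows, t=None):
    """Step 5: cut the sequence duration into bins of width t and mark the bins in which
    a flow starts. flows is a list of (start, end) ordered by start. t defaults to 1/4 of
    the mean flow interval, as the text prescribes; T = N t with N = ceil(T / t)."""
    starts = [s for s, _ in flows]
    if t is None:
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        t = sum(intervals) / len(intervals) / 4.0
    total = max(e for _, e in flows) - starts[0]
    n = max(1, math.ceil(total / t))
    bits = [0] * n
    for s in starts:
        bits[min(int((s - starts[0]) / t), n - 1)] = 1
    return bits, t


def normalize_pow2(f):
    """Keep the first P elements, P = 2**n with P <= M < 2**(n+1) (M = len(f))."""
    p = 1 << (len(f).bit_length() - 1)
    return f[:p]


def autocorrelation(f):
    """Discrete (linear) autocorrelation r(k) = sum_i f[i] f[i+k]."""
    p = len(f)
    return [sum(f[i] * f[i + k] for i in range(p - k)) for k in range(p)]


def cyclic_autocorrelation(f):
    """Discrete cyclic autocorrelation R(k) = sum_i f[i] f[(i+k) mod P]."""
    p = len(f)
    return [sum(f[i] * f[(i + k) % p] for i in range(p)) for k in range(p)]


def power_spectral_density(f):
    """Phi(k) = |F(k)|^2 / P with F the DFT of f (naive O(P^2), fine for P <= 1024)."""
    p = len(f)
    dft = [sum(f[i] * cmath.exp(-2j * math.pi * i * k / p) for i in range(p)) for k in range(p)]
    return [abs(x) ** 2 / p for x in dft]


def _first_peak(values, limit):
    """Index in 1..limit with the largest value; ties go to the smallest index so the
    fundamental period wins over its harmonics (values rounded to absorb FP noise)."""
    best_k, best_v = 1, None
    for k in range(1, limit + 1):
        v = round(values[k], 6)
        if best_v is None or v > best_v:
            best_k, best_v = k, v
    return best_k


def peak_frequency_autocorr(f, t):
    """f1: lag k* (1 <= k <= P/2) maximising the cyclic autocorrelation, as 1 / (k* t) Hz."""
    k = _first_peak(cyclic_autocorrelation(f), len(f) // 2)
    return 1.0 / (k * t)


def peak_frequency_psd(f, t):
    """f2: DFT bin k* != 0 (1 <= k <= P/2) maximising Phi, as k* / (P t) Hz."""
    k = _first_peak(power_spectral_density(f), len(f) // 2)
    return k / (len(f) * t)


if __name__ == "__main__":
    bits, t = serialize_01(BEACON_FLOWS)
    f = normalize_pow2(bits)
    print("t =", t, "M =", len(bits), "P =", len(f))
    print("f1 =", peak_frequency_autocorr(f, t), "Hz; f2 =", peak_frequency_psd(f, t), "Hz")
```

For the constructed beacon, t = 2.5 s, M = 29, P = 16, and both f1 and f2 come out as 0.1 Hz, the 10 s beacon period. A bot that jitters its interval will smear the autocorrelation peak and spread the spectrum, which is why the text keeps the three volume features alongside the two frequency features.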
Step 6: the above steps yield 5 flow sequence features in total: mean flow interval, mean flow duration, mean flow byte count, most significant frequency f1 of the 0/1 sequence, and most significant frequency f2 of the power spectral density function. The X-means clustering algorithm is used to cluster each feature separately, so that each feature yields several clusters. Normal traffic is gathered in an actual station-level environment and mixed with the botnet traffic from Step 1, and Steps 2 to 5 are repeated on the mixed traffic. For the feature vector T[i] of each flow sequence, each feature is compared with each cluster of that feature: if T[i] lies in [c - 2sd, c + 2sd], where c is the mean of the cluster and sd its standard deviation, the feature match count σ1 increases by 1 and the feature similarity score σ2 increases by Qc · QTi, where Qc is the clustering quality of the hit cluster and QTi is the quality of flow sequence T on attribute i, i.e. the flow sequence feature quality, QTi = exp(-β · sd / c), with β = 2.5 as a regulation parameter. The quality of f1 of a flow sequence is replaced by the cyclic autocorrelation peak ratio, and the quality of f2 by the quality of the mean flow interval. If σ1 reaches the feature match count threshold σ1max and σ2 reaches the feature similarity score threshold σ2max, the flow sequence is considered to belong to the corresponding bot flow sequence. The values of σ1max and σ2max are adjusted automatically: σ1max is tested from 0 to 5 in steps of 1 and σ2max from 0 to 5 in steps of 0.1, so that the false alarm rate and the missed detection rate both reach their minimum;
Step 7: Steps 1 to 6 are repeated to obtain the "traffic fingerprint" of each bot malicious code, consisting of the means, standard deviations and clustering qualities of each cluster of the mean flow interval, mean flow duration, mean flow byte count, frequency f1 and frequency f2, together with σ1max and σ2max; the feature match count threshold and the feature similarity score threshold are adjusted automatically with a preset step so that the total false alarm rate and missed detection rate reach the minimum within the adjustment range. Here the feature match count threshold is the minimum number of the five features (mean flow interval, mean flow duration, mean flow byte count, most significant frequency of the 0/1 sequence, most significant frequency of the power spectral density function) of the flow sequence under test that must match the known bot flow sequence features; the feature similarity score threshold is the minimum of the cumulative sum of the matching values of all features, where the degree to which each feature of the flow sequence under test matches the known bot flow sequence feature is described by a numeric value. Only when both the feature match count threshold and the feature similarity score threshold are reached or exceeded is the flow sequence under test regarded as a flow sequence produced by the corresponding botnet;
Step 8: Steps 1 to 7 are the extraction process of the botnet "traffic fingerprint". The fingerprint library and the detection program are deployed in the network analyzer inside the station; the network analyzer has to be connected to a mirror port of the core switch in order to collect the mirrored messages of the whole station. The packet capturing module receives the messages to be analysed as input, serializes them and outputs them to the protocol identification module;
Step 9: configure the protocol whitelist: the protocols that may appear in the existing station-level network, such as IEC 60870-5-103, IEC 61850 and DNP, are configured into the detection program. The protocol identification module parses the protocol of the incoming message according to the protocol structure and compares it with the predefined whitelist; if it does not belong to the whitelist, the message is treated as abnormal, recorded and an alarm is raised; if it belongs to the whitelist, the message is output to the flow grouping module for flow grouping, and after processing according to Steps 2 to 5 the generated flow sequence features to be analysed are input to the feature matching module;
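A minimal protocol identification step of the kind Step 9 describes, as an added example that is not the patent's code. It recognises IEC 61850 GOOSE and Sampled Values by their Ethertypes, IEC 60870-5-104 by its APCI start byte and length field, DNP3 by its data link start bytes and MMS by the TPKT header, rather than trusting the destination port alone, so a bot speaking HTTP on TCP 2404 is still flagged. The frames, the whitelist contents and the shallow depth of the header checks are assumptions; a production recogniser would parse the full protocol structure.

```python
ETHERTYPE_IPV4, ETHERTYPE_GOOSE, ETHERTYPE_SV = 0x0800, 0x88B8, 0x88BA
IPPROTO_TCP = 6

# Protocols expected on this station-level network (assumption: the operator's whitelist)
WHITELIST = {"IEC61850-GOOSE", "IEC61850-SV", "IEC61850-MMS", "IEC60870-5-104", "DNP3"}

# Constructed frames, not captured traffic: (ethertype, ip_proto, dst_port, payload)
FRAMES = {
    # IEC 60870-5-104 U-format TESTFR act: APCI start 0x68, APDU length 4, control 0x43
    "iec104_testfr": (ETHERTYPE_IPV4, IPPROTO_TCP, 2404, bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])),
    # DNP3 data link header: start bytes 0x05 0x64, length, control, dst, src (CRC omitted)
    "dnp3": (ETHERTYPE_IPV4, IPPROTO_TCP, 20000, bytes([0x05, 0x64, 0x05, 0xC0, 0x01, 0x00, 0x00, 0x04])),
    # IEC 61850 GOOSE is identified by its Ethertype; the payload is not parsed here
    "goose": (ETHERTYPE_GOOSE, None, None, b"\x00\x01\x00\x20"),
    # MMS rides on TPKT (version 3, reserved 0) over TCP 102
    "mms": (ETHERTYPE_IPV4, IPPROTO_TCP, 102, bytes([0x03, 0x00, 0x00, 0x16, 0x11, 0xE0])),
    # bot traffic hiding on the 104 port but not shaped like an APCI
    "http_on_2404": (ETHERTYPE_IPV4, IPPROTO_TCP, 2404, b"GET /gate.php HTTP/1.1\r\n"),
    # plain C2 on a port that no whitelisted protocol uses
    "c2_8080": (ETHERTYPE_IPV4, IPPROTO_TCP, 8080, b"\x17\x03\x03\x00\x20"),
}


def identify_protocol(ethertype, ip_proto, dst_port, payload):
    """Recognise the protocol from frame structure rather than from the port alone.
    Assumption: these header checks are a minimal recogniser, not a full parser."""
    if ethertype == ETHERTYPE_GOOSE:
        return "IEC61850-GOOSE"
    if ethertype == ETHERTYPE_SV:
        return "IEC61850-SV"
    if ethertype != ETHERTYPE_IPV4 or ip_proto != IPPROTO_TCP:
        return "unknown"
    # IEC 60870-5-104 APCI: start byte 0x68 then the APDU length (one APDU per segment assumed)
    if dst_port == 2404 and len(payload) >= 6 and payload[0] == 0x68 and payload[1] == len(payload) - 2:
        return "IEC60870-5-104"
    # DNP3 data link layer frames start with 0x05 0x64
    if dst_port == 20000 and payload[:2] == b"\x05\x64":
        return "DNP3"
    # MMS over ISO transport: TPKT header version 3, reserved byte 0
    if dst_port == 102 and len(payload) >= 4 and payload[0] == 0x03 and payload[1] == 0x00:
        return "IEC61850-MMS"
    return "unknown"


def whitelist_check(frame, whitelist=WHITELIST):
    """Step 9: returns (protocol, allowed); a frame not on the whitelist is an alarm."""
    proto = identify_protocol(*frame)
    return proto, proto in whitelist


def alarms(frames, whitelist=WHITELIST):
    """Names of the frames the protocol identification module would alarm on."""
    return [name for name, frame in frames.items() if not whitelist_check(frame, whitelist)[1]]


if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(name, whitelist_check(frame))
    print("alarms:", alarms(FRAMES))
```

Only the frames that fail structural recognition reach the alarm path; whitelisted protocol traffic continues to flow grouping, which is where a bot that really does speak 104 or 61850 must be caught by the flow sequence features.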
Step 10: for each flow sequence to be analysed, the feature matching module compares its flow sequence features with the "traffic fingerprint" library and computes the feature match count σ1 and the feature similarity score σ2 against every fingerprint in the library; if σ1 reaches the fingerprint's σ1max and σ2 reaches the fingerprint's σ2max, the flow sequence to be analysed is considered to belong to that botnet and is processed as a flow sequence of that botnet; if several fingerprints are satisfied, the flow sequence is processed as belonging to the botnet with the largest σ2, and it is recorded and an alarm is raised.
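The scoring of Step 6, the threshold search of Step 7 and the fingerprint comparison of Step 10 in one runnable example, added here and not taken from the patent. X-means clustering is not implemented: the fingerprint's clusters (c, sd, Qc), the feature vectors with their qualities, and the tie-break rule of the threshold sweep are constructed assumptions. The match rule (value within [c - 2sd, c + 2sd], σ1 += 1, σ2 += Qc · QTi with QTi = exp(-β sd/c), β = 2.5), the choice of the largest σ2 when several fingerprints match, and the sweep ranges (σ1max 0..5 step 1, σ2max 0..5 step 0.1) follow the text.

```python
import math
from itertools import product

BETA = 2.5  # the page's regulation parameter beta
FEATURES = ("mean_interval", "mean_duration", "mean_bytes", "f1", "f2")


def feature_quality(sd, c):
    """Q_Ti = exp(-beta * sd / c): how consistent one feature is (0 < Q <= 1)."""
    return math.exp(-BETA * sd / c) if c else 0.0


# Constructed "traffic fingerprint" for one bot (not from the patent): per feature a list
# of clusters (c, sd, Q_c) as X-means would produce, plus the two thresholds
FINGERPRINT = {
    "clusters": {
        "mean_interval": [(10.0, 0.5, 0.9)],
        "mean_duration": [(0.3, 0.05, 0.8)],
        "mean_bytes": [(180.0, 10.0, 0.9)],
        "f1": [(0.1, 0.005, 0.95)],
        "f2": [(0.1, 0.005, 0.95)],
    },
    "sigma1_max": 4,
    "sigma2_max": 3.0,
}

# Constructed feature vectors: feature -> (value, Q_Ti). Per the text, f1's quality is the
# cyclic autocorrelation peak ratio (a constructed 0.9 here) and f2 reuses the interval quality.
Q_INTERVAL = feature_quality(0.2, 10.0)
BOT_SEQ = {
    "mean_interval": (10.2, Q_INTERVAL),
    "mean_duration": (0.31, feature_quality(0.03, 0.3)),
    "mean_bytes": (178.0, feature_quality(0.0, 178.0)),
    "f1": (0.1, 0.9),
    "f2": (0.1, Q_INTERVAL),
}
NORMAL_SEQ = {n: (v, 0.5) for n, v in zip(FEATURES, (2.0, 1.5, 5000.0, 0.5, 0.5))}
NEAR_MISS_SEQ = {n: (v, 0.5) for n, v in zip(FEATURES, (10.5, 2.0, 5000.0, 0.02, 0.02))}
LABELED = [(BOT_SEQ, True), (NORMAL_SEQ, False), (NEAR_MISS_SEQ, False)]


def score(sequence, fingerprint):
    """Step 6 scoring: sigma1 counts features inside [c - 2sd, c + 2sd] of some cluster,
    sigma2 accumulates Q_c * Q_Ti for each such hit."""
    sigma1, sigma2 = 0, 0.0
    for name in FEATURES:
        value, q_t = sequence[name]
        for c, sd, q_c in fingerprint["clusters"][name]:
            if c - 2 * sd <= value <= c + 2 * sd:
                sigma1 += 1
                sigma2 += q_c * q_t
                break
    return sigma1, sigma2


def matches(sequence, fingerprint, sigma1_max=None, sigma2_max=None):
    """True when both thresholds are reached (the fingerprint's own unless overridden)."""
    s1, s2 = score(sequence, fingerprint)
    s1_max = fingerprint["sigma1_max"] if sigma1_max is None else sigma1_max
    s2_max = fingerprint["sigma2_max"] if sigma2_max is None else sigma2_max
    return s1 >= s1_max and s2 >= s2_max


def classify(sequence, fingerprints):
    """Step 10: among the fingerprints a sequence satisfies, pick the one with the largest sigma2."""
    best = None
    for name, fp in fingerprints.items():
        if matches(sequence, fp):
            s2 = score(sequence, fp)[1]
            if best is None or s2 > best[1]:
                best = (name, s2)
    return best


def tune_thresholds(labeled, fingerprint):
    """Step 7: sweep sigma1_max over 0..5 (step 1) and sigma2_max over 0..5 (step 0.1) and
    return (error, sigma1_max, sigma2_max) minimising false alarm rate + miss rate.
    Assumption: among equal-error settings the more conservative (larger) thresholds win."""
    positives = [s for s, is_bot in labeled if is_bot]
    negatives = [s for s, is_bot in labeled if not is_bot]
    best = None
    for s1_max, j in product(range(6), range(51)):
        s2_max = round(j * 0.1, 1)
        misses = sum(not matches(s, fingerprint, s1_max, s2_max) for s in positives)
        false_alarms = sum(matches(s, fingerprint, s1_max, s2_max) for s in negatives)
        err = misses / len(positives) + false_alarms / len(negatives)
        if best is None or err < best[0] - 1e-12 or (
            abs(err - best[0]) <= 1e-12 and (s1_max, s2_max) > (best[1], best[2])
        ):
            best = (err, s1_max, s2_max)
    return best


if __name__ == "__main__":
    print("bot:", score(BOT_SEQ, FINGERPRINT), "near miss:", score(NEAR_MISS_SEQ, FINGERPRINT))
    print("tuned (error, sigma1_max, sigma2_max):", tune_thresholds(LABELED, FINGERPRINT))
```

The near-miss sequence shows why two thresholds are used: its interval falls inside the bot cluster, so σ1 is 1, but σ2 stays far below the bot's score and it is not reported.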
In summary, the invention combines protocol recognition with behaviour analysis based on flow sequence features, and has good adaptability and detection accuracy while substantially reducing the consumption of computing resources. Aimed at the characteristics of the electric power secondary system, namely that its protocols are few and its flow sequence patterns are relatively fixed, it first detects abnormal protocol messages in the network and second checks whether the flow sequence features in the network match the flow sequence features previously produced by known bot programs, and judges from these whether a botnet exists in the electric power secondary network. The two means combined have good adaptability and detection accuracy while substantially reducing the consumption of computing resources, and provide a safeguard for the secure operation of the electric power secondary system.
The above embodiment only illustrates the technical idea of the invention and does not limit its scope of protection; any change made on the basis of the technical scheme according to the technical idea proposed by the invention falls within the scope of protection of the invention.
Claims (5)
1. A detection method for a botnet in an electric power secondary system, characterised in that it comprises the following steps:
Step 1: the packet-capture module time-orders the messages produced by bot malicious code and outputs them to the flow-grouping module;
Step 2: the flow-grouping module groups the incoming messages into flows by protocol, source port, destination port, source IP and destination IP, obtaining a set of flow records, each of which includes at least the flow start time, flow end time, total number of messages and total number of bytes of the flow; the set of flow records is output to the stream-sequence assembly module;
Step 3: the stream-sequence assembly module assembles the flow records in the set into stream sequences and outputs them to the stream-sequence feature extraction module;
Step 4: the stream-sequence feature extraction module extracts the mean flow time interval, mean flow duration and mean flow byte count of each stream sequence;
Step 5: the stream-sequence feature extraction module converts each stream sequence into a 01 sequence, computes the most significant frequency of the 01 sequence with a circular autocorrelation method, and computes the most significant frequency of the power spectral density function of the 01 sequence;
Step 6: the stream-sequence feature extraction module clusters each of the five stream-sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence and most significant frequency of the power spectral density function) separately with the X-means clustering algorithm, and computes the mean, standard deviation and clustering quality of each class;
Step 7: steps 1 to 6 are executed in a loop, and the stream-sequence feature extraction module outputs the flow fingerprint of each bot malicious code, comprising the class mean, class standard deviation and clustering quality of each of the five stream-sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence and most significant frequency of the power spectral density function) together with a feature match count threshold and a feature similarity score threshold; the feature match count threshold and the feature similarity score threshold are adjusted automatically with a preset step size so that the total false alarm rate and missed alarm rate reach their minimum within the adjustment range;
Step 8: the packet-capture module receives the messages to be analysed as input, time-orders them and outputs them to the protocol identification module;
Step 9: the protocol identification module outputs the messages to be analysed to the flow-grouping module for flow grouping; after processing according to steps 2 to 5, the generated stream-sequence features to be analysed are input to the feature-matching module;
Step 10: the feature-matching module compares the stream-sequence features to be analysed with the "flow fingerprint" library; if the feature match count exceeds the feature match count threshold and the feature similarity score exceeds the feature similarity score threshold, the stream sequence to be analysed is processed as a stream sequence of that botnet; if several fingerprints are satisfied, the stream sequence is processed as belonging to the botnet whose fingerprint has the largest feature similarity score, and the result is recorded and an alarm is raised.
2. The detection method for a botnet in an electric power secondary system according to claim 1, characterised in that the detailed content of step 1 is: known bot malicious code samples are collected and deployed one at a time in an experimental environment that simulates the network structure of the electric power secondary system; when extracting features, one sample is deployed at a time and allowed to run and propagate; after a sufficiently long time, all messages in the network are recorded, time-ordered and output to the flow-grouping module.
3. The detection method for a botnet in an electric power secondary system according to claim 1, characterised in that in step 3 the method of assembling flow records into stream sequences is: flow records are assembled into stream sequences according to protocol, source IP, destination IP and destination port, and flow records with identical protocol, source IP, destination IP and destination port are arranged in time order into one stream sequence.
4. The detection method for a botnet in an electric power secondary system according to claim 1, characterised in that in step 5 the process of converting a stream sequence into a 01 sequence is: a stream sequence is divided with a small time interval t; if the total duration of the stream sequence is T, with T = Nt and N a positive integer, then within each interval t the value is set to 1 if a flow starts in it and to 0 otherwise, giving a 01 sequence of length N.
5. The detection method for a botnet in an electric power secondary system according to claim 1, characterised in that in step 9, before stream-sequence feature detection, the protocol identification module first performs protocol white-list detection: it parses the protocol in the incoming message according to the protocol structure and compares it with a predefined white list; if the protocol does not belong to the white list, the message is processed as an abnormal message, recorded and an alarm is raised; if it belongs to the white list, the message to be analysed is output to the flow-grouping module for flow grouping.
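The 01 serialization of claim 4 and the two step 5 periodicity features worked through in code, added here as an example that is not part of the patent. The stream sequence is constructed (two flows every 2 s over T = 16 s, sliced with t = 0.5 s, so N = 32); removing the mean before the autocorrelation and the DFT, and searching only lags and bins 1 ≤ k ≤ N/2, are assumptions about details the page leaves open.

```python
import cmath
import math

def to_01_sequence(start_times, total_duration, t):
    """Claim 4: cut [0, T) into N = T/t slots of width t and set a slot to 1 if
    at least one flow of the stream sequence starts inside it, else 0."""
    n = int(round(total_duration / t))
    bits = [0] * n
    for s in start_times:
        idx = int(s // t)
        if 0 <= idx < n:
            bits[idx] = 1
    return bits

def circular_autocorrelation(bits):
    """Mean-removed circular autocorrelation r[k] = sum_i x[i] * x[(i+k) mod N]."""
    n = len(bits)
    mean = sum(bits) / n
    x = [b - mean for b in bits]
    return [sum(x[i] * x[(i + k) % n] for i in range(n)) for k in range(n)]

def power_spectral_density(bits):
    """Periodogram |X[k]|^2 / N of the mean-removed 01 sequence (plain DFT)."""
    n = len(bits)
    mean = sum(bits) / n
    x = [b - mean for b in bits]
    return [abs(sum(x[j] * cmath.exp(-2j * math.pi * k * j / n)
                    for j in range(n))) ** 2 / n for k in range(n)]

def periodic_features(start_times, total_duration, t):
    """Step 5 features: the most significant lag of the autocorrelation and the
    most significant PSD bin, both searched over 1 <= k <= N/2 (assumption)."""
    bits = to_01_sequence(start_times, total_duration, t)
    n = len(bits)
    lags = range(1, n // 2 + 1)
    acf = circular_autocorrelation(bits)
    psd = power_spectral_density(bits)
    best_lag = max(lags, key=lambda k: acf[k])      # first maximum wins
    best_bin = max(lags, key=lambda k: psd[k])
    return {"acf_period_s": best_lag * t,
            "acf_peak_hz": 1.0 / (best_lag * t),
            "psd_peak_hz": best_bin / (n * t)}

# Constructed stream sequence: two flows every 2 s (at 0.0 s and 0.5 s of each
# period) over T = 16 s, sliced with t = 0.5 s, so N = 32.
T, SLOT = 16.0, 0.5
STARTS = [2.0 * p + off for p in range(8) for off in (0.0, 0.5)]
SAMPLE_FEATURES = periodic_features(STARTS, T, SLOT)   # period 2.0 s, 0.5 Hz
```

For a beaconing pattern like this both estimators agree on 0.5 Hz; the autocorrelation peak is the more robust of the two when a few beacons are missing, which is why the patent keeps both as separate features.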
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610488613.3A CN105978897B (en) | 2016-06-28 | 2016-06-28 | A kind of detection method of electric power secondary system Botnet |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105978897A true CN105978897A (en) | 2016-09-28 |
CN105978897B CN105978897B (en) | 2019-05-07 |
Family
ID=57019380
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610488613.3A Expired - Fee Related CN105978897B (en) | 2016-06-28 | 2016-06-28 | A kind of detection method of electric power secondary system Botnet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105978897B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108566340A (en) * | 2018-02-05 | 2018-09-21 | 中国科学院信息工程研究所 | Network flow fining sorting technique based on dynamic time warping algorithm and device |
CN109617893A (en) * | 2018-12-27 | 2019-04-12 | 北京神州绿盟信息安全科技股份有限公司 | A kind of means of defence, device and the storage medium of Botnet ddos attack |
CN110287699A (en) * | 2019-06-12 | 2019-09-27 | 杭州迪普科技股份有限公司 | The feature extracting method and device of application program |
CN110381083A (en) * | 2019-08-07 | 2019-10-25 | 浙江双成电气有限公司 | A kind of smart grid communication abnormality detection method based on time series |
CN110912860A (en) * | 2018-09-18 | 2020-03-24 | 北京数安鑫云信息技术有限公司 | Method and device for detecting pseudo periodic access behavior |
CN112565183A (en) * | 2020-10-29 | 2021-03-26 | 中国船舶重工集团公司第七0九研究所 | Network flow abnormity detection method and device based on flow dynamic time warping algorithm |
CN113271322A (en) * | 2021-07-20 | 2021-08-17 | 北京明略软件系统有限公司 | Abnormal flow detection method and device, electronic equipment and storage medium |
CN114374528A (en) * | 2021-11-24 | 2022-04-19 | 河南中裕广恒科技股份有限公司 | Data security detection method and device, electronic equipment and medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102333313A (en) * | 2011-10-18 | 2012-01-25 | 中国科学院计算技术研究所 | Feature code generation method and detection method of mobile botnet |
CN103746982A (en) * | 2013-12-30 | 2014-04-23 | 中国科学院计算技术研究所 | Automatic generation method and system for HTTP (Hyper Text Transport Protocol) network feature code |
CN104168272A (en) * | 2014-08-04 | 2014-11-26 | 国家电网公司 | Trojan horse detection method based on communication behavior clustering |
CN105187411A (en) * | 2015-08-18 | 2015-12-23 | 福建省海峡信息技术有限公司 | Distributed abnormal detection method for network data stream |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108566340A (en) * | 2018-02-05 | 2018-09-21 | 中国科学院信息工程研究所 | Network flow fining sorting technique based on dynamic time warping algorithm and device |
CN110912860B (en) * | 2018-09-18 | 2022-02-18 | 北京数安鑫云信息技术有限公司 | Method and device for detecting pseudo periodic access behavior |
CN110912860A (en) * | 2018-09-18 | 2020-03-24 | 北京数安鑫云信息技术有限公司 | Method and device for detecting pseudo periodic access behavior |
CN109617893A (en) * | 2018-12-27 | 2019-04-12 | 北京神州绿盟信息安全科技股份有限公司 | A kind of means of defence, device and the storage medium of Botnet ddos attack |
CN109617893B (en) * | 2018-12-27 | 2021-06-25 | 绿盟科技集团股份有限公司 | Method and device for preventing botnet DDoS attack and storage medium |
CN110287699A (en) * | 2019-06-12 | 2019-09-27 | 杭州迪普科技股份有限公司 | The feature extracting method and device of application program |
CN110287699B (en) * | 2019-06-12 | 2021-02-26 | 杭州迪普科技股份有限公司 | Application program feature extraction method and device |
CN110381083A (en) * | 2019-08-07 | 2019-10-25 | 浙江双成电气有限公司 | A kind of smart grid communication abnormality detection method based on time series |
CN110381083B (en) * | 2019-08-07 | 2022-02-18 | 浙江双成电气有限公司 | Smart power grid communication anomaly detection method based on time sequence |
CN112565183A (en) * | 2020-10-29 | 2021-03-26 | 中国船舶重工集团公司第七0九研究所 | Network flow abnormity detection method and device based on flow dynamic time warping algorithm |
CN113271322B (en) * | 2021-07-20 | 2021-11-23 | 北京明略软件系统有限公司 | Abnormal flow detection method and device, electronic equipment and storage medium |
CN113271322A (en) * | 2021-07-20 | 2021-08-17 | 北京明略软件系统有限公司 | Abnormal flow detection method and device, electronic equipment and storage medium |
CN114374528A (en) * | 2021-11-24 | 2022-04-19 | 河南中裕广恒科技股份有限公司 | Data security detection method and device, electronic equipment and medium |
Also Published As
Publication number | Publication date |
---|---|
CN105978897B (en) | 2019-05-07 |
Similar Documents
Publication | Title |
---|---|
CN105978897A (en) | Detection method of electricity secondary system botnet |
CN113556354B (en) | Industrial Internet security threat detection method and system based on flow analysis |
KR101538709B1 (en) | Anomaly detection system and method for industrial control network |
Paudel et al. | Detecting dos attack in smart home iot devices using a graph-based approach |
Lin et al. | Understanding IEC-60870-5-104 traffic patterns in SCADA networks |
Soe et al. | Rule generation for signature based detection systems of cyber attacks in iot environments |
Wang et al. | Research on DDoS attacks detection based on RDF-SVM |
Efstathopoulos et al. | Operational data based intrusion detection system for smart grid |
CN107360152A (en) | A kind of Web based on semantic analysis threatens sensory perceptual system |
Hodo et al. | Anomaly detection for simulated iec-60870-5-104 trafiic |
Dairi et al. | Semi-supervised deep learning-driven anomaly detection schemes for cyber-attack detection in smart grids |
CN104660464A (en) | Network anomaly detection method based on non-extensive entropy |
Dalai et al. | Wdtf: A technique for wireless device type fingerprinting |
CN106603538A (en) | Invasion detection method and system |
Xu et al. | [Retracted] DDoS Detection Using a Cloud-Edge Collaboration Method Based on Entropy-Measuring SOM and KD-Tree in SDN |
Zhao | Network intrusion detection system model based on data mining |
CN110493235A (en) | A kind of mobile terminal from malicious software synchronization detection method based on network flow characteristic |
CN112733954A (en) | Abnormal traffic detection method based on generation countermeasure network |
Wang et al. | Benchmark data for mobile app traffic research |
Wang et al. | Coordinated cyber-attack detection model of cyber-physical power system based on the operating state data link |
Tan et al. | DDoS detection method based on Gini impurity and random forest in SDN environment |
Zaman et al. | Validation of a Machine Learning-Based IDS Design Framework Using ORNL Datasets for Power System With SCADA |
Cheng et al. | Development of deep packet inspection system for network traffic analysis and intrusion detection |
Zhao et al. | A classification and identification technology of tls encrypted traffic applications |
Tang et al. | Malware Traffic Classification Based on Recurrence Quantification Analysis. |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190507 |