CN105978897A - Detection method of electricity secondary system botnet - Google Patents


Info

Publication number: CN105978897A
Authority: CN (China)
Prior art keywords: stream, sequence, module, flow, botnet
Legal status: Granted (current status: Expired - Fee Related)
Application number: CN201610488613.3A
Other languages: Chinese (zh)
Other versions: CN105978897B (en)
Inventors: 张阳, 胡绍谦, 汤震宇
Current Assignee: NR Electric Co Ltd, NR Engineering Co Ltd
Original Assignee: NR Electric Co Ltd, NR Engineering Co Ltd

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a detection method for botnets in an electric power secondary system. A packet capturing module captures packets and serializes messages; a protocol recognition module analyses the message protocol and matches it against a preset whitelist; a flow grouping module generates flow records for the messages according to the five-tuple; a flow sequence assembly module serializes the flow records into flow sequences according to a rule; a flow sequence feature extraction module extracts flow sequence features and generates a bot feature library; and a feature matching module judges whether the features of a flow sequence under detection match a botnet in the bot feature library. The detection method reduces computing resource consumption and has good adaptability and detection accuracy.

Description

Detection method for botnets in an electric power secondary system
Technical field
The invention belongs to the technical fields of power system automation communication and network security, and in particular to power system network analyzers and botnet detection techniques.
Background technology
A botnet is an attack network in which malicious programs are implanted into multiple devices by various means, so that the bot controller can conveniently and centrally control these devices and issue instructions to the controlled devices to carry out malicious activities. With the rapid development of power systems and Internet technology worldwide, the scale and complexity of electric power secondary systems keep growing; the spread of intelligent devices and Ethernet communication enriches functionality, but also creates favourable conditions for the deployment and propagation of botnets.
Botnet detection methods fall broadly into two kinds. The first is based on analysing suspicious binary executables: suspicious binaries are typically captured with honeypots, attack records and activity logs are analysed, and the botnet is located and dismantled. This approach has a long analysis cycle, consumes many resources and performs poorly in real time. The second is based on analysing network traffic: deep packet inspection examines the field features of network messages, or the behavioural and correlated features of flows are analysed, to separate botnet traffic from normal traffic and so discover the botnet. Because network traffic is complex, the accuracy of this method is relatively low.
Existing botnet detection methods for wide-area networks are not tailored to botnets in power secondary networks. The network protocols used in an electric power secondary system are largely fixed; taking the station-level network as an example, they are typically 103, 61850 and DNP, with the network forms of 101 and 104 in a few cases. All other protocol messages can be regarded as unconventional protocols that may be produced by bot programs, so protocol recognition can be used to detect botnets. But when a bot program propagates and acts using protocols such as 103 or 61850, protocol recognition fails, and the traffic behaviour analysis method, which has a wider scope of application, is needed to supplement detection; traffic behaviour analysis, however, involves a large amount of computation and consumes considerable CPU and memory.
A botnet detection means is therefore needed that suits the features of an electric power secondary system, combines the protocol recognition method with the traffic behaviour analysis method, and offers good adaptability and detection accuracy while substantially reducing computing resource consumption. This is the origin of the present case.
Summary of the invention
The purpose of the present invention is to provide a detection method for botnets in an electric power secondary system that reduces computing resource consumption and has good adaptability and detection accuracy.
To achieve the above purpose, the solution of the present invention is:
A detection method for botnets in an electric power secondary system, comprising the following steps:
Step 1: the packet capturing module serializes the messages produced by the bot malicious code and outputs them to the flow grouping module;
Step 2: the flow grouping module groups the incoming messages into flows by protocol, source port, destination port, source IP and destination IP to obtain a flow record set; each flow record contains at least the flow start time, flow end time, total message count and total byte count of the flow; the flow record set is output to the flow sequence assembly module;
Step 3: the flow sequence assembly module assembles the flow records in the flow record set into flow sequences and outputs them to the flow sequence feature extraction module;
Step 4: the flow sequence feature extraction module extracts the mean flow time interval, mean flow duration and mean flow byte count of each flow sequence;
Step 5: the flow sequence feature extraction module converts each flow sequence into a 0-1 sequence, computes the most significant frequency of the 0-1 sequence with the cyclic autocorrelation method, and computes the most significant frequency of the power spectral density function of the 0-1 sequence;
Step 6: the flow sequence feature extraction module uses the X-means clustering algorithm to cluster each of the five flow sequence features separately (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 0-1 sequence and most significant frequency of the power spectral density function), and computes the mean, standard deviation and clustering quality of each class;
Step 7: Steps 1 to 6 are executed in a loop, and the flow sequence feature extraction module outputs the traffic fingerprint of each bot malicious code, comprising the class means, class standard deviations and clustering quality of the five flow sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 0-1 sequence, most significant frequency of the power spectral density function), together with the feature match count threshold and the feature similarity score threshold; a preset step size is used to adjust the feature match count threshold and the feature similarity score threshold automatically so that the total false alarm rate and missed alarm rate are minimised within the adjustment range;
Step 8: the packet capturing module receives the messages to be analysed as input, serializes them and outputs them to the protocol identification module;
Step 9: the protocol identification module outputs the messages to be analysed to the flow grouping module for flow grouping; after processing according to Steps 2 to 5, the generated flow sequence features to be analysed are input to the feature matching module;
Step 10: the feature matching module compares the flow sequence features to be analysed against the "traffic fingerprint" library; if the feature match count exceeds the feature match count threshold and the feature similarity score exceeds the feature similarity score threshold, the flow sequence to be analysed is treated as a flow sequence of that botnet; if several fingerprints are satisfied, the flow sequence is treated as belonging to the botnet with the largest feature similarity score; the result is recorded and an alarm raised.
The detailed content of Step 1 above is: known bot malicious code samples are collected and deployed one by one in an experimental environment that simulates the network structure of an electric power secondary system; when extracting features, one sample is deployed at a time and allowed to run and propagate freely; after a sufficiently long time, all messages in the network are recorded, serialized and output to the flow grouping module.
In Step 3 above, the flow records are assembled into flow sequences according to protocol, source IP, destination IP and destination port: flow records with the same protocol, source IP, destination IP and destination port are arranged in time order into one flow sequence.
In Step 5 above, a flow sequence is converted into a 0-1 sequence by splitting it at a small time interval t: if the total duration of the flow sequence is T, with T = Nt and N a positive integer, then each interval t is set to 1 if a flow starts within it and to 0 otherwise, yielding a 0-1 sequence of length N.
In Step 9 above, before flow sequence feature detection, the protocol identification module first performs protocol whitelist detection: it parses the protocol of the incoming message according to the protocol structure and compares it with the predefined whitelist; if the protocol is not in the whitelist, the message is treated as an abnormal message, recorded and an alarm raised; if it is in the whitelist, the message to be analysed is output to the flow grouping module for flow grouping.
With the above scheme, the beneficial effects of the invention are:
(1) The network protocols used in an electric power secondary system, i.e. in a power secondary network, are relatively fixed; taking the station-level network as an example, they are typically 103, 61850 and DNP, with the network forms of 101 and 104 in a few cases. All other protocol messages can be regarded as unconventional protocols that may be produced by bot programs, so the protocol recognition method, with a protocol whitelist pre-configured in the detection program, can effectively detect botnets.
(2) When a bot program propagates and acts using protocols such as 103 or 61850, the protocol recognition method fails, whereas the traffic behaviour analysis method has a wider scope of application; but traffic behaviour analysis involves a large amount of computation and consumes considerable CPU and memory. Targeting the characteristics of an electric power secondary system, the invention combines the protocol recognition method with the behaviour analysis method based on flow sequence features, and achieves good adaptability and detection accuracy while substantially reducing computing resource consumption.
(3) When describing the periodicity of a flow sequence, the invention combines the most significant frequency of the cyclic autocorrelation with the most significant frequency of the energy spectral density; compared with other methods such as power spectral density, this has the advantages of a small amount of computation and low resource consumption.
(4) The detection program of the invention is integrated into the network analyzer, an existing device in the electric power secondary system; no new equipment is needed and the existing network architecture need not be changed, which is conducive to implementation.
Brief description of the drawings
Fig. 1 is the overall architecture diagram of the modules of the invention;
Fig. 2 is a schematic diagram of the process of establishing the bot flow sequence feature fingerprint in the invention;
Fig. 3 is a schematic diagram of the detection process of the invention on station-level message mirroring.
Detailed description of the invention
The technical solution of the invention is described in detail below with reference to the accompanying drawings.
The invention provides a detection method for botnets in an electric power secondary system. Fig. 1 shows the overall architecture of the modules of the invention, which consists of six modules: a packet capturing module, a protocol identification module, a flow grouping module, a flow sequence assembly module, a flow sequence feature extraction module and a feature matching module. The packet capturing module captures packets and serializes messages; the protocol identification module parses the message protocol and matches it against the preset whitelist; the flow grouping module groups messages into flows by five-tuple and generates flow records; the flow sequence assembly module serializes flow records into flow sequences according to rules; the flow sequence feature extraction module extracts flow sequence features and generates the bot feature library; and the feature matching module judges whether the features of a flow sequence under detection match a botnet in the bot feature library.
Fig. 2 shows the process of establishing the bot flow sequence feature fingerprint of the invention. The "traffic fingerprint" of each bot malicious code consists of the class means, class standard deviations and clustering quality of five flow sequence features (mean flow time interval, mean flow duration, mean flow byte count, the most significant frequency f1 of the cyclic autocorrelation and the most significant frequency f2 of the energy spectral density), together with the feature match count threshold σ1max and the feature similarity score threshold σ2max. The feature match count threshold is, over the five features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the cyclic autocorrelation, most significant frequency of the energy spectral density), the minimum number of features of the flow sequence under detection that must match the known bot flow sequence features. The feature similarity score threshold is the minimum cumulative sum of the matching values of all features, where the matching value of each feature of the flow sequence under detection describes, by one number, the degree to which it matches the known bot flow sequence feature. Only when both the feature match count threshold and the feature similarity score threshold are met or exceeded is the flow sequence under detection regarded as a flow sequence produced by the corresponding botnet.
Fig. 3 shows the detection process of the invention on the station-level message mirror. It combines the protocol recognition method with the behaviour analysis method based on flow sequence features, and achieves good adaptability and detection accuracy while substantially reducing computing resource consumption.
The steps of the invention are as follows:
Step 1: the packet capturing module serializes the messages produced by the bot malicious code. Specifically, known bot malicious code samples such as BlackEnergy, SDbot and Zbot (but not limited to these) are collected and deployed one by one in an experimental environment that simulates the network structure of an electric power secondary system; the environment may be realised with several virtual machines or with real equipment. When extracting features, one sample is deployed at a time and allowed to run and propagate freely; after a sufficiently long time, all messages in the network are recorded and serialized, denoted G, and output to the flow grouping module;
Step 2: the flow grouping module groups the messages in G into flows by protocol, source port, destination port, source IP and destination IP, obtaining the flow record set G1; each flow record should contain at least the flow start time, flow end time, total message count and total byte count of the flow; the flow record set is output to the flow sequence assembly module. Here a flow is a unidirectional transfer of messages between a source address and a destination address within a period of time, in which all messages have the same transport-layer source and destination port numbers, protocol number, and source and destination addresses, i.e. the same five-tuple; a flow describes one specific communication activity between two end systems;
Step 3: the flow sequence assembly module assembles the flow records in the flow record set G1 into flow sequences according to protocol, source IP, destination IP and destination port: flow records with the same protocol, source IP, destination IP and destination port are arranged in time order into one flow sequence. The set of flow sequences is denoted G2, and all flow sequences are output to the flow sequence feature extraction module. Here a flow sequence is the sequence of flows produced, within a period of time, by the communication between one particular source address and one particular destination address and destination port; it describes the overall characteristics of the same kind of communication activity between two end systems over that period. For example, if end system A requests port 80 of end system B repeatedly within a period of time, A and B produce several flows, and these flows ordered by flow start time form one flow sequence;
Step 4: for each flow sequence in G2, the flow sequence feature extraction module extracts its mean flow time interval, mean flow duration and mean flow byte count;
Step 5: the flow sequence feature extraction module converts each flow sequence in G2 into a 0-1 sequence, computes the most significant frequency of the 0-1 sequence with the cyclic autocorrelation method, and computes the most significant frequency of the power spectral density function of the 0-1 sequence; the most significant frequency of the power spectral density function is used to describe the periodicity of the 0-1 sequence. Here 0-1 serialization means splitting a flow sequence at a small time interval t: if the total duration of the flow sequence is T, then t is taken as 1/4 of the mean flow time interval and T = Nt with N a positive integer; within each interval t the value is set to 1 if a flow starts in it and to 0 otherwise, yielding a 0-1 sequence of length N.
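The flow grouping, flow sequence assembly and basic feature extraction of Steps 2 to 4, as an added Python example that is not part of the patent or the applicant's code; the message records, IP addresses and ports are constructed, and the per-five-tuple record layout is an assumption of this example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample messages (not captured traffic):
# (timestamp in seconds, protocol, src IP, src port, dst IP, dst port, bytes)
MESSAGES = [
    (0.0, "tcp", "10.1.1.5", 40001, "10.1.1.9", 80, 120),
    (0.2, "tcp", "10.1.1.5", 40001, "10.1.1.9", 80, 600),
    (0.5, "tcp", "10.1.1.5", 40001, "10.1.1.9", 80, 80),
    (5.0, "tcp", "10.1.1.5", 40002, "10.1.1.9", 80, 120),
    (5.3, "tcp", "10.1.1.5", 40002, "10.1.1.9", 80, 500),
    (10.0, "tcp", "10.1.1.5", 40003, "10.1.1.9", 80, 120),
    (10.4, "tcp", "10.1.1.5", 40003, "10.1.1.9", 80, 700),
    (2.0, "tcp", "10.1.1.7", 50000, "10.1.1.9", 102, 200),  # unrelated single flow
]


def group_flows(messages):
    """Step 2: one flow record per five-tuple (protocol, src port, dst port,
    src IP, dst IP) holding start time, end time, message count and byte total."""
    flows = {}
    for ts, proto, sip, sport, dip, dport, size in messages:
        key = (proto, sport, dport, sip, dip)
        rec = flows.get(key)
        if rec is None:
            flows[key] = {"start": ts, "end": ts, "msgs": 1, "bytes": size}
        else:
            rec["start"] = min(rec["start"], ts)
            rec["end"] = max(rec["end"], ts)
            rec["msgs"] += 1
            rec["bytes"] += size
    return flows


def assemble_sequences(flows):
    """Step 3: flow records sharing (protocol, src IP, dst IP, dst port) form one
    flow sequence, ordered by flow start time (the source port is free to vary)."""
    seqs = defaultdict(list)
    for (proto, _sport, dport, sip, dip), rec in flows.items():
        seqs[(proto, sip, dip, dport)].append(rec)
    for recs in seqs.values():
        recs.sort(key=lambda r: r["start"])
    return dict(seqs)


def basic_features(seq):
    """Step 4: mean flow time interval (between consecutive flow starts),
    mean flow duration and mean flow byte count of one flow sequence."""
    starts = [r["start"] for r in seq]
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "interval_avg": mean(intervals) if intervals else 0.0,
        "duration_avg": mean(r["end"] - r["start"] for r in seq),
        "bytes_avg": mean(r["bytes"] for r in seq),
    }


def feature_table(messages):
    """Run Steps 2 to 4 over a message list; returns {sequence key: features}."""
    seqs = assemble_sequences(group_flows(messages))
    return {key: basic_features(seq) for key, seq in seqs.items()}


if __name__ == "__main__":
    for key, feats in feature_table(MESSAGES).items():
        print(key, feats)
```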
Let the set of 0-1 sequences be S. The cyclic autocorrelation method computes the most significant frequency f1 of each sequence in S as follows.
The length of the 0-1 sequence f is normalised to an integral power of 2: the first P elements of f are taken as a subsequence, satisfying
$P = 2^n,\quad P \le M,\quad 2^{n+1} > M,\quad n \in Q$
where P is the number of elements of the 0-1 sequence f after normalisation, M is the original number of elements of f, and Q is the set of natural numbers.
The discrete autocorrelation function of the 0-1 sequence f:
$R[k] = \sum_{m=-\infty}^{+\infty} f[m]\, f[m-k], \quad k = 0, \ldots, M-1$
The discrete cyclic autocorrelation function of the 0-1 sequence f:
$R'[k] = \sum_{m=0}^{M-1} f[m]\, f[(m+k) \bmod M]$
The most significant frequency of the cyclic autocorrelation is computed as
$\omega = \max_{k} \frac{R'[k]}{R'[0]}, \quad k = 1, \ldots, \frac{P}{2}-1$
$f_1 = \frac{1}{k_\omega \cdot t}, \quad t = \frac{\mathrm{Interval}_{avg}}{4}$
where k_ω is the lag k at which the maximum ω is attained.
For each sequence in S the power spectral density function Φ is computed, and from Φ the most significant frequency f2 of the energy spectral density function of the sequence is obtained as follows.
The discrete Fourier transform of the 0-1 sequence f:
$F[k] = \sum_{m=0}^{M-1} e^{-i \frac{2\pi}{M} m k}\, f[m], \quad k = 0, \ldots, M-1$
The power spectral density function of the 0-1 sequence f:
$\Phi[k] = \frac{F[k]\, F^{*}[k]}{2\pi}, \quad k = 0, \ldots, M-1$
The length of the 0-1 sequence f is normalised to an integral power of 2 exactly as above: the first P elements of f form the subsequence, with $P = 2^n$, $P \le M$, $2^{n+1} > M$, $n \in Q$, where P is the number of elements after normalisation, M the original number of elements and Q the set of natural numbers.
After obtaining Φ(k), the k (k ≠ 0) at which Φ is maximal is chosen, and the frequency f2 is computed as
$f_2 = \frac{k}{P \cdot t}, \quad t = \frac{\mathrm{Interval}_{avg}}{4}$
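Step 5 and the f1/f2 formulas above carried out in code, as an added Python example that is not part of the patent; the flow start times are constructed, and the helper names, the first-maximum tie-breaking and restricting the PSD search to the first half of the spectrum are assumptions of this example.

```python
import cmath
import math


def to_01_sequence(start_times, interval_avg):
    """0-1 serialisation: split the flow sequence into slots of width
    t = Interval_avg / 4; a slot is 1 if some flow starts inside it, else 0."""
    t = interval_avg / 4.0
    t0 = start_times[0]
    n_slots = int(math.floor((start_times[-1] - t0) / t)) + 1   # N, with T = N * t
    seq = [0] * n_slots
    for s in start_times:
        seq[min(int((s - t0) / t), n_slots - 1)] = 1
    return seq, t


def normalise_pow2(seq):
    """Keep the first P = 2^n elements, with P <= M < 2^(n+1)."""
    if not seq:
        return []
    return seq[: 1 << (len(seq).bit_length() - 1)]


def cyclic_autocorr(seq):
    """Discrete cyclic autocorrelation R'[k] = sum_m f[m] f[(m+k) mod P]."""
    p = len(seq)
    return [sum(seq[m] * seq[(m + k) % p] for m in range(p)) for k in range(p)]


def f1_cyclic_autocorr(seq, t):
    """Most significant cyclic-autocorrelation frequency f1 = 1/(k_omega * t),
    where k_omega maximises R'[k]/R'[0] over k = 1 .. P/2 - 1. Returns (f1, omega)."""
    p = len(seq)
    r = cyclic_autocorr(seq)
    if p < 4 or r[0] == 0:
        return 0.0, 0.0
    k_omega = max(range(1, p // 2), key=lambda k: r[k] / r[0])   # first maximum wins
    return 1.0 / (k_omega * t), r[k_omega] / r[0]


def power_spectral_density(seq):
    """Phi[k] = F[k] F*[k] / (2 pi) from a direct DFT of the P-element sequence."""
    p = len(seq)
    phi = []
    for k in range(p):
        fk = sum(seq[m] * cmath.exp(-2j * math.pi * m * k / p) for m in range(p))
        phi.append((fk * fk.conjugate()).real / (2.0 * math.pi))
    return phi


def f2_psd(seq, t):
    """Most significant PSD frequency f2 = k / (P * t) with k != 0 maximising Phi[k].
    The search is limited to k = 1 .. P/2 because Phi of a real sequence is
    symmetric about P/2, so the mirror bins carry no extra information (assumption)."""
    p = len(seq)
    phi = power_spectral_density(seq)
    k_max = max(range(1, p // 2 + 1), key=lambda k: phi[k])
    return k_max / (p * t)


def periodicity_features(start_times):
    """Step 5 end to end for one flow sequence, given its flow start times."""
    gaps = [b - a for a, b in zip(start_times, start_times[1:])]
    interval_avg = sum(gaps) / len(gaps)
    seq, t = to_01_sequence(start_times, interval_avg)
    seq = normalise_pow2(seq)
    f1, omega = f1_cyclic_autocorr(seq, t)
    return {"t": t, "P": len(seq), "f1": f1, "omega": omega, "f2": f2_psd(seq, t)}


# Constructed beacon-like pattern: a flow roughly every 4 s, one start jittered by 1 s.
SAMPLE_STARTS = [0, 4, 8, 13, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60]

if __name__ == "__main__":
    print(periodicity_features(SAMPLE_STARTS))
```

With t = 1 s and P = 32 the sample yields f1 = f2 = 0.25 Hz, i.e. the 4 s beacon period, while the jittered start lowers the autocorrelation peak ratio ω from 1 to 0.75.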
Step 6: the above steps yield five flow sequence features: mean flow time interval, mean flow duration, mean flow byte count, the most significant frequency f1 of the 0-1 sequence and the most significant frequency f2 of the power spectral density function. Each feature is clustered separately with the X-means clustering algorithm, giving several cluster sets per feature. Normal traffic collected in a real station-level environment is mixed with the botnet traffic from Step 1, and Steps 2 to 5 are repeated on the mixed traffic. For each flow sequence, the feature vector T[i] is compared with every cluster set of every feature: if T[i] lies in [c-2sd, c+2sd], where c is the mean of the cluster set and sd its standard deviation, the feature match count σ1 is increased by 1 and the feature similarity score σ2 is increased by Qc*QTi, where Qc is the clustering quality of the hit class and QTi is the quality of flow sequence T on attribute i, i.e. the flow sequence feature quality, QTi = exp(-β*sd/c), with β = 2.5 a regulation parameter; the quality of f1 of a flow sequence is replaced by the cyclic autocorrelation peak ratio, and the quality of f2 by the quality of the mean flow time interval. If σ1 reaches the feature match count threshold σ1max and σ2 reaches the feature similarity score threshold σ2max, the flow sequence is regarded as belonging to the corresponding bot flow sequence. The values of σ1max and σ2max are adjusted automatically: σ1max is tested from 0 to 5 in steps of 1 and σ2max from 0 to 5 in steps of 0.1, so that both the false alarm rate and the missed alarm rate reach their minimum;
Step 7: Steps 1 to 6 are repeated to obtain the "traffic fingerprint" of each bot malicious code, consisting of the mean, standard deviation and clustering quality of each cluster class of the mean flow time interval, mean flow duration, mean flow byte count, frequency f1 and frequency f2, together with σ1max and σ2max. A preset step size is used to adjust the feature match count threshold and the feature similarity score threshold automatically so that the total false alarm rate and missed alarm rate are minimised within the adjustment range. Here the feature match count threshold is, over the five features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 0-1 sequence, most significant frequency of the power spectral density function), the minimum number of features of the flow sequence under detection that must match the known bot flow sequence features; the feature similarity score threshold is the minimum cumulative sum of the matching values of all features, where the matching value of each feature of the flow sequence under detection describes, by one number, its degree of match with the known bot flow sequence feature. Only when both the feature match count threshold and the feature similarity score threshold are reached or exceeded is the flow sequence under detection regarded as a flow sequence produced by the corresponding botnet;
Step 8: Steps 1 to 7 are the extraction process of the botnet "traffic fingerprint". The fingerprint library and the detection program are deployed in the network analyzer inside the station; the network analyzer is connected to the mirror port of the core switch and collects the message mirror of the whole station. The packet capturing module receives the messages to be analysed as input, serializes them and outputs them to the protocol identification module;
Step 9: a protocol whitelist is configured by entering the protocols that may appear in the existing station-level network, such as IEC60870-5-103, IEC61850 and DNP, into the detection program. The protocol identification module parses the protocol of the incoming message according to the protocol structure and compares it with the predefined whitelist: if it is not in the whitelist, the message is treated as an abnormal message, recorded and an alarm raised; if it is in the whitelist, the message to be analysed is output to the flow grouping module for flow grouping, and after processing according to Steps 2 to 5 the generated flow sequence features to be analysed are input to the feature matching module;
Step 10: for each flow sequence to be analysed, the feature matching module compares its flow sequence features with the "traffic fingerprint" library and computes the feature match count σ1 and the feature similarity score σ2 against every fingerprint in the library. If σ1 reaches the σ1max of a fingerprint and σ2 reaches its σ2max, the flow sequence to be analysed is regarded as belonging to that botnet and is processed as a botnet flow sequence; if several fingerprints are satisfied, the flow sequence is processed as belonging to the botnet whose fingerprint gives the largest σ2. The result is recorded and an alarm raised.
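The σ1/σ2 comparison of Step 6 and the fingerprint matching of Step 10, as an added Python example not taken from the patent; the fingerprint library, its cluster values and thresholds, and the feature vector under detection are constructed, and how QTi of f2 is handled when the interval feature misses is an assumption of this example.

```python
import math

BETA = 2.5          # regulation parameter beta from Step 6
FEATURES = ("interval_avg", "duration_avg", "bytes_avg", "f1", "f2")

# Constructed fingerprint library (not real bot fingerprints). Per feature: a list
# of clusters (class mean c, class standard deviation sd, clustering quality Qc),
# plus the two tuned thresholds sigma1_max and sigma2_max.
FINGERPRINTS = {
    "constructed-bot-A": {
        "clusters": {
            "interval_avg": [(4.0, 0.5, 0.9)],
            "duration_avg": [(0.4, 0.1, 0.8)],
            "bytes_avg": [(750.0, 100.0, 0.7), (3000.0, 200.0, 0.6)],
            "f1": [(0.25, 0.02, 0.9)],
            "f2": [(0.25, 0.02, 0.9)],
        },
        "sigma1_max": 4,
        "sigma2_max": 2.0,
    },
    "constructed-bot-B": {
        "clusters": {
            "interval_avg": [(4.0, 1.0, 0.5)],
            "duration_avg": [(0.4, 0.2, 0.5)],
            "bytes_avg": [(800.0, 300.0, 0.5)],
            "f1": [(0.25, 0.05, 0.5)],
            "f2": [(0.25, 0.05, 0.5)],
        },
        "sigma1_max": 3,
        "sigma2_max": 1.0,
    },
}


def score_against(fingerprint, feats, omega):
    """Compute (sigma1, sigma2) of one flow sequence against one fingerprint.
    A feature hits a cluster when its value lies in [c-2sd, c+2sd]; each hit adds 1
    to sigma1 and Qc*Q_Ti to sigma2, with Q_Ti = exp(-beta*sd/c) of the hit
    cluster. Q_Ti for f1 is the cyclic-autocorrelation peak ratio omega, and
    Q_Ti for f2 reuses the mean-flow-interval quality (0 if the interval missed,
    an assumption of this example)."""
    sigma1, sigma2 = 0, 0.0
    interval_quality = 0.0
    for name in FEATURES:
        for c, sd, qc in fingerprint["clusters"][name]:
            if c - 2 * sd <= feats[name] <= c + 2 * sd:
                if name == "f1":
                    q_ti = omega
                elif name == "f2":
                    q_ti = interval_quality
                else:
                    q_ti = math.exp(-BETA * sd / c)
                    if name == "interval_avg":
                        interval_quality = q_ti
                sigma1 += 1
                sigma2 += qc * q_ti
                break                       # one hit per feature
    return sigma1, sigma2


def match_flow_sequence(feats, omega, library=FINGERPRINTS):
    """Step 10: return (botnet name, sigma1, sigma2) of the best matching
    fingerprint, or None when no fingerprint has both thresholds reached.
    Among several satisfied fingerprints the largest sigma2 wins."""
    best = None
    for name, fp in library.items():
        s1, s2 = score_against(fp, feats, omega)
        if s1 >= fp["sigma1_max"] and s2 >= fp["sigma2_max"]:
            if best is None or s2 > best[2]:
                best = (name, s1, s2)
    return best


if __name__ == "__main__":
    # Constructed feature vector of a flow sequence under detection.
    sample = {"interval_avg": 4.2, "duration_avg": 0.45, "bytes_avg": 800.0,
              "f1": 0.25, "f2": 0.26}
    print(match_flow_sequence(sample, omega=0.75))
```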
In summary, the invention combines the protocol recognition method with the behaviour analysis method based on flow sequence features, and achieves good adaptability and detection accuracy while substantially reducing computing resource consumption. Targeting the characteristics of an electric power secondary system, namely few protocols and relatively fixed flow sequence patterns, it first detects abnormal protocol messages in the network and second checks whether the flow sequence features in the network match those produced by previously known bot programs, and from this judges whether a botnet exists in the power secondary network. The two means combined give good adaptability and detection accuracy while substantially reducing computing resource consumption, and provide a safeguard for the safe operation of the electric power secondary system.
The above embodiment only illustrates the technical idea of the invention and does not limit its scope of protection; any change made on the basis of the technical solution according to the technical idea proposed by the invention falls within the scope of protection of the invention.

Claims (5)

1. A detection method for a botnet of an electric power secondary system, characterised in that it comprises the following steps:
Step 1: the packet capture module orders the messages produced by the bot malicious code in time and outputs them to the flow grouping module;
Step 2: the flow grouping module groups the incoming messages into flows by protocol, source port, destination port, source IP and destination IP to obtain a flow record set, in which every flow record contains at least the flow start time, flow end time, total message count and total byte count of that flow, and outputs the flow record set to the flow sequence assembly module;
Step 3: the flow sequence assembly module assembles the flow records in the flow record set into flow sequences and outputs them to the flow sequence feature extraction module;
Step 4: the flow sequence feature extraction module extracts the mean flow time interval, mean flow duration and mean flow byte count of each flow sequence;
Step 5: the flow sequence feature extraction module performs 01 serialisation on each flow sequence, calculates the most significant frequency of the 01 sequence with the circular autocorrelation method, and calculates the most significant frequency of the power spectral density function of the 01 sequence;
Step 6: the flow sequence feature extraction module uses the X-means clustering algorithm to cluster each of the five flow sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence and most significant frequency of the power spectral density function) separately, and calculates the mean, standard deviation and clustering quality of each class;
Step 7: steps 1 to 6 are executed in a loop, and the flow sequence feature extraction module outputs the flow fingerprint of each bot malicious code; the fingerprint comprises the class mean, class standard deviation and clustering quality of the five flow sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence and most significant frequency of the power spectral density function), together with a feature match count threshold and a feature similarity score threshold; the feature match count threshold and the feature similarity score threshold are adjusted automatically with a preset step size so that the combined false alarm rate and missed alarm rate reach their minimum within the adjustment range;
Step 8: the packet capture module receives the messages to be analysed as input, orders them in time and outputs them to the protocol identification module;
Step 9: the protocol identification module outputs the messages to be analysed to the flow grouping module for flow grouping; after processing according to steps 2 to 5, the generated flow sequence features to be analysed are input to the feature matching module;
Step 10: the feature matching module compares the flow sequence features to be analysed against the "flow fingerprint" library; if the feature match count exceeds the feature match count threshold and the feature similarity score exceeds the feature similarity score threshold, the flow sequence to be analysed is treated as a flow sequence of that botnet; if several fingerprints are matched, the flow sequence is treated as belonging to the botnet whose fingerprint gives the highest feature similarity score; the result is recorded and an alarm is raised.
2. The detection method for a botnet of an electric power secondary system according to claim 1, characterised in that the detailed content of step 1 is: known bot malicious code samples are collected and deployed one by one in an experimental environment that simulates the network structure of the electric power secondary system; when features are extracted, one sample is deployed at a time and allowed to run and propagate freely; after a sufficiently long time, all messages in the network are recorded, ordered in time and output to the flow grouping module.
3. The detection method for a botnet of an electric power secondary system according to claim 1, characterised in that in step 3 the method of assembling flow records into flow sequences is: flow records are assembled into flow sequences according to protocol, source IP, destination IP and destination port, and flow records with identical protocol, source IP, destination IP and destination port are arranged in time order into one flow sequence.
4. The detection method for a botnet of an electric power secondary system according to claim 1, characterised in that in step 5 the process of 01 serialisation of a flow sequence is: a flow sequence is split at a small time interval t; if the total duration of the flow sequence is T, then T = Nt, where N is a positive integer; within each interval t, if a flow starts, the value is set to 1, otherwise to 0, giving a 01 sequence of length N.
5. The detection method for a botnet of an electric power secondary system according to claim 1, characterised in that in step 9, before flow sequence feature detection, the protocol identification module first performs protocol whitelist detection: it parses the protocol in the incoming message according to the protocol structure and compares it with the predefined whitelist; if the protocol does not belong to the whitelist, the message is treated as an abnormal message, recorded and an alarm is raised; if it belongs to the whitelist, the message to be analysed is output to the flow grouping module for flow grouping.
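Steps 2 to 5 of claim 1 together with claims 3 and 4 (flow grouping, flow sequence assembly, mean features, 01 serialisation and the dominant period from circular autocorrelation and power spectral density), as an added example in pure Python that is not the patent's own code. The packet list, IP addresses, ports, the 10 s beacon period and the 5 s bin width are all constructed assumptions; X-means clustering and fingerprint matching (steps 6 to 10) are not shown.

```python
# Added example, not the patent's implementation; packets below are constructed sample data.
from collections import defaultdict
from math import cos, sin, pi
# (time_s, proto, src_ip, src_port, dst_ip, dst_port, bytes): one host beacons to
# 10.0.0.9:8080 every 10 s (request, then a reply packet 6 s later) plus one unrelated DNS flow.
PACKETS = [p for i in range(8) for p in
           ((10.0 * i, "tcp", "10.0.0.5", 40000 + i, "10.0.0.9", 8080, 120),
            (10.0 * i + 6, "tcp", "10.0.0.5", 40000 + i, "10.0.0.9", 8080, 80))]
PACKETS.append((33.0, "udp", "10.0.0.7", 5000, "10.0.0.9", 53, 60))

def group_flows(packets):
    """Step 2: key (proto, sport, dport, sip, dip) -> record [start, end, packets, bytes]."""
    flows = {}
    for ts, proto, sip, sport, dip, dport, nbytes in packets:
        rec = flows.setdefault((proto, sport, dport, sip, dip), [ts, ts, 0, 0])
        rec[0], rec[1], rec[2], rec[3] = min(rec[0], ts), max(rec[1], ts), rec[2] + 1, rec[3] + nbytes
    return flows

def assemble_sequences(flows):
    """Step 3 / claim 3: flows sharing (proto, sip, dip, dport) form one sequence, ordered by start."""
    seqs = defaultdict(list)
    for (proto, sport, dport, sip, dip), rec in flows.items():
        seqs[(proto, sip, dip, dport)].append(rec)
    return {k: sorted(v) for k, v in seqs.items()}

def mean_features(seq):
    """Step 4: (mean interval between flow starts, mean flow duration, mean flow bytes)."""
    starts = [r[0] for r in seq]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return (sum(gaps) / len(gaps) if gaps else 0.0,
            sum(r[1] - r[0] for r in seq) / len(seq), sum(r[3] for r in seq) / len(seq))

def serialize01(seq, t):
    """Claim 4: T = sequence duration, N = T // t + 1 bins of width t; a bin is 1 if a flow starts in it."""
    t0 = seq[0][0]
    bits = [0] * (int((max(r[1] for r in seq) - t0) // t) + 1)
    for r in seq:
        bits[int((r[0] - t0) // t)] = 1
    return bits

def dominant_period(bits, t):
    """Step 5: beacon period in seconds from the circular-autocorrelation peak and from the PSD peak."""
    N = len(bits)
    if N < 4: return None                 # too short to contain a full period
    lags = range(1, N // 2 + 1)           # lags above N/2 mirror those below it
    acf = {k: sum(bits[i] * bits[(i + k) % N] for i in range(N)) for k in lags}
    m = sum(bits) / N; x = [b - m for b in bits]   # remove the mean so the DC term does not dominate
    psd = {k: sum(v * cos(2 * pi * k * n / N) for n, v in enumerate(x)) ** 2
              + sum(v * sin(2 * pi * k * n / N) for n, v in enumerate(x)) ** 2 for k in lags}
    # max() keeps the smallest lag among tied peaks, i.e. the fundamental period rather than a multiple
    return max(acf, key=acf.get) * t, N / max(psd, key=psd.get) * t
```

A single-flow sequence such as the DNS flow yields a one-bin 01 sequence, for which no period exists, so `dominant_period` returns None instead of a spurious frequency.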
CN201610488613.3A 2016-06-28 2016-06-28 A kind of detection method of electric power secondary system Botnet Expired - Fee Related CN105978897B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610488613.3A CN105978897B (en) 2016-06-28 2016-06-28 A kind of detection method of electric power secondary system Botnet


Publications (2)

Publication Number Publication Date
CN105978897A true CN105978897A (en) 2016-09-28
CN105978897B CN105978897B (en) 2019-05-07

Family

ID=57019380


Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566340A (en) * 2018-02-05 2018-09-21 中国科学院信息工程研究所 Network flow fining sorting technique based on dynamic time warping algorithm and device
CN109617893A (en) * 2018-12-27 2019-04-12 北京神州绿盟信息安全科技股份有限公司 A kind of means of defence, device and the storage medium of Botnet ddos attack
CN110287699A (en) * 2019-06-12 2019-09-27 杭州迪普科技股份有限公司 The feature extracting method and device of application program
CN110381083A (en) * 2019-08-07 2019-10-25 浙江双成电气有限公司 A kind of smart grid communication abnormality detection method based on time series
CN110912860A (en) * 2018-09-18 2020-03-24 北京数安鑫云信息技术有限公司 Method and device for detecting pseudo periodic access behavior
CN112565183A (en) * 2020-10-29 2021-03-26 中国船舶重工集团公司第七0九研究所 Network flow abnormity detection method and device based on flow dynamic time warping algorithm
CN113271322A (en) * 2021-07-20 2021-08-17 北京明略软件系统有限公司 Abnormal flow detection method and device, electronic equipment and storage medium
CN114374528A (en) * 2021-11-24 2022-04-19 河南中裕广恒科技股份有限公司 Data security detection method and device, electronic equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102333313A (en) * 2011-10-18 2012-01-25 中国科学院计算技术研究所 Feature code generation method and detection method of mobile botnet
CN103746982A (en) * 2013-12-30 2014-04-23 中国科学院计算技术研究所 Automatic generation method and system for HTTP (Hyper Text Transport Protocol) network feature code
CN104168272A (en) * 2014-08-04 2014-11-26 国家电网公司 Trojan horse detection method based on communication behavior clustering
CN105187411A (en) * 2015-08-18 2015-12-23 福建省海峡信息技术有限公司 Distributed abnormal detection method for network data stream



Also Published As

Publication number Publication date
CN105978897B (en) 2019-05-07


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190507