CN105978897B - A kind of detection method of electric power secondary system Botnet - Google Patents
- Publication number: CN105978897B (application CN201610488613.3A)
- Authority: CN (China)
- Prior art keywords: sequence, stream, module, message, botnet
- Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Expired - Fee Related
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, network security by monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14, detecting or protecting against malicious traffic)
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00, reducing energy consumption in communication networks)
Abstract
The invention discloses a detection method for botnets in electric power secondary systems. A packet capture module captures messages and orders them in time; a protocol identification module parses the message protocol and matches it against a preset protocol white list; a flow aggregation module groups messages into flow records by five-tuple; a flow sequence assembly module assembles the flow records into flow sequences according to a rule; a flow sequence feature extraction module extracts flow sequence features and builds a bot feature database; and a feature matching module decides whether the features of a flow sequence under test match some botnet in the bot feature database. The method reduces the consumption of computing resources and has good adaptability and detection accuracy.
Description
Technical field
The invention belongs to the technical fields of power system automation communication and network security, and in particular relates to a power system network analyzer and a botnet detection technique.
Background technique
A botnet is an attack network in which malicious programs are implanted into many devices by various means, so that the bot controller can control these devices centrally and issue instructions that make the controlled devices carry out the corresponding malicious activities. With the rapid development of global power systems and Internet technology, the scale and complexity of electric power secondary systems keep growing; the spread of intelligent devices and Ethernet communication brings richer functionality but also creates favourable conditions for the deployment and propagation of botnets.
Botnet detection methods fall broadly into two kinds. The first is based on analysing suspicious binary executables: suspicious binaries, attack records and activity records are generally captured with honeypots, and the botnet is then found and taken down. Its analysis cycle is long, its resource consumption is high and its real-time performance is poor. The second is based on analysing network traffic: deep packet inspection analyses the field features of network messages, or the behavioural and correlation features of the traffic are analysed, to find the differences between botnet traffic and normal traffic and so discover the botnet. Because of the complexity of network traffic, the accuracy of this kind of method is relatively low.
Existing botnet detection methods for wide area networks are not targeted at botnets in electric power secondary networks. The network protocols used in an electric power secondary system are comparatively fixed; taking the station level network as an example, they are usually 103, 61850 and DNP, with the network forms of 101 and 104 in a few cases. All other protocol messages can be regarded as unconventional protocols that may have been generated by bot programs, so botnets can be detected by protocol identification. However, when a bot program propagates and acts using standard protocols such as 103 or 61850, protocol identification fails, and a traffic behaviour analysis method with a wider range of application is needed as a supplementary detection; but traffic behaviour analysis involves a large amount of computation and consumes considerable CPU and memory resources.
Therefore a botnet detection means is needed that is tailored to the characteristics of electric power secondary systems, combines protocol identification with traffic behaviour analysis, and retains good adaptability and detection accuracy while substantially reducing the consumption of computing resources. This application arises from that need.
Summary of the invention
The purpose of the invention is to provide a detection method for botnets in electric power secondary systems that reduces the consumption of computing resources and has good adaptability and detection accuracy.
To achieve the above purpose, the solution of the invention is as follows.
A detection method for botnets in electric power secondary systems includes the following steps:
Step 1: the packet capture module orders in time the messages generated by bot malicious code and outputs them to the flow aggregation module;
Step 2: the flow aggregation module groups the incoming messages into flows by protocol, source port, destination port, source IP and destination IP to obtain a flow record set, in which every flow record includes at least the flow start time, flow end time, total number of messages and total number of bytes of the flow; the flow record set is output to the flow sequence assembly module;
Step 3: the flow sequence assembly module assembles every flow record in the flow record set into flow sequences and outputs them to the flow sequence feature extraction module;
Step 4: the flow sequence feature extraction module extracts the mean flow time interval, mean flow duration and mean flow byte count of each flow sequence;
Step 5: the flow sequence feature extraction module converts each flow sequence into a 01 sequence, calculates the most significant frequency of the 01 sequence with the cyclic autocorrelation method, and calculates the most significant frequency of the power spectral density function of the 01 sequence;
Step 6: the flow sequence feature extraction module clusters each of the five flow sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence and most significant frequency of the power spectral density function) separately with the X-means clustering algorithm, and calculates the mean, standard deviation and clustering quality of each class;
Step 7: steps 1 to 6 are executed in a loop, and the flow sequence feature extraction module outputs the "flow fingerprint" of each bot malicious code, consisting of the class means, class standard deviations and clustering qualities of the five flow sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence and most significant frequency of the power spectral density function) together with a feature match count threshold and a feature similarity score threshold; the feature match count threshold and the feature similarity score threshold are adjusted automatically with a preset step so that the total false alarm rate and missed alarm rate reach their minimum within the adjustment range;
Step 8: the packet capture module receives the messages to be analysed as input, orders them in time and outputs them to the protocol identification module;
Step 9: the protocol identification module outputs the messages to be analysed to the flow aggregation module for flow grouping; after processing according to steps 2 to 5, the generated flow sequence features to be analysed are input to the feature matching module;
Step 10: the feature matching module compares the flow sequence features to be analysed with the "flow fingerprint" library; if the feature match count exceeds the feature match count threshold and the feature similarity score exceeds the feature similarity score threshold, the flow sequence to be analysed is treated as a flow sequence of that botnet; if several fingerprints are satisfied, the flow sequence is treated as belonging to the botnet with the largest feature similarity score; it is recorded and an alarm is generated.
The detailed content of step 1 above is: collect known bot malicious code samples and deploy them one at a time in an experimental environment that simulates the network structure of an electric power secondary system. When extracting features, deploy one kind at a time, let it run and propagate, and after a sufficiently long time record all messages in the network, order them in time and output them to the flow aggregation module.
In step 3 above, the method of assembling flow records into flow sequences is: flow records are assembled into flow sequences by protocol, source IP, destination IP and destination port; flow records with the same protocol, source IP, destination IP and destination port are arranged in order into one flow sequence.
In step 5 above, the process of converting a flow sequence into a 01 sequence is: a flow sequence is divided with a small time interval t; if the total duration of the flow sequence is T, then T=Nt with N a positive integer; within each interval t, the value is set to 1 if a flow starts in it and 0 otherwise, giving a 01 sequence of length N.
In step 9 above, before flow sequence feature detection, the protocol identification module first performs a protocol white list check: it parses the incoming messages according to the protocol structure and compares them with the predefined white list; a message that does not belong to the white list is treated as an abnormal message, recorded, and an alarm is generated; a message that belongs to the white list is output to the flow aggregation module for flow grouping.
After adopting the above scheme, the beneficial effects of the invention are:
(1) It targets the characteristics of electric power secondary networks, namely that the network protocols used in an electric power secondary system are comparatively fixed: taking the station level network as an example, they are usually 103, 61850 and DNP, with the network forms of 101 and 104 in a few cases, and all other protocol messages can be regarded as unconventional protocols that may have been generated by bot programs. Therefore the protocol identification method, with a protocol white list pre-configured in the detection program, can detect botnets effectively.
(2) When a bot program propagates and acts using standard protocols such as 103 or 61850, protocol identification fails, so a traffic behaviour analysis method has a wider range of application; but traffic behaviour analysis involves a large amount of computation and consumes considerable CPU and memory resources. For the characteristics of electric power secondary systems, the invention combines the protocol identification method with a behaviour analysis method based on flow sequence features, and retains good adaptability and detection accuracy while substantially reducing the consumption of computing resources.
(3) When describing the periodicity of a flow sequence, the invention combines the most significant frequency of the cyclic autocorrelation with the most significant frequency of the energy spectral density; compared with other methods such as power spectral density, this has the advantages of a small amount of computation and low resource consumption.
(4) The detection program of the invention is integrated into the network analyzer, an existing device in the electric power secondary system, so no new equipment needs to be added and the existing network architecture does not need to change, which makes it easy to implement.
Detailed description of the invention
Fig. 1 is the overall architecture diagram of the modules of the invention;
Fig. 2 is a schematic diagram of the process of building the bot flow sequence feature fingerprint in the invention;
Fig. 3 is a schematic diagram of the detection process of the invention on station level message mirrors.
Specific embodiment
The technical solution of the invention is described in detail below with reference to the drawings.
The invention provides a detection method for botnets in electric power secondary systems. Fig. 1 shows the overall architecture of the modules of the invention, which consists of six modules: the packet capture module, protocol identification module, flow aggregation module, flow sequence assembly module, flow sequence feature extraction module and feature matching module. The packet capture module captures messages and orders them in time; the protocol identification module parses the message protocol and matches it against the preset white list; the flow aggregation module groups messages into flow records by five-tuple; the flow sequence assembly module assembles flow records into flow sequences according to a rule; the flow sequence feature extraction module extracts flow sequence features and builds the bot feature database; and the feature matching module decides whether the features of a flow sequence under test match some botnet in the bot feature database.
Fig. 2 shows the process of building the bot flow sequence feature fingerprint in the invention. The "flow fingerprint" of each bot malicious code consists of the class means, class standard deviations and clustering qualities of five flow sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency f1 of the cyclic autocorrelation and most significant frequency f2 of the energy spectral density), together with the feature match count threshold σ1max and the feature similarity score threshold σ2max. The feature match count threshold is the minimum number of the five features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the cyclic autocorrelation, most significant frequency of the energy spectral density) of the flow sequence under test that must match the known bot flow sequence features. The feature similarity score threshold refers to the degree to which each feature of the flow sequence under test matches the known bot flow sequence features, described by one value, and is the minimum of the cumulative sum of the match values of all features. Only when the feature match count threshold and the feature similarity score threshold are both reached or exceeded at the same time is the flow sequence under test regarded as a flow sequence generated by the corresponding botnet.
Fig. 3 shows the detection process of the invention on station level message mirrors; it combines the protocol identification method with the behaviour analysis method based on flow sequence features, and retains good adaptability and detection accuracy while substantially reducing the consumption of computing resources.
The steps of the invention are as follows:
Step 1: the packet capture module orders in time the messages generated by bot malicious code. Specifically, known bot malicious code samples such as BlackEnergy, SDbot and Zbot (but not limited to these) are collected and deployed one at a time in an experimental environment that simulates the network structure of an electric power secondary system; the environment can be realised with several virtual machines or with real devices. When extracting features, one kind is deployed at a time and left to run and propagate; after a sufficiently long time all messages in the network are recorded, ordered in time, denoted G, and output to the flow aggregation module;
Step 2: the flow aggregation module groups the messages in G into flows by protocol, source port, destination port, source IP and destination IP to obtain the flow record set G1; every flow record should include at least the flow start time, flow end time, total number of messages and total number of bytes of the flow, and the flow record set is output to the flow sequence assembly module. Here a flow is the unidirectional transfer of messages between a source address and a destination address within a period of time, in which all messages have the same transport layer source port, destination port, protocol number, source address and destination address, i.e. the same five-tuple; a flow describes one specific communication activity between two end systems;
Step 3: the flow sequence assembly module assembles every flow record in the flow record set G1 into flow sequences by protocol, source IP, destination IP and destination port; flow records with the same protocol, source IP, destination IP and destination port are arranged in order into one flow sequence, the set of flow sequences is denoted G2, and all flow sequences are output to the flow sequence feature extraction module. Here a flow sequence is the sequence of flows generated by communication between a particular source address and a particular destination address and destination port within a period of time; it describes the overall characteristics of communication activity of the same kind between two end systems over that period. For example, if end system A requests port 80 of end system B repeatedly over a period of time, A and B generate several flows, and these flows sorted by flow start time form one flow sequence;
Step 4: for each flow sequence in G2, the flow sequence feature extraction module extracts the mean flow time interval, mean flow duration and mean flow byte count of the flow sequence;
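Steps 2 to 4 above (five-tuple flow aggregation, flow sequence assembly and the three mean features) as an added worked example; this is illustrative code written for this page, not the patent's own implementation. The packet tuples, addresses and port numbers are constructed, and the choices of measuring the flow interval between consecutive flow start times and of reporting 0.0 for a single-flow sequence are assumptions the page does not state.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packets (not captured traffic):
# (timestamp in seconds, protocol, src_ip, src_port, dst_ip, dst_port, length in bytes)
PACKETS = [
    (0.0, "tcp", "10.0.0.5", 40001, "10.0.0.9", 2404, 60),
    (0.5, "tcp", "10.0.0.5", 40001, "10.0.0.9", 2404, 120),
    (1.0, "tcp", "10.0.0.5", 40001, "10.0.0.9", 2404, 60),
    (3.0, "udp", "10.0.0.7", 5000, "10.0.0.9", 161, 80),
    (10.0, "tcp", "10.0.0.5", 40002, "10.0.0.9", 2404, 60),
    (10.5, "tcp", "10.0.0.5", 40002, "10.0.0.9", 2404, 120),
    (11.0, "tcp", "10.0.0.5", 40002, "10.0.0.9", 2404, 60),
    (20.0, "tcp", "10.0.0.5", 40003, "10.0.0.9", 2404, 60),
    (21.0, "tcp", "10.0.0.5", 40003, "10.0.0.9", 2404, 60),
]


@dataclass
class FlowRecord:
    """One flow record as in step 2: five-tuple plus start, end, message and byte totals."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start: float
    end: float
    packets: int
    total_bytes: int


def aggregate_flows(packets):
    """Step 2: group time-ordered packets into flow records by five-tuple.

    As on the page, one five-tuple is one flow; a production aggregator would
    additionally split a five-tuple on an idle timeout (not done here).
    """
    flows = {}
    for ts, proto, sip, sport, dip, dport, length in sorted(packets, key=lambda p: p[0]):
        key = (proto, sip, sport, dip, dport)
        rec = flows.get(key)
        if rec is None:
            flows[key] = FlowRecord(proto, sip, sport, dip, dport, ts, ts, 1, length)
        else:
            rec.end = ts
            rec.packets += 1
            rec.total_bytes += length
    return list(flows.values())


def assemble_sequences(flows):
    """Step 3: flows with the same (protocol, src IP, dst IP, dst port) form one
    flow sequence ordered by flow start time; the ephemeral source port is dropped."""
    seqs = defaultdict(list)
    for rec in flows:
        seqs[(rec.proto, rec.src_ip, rec.dst_ip, rec.dst_port)].append(rec)
    for seq in seqs.values():
        seq.sort(key=lambda r: r.start)
    return dict(seqs)


def sequence_features(seq):
    """Step 4: mean flow time interval, mean flow duration and mean flow byte count.

    The interval is measured between consecutive flow start times; a sequence with
    a single flow has no interval and 0.0 is used (assumption, not on the page).
    """
    starts = [r.start for r in seq]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "mean_interval": sum(gaps) / len(gaps) if gaps else 0.0,
        "mean_duration": sum(r.end - r.start for r in seq) / len(seq),
        "mean_bytes": sum(r.total_bytes for r in seq) / len(seq),
    }


if __name__ == "__main__":
    for key, seq in assemble_sequences(aggregate_flows(PACKETS)).items():
        print(key, len(seq), "flows", sequence_features(seq))
```

The three TCP connections from 10.0.0.5 to port 2404 of 10.0.0.9 become three flow records and one flow sequence with a mean interval of 10 s, a mean duration of 1 s and a mean size of 200 bytes; the single UDP flow forms a sequence of its own.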
Step 5: the flow sequence feature extraction module converts each flow sequence in G2 into a 01 sequence, calculates the most significant frequency of the 01 sequence with the cyclic autocorrelation method, and calculates the most significant frequency of the power spectral density function of the 01 sequence; the most significant frequency of the power spectral density function of the 01 sequence is used to describe the periodicity of the 01 sequence. Here 01 serialization means dividing a flow sequence with a small time interval t: if the total duration of the flow sequence is T and t is taken as 1/4 of the mean flow time interval, then T=Nt with N a positive integer; within each interval t, the value is set to 1 if a flow starts in it and 0 otherwise, giving a 01 sequence of length N.
Let the set of 01 sequences be S. The most significant frequency f1 of each sequence in S is calculated with the cyclic autocorrelation method as follows.
The number of items of the 01 sequence f is normalised to an integer power of 2 by choosing the subsequence formed by the first P elements of f, satisfying:
P = 2^n, P ≤ M, 2^(n+1) > M, n ∈ Q
where P is the number of elements of the 01 sequence f after normalisation, M is the original number of elements of f, and Q is the set of natural numbers.
The discrete autocorrelation function of the 01 sequence f:
The discrete cyclic autocorrelation function of the 01 sequence f:
The most significant frequency of the cyclic autocorrelation is calculated as:
For each sequence in S the power spectral density function Φ is calculated, and from Φ the most significant frequency f2 of the energy spectral density function of the sequence is obtained as follows.
The discrete Fourier transform of the 01 sequence f:
The power spectral density function of the 01 sequence f:
The number of items of the 01 sequence f is normalised to an integer power of 2 by choosing the subsequence formed by the first P elements of f, satisfying:
P = 2^n, P ≤ M, 2^(n+1) > M, n ∈ Q
where P is the number of elements of the 01 sequence f after normalisation, M is the original number of elements of f, and Q is the set of natural numbers.
After obtaining the power spectral density function Φ(k), the k ≠ 0 that maximises Φ(k) is chosen and the frequency f2 is calculated:
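Step 5 as an added worked example (illustrative code for this page, not the patent's own): 01 serialization with t equal to a quarter of the mean flow interval, truncation to the first P = 2^n elements, the cyclic autocorrelation and the DFT-based power spectral density, and the most significant frequency read from each. The formulas the page refers to are not reproduced in the text, so the standard definitions R(k) = Σ s[i]·s[(i+k) mod P] and Φ(k) = |F(k)|²/P are assumed, as are the rules f1 = 1/(k*·t) for the dominant lag k* and f2 = k/(P·t) for the dominant DFT bin, with ties resolved towards the lowest frequency. The flow times are constructed.

```python
import cmath
import math

# Constructed flow sequence (start, end) times in seconds: a host opening one
# connection every 10 s, each lasting 1 s. Not captured traffic.
FLOW_TIMES = [(10.0 * i, 10.0 * i + 1.0) for i in range(8)]


def serialize_01(flow_times, mean_interval):
    """Step 5: 01 serialization. The slot width t is 1/4 of the mean flow interval;
    N = floor(T/t) + 1 slots cover the sequence (so the last start always has a slot)
    and a slot is 1 if a flow starts inside it."""
    if mean_interval <= 0:
        raise ValueError("need at least two flows to define a mean interval")
    t = mean_interval / 4.0
    t0 = min(s for s, _ in flow_times)
    total = max(e for _, e in flow_times) - t0
    n = int(total / t) + 1
    bits = [0] * n
    for start, _ in flow_times:
        bits[int((start - t0) / t)] = 1
    return bits, t


def power_of_two_prefix(bits):
    """Keep the first P elements with P = 2^n, P <= M, 2^(n+1) > M."""
    m = len(bits)
    p = 1 << (m.bit_length() - 1)
    return bits[:p]


def cyclic_autocorrelation(seq):
    """R(k) = sum_i s[i]*s[(i+k) mod P] for k = 0..P-1 (standard definition, assumed)."""
    p = len(seq)
    return [sum(seq[i] * seq[(i + k) % p] for i in range(p)) for k in range(p)]


def _dominant_index(values, lo, hi):
    """Smallest index in [lo, hi] whose value is within 1e-9 of the maximum, or 0 if
    the maximum is not positive. Ties go to the lowest index so a pure impulse train
    yields its fundamental rather than a harmonic (assumption; the page shows no formula)."""
    best = max(values[lo:hi + 1])
    if best <= 0:
        return 0
    for k in range(lo, hi + 1):
        if values[k] >= best * (1 - 1e-9):
            return k
    return lo


def f1_cyclic_autocorrelation(seq, t):
    """Most significant frequency f1 from the cyclic autocorrelation: the lag k* in
    1..P/2 with the largest R(k) gives f1 = 1/(k*·t). Also returns R(k*)/R(0), the
    'cyclic autocorrelation maximum ratio' the page uses as the quality of f1 in step 6."""
    r = cyclic_autocorrelation(seq)
    if r[0] == 0:
        return 0.0, 0.0
    k = _dominant_index(r, 1, len(seq) // 2)
    return 1.0 / (k * t), r[k] / r[0]


def f2_power_spectral_density(seq, t):
    """Most significant frequency f2 from the PSD Φ(k) = |F(k)|^2 / P of the DFT F:
    the k != 0 (up to P/2) maximising Φ(k) gives f2 = k / (P·t); 0.0 for an empty sequence."""
    p = len(seq)
    psd = []
    for k in range(p):
        fk = sum(seq[n] * cmath.exp(-2j * math.pi * k * n / p) for n in range(p))
        psd.append(abs(fk) ** 2 / p)
    k = _dominant_index(psd, 1, p // 2)
    return k / (p * t)


def spectral_features(flow_times, mean_interval):
    """Full step 5 for one flow sequence: returns (f1, f1_ratio, f2)."""
    bits, t = serialize_01(flow_times, mean_interval)
    seq = power_of_two_prefix(bits)
    f1, ratio = f1_cyclic_autocorrelation(seq, t)
    return f1, ratio, f2_power_spectral_density(seq, t)


if __name__ == "__main__":
    print(spectral_features(FLOW_TIMES, 10.0))
```

With a 10 s mean interval the slot width is 2.5 s, the 29-slot 01 sequence is cut to 16 slots with ones every fourth slot, and both the autocorrelation lag (4 slots) and the dominant DFT bin give the beaconing frequency 0.1 Hz; the ratio R(k*)/R(0) of 1.0 says the period is perfectly regular. The O(P²) DFT is kept for readability; a real extractor on long sequences would use an FFT.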
Step 6: the five flow sequence features obtained in the above steps (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency f1 of the 01 sequence and most significant frequency f2 of the power spectral density function) are each clustered separately with the X-means clustering algorithm, so that each feature yields several cluster sets. Normal traffic collected in a real station level environment is mixed with the botnet traffic from step 1 and steps 2 to 5 are repeated. For each flow sequence of the mixed traffic, its feature vector T[i] is compared with every cluster set of each feature: if T[i] lies in [c-2sd, c+2sd], where c is the mean of the cluster set and sd its standard deviation, the feature match count σ1 is increased by 1 and the feature similarity score σ2 is increased by Qc*QTi, where Qc is the clustering quality of the hit class and QTi is the quality of flow sequence T on attribute i, i.e. the flow sequence feature quality, QTi = exp(-β*sd/c), with β an adjustment parameter (2.5); the quality of f1 of a flow sequence is replaced by the maximum ratio of the cyclic autocorrelation, and the quality of f2 by the quality of the mean flow time interval. If σ1 reaches the feature match count threshold σ1max and σ2 reaches the feature similarity score threshold σ2max, the flow sequence is considered to belong to the corresponding bot flow sequence. The values of σ1max and σ2max are adjusted automatically: σ1max is tried from 0 to 5 with step 1 and σ2max from 0 to 5 with step 0.1, so that the false alarm rate and missed alarm rate reach their minimum;
Step 7: steps 1 to 6 are repeated to obtain the "flow fingerprint" of each bot malicious code, which consists of the mean, standard deviation and clustering quality of each cluster class of the mean flow time interval, mean flow duration, mean flow byte count, frequency f1 and frequency f2, together with σ1max and σ2max; the feature match count threshold and the feature similarity score threshold are adjusted automatically with a preset step so that the total false alarm rate and missed alarm rate reach their minimum within the adjustment range. Here the feature match count threshold is the minimum number of the five features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence, most significant frequency of the energy spectral density function) of the flow sequence under test that must match the known bot flow sequence features; the feature similarity score threshold refers to the degree to which each feature of the flow sequence under test matches the known bot flow sequence features, described by one value, and is the minimum of the cumulative sum of the match values of all features; only when the feature match count threshold and the feature similarity score threshold are both reached or exceeded at the same time is the flow sequence under test regarded as a flow sequence generated by the corresponding botnet;
Step 8: steps 1 to 7 form the extraction process of the botnet "flow fingerprint". The fingerprint library and the detection program are deployed in the network analyzer of the station; the network analyzer must be connected to the mirror port of the core switch to collect the message mirror of the whole station. The packet capture module receives the messages to be analysed as input, orders them in time and outputs them to the protocol identification module;
Step 9: a protocol white list is configured by entering the protocols that may appear in the existing station level network, such as IEC60870-5-103, IEC61850 and DNP, into the detection program. The protocol identification module parses the incoming messages according to the protocol structure and compares them with the predefined white list: a message that does not belong to the white list is treated as an abnormal message, recorded, and an alarm is generated; a message that belongs to the white list is output to the flow aggregation module for flow grouping, and after processing according to steps 2 to 5 the generated flow sequence features to be analysed are input to the feature matching module;
Step 10: for each flow sequence to be analysed, the feature matching module compares its flow sequence features with the "flow fingerprint" library and calculates the feature match count σ1 and feature similarity score σ2 against every fingerprint in the library. If σ1 reaches the σ1max of a fingerprint and σ2 reaches its σ2max, the flow sequence to be analysed is considered to belong to that botnet and is treated as a flow sequence of that botnet; if several fingerprints are satisfied, the flow sequence is treated as belonging to the botnet with the largest σ2; it is recorded and an alarm is generated.
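The detection path of steps 9 and 10, with the scoring rule of step 6, as an added worked example (illustrative code for this page, not the patent's detection program): the white list check, then σ1 and σ2 computed against every fingerprint in a library using the [c-2sd, c+2sd] window and QTi = exp(-β·sd/c) with β = 2.5, then the threshold test and the largest-σ2 rule when several fingerprints are satisfied. The fingerprint library, its cluster values and the observed feature vector are constructed and illustrative only; the page's substitution of other qualities for f1 and f2 is left out and the exponential formula is applied to all five features, and when several clusters of one feature are hit the largest contribution is used, both of which are simplifying assumptions.

```python
import math

BETA = 2.5  # adjustment parameter from step 6 of the page

# Page's example white list for a station level network (step 9).
PROTOCOL_WHITELIST = {"IEC60870-5-103", "IEC61850", "DNP"}

FEATURES = ("mean_interval", "mean_duration", "mean_bytes", "f1", "f2")

# Constructed "flow fingerprint" library: per feature a list of cluster classes
# (mean c, standard deviation sd, clustering quality Qc) plus the two thresholds.
# Values are illustrative and not derived from any real malware sample.
FINGERPRINTS = {
    "bot-A": {
        "clusters": {
            "mean_interval": [(10.0, 1.0, 0.9)],
            "mean_duration": [(1.0, 0.2, 0.8)],
            "mean_bytes": [(200.0, 40.0, 0.7)],
            "f1": [(0.1, 0.01, 0.9)],
            "f2": [(0.1, 0.01, 0.9)],
        },
        "sigma1_max": 4,
        "sigma2_max": 2.0,
    },
    "bot-B": {
        "clusters": {
            "mean_interval": [(10.0, 2.0, 0.5)],
            "mean_duration": [(1.0, 0.5, 0.5)],
            "mean_bytes": [(300.0, 50.0, 0.5)],
            "f1": [(0.1, 0.05, 0.5)],
            "f2": [(0.1, 0.05, 0.5)],
        },
        "sigma1_max": 3,
        "sigma2_max": 1.0,
    },
}


def feature_quality(c, sd):
    """Q_Ti = exp(-beta*sd/c). The page swaps in other qualities for f1 and f2;
    this example applies the formula uniformly (simplification)."""
    return math.exp(-BETA * sd / c)


def score_against(fingerprint, observed):
    """Step 10 scoring: sigma1 counts features falling inside [c-2sd, c+2sd] of some
    cluster, sigma2 accumulates Qc*Q_Ti for each hit. If several clusters of one
    feature are hit, the largest Qc*Q_Ti is used (assumption)."""
    sigma1, sigma2 = 0, 0.0
    for name in FEATURES:
        value = observed[name]
        best = None
        for c, sd, qc in fingerprint["clusters"][name]:
            if c - 2 * sd <= value <= c + 2 * sd:
                contrib = qc * feature_quality(c, sd)
                best = contrib if best is None else max(best, contrib)
        if best is not None:
            sigma1 += 1
            sigma2 += best
    return sigma1, sigma2


def match_fingerprints(observed, library=FINGERPRINTS):
    """Name of the matching botnet, or None. Both thresholds must be reached;
    among several satisfied fingerprints the largest sigma2 wins."""
    best_name, best_sigma2 = None, -1.0
    for name, fp in library.items():
        s1, s2 = score_against(fp, observed)
        if s1 >= fp["sigma1_max"] and s2 >= fp["sigma2_max"] and s2 > best_sigma2:
            best_name, best_sigma2 = name, s2
    return best_name


def inspect(protocol, observed, whitelist=PROTOCOL_WHITELIST, library=FINGERPRINTS):
    """Step 9 then step 10: an unlisted protocol raises an abnormal-protocol alarm and
    is not scored; otherwise the flow sequence features are matched against the library."""
    if protocol not in whitelist:
        return ("abnormal_protocol", None)
    hit = match_fingerprints(observed, library)
    return ("botnet", hit) if hit else ("clean", None)


# Constructed feature vector of one flow sequence under test.
OBSERVED = {"mean_interval": 10.5, "mean_duration": 1.1, "mean_bytes": 300.0,
            "f1": 0.105, "f2": 0.1}

if __name__ == "__main__":
    print(inspect("IEC61850", OBSERVED))  # ('botnet', 'bot-A')
    print(inspect("HTTP", OBSERVED))      # ('abnormal_protocol', None)
```

The observed sequence satisfies both fingerprints (bot-A with four of five features matched, bot-B with all five but looser, lower-quality clusters), and the tighter bot-A wins on σ2, which is the behaviour step 10 specifies for multiple satisfied fingerprints.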
In summary, the invention combines the protocol identification method with the behaviour analysis method based on flow sequence features, and retains good adaptability and detection accuracy while substantially reducing the consumption of computing resources. For the characteristics of electric power secondary systems, whose protocols are few and whose flow sequence patterns are relatively fixed, the invention first detects abnormal protocol messages in the network, and second detects whether the flow sequence features in the network match the flow sequence features generated by previously known bot programs; from this it judges whether a botnet exists in the electric power secondary network. Combining the two means retains good adaptability and detection accuracy while substantially reducing the consumption of computing resources, and provides a safeguard for the safe operation of electric power secondary systems.
The above embodiment only illustrates the technical idea of the invention and does not limit its scope of protection; any change made on the basis of the technical scheme according to the technical idea provided by the invention falls within the scope of protection of the invention.
Claims (4)
1. A detection method for an electric power secondary system botnet, characterized in that it includes the following steps:
Step 1: the packet capture module sorts by time the messages generated by zombie malicious code and outputs them to the flow grouping module;
Step 2: the flow grouping module groups the incoming messages into flows by protocol, source port, destination port, source IP and destination IP, obtaining a flow record set; each flow record contains at least the flow start time, flow end time, total number of messages and total bytes of the flow; the flow record set is output to the stream sequence assembly module;
Step 3: the stream sequence assembly module assembles the flow records of the flow record set into stream sequences and outputs them to the stream sequence feature extraction module;
Step 4: the stream sequence feature extraction module extracts, for each stream sequence, the mean flow time interval, the mean flow duration and the mean flow byte count;
Step 5: the stream sequence feature extraction module performs 01 serialization on the stream sequence, calculates the most significant frequency of the 01 sequence using the circular autocorrelation method, and calculates the most significant frequency of the power spectral density function of the 01 sequence;
In step 5, the process of 01 serialization of a stream sequence is: the stream sequence is divided with a small time interval t; if the total duration of the stream sequence is T, then T = N·t with N a positive integer; within each interval t, if a flow starts, the value is set to 1, otherwise to 0, giving a 01 sequence of length N;
Step 6: the stream sequence feature extraction module clusters each of the five stream sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence, and most significant frequency of the power spectral density function) separately using the X-means clustering algorithm, and calculates the mean, standard deviation and clustering quality of each class;
Step 7: steps 1 to 6 are executed cyclically, and the stream sequence feature extraction module outputs a flow fingerprint for each zombie malicious code, comprising the class mean, class standard deviation and clustering quality of each of the five stream sequence features (mean flow time interval, mean flow duration, mean flow byte count, most significant frequency of the 01 sequence, most significant frequency of the power spectral density function), together with a feature matching number threshold and a feature similarity score threshold; the feature matching number threshold and the feature similarity score threshold are adjusted automatically with a preset step so that the total false alarm rate and missed alarm rate reach a minimum within the adjustment range;
Let the set of 01 sequences be S; the most significant frequency f1 of each sequence in S is calculated with the circular autocorrelation method as follows:
The number of elements of a 01 sequence f is normalized to an integer power of 2 by taking the subsequence formed by the first P elements of f, where
P = 2^n, P ≤ M, 2^(n+1) > M, n ∈ Q
where P is the number of elements of the 01 sequence f after normalization, M is the original number of elements of f, and Q is the set of natural numbers;
The discrete autocorrelation function of the 01 sequence f:
The discrete cyclic autocorrelation function of the 01 sequence f:
The most significant frequency of the cyclic autocorrelation is calculated as:
For each sequence in S the power spectral density function Φ is calculated, and the most significant frequency f2 of the power spectral density function of the sequence is obtained from Φ as follows:
The discrete Fourier transform of the 01 sequence f:
The power spectral density function of the 01 sequence f:
The number of elements of the 01 sequence f is normalized to an integer power of 2 by taking the subsequence formed by the first P elements of f, where
P = 2^n, P ≤ M, 2^(n+1) > M, n ∈ Q
where P is the number of elements of the 01 sequence f after normalization, M is the original number of elements of f, and Q is the set of natural numbers;
After obtaining the power spectral density function Φ(k), the k ≠ 0 that maximizes Φ is chosen and the frequency f2 is calculated from k:
Step 8: the packet capture module receives the messages to be analyzed as input, sorts them by time and outputs them to the protocol identification module;
Step 9: the protocol identification module outputs the messages to be analyzed to the flow grouping module for flow grouping; after processing according to steps 2 to 5, the resulting stream sequence signature to be analyzed is input to the feature matching module;
Step 10: the feature matching module compares the stream sequence signature to be analyzed against the "flow fingerprint" library; if the feature matching number exceeds the feature matching number threshold and the feature similarity score exceeds the feature similarity score threshold, the stream sequence to be analyzed is handled as a stream sequence of that botnet; if several fingerprints are satisfied, the stream sequence is handled as a botnet stream sequence of the fingerprint with the largest feature similarity score, recorded, and an alarm is generated.
2. The detection method for an electric power secondary system botnet as claimed in claim 1, characterized in that the detailed content of step 1 is: known zombie malicious code samples are collected and deployed one at a time in an experimental environment that simulates the network structure of the electric power secondary system; one kind is deployed each time features are extracted and is left to run and propagate; after a sufficiently long time, all messages in the network are recorded, sorted by time and output to the flow grouping module.
3. The detection method for an electric power secondary system botnet as claimed in claim 1, characterized in that in step 3 the method of assembling flow records into stream sequences is: the flow records are assembled into stream sequences according to protocol, source IP, destination IP and destination port, flow records with the same protocol, source IP, destination IP and destination port being arranged in time order into one stream sequence.
4. The detection method for an electric power secondary system botnet as claimed in claim 1, characterized in that in step 9, before stream sequence signature detection, the protocol identification module first performs protocol white-list detection: the protocol of the incoming message is resolved according to the protocol structure and compared with a predefined white list; if it does not belong to the white list, the message is handled as an abnormal message, recorded and an alarm is generated; if it belongs to the white list, the message to be analyzed is output to the flow grouping module for flow grouping.
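The following is an added worked example, not code from the patent, of the per-sequence feature extraction of steps 4 and 5 of claim 1 and of the f1/f2 frequency calculations of step 7, applied to one constructed stream sequence that beacons every 8 seconds. Because the patent's formulas are not reproduced on this page, the circular autocorrelation, the periodogram Φ(k) = |X(k)|²/P, and the peak-selection rules (strongest lag or k in 1..P/2) are standard definitions assumed by the example, and T_BIN, FLOWS and all function names are the example's own.

```python
import cmath
from math import ceil, floor

T_BIN = 1.0  # constructed: serialisation interval t (seconds)
# Constructed sample: 9 flows beaconing every 8 s, as (start, end, bytes), in time order.
FLOWS = [(8.0 * i, 8.0 * i + 1.5, 300 + 10 * i) for i in range(9)]

def basic_features(flows):
    """Step 4: mean flow time interval, mean flow duration, mean flow bytes."""
    starts = [s for s, _, _ in flows]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    mean_dur = sum(e - s for s, e, _ in flows) / len(flows)
    mean_bytes = sum(b for _, _, b in flows) / len(flows)
    return mean_gap, mean_dur, mean_bytes

def serialise01(flows, t=T_BIN):
    """Step 5: one bin per interval t; a bin is 1 if a flow starts inside it."""
    t0 = min(s for s, _, _ in flows)
    n_bins = ceil((max(e for _, e, _ in flows) - t0) / t)  # T = N * t
    seq = [0] * n_bins
    for s, _, _ in flows:
        seq[floor((s - t0) / t)] = 1
    return seq

def normalise_pow2(seq):
    """Keep the first P elements, P = 2^n with P <= M < 2^(n+1)."""
    p = 1
    while p * 2 <= len(seq):
        p *= 2
    return seq[:p]

def dominant_freq_autocorr(seq, t=T_BIN):
    """Circular autocorrelation R(m) (assumed definition); the strongest lag in 1..P/2 is the period."""
    x = normalise_pow2(seq); p = len(x)
    r = [sum(x[i] * x[(i + m) % p] for i in range(p)) for m in range(p)]
    m_star = max(range(1, p // 2 + 1), key=lambda m: r[m])
    return 1.0 / (m_star * t)

def dominant_freq_psd(seq, t=T_BIN):
    """Periodogram Phi(k) = |X(k)|^2 / P via direct DFT (assumed); k != 0 maximising Phi gives f2 = k / (P t)."""
    x = normalise_pow2(seq); p = len(x)
    phi = []
    for k in range(p):
        xk = sum(x[i] * cmath.exp(-2j * cmath.pi * k * i / p) for i in range(p))
        phi.append(round(abs(xk) ** 2 / p, 9))  # rounding lets tied harmonics resolve to the lowest k
    k_star = max(range(1, p // 2 + 1), key=lambda k: phi[k])
    return k_star / (p * t)
```

For the constructed beacon both estimators return 0.125 Hz (an 8 s period), and the 66-bin 01 sequence is truncated to P = 64 before either transform.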
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610488613.3A CN105978897B (en) | 2016-06-28 | 2016-06-28 | A kind of detection method of electric power secondary system Botnet |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610488613.3A CN105978897B (en) | 2016-06-28 | 2016-06-28 | A kind of detection method of electric power secondary system Botnet |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105978897A CN105978897A (en) | 2016-09-28 |
CN105978897B true CN105978897B (en) | 2019-05-07 |
Family
ID=57019380
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610488613.3A Expired - Fee Related CN105978897B (en) | 2016-06-28 | 2016-06-28 | A kind of detection method of electric power secondary system Botnet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105978897B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108566340B (en) * | 2018-02-05 | 2021-03-09 | 中国科学院信息工程研究所 | Network flow refined classification method and device based on dynamic time warping algorithm |
CN110912860B (en) * | 2018-09-18 | 2022-02-18 | 北京数安鑫云信息技术有限公司 | Method and device for detecting pseudo periodic access behavior |
CN109617893B (en) * | 2018-12-27 | 2021-06-25 | 绿盟科技集团股份有限公司 | Method and device for preventing botnet DDoS attack and storage medium |
CN110287699B (en) * | 2019-06-12 | 2021-02-26 | 杭州迪普科技股份有限公司 | Application program feature extraction method and device |
CN110381083B (en) * | 2019-08-07 | 2022-02-18 | 浙江双成电气有限公司 | Smart power grid communication anomaly detection method based on time sequence |
CN112565183B (en) * | 2020-10-29 | 2022-12-09 | 中国船舶重工集团公司第七0九研究所 | Network flow abnormity detection method and device based on flow dynamic time warping algorithm |
CN113271322B (en) * | 2021-07-20 | 2021-11-23 | 北京明略软件系统有限公司 | Abnormal flow detection method and device, electronic equipment and storage medium |
CN114374528A (en) * | 2021-11-24 | 2022-04-19 | 河南中裕广恒科技股份有限公司 | Data security detection method and device, electronic equipment and medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102333313A (en) * | 2011-10-18 | 2012-01-25 | 中国科学院计算技术研究所 | Feature code generation method and detection method of mobile botnet |
CN103746982B (en) * | 2013-12-30 | 2017-05-31 | 中国科学院计算技术研究所 | A kind of http network condition code automatic generation method and its system |
CN104168272A (en) * | 2014-08-04 | 2014-11-26 | 国家电网公司 | Trojan horse detection method based on communication behavior clustering |
CN105187411B (en) * | 2015-08-18 | 2018-09-14 | 福建省海峡信息技术有限公司 | A kind of method of distribution abnormality detection network data flow |
Also Published As
Publication number | Publication date |
---|---|
CN105978897A (en) | 2016-09-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190507 |