CN106027554A - Hacker tool mining method, device and system - Google Patents


Info

Publication number
CN106027554A
Authority
CN
China
Legal status
Pending
Application number
CN201610514159.4A
Other languages
Chinese (zh)
Inventor
易蜀锋
张永臣
Current Assignee
BEIJING NETENTSEC Inc
Original Assignee
BEIJING NETENTSEC Inc


Classifications (CPC)

    • H04L63/1425 Traffic logging, e.g. anomaly detection (H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (same parent groups)


Abstract

The embodiment of the invention discloses a hacker tool mining method for a cloud server. The method comprises the following steps: receiving multiple network logs sent by at least one user device; obtaining the attack-class network logs among the multiple network logs; extracting the attack information of each attack-class network log, the attack information comprising an attack IP and an attack ID; and performing data mining on the attack information of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool, the attack ID group comprising at least one attack ID. The embodiment of the invention further provides a hacker tool mining method applied to the user device, as well as the cloud server, the user device and a hacker tool mining system.

Description

Hacker tool mining method, device and system
Technical field
The present invention relates to network security technology in the field of computing, and in particular to a hacker tool mining method, device and system.
Background
With the growing popularity of the Internet, networks now reach into every aspect of daily life, and network security has consequently become a problem that demands people's attention.
Many hackers on the network exploit vulnerabilities to enter methods, systems or computers without the owner's permission and steal information, so organisations and systems that do business over the Internet face an unprecedented threat: once such an organisation or system is successfully attacked, the result is heavy economic loss. To prevent systems from being attacked by hackers, a firewall needs to be deployed for each system; a firewall can effectively avoid hacker attacks and improve the security of the system.
However, network security is a technology-intensive field, and different hackers specialise in different areas: some are good at vulnerability discovery, some at evading antivirus software, some know network infrastructure very well, and others are skilled at social engineering. Different hackers therefore produce different attack behaviours, a firewall has difficulty providing complete protection, and the security of the system remains relatively low.
Summary of the invention
To solve the above technical problem, embodiments of the present invention aim to provide a hacker tool mining method, device and system that can mine the attack pattern of any hacker tool, so that a firewall can recognise each hacker tool by its attack pattern and provide complete protection accordingly, improving the security of the system.
The technical solution of the present invention is achieved as follows:
In a first aspect, an embodiment of the present invention provides a hacker tool mining method for a cloud server, comprising:
receiving multiple network logs sent by at least one user device;
obtaining the attack-class network logs among the multiple network logs;
extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID;
performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
Optionally, performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool includes:
describing the attack information of each attack-class network log as a vector to obtain an attack vector for each piece of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information;
performing data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, performing data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool includes:
using a frequent itemset mining algorithm to perform data mining on the attack vectors of the attack-class network logs, obtaining the attack ID group corresponding to each hacker tool.
Optionally, the attack information also includes an attack time.
In a second aspect, an embodiment of the present invention provides a hacker tool mining method for a user device, comprising:
obtaining the network access behaviour of a user;
generating a network log according to the network traffic produced by the user's network access behaviour;
sending the network log to a cloud server.
In a third aspect, an embodiment of the present invention provides a cloud server, comprising:
a receiving unit for receiving multiple network logs sent by at least one user device;
an acquiring unit for obtaining the attack-class network logs among the multiple network logs;
an extraction unit for extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID;
a mining unit for performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
Optionally, the mining unit is specifically configured to:
describe the attack information of each attack-class network log as a vector to obtain an attack vector for each piece of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information;
perform data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, the mining unit is specifically configured to:
use a frequent itemset mining algorithm to perform data mining on the attack vectors of the attack-class network logs, obtaining the attack ID group corresponding to each hacker tool.
Optionally, the attack information also includes an attack time.
In a fourth aspect, an embodiment of the present invention provides a user device, comprising:
an acquiring unit for obtaining the network access behaviour of a user;
a generating unit for generating a network log according to the network traffic produced by the user's network access behaviour;
a sending unit for sending the network log to a cloud server.
In a fifth aspect, an embodiment of the present invention provides a hacker tool mining system comprising at least one user device and a cloud server connected to the at least one user device;
the user device is configured to obtain the network access behaviour of a user, generate a network log according to the network traffic produced by the user's network access behaviour, and send the network log to the cloud server;
the cloud server is configured to receive the multiple network logs sent by the at least one user device, obtain the attack-class network logs among the multiple network logs, extract the attack information of each attack-class network log, the attack information including an attack IP and an attack ID, and perform data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
Embodiments of the present invention provide a hacker tool mining method, device and system. The hacker tool mining method includes: receiving multiple network logs sent by at least one user device; obtaining the attack-class network logs among the multiple network logs; extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID; performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and a hacker tool can then be identified by its attack pattern, so that a firewall can recognise each hacker tool by its attack pattern and provide complete protection accordingly, improving the security of the system.
Brief description of the drawings
Fig. 1 is a first schematic flowchart of a hacker tool mining method provided by an embodiment of the present invention;
Fig. 2 is a second schematic flowchart of a hacker tool mining method provided by an embodiment of the present invention;
Fig. 3 is an interaction diagram of a hacker tool mining method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a cloud server provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a user device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a hacker tool mining system provided by an embodiment of the present invention.
Detailed description of the invention
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings.
An embodiment of the present invention provides a hacker tool mining method for a cloud server, which may be deployed as a cloud data analysis centre. As shown in Fig. 1, the hacker tool mining method includes:
Step 101: receive multiple network logs sent by at least one user device.
In the hacker tool mining system, the cloud server is connected to multiple user devices; each user device can generate multiple network logs and send the generated logs to the cloud server.
Step 102: obtain the attack-class network logs among the multiple network logs.
For example, the user device sends all the network logs it generates to the cloud server, including the message flow logs, network access logs, zone protection logs and so on produced by normal access, as well as attack-class network logs, and the cloud server extracts the attack-class network logs from all the logs it receives. Specifically, when a user device produces an attack-class network log it places in that log the attack ID (identification) corresponding to the attack type, so the cloud server can determine whether a network log is an attack-class network log by whether the log carries an attack ID.
Step 103: extract the attack information of each attack-class network log, the attack information including an attack IP and an attack ID.
For example, after obtaining multiple attack-class network logs, the cloud server analyses each one and obtains its attack IP and attack ID. Suppose a first network log is an attack-class network log: the cloud server analyses it and extracts the attack IP of the first network log, i.e. the IP address that produced the first network log, and the attack ID of the first network log, i.e. the attack type of the first network log. Optionally, the attack information may also include an attack time: the cloud server can extract the attack time of the first network log, which is the time at which the network access behaviour corresponding to the first network log occurred.
Step 104: perform data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
For example, the same attack IP may be equipped with multiple hacker tools, each hacker tool may produce multiple hacker attack behaviours, and each kind of attack behaviour corresponds to a different attack ID, so one attack IP may correspond to the multiple attack IDs produced by its hacker tools. By mathematical analysis, the attack ID group corresponding to each hacker tool can be obtained from the multiple attack IDs corresponding to each attack IP, and the hacker tool that produces the attack IDs contained in the group can then be identified by that attack ID group.
In this way, the attack pattern of any hacker tool can be obtained by data mining, a hacker tool can be identified by its attack pattern, and a firewall can recognise each hacker tool by its attack pattern and provide complete protection accordingly, improving the security of the system.
Optionally, when performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack information of each attack-class network log may first be described as a vector to obtain an attack vector for each piece of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information; data mining is then performed on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
For example, to make mathematical analysis easier, the attack information can be vectorised so that each piece of attack information corresponds to one vector. The first vector corresponding to the first network log includes at least the attack IP and attack ID of the first network log; in practice, the first vector may also include the attack time. The elements of each vector can be chosen according to the specific situation, which the embodiments of the present invention do not limit.
Optionally, when performing data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool, a frequent itemset mining algorithm can be used to perform data mining on the attack vectors of the attack-class network logs and obtain the attack ID group corresponding to each hacker tool.
For example, there are many implementations of frequent itemset mining algorithms; the embodiments of the present invention are illustrated with the FP-Growth algorithm. FP-Growth uses a data structure called a frequent pattern tree (FP-tree), which is a special prefix tree composed of a frequent item header table and an item prefix tree, and FP-Growth speeds up the whole mining process on the basis of this structure.
Embodiments of the present invention provide a hacker tool mining method, including: receiving multiple network logs sent by at least one user device; obtaining the attack-class network logs among the multiple network logs; extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID; performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and a hacker tool can then be identified by its attack pattern, so that a firewall can recognise each hacker tool by its attack pattern and provide complete protection accordingly, improving the security of the system.
An embodiment of the present invention provides a hacker tool mining method for a user device. The user device may take various forms: a traditional firewall, a next-generation firewall, an Internet behaviour management device, an intelligent traffic management device, a WAN optimisation gateway, a security proxy server and so on; the embodiments of the present invention do not limit this. As shown in Fig. 2, the hacker tool mining method includes:
Step 201: obtain the network access behaviour of a user.
For example, when a user accesses the Internet from a client through the user device, various network access behaviours are produced: the user may shop online, chat online, listen to music and watch films online, download with P2P (peer-to-peer) tools, launch hacker attacks and so on, and different network access behaviours produce different network traffic.
Step 202: generate a network log according to the network traffic produced by the user's network access behaviour.
In the prior art, to identify different network access behaviours, each known network access behaviour is given a feature code (signature): the concrete network behaviour can be determined from the signature and the corresponding network log generated. Common network logs include message flow logs, network access logs, zone protection logs and so on. When a user launches an attack from a client through the user device, a large amount of network traffic may be produced in a short time, so whether a network access behaviour is hacker-attack-class behaviour can be judged from the size of the network traffic.
Optionally, since there are many types of hacker attack, such as brute force, vulnerability exploitation and denial of service, and the network access behaviours produced by different attack behaviours differ, when an attack-class network log is generated from hacker-attack-class behaviour, a different attack ID can be set for each attack type, i.e. attack IDs are used to identify the different attack types; the attack ID is placed in the generated attack-class network log, so each attack-class network log includes its corresponding attack ID.
Step 203: send the network log to the cloud server.
Optionally, because the user device may produce network logs continuously, sending each network log to the cloud server in real time may affect the processing speed of the user device. A network log cache can therefore be set up in the user device, and the network logs produced by the user device are stored in the cache in time order as they arrive. When the number of network logs stored in the cache is greater than or equal to a preset count threshold, the stored logs are packed and sent to the cloud server; alternatively, once the cache has been storing network logs for a preset time period, the stored logs are packed and sent to the cloud server. This avoids the drop in the user device's processing speed that frequent sending would cause.
Embodiments of the present invention provide a hacker tool mining method, including: obtaining the network access behaviour of a user; generating a network log according to the network traffic produced by the user's network access behaviour; sending the network log to a cloud server. Compared with the prior art, the network logs can be sent to the cloud server so that the cloud server can obtain the attack pattern of any hacker tool by data mining and then identify a hacker tool by its attack pattern, so that a firewall can recognise each hacker tool by its attack pattern and provide complete protection accordingly, improving the security of the system.
An embodiment of the present invention provides a hacker tool mining method applied to a hacker tool mining system. The hacker tool mining system includes multiple user devices and a cloud server connected to the multiple user devices. The user device may take various forms: a traditional firewall, a next-generation firewall, an Internet behaviour management device, an intelligent traffic management device, a WAN optimisation gateway, a security proxy server and so on; the embodiments of the present invention do not limit this. There is no upper limit on the number of user devices connected to the cloud server, and the more the better; the embodiments of the present invention are illustrated with any one user device as an example. As shown in Fig. 3, the method includes:
Step 301: the user device obtains the network access behaviour of a user, then performs step 302.
For example, when a user accesses the Internet from a client through the user device, various network access behaviours are produced: the user may shop online, chat online, listen to music and watch films online, download with P2P tools, launch hacker attacks and so on, and different network access behaviours produce different network traffic.
Step 302: the user device generates a network log according to the network traffic produced by the user's network access behaviour, then performs step 303.
For example, if a user launches an attack from a client through the user device, a large amount of network traffic may be produced in a short time, so whether a network access behaviour is hacker-attack-class behaviour can be judged from the size of the network traffic. For instance, a traffic threshold is set at initialisation: if the traffic produced by a network access behaviour is greater than or equal to the traffic threshold, the network access behaviour can be confirmed as hacker attack behaviour and an attack-class network log can be generated from it; if the traffic produced by a network access behaviour is less than the traffic threshold, the network access behaviour can be confirmed as normal access behaviour. In the prior art, to identify different network access behaviours, each known network access behaviour is given a feature code (signature): the concrete network behaviour can be determined from the signature and the corresponding network log generated. Common network logs include message flow logs, network access logs, zone protection logs and so on.
Optionally, since there are many types of hacker attack, such as brute force, vulnerability exploitation and denial of service, and the network access behaviours produced by different attack behaviours differ, when an attack-class network log is generated from hacker-attack-class behaviour, a different attack ID can be set for each attack type, i.e. attack IDs are used to identify the different attack types; the attack ID is placed in the generated attack-class network log, so each attack-class network log includes its corresponding attack ID.
For example, if the network traffic produced when the user performs a first network access behaviour is large, it is determined to be hacker attack behaviour, and a unique attack ID is set for the attack type corresponding to the first network access behaviour; this attack ID may be 100000. When the network traffic produced when the user performs a second network access behaviour is large, it is determined to be hacker attack behaviour, and a unique attack ID is set for the attack type corresponding to the second network access behaviour; this attack ID may be 100001. In the same way, different attack IDs are set for different attack types.
Step 303: the user device sends the network log to the cloud server, then performs step 304.
For example, after generating a network log from a network access behaviour, each user device can send the network log to the cloud server so that the cloud server can analyse it.
Optionally, because the user device may produce network logs continuously, sending each network log to the cloud server in real time may affect the processing speed of the user device. A network log cache can therefore be set up in the user device, and the network logs produced by the user device are stored in the cache in time order as they arrive. When the number of network logs stored in the cache is greater than or equal to a preset count threshold, the stored logs are packed and sent to the cloud server; alternatively, once the cache has been storing network logs for a preset time period, the stored logs are packed and sent to the cloud server. This avoids the drop in the user device's processing speed that frequent sending would cause.
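The two flush conditions of the network log cache described above (a preset count threshold, or a preset time period since the oldest buffered log arrived), as an added example that is not part of the patent; the class name, the injectable clock and the period_elapsed() poll are assumptions made for the example:

```python
import time


class NetworkLogCache:
    """Network log cache on the user device (constructed example, not the patent's code).
    Logs are kept in arrival order and handed over as one batch when either the preset
    count threshold or the preset time period is reached, instead of sending every log
    to the cloud server in real time."""

    def __init__(self, count_threshold, period_seconds, clock=time.monotonic):
        if count_threshold < 1 or period_seconds <= 0:
            raise ValueError("thresholds must be positive")
        self.count_threshold = count_threshold
        self.period_seconds = period_seconds
        self.clock = clock            # injectable so the flush timing can be tested
        self.entries = []
        self.oldest = None            # arrival time of the oldest buffered log

    def add(self, log):
        """Store one log. Return the packed batch if a flush condition is now met, else None."""
        now = self.clock()
        if not self.entries:
            self.oldest = now
        self.entries.append(log)
        if len(self.entries) >= self.count_threshold or self.period_elapsed(now):
            return self.flush()
        return None

    def period_elapsed(self, now=None):
        """True when the cache has been holding logs for at least the preset period.
        A periodic timer should poll this so a quiet device still ships its batch."""
        if not self.entries:
            return False
        now = self.clock() if now is None else now
        return now - self.oldest >= self.period_seconds

    def flush(self):
        """Pack everything buffered so far (in arrival order) and reset the cache."""
        batch, self.entries, self.oldest = self.entries, [], None
        return batch
```

Checking the time condition only inside add() would leave the last batch stranded on a device that stops producing logs, which is why period_elapsed() is exposed for a timer to poll.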
The network log that the multiple subscriber equipment of step 304, cloud server sends, performs step 306.
Example, in hack tool digging system, Cloud Server connects multiple subscriber equipment, Mei Geyong The network log of generation all can be sent to Cloud Server by family equipment.
Step 305, Cloud Server obtain attack class network log from the described network log received, and hold Row step 306.
Example, the all-network daily record of generation is all sent to Cloud Server by subscriber equipment, including positive frequentation Ask the message flow daily record of generation, network access log, area protection daily record etc., also include attacking class network Daily record, Cloud Server extracts attack class network log from the all-network daily record received.Concrete, Subscriber equipment, when producing attack class network log, all carries in each attack class network log and attacks with it The attack ID that type is corresponding, therefore whether Cloud Server can be by including in network log that attacking ID determines Whether network log is to attack class network log.
Step 306, Cloud Server extract the attack information of each described attack class network log, described attack Information includes attacking IP (Internet Protocol, the agreement of interconnection between network), when attacking ID and attack Between, perform step 307.
Example, Cloud Server is after getting multiple attack class network log, to each attack class network Daily record is analyzed, and obtains it and attacks IP, attacks ID and attack time.For example, it is assumed that first network day Will is for attacking class network log, and first network daily record can be analyzed by Cloud Server, extracts first network The attack IP of daily record, i.e. produces the IP address of described first network daily record;The attack ID of first network daily record, The attack type of the most described first network daily record;And the attack time of first network daily record, the most described first The network that network log is corresponding accesses the time that behavior produces.
Step 307, Cloud Server carry out vectorization description to each described attack information, obtain each attack The vector of attack of information, performs step 308.
Example, for the ease of attack information is carried out mathematical analysis, attack information can be carried out vectorization Describe, the corresponding vector of the most each attack information.Such as, the primary vector that first network daily record is corresponding is extremely Including the attack IP of first network daily record less and attack ID, in actual application, primary vector can also include Attack time.In each vector, the content of element can select as the case may be, the embodiment of the present invention This is not limited.
Step 308: according to the attack vector of each item of attack information, the cloud server performs a layered analysis of the attack information and obtains the attack ID group corresponding to each hacker tool.
For example, several hacker tools may be installed on the same attack IP, and each hacker tool may produce multiple hacker attack behaviours, each of which corresponds to a different attack ID, so one attack IP may correspond to multiple attack IDs. Through mathematical analysis, the attack ID group corresponding to each hacker tool can be obtained from the multiple attack IDs of each attack IP, and the attack ID group can then be used to identify the hacker tool that produced the attack IDs it contains.
Optionally, if one attack ID group is assumed to correspond to one hacker tool, then that attack ID group is bound to recur among the attack IDs of different attack IPs. To find such arrangements, a frequent itemset mining (association rule) algorithm can be used. There are many implementations of such algorithms; the embodiments of the present invention take the FP-Growth algorithm as an example. FP-Growth uses a data structure called the frequent pattern tree (FP-tree), a special prefix tree composed of a frequent-item header table and an item prefix tree, and the algorithm accelerates the whole mining process on the basis of this structure.
Specifically, first collect the attack IDs of each attack IP, arrange them in the order of the time at which each attack ID was produced, and generate the attack ID set of each attack IP; the attack ID sets of all attack IPs form database D. Then scan database D and take the attack IDs whose number of occurrences in D is greater than or equal to a first predetermined number threshold, arranging them into the frequent item set F, where each attack ID arrangement includes at least two attack IDs and the attack IDs are ordered by descending frequency of occurrence. Arranging the attack ID arrangements in F gives the frequent item table L; build the FP-tree from L; perform data mining on the FP-tree to obtain the attack ID arrangements corresponding to the nodes whose support is greater than a preset support threshold; and split each attack ID arrangement obtained into non-repeating 2-tuples. For example, if an attack ID arrangement is {1000000, 1000001, 1000002}, it can be split into {1000000, 1000001} and {1000001, 1000002}; all the 2-tuples obtained by splitting form the 2-tuple set E.
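The FP-Growth stage just described, implemented as an added Python example (not the patent's or the assignee's code): a compact FP-tree with its header table, recursive mining of the conditional pattern bases, selection of the arrangements with at least two attack IDs whose support exceeds the threshold, and splitting of each arrangement into consecutive 2-tuples to form E. The database D, the two thresholds and the tie-breaking order of equally frequent attack IDs are assumptions.

```python
from collections import defaultdict

# Constructed database D (not from the patent): for each attack IP, its attack IDs
# in the order of attack time.
D = {
    "203.0.113.10": [1000000, 1000001, 1000002],
    "203.0.113.11": [1000000, 1000001, 1000002],
    "203.0.113.12": [1000000, 1000001],
    "203.0.113.13": [1000000, 1000002],
    "203.0.113.14": [1000003],
}


class FPNode:
    """Node of the item prefix tree."""
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}


def build_fp_tree(transactions, min_count):
    """Build the FP-tree. Returns (root, header, order): header maps each frequent item
    to the nodes holding it, order is the frequent items by descending frequency
    (the frequent item table L); ties are broken by attack ID (assumption)."""
    counts = defaultdict(int)
    for t in transactions:
        for item in set(t):
            counts[item] += 1
    order = sorted((i for i, c in counts.items() if c >= min_count),
                   key=lambda i: (-counts[i], i))
    rank = {item: r for r, item in enumerate(order)}
    root, header = FPNode(None, None), defaultdict(list)
    for t in transactions:
        node = root
        for item in sorted({i for i in t if i in rank}, key=rank.__getitem__):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = FPNode(item, node)
                header[item].append(child)
            child.count += 1
            node = child
    return root, header, order


def fp_growth(transactions, min_count, suffix=()):
    """Mine every itemset with support >= min_count: {frozenset(items): support}."""
    _, header, order = build_fp_tree(transactions, min_count)
    patterns = {}
    for item in reversed(order):              # grow from the least frequent item upward
        support = sum(n.count for n in header[item])
        pattern = (item,) + suffix
        patterns[frozenset(pattern)] = support
        base = []                             # conditional pattern base of `item`
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            base.extend([path] * node.count)
        if any(base):                         # stop when all prefix paths are empty
            patterns.update(fp_growth(base, min_count, pattern))
    return patterns


def mine_arrangements(db, min_count, support_threshold):
    """Attack ID arrangements of at least two IDs with support > support_threshold,
    each ordered by descending global frequency as in table L."""
    transactions = list(db.values())
    _, _, order = build_fp_tree(transactions, min_count)
    rank = {item: r for r, item in enumerate(order)}
    return sorted(tuple(sorted(p, key=rank.__getitem__))
                  for p, s in fp_growth(transactions, min_count).items()
                  if len(p) >= 2 and s > support_threshold)


def split_into_pairs(arrangements):
    """The 2-tuple set E: each arrangement split into its consecutive, non-repeating pairs."""
    return {(a[i], a[i + 1]) for a in arrangements for i in range(len(a) - 1)}


if __name__ == "__main__":
    arrangements = mine_arrangements(D, min_count=2, support_threshold=1)
    print(arrangements)
    print(sorted(split_into_pairs(arrangements)))
```

With the constructed D, attack ID 1000003 occurs only once and never reaches the tree, while {1000000, 1000001, 1000002} is mined with support 2 and, following the text, is split into {1000000, 1000001} and {1000001, 1000002}.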
Suppose two or more hacker tools are installed on one attack IP. If two hacker tools are selected, switching from one hacker tool to the other requires a certain time difference, which can be assumed to be Td. Compute the time difference between the two attack IDs included in each 2-tuple of the 2-tuple set E; the 2-tuples whose time difference is greater than Td are retained and form a new 2-tuple set Ed.
Traverse the attack ID sets in database D and remove the subsets in database D. For example, suppose the database contains the following three attack ID sets: {1000000, 1000001, 1000002}, {1000000, 1000001} and {1000000, 1000002}. Since {1000000, 1000001} and {1000000, 1000002} are subsets of {1000000, 1000001, 1000002}, only {1000000, 1000001, 1000002} is retained, and {1000000, 1000001} and {1000000, 1000002} are removed. After the subsets are removed from database D, the remaining attack ID sets form database A.
For any attack ID set A1 in database A, compute the Jaccard distance between A1 and each other attack ID set in database A whose number of elements exceeds that of A1; if the Jaccard distance between some such attack ID set and A1 is greater than 0.4, delete A1. After this computation, the attack ID sets remaining in database A form database C. The Jaccard distance is an index used to measure the dissimilarity of two sets; it is the complement of the Jaccard similarity coefficient and is defined as 1 minus the Jaccard similarity coefficient. The Jaccard similarity coefficient, also called the Jaccard index, is an index used to measure the similarity of two sets and is defined as the number of elements in the intersection of the two sets divided by the number of elements in their union. The Jaccard distance and Jaccard similarity coefficient are prior art and are not described further in the embodiments of the present invention.
Finally, since the two attack IDs included in each 2-tuple of the new 2-tuple set Ed come from two different hacker tools, the attack ID sets included in database C can be split according to Ed. For example, if database C includes the attack ID set {1000000, 1000001, 1000002, 1000003} and Ed includes the 2-tuple {1000001, 1000002}, then according to this 2-tuple the attack ID set {1000000, 1000001, 1000002, 1000003} can be split into the two attack ID groups {1000000, 1000001} and {1000002, 1000003}; {1000000, 1000001} and {1000002, 1000003} are the attack ID groups corresponding to two hacker tools and can each be used to identify the corresponding hacker tool.
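The post-processing from the 2-tuple set E to the per-tool attack ID groups (time-difference filter Td, subset removal, Jaccard filter and splitting), as an added Python example rather than the patent's code. The records, E and Td are constructed so that the worked numbers above are reproduced. Two points the text leaves open are my assumptions: a 2-tuple's time difference is taken as the smallest gap between its two attack IDs on any single attack IP, and a time-ordered attack ID sequence is cut between two neighbours that form a 2-tuple of Ed.

```python
from collections import defaultdict

# Constructed attack information (attack IP, attack ID, attack time in seconds); not from the patent.
RECORDS = [
    ("203.0.113.10", 1000000, 0), ("203.0.113.10", 1000001, 5),
    ("203.0.113.10", 1000002, 200), ("203.0.113.10", 1000003, 210),
    ("203.0.113.11", 1000000, 0), ("203.0.113.11", 1000001, 3),
    ("203.0.113.12", 1000000, 0), ("203.0.113.12", 1000002, 100),
    ("203.0.113.13", 1000000, 0), ("203.0.113.13", 1000001, 4), ("203.0.113.13", 1000002, 190),
    ("203.0.113.14", 1000000, 0), ("203.0.113.14", 1000009, 30),
]
# Constructed 2-tuple set E, as would come out of splitting the mined frequent arrangements.
E = {(1000000, 1000001), (1000001, 1000002), (1000002, 1000003)}
TD = 60  # assumed time needed to switch from one hacker tool to another (seconds)


def build_database(records):
    """Database D: for each attack IP, its attack IDs ordered by attack time."""
    by_ip = defaultdict(list)
    for ip, aid, _ in sorted(records, key=lambda r: r[2]):
        if aid not in by_ip[ip]:
            by_ip[ip].append(aid)
    return dict(by_ip)


def first_times(records):
    """Earliest time each attack ID was seen on each attack IP."""
    seen = {}
    for ip, aid, t in records:
        seen[(ip, aid)] = min(t, seen.get((ip, aid), t))
    return seen


def filter_pairs_by_time(pairs, records, td):
    """Ed: keep the 2-tuples whose attack IDs are never produced within td of each
    other on one IP (smallest within-IP gap > td; this definition is an assumption)."""
    seen = first_times(records)
    ips = {ip for ip, _, _ in records}
    kept = set()
    for a, b in pairs:
        gaps = [abs(seen[(ip, a)] - seen[(ip, b)])
                for ip in ips if (ip, a) in seen and (ip, b) in seen]
        if gaps and min(gaps) > td:
            kept.add((a, b))
    return kept


def remove_subsets(db):
    """Database A: drop every sequence whose set is a strict subset of another's."""
    seqs = list(db.values())
    return [s for s in seqs if not any(set(s) < set(o) for o in seqs)]


def jaccard_distance(x, y):
    """1 minus the Jaccard similarity coefficient |x & y| / |x | y|."""
    x, y = set(x), set(y)
    return 1 - len(x & y) / len(x | y)


def filter_by_jaccard(seqs, max_distance=0.4):
    """Database C: delete A1 when some sequence with more elements lies farther
    than max_distance from it."""
    return [s for s in seqs
            if not any(len(o) > len(s) and jaccard_distance(s, o) > max_distance for o in seqs)]


def split_by_pairs(seq, ed):
    """Cut the time-ordered sequence between neighbours that form a 2-tuple of Ed."""
    groups, current = [], [seq[0]]
    for prev, cur in zip(seq, seq[1:]):
        if (prev, cur) in ed or (cur, prev) in ed:
            groups.append(current)
            current = []
        current.append(cur)
    groups.append(current)
    return groups


def mine_tool_groups(records, pairs, td):
    """Attack ID groups, one per hacker tool, from raw attack information and E."""
    db = build_database(records)
    ed = filter_pairs_by_time(pairs, records, td)
    c = filter_by_jaccard(remove_subsets(db))
    return [group for seq in c for group in split_by_pairs(seq, ed)]


if __name__ == "__main__":
    print(mine_tool_groups(RECORDS, E, TD))
```

On the constructed input, only {1000001, 1000002} survives the Td filter (the two IDs are at least 186 s apart on every IP that shows both), the three smaller sequences are removed as subsets, {1000000, 1000009} is deleted because its Jaccard distance to the four-element sequence is 0.8, and the remaining sequence is cut into {1000000, 1000001} and {1000002, 1000003}.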
It should be noted that the order of the steps of the hacker tool mining method provided by the embodiments of the present invention can be adjusted as appropriate, and steps can also be added or removed accordingly; any variation that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention falls within its protection scope and is not described further.
The embodiments of the present invention provide a hacker tool mining method. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and the hacker tool can then be identified by its attack pattern, so that a firewall can recognize each hacker tool from its attack pattern and provide complete protection accordingly, improving the security of the system.
An embodiment of the present invention provides a cloud server 40, as shown in Fig. 4, including:
a receiving unit 401, configured to receive multiple network logs sent by at least one user device;
an acquiring unit 402, configured to obtain the attack-class network logs among the multiple network logs;
an extraction unit 403, configured to extract the attack information of each attack-class network log, the attack information including the attack IP and the attack ID;
a mining unit 404, configured to perform data mining on the attack information of each attack-class network log and obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
In this way, the attack pattern of any hacker tool can be obtained by data mining, and the hacker tool can then be identified by its attack pattern, so that a firewall can recognize each hacker tool from its attack pattern and provide complete protection accordingly, improving the security of the system.
Optionally, the mining unit 404 is specifically configured to produce a vectorized description of the attack information of each attack-class network log, obtaining the attack vector of each item of attack information, the attack vector including the attack IP and the attack ID of the corresponding attack information;
and to perform data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, the mining unit 404 is specifically configured to use a frequent itemset mining algorithm to perform data mining on the attack vectors of the attack-class network logs and obtain the attack ID group corresponding to each hacker tool.
Optionally, the attack information also includes the attack time.
It should be noted, first, that a person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the device and units described above may be found in the corresponding process of the foregoing method embodiment and is not repeated here.
Second, the acquiring unit 402, extraction unit 403 and mining unit 404 can all be implemented by a central processing unit (CPU), microprocessor (Micro Processor Unit, MPU), digital signal processor (DSP) or field programmable gate array (FPGA) located in the cloud server 40. The receiving unit 401 can be implemented by the communication bus between the cloud server 40 and the user device.
The embodiment of the present invention provides a cloud server including: a receiving unit, configured to receive multiple network logs sent by at least one user device; an acquiring unit, configured to obtain the attack-class network logs among the multiple network logs; an extraction unit, configured to extract the attack information of each attack-class network log, the attack information including the attack IP and the attack ID; and a mining unit, configured to perform data mining on the attack information of each attack-class network log and obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and the hacker tool can then be identified by its attack pattern, so that a firewall can recognize each hacker tool from its attack pattern and provide complete protection accordingly, improving the security of the system.
An embodiment of the present invention provides a user device 50, as shown in Fig. 5, including:
an acquiring unit 501, configured to obtain the network access behaviour of a user;
a generating unit 502, configured to generate a network log according to the network traffic produced by the user's network access behaviour;
a sending unit 503, configured to send the network log to the cloud server.
It should be noted, first, that a person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the device and units described above may be found in the corresponding process of the foregoing method embodiment and is not repeated here.
Second, the acquiring unit 501 and the generating unit 502 can be implemented by a central processing unit (CPU), microprocessor (Micro Processor Unit, MPU), digital signal processor (DSP) or field programmable gate array (FPGA) located in the user device 50. The sending unit 503 can be implemented by the communication bus between the user device 50 and the cloud server.
The embodiments of the present invention provide a user device which, compared with the prior art, can send network logs to the cloud server so that the cloud server obtains the attack pattern of any hacker tool by data mining and then identifies the hacker tool by its attack pattern, so that a firewall can recognize each hacker tool from its attack pattern and provide complete protection accordingly, improving the security of the system.
An embodiment of the present invention provides a hacker tool mining system 60, as shown in Fig. 6, including at least one user device 601 and a cloud server 602 connected to the at least one user device. In Fig. 6 the hacker tool mining system 60 includes four user devices 601; in practical applications there is no upper limit on the number of user devices 601 connected to the cloud server 602, and more is better.
The user device 601 is configured to obtain the network access behaviour of a user, generate a network log according to the network traffic produced by the user's network access behaviour, and send the network log to the cloud server.
The cloud server 602 is configured to receive the multiple network logs sent by the at least one user device, obtain the attack-class network logs among the multiple network logs, extract the attack information of each attack-class network log, the attack information including the attack IP and the attack ID, and perform data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
It should be noted that a person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the system described above may be found in the corresponding process of the foregoing method embodiment and is not repeated here.
The embodiments of the present invention provide a hacker tool mining system. Compared with the prior art, the user device can send network logs to the cloud server, and the cloud server can obtain the attack pattern of any hacker tool by data mining and then identify the hacker tool by its attack pattern, so that a firewall can recognize each hacker tool from its attack pattern and provide complete protection accordingly, improving the security of the system.
A person skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operating steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the present invention and are not intended to limit the protection scope of the present invention.

Claims (11)

1. A hacker tool mining method, characterised in that it is used for a cloud server and includes:
receiving multiple network logs sent by at least one user device;
obtaining the attack-class network logs among the multiple network logs;
extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID;
performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
2. The method according to claim 1, characterised in that performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool includes:
producing a vectorized description of the attack information of each attack-class network log to obtain the attack vector of each item of attack information, the attack vector including the attack IP and the attack ID of the corresponding attack information;
performing data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
3. The method according to claim 2, characterised in that performing data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool includes:
using a frequent itemset mining algorithm to perform data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
4. The method according to any one of claims 1-3, characterised in that the attack information also includes an attack time.
5. A hacker tool mining method, characterised in that it is used for a user device and includes:
obtaining the network access behaviour of a user;
generating a network log according to the network traffic produced by the user's network access behaviour;
sending the network log to a cloud server.
6. A cloud server, characterised in that it includes:
a receiving unit, configured to receive multiple network logs sent by at least one user device;
an acquiring unit, configured to obtain the attack-class network logs among the multiple network logs;
an extraction unit, configured to extract the attack information of each attack-class network log, the attack information including an attack IP and an attack ID;
a mining unit, configured to perform data mining on the attack information of each attack-class network log and obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
7. The cloud server according to claim 6, characterised in that the mining unit is specifically configured to:
produce a vectorized description of the attack information of each attack-class network log to obtain the attack vector of each item of attack information, the attack vector including the attack IP and the attack ID of the corresponding attack information;
perform data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
8. The cloud server according to claim 7, characterised in that the mining unit is specifically configured to:
use a frequent itemset mining algorithm to perform data mining on the attack vectors of the attack-class network logs and obtain the attack ID group corresponding to each hacker tool.
9. The cloud server according to any one of claims 6-8, characterised in that the attack information also includes an attack time.
10. A user device, characterised in that it includes:
an acquiring unit, configured to obtain the network access behaviour of a user;
a generating unit, configured to generate a network log according to the network traffic produced by the user's network access behaviour;
a sending unit, configured to send the network log to a cloud server.
11. A hacker tool mining system, characterised in that it includes at least one user device and a cloud server connected to the at least one user device;
the user device is configured to obtain the network access behaviour of a user, generate a network log according to the network traffic produced by the user's network access behaviour, and send the network log to the cloud server;
the cloud server is configured to receive the multiple network logs sent by the at least one user device, obtain the attack-class network logs among the multiple network logs, extract the attack information of each attack-class network log, the attack information including an attack IP and an attack ID, and perform data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
CN201610514159.4A 2016-06-30 2016-06-30 Hacker tool mining method, device and system Pending CN106027554A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610514159.4A CN106027554A (en) 2016-06-30 2016-06-30 Hacker tool mining method, device and system


Publications (1)

Publication Number Publication Date
CN106027554A true CN106027554A (en) 2016-10-12

Family

ID=57106209


Country Status (1)

Country Link
CN (1) CN106027554A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108632272A (en) * 2018-05-04 2018-10-09 成都信息工程大学 A kind of network-based attack tool recognition methods and system
CN110839033A (en) * 2019-11-18 2020-02-25 广州安加互联科技有限公司 Network attack identification method, system and terminal
CN111885011A (en) * 2020-07-02 2020-11-03 北京赋云安运营科技有限公司 Method and system for analyzing and mining safety of service data network

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018121A (en) * 2007-03-15 2007-08-15 杭州华为三康技术有限公司 Log convergence processing method and convergence processing device
CN101931570A (en) * 2010-02-08 2010-12-29 中国航天科技集团公司第七一○研究所 Method for reconstructing network attack path based on frequent pattern-growth algorithm
CN103678709A (en) * 2013-12-30 2014-03-26 中国科学院自动化研究所 Recommendation system attack detection method based on time series data
CN104283889A (en) * 2014-10-20 2015-01-14 国网重庆市电力公司电力科学研究院 Electric power system interior APT attack detection and pre-warning system based on network architecture
CN104601591A (en) * 2015-02-02 2015-05-06 中国人民解放军国防科学技术大学 Detection method of network attack source organization
CN104901975A (en) * 2015-06-30 2015-09-09 北京奇虎科技有限公司 Web log safety analyzing method, device and gateway
CN104954188A (en) * 2015-06-30 2015-09-30 北京奇虎科技有限公司 Cloud based web log security analysis method, device and system
CN105208000A (en) * 2015-08-21 2015-12-30 深信服网络科技(深圳)有限公司 Network attack retrospective analysis method and network security equipment
US20150381649A1 (en) * 2014-06-30 2015-12-31 Neo Prime, LLC Probabilistic Model For Cyber Risk Forecasting
CN105721427A (en) * 2016-01-14 2016-06-29 湖南大学 Method for mining attack frequent sequence mode from Web log




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161012