CN106027554A - Hacker tool mining method, device and system - Google Patents
Publication number: CN106027554A
Authority: CN (China)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The embodiment of the invention discloses a hacker tool mining method for a cloud server. The hacker tool mining method comprises the following steps: receiving multiple network logs sent by at least one user equipment; obtaining the attack-type network logs among the multiple network logs; extracting the attack information of each attack-type network log, wherein the attack information comprises an attack IP and an attack ID; and performing data mining on the attack information of the attack-type network logs to obtain an attack ID group corresponding to each hacker tool, wherein the attack ID group comprises at least one attack ID. Furthermore, the embodiment of the invention provides a hacker tool mining method applied to a user equipment, a cloud server, a user equipment and a hacker tool mining system.
Description
Technical field
The present invention relates to network security technology in the field of computers, and in particular to a hacker tool mining method, device and system.
Background art
With the growing popularity of the Internet, the network has reached every aspect of daily life, and network security has accordingly become an issue that people must pay close attention to.
Many hackers exist on the network who exploit network vulnerabilities to gain entry to systems or computers without the permission of the other party and steal information, so that organizations and systems that conduct business over the Internet face unprecedented threats; once these organizations and systems are successfully attacked, huge economic losses result.
To prevent a system from being attacked by hackers, a firewall needs to be set up for each system; a firewall can effectively avoid hacker attacks and improve the security of the system.
However, network security is a technology-intensive field, and different hackers are good at different things: some hackers are skilled at vulnerability mining, some are skilled at defeating antivirus software, some are very familiar with network infrastructure, and others are skilled at social engineering. Different hackers therefore produce different attack behaviors, so a firewall finds it difficult to provide a complete protection service, and the security of the system is relatively low.
Summary of the invention
To solve the above technical problem, the embodiments of the present invention are expected to provide a hacker tool mining method, device and system that can mine the attack pattern of any hacker tool, so that a firewall can identify a hacker tool by the attack pattern of each hacker tool and provide a complete protection service accordingly, improving the security of the system.
The technical solution of the present invention is achieved as follows:
In a first aspect, an embodiment of the present invention provides a hacker tool mining method for a cloud server, including:
receiving multiple network logs sent by at least one user equipment;
obtaining the attack-type network logs among the multiple network logs;
extracting the attack information of each attack-type network log, the attack information including an attack IP and an attack ID;
performing data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
Optionally, performing data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool includes:
describing the attack information of each attack-type network log as a vector to obtain the attack vector of each item of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information;
performing data mining on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, performing data mining on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool includes:
using a frequent itemset mining algorithm to perform data mining on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, the attack information further includes an attack time.
In a second aspect, an embodiment of the present invention provides a hacker tool mining method for a user equipment, including:
obtaining the network access behavior of a user;
generating a network log according to the network traffic produced by the user's network access behavior;
sending the network log to a cloud server.
In a third aspect, an embodiment of the present invention provides a cloud server, including:
a receiving unit for receiving multiple network logs sent by at least one user equipment;
an acquiring unit for obtaining the attack-type network logs among the multiple network logs;
an extraction unit for extracting the attack information of each attack-type network log, the attack information including an attack IP and an attack ID;
a mining unit for performing data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
Optionally, the mining unit is specifically configured to:
describe the attack information of each attack-type network log as a vector to obtain the attack vector of each item of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information; and
perform data mining on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, the mining unit is specifically configured to:
use a frequent itemset mining algorithm to perform data mining on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, the attack information further includes an attack time.
In a fourth aspect, an embodiment of the present invention provides a user equipment, including:
an acquiring unit for obtaining the network access behavior of a user;
a generating unit for generating a network log according to the network traffic produced by the user's network access behavior;
a sending unit for sending the network log to a cloud server.
In a fifth aspect, an embodiment of the present invention provides a hacker tool mining system, including at least one user equipment and a cloud server connected to the at least one user equipment;
the user equipment is configured to obtain the network access behavior of a user, generate a network log according to the network traffic produced by the user's network access behavior, and send the network log to the cloud server;
the cloud server is configured to receive the multiple network logs sent by the at least one user equipment, obtain the attack-type network logs among the multiple network logs, extract the attack information of each attack-type network log, the attack information including an attack IP and an attack ID, and perform data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
The embodiments of the present invention provide a hacker tool mining method, device and system. The hacker tool mining method includes: receiving multiple network logs sent by at least one user equipment; obtaining the attack-type network logs among the multiple network logs; extracting the attack information of each attack-type network log, the attack information including an attack IP and an attack ID; and performing data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and a hacker tool can then be identified by its attack pattern, so that a firewall can identify a hacker tool by the attack pattern of each hacker tool and provide a complete protection service accordingly, improving the security of the system.
Brief description of the drawings
Fig. 1 is a first schematic flow chart of a hacker tool mining method provided by an embodiment of the present invention;
Fig. 2 is a second schematic flow chart of a hacker tool mining method provided by an embodiment of the present invention;
Fig. 3 is an interaction diagram of a hacker tool mining method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a cloud server provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a user equipment provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a hacker tool mining system provided by an embodiment of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments.
An embodiment of the present invention provides a hacker tool mining method for a cloud server, where the cloud server can be arranged as a cloud data analysis center. As shown in Fig. 1, the hacker tool mining method includes:
Step 101: receive multiple network logs sent by at least one user equipment.
In the hacker tool mining system, the cloud server is connected to multiple user equipments; each user equipment can generate multiple network logs and send the generated network logs to the cloud server.
Step 102: obtain the attack-type network logs among the multiple network logs.
For example, a user equipment sends all the network logs it generates to the cloud server, including the message flow logs, network access logs, zone protection logs and so on produced by normal access, as well as attack-type network logs; the cloud server extracts the attack-type network logs from all the network logs received. Specifically, when a user equipment produces an attack-type network log, it places in each attack-type network log the attack ID (identification) corresponding to the attack type, so the cloud server can determine whether a network log is an attack-type network log by whether the network log includes an attack ID.
Step 103: extract the attack information of each attack-type network log, the attack information including an attack IP and an attack ID.
For example, after obtaining multiple attack-type network logs, the cloud server analyzes each attack-type network log and obtains its attack IP and attack ID. For instance, assuming a first network log is an attack-type network log, the cloud server can analyze the first network log and extract its attack IP, namely the IP address that produced the first network log, and its attack ID, namely the attack type of the first network log. Optionally, the attack information may further include an attack time, i.e. the cloud server can also extract the attack time of the first network log, which is the time at which the network access behavior corresponding to the first network log occurred.
Step 104: perform data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
For example, multiple hacker tools may be installed on the same attack IP, each hacker tool may produce multiple hacker attack behaviors, and each kind of hacker attack behavior corresponds to a different attack ID; one attack IP may therefore correspond to multiple attack IDs produced by hacker tools. By mathematical analysis, the attack ID group corresponding to each hacker tool can be obtained from the multiple attack IDs corresponding to each attack IP, and the attack ID group can then be used to identify the hacker tool that produced the multiple attack IDs it includes.
In this way, the attack pattern of any hacker tool can be obtained by data mining, and a hacker tool can be identified by its attack pattern, so that a firewall can identify a hacker tool by the attack pattern of each hacker tool and provide a complete protection service accordingly, improving the security of the system.
Optionally, when performing data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool, the attack information of each attack-type network log may first be described as a vector to obtain the attack vector of each item of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information; data mining is then performed on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool.
For example, to facilitate mathematical analysis of the attack information, the attack information can be described as vectors, i.e. each item of attack information corresponds to one vector. For instance, the first vector corresponding to the first network log includes at least the attack IP and attack ID of the first network log; in practical application the first vector may also include the attack time. The content of the elements of each vector can be chosen according to the specific situation, which is not limited by the embodiment of the present invention.
Optionally, when performing data mining on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool, a frequent itemset mining algorithm may be used to perform data mining on the attack vectors of the attack-type network logs to obtain the attack ID group corresponding to each hacker tool.
For example, there are many implementations of the frequent itemset mining algorithm; the embodiment of the present invention takes the FP-Growth algorithm as an example. The FP-Growth algorithm uses a data structure called a frequent pattern tree (FP-tree); the FP-tree is a special prefix tree consisting of a frequent item header table and an item prefix tree, and the FP-Growth algorithm speeds up the whole mining process on the basis of this structure.
The embodiment of the present invention provides a hacker tool mining method, including: receiving multiple network logs sent by at least one user equipment; obtaining the attack-type network logs among the multiple network logs; extracting the attack information of each attack-type network log, the attack information including an attack IP and an attack ID; and performing data mining on the attack information of each attack-type network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and a hacker tool can then be identified by its attack pattern, so that a firewall can identify a hacker tool by the attack pattern of each hacker tool and provide a complete protection service accordingly, improving the security of the system.
An embodiment of the present invention provides a hacker tool mining method for a user equipment. The user equipment may take various forms, such as a traditional firewall, a next-generation firewall, an Internet behavior management device, an intelligent traffic management device, a WAN optimization gateway or a security proxy server, which is not limited by the embodiment of the present invention. As shown in Fig. 2, the hacker tool mining method includes:
Step 201: obtain the network access behavior of a user.
For example, when a user accesses the Internet on a client through the user equipment, various network access behaviors can be produced: through the user equipment the user can shop online, chat online, enjoy music and films online, download with P2P (peer-to-peer) tools, launch hacker attacks and so on, and different network access behaviors produce different network traffic.
Step 202: generate a network log according to the network traffic produced by the user's network access behavior.
In the prior art, to facilitate identifying different network access behaviors, each known network access behavior is provided with a feature code, so the specific network behavior can be determined from the feature code and the corresponding network log generated. Common network logs include message flow logs, network access logs, zone protection logs and so on. When a user launches an attack through the user equipment on a client, relatively large network traffic may be produced in a short time, so whether a network access behavior is a hacker attack-type behavior can be judged from the size of the network traffic.
Optionally, since there are many types of hacker attack, such as brute force, vulnerability attacks and denial of service attacks, and the network access behaviors produced by different attack behaviors also differ, a different attack ID can be set for each different attack type when an attack-type network log is generated from a hacker attack-type behavior, i.e. attack IDs are used to identify different attack types; the attack ID is placed in the generated attack-type network log, so each attack-type network log includes the corresponding attack ID.
Step 203: send the network log to the cloud server.
Optionally, since a user equipment may produce network logs at any time, sending network logs to the cloud server in real time may affect the processing speed of the user equipment. A network log cache can therefore be set up in the user equipment, and the network logs produced by the user equipment are stored in the network log cache in chronological order in real time. When the number of network logs stored in the network log cache is greater than or equal to a preset number threshold, the network logs stored in the network log cache are packed and sent to the cloud server; alternatively, once the network log cache has stored the network logs of a preset time period, the network logs stored in the network log cache are packed and sent to the cloud server. This avoids the drop in the processing speed of the user equipment that frequent sending would cause.
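The user-equipment side of steps 201 to 203, as an added example that is not the patent's own code: a behavior is classed as an attack by the flow threshold, one attack ID per attack type is assigned starting at 100000 as in the description, and the log cache is packed and sent when the count threshold or the time period is reached. The class name, the log fields, the `send` callback and the sample traffic are assumptions.

```python
class UserEquipment:
    """Hypothetical user equipment: classifies behaviors, caches logs, ships batches."""

    def __init__(self, send, flow_threshold, count_threshold, period):
        self.send = send                        # callable(batch): delivers packed logs to the cloud server
        self.flow_threshold = flow_threshold    # bytes at or above which a behavior is judged an attack
        self.count_threshold = count_threshold  # flush when this many logs are cached
        self.period = period                    # or when the cache has been filling this many seconds
        self.attack_ids = {}                    # attack type -> attack ID, assigned 100000, 100001, ...
        self.cache = []                         # network log cache, kept in time order
        self.cache_started = None

    def attack_id_for(self, attack_type):
        """Step 202 (optional): one unique attack ID per attack type,
        following the description's 100000 / 100001 example."""
        if attack_type not in self.attack_ids:
            self.attack_ids[attack_type] = 100000 + len(self.attack_ids)
        return self.attack_ids[attack_type]

    def observe(self, src_ip, kind, nbytes, now):
        """Steps 201-202: turn one network access behavior (already matched to its
        feature code `kind`) into a network log. Traffic at or above the flow threshold
        is classed as a hacker attack behavior and tagged with that type's attack ID."""
        log = {"ip": src_ip, "kind": kind, "bytes": nbytes, "time": now}
        if nbytes >= self.flow_threshold:
            log["attack_id"] = self.attack_id_for(kind)
        if not self.cache:
            self.cache_started = now
        self.cache.append(log)
        return self.flush_if_due(now)

    def flush_if_due(self, now):
        """Step 203 (optional): pack and send the cache once it holds count_threshold
        logs or has accumulated for `period` seconds. Returns the batch sent, else None."""
        if not self.cache:
            return None
        due = len(self.cache) >= self.count_threshold or now - self.cache_started >= self.period
        if not due:
            return None
        batch, self.cache, self.cache_started = self.cache, [], None
        self.send(batch)
        return batch


def demo():
    """Constructed traffic from one client: two normal behaviors and three large-volume ones."""
    sent = []
    ue = UserEquipment(sent.append, flow_threshold=10_000, count_threshold=3, period=60)
    ue.observe("192.0.2.5", "shopping", 2_000, now=0)        # normal access
    ue.observe("192.0.2.5", "brute_force", 50_000, now=5)    # attack ID 100000
    ue.observe("192.0.2.5", "vuln_attack", 40_000, now=10)   # attack ID 100001; cache full, batch sent
    ue.observe("192.0.2.5", "chat", 500, now=20)             # normal access, new cache window
    ue.observe("192.0.2.5", "brute_force", 60_000, now=30)   # attack ID 100000 again
    ue.flush_if_due(now=85)                                  # timer tick: 65 s >= period, batch sent
    return sent
```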
The embodiment of the present invention provides a hacker tool mining method, including: obtaining the network access behavior of a user; generating a network log according to the network traffic produced by the user's network access behavior; and sending the network log to a cloud server. Compared with the prior art, the network log can be sent to the cloud server so that the cloud server can obtain the attack pattern of any hacker tool by data mining and then identify a hacker tool by its attack pattern, so that a firewall can identify a hacker tool by the attack pattern of each hacker tool and provide a complete protection service accordingly, improving the security of the system.
An embodiment of the present invention provides a hacker tool mining method applied to a hacker tool mining system, which includes multiple user equipments and a cloud server connected to the multiple user equipments. The user equipment may take various forms, such as a traditional firewall, a next-generation firewall, an Internet behavior management device, an intelligent traffic management device, a WAN optimization gateway or a security proxy server, which is not limited by the embodiment of the present invention. Moreover, there is no upper limit on the number of user equipments connected to the cloud server: the more the better. The embodiment of the present invention takes any one user equipment as an example. As shown in Fig. 3, the method includes:
Step 301: the user equipment obtains the network access behavior of the user, and proceeds to step 302.
For example, when a user accesses the Internet on a client through the user equipment, various network access behaviors can be produced: through the user equipment the user can shop online, chat online, enjoy music and films online, download with P2P tools, launch hacker attacks and so on, and different network access behaviors produce different network traffic.
Step 302: the user equipment generates a network log according to the network traffic produced by the user's network access behavior, and proceeds to step 303.
For example, if a user launches an attack through the user equipment on a client, relatively large network traffic may be produced in a short time, so whether a network access behavior is a hacker attack-type behavior can be judged from the size of the network traffic. For instance, a flow threshold is set at initialization; when the traffic produced by a network access behavior is greater than or equal to the flow threshold, the network access behavior can be confirmed as a hacker attack behavior and an attack-type network log can be generated from it; when the traffic produced by a network access behavior is less than the flow threshold, the network access behavior can be confirmed as normal access behavior. In the prior art, to facilitate identifying different network access behaviors, each known network access behavior is provided with a feature code, so the specific network behavior can be determined from the feature code and the corresponding network log generated. Common network logs include message flow logs, network access logs, zone protection logs and so on.
Optionally, since there are many types of hacker attack, such as brute force, vulnerability attacks and denial of service attacks, and the network access behaviors produced by different attack behaviors also differ, a different attack ID can be set for each different attack type when an attack-type network log is generated from a hacker attack-type behavior, i.e. attack IDs are used to identify different attack types; the attack ID is placed in the generated attack-type network log, so each attack-type network log includes the corresponding attack ID.
For example, if the network traffic produced when the user performs a first network access behavior is relatively large, it is determined to be a hacker attack behavior, and a unique corresponding attack ID is set for the attack type corresponding to the first network access behavior; this attack ID may be 100000. When the network traffic produced when the user performs a second network access behavior is relatively large, it is determined to be a hacker attack behavior, and a unique corresponding attack ID is set for the attack type corresponding to the second network access behavior; this attack ID may be 100001. And so on: different attack IDs are set for different attack types.
Step 303: the user equipment sends the network log to the cloud server, and proceeds to step 304.
For example, after generating network logs according to the network access behaviors, each user equipment can send the network logs to the cloud server so that the cloud server can analyze them.
Optionally, since a user equipment may produce network logs at any time, sending network logs to the cloud server in real time may affect the processing speed of the user equipment. A network log cache can therefore be set up in the user equipment, and the network logs produced by the user equipment are stored in the network log cache in chronological order in real time. When the number of network logs stored in the network log cache is greater than or equal to a preset number threshold, the network logs stored in the network log cache are packed and sent to the cloud server; alternatively, once the network log cache has stored the network logs of a preset time period, the network logs stored in the network log cache are packed and sent to the cloud server. This avoids the drop in the processing speed of the user equipment that frequent sending would cause.
Step 304: the cloud server receives the network logs sent by the multiple user equipments, and proceeds to step 306.
For example, in the hacker tool mining system the cloud server is connected to multiple user equipments, and each user equipment can send the network logs it generates to the cloud server.
Step 305: the cloud server obtains the attack-type network logs from the received network logs, and proceeds to step 306.
For example, a user equipment sends all the network logs it generates to the cloud server, including the message flow logs, network access logs, zone protection logs and so on produced by normal access, as well as attack-type network logs; the cloud server extracts the attack-type network logs from all the network logs received. Specifically, when a user equipment produces an attack-type network log, it places in each attack-type network log the attack ID corresponding to the attack type, so the cloud server can determine whether a network log is an attack-type network log by whether the network log includes an attack ID.
Step 306: the cloud server extracts the attack information of each attack-type network log, the attack information including an attack IP (Internet Protocol, the protocol for interconnection between networks), an attack ID and an attack time, and proceeds to step 307.
For example, after obtaining multiple attack-type network logs, the cloud server analyzes each attack-type network log and obtains its attack IP, attack ID and attack time. For instance, assuming a first network log is an attack-type network log, the cloud server can analyze the first network log and extract its attack IP, namely the IP address that produced the first network log; its attack ID, namely the attack type of the first network log; and its attack time, namely the time at which the network access behavior corresponding to the first network log occurred.
Step 307: the cloud server describes each item of attack information as a vector to obtain the attack vector of each item of attack information, and proceeds to step 308.
For example, to facilitate mathematical analysis of the attack information, the attack information can be described as vectors, i.e. each item of attack information corresponds to one vector. For instance, the first vector corresponding to the first network log includes at least the attack IP and attack ID of the first network log; in practical application the first vector may also include the attack time. The content of the elements of each vector can be chosen according to the specific situation, which is not limited by the embodiment of the present invention.
Step 307: the cloud server performs hierarchical analysis of the attack information according to the attack vector of each item of attack information, to obtain the attack ID group corresponding to each hacker tool.
For example, multiple hacker tools may be installed on the same attack IP, each hacker tool may produce multiple hacker attack behaviors, and each kind of hacker attack behavior corresponds to a different attack ID; one attack IP may therefore correspond to multiple attack IDs. By mathematical analysis, the attack ID group corresponding to each hacker tool can be obtained from the multiple attack IDs corresponding to each attack IP, and the attack ID group can then be used to identify the hacker tool that produced the multiple attack IDs it includes.
Optionally, assuming that one attack ID group corresponds to one hacker tool, this means that the attack ID group is bound to appear repeatedly among the attack IDs of different attack IPs. To find these arrangements, a frequent itemset mining algorithm can be used. There are many implementations of the frequent itemset mining algorithm; the embodiment of the present invention takes the FP-Growth algorithm as an example. The FP-Growth algorithm uses a data structure called a frequent pattern tree (FP-tree); the FP-tree is a special prefix tree consisting of a frequent item header table and an item prefix tree, and the FP-Growth algorithm speeds up the whole mining process on the basis of this structure.
Specifically, the attack IDs of each attack IP are first collected and arranged according to the time at which each attack ID was produced, generating the attack ID set of each attack IP; the attack ID sets of all attack IPs together form database D. Database D is then scanned to obtain the attack IDs whose number of occurrences in database D is greater than or equal to a first predetermined number threshold, which are arranged into the frequent item set F, each attack ID arrangement including at least two attack IDs. The attack ID arrangements in the frequent item set F, ordered by descending frequency of occurrence of each attack ID, give the frequent item table L. The FP-tree is built according to the frequent item table L, and data mining is performed on the FP-tree to obtain the attack ID arrangements corresponding to the nodes whose support exceeds a preset support threshold. Each attack ID arrangement obtained is split into non-duplicated 2-tuples; for example, assuming an attack ID arrangement is {1000000, 1000001, 1000002}, it can be split into {1000000, 1000001} and {1000001, 1000002}. All 2-tuples obtained by splitting form the 2-tuple set E.
Assume that two or more hacker tools are installed on one attack IP. If two hacker tools are used in turn, switching from one hacker tool to the other requires a certain time difference, which can be assumed to be Td. The time difference between the two attack IDs included in each 2-tuple of the 2-tuple set E is calculated, and the 2-tuples whose time difference is greater than Td are retained to form the new 2-tuple set Ed.
The attack ID sets in database D are traversed and the subsets in database D are removed. For example, assume that the following three attack ID sets occur in the database: {1000000, 1000001, 1000002}, {1000000, 1000001} and {1000000, 1000002}. Since {1000000, 1000001} and {1000000, 1000002} are subsets of {1000000, 1000001, 1000002}, only {1000000, 1000001, 1000002} is retained, and {1000000, 1000001} and {1000000, 1000002} are removed. After the subsets are removed from database D, the remaining attack ID sets form database A.
For any attack ID set A1 included in database A, the Jaccard distance between A1 and each other attack ID set in database A whose number of elements exceeds that of A1 is calculated; if the Jaccard distance between some such attack ID set and A1 is greater than 0.4, A1 is deleted. After this calculation, the attack ID sets remaining in database A form database C. The Jaccard distance is an index used to measure the dissimilarity of two sets; it is the complement of the Jaccard similarity coefficient and is defined as 1 minus the Jaccard similarity coefficient. The Jaccard similarity coefficient, also called the Jaccard index, is an index used to measure the similarity of two sets; it is defined as the number of elements in the intersection of the two sets divided by the number of elements in their union. The Jaccard distance, the Jaccard similarity coefficient and the Jaccard index are prior art and are not described further in the embodiment of the present invention.
Finally, since the two attack IDs included in each 2-tuple of the new 2-tuple set Ed come from two different hacker tools, the attack ID sets included in database C can be split according to the new 2-tuple set Ed. For example, if database C includes the attack ID set {1000000, 1000001, 1000002, 1000003} and the new 2-tuple set Ed includes the 2-tuple {1000001, 1000002}, the attack ID set {1000000, 1000001, 1000002, 1000003} can be split according to this 2-tuple into the two attack ID groups {1000000, 1000001} and {1000002, 1000003}; {1000000, 1000001} and {1000002, 1000003} are the attack ID groups corresponding to two hacker tools, and each can be used to identify its corresponding hacker tool.
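The pipeline described above, from database D through the sets E, Ed, A and C to the per-tool attack ID groups, as an added example that is not the patent's own code. It uses exhaustive subset counting in place of the FP-tree (same frequent itemsets for the same support threshold), assumes Td = 60 s and the thresholds set at the top, takes the smallest gap observed between two attack IDs on any one IP as their time difference, and runs over constructed log records.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed records: (attack IP, attack ID, attack time in seconds). Attack IDs 1000000/1000001
# fire seconds apart (one tool), as do 1000002/1000003 (a second tool); 1000004 is seen on one IP only.
LOGS = [
    ("10.0.0.1", 1000000, 0), ("10.0.0.1", 1000001, 5), ("10.0.0.1", 1000002, 600), ("10.0.0.1", 1000003, 605),
    ("10.0.0.2", 1000000, 10), ("10.0.0.2", 1000001, 14), ("10.0.0.2", 1000002, 900), ("10.0.0.2", 1000003, 903),
    ("10.0.0.3", 1000000, 0), ("10.0.0.3", 1000001, 6),
    ("10.0.0.4", 1000002, 0), ("10.0.0.4", 1000003, 3),
    ("10.0.0.5", 1000002, 0), ("10.0.0.5", 1000003, 2), ("10.0.0.5", 1000000, 500), ("10.0.0.5", 1000001, 507),
    ("10.0.0.6", 1000000, 0), ("10.0.0.6", 1000001, 5), ("10.0.0.6", 1000004, 400),
]
TD = 60             # assumed tool-switch time difference Td, in seconds
MIN_ITEM_COUNT = 2  # first predetermined number threshold (number of IPs an attack ID occurs on)
MIN_SUPPORT = 2     # preset support threshold for an attack ID arrangement
JACCARD_MAX = 0.4   # Jaccard distance threshold stated in the text


def build_database(logs):
    """Database D: for every attack IP, its (time, attack ID) events ordered by time."""
    per_ip = defaultdict(list)
    for ip, attack_id, t in logs:
        per_ip[ip].append((t, attack_id))
    return {ip: sorted(events) for ip, events in per_ip.items()}


def frequent_arrangements(database, min_item_count, min_support):
    """Frequent attack ID arrangements (>= 2 IDs), each listed in frequent item table L order."""
    item_count = Counter(a for ev in database.values() for a in {x for _, x in ev})
    frequent = [a for a, c in item_count.items() if c >= min_item_count]
    # Frequent item table L: descending frequency, ties broken by attack ID.
    order = {a: i for i, a in enumerate(sorted(frequent, key=lambda a: (-item_count[a], a)))}
    support = Counter()
    for ev in database.values():
        items = sorted({a for _, a in ev if a in order}, key=order.get)
        for k in range(2, len(items) + 1):
            for combo in combinations(items, k):
                support[combo] += 1
    return [list(c) for c, s in support.items() if s >= min_support]


def tool_switch_tuples(arrangements, database, td):
    """Set Ed: the consecutive 2-tuples of each arrangement (set E) whose two attack IDs are more
    than Td apart. Assumption: the smallest gap seen on any IP where both occur is the pair's gap."""
    pairs = {tuple(sorted(p)) for arr in arrangements for p in zip(arr, arr[1:])}
    ed = set()
    for a, b in pairs:
        gaps = []
        for ev in database.values():
            ta = [t for t, x in ev if x == a]
            tb = [t for t, x in ev if x == b]
            if ta and tb:
                gaps.append(min(abs(x - y) for x in ta for y in tb))
        if gaps and min(gaps) > td:
            ed.add((a, b))
    return ed


def remove_subsets(database):
    """Database A: drop each per-IP attack ID set that is a subset of (or equal to) a kept set."""
    kept = []
    for ev in sorted(database.values(), key=lambda e: -len({a for _, a in e})):
        ids = {a for _, a in ev}
        if not any(ids <= {a for _, a in k} for k in kept):
            kept.append(ev)
    return kept


def jaccard_distance(s, t):
    return 1 - len(s & t) / len(s | t)  # 1 minus the Jaccard similarity coefficient


def jaccard_filter(kept, max_distance):
    """Database C: delete A1 when some larger set in A has Jaccard distance above the threshold."""
    sets = [{a for _, a in ev} for ev in kept]
    return [ev for ev, ids in zip(kept, sets)
            if not any(jaccard_distance(ids, o) > max_distance for o in sets if len(o) > len(ids))]


def split_by_tool(events, ed):
    """Cut a time-ordered attack ID sequence wherever two consecutive IDs form an Ed tuple."""
    groups, current = [], []
    for _, a in events:
        if current and tuple(sorted((current[-1], a))) in ed:
            groups.append(current)
            current = []
        if a not in current:
            current.append(a)
    groups.append(current)
    return groups


def mine_tool_groups(logs, td=TD):
    """Attack ID groups, one per hacker tool, mined from attack-class log records."""
    database = build_database(logs)
    ed = tool_switch_tuples(frequent_arrangements(database, MIN_ITEM_COUNT, MIN_SUPPORT), database, td)
    c = jaccard_filter(remove_subsets(database), JACCARD_MAX)
    return [group for ev in c for group in split_by_tool(ev, ed)]
```

On the constructed records, `mine_tool_groups(LOGS)` yields the two groups [1000000, 1000001] and [1000002, 1000003]; the 10.0.0.6 set {1000000, 1000001, 1000004} is dropped by the Jaccard step because its distance to the larger set is 0.6.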
It should be noted that the order of the steps of the hacker tool mining method provided by the embodiment of the present invention can be adjusted appropriately, and steps can be added or removed accordingly; any variation of the method that a person skilled in the art can readily conceive within the technical scope disclosed by the invention falls within the protection scope of the invention and is not described further.
The embodiment of the present invention provides a hacker tool mining method. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and the hacker tool can then be identified by its attack pattern, so that a firewall can recognise each hacker tool by its attack pattern and provide a complete protection service accordingly, improving the security of the system.
The embodiment of the present invention provides a cloud server 40, as shown in Figure 4, including:
a receiving unit 401, for receiving multiple network logs sent by at least one user equipment;
an acquiring unit 402, for obtaining the attack-class network logs among the multiple network logs;
an extraction unit 403, for extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID; and
a mining unit 404, for performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
In this way, the attack pattern of any hacker tool can be obtained by data mining, and the hacker tool can then be identified by its attack pattern, so that a firewall can recognise each hacker tool by its attack pattern and provide a complete protection service accordingly, improving the security of the system.
Optionally, the mining unit 404 is specifically configured to describe the attack information of each attack-class network log as a vector and obtain the attack vector of each piece of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information; and to perform data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
Optionally, the mining unit 404 is specifically configured to use a frequent itemset mining association rule algorithm to perform data mining on the attack vectors of the attack-class network logs and obtain the attack ID group corresponding to each hacker tool.
Optionally, the attack information also includes an attack time.
It should be noted, first, that a person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the device and units described above can be found in the corresponding process of the foregoing method embodiment and is not repeated here.
Second, the acquiring unit 402, extraction unit 403 and mining unit 404 can all be implemented by a central processing unit (CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) located in the cloud server 40. The receiving unit 401 can be implemented by the communication bus between the cloud server 40 and the user equipment.
The embodiment of the present invention provides a cloud server including: a receiving unit, for receiving multiple network logs sent by at least one user equipment; an acquiring unit, for obtaining the attack-class network logs among the multiple network logs; an extraction unit, for extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID; and a mining unit, for performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID. Compared with the prior art, the attack pattern of any hacker tool can be obtained by data mining, and the hacker tool can then be identified by its attack pattern, so that a firewall can recognise each hacker tool by its attack pattern and provide a complete protection service accordingly, improving the security of the system.
The embodiment of the present invention provides a user equipment 50, as shown in Figure 5, including:
an acquiring unit 501, for obtaining the network access behaviour of a user;
a generating unit 502, for generating a network log according to the network traffic produced by the network access behaviour of the user; and
a sending unit 503, for sending the network log to a cloud server.
It should be noted, first, that a person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the device and units described above can be found in the corresponding process of the foregoing method embodiment and is not repeated here.
Second, the acquiring unit 501 and the generating unit 502 can be implemented by a central processing unit (CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) located in the user equipment 50. The sending unit 503 can be implemented by the communication bus between the user equipment 50 and the cloud server.
The embodiment of the present invention provides a user equipment. Compared with the prior art, it can send network logs to the cloud server, so that the cloud server obtains the attack pattern of any hacker tool by data mining and then identifies the hacker tool by its attack pattern, enabling a firewall to recognise each hacker tool by its attack pattern and provide a complete protection service accordingly, improving the security of the system.
The embodiment of the present invention provides a hacker tool mining system 60, as shown in Figure 6, including at least one user equipment 601 and a cloud server 602 connected to the at least one user equipment. In Figure 6 the hacker tool mining system 60 includes four user equipments 601; in practical applications the number of user equipments 601 connected to the cloud server 602 is not capped, and the more the better.
The user equipment 601 is configured to obtain the network access behaviour of a user, generate a network log according to the network traffic produced by the network access behaviour of the user, and send the network log to the cloud server.
The cloud server 602 is configured to receive the multiple network logs sent by the at least one user equipment, obtain the attack-class network logs among the multiple network logs, extract the attack information of each attack-class network log, the attack information including an attack IP and an attack ID, and perform data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
It should be noted that a person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the system described above can be found in the corresponding process of the foregoing method embodiment and is not repeated here.
The embodiment of the present invention provides a hacker tool mining system. Compared with the prior art, the user equipment can send network logs to the cloud server, and the cloud server can obtain the attack pattern of any hacker tool by data mining and then identify the hacker tool by its attack pattern, so that a firewall can recognise each hacker tool by its attack pattern and provide a complete protection service accordingly, improving the security of the system.
Those skilled in the art should appreciate that the embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that realises the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a sequence of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the invention and are not intended to limit the protection scope of the invention.
Claims (11)
1. A hacker tool mining method, characterized in that it is used for a cloud server and includes:
receiving multiple network logs sent by at least one user equipment;
obtaining the attack-class network logs among the multiple network logs;
extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID; and
performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
2. The method according to claim 1, characterized in that performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool includes:
describing the attack information of each attack-class network log as a vector to obtain the attack vector of each piece of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information; and
performing data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
3. The method according to claim 2, characterized in that performing data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool includes:
using a frequent itemset mining association rule algorithm to perform data mining on the attack vectors of the attack-class network logs and obtain the attack ID group corresponding to each hacker tool.
4. The method according to any one of claims 1-3, characterized in that the attack information also includes an attack time.
5. A hacker tool mining method, characterized in that it is used for a user equipment and includes:
obtaining the network access behaviour of a user;
generating a network log according to the network traffic produced by the network access behaviour of the user; and
sending the network log to a cloud server.
6. A cloud server, characterized in that it includes:
a receiving unit, for receiving multiple network logs sent by at least one user equipment;
an acquiring unit, for obtaining the attack-class network logs among the multiple network logs;
an extraction unit, for extracting the attack information of each attack-class network log, the attack information including an attack IP and an attack ID; and
a mining unit, for performing data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
7. The cloud server according to claim 6, characterized in that the mining unit is specifically configured to:
describe the attack information of each attack-class network log as a vector to obtain the attack vector of each piece of attack information, the attack vector including the attack IP and attack ID of the corresponding attack information; and
perform data mining on the attack vectors of the attack-class network logs to obtain the attack ID group corresponding to each hacker tool.
8. The cloud server according to claim 7, characterized in that the mining unit is specifically configured to:
use a frequent itemset mining association rule algorithm to perform data mining on the attack vectors of the attack-class network logs and obtain the attack ID group corresponding to each hacker tool.
9. The cloud server according to any one of claims 6-8, characterized in that the attack information also includes an attack time.
10. A user equipment, characterized in that it includes:
an acquiring unit, for obtaining the network access behaviour of a user;
a generating unit, for generating a network log according to the network traffic produced by the network access behaviour of the user; and
a sending unit, for sending the network log to a cloud server.
11. A hacker tool mining system, characterized in that it includes at least one user equipment and a cloud server connected to the at least one user equipment;
the user equipment is configured to obtain the network access behaviour of a user, generate a network log according to the network traffic produced by the network access behaviour of the user, and send the network log to the cloud server;
the cloud server is configured to receive the multiple network logs sent by the at least one user equipment, obtain the attack-class network logs among the multiple network logs, extract the attack information of each attack-class network log, the attack information including an attack IP and an attack ID, and perform data mining on the attack information of each attack-class network log to obtain the attack ID group corresponding to each hacker tool, the attack ID group including at least one attack ID.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610514159.4A CN106027554A (en) | 2016-06-30 | 2016-06-30 | Hacker tool mining method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106027554A true CN106027554A (en) | 2016-10-12 |
Family
ID=57106209
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610514159.4A Pending CN106027554A (en) | 2016-06-30 | 2016-06-30 | Hacker tool mining method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106027554A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108632272A (en) * | 2018-05-04 | 2018-10-09 | 成都信息工程大学 | A kind of network-based attack tool recognition methods and system |
CN110839033A (en) * | 2019-11-18 | 2020-02-25 | 广州安加互联科技有限公司 | Network attack identification method, system and terminal |
CN111885011A (en) * | 2020-07-02 | 2020-11-03 | 北京赋云安运营科技有限公司 | Method and system for analyzing and mining safety of service data network |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101018121A (en) * | 2007-03-15 | 2007-08-15 | 杭州华为三康技术有限公司 | Log convergence processing method and convergence processing device |
CN101931570A (en) * | 2010-02-08 | 2010-12-29 | 中国航天科技集团公司第七一○研究所 | Method for reconstructing network attack path based on frequent pattern-growth algorithm |
CN103678709A (en) * | 2013-12-30 | 2014-03-26 | 中国科学院自动化研究所 | Recommendation system attack detection method based on time series data |
CN104283889A (en) * | 2014-10-20 | 2015-01-14 | 国网重庆市电力公司电力科学研究院 | Electric power system interior APT attack detection and pre-warning system based on network architecture |
CN104601591A (en) * | 2015-02-02 | 2015-05-06 | 中国人民解放军国防科学技术大学 | Detection method of network attack source organization |
CN104901975A (en) * | 2015-06-30 | 2015-09-09 | 北京奇虎科技有限公司 | Web log safety analyzing method, device and gateway |
CN104954188A (en) * | 2015-06-30 | 2015-09-30 | 北京奇虎科技有限公司 | Cloud based web log security analysis method, device and system |
CN105208000A (en) * | 2015-08-21 | 2015-12-30 | 深信服网络科技(深圳)有限公司 | Network attack retrospective analysis method and network security equipment |
US20150381649A1 (en) * | 2014-06-30 | 2015-12-31 | Neo Prime, LLC | Probabilistic Model For Cyber Risk Forecasting |
CN105721427A (en) * | 2016-01-14 | 2016-06-29 | 湖南大学 | Method for mining attack frequent sequence mode from Web log |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20161012 |