CN106101130B - A kind of network malicious data detection method, apparatus and system - Google Patents


Info

Publication number: CN106101130B
Authority: CN (China)
Prior art keywords: data, network, characteristic value, feature values, malicious
Legal status: Active
Application number: CN201610537326.7A
Other languages: Chinese (zh)
Other versions: CN106101130A
Inventors: 杨宇波, 张国力, 赵阳, 耿晓洁, 邱勇凯, 夏晓敬
Current assignees: Guofurui Data Systems Co., Ltd.; Beijing E Hualu Information Technology Co Ltd
Original assignee: Beijing E Hualu Information Technology Co Ltd
Application filed by Beijing E Hualu Information Technology Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic


Abstract

The present invention provides a network malicious data detection method, apparatus and system. The method first collects network data and extracts the data feature values in it, then obtains the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set; when the correlation degree between some data feature value and a malicious data feature value exceeds a preset correlation degree threshold, the malicious data feature value set is expanded with that data feature value. The malicious data feature value set can thus be continually corrected and optimized, which makes it possible to predict unknown network threats, defend the network proactively, and reduce the false-positive and false-negative rates of network malicious data intrusion detection.

Description

A kind of network malicious data detection method, apparatus and system
Technical field
The present invention relates to the technical field of network intrusion detection (NIDS), and in particular to a network malicious data detection method, apparatus and system.
Background technique
NIDS is the abbreviation of Network Intrusion Detection System, an important development direction of network security. An NIDS uses state-of-the-art packet capture and protocol analysis technology to monitor all raw traffic in a network, analyses and processes the captured data at the traffic and protocol level, performs pattern matching against an existing library of events and behavioural features, identifies attacks and provides event responses, and thereby monitors, filters and even blocks network data to guarantee the safety of the network environment.
Current network intrusion detection systems mainly use two kinds of detection method: signature-based detection and anomaly-based detection. Signature-based detection matches network data or behaviour against the system's existing malicious data feature database, but this approach easily produces false positives and false negatives and cannot detect unknown intrusions. Anomaly-based detection builds a profile of normal network features and on that basis defines feature quantities and thresholds for "abnormal"; anything exceeding a threshold is identified as abnormal and an alarm is raised, and if the thresholds are set unreasonably this also easily leads to false positives and false negatives.
Summary of the invention
Therefore, the technical problem to be solved by the embodiments of the present invention is to overcome the defect of high false-positive and false-negative rates in prior-art network intrusion detection methods.
To this end, the embodiments of the present invention provide the following technical solutions:
An embodiment of the present invention provides a network malicious data detection method, comprising:
collecting network data;
extracting the data feature values in the network data;
obtaining the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set;
if the correlation degree between some data feature value and a malicious data feature value exceeds a preset correlation degree threshold, expanding the malicious data feature value set with that data feature value.
The method described in the embodiment of the present invention further comprises:
if the correlation degree between the data feature value and the malicious data feature value exceeds the preset correlation degree threshold, judging the data feature value to be a malicious data feature value and the network data corresponding to it to be network malicious data;
counting the number of times the network malicious data occurs within a preset duration;
if the number exceeds a preset safety threshold, judging that a network anomaly exists and taking a corresponding safety measure according to the degree of the network anomaly.
The method described in the embodiment of the present invention further comprises:
dynamically adjusting the preset safety threshold according to the number of times the network malicious data occurs within the preset duration and the network environment during the same period.
In the method described in the embodiment of the present invention, collecting network data comprises:
capturing network data;
shunting the network data into a corresponding circular buffer area according to the current network environment and storage pressure.
In the method described in the embodiment of the present invention, collecting network data further comprises: when reading network data, mapping the network data stored in the corresponding circular buffer area directly to the user layer.
In the method described in the embodiment of the present invention, extracting the data feature values in the network data comprises:
using an event analysis engine to filter and analyse the specific protocols in the network data and the resulting network events;
using a strategy interpreting engine to monitor and analyse the behavioural features of each network event;
taking each network event together with its corresponding behavioural features as the data feature values of the network data.
In the method described in the embodiment of the present invention, the rules of the event analysis engine and the strategy interpreting engine are written in a scripting language.
In the method described in the embodiment of the present invention, obtaining the correlation degree between each data feature value and the malicious data feature values comprises:
predicting the possibility that any one of the data feature values is any one of the malicious data feature values;
if the possibility that some data feature value is some malicious data feature value is lower than a default value, predicting the possibility that an association exists between that data feature value and that malicious data feature value;
predicting the possibility that the malicious data feature value occurs;
predicting, from the possibility that an association exists between the data feature value and the malicious data feature value and the possibility that the malicious data feature value occurs, the possibility that the data feature value develops into the malicious data feature value;
determining the correlation degree between the data feature value and the malicious data feature value from the possibility that the data feature value is the malicious data feature value or the possibility that the data feature value develops into the malicious data feature value.
An embodiment of the present invention also provides a network malicious data detection apparatus, comprising:
a data acquisition unit, for collecting network data;
a data processing unit, for extracting the data feature values in the network data;
a data analysis unit, for obtaining the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set, and, if the correlation degree between some data feature value and a malicious data feature value exceeds a preset correlation degree threshold, expanding the malicious data feature value set with that data feature value.
An embodiment of the present invention also provides a network malicious data detection system, comprising the above network malicious data detection apparatus and a display device;
the display device is for receiving and displaying the data sent by the network malicious data detection apparatus.
The technical solutions of the embodiments of the present invention have the following advantages:
The present embodiments provide a network malicious data detection method and apparatus. Network data is first collected and the data feature values in it are extracted; the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set is then obtained, and when the correlation degree between some data feature value and a malicious data feature value exceeds a preset correlation degree threshold, the malicious data feature value set is expanded with that data feature value. The malicious data feature value set can thus be continually corrected and optimized, which makes it possible to predict unknown network threats, defend the network proactively, and reduce the false-positive and false-negative rates of network malicious data intrusion detection.
Brief description of the drawings
In order to explain the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a specific example of the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 2 is a schematic diagram of a specific example of the deployment architecture of the network malicious data detection method in Embodiment 1 of the present invention;
Fig. 3 is a flow chart of a specific example of collecting network data in the network malicious data detection method of Embodiment 1 of the present invention;
Fig. 4 is a schematic diagram of a specific example of a technical implementation of network data acquisition in the network malicious data detection method of Embodiment 1 of the present invention;
Fig. 5 is a flow chart of a specific example of extracting data feature values from network data in the network malicious data detection method of Embodiment 1 of the present invention;
Fig. 6 is a flow chart of a specific example of obtaining the correlation degree in the network malicious data detection method of Embodiment 1 of the present invention;
Fig. 7 is a functional block diagram of a specific example of the network malicious data detection apparatus in Embodiment 2 of the present invention.
Reference numerals:
1 - data acquisition unit; 2 - data processing unit; 3 - data analysis unit; 4 - feedback regulation unit; 11 - capture subunit; 12 - storage subunit; 13 - mapping subunit; 21 - event analysis subunit; 22 - strategy interpreting subunit; 23 - extraction subunit; 31 - first prediction subunit; 32 - second prediction subunit; 33 - third prediction subunit; 34 - fourth prediction subunit; 35 - association analysis subunit.
Specific embodiments
The technical solutions of the embodiments of the present invention are described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the description of the embodiments of the present invention, it should be noted that terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" indicate orientations or positional relationships based on those shown in the drawings; they are used only to simplify the description of the embodiments and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore are not to be understood as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance.
In the description of the embodiments of the present invention, it should also be noted that, unless otherwise clearly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: a connection may for example be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal to two elements; wireless or wired. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific situation.
In addition, the technical features involved in the different embodiments of the invention described below can be combined with each other as long as they do not conflict.
Embodiment 1
The present embodiment provides a network malicious data detection method which, as shown in Fig. 1, comprises:
S1. Collect network data. Specifically, the network data of the local area network or internet that needs to be monitored can be collected continuously, or it can be collected once every preset time, for example every 5 s. The applicable collection mode can be chosen as needed according to the network environment and security level requirements of the local area network or internet being monitored.
S2. Extract the data feature values in the network data. Specifically, any data analysis method in the prior art can be selected to extract the data feature values in the network data, so as to obtain the state of the network environment of the currently monitored local area network or internet.
S3. Obtain the correlation degree between each data feature value and the malicious data feature values in the pre-stored malicious feature value set. Specifically, the malicious data feature values in the malicious feature value set can be obtained from network data gathered by long-term monitoring of one or more monitored samples. By obtaining the correlation degree between each data feature value and the malicious data feature values, even a data feature value that fails to match any malicious data feature value, and therefore belongs to the unknown data feature values, can be judged through its correlation degree with some malicious data feature value for the possibility that it is that malicious data feature value or will develop into it.
S4. Correct the malicious data feature values. This further comprises:
S41. Judge whether the correlation degree between some data feature value and a malicious data feature value exceeds the preset correlation degree threshold. If it does, go to step S42; if not, return to step S1. Specifically, the correlation degree threshold can be set according to the requirements of the specific monitored network environment or its security level: where the security level is high, the correlation degree threshold can be set relatively low, so that a data feature value is classed as a potential malicious data feature value even when the security threat it presents is not especially severe.
S42. Expand the malicious data feature value set with the data feature value. Specifically, if the collected network data contains a data feature value whose correlation degree with some malicious data feature value exceeds the preset correlation degree threshold, then even if that data feature value is not currently a malicious data feature value, the possibility that it will evolve into that malicious data feature value in the future is very high. By extending the malicious data feature value set with such data feature values, the set can be continually corrected and optimized, unknown network threats can be predicted, the network can be defended proactively, and the false-positive and false-negative rates of network malicious data intrusion detection are reduced.
Preferably, the present embodiment also provides another network malicious data detection method which, in addition to the above steps S1 to S4, further comprises the following steps S5 to S7:
S5. If the correlation degree between a data feature value and a malicious data feature value exceeds the preset correlation degree threshold, judge that data feature value to be a malicious data feature value and the network data corresponding to it to be network malicious data.
S6. Count the number of times network malicious data occurs within a preset duration. Specifically, the preset duration can be set according to the network environment, the network security level and similar circumstances; for example it can be 1 minute.
S7. Security defence. This further comprises:
S71. Judge whether the number exceeds the preset safety threshold. If it does, go to step S72; if not, go to step S73.
S72. Judge that a network anomaly exists and take a corresponding safety measure according to the degree of the network anomaly. Specifically, taking different safety measures for network anomalies of different degrees better fits the real network environment. For example, if the degree of the network anomaly is small, no action may be needed, whereas if the degree is large it may be necessary to execute an alarm, a notification or the like.
S73. Judge the network environment to be safe.
Preferably, the present embodiment also provides another network malicious data detection method which, in addition to the above steps S1 to S4 or S1 to S7, further comprises the following step S8:
S8. Dynamically adjust the preset safety threshold according to the number of times network malicious data occurs within the preset duration and the network environment during the same period. Specifically, by dynamically adjusting the preset safety threshold according to the fed-back number of occurrences of network malicious data within the preset duration and the network environment during the same period, the false-negative and false-positive rates of network malicious data intrusion detection can be reduced further.
Specifically, as shown in Fig. 2, the application program that executes the above steps S1 to S4 or S1 to S7 can be divided into a data collection layer, a data analysis layer and a data analysis layer. The data collection layer can use TAP components and FRONTEND components as the collection equipment and transmit the collected network data to multiple detection child nodes of the data analysis layer, which extract the data feature values; the detection child nodes then transmit the extracted data feature values to the analysis server of the data analysis layer. The analysis server stores the malicious feature value set in advance, which contains multiple malicious data feature values; after receiving the data feature values it obtains the correlation degree between each data feature value and the malicious data feature values, and if the correlation degree exceeds the preset correlation degree threshold it extends the malicious data feature value set with that data feature value, thereby updating and correcting the set. The management server of the data analysis layer then feeds the analysed network malicious data back to the detection child nodes, which count the number of occurrences of such network malicious data within the preset duration and, when the number exceeds the preset safety threshold, take safety measures such as logging, sending mail notifications or raising alarms according to the degree of the network anomaly, so as to guarantee the security of the network environment. At the same time, the detection child nodes can also dynamically adjust the preset safety threshold according to the counted number of occurrences of malicious network data within the preset duration and the network environment, further reducing the false-positive and false-negative rates of network malicious data detection. Preferably, the analysis server can also gather statistics on and summarise the various kinds of network malicious data obtained by analysis, draw the resulting charts as web page elements in a browser using a B/S visualisation framework, and present them on display devices such as monitors, so as to visualise the data; the presentation can take the form of area charts, data tables, line charts, pie charts, column charts and the like, which are simple and clear.
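To make the S1 to S8 loop concrete, the following Python is an added example and not the patent's code: it expands the malicious feature value set when the correlation degree exceeds the threshold (S41, S42), counts network malicious data inside a sliding preset duration (S6), grades the response with the Table 2 actions (S7) and adjusts the safety threshold (S8). Jaccard overlap of attribute pairs stands in for the association and prediction algorithms the patent leaves open; the thresholds, the S8 adjustment rule and the feature values are assumptions.

```python
"""Added example (not the patent's code): the S1 to S8 loop of Embodiment 1 on constructed
feature values. Jaccard overlap of attribute pairs stands in for the patent's open choice of
association/prediction algorithms; thresholds and the S8 adjustment rule are assumptions."""
from collections import deque

# Table 2 safety measures, ordered by degree of anomaly from low to high.
ACTIONS = ["ACTION_NONE", "ACTION_LOG", "ACTION_EMAIL", "ACTION_ALARM"]


def correlation_degree(feature: dict, malicious: dict) -> float:
    """Stand-in for S3: share of attribute=value pairs the two feature values have in common."""
    a, b = set(feature.items()), set(malicious.items())
    return len(a & b) / len(a | b)


class Detector:
    def __init__(self, malicious_set, corr_threshold=0.6, safe_threshold=3, window=60):
        self.malicious_set = list(malicious_set)  # pre-stored malicious feature value set
        self.corr_threshold = corr_threshold      # preset correlation degree threshold (S41)
        self.safe_threshold = safe_threshold      # preset safety threshold (S71)
        self.window = window                      # preset duration in seconds (S6)
        self.hits = deque()                       # timestamps of network malicious data

    def classify(self, feature: dict) -> bool:
        """S3, S41, S42, S5: expand the set and flag the data when correlation exceeds the threshold."""
        best = max(correlation_degree(feature, m) for m in self.malicious_set)
        if best > self.corr_threshold:
            if feature not in self.malicious_set:   # S42: unknown value, but highly correlated
                self.malicious_set.append(feature)
            return True                              # S5: its network data is network malicious data
        return False

    def observe(self, ts: float, feature: dict) -> str:
        """S6 and S7: count hits inside the sliding preset duration, then choose a Table 2 action."""
        if self.classify(feature):
            self.hits.append(ts)
        while self.hits and ts - self.hits[0] >= self.window:
            self.hits.popleft()                      # forget hits older than the preset duration
        excess = len(self.hits) - self.safe_threshold
        if excess <= 0:
            return ACTIONS[0]                        # S73: network environment judged safe
        return ACTIONS[min(excess, len(ACTIONS) - 1)]  # S72: graded by how far the count exceeds

    def adjust_threshold(self, busy_network: bool) -> int:
        """S8 (assumed rule): follow the recent hit count, doubled when the environment is busy."""
        baseline = max(1, len(self.hits))
        self.safe_threshold = baseline * 2 if busy_network else baseline
        return self.safe_threshold


def feat(resp_host: str, body_anomaly: bool) -> dict:
    """Constructed feature value for an HTTP exchange with www.baidu.com (Table 1 attributes plus one)."""
    return {"host": "www.baidu.com", "method": "GET", "resp_host": resp_host,
            "resp_mime_type": "text/html", "body_anomaly": body_anomaly}


def demo() -> dict:
    """Run a constructed stream through the detector and report what it did."""
    known_bad = feat("203.0.113.9", True)                 # pre-stored malicious feature value
    det = Detector([known_bad], corr_threshold=0.6, safe_threshold=1, window=60)
    stream = [(0, feat("61.135.169.125", False)),         # legitimate answer: 3 of 7 pairs shared
              (5, feat("203.0.113.9", True)),             # exact match of the known value
              (9, feat("203.0.113.10", True)),            # variant: 4 of 6 pairs shared, set expanded
              (12, feat("203.0.113.10", True)),
              (20, feat("203.0.113.10", True)),
              (100, feat("61.135.169.125", False))]       # by now the 60 s window has emptied
    actions = [det.observe(ts, f) for ts, f in stream]
    return {"actions": actions, "set_size": len(det.malicious_set),
            "threshold_after": det.adjust_threshold(busy_network=True)}
```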
Preferably, as shown in Fig. 3, in each of the above embodiments step S1 comprises:
S11. Capture network data.
S12. Shunt the network data into a corresponding circular buffer area according to the current network environment and storage pressure. Specifically, before the captured network data is written into the circular buffer area, the write index needs to be positioned, and after the network data is written, the write index is moved to the end of the data queue. Because the circular buffer area is ring-shaped, there is no need to allocate and release buffer areas frequently, which reduces performance loss.
S13. When reading network data, map the network data stored in the corresponding circular buffer area directly to the user layer.
Specifically, as shown in Fig. 4, steps S11 to S13 can be executed using a TAP component and a FRONTEND component. The TAP component can be attached in bypass mode to the network environment (including a local area network or the internet) from which network data needs to be collected. Data acquisition is implemented by the HIGHCAP module in the TAP component, which supports data acquisition from multiple 10 Gb/s network interface cards, can shunt network data at up to 1 Gb/s, provides multi-channel data source support for the distributed nodes of the back end, and at the same time reduces the cost and pressure of back-end data processing. After the HIGHCAP module is attached in bypass mode to the network environment (including a local area network and the internet), it can capture link-layer data frames, rewrite the destination MAC address in the frame header to the MAC address of the monitoring client, and replicate and send the data frames to the specified monitoring client. After the monitoring client captures the network data, it performs load balancing, shunts the data according to the network environment and the processing pressure of the back end, and writes the network data into the circular buffer area. The RING-SOCK module in the FRONTEND component is implemented using a circular buffer area and direct memory access (DMA), which guarantees data access efficiency and reduces packet loss and performance loss. Preferably, because the detection child nodes need to obtain the network data in the circular buffer area from the user layer when reading data, direct memory access (DMA) technology can be used to map the network data directly to the user layer in the process, so as to avoid copying network data from the circular buffer area into user-layer memory space; this can further improve the reading efficiency of network data while reducing performance loss.
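As an added example (not code from the patent), here is a small Python ring buffer in the spirit of steps S11 to S13: frames are written into pre-allocated slots behind a write index, several rings are chosen between by storage pressure, and reads hand back a view of the slot rather than a copy. The slot size, ring count and frame contents are constructed assumptions.

```python
"""Added example (not the patent's code): a fixed-size ring buffer for captured frames in the
spirit of S11 to S13, shunting across rings by storage pressure and zero-copy reads.
Slot size, ring count and the frames are assumptions made for illustration."""

SLOT_SIZE = 64  # assumed maximum frame size per slot, in bytes


class RingBuffer:
    """Ring over one pre-allocated bytearray: slots are reused, never re-allocated (S12)."""

    def __init__(self, slots: int):
        self.slots = slots
        self.slab = bytearray(slots * SLOT_SIZE)   # backing storage, allocated once
        self.lengths = [0] * slots                 # payload length held in each slot
        self.write_idx = 0                         # the "write index" of S12
        self.read_idx = 0
        self.count = 0
        self.dropped = 0

    def pressure(self) -> float:
        """Fraction of the ring in use; the shunt treats it as storage pressure."""
        return self.count / self.slots

    def write(self, frame: bytes) -> bool:
        """Position the write index, copy the frame in, then move the index to the queue end."""
        if self.count == self.slots or len(frame) > SLOT_SIZE:
            self.dropped += 1          # a full ring drops rather than allocating more memory
            return False
        start = self.write_idx * SLOT_SIZE
        self.slab[start:start + len(frame)] = frame
        self.lengths[self.write_idx] = len(frame)
        self.write_idx = (self.write_idx + 1) % self.slots
        self.count += 1
        return True

    def read(self):
        """Return a memoryview over the slot (no copy into consumer memory, cf. S13), or None."""
        if self.count == 0:
            return None
        start = self.read_idx * SLOT_SIZE
        view = memoryview(self.slab)[start:start + self.lengths[self.read_idx]]
        self.read_idx = (self.read_idx + 1) % self.slots
        self.count -= 1
        return view


class Shunt:
    """Distribute captured frames across rings, always into the ring under least pressure."""

    def __init__(self, rings: int, slots: int):
        self.rings = [RingBuffer(slots) for _ in range(rings)]

    def write(self, frame: bytes) -> int:
        """Write the frame into the least-loaded ring; return its index, or -1 if dropped."""
        target = min(range(len(self.rings)), key=lambda i: self.rings[i].pressure())
        return target if self.rings[target].write(frame) else -1


def demo() -> dict:
    """Constructed traffic: five frames through two rings of two slots each; the fifth is dropped."""
    shunt = Shunt(rings=2, slots=2)
    placement = [shunt.write(b"frame-%d" % i) for i in range(5)]
    first = shunt.rings[0].read()          # a view, not a copy; compares equal to the bytes written
    return {"placement": placement,
            "first_is_view": isinstance(first, memoryview),
            "first_bytes": bytes(first),
            "dropped": sum(r.dropped for r in shunt.rings)}
```

A returned memoryview aliases the slot, so the consumer must finish with it before that slot is written again; a DMA-mapped ring shares exactly that hazard.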
Preferably, as shown in Fig. 5, in each of the above embodiments step S2 comprises:
S21. Use an event analysis engine to filter and analyse the specific protocols in the network data and the resulting network events.
S22. Use a strategy interpreting engine to monitor and analyse the behavioural features of each network event.
S23. Take each network event together with its corresponding behavioural features as the data feature values of the network data. Preferably, the rules of the event analysis engine and the strategy interpreting engine are written in a scripting language.
Specifically, the rules of the event analysis engine and the strategy interpreting engine can be written as scripts in the Bro language. This scripting language uses an event-driven mechanism and presets a variety of event handling functions for today's mainstream network protocols and application protocols, covering the state of each stage of protocol communication such as connection, request and response, as well as header parsing and data analysis during data transmission; these can be combined in a user-defined way to realise hybrid analysis of multiple protocols and cope with today's complex and changeable network environments.
Table 1: HTTP request information analysed and recorded by the event processing engine (example request address www.baidu.com)
As shown in Table 1, a strategy specified in the strategy interpreting engine contains three attributes:
(1) the IP address corresponding to the domain name www.baidu.com, resp_host=61.135.169.125;
(2) the request method, method=GET;
(3) the response content attribute, resp_mime_type=text/html.
If the returned response data satisfies all three attributes of this strategy, the access is normal. If the returned response is found to have a tampered IP address, or a response content attribute that is inconsistent with the strategy definition, this indicates DNS or traffic hijacking and further analysis is needed.
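The strategy check above, as an added Python example (not the patent's Bro rules): the response head of each exchange is parsed, Content-Type parameters are stripped before the resp_mime_type attribute is compared, and more than one allowed resp_host value is accepted, which goes slightly beyond the page's single-address rule. The second address, the event layout and the sample exchanges are constructed assumptions.

```python
"""Added example (not the patent's Bro rules): a strategy check on the three Table 1 attributes,
applied to HTTP exchanges whose response head is parsed here. The second allowed resp_host,
the event layout and the sample exchanges are constructed assumptions."""


def parse_response_head(raw: bytes) -> dict:
    """Minimal parse of a constructed HTTP response head: status code and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(status_line.split()[1]), "headers": headers}


def mime_of(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html': parameters are not part of the attribute."""
    return content_type.split(";", 1)[0].strip().lower()


# Strategy for www.baidu.com with the three Table 1 attributes; a domain may resolve to more
# than one address, so resp_host is a set (the second address is an assumption).
POLICY = {"host": "www.baidu.com",
          "resp_host": {"61.135.169.125", "61.135.169.121"},
          "method": "GET",
          "resp_mime_type": "text/html"}


def check(event: dict, policy: dict = POLICY) -> dict:
    """Compare one exchange with the strategy; a failed resp_host or resp_mime_type suggests hijacking."""
    failed = []
    if event["resp_host"] not in policy["resp_host"]:
        failed.append("resp_host")          # IP address tampered (DNS hijacking)
    if event["method"] != policy["method"]:
        failed.append("method")
    if mime_of(event["resp_mime_type"]) != policy["resp_mime_type"]:
        failed.append("resp_mime_type")     # content attribute inconsistent (traffic hijacking)
    return {"normal": not failed, "failed": failed,
            "hijack_suspected": bool({"resp_host", "resp_mime_type"} & set(failed))}


def build_event(host: str, method: str, resp_host: str, raw_response: bytes) -> dict:
    """Assemble the event the strategy interpreting engine would see from a captured exchange."""
    parsed = parse_response_head(raw_response)
    return {"host": host, "method": method, "resp_host": resp_host, "status": parsed["status"],
            "resp_mime_type": parsed["headers"].get("content-type", "")}


# Constructed exchanges: a normal answer, a tampered address, and a wrong content type.
NORMAL = build_event("www.baidu.com", "GET", "61.135.169.125",
                     b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>")
TAMPERED_HOST = build_event("www.baidu.com", "GET", "203.0.113.9",
                            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>")
WRONG_CONTENT = build_event("www.baidu.com", "GET", "61.135.169.125",
                            b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n")
```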
Table 2: types of safety measure
ACTION_NONE    execute no action
ACTION_LOG     execute log recording
ACTION_EMAIL   execute mail notification
ACTION_ALARM   execute alarm notification
As shown in Table 2, the safety measures taken can be arranged in order of the degree of anomaly from low to high as: execute no action, execute log recording, execute mail notification and execute alarm notification. This realises graded handling of safety precautions.
In the network malicious data detection method of the present embodiment, the rules of the event analysis engine and the strategy interpreting engine are written in a scripting language, so every network event and its corresponding behavioural features can be effectively detected and recorded from both the dynamic and the static aspects. Because modification and addition are based on a scripting language and easy to operate, users and operation and maintenance staff need only basic development knowledge to add rules according to the actual network conditions, without waiting for or purchasing upgrades from the manufacturer; this ensures that monitoring gaps in the network environment are repaired in time while also reducing the cost of operation and maintenance.
Preferably, as shown in Fig. 6, in each of the above embodiments step S32 comprises:
S321. Predict the possibility that any given data feature value is any given malicious data feature value.
S322. Predict the association possibility. This further comprises:
S3221. Judge whether the possibility that a data feature value is a given malicious data feature value is lower than a preset value. If it is lower, go to step S3222; if it is not lower, go to step S325.
S3222. Predict the possibility that an association exists between the data feature value and the malicious data feature value.
S323. Predict the possibility that the malicious data feature value appears.
S324. From the possibility that an association exists between the data feature value and the malicious data feature value, together with the possibility that the malicious data feature value appears, predict the possibility that the data feature value evolves into the malicious data feature value.
S325. From the possibility that the data feature value is the malicious data feature value, or the possibility that the data feature value evolves into the malicious data feature value, determine the correlation degree between the data feature value and the malicious data feature value.
Specifically, association algorithms (such as the Apriori algorithm and the FP-Tree algorithm) and prediction algorithms (such as logistic regression, ridge regression and CART regression trees) can be used to perform association prediction on the possibility that a data feature value is a given malicious data feature value, the possibility that an association exists between the data feature value and the malicious data feature value, the possibility that the malicious data feature value appears, and so on, and thereby to obtain the correlation degree between the data feature value and the malicious data feature value. Unknown network threats are in this way predicted and judged, realising active defence of network security.
For example, suppose an HTTP connection request is initiated to the domain name www.baidu.com, and the returned network data contains data feature values such as a tampered response host IP address resp_host and partly abnormal web page content; this set of feature values is defined here as X.
The correlation degree between data feature value X and a pre-stored malicious data feature value Y is obtained using the association algorithm and the prediction algorithm. It is found that the correlation degree between X and malicious data feature value Y is as high as 90%, but that the degree of association with the feature resp_host of malicious data feature value Y is small; X may therefore be a variant of malicious data feature value Y. In that case data feature value X is also regarded as a malicious data feature value and added to the malicious data feature value set, and the resp_host in data feature value X is associated with it. If the resp_host features of X and Y lie in the same network segment or are extremely similar, it can be predicted on the basis of this feature that network data coming from that network segment is network malicious data, and it can be blocked directly or analysed and processed.
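The steps S321 to S325 and the www.baidu.com illustration above, as an added runnable model (this is example code written for this page, not code from patent CN106101130B). The patent names only algorithm families (Apriori/FP-Tree, logistic/ridge/CART regression) and fixes none, so the concrete scores are assumptions: Jaccard overlap stands in for "X is Y", Apriori-style rule confidence for "an association exists", support for "Y appears", and a geometric mean combines the last two. The feature values X, Y, Z and B, the transaction history, the thresholds and the addresses (RFC 5737 documentation ranges) are all constructed here.

```python
# Added example (not code from patent CN106101130B): a runnable model of steps
# S321-S325 and of the feature-set expansion they feed. All scoring choices,
# thresholds, feature values and history below are assumptions/constructed data.
import ipaddress

PRESET_IS_VALUE = 0.7          # S3221 "preset value" (assumed)
CORRELATION_THRESHOLD = 0.5    # "preset correlation degree threshold" (assumed)

# A data feature value is a frozenset of "field=value" tokens from one response.
Y = frozenset({"req_host=www.baidu.com", "resp_host=203.0.113.5",
               "content=injected_script"})           # stored malicious value
X = frozenset({"req_host=www.baidu.com", "resp_host=203.0.113.9",
               "content=injected_script"})           # suspected variant of Y
Z = Y | {"ttl=64"}                                   # near-identical to Y
B = frozenset({"req_host=www.baidu.com", "resp_host=198.51.100.20",
               "content=ok"})                        # benign response

# Transaction history for the association algorithm: each entry is the set of
# tokens seen from one client in one time window, so tokens of X and Y can
# co-occur when the tampered response host rotates. Constructed.
HISTORY = [X | Y, X | Y, X, Y | {"ttl=64"}, B, B, X | Y, Y, B, X]


def p_is(x, y):
    """S321: possibility that X is Y, modelled as Jaccard overlap of tokens."""
    union = x | y
    return len(x & y) / len(union) if union else 0.0


def support(history, items):
    """Fraction of transactions containing every token in `items`."""
    return sum(1 for t in history if items <= t) / len(history)


def p_assoc(history, x, y):
    """S3222: Apriori-style confidence conf(X -> Y) = supp(X u Y) / supp(X)."""
    sx = support(history, x)
    return support(history, x | y) / sx if sx else 0.0


def p_appears(history, y):
    """S323: possibility that Y appears, modelled as its support."""
    return support(history, y)


def p_evolves(assoc, appears):
    """S324: combine association and appearance into "X evolves into Y"
    (geometric mean, an assumption: both factors must be non-zero)."""
    return (assoc * appears) ** 0.5


def correlation_degree(history, x, y):
    """S3221/S325: a high direct score is used as-is; otherwise the
    evolution estimate becomes the correlation degree."""
    direct = p_is(x, y)
    if direct >= PRESET_IS_VALUE:
        return direct
    return p_evolves(p_assoc(history, x, y), p_appears(history, y))


def expand_malicious_set(history, observed, malicious):
    """Add every observed feature value whose correlation degree with some
    stored malicious value exceeds the threshold. Returns the new set and the
    (x, y, degree) triples that justified each addition."""
    malicious = set(malicious)
    reasons = []
    for x in observed:
        for y in list(malicious):
            d = correlation_degree(history, x, y)
            if d > CORRELATION_THRESHOLD:
                malicious.add(x)
                reasons.append((x, y, round(d, 3)))
                break
    return malicious, reasons


def shared_segment(x, y, prefix=24):
    """The patent's follow-up: if resp_host of X and Y lie in one network
    segment, traffic from that segment can be blocked or analysed. Returns
    the shared network or None. The /24 segment size is an assumption."""
    def resp_host(fv):
        for tok in fv:
            if tok.startswith("resp_host="):
                return ipaddress.ip_address(tok.split("=", 1)[1])
        return None
    hx, hy = resp_host(x), resp_host(y)
    if hx is None or hy is None:
        return None
    net = ipaddress.ip_network(f"{hx}/{prefix}", strict=False)
    return net if hy in net else None


if __name__ == "__main__":
    new_set, reasons = expand_malicious_set(HISTORY, [X, B, Z], {Y})
    for x, y, d in reasons:
        print(sorted(x), "->", d, "segment:", shared_segment(x, y))
```

With this history X is added through the evolution branch (direct overlap 0.5 is below the preset value, but conf(X -> Y) = 0.6 and supp(Y) = 0.5 give a degree of about 0.55), Z is added through the direct branch (overlap 0.75), and the benign B is never added because it never co-occurs with Y. Whatever scoring is substituted, the two branches of S3221 and the expansion threshold are the pieces that have to be tuned together: a low preset value pushes everything into the direct branch and the association step is never exercised.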
Embodiment 2
This embodiment provides a network malicious data detection device, as shown in Fig. 7, comprising:
Data acquisition unit 1, for acquiring network data.
Data processing unit 2, for extracting the data feature values in the network data.
Data analysis unit 3, for obtaining the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set, and, if the correlation degree between some data feature value and a malicious data feature value exceeds a preset correlation degree threshold, expanding the malicious data feature value set with that data feature value. Specifically, if the correlation degree between a data feature value in the acquired network data and a malicious data feature value exceeds the preset correlation degree threshold, then even if that data feature value is not currently a malicious data feature value, the possibility that it evolves into the malicious data feature value in future is very high. By extending the malicious data feature value set with such data feature values, the set is continuously corrected and optimised, unknown network threats are predicted and judged, active defence of network security is realised, and the false positive and false negative rates of network malicious data intrusion detection are reduced.
Preferably, this embodiment provides another network malicious data detection device which, on the basis of the above embodiment, has data analysis unit 3 further configured to judge, when the correlation degree between a data feature value and a malicious data feature value exceeds the preset correlation degree threshold, that the data feature value is a malicious data feature value and that the network data corresponding to it is network malicious data.
Data processing unit 2 is further configured to count the number of times network malicious data occurs within a preset duration and, when the number exceeds a preset safe threshold, to judge that a network anomaly exists and to take a corresponding safety measure according to the intensity of the anomaly. Specifically, different safety measures are taken for network anomalies of different intensity, which better matches the real network environment. For example, if the degree of the anomaly is small, no action may be needed at all, while if the degree of the anomaly is large, an alert notification or similar may need to be issued.
Preferably, this embodiment provides a further network malicious data detection device which, on the basis of the above embodiment, further comprises feedback regulation unit 4, for dynamically adjusting the preset safe threshold according to the number of times network malicious data occurred within the preset duration and the network environment during the same period. Specifically, by dynamically adjusting the preset safe threshold from the fed-back count of network malicious data in the preset duration and the network environment in the same period, the false negative and false positive rates of network malicious data intrusion detection can be reduced further.
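The counting step of data processing unit 2 and the threshold feedback of feedback regulation unit 4, as an added example (example code written for this page, not the patent's own). The patent fixes neither the severity bands, nor the measures attached to them, nor the adjustment rule; the bands, the EWMA baseline, the factor of three between baseline and threshold, the `env_load` knob standing in for "the network environment in the same period", and the rule that the baseline learns only from windows that were not anomalous are all assumptions. Timestamps and hit counts are constructed.

```python
# Added example (not code from patent CN106101130B): sliding-window count of
# malicious data hits, severity-graded measures, and a feedback-adjusted safe
# threshold. Bands, EWMA baseline and margin are assumptions.
from collections import deque


class AnomalyMonitor:
    """Counts network malicious data hits inside a sliding window (the
    "preset duration") and grades the response by how far the count exceeds
    the safe threshold, which feedback() adjusts over time."""

    def __init__(self, window_s=60, base_threshold=5, alpha=0.2, margin=3.0):
        self.window_s = window_s            # preset duration in seconds
        self.floor = base_threshold         # threshold never drops below this
        self.threshold = base_threshold     # current (dynamic) safe threshold
        self.alpha = alpha                  # EWMA smoothing factor (assumed)
        self.margin = margin                # threshold = margin * baseline (assumed)
        self.baseline = 0.0                 # EWMA of per-window hit counts
        self.hits = deque()                 # timestamps of malicious data hits

    def _expire(self, now):
        # Keep only hits inside the half-open window (now - window_s, now].
        while self.hits and self.hits[0] <= now - self.window_s:
            self.hits.popleft()

    def record_malicious(self, ts):
        """Called when a data feature value has been judged malicious."""
        self.hits.append(ts)
        self._expire(ts)

    def count(self, now):
        self._expire(now)
        return len(self.hits)

    def severity(self, now):
        """Intensity of the anomaly: count relative to the safe threshold.
        Values above 1.0 mean "a network anomaly exists"."""
        return self.count(now) / self.threshold

    def measure(self, now):
        """Safety measure graded by severity (bands are assumptions)."""
        s = self.severity(now)
        if s <= 1.0:
            return "none"      # small anomaly degree: no action needed
        if s <= 2.0:
            return "alert"     # notify operators
        return "block"         # large anomaly degree: block the source

    def feedback(self, now, env_load=1.0):
        """Feedback regulation: re-derive the safe threshold from the hit count
        of the window just ended and the network environment in the same period
        (env_load > 1.0 models a busier network). The baseline is updated only
        from windows that were not anomalous, so a burst cannot raise the
        threshold and hide itself."""
        c = self.count(now)
        if c <= self.threshold:
            self.baseline = self.alpha * c + (1 - self.alpha) * self.baseline
        self.threshold = max(self.floor, round(self.baseline * self.margin * env_load))
        return self.threshold


def simulate(windows=20, hits_per_window=3, window_s=60):
    """Constructed scenario: a steady background of hits per window (the
    threshold learns it), then a 25-hit burst. Returns the learned threshold,
    the measure taken during the burst, and the threshold after the burst."""
    m = AnomalyMonitor(window_s=window_s)
    for w in range(windows):
        for offset in (10, 20, 30)[:hits_per_window]:
            m.record_malicious(w * window_s + offset)
        m.feedback(w * window_s + window_s - 1)
    learned = m.threshold
    t = windows * window_s
    for i in range(25):
        m.record_malicious(t + i)
    return learned, m.measure(t + 25), m.feedback(t + 25)


if __name__ == "__main__":
    print(simulate())   # the threshold settles at 9, the burst is "block"ed, and stays 9
```

The guard in `feedback()` is the part worth keeping whatever rule replaces the EWMA: if the threshold is re-derived from every window including anomalous ones, a sustained attack teaches the monitor that its own rate is normal, which is the false-negative case the feedback unit is meant to reduce.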
Preferably, in the network malicious data detection device of this embodiment, data acquisition unit 1 comprises:
Capture subunit 11, for capturing network data.
Storage subunit 12, for shunting the network data into the corresponding circular buffer area for storage according to the current network environment and storage pressure.
Preferably, data acquisition unit 1 further comprises mapping subunit 13, for mapping the network data stored in the corresponding circular buffer area directly into user space when the network data is read.
Preferably, in the network malicious data detection device of this embodiment, data processing unit 2 comprises:
Event analysis subunit 21, for using an event analysis engine to filter and analyse specific protocols in the network data and the network events generated from them.
Policy interpretation subunit 22, for using a policy interpretation engine to monitor and analyse the behavioural features of each network event.
Extraction subunit 23, for taking each network event together with its corresponding behavioural features as the data feature values of the network data. Preferably, the rules of the event analysis engine and the policy interpretation engine are written in a scripting language.
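The scripted event analysis and policy interpretation described for subunits 21 to 23 (and the script-based rule maintenance the method embodiment relies on), as an added example written for this page rather than taken from the patent. The patent says only that the rules of both engines are written in a scripting language; here the "script" is a Python source string loaded at run time, so adding a protocol is a few appended lines and no change to the engine. The record fields, the protocols covered, the rule bodies and the `EVENT_RULES`/`POLICY_RULES` tables are constructed for illustration.

```python
# Added example (not code from patent CN106101130B): a minimal scripted
# event-analysis / policy-interpretation engine in the shape of data
# processing unit 2. Record layout and rules are constructed.
import types

# Constructed capture records, as the acquisition unit would hand them over.
RECORDS = [
    {"proto": "http", "src": "10.0.0.8", "dst": "203.0.113.5",
     "host": "www.baidu.com", "status": 200,
     "body": "<html><script src='http://203.0.113.5/x.js'></script></html>"},
    {"proto": "http", "src": "10.0.0.8", "dst": "198.51.100.20",
     "host": "www.baidu.com", "status": 200, "body": "<html>ok</html>"},
    {"proto": "dns", "src": "10.0.0.8", "dst": "10.0.0.1",
     "qname": "www.baidu.com", "answers": ["203.0.113.5"]},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.2", "flags": "S"},
]

# Operator-maintained rule script. EVENT_RULES maps a protocol to a function
# turning a record into a network event (None drops it); POLICY_RULES maps an
# event type to a function deriving its behavioural features.
RULE_SCRIPT = r'''
def http_event(r):
    if r["status"] >= 400:
        return None                      # error responses are not analysed
    return {"type": "http_response", "req_host": r["host"],
            "resp_host": r["dst"], "body": r["body"]}

def dns_event(r):
    return {"type": "dns_answer", "qname": r["qname"], "answers": r["answers"]}

EVENT_RULES = {"http": http_event, "dns": dns_event}

def http_policy(e):
    # Behavioural feature: does the page load a script from the responding host?
    injected = "<script src='http://%s/" % e["resp_host"] in e["body"]
    return {"content": "injected_script" if injected else "ok"}

def dns_policy(e):
    return {"answer_count": len(e["answers"])}

POLICY_RULES = {"http_response": http_policy, "dns_answer": dns_policy}
'''

# A rule added later by the operator, without touching the engine code.
TCP_RULE = r'''
def tcp_event(r):
    return {"type": "tcp_flags", "src": r["src"], "flags": r["flags"]}
EVENT_RULES["tcp"] = tcp_event
POLICY_RULES["tcp_flags"] = lambda e: {"syn_only": e["flags"] == "S"}
'''


def load_rules(*scripts):
    """Execute the rule scripts in one fresh namespace and return both rule
    tables. The scripts run with the engine's privileges, so the rule store
    must be as trusted and integrity-protected as the engine binary itself."""
    ns = types.ModuleType("rules")
    for script in scripts:
        exec(script, ns.__dict__)
    return ns.EVENT_RULES, ns.POLICY_RULES


def extract_feature_values(records, event_rules, policy_rules):
    """Subunit 21 filters records by protocol into events, subunit 22 attaches
    behavioural features, subunit 23 emits (event, features) as the data
    feature value of each record."""
    values = []
    for r in records:
        make_event = event_rules.get(r["proto"])
        if make_event is None:
            continue                     # protocol has no rule yet
        event = make_event(r)
        if event is None:
            continue
        features = policy_rules.get(event["type"], lambda e: {})(event)
        values.append((event, features))
    return values


if __name__ == "__main__":
    rules = load_rules(RULE_SCRIPT, TCP_RULE)
    for event, features in extract_feature_values(RECORDS, *rules):
        print(event["type"], features)
```

The flexibility the patent advertises cuts both ways: whoever can edit the rule script has code execution on the sensor, so in a deployment the rule files need the same access control, signing or change review as the engine itself, and the loader should refuse rules that fail that check rather than silently running them.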
Preferably, in the network malicious data detection device of this embodiment, data analysis unit 3 comprises:
First prediction subunit 31, for predicting the possibility that any given data feature value is any given malicious data feature value.
Second prediction subunit 32, for predicting, when the possibility predicted by first prediction subunit 31 that a data feature value is a given malicious data feature value is lower than a preset value, the possibility that an association exists between that data feature value and that malicious data feature value.
Third prediction subunit 33, for predicting the possibility that the malicious data feature value appears.
Fourth prediction subunit 34, for predicting, from the possibility that an association exists between the data feature value and the malicious data feature value and the possibility that the malicious data feature value appears, the possibility that the data feature value evolves into the malicious data feature value.
Association analysis subunit 35, for determining the correlation degree between the data feature value and the malicious data feature value from the possibility that the data feature value is the malicious data feature value or the possibility that the data feature value evolves into the malicious data feature value.
Embodiment 3
This embodiment provides a network malicious data detection system, comprising the network malicious data detection device of embodiment 2 and a display device.
Display device, for receiving and displaying the data sent by the network malicious data detection device. Specifically, the display device may be a display screen.
In the malicious data detection system of this embodiment, when the correlation degree between a data feature value and a malicious data feature value exceeds the preset correlation degree threshold, the network malicious data detection device expands the malicious data feature value set with that data feature value. The malicious data feature value set can thus be continuously corrected and optimised, unknown network threats are predicted and judged, active defence of network security is realised, and the false positive and false negative rates of network malicious data intrusion detection are reduced.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be realised by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Claims (9)

1. A network malicious data detection method, characterised by comprising:
acquiring network data;
extracting the data feature values in the network data;
obtaining the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set, comprising:
predicting the possibility that any given one of the data feature values is any given one of the malicious data feature values;
if the possibility that a given data feature value is a given malicious data feature value is lower than a preset value, predicting the possibility that an association exists between that data feature value and that malicious data feature value;
predicting the possibility that the malicious data feature value appears;
predicting, from the possibility that an association exists between the data feature value and the malicious data feature value and the possibility that the malicious data feature value appears, the possibility that the data feature value evolves into the malicious data feature value;
determining the correlation degree between the data feature value and the malicious data feature value from the possibility that the data feature value is the malicious data feature value or the possibility that the data feature value evolves into the malicious data feature value; and, if the correlation degree between a given data feature value and the malicious data feature value exceeds a preset correlation degree threshold, expanding the malicious data feature value set with that data feature value.
2. The method according to claim 1, characterised by further comprising:
if the correlation degree between the data feature value and the malicious data feature value exceeds the preset correlation degree threshold, judging that the data feature value is a malicious data feature value and that the network data corresponding to the data feature value is network malicious data;
counting the number of times the network malicious data occurs within a preset duration;
if the number exceeds a preset safe threshold, judging that a network anomaly exists, and taking a corresponding safety measure according to the intensity of the network anomaly.
3. The method according to claim 2, characterised by further comprising:
dynamically adjusting the preset safe threshold according to the number of times the network malicious data occurred within the preset duration and the network environment during the same period.
4. The method according to any one of claims 1 to 3, characterised in that acquiring the network data comprises:
capturing network data;
shunting the network data into the corresponding circular buffer area for storage according to the current network environment and storage pressure.
5. The method according to claim 4, characterised in that acquiring the network data further comprises: when reading the network data, mapping the network data stored in the corresponding circular buffer area directly into user space.
6. The method according to any one of claims 1 to 3, characterised in that extracting the data feature values in the network data comprises:
using an event analysis engine to filter and analyse specific protocols in the network data and the network events generated from them;
using a policy interpretation engine to monitor and analyse the behavioural features of each network event;
taking each network event together with its corresponding behavioural features as the data feature values of the network data.
7. The method according to claim 6, characterised in that the rules of the event analysis engine and the policy interpretation engine are written in a scripting language.
8. A network malicious data detection device, characterised by comprising:
a data acquisition unit (1), for acquiring network data;
a data processing unit (2), for extracting the data feature values in the network data;
a data analysis unit (3), for obtaining the correlation degree between each data feature value and the malicious data feature values in a pre-stored malicious feature value set, comprising:
predicting the possibility that any given one of the data feature values is any given one of the malicious data feature values;
if the possibility that a given data feature value is a given malicious data feature value is lower than a preset value, predicting the possibility that an association exists between that data feature value and that malicious data feature value;
predicting the possibility that the malicious data feature value appears;
predicting, from the possibility that an association exists between the data feature value and the malicious data feature value and the possibility that the malicious data feature value appears, the possibility that the data feature value evolves into the malicious data feature value;
determining the correlation degree between the data feature value and the malicious data feature value from the possibility that the data feature value is the malicious data feature value or the possibility that the data feature value evolves into the malicious data feature value;
if the correlation degree between a given data feature value and the malicious data feature value exceeds a preset correlation degree threshold, expanding the malicious data feature value set with that data feature value.
9. A network malicious data detection system, characterised by comprising the network malicious data detection device according to claim 8 and a display device;
the display device being for receiving and displaying the data sent by the network malicious data detection device.
CN201610537326.7A 2016-07-08 2016-07-08 A kind of network malicious data detection method, apparatus and system Active CN106101130B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610537326.7A CN106101130B (en) 2016-07-08 2016-07-08 A kind of network malicious data detection method, apparatus and system

Publications (2)

Publication Number Publication Date
CN106101130A CN106101130A (en) 2016-11-09
CN106101130B true CN106101130B (en) 2019-05-17

Family

ID=57212837

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610537326.7A Active CN106101130B (en) 2016-07-08 2016-07-08 A kind of network malicious data detection method, apparatus and system

Country Status (1)

Country Link
CN (1) CN106101130B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685719A (en) * 2016-12-30 2017-05-17 郑州云海信息技术有限公司 Network card performance optimization method and network card performance optimization system
CN107332738A (en) * 2017-07-26 2017-11-07 成都科来软件有限公司 A kind of method and system of quick discovery network probe
CN109815725B (en) * 2017-11-20 2020-12-25 北京金融资产交易所有限公司 System and method for realizing data safety processing
CN108460279A (en) * 2018-03-12 2018-08-28 北京知道创宇信息技术有限公司 Attack recognition method, apparatus and computer readable storage medium
CN110046253B (en) * 2019-04-10 2022-01-04 广州大学 Language conflict prediction method
CN110381063A (en) * 2019-07-22 2019-10-25 秒针信息技术有限公司 A kind of method and device of determining cheating flow
CN110650135B (en) * 2019-09-20 2022-06-21 腾讯科技(深圳)有限公司 Node processing method, related equipment and computer readable storage medium
CN110932933B (en) * 2019-11-15 2020-11-06 掌阅科技股份有限公司 Network condition monitoring method, computing device and computer storage medium
CN111740957A (en) * 2020-05-21 2020-10-02 江苏信息职业技术学院 Automatic XSS attack detection method based on FP-tree optimization
CN113254928B (en) * 2021-05-14 2023-03-17 重庆贝特计算机系统工程有限公司 Remote malicious code identification method based on industrial internet
CN116302582A (en) * 2023-05-26 2023-06-23 北京固加数字科技有限公司 Stock exchange platform load balancing control system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105530265A (en) * 2016-01-28 2016-04-27 李青山 Mobile Internet malicious application detection method based on frequent itemset description
WO2016064919A1 (en) * 2014-10-21 2016-04-28 Abramowitz Marc Lauren Dynamic security rating for cyber insurance products
WO2016084073A1 (en) * 2014-11-25 2016-06-02 enSilo Ltd. Systems and methods for malicious code detection
CN105681339A (en) * 2016-03-07 2016-06-15 重庆邮电大学 Incremental intrusion detection method fusing rough set theory and DS evidence theory
KR20160074342A (en) * 2014-12-18 2016-06-28 광주과학기술원 Method for Detecting Intrusion in Network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190627

Address after: 101102 Guangguancun Science and Technology Park, Tongzhou District, Beijing, 21 Jiachuang Road, Photoelectric and Electrical Integration Industrial Base

Co-patentee after: Beijing E-Hualu Information Technology Co., Ltd.

Patentee after: Guofurui Data Systems Co., Ltd.

Address before: 100043, 9, Fuhua stone road, Shijingshan District, Beijing, China 165

Patentee before: Beijing E-Hualu Information Technology Co., Ltd.
