CN106101162A - Cross-session-flow network attack screening method - Google Patents


Info

Publication number: CN106101162A
Authority: CN (China)
Prior art keywords: stream, session, definition, network, attack
Legal status: Pending
Application number: CN201610764283.6A
Other languages: Chinese (zh)
Inventors: 罗鹰, 王思宇, 林康
Current assignee: CHENGDU COLASOFT Co Ltd
Original assignee: CHENGDU COLASOFT Co Ltd
Priority date: 2016-08-31
Filing date: 2016-08-31
Publication date: 2016-11-09

Timeline: 2016-08-31, application filed by CHENGDU COLASOFT Co Ltd, priority to CN201610764283.6A; 2016-11-09, publication of CN106101162A; current legal status: Pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention provides a cross-session-flow network attack screening method. The method comprises: a step of abstractly defining in advance, from three aspects, the session-flow features that belong to a cross-session-flow network attack behaviour; a step of four-tuple definition analysis of individual session flows; a step of flow feature definition analysis of individual session flows; and a step of inter-flow feature matching among the session flows. The system filters session flows along three dimensions and can match on each of them separately, so it can handle attacks that have no single-packet signature and span several network session flows, can fully detect new advanced network attacks from the inter-flow features it has captured, and improves the ability to discover new network attacks in anti-data-theft work.

Description

Cross-session-flow network attack screening method
Technical field
The invention belongs to the technical field of network attack analysis and relates in particular to a cross-session-flow network attack screening method.
Background technology
As network attacks grow ever more complex, the traditional detection approach based on matching single-packet signatures is increasingly unable to cope with new attacks. At present, APT (advanced persistent threat) attacks hide all of their data-theft communication. The common hiding methods are data encryption and the use of trusted channels (for example, transmitting over the HTTP and HTTPS ports); once an encryption algorithm is applied the packets have no fixed signature, and more and more Trojans activate and come online without using a blacklisted domain name. These hiding methods pose a serious challenge to traditional detection based on packet signatures and domain blacklists. At present, the most advanced data-theft programs use a cross-session-flow communication mode: the Trojan activation code, the data-theft instructions and the stolen data are each transmitted via different IPs, over different ports and with different encryption methods.
Closer study shows that, although this type of attack has no single-packet network attack signature, it is still carried out under program control and therefore still has regular features. For example, some flow features within the attack session flows are relatively fixed, and there is a sequential association between the related session flows of an attack, so the attack can be detected by building an attack model. However, the mainstream model-matching engines at home and abroad are all built on the premise of analysing a single session flow. To achieve attack-model matching across session flows, analysis techniques that work across session flows must be studied.
Summary of the invention
To solve the above problems, the invention provides a cross-session-flow network attack screening method comprising the following steps:
Step one: abstractly define in advance, from three aspects, the session-flow features that belong to a cross-session-flow network attack behaviour, namely a four-tuple definition, a flow feature definition and an inter-flow feature definition. The four-tuple definition describes the features of a single session flow from the dimension of IP addresses and ports; the flow feature definition describes the flow features of an individual session flow; the inter-flow feature definition defines the relations between individual session flows.
Step two: using the four-tuple definition, perform four-tuple definition analysis on each individual session flow of the traffic to be analysed while the session flow is ongoing, and extract the individual session flows that meet the four-tuple definition.
Step three: after an individual session flow extracted in step two ends or is closed, analyse it according to the flow feature definition, and extract the individual session flows that meet the flow feature definition.
Step four: according to the inter-flow feature definition, perform inter-flow feature matching among the session flows extracted in step three; the session flows that meet the inter-flow feature definition are extracted as the network attack session flows.
Further, the flow features of an individual session flow in the flow feature definition include the session flow duration and/or its packets.
Further, the relations between individual session flows in the inter-flow feature definition include the relation between flow timings and/or the relation between flow contexts.
Further, the relation between flow contexts includes the IP relation and/or the port relation between the individual session flows to be matched and/or an inter-flow feature-matching relation.
Further, the method uses a data capture engine to capture the session flows, and performs steps two to four on the captured session flows.
The beneficial effects of the invention are:
The system defines a behaviour model described in three dimensions and can match on each of them separately. It can handle attacks that have no single-packet signature and span several network session flows, can fully detect new advanced network attacks from the inter-flow features it has captured, and improves the ability to discover new network attacks in anti-data-theft work.
Brief description of the drawings
Fig. 1 is the flow chart of the method of the invention.
Detailed description of the invention
As shown in Fig. 1, the invention can be summarised as the following steps:
Step one: abstractly define in advance, from three aspects, the session-flow features that belong to a cross-session-flow network attack behaviour, namely a four-tuple definition, a flow feature definition and an inter-flow feature definition. The four-tuple definition describes the features of a single session flow from the dimension of IP addresses and ports; the flow feature definition describes the flow features of an individual session flow; the inter-flow feature definition defines the relations between individual session flows.
Step two: using the four-tuple definition, perform four-tuple definition analysis on each individual session flow of the traffic to be analysed while the session flow is ongoing, and extract the individual session flows that meet the four-tuple definition.
The method uses a network data capture engine. The capture engine supports line-rate capture of traffic in gigabit to 10-gigabit network environments and provides a true and reliable data source for the data analysis in the upper layers of the system. The network data capture engine may be the third-generation network data capture engine of Chengdu Colasoft Co Ltd (Colasoft Packet Capture Engine, CSPCE for short) and its low-level driver (supporting both the Windows and Linux platforms), which supports line-rate capture of traffic in gigabit to 10-gigabit network environments.
During capture, the engine automatically adjusts its packet capture strategy according to the traffic volume; when a sudden traffic peak occurs, it automatically increases the number and size of the engine buffers to ensure that peak data is not lost. Because network retrospective analysis technology captures the whole of the network data, malformed packets are not discarded but are actively identified and captured, and the attack-bearing fields hidden in them are recognised intelligently, preventing the engine itself from crashing.
Step three: after an individual session flow extracted in step two ends or is closed, analyse it according to the flow feature definition, and extract the individual session flows that meet the flow feature definition.
Step four: according to the inter-flow feature definition, perform inter-flow feature matching among the session flows extracted in step three; the session flows that meet the inter-flow feature definition are extracted as the network attack session flows.
Further, the flow features of an individual session flow in the flow feature definition include the session flow duration and/or its packets. Of course, other flow features may also be defined according to the actual situation.
Further, the relations between individual session flows in the inter-flow feature definition include the relation between flow timings and/or the relation between flow contexts. The relation between flow contexts includes the IP relation and/or the port relation between the individual session flows to be matched and/or an inter-flow feature-matching relation.
The IP relation mainly judges whether the session flows originate from the same IP or from related but different IPs. The port relation mainly judges whether the session flows originate from the same port or from related but different ports. The inter-flow feature-matching relation mainly judges whether the degree of match between certain flow features of the session flows to be matched meets a requirement. Of course, other context relations may also be defined according to the actual situation.
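The four-step pipeline of the detailed description, as an added Python example that is not part of the patent or of Colasoft's engine: the flow record, the two roles of the model (a short activation flow over the HTTPS port followed by a long exfiltration flow over the HTTP port from the same host to a different server), the thresholds and the 60-second window are all constructed assumptions chosen to illustrate the four-tuple, flow feature and inter-flow dimensions, not values from the patent.

```python
from dataclasses import dataclass
from itertools import product

# Constructed flow record: the four-tuple plus the flow features (duration,
# packet count) that the patent names. Not Colasoft's data structure.
@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start: float   # seconds at which the flow opened
    end: float     # seconds at which the flow closed
    packets: int

# Two roles of one hypothetical cross-session model. Each role carries its own
# four-tuple definition and flow feature definition (assumed values).
ACTIVATION = {"dst_ports": {443}, "duration": (0.0, 5.0), "pkts": (1, 10)}
EXFIL = {"dst_ports": {80}, "duration": (30.0, 3600.0), "pkts": (50, 10**9)}
MAX_GAP = 60.0  # timing relation: exfil must start within 60 s of activation ending

def four_tuple_match(f: Flow, role: dict) -> bool:
    """Step two: the IP/port dimension, checkable while the flow is still live."""
    return f.dst_port in role["dst_ports"]

def flow_feature_match(f: Flow, role: dict) -> bool:
    """Step three: flow features only known once the flow has closed."""
    lo, hi = role["duration"]
    pmin, pmax = role["pkts"]
    return lo <= f.end - f.start <= hi and pmin <= f.packets <= pmax

def inter_flow_match(a: Flow, b: Flow) -> bool:
    """Step four: sequence relation (a before b, within the window) plus the
    IP context relation (same source host, related but different server)."""
    return (a.src_ip == b.src_ip and a.dst_ip != b.dst_ip
            and 0.0 <= b.start - a.end <= MAX_GAP)

def screen(flows: list) -> list:
    """Apply the three dimensions in order; returns (activation, exfil) pairs."""
    acts = [f for f in flows if four_tuple_match(f, ACTIVATION) and flow_feature_match(f, ACTIVATION)]
    exfs = [f for f in flows if four_tuple_match(f, EXFIL) and flow_feature_match(f, EXFIL)]
    return [(a, b) for a, b in product(acts, exfs) if inter_flow_match(a, b)]

# Constructed sample flows (documentation-range addresses).
SAMPLE = [
    Flow("10.0.0.5", 50123, "203.0.113.10", 443, 100.0, 101.0, 4),     # activation
    Flow("10.0.0.5", 50124, "198.51.100.20", 80, 130.0, 400.0, 800),   # exfil 29 s later: hit
    Flow("10.0.0.7", 50200, "203.0.113.10", 443, 100.0, 101.5, 3),     # activation, no follow-up
    Flow("10.0.0.5", 50125, "198.51.100.30", 80, 500.0, 1000.0, 900),  # exfil outside the window
    Flow("10.0.0.9", 50300, "198.51.100.40", 80, 100.0, 100.5, 3),     # ordinary short web flow
]

if __name__ == "__main__":
    for a, b in screen(SAMPLE):
        print(f"{a.src_ip}: {a.dst_ip}:{a.dst_port} -> {b.dst_ip}:{b.dst_port}")
```

Only the pair whose flows satisfy all three dimensions is reported; the lone activation, the late exfiltration and the short web flow each fail one of them.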

Claims (5)

1. A cross-session-flow network attack screening method, characterised in that it comprises the following steps:
Step one: abstractly define in advance, from three aspects, the session-flow features that belong to a cross-session-flow network attack behaviour, namely a four-tuple definition, a flow feature definition and an inter-flow feature definition; the four-tuple definition describes the features of a single session flow from the dimension of IP addresses and ports; the flow feature definition describes the flow features of an individual session flow; the inter-flow feature definition defines the relations between individual session flows;
Step two: using the four-tuple definition, perform four-tuple definition analysis on each individual session flow of the traffic to be analysed while the session flow is ongoing, and extract the individual session flows that meet the four-tuple definition;
Step three: after an individual session flow extracted in step two ends or is closed, analyse it according to the flow feature definition, and extract the individual session flows that meet the flow feature definition;
Step four: according to the inter-flow feature definition, perform inter-flow feature matching among all the session flows extracted in step three; the session flows that meet the inter-flow feature definition are extracted as the network attack session flows.
2. The cross-session-flow network attack screening method as claimed in claim 1, characterised in that the flow features of an individual session flow in the flow feature definition include the session flow duration and/or its packets.
3. The cross-session-flow network attack screening method as claimed in claim 1 or 2, characterised in that the relations between individual session flows in the inter-flow feature definition include the relation between flow timings and/or the relation between flow contexts.
4. The cross-session-flow network attack screening method as claimed in claim 3, characterised in that the relation between flow contexts includes the IP relation and/or the port relation between the individual session flows to be matched and/or an inter-flow feature-matching relation.
5. The cross-session-flow network attack screening method as claimed in claim 1, characterised in that the method uses a network data capture engine to capture the session flows, and performs steps two to four on the captured session flows.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610764283.6A (CN106101162A, en) | 2016-08-31 | 2016-08-31 | Cross-session-flow network attack screening method


Publications (1)

Publication Number | Publication Date
CN106101162A (en) | 2016-11-09

Family

ID=57224394


Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101980506A (en) * | 2010-10-29 | 2011-02-23 | 北京航空航天大学 | Flow characteristic analysis-based distributed intrusion detection method
US20110261710A1 (en) * | 2008-09-26 | 2011-10-27 | Nsfocus Information Technology (Beijing) Co., Ltd. | Analysis apparatus and method for abnormal network traffic
CN103532940A (en) * | 2013-09-30 | 2014-01-22 | 广东电网公司电力调度控制中心 | Network security detection method and device
CN104184708A (en) * | 2013-05-22 | 2014-12-03 | 杭州华三通信技术有限公司 | Method of inhibiting MAC address attack in EVI (Ethernet Virtualization Interconnection) network and ED (edge device)
CN105141604A (en) * | 2015-08-19 | 2015-12-09 | 国家电网公司 | Method and system for detecting network security threat based on trusted business flow


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李宗林 et al.: "Global anomaly correlation detection method for DDoS attacks", 《计算机应用》 (Computer Applications) *


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2016-11-09