CN106453226A - Method for detection of address entropy - Google Patents
- Publication number: CN106453226A (application CN201610577826.3A)
- Authority: CN (China)
- Prior art keywords: address, entropy, error, detection, queue
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The present invention discloses a method for detecting address entropy. It assesses the current network attack situation, and identifies the attack condition that most deserves attention at present, from the mass of logs generated by an intrusion detection device. The method comprises: obtaining the logs of the intrusion detection device and determining whether a large-scale network attack event is taking place by calculating the distribution of the source addresses and destination addresses in those logs; merging the logs of the intrusion detection device on the three parameters source address, destination address and event type, and detecting and reporting abnormal addresses and hotspot events; compiling statistics on, and graphically displaying, the propagation of a hotspot event over a specified time period; and correlating the above outputs to give a comprehensive assessment of the current network attack situation. The system comprises an entropy module unit, a triple module unit, a hotspot event propagation display module unit and a comprehensive association analysis module unit.
Description
Technical field
The present invention relates to the field of information security, and specifically to a method for detecting address entropy.
Background technology
The rapid development of the Internet has brought great convenience to the spread and use of information, but it has also confronted society with enormous information-security challenges. To mitigate increasingly serious security problems, intrusion detection systems (IDS) have been deployed ever more widely. An IDS is placed in the protected network segment; its monitoring network card operates in promiscuous mode, analyses every packet in the segment, and detects and responds to attacks in real time. Current IDS products commonly use misuse detection: specific intrusion behaviour patterns are first identified and encoded into a misuse pattern base, and the event data obtained during detection is then filtered against that base to check whether it contains signs of intrusion. When an intrusion is detected, a corresponding log record is produced that contains the address of the initiator of the intrusion (source address), the target of the intrusion (destination address), a description of the intrusion behaviour (event type) and similar information.
The wide deployment of intrusion detection devices protects the security of information systems, but it also brings new problems, mainly in the following two respects:
1. An intrusion detection device that runs continuously produces a massive volume of logs, and the genuinely valuable alerts are buried in them. Because the volume of alerts is large and many of them are irrelevant, most of a security manager's effort is spent processing useless information, and the security threat state of the system is hard to understand.
2. Existing intrusion detection devices largely detect on individual packets, so each alert from the device represents an isolated intrusion event. When large-scale abnormal network behaviour occurs, the characteristics of that behaviour cannot be read directly from the alerts, and it is hard to assess the current network attack situation as a whole.
Content of the invention
The object of the present invention is to overcome the above drawbacks of the prior art by automatically analysing massive logs and producing an assessment of the current network attack situation, so as to improve the efficiency of security management.
To that end, the invention provides a method for detecting address entropy, comprising:
Step 101: Read the entropy detection configuration parameters and set the current address entropy detection phase to the learning phase;
Step 102: Query all logs reported by the intrusion detection device in the current observation cycle;
Step 103: Aggregate all logs reported by the intrusion detection device and count the number of occurrences of every source IP address and destination IP address in the logs;
Step 104: Calculate the entropy distribution H of the source IP addresses and of the destination IP addresses;
Step 105: Judge whether the current entropy detection phase is the learning phase; if the judgement is "Yes", go to step 106, otherwise go to step 109;
Step 106: Calculate the estimation error and update the error queue;
Step 107: Judge whether the error queue is full;
Step 108: Calculate the baseline of the address entropy and enter the real-time detection phase;
Step 109: Judge whether the current source IP address entropy distribution and destination IP address entropy distribution are normal; if the judgement is "Yes", go to step 110, otherwise go to step 111;
Step 110: Output the current address entropy state and update the baseline;
Step 111: Output the current address entropy detection state, then return to step 102.
In step 103, a hash algorithm is used during counting to map the source IP addresses and destination IP addresses to integers.
Step 106 specifically comprises: calculating the entropy estimation error of the source address and the entropy estimation error of the destination address, and adding both estimation errors to the error queue.
Step 107 specifically comprises: judging, according to the queue length parameter obtained from the entropy detection configuration parameters read in step 101, whether the length of the error queue meets the queue length requirement; if the judgement is "Yes", go to step 108, otherwise go to step 102.
Step 108 specifically comprises: calculating the baseline of the source address entropy and the baseline of the destination address entropy, setting the current address entropy detection phase to the real-time detection phase, and then returning to step 102.
The baseline update of step 110 is performed as follows: remove the first element of the error queue, append the estimation error from step 109 to the end of the error queue, and recalculate the baseline with the method of step 108. Then return to step 102.
The method of detecting address entropy of the present invention has the following advantages. By calculating the entropy distribution values of the source addresses and destination addresses of the intrusion detection device logs, it can detect large-scale automated attack events that cause an abnormal address distribution, such as network scanning and distributed denial-of-service attacks. By merging the logs on the three parameters source address, destination address and event type, it can detect various attack situations, and when a large-scale automated attack event occurs it can detect the attack source, the attack target and the event type.
To further explain the principle and features of the present invention, the invention is described in detail below in conjunction with a detailed embodiment.
Detailed description of the invention
The following is the flow for detecting the entropy distribution values of source addresses and destination addresses. The flow starts from step 101.
Step 101: Read the entropy detection configuration parameters and set the current address entropy detection phase to the learning phase.
Step 102: Query all logs reported by the intrusion detection device in the current observation cycle.
Step 103: Aggregate all logs reported by the intrusion detection device and count the number of occurrences of every source IP address and destination IP address in the logs. A hash algorithm is used during counting to map the source IP addresses and destination IP addresses to integers. Preferably, the source and destination IP addresses are 32-bit IPv4 addresses, and the hash algorithm maps these 32-bit IPv4 addresses to 16-bit integers.
Step 104: Calculate the entropy distribution H of the source IP addresses and of the destination IP addresses. The preferred calculation is:
$$H = \frac{-\sum_{i=0}^{65535} \frac{C_i}{S} \log_2 \frac{C_i}{S}}{\log_2 S}$$
where $C_i$ is the number of occurrences of the IP address whose hash value is $i$, and $S$ is the total number of IP addresses in the current observation cycle, $S = \sum_{i=0}^{65535} C_i$.
Of course, those skilled in the art will appreciate that any suitable prior-art entropy distribution algorithm may also be used to calculate the entropy distribution.
Step 105: Judge whether the current entropy detection phase is the learning phase; if the judgement is "Yes", go to step 106, otherwise go to step 109.
Step 106: Calculate the estimation error and update the error queue. Specifically: calculate the entropy estimation error of the source address and the entropy estimation error of the destination address, and add both estimation errors to the error queue. Preferably, the entropy estimation errors of the source address and of the destination address are calculated with an exponentially weighted moving average (EWMA) algorithm, the preferred calculation being:
$$S_i = \alpha x_{i-1} + (1 - \alpha) S_{i-1}$$
$$E_i = x_i - S_i$$
where
$S_i$ is the smoothed address entropy of period $i$;
$\alpha$ is the smoothing factor, with a value in the range $(0, 1)$, obtained from the configuration parameters read in step 101;
$x_i$ is the calculated address entropy of period $i$, obtained from the result of step 104;
$E_i$ is the estimation error of period $i$.
Of course, those skilled in the art will appreciate that any suitable prior-art moving average algorithm may also be used to calculate the entropy estimation error.
Step 107: Judge whether the error queue is full. Specifically: judge, according to the queue length parameter obtained from the entropy detection configuration parameters read in step 101, whether the length of the error queue meets the queue length requirement; if the judgement is "Yes", go to step 108, otherwise go to step 102.
Step 108: Calculate the baseline of the address entropy and enter the real-time detection phase. Specifically: calculate the baseline of the source address entropy and the baseline of the destination address entropy, set the current address entropy detection phase to the real-time detection phase, and then return to step 102. The preferred calculation of the baseline is:
(1) Calculate the mean square error and $\sigma$ from the error sequence in the queue (of length $L$):
$$\mathrm{MSE} = \frac{\sum_{i=0}^{L-1} e_i^2}{L}, \qquad \sigma = \sqrt{\mathrm{MSE}}$$
(2) Calculate the predicted address entropy of the next observation cycle with the EWMA algorithm:
$$S_n = \alpha x_{n-1} + (1 - \alpha) S_{n-1}$$
Step 109: Judge whether the current source IP address entropy distribution and destination IP address entropy distribution are normal; if the judgement is "Yes", go to step 110, otherwise go to step 111.
The specific judgement is made by calculating the difference between the predicted address entropy $S_n$ and the calculated value $x_n$:
(1) if $|S_n - x_n| < 3\sigma$, the current address entropy distribution is normal;
(2) if $3\sigma \le |S_n - x_n| < 5\sigma$, the current address entropy distribution is mildly abnormal;
(3) if $5\sigma \le |S_n - x_n| < 8\sigma$, the current address entropy distribution is moderately abnormal;
(4) if $|S_n - x_n| \ge 8\sigma$, the current address entropy distribution is highly abnormal.
Step 110: Output the current address entropy state and update the baseline. The baseline is updated as follows: remove the first element of the error queue, append the estimation error from step 109 to the end of the error queue, and recalculate the baseline with the method of step 108. Then return to step 102.
Step 111: Output the current address entropy detection state, then return to step 102.
The process of analysing an attack according to one embodiment of the present invention is described in detail below.
Assume that a network segment contains 100 hosts, 192.168.0.1 to 192.168.0.100, and that at some moment an attacker uses these 100 hosts to launch a SYN_FLOOD denial-of-service attack against another host, 192.168.1.1. To avoid causing a sudden change in network traffic, the attacker adds 10 hosts to the attack every minute, so that after 10 minutes all 100 hosts are attacking.
The analysis of this attack according to one embodiment of the present invention then proceeds as follows:
1. Because every attack launched is aimed at host 192.168.1.1, the distribution of destination addresses in the logs produced by the intrusion detection device is clearly concentrated. The entropy module unit 101 therefore detects the anomaly first and, following the address entropy detection flow above, further determines that the destination address targeted in this segment is in every case 192.168.1.1. The entropy module unit 101 then packages the judgement result (abnormal address entropy distribution, destination address 192.168.1.1) and sends it to the comprehensive association analysis module unit 104.
2. The triple module unit 102 merges the logs on the three parameters source address, destination address and event type and derives the currently most common attack condition: the target is host 192.168.1.1, the type is a SYN_FLOOD denial-of-service attack, and the currently most active attack is the SYN_FLOOD denial-of-service attack. It sends this detection result to the comprehensive association analysis module unit 104.
3. The hotspot event propagation display module unit 103 determines from its statistics that over these 10 minutes the number of hosts sending the SYN_FLOOD denial-of-service attack grows steadily, and sends the statistics to the comprehensive association analysis module unit 104.
4. The comprehensive association analysis module unit 104 receives and correlates the outputs of the entropy module unit 101, the triple module unit 102 and the hotspot event propagation display module unit 103, and draws the overall assessment of the network attack situation: because the address entropy distribution is abnormal and the destination addresses are all concentrated on host 192.168.1.1, a denial-of-service attack against that host has occurred; the attack type is a SYN_FLOOD denial-of-service attack; and the attack process, starting from the initial time, adds 10 attacking hosts per minute until the total number of attack sources reaches 100 hosts.
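The following Python program is an added worked example, not code from the patent or its applicant. It implements steps 103 to 111 of the flow above (16-bit address hashing, normalised entropy, EWMA prediction, the error queue and sigma baseline, and the 3σ/5σ/8σ grading) and then runs it over constructed IDS log records that reproduce the SYN_FLOOD embodiment: 100 sources 192.168.0.1 to 192.168.0.100 converging on 192.168.1.1, 10 more hosts per one-minute cycle. Everything not stated on the page is an assumption: the hash is an XOR fold of the two 16-bit halves (the patent names no hash), alpha = 0.5 and a queue length of 4 are hypothetical configuration values, sigma is taken as the square root of the mean square error, and the benign background records (40 sources, 40 destinations, one repeat in odd cycles so the entropy jitters slightly) are made up.

```python
# Added example (not the patent's code): steps 103-111 of the address-entropy
# flow, run over constructed IDS logs reproducing the SYN_FLOOD embodiment.
# Assumptions: XOR-fold hash, alpha=0.5, queue length 4, sigma = sqrt(MSE),
# one observation cycle = one minute, benign background traffic is made up.
import ipaddress
import math
from collections import Counter, deque


def hash16(ip):
    """Step 103: map a 32-bit IPv4 address to a 16-bit integer (XOR fold, assumed)."""
    v = int(ipaddress.IPv4Address(ip))
    return (v >> 16) ^ (v & 0xFFFF)


def entropy(addresses):
    """Step 104: H = -sum((C_i/S) log2(C_i/S)) / log2 S over hashed addresses.
    H is 1.0 when every address is distinct and 0.0 when all are identical."""
    counts = Counter(hash16(a) for a in addresses)
    s = sum(counts.values())
    if s <= 1:                        # log2(1) = 0 would divide by zero
        return 0.0
    h = -sum((c / s) * math.log2(c / s) for c in counts.values())
    return h / math.log2(s)


class EntropyDetector:
    """Learning / real-time state machine for one address field (steps 105-111)."""

    def __init__(self, alpha=0.5, queue_len=4):
        self.alpha = alpha
        self.queue_len = queue_len
        self.errors = deque(maxlen=queue_len)  # error queue; maxlen drops the oldest
        self.smooth = None                     # S_{i-1}
        self.prev_x = None                     # x_{i-1}
        self.sigma = None
        self.learning = True

    def _predict(self):
        # EWMA: S_i = alpha * x_{i-1} + (1 - alpha) * S_{i-1}, seeded with x_{i-1}
        if self.smooth is None:
            return self.prev_x
        return self.alpha * self.prev_x + (1 - self.alpha) * self.smooth

    def _baseline(self):
        # Step 108: sigma = sqrt(MSE) over the L errors currently in the queue
        mse = sum(e * e for e in self.errors) / len(self.errors)
        self.sigma = math.sqrt(mse)

    def observe(self, x):
        """One observation cycle; returns the state output in step 110/111."""
        if self.prev_x is None:               # first cycle: nothing to predict from
            self.prev_x = x
            return "learning"
        s = self._predict()
        e = x - s                             # E_i = x_i - S_i
        self.smooth, self.prev_x = s, x
        if self.learning:                     # steps 106-108
            self.errors.append(e)
            if len(self.errors) == self.queue_len:
                self._baseline()
                self.learning = False
            return "learning"
        d = abs(e)                            # step 109 grading
        if d < 3 * self.sigma:
            self.errors.append(e)             # step 110: slide the queue, refresh sigma
            self._baseline()
            return "normal"
        if d < 5 * self.sigma:
            return "mild"
        if d < 8 * self.sigma:
            return "moderate"
        return "high"


def background(cycle):
    """Constructed benign records (src, dst, event): 40 sources and 40 destinations;
    odd cycles repeat one of each so the entropy sits a little below 1.0."""
    srcs = [f"10.0.1.{i}" for i in range(1, 41)]
    dsts = [f"10.0.0.{i}" for i in range(1, 41)]
    if cycle % 2 == 1:
        srcs[-1], dsts[-1] = srcs[0], dsts[0]
    return [(s, d, "PORT_PROBE") for s, d in zip(srcs, dsts)]


def attack(cycle, start=7):
    """The embodiment's SYN_FLOOD: from cycle `start`, 10 more hosts per cycle."""
    n = min(100, 10 * (cycle - start + 1)) if cycle >= start else 0
    return [(f"192.168.0.{i}", "192.168.1.1", "SYN_FLOOD") for i in range(1, n + 1)]


def run_embodiment(cycles=17, alpha=0.5, queue_len=4):
    """Return (cycle, H_src, H_dst, src_state, dst_state) for each observation cycle."""
    src_det = EntropyDetector(alpha, queue_len)
    dst_det = EntropyDetector(alpha, queue_len)
    out = []
    for c in range(cycles):
        logs = background(c) + attack(c)
        h_src = entropy(r[0] for r in logs)
        h_dst = entropy(r[1] for r in logs)
        out.append((c, round(h_src, 4), round(h_dst, 4),
                    src_det.observe(h_src), dst_det.observe(h_dst)))
    return out


if __name__ == "__main__":
    for row in run_embodiment():
        print("cycle %2d  H_src=%.4f  H_dst=%.4f  src=%-8s dst=%s" % row)
```

Running it shows the two halves of the embodiment's first finding: the source entropy stays near 1.0 and is graded "normal" throughout (each cycle adds distinct attacking hosts), while the destination entropy falls from about 0.99 to about 0.33 and is graded "high" from the very first attack cycle, because the background σ learned over the queue is around 0.006 and the first error already exceeds 8σ. Two properties of the patent's flow are worth noting when deploying it: σ is only refreshed in "normal" cycles, so it does not get polluted by an ongoing attack, but the EWMA prediction keeps tracking x during abnormal cycles, so a flood that stabilises at a constant size will eventually be predicted and reported as normal again; and the learning phase assumes the first L cycles are attack-free.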
In this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic references to the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, those skilled in the art will understand that various changes, modifications, replacements and variations can be made to these embodiments without departing from the principle and purpose of the invention; the scope of the invention is defined by the claims and their equivalents.
Claims (6)
1. A method for detecting address entropy, comprising:
Step 101: Read the entropy detection configuration parameters and set the current address entropy detection phase to the learning phase;
Step 102: Query all logs reported by the intrusion detection device in the current observation cycle;
Step 103: Aggregate all logs reported by the intrusion detection device and count the number of occurrences of every source IP address and destination IP address in the logs;
Step 104: Calculate the entropy distribution H of the source IP addresses and of the destination IP addresses;
Step 105: Judge whether the current entropy detection phase is the learning phase; if the judgement is "Yes", go to step 106, otherwise go to step 109;
Step 106: Calculate the estimation error and update the error queue;
Step 107: Judge whether the error queue is full;
Step 108: Calculate the baseline of the address entropy and enter the real-time detection phase;
Step 109: Judge whether the current source IP address entropy distribution and destination IP address entropy distribution are normal; if the judgement is "Yes", go to step 110, otherwise go to step 111;
Step 110: Output the current address entropy state and update the baseline;
Step 111: Output the current address entropy detection state, then return to step 102.
2. The method of claim 1, wherein in step 103 a hash algorithm is used during counting to map the source IP addresses and destination IP addresses to integers.
3. The method of claim 1, wherein step 106 specifically comprises: calculating the entropy estimation error of the source address and the entropy estimation error of the destination address, and adding both estimation errors to the error queue.
4. The method of claim 1, wherein step 107 specifically comprises: judging, according to the queue length parameter obtained from the entropy detection configuration parameters read in step 101, whether the length of the error queue meets the queue length requirement; if the judgement is "Yes", go to step 108, otherwise go to step 102.
5. The method of claim 1, wherein step 108 specifically comprises: calculating the baseline of the source address entropy and the baseline of the destination address entropy, setting the current address entropy detection phase to the real-time detection phase, and then returning to step 102.
6. The method of claim 1, wherein the baseline update of step 110 is performed as follows: remove the first element of the error queue, append the estimation error from step 109 to the end of the error queue, and recalculate the baseline with the method of step 108; then return to step 102.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610577826.3A CN106453226A (en) | 2016-07-21 | 2016-07-21 | Method for detection of address entropy |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106453226A (en) | 2017-02-22 |
Family
ID=58184088
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610577826.3A Pending CN106453226A (en) | 2016-07-21 | 2016-07-21 | Method for detection of address entropy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106453226A (en) |
Events
- 2016-07-21: CN CN201610577826.3A patent/CN106453226A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7716329B2 (en) * | 2007-11-26 | 2010-05-11 | Electronics And Telecommunications Research Institute | Apparatus and method for detecting anomalous traffic |
CN101741633B (en) * | 2008-11-06 | 2011-12-28 | 北京启明星辰信息技术股份有限公司 | Association analysis method and system for massive logs |
CN101883017A (en) * | 2009-05-04 | 2010-11-10 | 北京启明星辰信息技术股份有限公司 | System and method for evaluating network safe state |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108696486A (en) * | 2017-04-10 | 2018-10-23 | 中国移动通信集团公司 | A kind of abnormal operation behavioral value processing method and processing device |
CN108696486B (en) * | 2017-04-10 | 2021-03-05 | 中国移动通信集团公司 | Abnormal operation behavior detection processing method and device |
CN114697135A (en) * | 2022-05-07 | 2022-07-01 | 湖南大学 | Automobile controller area network intrusion detection method and system and automobile |
CN114697135B (en) * | 2022-05-07 | 2023-04-25 | 湖南大学 | Method and system for detecting intrusion of regional network of automobile controller and automobile |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: No. 52 Kwun Tong Road in Liuzhou city of the Guangxi Zhuang Autonomous Region in 545005; Applicant after: LIUZHOU LONGHUI SCIENCE & TECHNOLOGY CO., LTD.; Address before: 545005 the Guangxi Zhuang Autonomous Region Liuzhou Liunan District City Station Road No. 94, a new era of commercial port logistics warehousing center No. 5 Floor 4 No. 022; Applicant before: LIUZHOU LONGHUI SCIENCE & TECHNOLOGY CO., LTD. |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170222 |