CN106713358A - Attack detection method and device - Google Patents


Info

Publication number
CN106713358A
Authority
CN
China
Prior art keywords
data
flows
aggressive
attack
fire wall
Prior art date
Legal status
Pending
Application number
CN201710064374.3A
Other languages
Chinese (zh)
Inventor
吕俊峰
来风刚
李静
郭永和
贾蕊
王婵
程杰
刘安
卢晓梅
Current Assignee
State Grid Information and Telecommunication Co Ltd
Original Assignee
State Grid Information and Telecommunication Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

Embodiments of the invention disclose an attack detection method and device. The method comprises the following steps: collecting traffic data that passes through a firewall in a network; performing attack detection on the traffic data that passed through the firewall to obtain traffic data having an attack property (attacking traffic data); and updating the original attack features corresponding to the firewall according to the attacking traffic data to obtain updated attack features, applying the updated attack features to the firewall, and performing attack detection on subsequent traffic with them. Because attacking traffic data that passed through the firewall was, by definition, not detected by the firewall beforehand, updating the firewall's original attack features from that traffic gives the firewall a timely defence against attack behaviour it previously failed to detect; the firewall can then perform attack detection on passing traffic with the updated attack features, and network security is improved.

Description

Attack detection method and device
Technical field
The present invention relates to the field of network security, and in particular to an attack detection method and device.
Background art
With the development of the internet industry, network security receives ever more attention. A network attacker will generally exploit potential vulnerabilities in an existing network information system to attack the network, obtain unauthorized privileges and cause harm to the network information system.
In the prior art, to prevent intrusion by network attackers and improve the security of network information systems, intrusion monitoring systems such as antivirus software and firewalls are generally used to monitor attacks in the network. For example, a firewall installed in a network information system is a protective barrier, built from a combination of software and hardware devices, on the boundary between an intranet and the external network, or between a private network and a public network; by establishing a security gateway at the information boundary, it protects the internal network from intrusion by network attackers.
A firewall mainly collects and analyzes network behaviour, security logs, audit data and so on to check whether the network or system contains behaviour that violates the security policy or shows signs of attack. However, a prior-art firewall can only detect known attacks; against unknown attack behaviour it cannot mount a defence, the attack passes through the firewall into the intranet, the firewall is rendered ineffective, and network security is reduced.
Summary of the invention
In view of this, embodiments of the present invention provide an attack detection method and device that enable a firewall to acquire, in time, the capability to defend against previously unknown attack behaviour, thereby improving network security.
To achieve the above object, embodiments of the present invention provide the following technical solution:
An attack detection method, comprising:
collecting traffic data that passes through a firewall in the network;
performing attack detection on the traffic data that passed through the firewall to obtain traffic data having an attack property (hereafter "attacking traffic data");
updating the original attack features corresponding to the firewall according to the attacking traffic data to obtain updated attack features, and causing the firewall to use the updated attack features to perform attack detection on traffic data that is about to pass through the firewall.
Preferably, the process of performing attack detection on the traffic data passing through the firewall to obtain attacking traffic data comprises:
scanning the traffic data passing through the firewall and determining the data type of that traffic data;
determining the data features corresponding to the data type of the traffic data passing through the firewall;
performing attack detection on the data features and determining the attacking traffic data corresponding to data features having an attack property.
Preferably, the process of performing attack detection on the data features and determining the attacking traffic data corresponding to data features having an attack property comprises:
comparing the data features corresponding to the data type of the traffic data passing through the firewall with the original data features corresponding to that data type stored in a feature database, to obtain a comparison result;
determining, according to the comparison result, the attacking traffic data corresponding to data features having an attack property.
Preferably, the process of determining, according to the comparison result, the traffic data corresponding to data features having an attack property comprises:
determining, according to the comparison result, the attack type, attack path and Internet Protocol (IP) address of the attacking traffic data corresponding to data features having an attack property.
Preferably, after performing attack detection on the traffic data passing through the firewall and obtaining attacking traffic data, the method further comprises:
generating attack alarm information according to the attacking traffic data.
An attack detection device, comprising:
a traffic data collection module, for collecting traffic data that passes through a firewall in the network;
an attack detection module, for performing attack detection on the traffic data passing through the firewall to obtain attacking traffic data;
an attack feature update module, for updating the original attack features corresponding to the firewall according to the attacking traffic data to obtain updated attack features, and causing the firewall to use the updated attack features to perform attack detection on traffic data that is about to pass through the firewall.
Preferably, the attack detection module comprises:
a scanning module, for scanning the traffic data passing through the firewall and determining the data type of that traffic data;
a data feature determination module, for determining the data features corresponding to the data type of the traffic data passing through the firewall;
an attacking traffic data determination module, for performing attack detection on the data features and determining the attacking traffic data corresponding to data features having an attack property.
Preferably, the attacking traffic data determination module comprises:
a data feature comparison module, for comparing the data features corresponding to the data type of the traffic data passing through the firewall with the original data features corresponding to that data type stored in the feature database, to obtain a comparison result;
an attacking traffic data determination sub-module, for determining, according to the comparison result, the attacking traffic data corresponding to data features having an attack property.
Preferably, the attacking traffic data determination sub-module is specifically configured to:
determine, according to the comparison result, the attack type, attack path and Internet Protocol (IP) address of the attacking traffic data corresponding to data features having an attack property.
Preferably, the device further comprises:
an attack alarm information generation module, for generating attack alarm information according to the attacking traffic data.
On the basis of the above technical solution, embodiments of the present invention disclose an attack detection method and device comprising: collecting traffic data that passes through a firewall in the network; performing attack detection on the traffic data passing through the firewall to obtain attacking traffic data; and updating the original attack features corresponding to the firewall according to the attacking traffic data to obtain updated attack features, and causing the firewall to use the updated attack features to perform attack detection on traffic data that is about to pass through the firewall. In embodiments of the present invention, attack detection is performed on the traffic data that passed through the firewall to obtain attacking traffic data; since this attacking traffic data passed through the firewall, it was previously undetected by the firewall. The original attack features of the firewall are updated using this attacking traffic data, so that the firewall promptly acquires the capability to defend against previously undetected attack behaviour and can use the updated attack features to perform attack detection on traffic data about to pass through it, improving network security.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings in the following description are only embodiments of the present invention, and persons of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an attack detection method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a method, provided by an embodiment of the present invention, of performing attack detection on traffic data passing through a firewall to obtain attacking traffic data;
Fig. 3 is a flowchart of another method, provided by an embodiment of the present invention, of performing attack detection on traffic data passing through a firewall to obtain attacking traffic data;
Fig. 4 is a structural block diagram of an attack detection device provided by an embodiment of the present invention;
Fig. 5 is an attack detection architecture diagram provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of those embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In terms of network design, many networks are deployed hierarchically and partitioned into zones and domains, and various types of firewall (such as stateful firewalls and application firewalls) are generally used for protection between different zones, domains and levels. Because of security vulnerabilities in information systems, a network attacker often exploits vulnerabilities in the network to pass through the firewall and penetrate into a relatively deep intranet to carry out illegal activities. Once the attacker compromises an intranet host, that host can serve as a stepping stone for further penetration into deeper layers of the intranet. The attacker's sequence of "compromise -> stepping stone -> compromise -> stepping stone ..." eventually forms a linear attack chain, and the attacker carries out the network attack along this attack chain.
A firewall is a protective barrier built on the boundary between an intranet and an external network, or between a private network and a public network. As the first checkpoint at the boundary between the internal and external networks, it prevents viruses or unauthorized access from the external or public network from entering the intranet or private network; it can stop attacks at the source and prevent attack behaviour from penetrating into deeper layers of the intranet. Improving the defensive capability of the firewall is therefore an important means of preventing network attacks.
However, a prior-art firewall can only detect known network attacks; against unknown attack behaviour it cannot mount a defence, the attack passes through the firewall into the intranet, the firewall is rendered ineffective, and network security is reduced.
On this basis, embodiments of the present invention provide an attack detection method and device that enable a firewall to acquire, in time, the capability to defend against previously unknown attack behaviour, improving network security.
Fig. 1 is a flowchart of an attack detection method provided by an embodiment of the present invention. The method can be applied to a terminal. Referring to Fig. 1, the method may comprise:
Step S100: collecting traffic data that passes through a firewall in the network;
In embodiments of the present invention the operating state of the network system can be monitored, that is, the content transmitted in real time in the network is monitored and the traffic data passing through the firewall is collected. Note that the traffic data in the intranet or private network refers to data transmitted in real time, such as packets, datagrams and network logs; embodiments of the present invention do not specifically limit this.
Note that in embodiments of the present invention, traffic data passing through the firewall refers to traffic data not blocked by the firewall. Traffic data not blocked by the firewall contains traffic data without an attack property and may also contain attacking traffic data.
Step S110: performing attack detection on the traffic data passing through the firewall to obtain attacking traffic data;
In embodiments of the present invention, attack detection is performed on the traffic data passing through the firewall in order to obtain attacking traffic data that the firewall failed to block, that is, attacking traffic data that the firewall was unable to identify.
Optionally, in embodiments of the present invention the attack detection on the traffic data passing through the firewall may be based on an open-source intrusion detection system such as Snort and an open-source machine learning library such as LIBSVM, and may also be based on an open-source library such as OpenSSL; embodiments of the present invention do not specifically limit this.
Step S120: updating the original attack features corresponding to the firewall according to the attacking traffic data to obtain updated attack features, and causing the firewall to use the updated attack features to perform attack detection on traffic data about to pass through the firewall.
Note that the firewall itself has corresponding original attack features, which can be stored in an original attack feature list. The original attack features stored in the firewall's original attack feature list are updated according to the attacking traffic data to obtain the updated attack features, and the firewall uses the updated attack features to perform attack detection on traffic data about to pass through it.
Note that the process of updating the original attack features corresponding to the firewall may consist of sending target attack features generated from the attacking traffic data to the firewall. While the target attack features are being sent to the firewall, they can be encrypted or digitally signed to guarantee the security of the target attack features and ensure that they are not stolen, improving the security of network communication.
In embodiments of the present invention, the above disclosed content is achieved by calling the concrete function interfaces of each firewall product, according to the actual conditions of that product.
In embodiments of the present invention, attack detection is performed on the traffic data passing through the firewall to obtain attacking traffic data. Since this attacking traffic data passed through the firewall, it was previously undetected by the firewall. The original attack features corresponding to the firewall are updated using the attacking traffic data, so that the firewall promptly acquires the capability to defend against previously undetected attack behaviour and uses the updated attack features to perform attack detection on traffic data about to pass through it, improving network security.
Moreover, in embodiments of the present invention the original attack features corresponding to the firewall can be updated according to the attacking traffic data, and the firewall configuration can be completed automatically with the updated attack features. This reduces the workload of manual analysis and the processing time for attacking traffic data, and can effectively avoid losses caused by delayed response to security incidents.
Fig. 2 is a flowchart of a method, provided by an embodiment of the present invention, of performing attack detection on traffic data passing through a firewall to obtain attacking traffic data. Referring to Fig. 2, the method may comprise:
Step S200: scanning the traffic data passing through the firewall and determining the data type of that traffic data;
Optionally, the traffic data passing through the firewall may be divided into different data types according to the field types of the traffic data, or according to the transport type of the traffic data; embodiments of the present invention do not specifically limit this.
Step S210: determining the data features corresponding to the data type of the traffic data passing through the firewall;
In embodiments of the present invention, statement recognition can be performed on the traffic data passing through the firewall to obtain the data features corresponding to the data type of the traffic data, that is, features that characterize the data type of the traffic data, such as the different field names in the traffic data; embodiments of the present invention do not specifically limit this.
Step S220: performing attack detection on the data features and determining the attacking traffic data corresponding to data features having an attack property.
In embodiments of the present invention it can be detected whether the data features satisfy a preset attack criterion, thereby determining whether the data features have an attack property. For example, the data features are matched against the corresponding attack rules to judge whether they satisfy an attack rule; if not, the data features are determined to have no attack property; otherwise they have an attack property, and the attacking traffic data corresponding to those data features is further determined.
By performing attack detection on the traffic data passing through the firewall in embodiments of the present invention, attacking traffic data is obtained. This attacking traffic data passed through the firewall and was previously undetected by it; the original attack features corresponding to the firewall are updated using the attacking traffic data, so that the firewall promptly acquires the capability to defend against previously undetected attack behaviour and uses the updated attack features to perform attack detection on traffic data about to pass through it, improving network security. Moreover, in embodiments of the present invention the attacking traffic data that passed through the firewall can be detected in time, which improves the defensive capability of the firewall, lets the firewall promptly acquire the capability to defend against previously undetected attack behaviour, and improves the efficiency of processing attacking traffic data.
Fig. 3 is a flowchart of another method, provided by an embodiment of the present invention, of performing attack detection on traffic data passing through a firewall to obtain attacking traffic data. Referring to Fig. 3, the method may comprise:
Step S300: scanning the traffic data passing through the firewall and determining the data type of that traffic data;
Step S310: determining the data features corresponding to the data type of the traffic data passing through the firewall;
Step S320: comparing the data features corresponding to the data type of the traffic data passing through the firewall with the original data features corresponding to that data type stored in the feature database, to obtain a comparison result;
In embodiments of the present invention, the process of comparing the data features corresponding to the data type of the traffic data passing through the firewall with the original data features corresponding to that data type stored in the feature database can be: computing the similarity between the data features corresponding to the data type of the traffic data passing through the firewall and the original data features corresponding to that data type stored in the feature database, and determining, according to the similarity, the attacking traffic data corresponding to data features having an attack property.
Step S330: determining, according to the comparison result, the attacking traffic data corresponding to data features having an attack property.
Optionally, in embodiments of the present invention the attack type, attack path and Internet Protocol (IP) address in the attacking traffic data corresponding to data features having an attack property may also be determined according to the comparison result.
Optionally, after performing attack detection on the traffic data passing through the firewall and obtaining attacking traffic data, the method further comprises:
generating attack alarm information according to the attacking traffic data and sending the attack alarm information to the system administrator, so that the system administrator can adjust the network protection in time according to the attack alarm information, improving network security.
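As an added illustration (not code from the patent or its assignee), the following Python sketch models the loop of Fig. 1 and Fig. 3: traffic that an exact-match firewall let through is typed (S300), reduced to feature tokens (S310), compared by similarity with a feature database (S320/S330), turned into an alarm with attack type, path and source IP, and pushed back to the firewall as an HMAC-signed feature update (S120) that the firewall verifies before applying. The feature tokens, Jaccard similarity, 0.5 threshold, HMAC key, feature database and all traffic records are constructed assumptions, not values from the patent.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed feature database (the patent's "original data features"): per data
# type, abstract feature tokens of known attack patterns. Not real signatures.
FEATURE_DB: dict[str, list[tuple[str, frozenset[str]]]] = {
    "http": [("admin-probe", frozenset({"method=GET", "seg=admin", "seg=config", "ua=probe-bot"}))],
    "dns": [("dns-tunnel", frozenset({"qtype=TXT", "labels=many", "qlen=long"}))],
}
SIMILARITY_THRESHOLD = 0.5  # assumption: Jaccard score at which features count as attacking

# Constructed traffic records. Record 1 matches the firewall's exact signature and is
# blocked; record 2 is a variant (different User-Agent) that the firewall lets through.
TRAFFIC = [
    {"proto": "http", "src": "10.0.0.5", "dst": "10.0.1.20", "method": "GET", "path": "/index.html", "ua": "Mozilla"},
    {"proto": "http", "src": "203.0.113.9", "dst": "10.0.1.20", "method": "GET", "path": "/admin/config", "ua": "probe-bot"},
    {"proto": "http", "src": "203.0.113.9", "dst": "10.0.1.20", "method": "GET", "path": "/admin/config", "ua": "probe-bot-2"},
    {"proto": "dns", "src": "10.0.0.7", "dst": "10.0.1.53", "qname": "www.example.com", "qtype": "A"},
]

def data_type(rec: dict) -> str:
    """Step S300: classify a record by transport/application type (here: the proto field)."""
    return rec["proto"]

def extract_features(rec: dict) -> frozenset[str]:
    """Step S310: derive the feature tokens that characterise the record's data type."""
    kind = data_type(rec)
    if kind == "http":
        segs = {f"seg={s}" for s in rec["path"].split("/") if s}
        return frozenset({f"method={rec['method']}", f"ua={rec['ua']}"} | segs)
    if kind == "dns":
        labels = rec["qname"].split(".")
        return frozenset({f"qtype={rec['qtype']}",
                          "labels=many" if len(labels) >= 6 else "labels=few",
                          "qlen=long" if len(rec["qname"]) >= 60 else "qlen=short"})
    return frozenset()

def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0

def detect(rec: dict) -> dict | None:
    """Steps S320/S330: compare features with the DB by similarity; return an alarm or None."""
    feats = extract_features(rec)
    candidates = [(jaccard(feats, orig), name) for name, orig in FEATURE_DB.get(data_type(rec), [])]
    score, attack_type = max(candidates, default=(0.0, None))
    if score < SIMILARITY_THRESHOLD:
        return None
    # Alarm carries attack type, source IP and (assumed) attack path src -> dst.
    return {"attack_type": attack_type, "src_ip": rec["src"],
            "attack_path": f"{rec['src']} -> {rec['dst']}",
            "similarity": round(score, 2), "features": sorted(feats)}

@dataclass
class Firewall:
    """Exact-match signature firewall holding the 'original attack feature list'."""
    signatures: dict[str, frozenset[str]]
    key: bytes  # constructed shared secret used to authenticate feature updates

    def blocks(self, rec: dict) -> bool:
        feats = extract_features(rec)
        return any(sig <= feats for sig in self.signatures.values())

    def apply_update(self, update: dict) -> bool:
        """Accept new signatures only if the HMAC over them verifies (signed update)."""
        payload = json.dumps(update["signatures"], sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, update["mac"]):
            return False
        for name, feats in update["signatures"].items():
            self.signatures[name] = frozenset(feats)
        return True

def build_update(alarms: list[dict], key: bytes) -> dict:
    """Turn detected attacking traffic into signed target attack features for the firewall."""
    sigs = {}
    for a in alarms:
        digest = hashlib.sha256(",".join(a["features"]).encode()).hexdigest()[:8]
        sigs[f"{a['attack_type']}-{digest}"] = a["features"]
    payload = json.dumps(sigs, sort_keys=True).encode()
    return {"signatures": sigs, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def make_firewall() -> Firewall:
    return Firewall({"admin-probe": FEATURE_DB["http"][0][1]}, b"constructed-shared-secret")

def run_cycle(fw: Firewall, traffic: list[dict]) -> tuple[list[dict], list[dict], bool]:
    """S100 collect what passed the firewall, S110 detect, S120 push the signed update."""
    passed = [r for r in traffic if not fw.blocks(r)]
    alarms = [a for a in (detect(r) for r in passed) if a is not None]
    applied = fw.apply_update(build_update(alarms, fw.key))
    return passed, alarms, applied

if __name__ == "__main__":
    fw = make_firewall()
    passed, alarms, applied = run_cycle(fw, TRAFFIC)
    print(len(passed), "records passed the firewall; alarms:", alarms)
    print("update applied:", applied, "| variant now blocked:", fw.blocks(TRAFFIC[2]))
```

After one cycle the variant that the exact-match firewall originally let through is blocked, while the benign records still pass; a tampered update fails the HMAC check and is discarded.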
The method is described in detail in the embodiments disclosed above. The method of the present invention can be implemented by devices of various forms, so the present invention also discloses a device; a specific embodiment is given below and described in detail.
Fig. 4 is a structural block diagram of an attack detection device provided by an embodiment of the present invention. The device may comprise: a traffic data collection module 100, an attack detection module 110 and an attack feature update module 120;
With reference to the attack detection architecture shown in Fig. 5, the firewall is placed at the border gateway between the internal and external networks, where it strictly inspects the packets exchanged between the internal and external networks and prevents viruses and unauthorized access from the external network from entering. The attack detection device of the embodiment of the present invention is instead arranged in the internal network, where it continuously monitors the network conditions of the internal network, finds illegal operations or intrusion behaviour present in the network and responds in time, achieving the purpose of protecting intranet security.
Traffic data collection module 100, for collecting traffic data that passes through the firewall in the network;
Note that in embodiments of the present invention the operating state of the network system can be monitored, that is, the content transmitted in real time in the network is monitored, and the traffic data collection module 100 collects the traffic data passing through the firewall in the intranet or private network. The traffic data refers to data transmitted in real time, such as packets, datagrams and network logs; embodiments of the present invention do not specifically limit this.
Attack detection module 110, for performing attack detection on the traffic data passing through the firewall to obtain attacking traffic data;
Note that in embodiments of the present invention the attack detection module 110 performs attack detection on the traffic data passing through the firewall in order to obtain attacking traffic data that the firewall failed to block, that is, attacking traffic data that the firewall was unable to identify.
Attack feature update module 120, for updating the original attack features corresponding to the firewall according to the attacking traffic data to obtain updated attack features, and causing the firewall to use the updated attack features to perform attack detection on traffic data about to pass through the firewall.
Note that the firewall itself has corresponding original attack features, which can be stored in an original attack feature list. The original attack features stored in the firewall's original attack feature list are updated according to the attacking traffic data to obtain the updated attack features, and the firewall uses the updated attack features to perform attack detection on traffic data about to pass through it.
On the basis of the above attack detection device embodiment, the present invention can also select suitable modules from the modules below to compose a new attack detection device. The specific composition can be determined from the corresponding description in the method embodiments and is not repeated in this embodiment.
The attack detection module comprises:
a scanning module, for scanning the traffic data passing through the firewall and determining the data type of that traffic data;
a data feature determination module, for determining the data features corresponding to the data type of the traffic data passing through the firewall;
an attacking traffic data determination module, for performing attack detection on the data features and determining the attacking traffic data corresponding to data features having an attack property.
The attacking traffic data determination module comprises:
a data feature comparison module, for comparing the data features corresponding to the data type of the traffic data passing through the firewall with the original data features corresponding to that data type stored in the feature database, to obtain a comparison result;
an attacking traffic data determination sub-module, for determining, according to the comparison result, the attacking traffic data corresponding to data features having an attack property.
The attacking traffic data determination sub-module is specifically configured to:
determine, according to the comparison result, the attack type, attack path and Internet Protocol (IP) address of the attacking traffic data corresponding to data features having an attack property.
The device further comprises:
an attack alarm information generation module, for generating attack alarm information according to the attacking traffic data.
In summary:
Embodiments of the present invention disclose an attack detection method and device comprising: collecting traffic data that passes through a firewall in the network; performing attack detection on the traffic data passing through the firewall to obtain attacking traffic data; and updating the original attack features corresponding to the firewall according to the attacking traffic data to obtain updated attack features, and causing the firewall to use the updated attack features to perform attack detection on traffic data about to pass through the firewall. In embodiments of the present invention, attack detection is performed on the traffic data that passed through the firewall to obtain attacking traffic data; since this attacking traffic data passed through the firewall, it was previously undetected by the firewall. The original attack features corresponding to the firewall are updated using the attacking traffic data, so that the firewall promptly acquires the capability to defend against previously undetected attack behaviour and uses the updated attack features to perform attack detection on traffic data about to pass through it, improving network security.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and for relevant details reference may be made to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms according to their functions. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be considered to go beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An attack detection method, characterized in that it comprises:
collecting the traffic data that passes through a firewall in a network;
performing attack detection on the traffic data that passes through the firewall to obtain attack traffic data;
updating the original attack features of the firewall according to the attack traffic data to obtain updated attack features, so that the firewall uses the updated attack features to perform attack detection on traffic data that is about to pass through the firewall.
2. The attack detection method according to claim 1, characterized in that the process of performing attack detection on the traffic data that passes through the firewall to obtain attack traffic data comprises:
scanning the traffic data that passes through the firewall to determine the data type of the traffic data that passes through the firewall;
determining the data features corresponding to the data type of the traffic data that passes through the firewall;
performing attack detection on the data features to determine the attack traffic data corresponding to the data features having attack characteristics.
3. The attack detection method according to claim 2, characterized in that the process of performing attack detection on the data features to determine the attack traffic data corresponding to the data features having attack characteristics comprises:
comparing the data features corresponding to the data type of the traffic data that passes through the firewall with the original data features corresponding to that data type stored in a feature database, to obtain a comparison result;
determining, according to the comparison result, the attack traffic data corresponding to the data features having attack characteristics.
4. The attack detection method according to claim 3, characterized in that the process of determining, according to the comparison result, the traffic data corresponding to the data features having attack characteristics comprises:
determining, according to the comparison result, the attack type, attack path and Internet Protocol (IP) address in the attack traffic data corresponding to the data features having attack characteristics.
5. The attack detection method according to any one of claims 1 to 4, characterized in that, after performing attack detection on the traffic data that passes through the firewall to obtain attack traffic data, the method further comprises:
generating attack alarm information according to the attack traffic data.
6. An attack detection device, characterized in that it comprises:
a traffic data collection module, configured to collect the traffic data that passes through a firewall in a network;
an attack detection module, configured to perform attack detection on the traffic data that passes through the firewall to obtain attack traffic data;
an attack feature update module, configured to update the original attack features of the firewall according to the attack traffic data to obtain updated attack features, so that the firewall uses the updated attack features to perform attack detection on traffic data that is about to pass through the firewall.
7. The attack detection device according to claim 6, characterized in that the attack detection module comprises:
a scanning module, configured to scan the traffic data that passes through the firewall to determine the data type of the traffic data that passes through the firewall;
a data feature determination module, configured to determine the data features corresponding to the data type of the traffic data that passes through the firewall;
an attack traffic data determination module, configured to perform attack detection on the data features to determine the attack traffic data corresponding to the data features having attack characteristics.
8. The attack detection device according to claim 7, characterized in that the attack traffic data determination module comprises:
a data feature comparison module, configured to compare the data features corresponding to the data type of the traffic data that passes through the firewall with the original data features corresponding to that data type stored in a feature database, to obtain a comparison result;
an attack traffic data determination sub-module, configured to determine, according to the comparison result, the attack traffic data corresponding to the data features having attack characteristics.
9. The attack detection device according to claim 8, characterized in that the attack traffic data determination sub-module is specifically configured to:
determine, according to the comparison result, the attack type, attack path and Internet Protocol (IP) address in the attack traffic data corresponding to the data features having attack characteristics.
10. The attack detection device according to any one of claims 6 to 8, characterized in that it further comprises:
an attack alarm information generation module, configured to generate attack alarm information according to the attack traffic data.
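As an added example, not the patent's own code, the method of claims 1 to 5 and the device of claims 6 to 10 modelled in Python: a detector behind the firewall compares per-type data features with a feature database, raises an alarm carrying attack type, attack path and source IP, and pushes the violated feature bounds back into the firewall's attack features so that later traffic of the same kind is blocked before it ever reaches the collector. The feature database bounds, data types and sample flows are all constructed for this illustration.

```python
"""Added example, not the patent's code: the detect-alarm-update loop of claims 1-5."""
from dataclasses import dataclass, field

# Feature database (claim 3): baseline bounds per data type; values are constructed.
FEATURE_DB = {"dns": {"query_len": (1, 64), "label_count": (1, 8)}}

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    data_type: str   # data type found by the scan step (claim 2)
    features: dict   # data features extracted for that type

@dataclass
class Firewall:
    # Attack features learned so far: (data_type, feature, low, high)
    attack_features: set = field(default_factory=set)

    def allows(self, flow):
        # A flow is blocked if it breaks a learned bound for its data type.
        return not any(dt == flow.data_type and name in flow.features
                       and not lo <= flow.features[name] <= hi
                       for dt, name, lo, hi in self.attack_features)

def violated_bounds(flow):
    """Compare the flow's features with the baseline for its data type (claim 3)."""
    base = FEATURE_DB.get(flow.data_type, {})
    return [(n, *base[n]) for n, v in flow.features.items()
            if n in base and not base[n][0] <= v <= base[n][1]]

def run_pipeline(fw, flows):
    """Collect flows that got past the firewall, detect, alarm, update (claims 1-5)."""
    alarms = []
    for flow in flows:
        if not fw.allows(flow):
            continue                        # blocked, never reaches the collector
        hits = violated_bounds(flow)
        if hits:                            # claim 4: type, path and IP; claim 5: alarm
            alarms.append({"type": f"{flow.data_type}:{hits[0][0]}_out_of_range",
                           "path": f"{flow.src_ip}->{flow.dst_ip}", "ip": flow.src_ip})
            for name, lo, hi in hits:       # claim 1: update the firewall's attack features
                fw.attack_features.add((flow.data_type, name, lo, hi))
    return alarms

# Constructed sample traffic: one normal query, then two oversized ones from one host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.53", "dns", {"query_len": 40, "label_count": 3}),
    Flow("198.51.100.7", "10.0.0.53", "dns", {"query_len": 180, "label_count": 12}),
    Flow("198.51.100.7", "10.0.0.53", "dns", {"query_len": 200, "label_count": 11}),
]
```

Running `run_pipeline(Firewall(), SAMPLE_FLOWS)` yields one alarm for the second flow; the third flow, which the same firewall would have passed before the update, is now dropped by `allows` without reaching the detector.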
CN201710064374.3A 2017-02-04 2017-02-04 Attack detection method and device Pending CN106713358A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710064374.3A CN106713358A (en) 2017-02-04 2017-02-04 Attack detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710064374.3A CN106713358A (en) 2017-02-04 2017-02-04 Attack detection method and device

Publications (1)

Publication Number Publication Date
CN106713358A true CN106713358A (en) 2017-05-24

Family

ID=58909848

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710064374.3A Pending CN106713358A (en) 2017-02-04 2017-02-04 Attack detection method and device

Country Status (1)

Country Link
CN (1) CN106713358A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104519016A (en) * 2013-09-29 2015-04-15 中国电信股份有限公司 Method and device for automatic defense distributed denial of service attack of firewall
US9258323B1 (en) * 2001-10-09 2016-02-09 Juniper Networks, Inc. Distributed filtering for networks
CN105553958A (en) * 2015-12-10 2016-05-04 国网四川省电力公司信息通信公司 Novel network security linkage system and method

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
夏起军: "Research on Firewall and Intrusion Detection System Linkage Technology", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
孙鹏程: "Research on Enterprise VPN Solutions Based on Tunneling Technology", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
张洋: "Research on SDN-Based DDoS Attack Detection and Protection Mechanisms", 《电子测试》 *
李仁玲: "A Multi-Layer Intrusion-Tolerant System for Library Web Servers", 《河北科技图苑》 *
蔡丽萍: "Research on Layered-Architecture Enterprise Network Security", 《信息系统工程》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107395593A (en) * 2017-07-19 2017-11-24 深信服科技股份有限公司 Vulnerability automatic protection method, firewall and storage medium
CN107395593B (en) * 2017-07-19 2020-12-04 深信服科技股份有限公司 Vulnerability automatic protection method, firewall and storage medium
CN107483502A (en) * 2017-09-28 2017-12-15 深信服科技股份有限公司 Method and device for detecting remaining attacks
CN108667855A (en) * 2018-07-19 2018-10-16 百度在线网络技术(北京)有限公司 Network traffic anomaly monitor method, apparatus, electronic equipment and storage medium
CN112615865A (en) * 2020-12-21 2021-04-06 曹佳乐 Data anti-intrusion method based on big data and artificial intelligence and big data server
CN112910895A (en) * 2021-02-02 2021-06-04 杭州安恒信息技术股份有限公司 Network attack behavior detection method and device, computer equipment and system
CN113704772A (en) * 2021-08-31 2021-11-26 陈靓 Safety protection processing method and system based on user behavior big data mining
CN113704772B (en) * 2021-08-31 2022-05-17 中数智创科技有限公司 Safety protection processing method and system based on user behavior big data mining
CN115208678A (en) * 2022-07-09 2022-10-18 国网新疆电力有限公司信息通信公司 Intelligent network safety protection method, system, equipment and medium
CN115208678B (en) * 2022-07-09 2023-08-11 国网新疆电力有限公司信息通信公司 Intelligent network security protection method, system, equipment and medium

Similar Documents

Publication Publication Date Title
CN106713358A (en) Attack detection method and device
CN107888607A (en) Network threat detection method, device and network management device
US7197563B2 (en) Systems and methods for distributed network protection
US9008617B2 (en) Layered graphical event mapping
CN108092948A (en) Network attack pattern recognition method and device
US20010052014A1 (en) Systems and methods for distributed network protection
CN108040070A (en) Network security test platform and method
CN107493256B (en) Security event defense method and device
CN105959250A (en) Network attack black list management method and device
AlYousef et al. Dynamically detecting security threats and updating a signature-based intrusion detection system’s database
CN108200095A (en) Method and device for determining the vulnerability of an Internet boundary security policy
KR20170091989A (en) System and method for managing and evaluating security in industry control network
Innab et al. Hybrid system between anomaly based detection system and honeypot to detect zero day attack
KR101768079B1 (en) System and method for improvement invasion detection
Basholli et al. Possibility of protection against unauthorized interference in telecommunication systems
KR101767591B1 (en) System and method for improvement invasion detection
CN106453235A (en) Network security method
Ahmed et al. Collecting and analyzing digital proof material to detect cybercrimes
Bendiab et al. IoT Security Frameworks and Countermeasures
KR20210141198A (en) Network security system that provides security optimization function of internal network
KR100798755B1 (en) Threats management system and method thereof
Gaonjur et al. Risk of insider threats in information technology outsourcing: Can deceptive techniques be applied?
Potdar et al. Security solutions for Cloud computing
LanFang et al. A Research of Behavior-Based Penetration Testing Model of the Network
Kaur et al. Contemplate and Investigate a Network based Intrusion Detection System

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170524