CN106790193B - Anomaly detection method and device based on host network behavior - Google Patents
Publication number: CN106790193B (application CN201611262873.5A)
Authority: CN (China)
Prior art keywords: abnormal, data, dimension data, network behavior, host
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention discloses an anomaly detection method and device based on host network behavior. The method comprises: collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host; performing multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; determining the abnormal dimension data among the dimension data; and, for each host, matching the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, if so, which abnormal network behavior the abnormal dimension data corresponds to, where the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, if so, the corresponding abnormal network behavior. The invention solves the technical problem in the prior art that some anomalies cannot be detected from a single session/connection.
Description
Technical field
The present invention relates to the Internet field, and in particular to an anomaly detection method and device based on host network behavior.
Background technique
An enterprise or campus network usually has a clear boundary. A firewall/UTM typically serves as the boundary protection device: it connects the intranet to the external network (wide area network), protects the hosts and servers in the intranet against unauthorized access and attacks from outside, provides appropriate isolation between hosts and servers within the intranet, and prevents internal hosts from accessing servers without authorization. Fig. 1 is a network topology diagram of the prior art, representing a typical enterprise or university network. In Fig. 1, Internet denotes the external network; LAN1 denotes internal network 1 and 10.100.31.0/24 its address range; LAN2 denotes internal network 2 and 10.100.32.0/24 its address range; DMZ denotes the server network and 10.100.1.0/24 its address range. The server network hosts the services deployed by the enterprise and may be accessed by internal hosts as well as by hosts on the Internet. Firewall denotes the firewall, which connects the internal networks and the external network, prevents unauthorized access from outside into the internal networks, and restricts access between internal networks as required.
In the typical network of Fig. 1, the firewall serves as the access point to the Internet and at the same time buffers between the different networks (zones), protecting internal hosts and servers. To protect internal hosts and servers, prior-art firewalls apply a variety of techniques to different security problems. The first and most common scheme is packet filtering on the layer 3 and layer 4 headers of IP packets. The OSI network model divides a network into seven layers: physical, link, network, transport, session, presentation and application. The current Internet is an implementation of an IP-based network, that is, the network layer is IP; common transport-layer protocols include TCP, UDP and ICMP, and TCP and UDP are the protocols used by the vast majority of current network applications. For example, the most common Web, mail and FTP services are all based on TCP, as are a large number of mobile applications; TFTP, DNS and some instant messaging software use UDP. Filtering by IP address and TCP/UDP port therefore solves the access control problem for many services, and this is the most basic policy function of a firewall. For Fig. 1, if LAN1 is to be allowed to access the Web service in the DMZ (the Web service uses TCP port 80) but forbidden to access the SMTP service in the DMZ (the SMTP service uses TCP port 25), a policy similar to the following table can be used:

| Source address | Destination address | Service | Action |
|---|---|---|---|
| 10.100.31.0/24 | 10.100.1.0/24 | TCP dst port 80 | Allow |
| 10.100.32.0/24 | 10.100.1.0/24 | TCP dst port 25 | Forbid |
Besides layer 3/4 packet filtering, the second commonly used prior-art scheme protects intranet hosts and servers through deep packet inspection at the application layer, since a good share of security problems exploit services that may legitimately be accessed. Examples are attacks on a Web server through known software vulnerabilities of that server, or viruses and trojan files placed on a server. None of these problems can be filtered on the layer 3/4 information of the packets, because at those layers the attack packets are indistinguishable from packets of normal access; the attack signature lies in the TCP or UDP payload. The common practice against this kind of attack is to parse the application-layer protocol and match the result against attack pattern strings extracted by prior analysis, so as to discover the attack. Current IPS and anti-virus devices and UTMs all use this technical solution; a UTM device integrates the IPS and anti-virus functions on top of a firewall, and the technical principle is the same.
Whether it is layer 3/4 packet filtering or deep content inspection of application-layer data, both essentially operate within the context of a single session/connection. Layer 3/4 packet filtering filters the layer 3 and layer 4 headers of a packet according to the defined firewall policy; deep packet inspection of application-layer data parses the application-layer protocol, extracts the required data according to that protocol, and matches it against a predefined signature database to detect anomalies. Both schemes solve a considerable part of the problem and are the common basic solutions in the industry. However, there are also attacks that show no anomaly in a single session, a single operation or even several operations, yet, when placed in a longer-term context in which the network data of a host is analysed and learnt over a long period, turn out to deviate from the host's historical behavior. The network behavior referred to here is in many cases not extracted from a single session alone, but is also the result of periodically extracting and pre-processing data from the host's network data.

No effective solution has yet been proposed for the above problem that, in the prior art, some anomalies cannot be detected from a single session/connection.
Summary of the invention
Embodiments of the invention provide an anomaly detection method and device based on host network behavior, so as at least to solve the technical problem in the prior art that some anomalies cannot be detected from a single session/connection.
According to one aspect of an embodiment of the invention, an anomaly detection method based on host network behavior is provided, comprising: collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host; performing multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; determining the abnormal dimension data among the dimension data; and, for each host, matching the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, if so, the abnormal network behavior to which the abnormal dimension data corresponds, where the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, if so, the corresponding abnormal network behavior.
According to another aspect of an embodiment of the invention, an anomaly detection device based on host network behavior is also provided, comprising: a collection module for collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host; an analysis module for performing multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; a determination module for determining the abnormal dimension data among the dimension data; and a matching module for matching, for each host, the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, if so, the abnormal network behavior to which the abnormal dimension data corresponds, where the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, if so, the corresponding abnormal network behavior.
In embodiments of the invention, each host in the intranet is observed, learnt and analysed so as to obtain the suspicious network behavior found over a period of time, that is, the historical network behavior. According to that historical abnormal network behavior, the network behavior data of each host among at least one host is collected; multi-dimensional analysis is performed on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; the abnormal dimension data among the dimension data is determined; and, for each host, the abnormal dimension data is matched against predefined rules to determine whether abnormal network behavior has occurred and, if so, which abnormal network behavior it corresponds to, the predefined rules serving to make both determinations. This achieves anomaly detection based on host network behavior, so that abnormal network behavior is detected from the host's network behavior rather than from a single session/connection, thereby solving the technical problem in the prior art that some anomalies cannot be detected from a single session/connection.
Detailed description of the invention
The drawings described herein are provided for a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a network topology diagram according to the prior art;
Fig. 2 is a flowchart of an anomaly detection method based on host network behavior according to embodiment 1 of the invention;
Fig. 3 is a flowchart of an optional anomaly detection method based on host network behavior according to embodiment 1 of the invention;
Fig. 4 is a structural diagram of an anomaly detection device based on host network behavior according to embodiment 2 of the invention;
Fig. 5 is a structural diagram of an optional anomaly detection device based on host network behavior according to embodiment 2 of the invention;
Fig. 6 is a structural diagram of an optional anomaly detection device based on host network behavior according to embodiment 2 of the invention; and
Fig. 7 is a structural diagram of an optional anomaly detection device based on host network behavior according to embodiment 2 of the invention.
Specific embodiment
To enable those skilled in the art to better understand the solution of the invention, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only a part of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "comprise" and "have" and any variation of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.
Embodiment 1
According to an embodiment of the invention, an embodiment of an anomaly detection method based on host network behavior is provided. It should be noted that the steps shown in the flowcharts of the drawings can be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
Fig. 2 shows an anomaly detection method based on host network behavior according to an embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step S102: collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host.
Specifically, the common network behavior of existing attack samples, that is, abnormal network behavior, can be extracted, and these abnormal network behaviors are then decomposed, optionally into units that can be collected on a per-session/connection basis. The data collection items are then determined from these units, that is, the network behavior data of the host that needs to be collected, the metadata, is determined. In summary, the metadata is summarized from the network activity of existing network attacks, that is, from historical abnormal network activity; the network behavior data collected in the invention is therefore very likely to be data generated by abnormal network behavior.
Step S104: performing multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension.
Specifically, multi-dimensional analysis of the network behavior data is a pre-processing step: by pre-processing the metadata, the dimension data is obtained.
Step S106: determining the abnormal dimension data among the dimension data.
Specifically, abnormal dimension data is an anomaly arising in the above dimension data.
Step S108: for each host, matching the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, if so, the abnormal network behavior to which the abnormal dimension data corresponds, where the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, if so, the corresponding abnormal network behavior.
Specifically, an anomaly in the dimension data does not necessarily mean that abnormal network behavior, such as an attack, has occurred. The abnormal dimension data therefore has to be matched against the predefined rules, and the matching result decides whether abnormal network behavior has occurred and which abnormal network behavior it is. Optionally, since a single abnormal dimension does not necessarily indicate abnormal network behavior, and only the presence of several abnormal dimensions may indicate it, the abnormal dimension data matched against the predefined rules may be a single abnormal dimension or several abnormal dimensions matched in association.
In embodiments of the invention, each host in the intranet is observed, learnt and analysed so as to obtain the suspicious network behavior found over a period of time, that is, the historical network behavior. According to that historical abnormal network behavior, the network behavior data of each host among at least one host is collected; multi-dimensional analysis is performed on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; the abnormal dimension data among the dimension data is determined; and, for each host, the abnormal dimension data is matched against predefined rules to determine whether abnormal network behavior has occurred and, if so, which abnormal network behavior it corresponds to, the predefined rules serving to make both determinations. This achieves anomaly detection based on host network behavior, so that abnormal network behavior is detected from the host's network behavior rather than from a single session/connection, thereby solving the technical problem in the prior art that some anomalies cannot be detected from a single session/connection.
It should be noted here that the anomaly detection method based on host network behavior in the embodiments of the invention breaks with the session/connection-centred way of thinking and instead takes the host as the core: the network behavior of a host over its history is sampled, pre-processed and stored, and then analysed to determine whether abnormal network behavior exists. The invention can be combined with the layer 3/4 packet filtering technique and the deep content inspection of application-layer data described in the background, as an effective supplement to the firewall's layer 3/4 packet filtering and application-layer deep content inspection, so as to enhance the firewall's anomaly detection capability.
In an optional embodiment, the network behavior data includes at least one of: traffic data, connection data, TCP data, HTTP data and DNS data.
Specifically, the network behavior data is counted per host. Traffic data includes at least one of: uplink traffic byte count, downlink traffic byte count, uplink packet count and downlink packet count. Connection data includes at least one of: the number of connections initiated from the host, the number of connections initiated from outside to the host, the number of connections to well-known ports initiated from the host, and the number of connections to well-known ports of the host initiated from outside. TCP data includes at least one of: the numbers of TCP SYN, PUSH and RST segments. HTTP data includes at least one of: URL length, Cookie length, HTTP request length, number of request header fields, number of each HTTP request method, number of unanswered HTTP requests, number of each HTTP response code, HTTP response length and HTTP response content type. DNS data includes at least the domain name requested over DNS.
In an optional embodiment, the dimension data includes at least one of: traffic dimension data, session dimension data, HTTP dimension data and DNS dimension data. Traffic dimension data includes at least one of: the host's average uplink byte count, uplink packet count, downlink byte count and downlink packet count per second, and the average uplink byte count, uplink packet count, downlink byte count and downlink packet count per second on well-known ports. Session dimension data includes at least one of: the average number of sessions initiated to the host per second and the number of those whose destination port is a well-known port; the average number of sessions initiated by the host per second and the number of those whose destination port is a well-known port; the average number of failed connection establishments of the host per second; the average number of failed connection establishments on well-known ports per second; the number of HTTP sessions initiated by the host per second and the number of those that failed; the number of HTTP sessions initiated to the host per second and the number of those that failed; the number of live sessions of the host; and the number of live HTTP sessions of the host. HTTP dimension data includes at least one of: the distribution of URL request length, the number of distinct URL request paths, the distribution of Cookie length, the distribution of the number of Cookie fields, the distribution of the number of request header fields, the distribution of request methods, the distribution of response content type, the distribution of response content length, the distribution of response codes, the distribution of the request methods of the responses, the number and proportion of each request method, the proportion of each response code, and the file types downloaded over HTTP. It should be noted here that for distribution-type data the statistics are usually kept in several ranges; for URL length, for example, the five ranges 0-32, 33-64, 64-96, 96-128 and >128 can be counted. DNS dimension data includes at least the domain name requested over DNS.
In an optional embodiment, determining the abnormal dimension data among the dimension data in step S106 comprises: step S202, determining that dimension data of a host which exceeds a preset dimension data threshold is abnormal dimension data; or step S204, determining that dimension data of a host which exceeds a preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a predetermined deviation is abnormal dimension data.
Specifically, two ways can be used to determine abnormal dimension data. In the first way, dimension data exceeding the preset dimension data threshold is judged to be abnormal dimension data; this way can be called the direct trigger mode, since the judgement is made directly from the dimension data.
It should be noted here that, since each host may have several dimension data, each dimension data has a corresponding dimension data threshold, and the dimension data threshold can be learnt and adjusted dynamically. It can therefore be set by hand according to the actual situation, or calculated after learning the host for a certain time. Different hosts may have the same dimension data, but since the behavior of different hosts is not identical, the corresponding dimension data thresholds for the same dimension data of different hosts may also differ.
Optionally, in the first way, for DNS request data, if a malicious domain name or a domain name automatically generated by software is requested, or a large number of DNS requests are sent in a short time, the DNS request data can be judged abnormal; malicious domain names can be detected directly against a blacklist, and software-generated domain names can be detected by mature domain generation algorithm (Domain Generation Algorithm) detection software. For SYN segment ratio data, if the ratio of SYN segments is too high, the SYN segment ratio data can be judged abnormal, because a normal TCP connection consists of at least 7 segments, so the ratio of SYN segments should be below 1/7 and is normally far below that value. For HTTP response code 200 ratio data, if the ratio of HTTP 200 OK responses is too low, the HTTP response code 200 ratio data can be judged abnormal, because ordinary requests are almost all answered with 200 OK; when this ratio is too low, it is more likely that software is trying to obtain or bypass authentication. For HTTP download file type data, if an executable file is downloaded, the HTTP download file type data can be judged abnormal.
Specifically, the second way can also be used to determine abnormal dimension data. The second way requires not only that the dimension data exceed the preset dimension data threshold, but also that the same dimension data be compared across all hosts: only when the dimension data of one host is abnormal compared with the dimension data of the other hosts is it judged abnormal, that is, judged to be abnormal dimension data. This way can be called the lateral comparison mode, since it requires comparison against all monitored hosts.
Optionally, the degree to which the dimension data of one host is abnormal compared with the dimension data of the other hosts can be quantified by calculating a deviation: first the average of the same dimension data over all hosts is calculated, then the deviation of each host's dimension data from that average; if the deviation is greater than the predetermined deviation, that host's dimension data is judged abnormal.
Optionally, for the number of newly created sessions of a certain host: if the number of newly created sessions exceeds the corresponding threshold and is significantly greater than that of the other hosts, the number of newly created sessions of that host can be determined to be abnormal; for the newly created well-known-port sessions of a certain host: if the number of newly created sessions whose destination port is a well-known port exceeds the threshold and is significantly greater than that of the other hosts, the newly created well-known-port sessions of that host are determined to be abnormal; for the newly created HTTP sessions of a certain host: when the number of newly created HTTP sessions exceeds the threshold and is significantly greater than that of the other hosts, the newly created HTTP sessions of that host can be determined to be abnormal; for the number of live well-known-port sessions of a certain host: when the number of well-known-port connections exceeds the threshold and is significantly greater than that of the other hosts, the number of live well-known-port sessions of that host can be determined to be abnormal; for the number of live HTTP sessions of a certain host: when the number of HTTP connections exceeds the threshold and is significantly greater than that of the other hosts, the number of live HTTP sessions of that host can be determined to be abnormal; for the connection count of a certain host: when the total number of connections exceeds the threshold and is significantly greater than that of the other hosts, the connection count of that host can be determined to be abnormal; for the uplink traffic of a certain host: when the uplink traffic exceeds the threshold and is significantly greater than that of the other hosts, the uplink traffic of that host can be determined to be abnormal; for the uplink-to-downlink traffic ratio of a certain host: when the uplink-to-downlink traffic ratio is significantly greater than that of the other hosts, the uplink-to-downlink traffic ratio of that host can be determined to be abnormal; for the HTTP access paths of a certain host: when the number of distinct URL paths requested from a fixed destination address exceeds the threshold and is significantly greater than that of the other hosts, the HTTP access paths of that host can be determined to be abnormal.
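The two ways of deciding that a dimension datum is abnormal described above (exceeding a preset threshold alone, versus exceeding the threshold and also deviating from the all-host average by more than a predetermined deviation, the "lateral comparison") can be illustrated with a small worked example. The following code is an example added here, not code from the patent or its applicant; the host names, dimension names, values, thresholds and the choice of a relative deviation from the mean as the deviation measure are all assumptions made for the illustration.

```python
from statistics import mean
from typing import Dict, List

# Constructed sample (invented values): dimension data of four monitored hosts
# for one collection period. The dimension names are assumptions standing in
# for the patent's "new session count", "new HTTP session count", "uplink
# traffic" and "connection count".
DIMENSION_DATA: Dict[str, Dict[str, float]] = {
    "host1": {"new_sessions": 120, "http_new_sessions": 40, "uplink_bytes": 5_000_000, "connections": 800},
    "host2": {"new_sessions": 130, "http_new_sessions": 35, "uplink_bytes": 4_800_000, "connections": 820},
    "host3": {"new_sessions": 2400, "http_new_sessions": 38, "uplink_bytes": 90_000_000, "connections": 790},
    "host4": {"new_sessions": 110, "http_new_sessions": 900, "uplink_bytes": 5_100_000, "connections": 810},
}

# Preset per-dimension thresholds (assumed values; tuned per deployment in practice).
THRESHOLDS: Dict[str, float] = {
    "new_sessions": 500,
    "http_new_sessions": 200,
    "uplink_bytes": 20_000_000,
    "connections": 500,
}

# Predetermined deviation, expressed here as a relative deviation from the
# all-host mean (assumption: 1.0 means "more than double the mean").
PREDETERMINED_DEVIATION = 1.0


def threshold_abnormal(data: Dict[str, Dict[str, float]],
                       thresholds: Dict[str, float]) -> Dict[str, List[str]]:
    """Threshold-only check: a dimension datum is abnormal when it exceeds
    the preset threshold for that dimension."""
    result: Dict[str, List[str]] = {}
    for host, dims in data.items():
        flagged = sorted(d for d, v in dims.items() if d in thresholds and v > thresholds[d])
        if flagged:
            result[host] = flagged
    return result


def lateral_abnormal(data: Dict[str, Dict[str, float]],
                     thresholds: Dict[str, float],
                     max_dev: float = PREDETERMINED_DEVIATION) -> Dict[str, List[str]]:
    """Lateral comparison: a dimension datum is abnormal only if it exceeds the
    preset threshold AND its relative deviation from the mean of the same
    dimension across all hosts exceeds max_dev."""
    dim_names = {d for host_dims in data.values() for d in host_dims}
    means = {d: mean(host_dims[d] for host_dims in data.values() if d in host_dims)
             for d in dim_names}
    result: Dict[str, List[str]] = {}
    for host, host_dims in data.items():
        flagged = []
        for d, v in host_dims.items():
            if d not in thresholds or v <= thresholds[d]:
                continue                      # below threshold: never abnormal
            avg = means[d]
            deviation = (v - avg) / avg if avg else float("inf")
            if deviation > max_dev:
                flagged.append(d)
        if flagged:
            result[host] = sorted(flagged)
    return result


if __name__ == "__main__":
    print("threshold only :", threshold_abnormal(DIMENSION_DATA, THRESHOLDS))
    print("lateral compare:", lateral_abnormal(DIMENSION_DATA, THRESHOLDS))
```

In the constructed data every host exceeds the connection threshold, so the threshold-only check flags all four hosts on that dimension, while the lateral comparison flags nobody for it, because no host stands out from the others; this is the point of comparing against all monitored hosts. Only host3 (new sessions, uplink traffic) and host4 (new HTTP sessions) survive the lateral comparison.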
In an optional embodiment, after the abnormal dimension data among the dimension data is determined in step S106, the method further includes: step S302, grouping the abnormal dimension data by period; then, in step S108, matching the abnormal dimension data against the predefined rules can specifically be: matching the abnormal dimension data within the same period against the predefined rules.
Specifically, as described above, for a host a single abnormal dimension datum does not necessarily indicate that abnormal network behavior has occurred, whereas the presence of multiple abnormal dimension data may indicate some abnormal network behavior. Therefore the abnormal dimension data matched against the predefined rules may be a single abnormal dimension datum, or multiple abnormal dimension data matched in association, and preferably the abnormal dimension data of the same period are matched together; hence the abnormal dimension data must first be grouped by period, where the period used for grouping can be configured as desired.
Optionally, when the number of uplink requests to well-known ports exceeds a threshold and the number of failed uplink well-known-port responses exceeds a threshold, it can be determined that scanning has been initiated toward the outside; when the number of HTTP connections newly created per second from the inside exceeds a threshold and the number of live connections exceeds a threshold, a connection exhaustion attack can be determined; when the number of newly created HTTP requests exceeds a threshold and the number of HTTP request paths exceeds a threshold, crawler behavior can be determined; when the number of newly created HTTP requests exceeds a threshold and a large proportion of 3XX response codes is returned, an attempt to bypass authentication, or a crawler, can be determined; when an executable file is downloaded and a large number of DNS requests for malicious or machine-generated domain names are produced, it can be determined that the host has been infected with a trojan or backdoor software.
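The grouping-by-period step and the subsequent rule matching described in the two passages above can be shown together in one worked example: abnormal dimension records (as they would be stored after the threshold or lateral-comparison step) are bucketed per host into fixed periods, and each bucket is matched against predefined rules that require a combination of abnormal dimensions to be present in the same period. This is an example added here, not code from the patent or its applicant; the record format, the dimension names, the one-hour period and the timestamps are assumptions, and the rule pairings follow the patent text.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple


class AbnormalDimension(NamedTuple):
    host: str
    timestamp: int      # seconds since the epoch (assumed record format)
    dimension: str      # name of the abnormal dimension datum


# Grouping period in seconds; the patent says it is configurable (1 hour assumed here).
PERIOD_SECONDS = 3600

# Predefined rules: each rule names the abnormal dimensions that must occur
# together in one period and the abnormal network behavior they indicate.
# Dimension names are assumptions; the pairings follow the patent text.
PREDEFINED_RULES: List[Tuple[FrozenSet[str], str]] = [
    (frozenset({"uplink_wkport_requests", "uplink_wkport_failures"}), "outbound scanning"),
    (frozenset({"http_new_conn_per_sec", "http_live_conns"}), "connection exhaustion attack"),
    (frozenset({"http_new_requests", "http_request_paths"}), "crawler behavior"),
    (frozenset({"http_new_requests", "http_3xx_responses"}), "attempted authentication bypass or crawler"),
    (frozenset({"executable_download", "dga_dns_requests"}), "trojan or backdoor infection"),
]

# Constructed abnormal dimension records (invented values).
ABNORMAL_RECORDS: List[AbnormalDimension] = [
    AbnormalDimension("host3", 1_700_000_100, "uplink_wkport_requests"),
    AbnormalDimension("host3", 1_700_000_900, "uplink_wkport_failures"),
    AbnormalDimension("host4", 1_700_000_200, "http_new_requests"),
    AbnormalDimension("host4", 1_700_003_700, "http_request_paths"),   # falls in the next period
    AbnormalDimension("host5", 1_700_000_300, "executable_download"),
    AbnormalDimension("host5", 1_700_000_400, "dga_dns_requests"),
    AbnormalDimension("host5", 1_700_000_500, "http_new_requests"),    # alone: matches no rule
]


def group_by_period(records: List[AbnormalDimension],
                    period: int = PERIOD_SECONDS) -> Dict[Tuple[str, int], Set[str]]:
    """Step S302: group the abnormal dimension data of each host into fixed
    periods. The key is (host, period index)."""
    groups: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for r in records:
        groups[(r.host, r.timestamp // period)].add(r.dimension)
    return dict(groups)


def match_rules(groups: Dict[Tuple[str, int], Set[str]],
                rules: List[Tuple[FrozenSet[str], str]] = PREDEFINED_RULES
                ) -> Dict[Tuple[str, int], List[str]]:
    """Step S108: match each (host, period) group against the predefined rules.
    A rule matches when every abnormal dimension it requires is present in the
    group; a single abnormal datum on its own therefore raises nothing."""
    matched: Dict[Tuple[str, int], List[str]] = {}
    for key, dims in groups.items():
        behaviors = [label for required, label in rules if required <= dims]
        if behaviors:
            matched[key] = behaviors
    return matched


def detect(records: List[AbnormalDimension],
           period: int = PERIOD_SECONDS,
           rules: List[Tuple[FrozenSet[str], str]] = PREDEFINED_RULES
           ) -> Dict[Tuple[str, int], List[str]]:
    """Group by period, then match; returns the abnormal network behavior per (host, period)."""
    return match_rules(group_by_period(records, period), rules)


if __name__ == "__main__":
    for (host, period_idx), behaviors in detect(ABNORMAL_RECORDS).items():
        print(f"{host} period {period_idx}: {', '.join(behaviors)}")
```

In the constructed records host3's two scanning indicators fall in the same hour and match the scanning rule, and host5's executable download plus DGA-style DNS requests match the trojan/backdoor rule. host4's two crawler indicators straddle a period boundary, so they are never seen together and no behavior is reported for it; choosing the grouping period is therefore a trade-off between missing slow-moving behavior and associating unrelated anomalies.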
In an optional embodiment, after the abnormal dimension data among the dimension data is determined in step S106, the method includes: step S402, analyzing, with a step program, the abnormal network behavior corresponding to the abnormal dimension data of all hosts.
Specifically, for network behaviors that span a longer period and involve a large amount of network data, such as attacks, it is difficult to associate the dimension data through predefined rules. To solve this problem, a step program can be used to analyze the abnormal dimensions periodically; specifically, it can analyze the patterns in a large amount of abnormal dimension data over a long time and match the corresponding abnormal network behavior according to those patterns. The step program can analyze a large amount of historical data spanning a long time, and can even correlate across hosts; it can therefore analyze the historical abnormal dimensions in a more complex and flexible way, compensating for the inflexibility of predefined rules.
In an optional embodiment, as shown in Fig. 3, the metadata to be collected can be determined by a forwarding, flow-based packet filtering module, where metadata means the network behavior data. By collecting the metadata of multiple hosts, the metadata can be preprocessed to obtain dimension data; in Fig. 3 the multiple hosts are denoted host 1, host 2, host 3, etc. Specifically, the metadata can be fed into the processing function corresponding to each dimension of the host for preprocessing, yielding multiple dimension data for each host; in Fig. 3 the dimension data are denoted dimension 1, dimension 2, dimension 3, etc. After the dimension data are obtained, the abnormal dimension data among them can be determined and stored in a database; comprehensive analysis of the abnormal dimension data in the database yields the corresponding abnormal network behavior, that is, the event that may constitute a threat, and after the abnormal network behavior is determined an abnormal network behavior alarm can be raised.
In an optional embodiment, the present invention is suitable for gateway-class products, such as a firewall/UTM/next-generation firewall, as a supplement that enhances the anomaly detection capability for intranet hosts. The present invention can help enterprises and campuses discover abnormal phenomena on intranet hosts and ultimately locate situations such as an intranet host having been planted with a trojan or infected by a virus; it also helps discover intranet hosts actively launching attacks against the enterprise or campus and against external servers, reducing the security risk of the enterprise or campus.
Embodiment 2
According to an embodiment of the present invention, a product embodiment of an anomaly detection device based on host network behavior is provided. Fig. 4 shows the anomaly detection device based on host network behavior according to an embodiment of the present invention; as shown in Fig. 4, the device includes an acquisition module 101, an analysis module 103, a determining module 105 and a matching module 107.
The acquisition module 101 is configured to collect, according to historical abnormal network behavior, the network behavior data of each host among at least one host; the analysis module 103 is configured to perform multi-dimensional analysis on the network behavior data to obtain the dimension data of each host in each of at least one dimension; the determining module 105 is configured to determine the abnormal dimension data among the dimension data; the matching module 107 is configured to match, for each host, the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, where it is determined that abnormal network behavior has occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine, according to the abnormal dimension data, whether abnormal network behavior has occurred and, where it is determined that abnormal network behavior has occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data.
In the embodiment of the present invention, each host in the intranet is observed, learned and analyzed to obtain the suspicious network behavior found over a period of time, that is, the historical network behavior. The acquisition module 101 collects, according to the historical abnormal network behavior, the network behavior data of each host among at least one host; the analysis module 103 performs multi-dimensional analysis on the network behavior data to obtain the dimension data of each host in each of at least one dimension; the determining module 105 determines the abnormal dimension data among the dimension data; the matching module 107 matches, for each host, the abnormal dimension data against the predefined rules to determine whether abnormal network behavior has occurred and, where it is determined that abnormal network behavior has occurred, determines the abnormal network behavior corresponding to the abnormal dimension data, the predefined rules being used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, where it has, to determine the abnormal network behavior corresponding to the abnormal dimension data. This achieves the purpose of anomaly detection based on host network behavior, and the technical effect of finding abnormal network behavior that cannot be found from an individual session or connection within the network behavior, thereby solving the technical problem in the prior art that some anomalies cannot be detected from a single session or connection.
It should be noted here that the anomaly detection device based on host network behavior in the embodiment of the present invention breaks away from the approach that takes a session or connection as its core and instead takes the host as the core: the host's network behavior over the course of its history is comprehensively sampled, preprocessed and stored, and then analyzed to determine whether abnormal network behavior has occurred. The present invention can be used in combination with the layer 3/4 packet filtering technology and the application-layer deep content inspection technology of the firewall described in the background art, as an effective supplement to the firewall's layer 3/4 packet filtering and application-layer deep content inspection, enhancing the firewall's anomaly detection capability.
It should be noted here that the acquisition module 101, analysis module 103, determining module 105 and matching module 107 correspond to steps S102 to S108 in embodiment 1; the examples and application scenarios realized by these modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 1. It should be noted that these modules, as part of the device, can execute in a computer system such as a set of computer-executable instructions.
In an optional embodiment, as shown in Fig. 5, the determining module 105 includes a first determining module 201 and/or a second determining module 203. The first determining module 201 is configured to determine that dimension data of each host exceeding a preset dimension data threshold are abnormal dimension data; the second determining module 203 is configured to determine that dimension data of each host exceeding the preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a predetermined deviation are abnormal dimension data.
It should be noted here that the first determining module 201 and the second determining module 203 correspond to steps S202 to S204 in embodiment 1; the examples and application scenarios realized by these modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 1. It should be noted that these modules, as part of the device, can execute in a computer system such as a set of computer-executable instructions.
In an optional embodiment, as shown in Fig. 6, the device further includes a grouping module 301, configured to group the abnormal dimension data by period after the determining module 105 has determined the abnormal dimension data among the dimension data; accordingly, a specific implementation of the matching module 107 can be to match the abnormal dimension data within the same period against the predefined rules.
It should be noted here that the grouping module 301 corresponds to step S302 in embodiment 1; the examples and application scenarios realized by this module are the same as those of the corresponding step, but are not limited to what is disclosed in embodiment 1. It should be noted that this module, as part of the device, can execute in a computer system such as a set of computer-executable instructions.
In an optional embodiment, as shown in Fig. 7, the device further includes a step program analysis module 401, configured to analyze, using a step program, the abnormal network behavior corresponding to the abnormal dimension data of all hosts after the determining module 105 has determined the abnormal dimension data among the dimension data.
It should be noted here that the step program analysis module 401 corresponds to step S402 in embodiment 1; the examples and application scenarios realized by this module are the same as those of the corresponding step, but are not limited to what is disclosed in embodiment 1. It should be noted that this module, as part of the device, can execute in a computer system such as a set of computer-executable instructions.
In an optional embodiment, the network behavior data include at least one of the following: traffic data, connection data, TCP data, HTTP data and DNS data.
The serial numbers of the above embodiments of the invention are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference can be made to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content can be realized in other ways. The device embodiments described above are merely illustrative; for example, the division into units may be a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be realized in the form of hardware or in the form of a software functional unit.
If the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method of each embodiment of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk or an optical disk.
The above is only a preferred embodiment of the present invention; it should be noted that a person of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.
Claims (8)
1. An anomaly detection method based on host network behavior, characterized by comprising:
collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host;
performing multi-dimensional analysis on the network behavior data to obtain the dimension data of each host in each of at least one dimension;
determining the abnormal dimension data among the dimension data;
grouping the abnormal dimension data by period;
for each host, matching the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, where it is determined that the abnormal network behavior has occurred, determining the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine, according to the abnormal dimension data, whether the abnormal network behavior has occurred and, where it is determined that the abnormal network behavior has occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data;
wherein matching the abnormal dimension data against the predefined rules comprises: matching the abnormal dimension data within the same period against the predefined rules.
2. The method according to claim 1, characterized in that determining the abnormal dimension data among the dimension data comprises:
determining that dimension data of each host exceeding a preset dimension data threshold are the abnormal dimension data; or determining that dimension data of each host exceeding the preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a predetermined deviation are the abnormal dimension data.
3. The method according to claim 1, characterized in that, after determining the abnormal dimension data among the dimension data, the method comprises:
analyzing, using a step program, the abnormal network behavior corresponding to the abnormal dimension data of all hosts.
4. The method according to any one of claims 1-3, characterized in that the network behavior data comprise at least one of the following: traffic data, connection data, TCP data, HTTP data and DNS data.
5. An anomaly detection device based on host network behavior, characterized by comprising:
an acquisition module, configured to collect, according to historical abnormal network behavior, the network behavior data of each host among at least one host;
an analysis module, configured to perform multi-dimensional analysis on the network behavior data to obtain the dimension data of each host in each of at least one dimension;
a determining module, configured to determine the abnormal dimension data among the dimension data;
a matching module, configured to match, for each host, the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, where it is determined that the abnormal network behavior has occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine, according to the abnormal dimension data, whether the abnormal network behavior has occurred and, where it is determined that the abnormal network behavior has occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data;
wherein the device further comprises: a grouping module, configured to group the abnormal dimension data by period after the determining module has determined the abnormal dimension data among the dimension data;
and the matching module comprises: matching the abnormal dimension data within the same period against the predefined rules.
6. The device according to claim 5, characterized in that the determining module comprises:
a first determining module, configured to determine that dimension data of each host exceeding a preset dimension data threshold are the abnormal dimension data; and/or
a second determining module, configured to determine that dimension data of each host exceeding the preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a predetermined deviation are the abnormal dimension data.
7. The device according to claim 5, characterized in that the device further comprises: a step program analysis module, configured to analyze, using a step program, the abnormal network behavior corresponding to the abnormal dimension data of all hosts after the determining module has determined the abnormal dimension data among the dimension data.
8. The device according to any one of claims 5-7, characterized in that the network behavior data comprise at least one of the following: traffic data, connection data, TCP data, HTTP data and DNS data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611262873.5A CN106790193B (en) | 2016-12-30 | 2016-12-30 | The method for detecting abnormality and device of Intrusion Detection based on host network behavior |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106790193A CN106790193A (en) | 2017-05-31 |
CN106790193B true CN106790193B (en) | 2019-11-08 |
Family
ID=58954105
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611262873.5A Active CN106790193B (en) | 2016-12-30 | 2016-12-30 | The method for detecting abnormality and device of Intrusion Detection based on host network behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106790193B (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107357712B (en) * | 2017-07-17 | 2020-09-25 | 顺丰科技有限公司 | Order checking abnormity detection method, system and equipment |
CN109391590A (en) * | 2017-08-07 | 2019-02-26 | 中国科学院信息工程研究所 | A kind of regular description method and construction method, medium of network-oriented access control |
CN107370752B (en) * | 2017-08-21 | 2020-09-25 | 北京工业大学 | Efficient remote control Trojan detection method |
CN107454109B (en) * | 2017-09-22 | 2020-06-23 | 杭州安恒信息技术股份有限公司 | Network privacy stealing behavior detection method based on HTTP traffic analysis |
CN107566420B (en) * | 2017-10-27 | 2020-04-14 | 深信服科技股份有限公司 | Method and equipment for positioning host infected by malicious code |
CN107920077A (en) * | 2017-11-21 | 2018-04-17 | 湖北鑫英泰系统技术股份有限公司 | A kind of rejection service attack determination methods and device for electric power dispatching system |
CN109033889B (en) * | 2018-08-13 | 2020-12-18 | 杭州安恒信息技术股份有限公司 | Intrusion identification method and device based on space-time collision and intelligent terminal |
CN109144820A (en) * | 2018-08-31 | 2019-01-04 | 新华三信息安全技术有限公司 | A kind of detection method and device of abnormal host |
CN109918902B (en) * | 2019-02-28 | 2021-04-13 | 杭州默安科技有限公司 | Method and system for identifying abnormal behavior of host |
CN110535855B (en) * | 2019-08-28 | 2021-07-30 | 北京安御道合科技有限公司 | Network event monitoring and analyzing method and system and information data processing terminal |
CN111224997B (en) * | 2020-01-17 | 2022-11-01 | 杭州迪普科技股份有限公司 | Method and device for inhibiting virus from spreading in local area network |
CN112001443A (en) * | 2020-08-24 | 2020-11-27 | 成都卫士通信息产业股份有限公司 | Network behavior data monitoring method and device, storage medium and electronic equipment |
CN113347203B (en) * | 2021-06-29 | 2023-02-03 | 深信服科技股份有限公司 | Network attack detection method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103248607A (en) * | 2012-02-02 | 2013-08-14 | 哈尔滨安天科技股份有限公司 | IPv4 and IPv6-based detection method and system for denial of service attacks |
CN103886068A (en) * | 2014-03-20 | 2014-06-25 | 北京国双科技有限公司 | Data processing method and device for Internet user behavior analysis |
CN104753946A (en) * | 2015-04-01 | 2015-07-01 | 浪潮电子信息产业股份有限公司 | Security analysis framework based on network traffic meta data |
CN105554016A (en) * | 2015-12-31 | 2016-05-04 | 山石网科通信技术有限公司 | Network attack processing method and device |
CN105915555A (en) * | 2016-06-29 | 2016-08-31 | 北京奇虎科技有限公司 | Method and system for detecting network anomalous behavior |
2016-12-30: CN CN201611262873.5A patent/CN106790193B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN106790193A (en) | 2017-05-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106790193B (en) | The method for detecting abnormality and device of Intrusion Detection based on host network behavior | |
US9124550B1 (en) | Distributed multi-processing security gateway | |
US9762592B2 (en) | Automatic generation of attribute values for rules of a web application layer attack detector | |
US20220060498A1 (en) | System and method for monitoring and securing communications networks and associated devices | |
JP5524737B2 (en) | Method and apparatus for detecting spoofed network information | |
DE10249888B4 (en) | Node of a network operating a burglar alarm system, method of performing burglary prevention on a node of a network, and computer readable medium | |
US20150052606A1 (en) | Method and a system to detect malicious software | |
US20060031928A1 (en) | Detector and computerized method for determining an occurrence of tunneling activity | |
Ganesh Kumar et al. | Improved network traffic by attacking denial of service to protect resource using Z-test based 4-tier geomark traceback (Z4TGT) | |
US20030084326A1 (en) | Method, node and computer readable medium for identifying data in a network exploit | |
CN107241186A (en) | Application signature is generated and distributed | |
US9531673B2 (en) | High availability security device | |
US10567441B2 (en) | Distributed security system | |
Ahmed et al. | A Linux-based IDPS using Snort | |
Singh et al. | Performance analysis of agent based distributed defense mechanisms against DDOS attacks | |
KR100983549B1 (en) | System for defending client distribute denial of service and method therefor | |
DE102016100692A1 (en) | Network protection entity and method for protecting a communication network against fraudulent messages | |
Kuppusamy et al. | An effective prevention of attacks using gI time frequency algorithm under dDoS | |
Kim et al. | Analysis of ICMP policy for edge firewalls using active probing | |
Alexey et al. | Lan abnormalities threat detection: an outlook and applicability analysis | |
Winter | Firewall Best Practices | |
Subrahmanyam et al. | Adaptive Reorientation Method for Performance Enhancement in Network Firewalls | |
Chandradeep | A Scheme for the Design and Implementation of a Distributed IDS | |
Schütte | Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection | |
Asosheh et al. | A new and comprehensive taxonomy of DDoS attacks and defense mechanism |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province; Applicant after: SHANSHI NETWORK COMMUNICATION TECHNOLOGY CO., LTD.; Address before: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province; Applicant before: HILLSTONE NETWORKS |
GR01 | Patent grant | |