CN106790193B - Anomaly detection method and device based on host network behavior - Google Patents


Info

Publication number
CN106790193B
CN106790193B
Authority
CN
China
Prior art keywords
abnormal
data
dimension data
network behavior
host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611262873.5A
Other languages
Chinese (zh)
Other versions
CN106790193A (en)
Inventor
李矩希
於大维
尚进
蒋东毅
董浩
陆骋怀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanshi Network Communication Technology Co Ltd
Original Assignee
Shanshi Network Communication Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanshi Network Communication Technology Co Ltd
Priority to CN201611262873.5A
Publication of CN106790193A
Application granted
Publication of CN106790193B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an anomaly detection method and device based on host network behavior. The method comprises: collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host; performing multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; determining the abnormal dimension data among the dimension data; and, for each host, matching the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, where it has, determining the abnormal network behavior corresponding to the abnormal dimension data. The predefined rules serve to determine, from the abnormal dimension data, whether abnormal network behavior has occurred and, if so, which abnormal network behavior the abnormal dimension data corresponds to. The invention solves the technical problem in the prior art that some anomalies cannot be detected from a single session/connection.

Description

Anomaly detection method and device based on host network behavior
Technical field
The present invention relates to the Internet field, and in particular to an anomaly detection method and device based on host network behavior.
Background technique
An enterprise or campus network usually has a clear boundary. A firewall/UTM normally acts as the boundary protection device: it connects the intranet to the external network (wide area network), protects the hosts and servers in the intranet against unauthorized access and attack from outside, isolates hosts from servers within the intranet as appropriate, and prevents internal hosts from accessing servers without authorization. Fig. 1 is a network topology diagram of the prior art, representing a fairly typical enterprise or university network. In Fig. 1, Internet denotes the external network; LAN1 denotes internal network 1, whose address range is 10.100.31.0/24; LAN2 denotes internal network 2, whose address range is 10.100.32.0/24; DMZ denotes the server network, whose address range is 10.100.1.0/24 and which hosts the services deployed in an enterprise, accessible by internal hosts and possibly also by hosts from the Internet; Firewall denotes the firewall, which connects the internal networks to the external network, prevents unauthorized access from the external network to the internal networks, and restricts access between the internal networks as required.
In the typical network of Fig. 1, the firewall serves as the access point to the Internet and at the same time isolates the different networks (zones) from one another, protecting the internal hosts and servers. To protect internal hosts and servers, prior-art firewalls apply a variety of techniques to different security problems. The first and most common scheme is packet filtering based on the layer-3 and layer-4 headers of IP packets. The OSI network model divides a network into seven layers: physical layer, link layer, network layer, transport layer, session layer, presentation layer and application layer. Today's Internet is an implementation of an IP-based network, i.e. its network layer is IP; common transport-layer protocols include TCP, UDP and ICMP, and TCP and UDP are the protocols used by the overwhelming majority of current network applications. For example, the most common Web, mail and FTP services are all based on TCP, as are a large number of mobile applications; TFTP, DNS and some instant messaging software use UDP. Filtering on IP address and TCP/UDP port therefore solves the access control problem for many services, and this is also the most basic policy function of a firewall. For Fig. 1, to allow LAN1 to access the Web service of the DMZ network (the Web service uses TCP port 80) but forbid LAN1 from accessing the SMTP service of the DMZ (the SMTP service uses TCP port 25), a policy like the following table can be used:
Source address    Destination address    Service            Behavior
10.100.31.0/24    10.100.1.0/24          TCP dst port 80    Allow
10.100.32.0/24    10.100.1.0/24          TCP dst port 25    Forbid
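The following is an added example (not code from the patent) of how the layer-3/4 packet filtering described above evaluates a flow against that policy table: each rule is matched on source network, destination network, transport protocol and destination port. First-match evaluation, the implicit final "Forbid" for anything no rule matches, and the sample flows are this example's assumptions.

```python
"""Layer-3/4 packet-filter policy check using the table above.  Added example,
not the patent's code; first-match evaluation, the implicit final 'Forbid' and
the sample flows are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str       # source network, CIDR
    dst: str       # destination network, CIDR
    proto: str     # transport protocol, "TCP" or "UDP"
    dport: int     # destination port
    action: str    # "Allow" or "Forbid"

    def matches(self, src_ip, dst_ip, proto, dport):
        """Layer-3 (addresses) and layer-4 (protocol, destination port) match."""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and proto.upper() == self.proto
                and dport == self.dport)


# The two rows of the policy table in the description.
POLICY = [
    Rule("10.100.31.0/24", "10.100.1.0/24", "TCP", 80, "Allow"),
    Rule("10.100.32.0/24", "10.100.1.0/24", "TCP", 25, "Forbid"),
]


def evaluate(rules, src_ip, dst_ip, proto, dport, default="Forbid"):
    """Action of the first matching rule; anything unmatched gets the default
    (deny-by-default is an assumption of this example)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return default


# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.100.31.15", "10.100.1.8", "TCP", 80),   # LAN1 -> DMZ web
    ("10.100.32.15", "10.100.1.8", "TCP", 25),   # LAN2 -> DMZ SMTP
    ("10.100.31.15", "10.100.1.8", "TCP", 25),   # LAN1 -> DMZ SMTP: no rule matches
    ("10.100.31.15", "10.100.1.8", "UDP", 80),   # right port, wrong protocol
]


def demo(flows=SAMPLE_FLOWS, rules=POLICY):
    """Verdict for each sample flow, in order."""
    return [evaluate(rules, *flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, demo()):
        print(*flow, "->", verdict)
```

Note that the table's second row names the LAN2 network while the text says LAN1 should be kept away from SMTP; under deny-by-default the LAN1 to DMZ SMTP flow is still forbidden, because no allow rule matches it. Without such a default, only the explicit rows would decide, which is the usual reason firewall policies end in a deny-all rule.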
Besides packet filtering at layers 3 and 4, the second commonly used prior-art scheme protects intranet hosts and servers by deep packet inspection at the application layer, because quite a few security problems exploit services that may legitimately be accessed. Examples are attacks on a Web server through known vulnerabilities in its software, or virus and trojan files being deleted on a server. None of these can be filtered on the layer-3/4 information of the packet, because at that level the attack packets and normal access packets do not differ; the attack signature lies in the TCP or UDP payload. The usual practice against such attacks is to parse the application-layer protocol and match it against attack pattern strings extracted by prior analysis, so as to discover the attack. IPS, anti-virus equipment and UTM all use this technique; a UTM device integrates the IPS and anti-virus functions on top of a firewall, and the technical principle is the same.
Whether layer-3/4 packet filtering or deep content inspection of application-layer data, both are essentially performed within the context of a single session/connection. Layer-3/4 packet filtering filters the layer-3 and layer-4 headers of packets according to defined firewall policies; the main principle of application-layer deep packet inspection is to parse the application-layer protocol, extract the required data according to that protocol, and match it against a predefined signature database to detect anomalies. Together they solve a considerable part of the problem and are the most common and basic schemes in the industry. However, there are also attacks in which no anomaly can be seen in a single session or a single operation, or even in several operations, but which, when placed in a longer-term context and the host's network data over a long period is analysed and learned from, turn out not to match the host's historical behaviour. The network behaviour referred to here is in many cases not extracted from a single session alone, but is the result of periodically extracting certain data from the host's network data and pre-processing it.
No effective solution has yet been proposed for the above prior-art problem that some anomalies cannot be detected from a single session/connection.
Summary of the invention
Embodiments of the invention provide an anomaly detection method and device based on host network behavior, so as at least to solve the prior-art technical problem that some anomalies cannot be detected from a single session/connection.
According to one aspect of the embodiments of the invention, an anomaly detection method based on host network behavior is provided, comprising: collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host; performing multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; determining the abnormal dimension data among the dimension data; and, for each host, matching the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, if so, determining the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, if so, the abnormal network behavior corresponding to the abnormal dimension data.
According to another aspect of the embodiments of the invention, an anomaly detection device based on host network behavior is also provided, comprising: a collection module for collecting, according to historical abnormal network behavior, the network behavior data of each host among at least one host; an analysis module for performing multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; a determining module for determining the abnormal dimension data among the dimension data; and a matching module for matching, for each host, the abnormal dimension data against predefined rules to determine whether abnormal network behavior has occurred and, if so, determining the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, if so, the abnormal network behavior corresponding to the abnormal dimension data.
In the embodiments of the invention, each host in the intranet is observed, learned and analysed, so that the suspicious network behaviour found over a period of time, i.e. the historical network behaviour, is obtained. Then, according to the historical abnormal network behaviour, the network behaviour data of each host among at least one host is collected; multi-dimensional analysis is performed on the network behaviour data to obtain, for each host, dimension data in each of at least one dimension; the abnormal dimension data among the dimension data is determined; and, for each host, the abnormal dimension data is matched against predefined rules to determine whether abnormal network behaviour has occurred and, if so, which abnormal network behaviour the abnormal dimension data corresponds to, the predefined rules being used for exactly this determination. This achieves anomaly detection based on host network behaviour, realises the technical effect that abnormal network behaviour which cannot be found from a single session/connection is discovered from the host's network behaviour, and thereby solves the prior-art technical problem that some anomalies cannot be detected from a single session/connection.
Description of the drawings
The drawings described herein are provided for a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a network topology diagram according to the prior art;
Fig. 2 is a flowchart of an anomaly detection method based on host network behavior according to Embodiment 1 of the invention;
Fig. 3 is a flowchart of an optional anomaly detection method based on host network behavior according to Embodiment 1 of the invention;
Fig. 4 is a structural diagram of an anomaly detection device based on host network behavior according to Embodiment 2 of the invention;
Fig. 5 is a structural diagram of an optional anomaly detection device based on host network behavior according to Embodiment 2 of the invention;
Fig. 6 is a structural diagram of an optional anomaly detection device based on host network behavior according to Embodiment 2 of the invention; and
Fig. 7 is a structural diagram of an optional anomaly detection device based on host network behavior according to Embodiment 2 of the invention.
Specific embodiment
In order to enable those skilled in the art to better understand the solution of the invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second", etc. in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described herein can be implemented in an order other than that illustrated or described here. In addition, the terms "comprise" and "have" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
Embodiment 1
According to an embodiment of the invention, a method embodiment of an anomaly detection method based on host network behavior is provided. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
Fig. 2 shows the anomaly detection method based on host network behavior according to an embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step S102: collect, according to historical abnormal network behavior, the network behavior data of each host among at least one host.
Specifically, the common network behaviour of existing attack samples, that is, abnormal network behaviour, can be extracted, and these abnormal network behaviours are then decomposed; optionally, they are decomposed into units that can be collected on a session/connection basis, and the data collection items are then determined from these units, i.e. the host network behaviour data that needs to be collected (the metadata). In summary, the metadata is summarised from the network activity of existing network attacks, that is, from historical abnormal network activity, so the network behaviour data collected in the invention is very likely to be data generated by abnormal network behaviour.
Step S104: perform multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension.
Specifically, multi-dimensional analysis of the network behaviour data is a process of pre-processing the network behaviour data; by pre-processing the metadata, the dimension data is obtained.
Step S106: determine the abnormal dimension data among the dimension data.
Specifically, the abnormal dimension data is the anomaly generated on the basis of the above dimension data.
Step S108: for each host, match the abnormal dimension data against predefined rules, determine whether abnormal network behavior has occurred and, if so, determine the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, if so, the abnormal network behavior corresponding to the abnormal dimension data.
Specifically, an anomaly in the dimension data (abnormal dimension data) does not necessarily mean that abnormal network behaviour, such as an attack, has occurred. The abnormal dimension data therefore has to be matched against the predefined rules, and from the result of the matching it is judged whether abnormal network behaviour has occurred and which abnormal network behaviour specifically. Optionally, since a single abnormal dimension datum does not necessarily indicate abnormal network behaviour, whereas the presence of several abnormal dimension data may indicate that some abnormal network behaviour has occurred, the abnormal dimension data matched against the predefined rules may be a single abnormal dimension datum or several abnormal dimension data matched in association.
In the embodiments of the invention, each host in the intranet is observed, learned and analysed, so that the suspicious network behaviour found over a period of time, i.e. the historical network behaviour, is obtained. Then, according to the historical abnormal network behaviour, the network behaviour data of each host among at least one host is collected; multi-dimensional analysis is performed on the network behaviour data to obtain, for each host, dimension data in each of at least one dimension; the abnormal dimension data among the dimension data is determined; and, for each host, the abnormal dimension data is matched against predefined rules to determine whether abnormal network behaviour has occurred and, if so, which abnormal network behaviour the abnormal dimension data corresponds to, the predefined rules being used for exactly this determination. This achieves anomaly detection based on host network behaviour, realises the technical effect that abnormal network behaviour which cannot be found from a single session/connection is discovered from the host's network behaviour, and thereby solves the prior-art technical problem that some anomalies cannot be detected from a single session/connection.
It should be noted here that the anomaly detection method based on host network behavior of the embodiments breaks away from the approach that takes the session/connection as its core and instead takes the host as the core: the host's network behaviour over a historical period is sampled, pre-processed and stored, and analysed afterwards to determine whether abnormal network behaviour exists. The invention can be used in combination with the firewall's layer-3/4 packet filtering technique and application-layer deep content inspection technique described in the background, as an effective supplement to them, thereby enhancing the firewall's anomaly detection capability.
In an optional embodiment, the network behavior data comprises at least one of: traffic data, connection data, TCP data, HTTP data and DNS data.
Specifically, the network behaviour data is counted per host. Traffic data comprises at least one of: uplink traffic byte count, downlink traffic byte count, uplink packet count and downlink packet count. Connection data comprises at least one of: the number of connections initiated by the host, the number of connections initiated from outside to the host, the number of connections to well-known ports initiated by the host, and the number of connections to well-known ports of the host initiated from outside. TCP data comprises at least one of: the numbers of TCP SYN, PUSH and RST packets. HTTP data comprises at least one of: URL length, Cookie length, HTTP request length, the number of request header fields, the numbers of the various HTTP request methods, the number of HTTP requests without a response, the numbers of the various HTTP response codes, HTTP response length, and HTTP response content type. DNS data comprises at least the domain name requested by DNS.
In an optional embodiment, the dimension data comprises at least one of: traffic dimension data, session dimension data, HTTP dimension data and DNS dimension data. The traffic dimension data comprises at least one of: the host's average per-second uplink byte count, packet count, downlink byte count and packet count, and the well-known ports' average per-second uplink byte count, packet count, downlink byte count and packet count. The session dimension data comprises at least one of: the average number of sessions per second initiated to the host and the number of those whose destination port is a well-known port; the average number of sessions per second initiated by the host and the number of those whose destination port is a well-known port; the average number of failed connection attempts per second for the host; the average number of failed connection attempts per second to well-known ports; the number of HTTP sessions initiated by the host per second and the number that failed; the number of HTTP sessions initiated to the host per second and the number that failed; the number of live sessions of the host; and the number of live HTTP sessions of the host. The HTTP dimension data comprises at least one of: the distribution of URL request length, the number of distinct URL request paths, the distribution of Cookie length, the distribution of the number of Cookie fields, the distribution of request methods, the distribution of response content types, the distribution of response content length, the distribution of the number of request header fields, the distribution of response codes, the distribution of response content request methods, the count and ratio of the various request methods, the ratios of the various response codes, and the file types downloaded via HTTP. It should be noted here that distribution-type data is usually counted into several ranges; for URL length, for example, the five ranges 0-32, 33-64, 64-96, 96-128 and >128 can be counted. The DNS dimension data comprises at least the domain name of the DNS request.
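As an added example of the pre-processing in step S104 (not code from the patent), the block below turns constructed per-host HTTP, TCP and traffic metadata into some of the dimension data listed above: URL length and Cookie length distributions over the five ranges, the number of distinct URL paths, request method counts and ratios, response code counts and the 200 OK ratio, the count of unanswered requests, response content types, whether an executable file was downloaded, the SYN/PUSH/RST packet shares, and per-second traffic averages. The record layout, field names and the executable content-type list are assumptions. The ranges quoted above share their end points (64 and 96); the code treats each upper bound as inclusive, which is also an assumption.

```python
"""Step S104 pre-processing of constructed per-host metadata into dimension
data.  Added example, not the patent's code; the record layout, field names
and the executable content-type list are assumptions."""
from collections import Counter
from urllib.parse import urlsplit

# URL-length ranges named in the description: 0-32, 33-64, 64-96, 96-128, >128.
# The listed ranges share their end points; this example treats each upper
# bound as inclusive (assumption), so a length of 64 is counted in "33-64".
URL_LEN_BOUNDS = [(32, "0-32"), (64, "33-64"), (96, "64-96"), (128, "96-128")]

# Content types treated as executable downloads (assumed list).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable",
                    "application/x-dosexec"}


def url_len_bucket(length):
    """Map a URL (or Cookie) length to the range label it is counted in."""
    for bound, label in URL_LEN_BOUNDS:
        if length <= bound:
            return label
    return ">128"


def http_dimensions(requests):
    """HTTP dimension data for one host from its HTTP request records.
    Each record: url, method, status (None when no response was seen),
    content_type (None when no response), header_fields, cookie_len."""
    total = len(requests)
    statuses = Counter(r["status"] for r in requests if r["status"] is not None)
    methods = Counter(r["method"] for r in requests)
    answered = sum(statuses.values())
    return {
        "url_len_dist": Counter(url_len_bucket(len(r["url"])) for r in requests),
        "distinct_paths": len({urlsplit(r["url"]).path for r in requests}),
        "cookie_len_dist": Counter(url_len_bucket(r["cookie_len"]) for r in requests),
        "header_field_dist": Counter(r["header_fields"] for r in requests),
        "method_count": methods,
        "method_ratio": {m: c / total for m, c in methods.items()} if total else {},
        "status_count": statuses,
        "status_ratio": {s: c / answered for s, c in statuses.items()} if answered else {},
        "unanswered": total - answered,
        "ratio_200": statuses[200] / answered if answered else 0.0,
        "content_types": Counter(r["content_type"] for r in requests if r["content_type"]),
        "downloaded_executable": any(r["content_type"] in EXECUTABLE_TYPES for r in requests),
    }


def tcp_dimensions(syn, push, rst, total_packets):
    """SYN/PUSH/RST shares of all TCP packets.  The description expects the
    SYN share of a normal connection mix to stay below 1/7."""
    if total_packets == 0:
        return {"syn_ratio": 0.0, "push_ratio": 0.0, "rst_ratio": 0.0}
    return {"syn_ratio": syn / total_packets, "push_ratio": push / total_packets,
            "rst_ratio": rst / total_packets}


def traffic_dimensions(up_bytes, down_bytes, up_pkts, down_pkts, window_seconds):
    """Per-second averages of the host's traffic counters over the window."""
    w = float(window_seconds)
    return {"up_bytes_per_s": up_bytes / w, "down_bytes_per_s": down_bytes / w,
            "up_pkts_per_s": up_pkts / w, "down_pkts_per_s": down_pkts / w,
            "up_down_ratio": up_bytes / down_bytes if down_bytes else float("inf")}


# Constructed sample: four HTTP requests seen from one host.
SAMPLE_REQUESTS = [
    {"url": "http://10.100.1.8/index.html", "method": "GET", "status": 200,
     "content_type": "text/html", "header_fields": 8, "cookie_len": 0},
    {"url": "http://10.100.1.8/login?user=alice&session=abcdef0123456789",
     "method": "POST", "status": 401, "content_type": "text/html",
     "header_fields": 10, "cookie_len": 40},
    {"url": "http://10.100.1.8/downloads/tool.exe", "method": "GET", "status": 200,
     "content_type": "application/x-msdownload", "header_fields": 8, "cookie_len": 40},
    {"url": "http://10.100.1.8/api/v1/items?page=1", "method": "GET", "status": None,
     "content_type": None, "header_fields": 9, "cookie_len": 40},
]

if __name__ == "__main__":
    for name, value in http_dimensions(SAMPLE_REQUESTS).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
    print(tcp_dimensions(syn=30, push=120, rst=5, total_packets=400))
    print(traffic_dimensions(1_200_000, 9_600_000, 2_000, 7_500, window_seconds=60))
```

Ratios are computed over answered requests only, so unanswered requests appear in their own counter rather than depressing the 200 OK ratio; the description lists the unanswered count as a separate item, which is why the two are kept apart here.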
In an optional embodiment, determining the abnormal dimension data among the dimension data in step S106 comprises: step S202, determining that dimension data of each host which exceeds a preset dimension data threshold is abnormal dimension data; or step S204, determining that dimension data of each host which exceeds the preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a preset deviation is abnormal dimension data.
Specifically, two approaches can be used to determine abnormal dimension data. In the first, dimension data is judged to be abnormal dimension data as soon as it exceeds the preset dimension data threshold; this approach may be called the direct trigger mode, since the judgement is made directly from the dimension data.
It should be noted here that, since each host may have several dimension data, each dimension datum has a corresponding dimension data threshold, and the threshold can be learned and adjusted dynamically: it can be set manually according to the actual situation, or calculated after the host has been learned for a certain time. Across all hosts, the same dimension data may exist on different hosts, but because the behaviour of different hosts is not identical, even the same dimension data on different hosts is likely to have different dimension data thresholds.
Optionally, in the first approach: for DNS request data, if a DNS request is for a malicious domain name or for a domain name automatically generated by software, or a large number of DNS requests is sent in a short time, the DNS request data can be determined to be abnormal; malicious domain names can be detected directly by a blacklist, and software-generated domain names by mature Domain Generation Algorithm (DGA) detection software. For SYN packet ratio data, if the ratio of SYN packets is too high, the SYN packet ratio data can be determined to be abnormal, because a normal TCP connection consists of at least 7 packets, so the SYN ratio should be below 1/7 and is normally far below this value. For HTTP response code 200 ratio data, if the ratio of HTTP 200 OK responses is too low, the HTTP response code 200 ratio data can be determined to be abnormal, because normal requests are generally answered with 200 OK; when this ratio is too low it is more likely that software is attempting to obtain or bypass authentication. For HTTP downloaded file type data, if an executable file is downloaded, the HTTP downloaded file type data can be determined to be abnormal.
Specifically, the second approach can also be used to determine abnormal dimension data. It requires not only that the dimension data exceed the preset dimension data threshold, but also a comparison of the same dimension data across all hosts: only when the dimension data of one host is abnormal compared with the dimension data of the other hosts is that dimension data judged to have become abnormal, i.e. judged to be abnormal dimension data. This approach may be called the lateral comparison mode, since it requires comparison with all monitored hosts.
Optionally, the degree to which one host's dimension data is abnormal relative to the other hosts can be quantified by computing a deviation: first the average of the same dimension data over all hosts is calculated, then the deviation of each host's dimension data from that average; if the deviation exceeds the preset deviation, that host's dimension data is judged to be abnormal.
Optionally, for the number of new sessions of a host, if the number of new sessions exceeds the corresponding threshold and is significantly greater than that of the other hosts, the number of new sessions of that host is determined to be abnormal; for new well-known port sessions of a host, if the number of new sessions whose destination port is a well-known port exceeds the threshold and is significantly greater than that of the other hosts, the new well-known port sessions of that host are determined to be abnormal; for new HTTP sessions of a host, if the number of new HTTP sessions exceeds the threshold and is significantly greater than that of the other hosts, the new HTTP sessions of that host are determined to be abnormal; for the number of surviving well-known port sessions of a host, if the number of well-known port connections exceeds the threshold and is significantly greater than that of the other hosts, the number of surviving well-known port sessions of that host is determined to be abnormal; for the number of surviving HTTP sessions of a host, if the number of HTTP connections exceeds the threshold and is significantly greater than that of the other hosts, the number of surviving HTTP sessions of that host is determined to be abnormal; for the number of connections of a host, if the total number of connections exceeds the threshold and is significantly greater than that of the other hosts, the number of connections of that host is determined to be abnormal; for the uplink traffic of a host, if the uplink traffic exceeds the threshold and is significantly greater than that of the other hosts, the uplink traffic of that host is determined to be abnormal; for the uplink-to-downlink traffic ratio of a host, if the ratio is significantly greater than that of the other hosts, the uplink-to-downlink traffic ratio of that host is determined to be abnormal; for the HTTP access paths of a host, if the number of distinct URL paths requested from a fixed destination address exceeds the threshold and is significantly greater than that of the other hosts, the HTTP access paths of that host are determined to be abnormal.
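The lateral comparison of the second approach (threshold test plus deviation from the all-host average), as an added example that is not the patent's code. The patent does not define the deviation metric; the relative deviation used here, the thresholds, the 200% cut-off and the four sample hosts are all assumptions. The `uplink_bytes` dimension is constructed so that every host exceeds its threshold but none stands out, which is exactly the case the lateral comparison is meant to suppress.

```python
# Added example (not the patent's code): lateral comparison of each dimension across all
# monitored hosts. Thresholds, the deviation metric and the sample values are assumptions.
from statistics import mean

# Constructed dimension data for four intranet hosts in one observation window.
DIMENSIONS = {
    "new_sessions":      {"host1": 120, "host2": 95, "host3": 110, "host4": 2400},
    "new_http_sessions": {"host1": 40,  "host2": 35, "host3": 38,  "host4": 900},
    "uplink_bytes":      {"host1": 5_000_000, "host2": 6_000_000,
                          "host3": 5_500_000, "host4": 7_000_000},
    "updown_ratio":      {"host1": 0.10, "host2": 0.12, "host3": 0.08, "host4": 1.5},
}
# Assumed preset thresholds; 0.0 for the ratio, which the text compares laterally only.
THRESHOLDS = {"new_sessions": 500, "new_http_sessions": 200,
              "uplink_bytes": 4_000_000, "updown_ratio": 0.0}
MAX_DEVIATION = 2.0   # assumed: flag a host more than 200% above the all-host mean


def relative_deviation(value, avg):
    """Deviation from the all-host average, expressed as a fraction of that average."""
    return (value - avg) / avg if avg else 0.0


def lateral_abnormal(values, threshold, max_dev=MAX_DEVIATION):
    """Second approach: abnormal only if above the threshold AND far above the other hosts."""
    avg = mean(values.values())
    return {host: v > threshold and relative_deviation(v, avg) > max_dev
            for host, v in values.items()}


def find_abnormal(dimensions=DIMENSIONS, thresholds=THRESHOLDS, max_dev=MAX_DEVIATION):
    """Return {host: [abnormal dimension names]} over all dimensions."""
    result = {}
    for dim, values in dimensions.items():
        for host, flag in lateral_abnormal(values, thresholds[dim], max_dev).items():
            if flag:
                result.setdefault(host, []).append(dim)
    return result


if __name__ == "__main__":
    print(find_abnormal())
```

Two caveats for anyone implementing this: the outlier is itself part of the average it is compared against, so with a handful of hosts a single extreme value shrinks its own measured deviation (a median or trimmed mean is more robust); and the same property that suppresses an organisation-wide spike (every host pulling a software update) also masks an anomaly that all hosts share, such as a worm that has already reached every host.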
In an alternative embodiment, after the abnormal dimension data in the dimension data is determined in step S106, the method further includes step S302: grouping the abnormal dimension data by period. Matching the abnormal dimension data with the predefined rules in step S108 can then specifically be: matching the abnormal dimension data within the same period with the predefined rules.
Specifically, as above, for one host a single item of abnormal dimension data does not necessarily represent the occurrence of abnormal network behavior, whereas several items of abnormal dimension data occurring together may indicate some abnormal network behavior. The abnormal dimension data matched against the predefined rules can therefore be a single item of abnormal dimension data, or several items of abnormal dimension data matched in association; preferably the abnormal dimension data of the same period is matched together, so the abnormal dimension data is first grouped by period, where the period used for grouping can be configured as desired.
Optionally, when the number of uplink requests to well-known ports exceeds a threshold and the number of failed uplink well-known port requests exceeds a threshold, it can be judged that a scan is being launched against the outside; when the number of new inbound HTTP connections per second exceeds a threshold and the number of surviving connections exceeds a threshold, a connection exhaustion attack can be judged; when the number of new HTTP requests exceeds a threshold and the number of distinct HTTP request paths exceeds a threshold, crawler behavior can be judged; when the number of new HTTP requests exceeds a threshold and a large proportion of 3XX response codes is returned, an attempt to bypass authentication, or a crawler, can be judged; when an executable file is downloaded and a large number of DNS requests for malicious or machine-generated domain names is generated, it can be judged that the host has been infected with a Trojan or backdoor.
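The period grouping of step S302 followed by the rule matching of step S108, covering both the grouping passage and the five rules just listed, as an added example that is not the patent's code. The period length, the dimension names, the rule table and the abnormal records are all constructed assumptions; each rule is expressed as the set of dimensions that must all be abnormal for one host within one period.

```python
# Added example (not the patent's code): grouping abnormal dimension data by period and
# matching each (host, period) group against predefined rules. The period length, the
# dimension names, the rule table and the sample records are all assumptions.
from collections import defaultdict

PERIOD_SECONDS = 300   # assumed grouping period (the text says it is configurable)

# Each rule names the dimensions that must all be abnormal for one host in one period.
RULES = {
    "outbound scan":                  {"uplink_wellknown_requests", "uplink_wellknown_failures"},
    "connection exhaustion attack":   {"inbound_http_new_per_sec", "http_surviving_sessions"},
    "crawler":                        {"http_new_requests", "http_path_count"},
    "auth bypass attempt or crawler": {"http_new_requests", "http_3xx_ratio"},
    "trojan or backdoor":             {"http_download_executable", "dns_malicious_or_dga"},
}

# Constructed abnormal dimension records: (unix_time, host, dimension, value).
ABNORMAL = [
    (1000, "host4", "uplink_wellknown_requests", 5000),
    (1100, "host4", "uplink_wellknown_failures", 4800),
    (1200, "host7", "dns_malicious_or_dga", 37),
    (1700, "host7", "http_download_executable", 1),   # next period: does not pair with the DNS record
    (2000, "host2", "http_new_requests", 9000),
    (2050, "host2", "http_path_count", 1500),
    (2090, "host2", "http_3xx_ratio", 0.8),
]


def group_by_period(records, period=PERIOD_SECONDS):
    """Step S302: bucket each host's abnormal dimensions into fixed-length periods."""
    groups = defaultdict(set)
    for ts, host, dim, _value in records:
        groups[(host, ts // period)].add(dim)
    return groups


def match_rules(records, rules=RULES, period=PERIOD_SECONDS):
    """Step S108 on grouped data: return (host, period_start, behaviour) for every rule
    whose required dimensions are all present in one host's period."""
    findings = []
    for (host, bucket), dims in sorted(group_by_period(records, period).items()):
        for behaviour, required in rules.items():
            if required <= dims:
                findings.append((host, bucket * period, behaviour))
    return findings


if __name__ == "__main__":
    for finding in match_rules(ABNORMAL):
        print(finding)
```

With the 300-second period, host4's scan and host2's crawler/authentication-bypass pattern are reported, but host7's executable download and its DGA-style DNS burst fall into adjacent periods and never meet; widening the period (or using a sliding window) makes the "trojan or backdoor" rule fire for host7. This boundary effect is one reason the text complements fixed-period rule matching with the longer-horizon script analysis described later.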
In an alternative embodiment, after the abnormal dimension data in the dimension data is determined in step S106, the method includes step S402: using a script to analyze the abnormal network behavior corresponding to the abnormal dimension data of all hosts.
Specifically, for network behavior that spans a long period and involves a large amount of network data, such as certain attacks, it is difficult to associate the dimension data by means of predefined rules. To solve this problem, a script can be used to analyze the abnormal dimensions periodically: it can search for regularities in a large amount of abnormal dimension data accumulated over a long time and match the corresponding abnormal network behavior according to those regularities. A script can analyze a large amount of historical data spanning a long time, and can even correlate it with other hosts, so it can analyze the historical abnormal dimensions in a more complex and flexible way and compensate for the inflexibility of predefined rules.
In an alternative embodiment, as shown in Fig. 3, the flow-based packet filtering module in the forwarding path can determine the metadata to be collected, where metadata means the network behavior data. By collecting the metadata of multiple hosts (shown in Fig. 3 as host 1, host 2, host 3, and so on), the metadata can be preprocessed to obtain the dimension data; specifically, the metadata is fed into the processing function of each dimension of the host, yielding multiple items of dimension data for each host (shown in Fig. 3 as dimension 1, dimension 2, dimension 3, and so on). After the dimension data is obtained, the abnormal dimension data in it can be determined and stored in a database; a comprehensive analysis of the abnormal dimension data in the database yields the corresponding abnormal network behavior, that is, events that may pose a threat, and once abnormal network behavior has been determined an abnormal network behavior alarm can be raised.
In an optional embodiment, the invention is applicable to gateway products such as a firewall, UTM or next-generation firewall, as a supplement that enhances their ability to detect anomalies on intranet hosts. The invention can help enterprises and campuses discover abnormal phenomena on intranet hosts and ultimately locate hosts that may have been implanted with a Trojan or infected by a virus; it also helps discover intranet hosts that actively launch attacks against the enterprise or campus and against external servers, reducing the security risk of the enterprise or campus.
Embodiment 2
According to an embodiment of the present invention, a product embodiment of an anomaly detection device based on host network behavior is provided. Fig. 4 shows the anomaly detection device based on host network behavior according to an embodiment of the present invention; as shown in Fig. 4, the device includes an acquisition module 101, an analysis module 103, a determining module 105 and a matching module 107.
The acquisition module 101 is configured to acquire, according to historical abnormal network behavior, the network behavior data of each host among at least one host; the analysis module 103 is configured to perform multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; the determining module 105 is configured to determine the abnormal dimension data in the dimension data; the matching module 107 is configured, for each host, to match the abnormal dimension data with predefined rules, determine whether abnormal network behavior has occurred and, when abnormal network behavior is determined to have occurred, determine the abnormal network behavior corresponding to the abnormal dimension data, where the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, when it has, to determine the abnormal network behavior corresponding to the abnormal dimension data.
In the embodiment of the present invention, each host in the intranet is observed, learned and analyzed to obtain the suspicious network behavior found over a period of time, that is, the historical network behavior. The acquisition module 101 acquires, according to historical abnormal network behavior, the network behavior data of each host among at least one host; the analysis module 103 performs multi-dimensional analysis on the network behavior data to obtain, for each host, dimension data in each of at least one dimension; the determining module 105 determines the abnormal dimension data in the dimension data; and the matching module 107, for each host, matches the abnormal dimension data with the predefined rules, determines whether abnormal network behavior has occurred and, when it has, determines the abnormal network behavior corresponding to the abnormal dimension data, where the predefined rules are used to determine from the abnormal dimension data whether abnormal network behavior has occurred and, when it has, to determine the corresponding abnormal network behavior. This achieves the purpose of anomaly detection based on host network behavior, with the technical effect of discovering abnormal network behavior that cannot be found from an individual session or connection, thereby solving the problem in the prior art that some anomalies cannot be detected from a single session or connection.
It should be noted that the anomaly detection device based on host network behavior in the embodiment of the present invention breaks away from the session- or connection-centric approach and instead takes the host as the core: the network behavior of a host over its history is sampled, preprocessed, stored and then analyzed to determine whether abnormal network behavior exists. The invention can be used in combination with the layer 3 and layer 4 packet filtering technology and the application-layer deep content inspection technology of a firewall described in the background, as an effective supplement to both, enhancing the anomaly detection capability of the firewall.
It should be noted that the acquisition module 101, analysis module 103, determining module 105 and matching module 107 correspond to steps S102 to S108 in Embodiment 1; the examples and application scenarios realized by these modules are the same as those of the corresponding steps, but are not limited to what is disclosed in Embodiment 1. It should also be noted that these modules, as part of the device, can be executed in a computer system such as a set of computer-executable instructions.
In an alternative embodiment, as shown in Fig. 5, the determining module 105 includes a first determining module 201 and/or a second determining module 203. The first determining module 201 is configured to determine that dimension data of each host which exceeds the preset dimension data threshold is abnormal dimension data; the second determining module 203 is configured to determine that dimension data of each host which exceeds the preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a predetermined deviation is abnormal dimension data.
It should be noted that the first determining module 201 and the second determining module 203 correspond to steps S202 to S204 in Embodiment 1; the examples and application scenarios realized by these modules are the same as those of the corresponding steps, but are not limited to what is disclosed in Embodiment 1. It should also be noted that these modules, as part of the device, can be executed in a computer system such as a set of computer-executable instructions.
In an alternative embodiment, as shown in Fig. 6, the device further includes a grouping module 301 configured to group the abnormal dimension data by period after the determining module 105 has determined the abnormal dimension data in the dimension data; accordingly, a specific implementation of the matching module 107 can be to match the abnormal dimension data within the same period with the predefined rules.
It should be noted that the grouping module 301 corresponds to step S302 in Embodiment 1; the examples and application scenarios realized by this module are the same as those of the corresponding step, but are not limited to what is disclosed in Embodiment 1. It should also be noted that this module, as part of the device, can be executed in a computer system such as a set of computer-executable instructions.
In an alternative embodiment, as shown in Fig. 7, the device further includes a script analysis module 401 configured, after the determining module 105 has determined the abnormal dimension data in the dimension data, to use a script to analyze the abnormal network behavior corresponding to the abnormal dimension data of all hosts.
It should be noted that the script analysis module 401 corresponds to step S402 in Embodiment 1; the examples and application scenarios realized by this module are the same as those of the corresponding step, but are not limited to what is disclosed in Embodiment 1. It should also be noted that this module, as part of the device, can be executed in a computer system such as a set of computer-executable instructions.
In an alternative embodiment, the network behavior data includes at least one of the following: traffic data, connection data, TCP data, HTTP data and DNS data.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
In the above embodiments of the present invention, each embodiment emphasizes different aspects; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content can be realized in other ways. The device embodiments described above are merely illustrative; for example, the division into units may be a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or the whole or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, server, network device or the like) to execute all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash disk, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk, optical disk and other media capable of storing program code.
The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (8)

1. An anomaly detection method based on host network behavior, characterized by comprising:
acquiring, according to historical abnormal network behavior, network behavior data of each host among at least one host;
performing multi-dimensional analysis on the network behavior data to obtain dimension data of each host in each of at least one dimension;
determining abnormal dimension data in the dimension data;
grouping the abnormal dimension data by period;
for each host, matching the abnormal dimension data with predefined rules to determine whether abnormal network behavior has occurred, and, in the case that the abnormal network behavior is determined to have occurred, determining the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine, according to the abnormal dimension data, whether the abnormal network behavior has occurred and, in the case that the abnormal network behavior is determined to have occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data;
wherein matching the abnormal dimension data with the predefined rules comprises: matching the abnormal dimension data within the same period with the predefined rules.
2. The method according to claim 1, characterized in that determining the abnormal dimension data in the dimension data comprises:
determining that dimension data of each host which exceeds a preset dimension data threshold is the abnormal dimension data; or determining that dimension data of each host which exceeds the preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a predetermined deviation is the abnormal dimension data.
3. The method according to claim 1, characterized in that, after determining the abnormal dimension data in the dimension data, the method comprises:
using a script to analyze the abnormal network behavior corresponding to the abnormal dimension data of all hosts.
4. The method according to any one of claims 1 to 3, characterized in that the network behavior data comprises at least one of the following: traffic data, connection data, TCP data, HTTP data and DNS data.
5. An anomaly detection device based on host network behavior, characterized by comprising:
an acquisition module, configured to acquire, according to historical abnormal network behavior, network behavior data of each host among at least one host;
an analysis module, configured to perform multi-dimensional analysis on the network behavior data to obtain dimension data of each host in each of at least one dimension;
a determining module, configured to determine abnormal dimension data in the dimension data;
a matching module, configured, for each host, to match the abnormal dimension data with predefined rules to determine whether abnormal network behavior has occurred, and, in the case that the abnormal network behavior is determined to have occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data, wherein the predefined rules are used to determine, according to the abnormal dimension data, whether the abnormal network behavior has occurred and, in the case that the abnormal network behavior is determined to have occurred, to determine the abnormal network behavior corresponding to the abnormal dimension data;
wherein the device further comprises a grouping module, configured to group the abnormal dimension data by period after the determining module has determined the abnormal dimension data in the dimension data;
and the matching module comprises: matching the abnormal dimension data within the same period with the predefined rules.
6. The device according to claim 5, characterized in that the determining module comprises:
a first determining module, configured to determine that dimension data of each host which exceeds a preset dimension data threshold is the abnormal dimension data; and/or
a second determining module, configured to determine that dimension data of each host which exceeds the preset dimension data threshold and whose deviation from the average dimension data of all hosts exceeds a predetermined deviation is the abnormal dimension data.
7. The device according to claim 5, characterized in that the device further comprises a script analysis module, configured to use a script to analyze the abnormal network behavior corresponding to the abnormal dimension data of all hosts after the determining module has determined the abnormal dimension data in the dimension data.
8. The device according to any one of claims 5 to 7, characterized in that the network behavior data comprises at least one of the following: traffic data, connection data, TCP data, HTTP data and DNS data.
CN201611262873.5A 2016-12-30 2016-12-30 The method for detecting abnormality and device of Intrusion Detection based on host network behavior Active CN106790193B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611262873.5A CN106790193B (en) 2016-12-30 2016-12-30 The method for detecting abnormality and device of Intrusion Detection based on host network behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611262873.5A CN106790193B (en) 2016-12-30 2016-12-30 The method for detecting abnormality and device of Intrusion Detection based on host network behavior

Publications (2)

Publication Number Publication Date
CN106790193A CN106790193A (en) 2017-05-31
CN106790193B true CN106790193B (en) 2019-11-08

Family

ID=58954105

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611262873.5A Active CN106790193B (en) 2016-12-30 2016-12-30 The method for detecting abnormality and device of Intrusion Detection based on host network behavior

Country Status (1)

Country Link
CN (1) CN106790193B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107357712B (en) * 2017-07-17 2020-09-25 顺丰科技有限公司 Order checking abnormity detection method, system and equipment
CN109391590A (en) * 2017-08-07 2019-02-26 中国科学院信息工程研究所 A kind of regular description method and construction method, medium of network-oriented access control
CN107370752B (en) * 2017-08-21 2020-09-25 北京工业大学 Efficient remote control Trojan detection method
CN107454109B (en) * 2017-09-22 2020-06-23 杭州安恒信息技术股份有限公司 Network privacy stealing behavior detection method based on HTTP traffic analysis
CN107566420B (en) * 2017-10-27 2020-04-14 深信服科技股份有限公司 Method and equipment for positioning host infected by malicious code
CN107920077A (en) * 2017-11-21 2018-04-17 湖北鑫英泰系统技术股份有限公司 A kind of rejection service attack determination methods and device for electric power dispatching system
CN109033889B (en) * 2018-08-13 2020-12-18 杭州安恒信息技术股份有限公司 Intrusion identification method and device based on space-time collision and intelligent terminal
CN109144820A (en) * 2018-08-31 2019-01-04 新华三信息安全技术有限公司 A kind of detection method and device of abnormal host
CN109918902B (en) * 2019-02-28 2021-04-13 杭州默安科技有限公司 Method and system for identifying abnormal behavior of host
CN110535855B (en) * 2019-08-28 2021-07-30 北京安御道合科技有限公司 Network event monitoring and analyzing method and system and information data processing terminal
CN111224997B (en) * 2020-01-17 2022-11-01 杭州迪普科技股份有限公司 Method and device for inhibiting virus from spreading in local area network
CN112001443A (en) * 2020-08-24 2020-11-27 成都卫士通信息产业股份有限公司 Network behavior data monitoring method and device, storage medium and electronic equipment
CN113347203B (en) * 2021-06-29 2023-02-03 深信服科技股份有限公司 Network attack detection method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103248607A (en) * 2012-02-02 2013-08-14 哈尔滨安天科技股份有限公司 IPv4 and IPv6-based detection method and system for denial of service attacks
CN103886068A (en) * 2014-03-20 2014-06-25 北京国双科技有限公司 Data processing method and device for Internet user behavior analysis
CN104753946A (en) * 2015-04-01 2015-07-01 浪潮电子信息产业股份有限公司 Security analysis framework based on network traffic meta data
CN105554016A (en) * 2015-12-31 2016-05-04 山石网科通信技术有限公司 Network attack processing method and device
CN105915555A (en) * 2016-06-29 2016-08-31 北京奇虎科技有限公司 Method and system for detecting network anomalous behavior

Also Published As

Publication number Publication date
CN106790193A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN106790193B (en) The method for detecting abnormality and device of Intrusion Detection based on host network behavior
US9124550B1 (en) Distributed multi-processing security gateway
US9762592B2 (en) Automatic generation of attribute values for rules of a web application layer attack detector
US20220060498A1 (en) System and method for monitoring and securing communications networks and associated devices
JP5524737B2 (en) Method and apparatus for detecting spoofed network information
DE10249888B4 (en) Node of a network operating a burglar alarm system, method of performing burglary prevention on a node of a network, and computer readable medium
US20150052606A1 (en) Method and a system to detect malicious software
US20060031928A1 (en) Detector and computerized method for determining an occurrence of tunneling activity
Ganesh Kumar et al. Improved network traffic by attacking denial of service to protect resource using Z-test based 4-tier geomark traceback (Z4TGT)
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
CN107241186A (en) Application signature is generated and distributed
US9531673B2 (en) High availability security device
US10567441B2 (en) Distributed security system
Ahmed et al. A Linux-based IDPS using Snort
Singh et al. Performance analysis of agent based distributed defense mechanisms against DDOS attacks
KR100983549B1 (en) System for defending client distribute denial of service and method therefor
DE102016100692A1 (en) Network protection entity and method for protecting a communication network against fraudulent messages
Kuppusamy et al. An effective prevention of attacks using gI time frequency algorithm under dDoS
Kim et al. Analysis of ICMP policy for edge firewalls using active probing
Alexey et al. Lan abnormalities threat detection: an outlook and applicability analysis
Winter Firewall Best Practices
Subrahmanyam et al. Adaptive Reorientation Method for Performance Enhancement in Network Firewalls
Chandradeep A Scheme for the Design and Implementation of a Distributed IDS
Schütte Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection
Asosheh et al. A new and comprehensive taxonomy of DDoS attacks and defense mechanism

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province

Applicant after: SHANSHI NETWORK COMMUNICATION TECHNOLOGY CO., LTD.

Address before: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province

Applicant before: HILLSTONE NETWORKS

GR01 Patent grant