CN107277005A - A kind of distributed operation flow detection method - Google Patents


Info

Publication number: CN107277005A
Authority: CN (China)
Prior art keywords: message, detection, stream, business stream, operational chain
Legal status: Pending
Application number: CN201710444007.6A
Other languages: Chinese (zh)
Inventors: 戚建淮, 伍贤云
Current assignee: Shenzhen Y&D Electronics Information Co Ltd
Original assignee: Shenzhen Y&D Electronics Information Co Ltd
Priority date: 2017-06-13
Filing date: 2017-06-13
Publication date: 2017-10-20
Events: application filed by Shenzhen Y&D Electronics Information Co Ltd; priority to CN201710444007.6A; publication of CN107277005A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a business flow detection method comprising the following steps: when a network data stream or message reaches the firewall cloud, extract its feature code or key field; perform matching detection against the whitelist in the data dictionary, and intercept the data if detection fails; if detection passes, analyze the context session information of the data stream or message; if associated context session information has already been produced, add the feature code or key field extracted from the current data stream or message to the associated context information table; then analyze it against the business flow or operation chain defined by the standard; if no matching business flow or operation chain is found, intercept the packet. The invention performs detection based on business flows and operation chains, which significantly improves the security protection of business systems, and uses distributed hierarchical parallel computation to resolve the performance bottleneck of existing application firewalls in deep packet inspection.

Description

A kind of distributed operation flow detection method
Technical field
The present invention relates to a business flow detection method, and in particular to a method that combines application-firewall whitelist detection with distributed computing technology and performs security detection of data streams or messages on the basis of business-flow and operation-chain context, giving efficient, fine-grained identification and control of data.
Background technology
Protocol identification methods based on character-string features extend deep packet inspection into the field of application-layer protocol identification. Because they inspect not only port numbers but also the user payload, they achieve a higher identification rate than port-based methods. However, matching on string features has high computational complexity and large storage consumption, and software implementations on the market generally reach only the 100,000,000 (hundred-megabit) class of processing capacity. Meanwhile business flows change constantly and traffic volume grows rapidly; new threats keep emerging, and attacks keep changing the way network protocols are used and the way data is transmitted. Products currently on the market all perform keyword matching on single messages and data streams, which leaves large security vulnerabilities and hidden risks.
The content of the invention
The problem to be solved by the present invention is to provide a distributed business flow detection method which, beyond matching business features against whitelist content, performs detection with reference to the business or work flow: data messages or data streams entering the firewall cloud are analyzed, and those that do not conform to the business flow are intercepted, achieving real security in application detection. A distributed, node-parallel computing mode resolves the performance bottleneck of single-node computation.
To solve the above technical problems, the technical scheme is as follows:
A business flow detection method comprising the following steps:
1. When a network data stream or message reaches the firewall cloud, extract its feature code or key field;
2. Perform matching detection against the whitelist in the data dictionary; if detection fails, intercept the data; if detection passes, analyze the context session information of the data stream or message;
3. If associated context session information has already been produced, add the feature code or key field extracted from the current data stream or message to the associated context information table;
4. Analyze it against the business flow or operation chain defined by the standard;
5. If no matching business flow or operation chain is found, intercept the packet.
A complete business flow or operation chain consists, for example, of the following steps: login, query table 1, query table 2, update table 1, update table 2, logout.
Cleansing principle: taking the operation chain above as an example, when the first stream or message matches "login", it is detected as legal and this operation chain is matched. The second associated data stream or message is legal only if it is "query table 1"; if "query table 2" or any other data stream appears instead, it is illegal. All messages are thus discriminated strictly according to the work-flow order, and data streams or messages that access the system out of order (unauthorized access) are intercepted.
The firewall cloud uses matrix computation with multi-stage parallel detection, each stage processed in parallel. An operation chain is composed of several instructions; different instructions are assigned to different nodes at different ranks, and the distributed computation detects in a hierarchical manner: stage-1 detection is performed first, the result decides whether the data proceeds to stage-2 detection, and so on through each subsequent stage until detection is complete.
Beneficial effects of the present invention: detection based on business flows and operation chains significantly improves the security protection of business systems, and distributed hierarchical parallel computation resolves the performance bottleneck of existing application firewalls in deep packet inspection.
Brief description of the drawings
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 shows the flow chart of the present invention.
Fig. 2 shows the operation chain schematic diagram of the present invention.
Fig. 3 shows the distributed matrix detection schematic diagram of the present invention.
Embodiment
So that the technical problem solved by the present invention, the technical scheme adopted and the technical effects obtained can be readily understood, the embodiments of the present invention are further described below with reference to the accompanying drawings.
As shown in Fig. 1, a business flow detection method comprises the following steps:
1. When a network data stream or message reaches the firewall cloud, extract its feature code or key field;
2. Perform matching detection against the whitelist in the data dictionary; if detection fails, intercept the data; if detection passes, analyze the context session information of the data stream or message;
3. If associated context session information has already been produced, add the feature code or key field extracted from the current data stream or message to the associated context information table;
4. Analyze it against the business flow or operation chain defined by the standard;
5. If no matching business flow or operation chain is found, intercept the packet.
Fig. 2 shows an example of a business flow or operation chain: a business task is completed by performing several steps in sequence, such as login, query table 1, query table 2, update table 1, update table 2, logout, which together form a complete operation chain.
Cleansing principle: taking the operation chain above as an example, when the first stream or message matches "login", it is detected as legal and this operation chain is matched. The second associated data stream or message is legal only if it is "query table 1"; if "query table 2" or any other data stream appears instead, it is illegal. All messages are thus discriminated strictly according to the work-flow order, and data streams or messages that access the system out of order (unauthorized access) are intercepted.
As shown in Fig. 3, the firewall cloud uses matrix computation with multi-stage parallel detection, each stage processed in parallel. An operation chain is composed of several instructions; different instructions are assigned to different nodes at different ranks, and the distributed computation detects in a hierarchical manner: stage-1 detection is performed first, the result decides whether the data proceeds to stage-2 detection, and so on through each subsequent stage until detection is complete.
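As an added illustration (not the patent's own code, nor the assignee's product), the following Python models the five-step method stated in the content of the invention and repeated in the embodiment above, together with the operation-chain example of Fig. 2, as a per-session state machine whose stages run hierarchically, so that the chain check only ever sees what the whitelist stage passed. The message format `session=<id>;op=<operation>`, the operation names, the whitelist contents and the sample traffic are constructed assumptions made here; the patent specifies none of them.

```python
"""Operation-chain whitelist detector for a stream of business messages.

Constructed example following the five-step method in the patent text:
whitelist match -> per-session context -> comparison with the standard
operation chain -> interception of anything out of order. The message
format, the session/operation names and the stage layout are assumptions
made for illustration; the patent specifies none of them.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The standard operation chain named in the patent text: the only legal order.
OPERATION_CHAIN = ["login", "query_table1", "query_table2",
                   "update_table1", "update_table2", "logout"]

# Data-dictionary whitelist of key fields that may appear at all.
# Constructed here: the patent gives no whitelist contents.
WHITELIST = frozenset(OPERATION_CHAIN)


@dataclass
class SessionContext:
    """Associated context information for one session (patent step 3)."""
    position: int = 0                                     # next expected chain step
    key_fields: list[str] = field(default_factory=list)   # every key field recorded


class BusinessFlowDetector:
    """Hierarchical detector: each stage runs only if the previous one passed."""

    def __init__(self, whitelist, chain):
        self.whitelist = whitelist
        self.chain = chain
        self.sessions: dict[str, SessionContext] = {}   # associated context table
        # Stage order mirrors the patent's "stage 1, then stage 2, ..." description.
        self.stages = [self._stage_whitelist, self._stage_context, self._stage_chain]

    @staticmethod
    def extract_key_field(message: str) -> tuple[str, str]:
        """Step 1: pull the session id and the key field (operation) out of a message.

        Constructed wire format: 'session=<id>;op=<operation>'.
        """
        fields = dict(part.split("=", 1) for part in message.split(";"))
        return fields["session"], fields["op"]

    def _stage_whitelist(self, sid, op):
        # Step 2: match the key field against the data-dictionary whitelist.
        if op not in self.whitelist:
            return "INTERCEPT", f"{op!r} not in whitelist"
        return None   # hand over to the next stage

    def _stage_context(self, sid, op):
        # Step 3: find the associated context (create it for a new session)
        # and record the current key field in the context table.
        ctx = self.sessions.setdefault(sid, SessionContext())
        ctx.key_fields.append(op)
        return None

    def _stage_chain(self, sid, op):
        # Steps 4-5: compare with the standard operation chain; anything that is
        # not the next expected step is intercepted and does not advance the chain.
        ctx = self.sessions[sid]
        expected = self.chain[ctx.position]
        if op != expected:
            return "INTERCEPT", f"expected {expected!r}, got {op!r}"
        ctx.position += 1
        if ctx.position == len(self.chain):
            del self.sessions[sid]   # chain completed: release the session context
            return "PASS", "operation chain complete"
        return "PASS", f"step {ctx.position}/{len(self.chain)}"

    def inspect(self, message: str) -> tuple[str, str]:
        """Run the stages in order, stopping at the first one that decides."""
        sid, op = self.extract_key_field(message)
        for stage in self.stages:
            verdict = stage(sid, op)
            if verdict is not None:
                return verdict
        raise AssertionError("the last stage always returns a verdict")


def run_demo() -> list[str]:
    """Constructed traffic: one well-behaved session interleaved with violations."""
    detector = BusinessFlowDetector(WHITELIST, OPERATION_CHAIN)
    messages = [
        "session=A;op=login",          # legal first step
        "session=A;op=query_table2",   # skips query_table1: out of order, intercepted
        "session=A;op=query_table1",   # the expected step, still accepted
        "session=A;op=drop_table",     # not in the whitelist at all
        "session=B;op=query_table1",   # session B never logged in
    ]
    return [detector.inspect(m)[0] for m in messages]


if __name__ == "__main__":
    print(run_demo())   # ['PASS', 'INTERCEPT', 'PASS', 'INTERCEPT', 'INTERCEPT']
```

One design choice is worth noting: an out-of-order message is intercepted without advancing the session's position, so a later message that is the expected step is still accepted. The patent text says only that the non-conforming message is intercepted; whether a violation should instead terminate the session is left to the deployment.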
Specifically, the construction steps of the business flow detection system are as follows:
Step 1: Prepare the hardware for the input unit, the main control unit and the detection units;
Step 2: Install operating systems on the input unit, the main control unit and the detection units;
Step 3: Install the database system on the main control unit;
Step 4: Deploy the programs: the main control program on the main control unit, the detection program on the detection units, and the distributed computation program on the input unit;
Step 5: Configure the multi-stage matrix distributed computation and build the distributed detection array;
Step 6: Build, import or learn the whitelist rule base and the operation chain base;
Step 7: Construct abnormal data-stream access attacks, and intercept the data streams or messages that do not conform to the whitelist rules and the operation-chain work-flow sequence.
The foregoing is only a preferred embodiment of the present invention, and the scope of protection of the present invention is not limited thereto. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the scope of the claims.

Claims (3)

1. A distributed business flow detection method, characterised in that it comprises the following steps:
1) when a network data stream or message reaches the firewall cloud, extract its feature code or key field;
2) perform matching detection against the whitelist in the data dictionary; if detection fails, intercept; if detection passes, analyze the context session information of the data stream or message;
3) if associated context session information has already been produced, add the feature code or key field extracted from the current data stream or message to the associated context information table;
4) analyze it against the business flow or operation chain defined by the standard;
5) if no matching business flow or operation chain is found, intercept the packet.
2. The distributed business flow detection method according to claim 1, characterised in that the exemplary operation steps of the business flow or operation chain are as follows: login, query table 1, query table 2, update table 1, update table 2, logout.
3. The distributed business flow detection method according to claim 1, characterised in that the firewall cloud uses matrix computation with multi-stage parallel detection, each stage processed in parallel; an operation chain is composed of several instructions, different instructions are assigned to different nodes at different ranks, and the distributed computation detects in a hierarchical manner: stage-1 detection is performed first, the result decides whether the data proceeds to stage-2 detection, and so on through each subsequent stage until detection is complete.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710444007.6A CN107277005A (en) 2017-06-13 2017-06-13 A kind of distributed operation flow detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710444007.6A CN107277005A (en) 2017-06-13 2017-06-13 A kind of distributed operation flow detection method

Publications (1)

Publication Number Publication Date
CN107277005A true CN107277005A (en) 2017-10-20

Family

ID=60067551

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710444007.6A Pending CN107277005A (en) 2017-06-13 2017-06-13 A kind of distributed operation flow detection method

Country Status (1)

Country Link
CN (1) CN107277005A (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102799960A (en) * 2012-06-18 2012-11-28 北京大学 Parallel operation flow anomaly detection method oriented to data model
US20140222522A1 (en) * 2013-02-07 2014-08-07 Ibms, Llc Intelligent management and compliance verification in distributed work flow environments
CN104239144A (en) * 2014-09-22 2014-12-24 珠海许继芝电网自动化有限公司 Multilevel distributed task processing system
CN104392297A (en) * 2014-10-27 2015-03-04 普元信息技术股份有限公司 Method and system for realizing non-business process irregularity detection in large data environment
CN104598300A (en) * 2014-12-24 2015-05-06 北京奇虎科技有限公司 Distributive business process customization method and system
CN105991587A (en) * 2015-02-13 2016-10-05 中国移动通信集团山西有限公司 Intrusion detection method and system
CN105429791A (en) * 2015-11-03 2016-03-23 国网技术学院 Distributed service state detection device and method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108345902A (en) * 2018-01-24 2018-07-31 深圳市永达电子信息股份有限公司 Self study white list model library structure based on transaction characteristics and white list detection method
CN108345902B (en) * 2018-01-24 2021-08-17 深圳市永达电子信息股份有限公司 Self-learning white list model base construction and white list detection method based on transaction characteristics

Similar Documents

Publication Title
CN106778259B (en) Abnormal behavior discovery method and system based on big data machine learning
CN109547409B (en) Method and system for analyzing industrial network transmission protocol
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
US10187401B2 (en) Hierarchical feature extraction for malware classification in network traffic
CN103733590B (en) Compiler for regular expressions
CN109818976A (en) A kind of anomalous traffic detection method and device
CN106133740B (en) Log Analysis System
Barbosa et al. Exploiting traffic periodicity in industrial control networks
CN112468347B (en) Security management method and device for cloud platform, electronic equipment and storage medium
CN106104556B (en) Log Analysis System
CN109660518B (en) Communication data detection method and device of network and machine-readable storage medium
Vidal et al. Alert correlation framework for malware detection by anomaly-based packet payload analysis
Amoli et al. Unsupervised network intrusion detection systems for zero-day fast-spreading attacks and botnets
CN105743880A (en) Data analysis system
CN104135385A (en) Method of application classification in Tor anonymous communication flow
Folorunso et al. Ca-NIDS: A network intrusion detection system using combinatorial algorithm approach
Han et al. Covert timing channel detection method based on time interval and payload length analysis
CN110768946A (en) Industrial control network intrusion detection system and method based on bloom filter
Harbola et al. Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set
Sharma et al. Feature ranking using statistical techniques for computer networks intrusion detection
Yang et al. Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems
CN105429817A (en) Illegal business identification device and illegal business identification method based on DPI and DFI
CN107277005A (en) A kind of distributed operation flow detection method
Ogawa et al. Malware originated http traffic detection utilizing cluster appearance ratio
Nandal et al. Cyber security against ddos malware spoofing attacks using machine learning with genetic algorithm

Legal Events

Date Code Title Description
2017-10-20 PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20171020)