CN107404459A - Method and network device for obtaining the fingerprint feature of a network attack packet - Google Patents

Method and network device for obtaining the fingerprint feature of a network attack packet

Info

Publication number
CN107404459A
Authority
CN
China
Prior art keywords
message
character
network
row
value
Prior art date
Legal status
Granted
Application number
CN201610338317.5A
Other languages
Chinese (zh)
Other versions
CN107404459B (en)
Inventor
潘永波
石凌志
沈海峰
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201610338317.5A
Publication of CN107404459A
Application granted
Publication of CN107404459B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

This application discloses a method and a network device for obtaining the fingerprint feature of a network attack packet, which to some extent solves the problem that existing static fingerprint acquisition is inefficient. The method includes: receiving network traffic that contains both normal packets and network attack packets; recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the traffic, where each of the n columns corresponds to one position in the payload and each of the m rows corresponds to one character of the ASCII code; obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payload in the traffic exceeds a set frequency threshold; and determining that the fingerprint feature of the network attack packet is the feature string together with its position in the payload.

Description

Method and network device for obtaining the fingerprint feature of a network attack packet
Technical field
This application relates to the field of computer networks, and in particular to a method for obtaining the fingerprint feature of a network attack packet and to a network device for obtaining the fingerprint feature of a network attack packet.
Background technology
A denial of service (DoS) attack is a common form of network attack. Its purpose is to exhaust the network or system resources of a target device so that the service the device provides is temporarily interrupted or stopped, making the device unavailable to clients. A distributed denial of service (DDoS) attack is one in which the attacker launches a DoS attack against the target device from at least two hosts on the network that are under the attacker's control. Compared with a DoS attack, a DDoS attack is both harder to detect and more destructive.
To defend against DoS and DDoS attacks, the prior art proposes a static fingerprint technique. In this technique, traffic captured during an attack is compared with traffic captured when no attack is under way in order to identify the attack packets; the content of the attack packets is then analysed manually to obtain a fingerprint feature by which they can be recognised. A fingerprint feature is a string that appears at a fixed position in every attack packet. Once the fingerprint feature has been obtained, the network administrator configures it on network security devices such as firewalls and security gateways, which then match the content of subsequent traffic against it, identifying and filtering any attack packets that may appear and so improving the network's ability to resist DoS and DDoS attacks.
However, in order to evade detection, attackers regularly modify the content of their attack packets, and once the content has changed the packets can no longer be detected with the configured fingerprint feature. Obtaining the fingerprint feature of the modified attack packets by manual analysis, as the static technique requires, costs a great deal of manpower, and because manual analysis takes a long time, detection lags behind: by the time the fingerprint feature of the modified attack packets has been obtained, the DoS or DDoS attack has often already done serious damage to the network. In short, an attacker can evade detection at little cost.
The content of the invention
The embodiments of this application provide a method for obtaining the fingerprint feature of a network attack packet, which to some extent solves the problem that existing static fingerprint acquisition is inefficient.
In a first aspect, a method for obtaining the fingerprint feature of a network attack packet is provided, including:
receiving network traffic that contains both normal packets and network attack packets, where a normal packet is a packet generated by a user's legitimate network behaviour and a network attack packet is a packet generated by an attacker carrying out a network attack;
recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the traffic, where n is a natural number from 1 to the number of bytes in the packet payload, m is a natural number from 1 to 255, each of the n columns corresponds to one position in the payload, each of the m rows corresponds to one character of the ASCII code with no two rows corresponding to the same character, and the value of the element X_ij in row i, column j of the array is positively correlated with the number of times the character of row i occurs at offset j from the start of the payload;
obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payload in the traffic exceeds a set frequency threshold;
determining that the fingerprint feature of the network attack packet is the feature string together with the position of the feature string in the payload.
Optionally, in some implementations, the traffic can be recorded by scanning it byte by byte. Specifically, recording in the n-column, m-row two-dimensional array the number of times each character occurs at each position of the payload of the packets in the traffic includes:
for each packet in the traffic, reading in turn the character C_p at offset p from the start of the packet payload, for each natural number p from 1 up to k, where k is the smaller of n and the payload length of the packet;
looking up, in the two-dimensional array, the element at column p and at the row corresponding to the character C_p;
increasing the value of the element found by a set increment unit on top of its current value, the increment unit being a positive number.
Optionally, in some implementations, obtaining from the two-dimensional array the feature string whose number of occurrences at a fixed position in the traffic exceeds the set frequency threshold includes:
for the two-dimensional array, determining the elements whose value is greater than or equal to the set frequency threshold;
determining a run of consecutive columns in the array, where the positions corresponding to the columns of the run are pairwise adjacent and every column of the run contains an element whose value exceeds the set frequency threshold;
determining, from the number of columns in the run, the position range that the run covers in the payload;
determining the feature character of each column in the run, where a feature character of a column is the character corresponding to an element of that column whose value exceeds the set frequency threshold;
choosing, in the order of the columns in the run, one feature character for each column and concatenating them into the feature string, whose position is the position range of the run in the payload.
Optionally, in some implementations, before obtaining the feature string from the two-dimensional array, the method also includes:
obtaining the number of packets contained in the traffic;
multiplying the packet count by a preset percentage and using the product as the set frequency threshold. The preset percentage ranges from 10% to 100%. A preset percentage between 10% and 100% is a preferred setting that yields accurate results; with a value such as 8% or 9% the fingerprint feature of the network attack packet can still be obtained.
Optionally, once the fingerprint feature of the network attack packet has been obtained, it can also be applied to the traffic above, and to traffic received after it, in order to identify and filter packets. Specifically, after determining that the fingerprint feature of the network attack packet is the feature string together with its position in the payload, the method further includes:
matching a first packet in the traffic against the fingerprint feature, and if the first packet contains the fingerprint feature, determining that the first packet is a network attack packet and filtering it out, i.e. dropping it;
matching a second packet in the traffic against the fingerprint feature, and if the second packet does not contain the fingerprint feature, determining that the second packet is a normal packet and forwarding it.
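The procedure above, worked through in Python as an added example (this is not the patent's own code). It uses the reduced table of the embodiment (n = 20 payload positions, m = 26 English letters; the letters are assumed to be lowercase), an increment unit of 1, the packet-count-times-percentage threshold, and a constructed, unlabelled mix of attack and normal payloads. Where a column has more than one qualifying character the most frequent one is chosen, which is an assumption the text leaves open; positions are reported 1-based as in the text.

```python
import string

N_COLS = 20                        # first 20 payload bytes (the embodiment's n)
ALPHABET = string.ascii_lowercase  # 26 letters as rows (the embodiment's m); lowercase is an assumption


def record_traffic(payloads, n=N_COLS, alphabet=ALPHABET):
    """Build the m-row, n-column table: table[i][j] counts how often the
    character of row i occurred at payload offset j (0-based internally).
    Normal and attack payloads are fed in together with no prior labelling."""
    row_of = {c: i for i, c in enumerate(alphabet)}
    table = [[0] * n for _ in alphabet]
    for payload in payloads:
        k = min(n, len(payload))           # k = min(n, payload length)
        for p in range(k):
            i = row_of.get(chr(payload[p]))
            if i is None:                  # characters outside the alphabet are not counted
                continue
            table[i][p] += 1               # increment unit = 1
    return table


def frequency_threshold(packet_count, percentage):
    """Set frequency threshold = packet count x preset percentage (10%..100% preferred)."""
    return packet_count * percentage


def extract_fingerprints(table, threshold, alphabet=ALPHABET):
    """Return (feature_string, first_pos, last_pos) for every maximal run of
    adjacent columns in which each column holds an element >= threshold.
    Tie-break (assumption): the most frequent qualifying character per column."""
    n = len(table[0])
    feature_char = {}                      # column -> chosen feature character
    for j in range(n):
        hits = [(table[i][j], alphabet[i]) for i in range(len(alphabet))
                if table[i][j] >= threshold]
        if hits:
            feature_char[j] = max(hits)[1]
    fingerprints = []
    j = 0
    while j < n:
        if j not in feature_char:
            j += 1
            continue
        start = j
        while j + 1 < n and (j + 1) in feature_char:   # extend the run of adjacent columns
            j += 1
        feature = "".join(feature_char[c] for c in range(start, j + 1))
        fingerprints.append((feature, start + 1, j + 1))  # 1-based position range
        j += 1
    return fingerprints


def matches_fingerprint(payload, fingerprint):
    """A packet matches only if the feature string sits at its recorded fixed position."""
    feature, first, last = fingerprint
    return payload[first - 1:last] == feature.encode()


def classify(payloads, fingerprints):
    """Filtering step: payloads carrying any fingerprint are dropped, the rest forwarded."""
    dropped, forwarded = [], []
    for payload in payloads:
        if any(matches_fingerprint(payload, f) for f in fingerprints):
            dropped.append(payload)
        else:
            forwarded.append(payload)
    return dropped, forwarded


# Constructed sample traffic: 7 attack payloads sharing "abcd" at positions 2 to 5
# (the example given in the description) mixed with 3 normal payloads, unlabelled.
SAMPLE_TRAFFIC = [
    b"xabcdefg", b"yabcdhij", b"zabcdklm", b"wabcdnop",
    b"vabcdqrs", b"uabcdtuv", b"tabcdwxy",
    b"hello world", b"foo bar baz", b"nice day",
]


def demo(payloads=SAMPLE_TRAFFIC, percentage=0.5):
    """Record the traffic, derive the threshold (10 packets x 50% = 5) and extract fingerprints."""
    table = record_traffic(payloads)
    threshold = frequency_threshold(len(payloads), percentage)
    return extract_fingerprints(table, threshold)


if __name__ == "__main__":
    fps = demo()
    print(fps)                                   # [('abcd', 2, 5)]
    dropped, forwarded = classify(SAMPLE_TRAFFIC, fps)
    print(len(dropped), "dropped,", len(forwarded), "forwarded")
```

Only the "abcd" columns reach the threshold of 5; every other column holds at most two occurrences of any letter, so no spurious run is formed and the three normal payloads are forwarded.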
The method for obtaining the fingerprint feature of a network attack packet provided by the embodiments of this application does not require the normal packets and the network attack packets in the traffic to be distinguished in advance. It records in a two-dimensional array the characters that occur at each payload position of the packets in the traffic and the number of times each occurs, and then uses the array to obtain, as the fingerprint feature of the network attack packets, the string that occurs most frequently at a fixed position of the payload. No manual analysis of packet payloads is needed in this process, which saves cost and time, offers good real-time performance, and improves the efficiency of obtaining the fingerprint feature of network attack packets.
In a second aspect, a device for obtaining the fingerprint feature of a network attack packet is also provided, including: a receiving module for receiving network traffic that contains both normal packets and network attack packets;
a processing module for recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the traffic, where n is a natural number from 1 to the number of bytes in the packet payload, m is a natural number from 1 to 255, each of the n columns corresponds to one position in the payload, each of the m rows corresponds to one character of the ASCII code with no two rows corresponding to the same character, and the value of the element X_ij in row i, column j of the array is positively correlated with the number of times the character of row i occurs at offset j from the start of the payload;
for obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payload in the traffic exceeds a set frequency threshold;
and for determining that the fingerprint feature of the network attack packet is the feature string together with the position of the feature string in the payload.
Optionally, in some implementations, the device can record the traffic by scanning it byte by byte. Specifically,
the processing module is used to, for each packet in the traffic, read in turn the character C_p at offset p from the start of the packet payload, for each natural number p from 1 up to k, where k is the smaller of n and the payload length of the packet;
look up, in the two-dimensional array, the element at column p and at the row corresponding to the character C_p;
and increase the value of the element found by a set increment unit on top of its current value, the increment unit being a positive number.
Optionally, in some implementations, the processing module is used to determine, for the two-dimensional array, the elements whose value is greater than or equal to the set frequency threshold;
determine a run of consecutive columns in the array, where the positions corresponding to the columns of the run are pairwise adjacent and every column of the run contains an element whose value exceeds the set frequency threshold;
determine, from the number of columns in the run, the position range that the run covers in the payload;
determine the feature character of each column in the run, where a feature character of a column is the character corresponding to an element of that column whose value exceeds the set frequency threshold;
and choose, in the order of the columns in the run, one feature character for each column and concatenate them into the feature string, whose position is the position range of the run in the payload.
Optionally, the processing module is further used to obtain the number of packets contained in the traffic before obtaining the feature string from the two-dimensional array;
and to multiply the packet count by a preset percentage and use the product as the set frequency threshold. The preset percentage ranges from 10% to 100%. A preset percentage between 10% and 100% is a preferred setting that yields accurate results; with a value such as 8% or 9% the fingerprint feature of the network attack packet can still be obtained.
The device for obtaining the fingerprint feature of a network attack packet provided by the embodiments of this application does not require the normal packets and the network attack packets in the traffic to be distinguished in advance. It records in a two-dimensional array the characters that occur at each payload position of the packets in the traffic and the number of times each occurs, and then uses the array to obtain, as the fingerprint feature of the network attack packets, the string that occurs most frequently at a fixed position of the payload. No manual analysis of packet payloads is needed in this process, which saves cost and time, offers good real-time performance, and improves the efficiency of obtaining the fingerprint feature of network attack packets.
In a third aspect, a network security device is also provided, including a memory, a processor, a network interface and a bus, the memory, the processor and the network interface being connected to one another by the bus, wherein
the network interface is used to receive network traffic that contains both normal packets and network attack packets, where a normal packet is a packet generated by a user's legitimate network behaviour and a network attack packet is a packet generated by an attacker carrying out a network attack;
after reading the program code stored in the memory, the processor performs the following operations:
recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the traffic, where n is a natural number from 1 to the number of bytes in the packet payload, m is a natural number from 1 to 255, each of the n columns corresponds to one position in the payload, each of the m rows corresponds to one character of the ASCII code with no two rows corresponding to the same character, and the value of the element X_ij in row i, column j of the array is positively correlated with the number of times the character of row i occurs at offset j from the start of the payload;
obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payload in the traffic exceeds a set frequency threshold;
determining that the fingerprint feature of the network attack packet is the feature string together with the position of the feature string in the payload.
The processor executes the method of the first aspect or of any possible implementation of the first aspect.
In a fourth aspect, the application provides a computer-readable medium for storing a computer program that includes instructions for performing the method of the first aspect or of any possible implementation of the first aspect.
Brief description of the drawings
To describe the technical solutions of the embodiments of this application or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of this application; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario of the solution for obtaining the fingerprint feature of a network attack packet provided by an embodiment of this application;
Fig. 2A is a schematic structural diagram of a network security device provided by an embodiment of this application;
Fig. 2B is a schematic flowchart of the method for obtaining the fingerprint feature of a network attack packet provided by an embodiment of this application;
Fig. 3 is a schematic diagram of the working principle of a network security device provided by an embodiment of this application;
Fig. 4A is a schematic diagram of the initial state of an example two-dimensional array provided by an embodiment of this application;
Fig. 4B is a schematic diagram of an intermediate state of the example two-dimensional array provided by an embodiment of this application;
Fig. 4C is a schematic diagram of another intermediate state of the example two-dimensional array provided by an embodiment of this application;
Fig. 4D is a schematic diagram of another intermediate state of the example two-dimensional array provided by an embodiment of this application;
Fig. 4E is a schematic diagram of another intermediate state of the example two-dimensional array provided by an embodiment of this application;
Fig. 4F is a schematic diagram of another intermediate state of the example two-dimensional array provided by an embodiment of this application;
Fig. 4G is a schematic diagram of another intermediate state of the example two-dimensional array provided by an embodiment of this application;
Fig. 4H is a schematic diagram of another intermediate state of the example two-dimensional array provided by an embodiment of this application;
Fig. 5 is a schematic flowchart of the network security device provided by an embodiment of this application recording network traffic in the two-dimensional array;
Fig. 6A is a schematic flowchart of obtaining the fingerprint feature of a network attack packet from the two-dimensional array, as provided by an embodiment of this application;
Fig. 6B is a schematic diagram of one state of the example two-dimensional array provided by an embodiment of this application after processing;
Fig. 6C is a schematic diagram of another state of the example two-dimensional array provided by an embodiment of this application after processing;
Fig. 7 is a schematic structural diagram of the device for obtaining the fingerprint feature of a network attack packet provided by an embodiment of this application.
Embodiment
Because the existing static fingerprint technique is time-consuming, labour-intensive and slow to detect, the embodiments of this application propose a method for obtaining the fingerprint feature of a network attack packet automatically. In these embodiments a fingerprint feature is a string that appears at a fixed position in every attack packet; for example, the string abcd may appear between the 2nd and the 5th character of the payload of every attack packet. The fingerprint feature is a basic criterion by which a network security device identifies network attack packets, and how to obtain it promptly and effectively is the problem this application sets out to solve.
The embodiments of this application are described below with reference to the drawings.
Fig. 1 is a schematic diagram of an application scenario of the solution for obtaining the fingerprint feature of a network attack packet provided by an embodiment of this application. In the network scenario shown, which includes devices such as switches, routers and network security devices, a switch is deployed in each protected network, and each switch is connected to the router through a network security device. The network security device can obtain the traffic exchanged between the Internet and the protected network and judge its legitimacy according to pre-configured features, for example identifying normal packets and network attack packets, or identifying the protocol type of the carried data. Further, the network security device can filter or forward the traffic according to a pre-specified forwarding policy, for example dropping network attack packets and forwarding normal packets. By way of example, the network security device can be a firewall, a security gateway or a deep packet inspection (DPI) device. The network security device in Fig. 1 can use the solution provided below by this embodiment to obtain the fingerprint feature of network attack packets and identify the legitimacy of traffic accordingly.
Obviously, the solution provided by this embodiment can also be applied in other scenarios. For example, to reduce the processing load on the network security devices, each network security device is connected to a traffic scrubbing device. The network security device forwards traffic whose legitimacy it cannot determine to the scrubbing device, which uses the solution provided below by this embodiment to obtain the fingerprint feature of network attack packets, identifies the legitimacy of the traffic accordingly, and returns the cleaned, filtered traffic to the network security device for onward forwarding.
The structure and working principle of the network security device in the scenario of Fig. 1 are described in detail below with reference to Fig. 2A, Fig. 2B and Fig. 3.
Fig. 2A is a schematic structural diagram of a network security device provided by an embodiment of this application. The network security device includes a memory 210, a processor 220, a network interface 230 and a bus 240; memory 210, processor 220 and network interface 230 are connected to one another by bus 240.
Memory 210 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or compact disc read-only memory (CD-ROM). Memory 210 stores the operating system running on the network security device and the program code of its applications; in this embodiment it also stores a feature library in which the fingerprint features of network attack packets are kept.
Processor 220 can be one or more central processing units (CPUs); where the processor is a single CPU, that CPU can be single-core or multi-core.
Network interface 230 can be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or a Gigabit Ethernet (GE) interface, or a wireless interface.
The hardware of network interface 230 and the operating system together implement the processing functions of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack. As a rule, the hardware of network interface 230 implements the processing of the physical layer and of the lower part of the data link layer, such as parsing and encapsulating the corresponding packet data; the lower part of the data link layer refers to protocols close to the bottom of the stack, such as the medium access control (MAC) protocols. The operating system implements the remaining data link layer protocols and all of the network layer and transport layer protocols, again parsing and encapsulating the corresponding packet data. The operating system exposes an application programming interface (API) to the application layer through sockets or a dynamic link library, so that application programs need only call the API to communicate over the network. In other words, by these means the TCP/IP protocol stack is transparent to the application layer.
Fig. 2B is a flowchart of the method for obtaining the fingerprint feature of a network attack packet performed by the network security device shown in Fig. 2A.
Step 20: network interface 230 receives network traffic. The traffic contains normal packets and network attack packets, where a normal packet is a packet generated by a user's legitimate network behaviour and a network attack packet is a packet generated by an attacker carrying out a network attack. In this embodiment there is no need to distinguish the normal packets from the network attack packets by manual analysis; the subsequent processing is simply applied directly to the traffic in which the two are mixed.
After processor 220 reads the program code stored in the memory, it performs the following operations:
Step 40: processor 220 records, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the traffic.
The range of n depends on the protocol layer of the parsed payload content and on the maximum transmission unit (MTU) that the widely accepted technical standard defines for messages of that layer. For example, according to the Ethernet frame structure specified in the IEEE (Institute of Electrical and Electronics Engineers) 802.3-2012 standard, the maximum length of the network-layer payload is 1500 bytes. In this application, message payload content means the TCP-layer payload content, the UDP-layer payload content, or the application-layer payload content (HTTP, HyperText Transfer Protocol, is used as the example) obtained after the message has been parsed by the TCP/IP protocol stack. n is a natural number between 1 and the number of bytes in the message payload. Each of the n columns corresponds to one position in the payload content, and no two columns correspond to the same position. For example, when n is 1500, columns 1 to 1500 correspond one-to-one to the 1500 bytes of the payload content: column 1 corresponds to the 1st byte, column 2 to the 2nd byte, and so on up to column 1500, which corresponds to the 1500th byte.
The payload content of a message is binary data in which each byte consists of 8 bits, and the value of each byte corresponds to one character in the ASCII code. The ASCII code has 255 characters in total, so m is a natural number between 1 and 255. Each of the m rows corresponds to one ASCII character, and no two rows correspond to the same character.
To raise the processing efficiency of processor 220 and reduce the memory it occupies, only the data at fixed positions of the payload content may be recorded, for example only the first 20 bytes of the payload content, or only the 100 bytes from the 101st byte to the 200th byte. Likewise, only some of the characters that may appear in the payload content may be counted, for example only the occurrences of the 26 English letters at each position, so that any other symbol, such as "+", found at a position being counted is simply not counted. Therefore, when the message payload content is the HTTP-layer payload content, n is a value no larger than the number of bytes in the message payload and m is a natural number from 1 to 255.
For simplicity and clarity, this application describes the two-dimensional array using as its example an HTTP-layer payload content made up only of ASCII characters. To reduce the size of the array further, a two-dimensional array with m = 26 and n = 20 is used: only the first 20 bytes of the message payload content are recorded, and only those cases in which the value of a byte corresponds to one of the 26 English letters in the ASCII code.
In this embodiment, each of the n columns of the two-dimensional array corresponds to one position among the first 20 bytes of the payload content, and each of the m rows corresponds to one of the 26 English letters in the ASCII code. The initial state of the two-dimensional array is shown in Fig. 4A.
Step 60: processor 220 obtains a feature string from the two-dimensional array. A feature string is a character string whose number of occurrences at a fixed position of the message payload content in the network traffic exceeds a set frequency threshold.
Step 80: processor 220 determines that the fingerprint feature of the network attack message consists of the feature string and the position of the feature string in the payload content.
The way network traffic is recorded in the two-dimensional array, and the process by which the fingerprint feature of a network attack message is obtained from the recorded array, are described in detail below with a concrete example. Once recording is complete, the value of each element of the two-dimensional array indicates how frequently a given character occurs at a given position of the payload content in the messages of the network traffic. In other words, the value of the element X[i][j] in row i, column j of the array is positively correlated with the number of times the character corresponding to row i occurs at the position whose offset from the start of the payload content is j bytes. Specifically, the value of an element may be the number of occurrences of the character itself, or a value proportional to that number.
Optionally, the Network Security Device also includes an input device 250. Input device 250 may be a touch screen, a keyboard, physical buttons, and so on. Through input device 250 an administrator can modify data such as the configuration parameters and preset rules of the Network Security Device, either on a command line or through a graphical user interface.
Optionally, the Network Security Device also includes an output device 260. Output device 260 may be a printer or a display, or audio equipment such as a sound card with an attached headset or loudspeaker. The Network Security Device can send alerts through output device 260, or give feedback on the administrator's configuration operations. The administrator interacts with the Network Security Device through input device 250 and output device 260.
Fig. 3 is a schematic diagram of the operating principle of a Network Security Device provided by an embodiment of this application. The deployment position of the Network Security Device in the network of Fig. 3 is as shown in Fig. 1: the Network Security Device is inserted in-line in the network transmission path and filters network traffic in real time. In Fig. 3, blank boxes represent normal messages and shaded boxes represent network attack messages.
The Network Security Device receives network traffic T1 through network interface 230. As shown in the figure, network traffic T1 contains both normal messages and network attack messages.
Step 302: processor 220 of the Network Security Device uses a two-dimensional array of n columns and m rows to record, for each position in the payload content of the messages in network traffic T1, the number of times each character occurs. Processor 220 then obtains the fingerprint feature of the network attack message from the two-dimensional array. A fingerprint feature identifies a feature string that occurs at a fixed position of the message payload content; for example, fingerprint feature A indicates that the character string "xafeea" occurs in the position range from 5 bytes to 11 bytes, measured from the start of the payload content.
When a network attack such as a DDoS attack is under way, the network attack messages usually outnumber the normal messages. Normal messages are those produced by a user's ordinary network behaviour or by a user's ordinary network traffic, for example messages produced when a user browses the web, downloads a file, or communicates with other users through an instant-messaging tool. The content of normal messages is highly random, so it is unlikely that identical content appears with high frequency at a fixed position of the payload content. The Network Security Device exploits this phenomenon to learn fingerprint features.
Step 303: processor 220 of the Network Security Device adds the fingerprint feature of the network attack message obtained in step 302 to the feature database kept in memory 210, thereby updating the feature database.
Optionally, to give the administrator control over the addition of fingerprint features to the feature database and to improve the accuracy of the fingerprint features obtained, processor 220 presents the fingerprint feature of the network attack message obtained in step 302 to the administrator through output device 260, and adds the fingerprint feature to the memory only after the administrator has entered a confirmation through input device 250.
Optionally, to save storage space in memory 210, processor 220 can periodically count how many times each fingerprint feature stored in the feature database has been hit, and delete fingerprint features that have not been hit for a long time.
Step 305: processor 220 of the Network Security Device matches network traffic T2 against the updated feature database in order to distinguish normal messages from network attack messages. Network traffic T2 may be network traffic T1 itself, or subsequent network traffic received by network interface 230 after network traffic T1. If a message contains a fingerprint feature from the feature database, the message is confirmed to be a network attack message T3; if it contains no fingerprint feature from the feature database, it is confirmed to be a normal message T4.
Specifically, Network Security Device 220 compares each message in network traffic T2 with each fingerprint feature in the feature database one by one. Taking fingerprint feature A as an example: if the character string "xafeea" appears in a message in the position range from 5 bytes to 11 bytes, measured from the start of the payload content, the payload content of the message is confirmed to contain the content described by fingerprint feature A, and the message is confirmed to be a network attack message.
Optionally, once the Network Security Device has distinguished normal messages from network attack messages, it can forward the normal messages T4 as usual and filter or block the network attack messages T3, preventing the network attack messages from propagating further in the network and reducing their effect on network services.
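The matching of step 305 and the hit counter of the optional pruning, as an added Python example that is not code from the patent or from the patent holder: a fingerprint is a feature string bound to a fixed, 1-based byte range of the payload, a message counts as an attack message only when the string sits exactly in that range, and fingerprints whose hit count stays low can be expired. The names Fingerprint, classify and prune, the two fingerprints and the sample traffic are all constructed for this example; "xafeea" at bytes 6 to 11 mirrors the page's fingerprint A and "cafeea" the second string of Fig. 6C.

```python
"""Match payloads against a fingerprint feature database (step 305).

Added example, not the patent's own code. Fingerprints, names and
sample traffic are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Fingerprint:
    """A feature string bound to a fixed position range in the payload."""
    name: str
    chars: str
    start: int      # 1-based offset of the first character from the payload start
    hits: int = 0   # hit counter, used to expire fingerprints that never match

    @property
    def end(self) -> int:
        return self.start + len(self.chars) - 1


def matches(fp: Fingerprint, payload: str) -> bool:
    """True only when fp.chars occupies exactly bytes fp.start..fp.end."""
    if len(payload) < fp.end:
        return False
    return payload[fp.start - 1:fp.end] == fp.chars


def classify(payloads, feature_db):
    """Split traffic T2 into attack messages T3 and normal messages T4.

    A message is an attack message as soon as one fingerprint matches; that
    fingerprint's hit counter is incremented so rarely hit entries can be
    pruned later.
    """
    attack, normal = [], []
    for payload in payloads:
        hit = next((fp for fp in feature_db if matches(fp, payload)), None)
        if hit is None:
            normal.append(payload)
        else:
            hit.hits += 1
            attack.append(payload)
    return attack, normal


def prune(feature_db, min_hits: int):
    """Periodic clean-up: keep only fingerprints hit at least min_hits times."""
    return [fp for fp in feature_db if fp.hits >= min_hits]


# Constructed feature database and traffic T2.
FEATURE_DB = [
    Fingerprint("A", "xafeea", start=6),
    Fingerprint("B", "cafeea", start=6),
]
TRAFFIC_T2 = [
    "domainwwwsinacom",        # normal
    "padkexafeeajnveiqhgn",    # attack: "xafeea" at bytes 6-11
    "xafeeadomainwwwsinacom",  # normal: same string, but at bytes 1-6
    "oicaecafeeaxmndea",       # attack: "cafeea" at bytes 6-11
    "getindexhtml",            # normal
]

if __name__ == "__main__":
    t3, t4 = classify(TRAFFIC_T2, FEATURE_DB)
    print("attack messages T3:", t3)
    print("normal messages T4:", t4)
```

The third sample payload shows why the position is part of the fingerprint: it carries "xafeea", but at bytes 1 to 6 rather than 6 to 11, so it is not matched.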
The way the Network Security Device uses a two-dimensional array to record network traffic is introduced below with reference to the example arrays in Figs. 4A, 4B, 4C, 4D, 4E, 4F, 4G and 4H and the flow chart in Fig. 5.
Step 51: memory 210 of the Network Security Device stores the network traffic received by network interface 230. Specifically, the Network Security Device may perform protocol parsing on each message in the traffic received by network interface 230, so that memory 210 stores only the HTTP-layer payload content of each message.
Optionally, other information about the messages may also be stored to support additional analysis and statistics. For example, the timestamp of each message may be stored in order to measure the intensity of a network attack, and the source IP address and destination IP address of each message may be stored in order to analyse the attack source and attack target; these are not described in detail one by one here.
Step 52: processor 220 of the Network Security Device reads the HTTP-layer payload content of the messages one by one and performs the following steps 53 to 55 on the HTTP-layer payload content of each message, until the HTTP-layer payload content of the last message stored in memory 210 has been processed.
This embodiment is described using the example of 7 messages stored in memory 210 of the Network Security Device. In practice, to improve the accuracy of fingerprint feature learning, a large number of messages, for example thousands or tens of thousands, are processed in the same way. The HTTP-layer payload contents of the 7 messages are listed in Table 1.
Table 1

Test serial number    HTTP-layer payload content of the message
1                     domainwwwsinacom
2                     padkexafeeajnveiqhgn
3                     kjeclxaffeeaqizp
4                     oicaexafeeaxmndea
5                     qcpuixafeeawpnbjdeq
6                     iuvbdxafeeaqw
7                     getindexhtml
Step 53: read, in turn, the character Cp at the position whose offset from the start of the message payload content is p, for each natural number p from 1 up to k, where k is the smaller of n and the length of the message payload.
Step 54: in the two-dimensional array, look up the element at column p in the row corresponding to character Cp, that is, the element whose column index in the array is p and whose row is the row corresponding to Cp.
Step 55: increase the value of the element found by a set increment, which is a positive number, on top of its current value. In this embodiment the increment is set to 1, so the value of the element found is increased by 1.
By way of example, each row of the two-dimensional array corresponds to one of the English letters a to z. When the array is initialised, the value of every element is 0.
(1) Scan each character in the payload content of message 1, which is "domainwwwsinacom".
Read the 1st character d of the payload content of message 1. Character d corresponds to row 4 of the array, and its position in the payload content is offset 1 from the start. Therefore look up the element X[4][1] at row 4, column 1 of the two-dimensional array and add 1 to it. Since the initial value of X[4][1] is 0, its value after the increment is 1.
Read the 2nd character o of the payload content of message 1. Character o corresponds to row 15 of the array, and its position in the payload content is offset 2 from the start. Therefore look up the element X[15][2] at row 15, column 2 of the two-dimensional array and add 1 to it. Since the initial value of X[15][2] is 0, its value after the increment is 1.
Read the 3rd character m of the payload content of message 1. Character m corresponds to row 13 of the array, and its position in the payload content is offset 3 from the start. Therefore look up the element X[13][3] at row 13, column 3 of the two-dimensional array and add 1 to it. Since the initial value of X[13][3] is 0, its value after the increment is 1.
Read the 4th character a of the payload content of message 1. Character a corresponds to row 1 of the array, and its position in the payload content is offset 4 from the start. Therefore look up the element X[1][4] at row 1, column 4 of the two-dimensional array and add 1 to it. Since the initial value of X[1][4] is 0, its value after the increment is 1.
Read the 5th character i of the payload content of message 1. Character i corresponds to row 9 of the array, and its position in the payload content is offset 5 from the start. Therefore look up the element X[9][5] at row 9, column 5 of the two-dimensional array and add 1 to it. Since the initial value of X[9][5] is 0, its value after the increment is 1.
Read the 6th character w of the payload content of message 1. Character w corresponds to row 23 of the array, and its position in the payload content is offset 6 from the start. Therefore look up the element X[23][6] at row 23, column 6 of the two-dimensional array and add 1 to it. Since the initial value of X[23][6] is 0, its value after the increment is 1.
Read the 7th character w of the payload content of message 1. Character w corresponds to row 23 of the array, and its position in the payload content is offset 7 from the start. Therefore look up the element X[23][7] at row 23, column 7 of the two-dimensional array and add 1 to it. Since the initial value of X[23][7] is 0, its value after the increment is 1.
Read the 8th character w of the payload content of message 1. Character w corresponds to row 23 of the array, and its position in the payload content is offset 8 from the start. Therefore look up the element X[23][8] at row 23, column 8 of the two-dimensional array and add 1 to it. Since the initial value of X[23][8] is 0, its value after the increment is 1.
Read the 9th character s of the payload content of message 1. Character s corresponds to row 19 of the array, and its position in the payload content is offset 9 from the start. Therefore look up the element X[19][9] at row 19, column 9 of the two-dimensional array and add 1 to it. Since the initial value of X[19][9] is 0, its value after the increment is 1.
Read the 10th character i of the payload content of message 1. Character i corresponds to row 9 of the array, and its position in the payload content is offset 10 from the start. Therefore look up the element X[9][10] at row 9, column 10 of the two-dimensional array and add 1 to it. Since the initial value of X[9][10] is 0, its value after the increment is 1.
Read the 11th character n of the payload content of message 1. Character n corresponds to row 14 of the array, and its position in the payload content is offset 11 from the start. Therefore look up the element X[14][11] at row 14, column 11 of the two-dimensional array and add 1 to it. Since the initial value of X[14][11] is 0, its value after the increment is 1.
Read the 12th character a of the payload content of message 1. Character a corresponds to row 1 of the array, and its position in the payload content is offset 12 from the start. Therefore look up the element X[1][12] at row 1, column 12 of the two-dimensional array and add 1 to it. Since the initial value of X[1][12] is 0, its value after the increment is 1.
Read the 13th character c of the payload content of message 1. Character c corresponds to row 3 of the array, and its position in the payload content is offset 13 from the start. Therefore look up the element X[3][13] at row 3, column 13 of the two-dimensional array and add 1 to it. Since the initial value of X[3][13] is 0, its value after the increment is 1.
Read the 14th character o of the payload content of message 1. Character o corresponds to row 15 of the array, and its position in the payload content is offset 14 from the start. Therefore look up the element X[15][14] at row 15, column 14 of the two-dimensional array and add 1 to it. Since the initial value of X[15][14] is 0, its value after the increment is 1.
Read the 15th character m of the payload content of message 1. Character m corresponds to row 13 of the array, and its position in the payload content is offset 15 from the start. Therefore look up the element X[13][15] at row 13, column 15 of the two-dimensional array and add 1 to it. Since the initial value of X[13][15] is 0, its value after the increment is 1.
After message 1 has been processed, the content of the two-dimensional array is as shown in Fig. 4B.
(2) Scan each character in the payload content of message 2, which is "padkexafeeajnveiqhgn".
Read the 1st character p of the payload content of message 2. Character p corresponds to row 16 of the array, and its position in the payload content is offset 1 from the start. Therefore look up the element X[16][1] at row 16, column 1 of the two-dimensional array shown in Fig. 4B and add 1 to it. Since the initial value of X[16][1] is 0, its value after the increment is 1.
Read the 2nd character a of the payload content of message 2. Character a corresponds to row 1 of the array, and its position in the payload content is offset 2 from the start. Therefore look up the element X[1][2] at row 1, column 2 of the two-dimensional array shown in Fig. 4B and add 1 to it. Since the initial value of X[1][2] is 0, its value after the increment is 1.
After the 3rd to 20th characters of the payload content of message 2 have been processed in turn in the same way as the 1st and 2nd characters, the content of the two-dimensional array is as shown in Fig. 4C.
(3) Scan each character in the payload content of message 3, processing it in the same way as messages 1 and 2 in (1) and (2), and update the element values in the two-dimensional array of Fig. 4C to obtain the two-dimensional array shown in Fig. 4D.
(4) Scan each character in the payload content of message 4, processing it in the same way as messages 1 and 2 in (1) and (2), and update the element values in the two-dimensional array of Fig. 4D to obtain the two-dimensional array shown in Fig. 4E.
(5) Scan each character in the payload content of message 5, processing it in the same way as messages 1 and 2 in (1) and (2), and update the element values in the two-dimensional array of Fig. 4E to obtain the two-dimensional array shown in Fig. 4F.
(6) Scan each character in the payload content of message 6, processing it in the same way as messages 1 and 2 in (1) and (2), and update the element values in the two-dimensional array of Fig. 4F to obtain the two-dimensional array shown in Fig. 4G.
(7) Scan each character in the payload content of message 7, processing it in the same way as messages 1 and 2 in (1) and (2), and update the element values in the two-dimensional array of Fig. 4G to obtain the two-dimensional array shown in Fig. 4H.
The procedure of Fig. 5 records the network traffic by scanning it byte by byte; this is clearly only one possible recording method. Another is to have each core of a multi-core CPU read and record several bytes at fixed positions in parallel. Since the principle is the same, it is not described in detail here.
The process by which the Network Security Device obtains the fingerprint feature of a network attack message from the recorded two-dimensional array is introduced below with reference to the flow chart in Fig. 6A and the two-dimensional arrays in Figs. 6B and 6C.
Step 61: processor 220 in the Network Security Device determines, in the two-dimensional array, the elements whose value is greater than or equal to a set frequency threshold.
In practice, the values of the elements in a row that are greater than or equal to the set frequency threshold may be retained while the values of the elements below the threshold are deleted from the array; alternatively, a special indicator bit may be set on the elements whose value is greater than or equal to the threshold. Either way, only elements whose value is greater than or equal to the set frequency threshold are considered when determining the fingerprint feature of the network attack.
Optionally, the set frequency threshold may be a pre-configured fixed value, for example 5.
Optionally, the set frequency threshold may instead be looked up from a pre-configured correspondence between message-count ranges and frequency thresholds. Table 2 is an example of such a correspondence.
Table 2

Message number range    Frequency threshold
2~100                   5
101~1000                50
1001~10000              200
More than 10001         500
In the example of Fig. 5 the number of messages stored in memory 210 is 7, so the set frequency threshold looked up from Table 2 is 5. If the number of messages stored in memory 210 were 1000, the set frequency threshold looked up from Table 2 would be 50.
Optionally, the set frequency threshold may also be the product of the number of messages stored in memory 210 and a preset percentage value, where the preset percentage value ranges from 10% to 100%. If 1000 messages are stored in memory 210 and the preset percentage value is 10%, the product of the two is 1000 * 10% = 100, so the set frequency threshold is 100.
Continuing with the example of Fig. 5, the set frequency threshold is 5, so in the two-dimensional array of Fig. 4H the values of the elements greater than the set frequency threshold are retained, as shown in Fig. 6B.
Step 62: processor 220 determines the continuous columns in the two-dimensional array, that is, a set of columns whose positions are pairwise adjacent and each of which contains an element whose value is greater than or equal to the set frequency threshold.
As shown in Fig. 6B, columns 6, 7, 8, 9, 10 and 11 form one set of continuous columns. It should be noted that the number of such sets may be greater than 1.
Step 63: processor 220 determines the position range of the continuous columns in the payload content from the columns they contain.
Because the continuous columns are columns 6 to 11, their position in the payload content is bytes 6 to 11, measured from the start of the payload.
Step 64: determine the characteristic character of each of the continuous columns; a characteristic character is the character corresponding to an element in that column whose value is greater than the set frequency threshold.
In the example of Fig. 6B, the character for column 6 is x, the character for column 7 is a, the character for column 8 is f, the character for column 9 is e, the character for column 10 is e, and the character for column 11 is a.
Step 65: processor 220 selects one characteristic character for each of the continuous columns, in the order of the columns, and combines them into a feature string; the position of the feature string is the position range of the continuous columns in the payload content.
In the example of Fig. 6B, selecting one characteristic character per column in the order of columns 6 to 11 gives the feature string xafeea, whose position in the payload content is bytes 6 to 11, measured from the start of the payload.
The situation shown in Fig. 6B is in fact a fairly simple one. In many cases some column among the continuous columns contains at least two elements whose value exceeds the set frequency threshold, and then at least two feature strings are obtained. For example, in Fig. 6C, suppose column 6 has two elements whose value exceeds the set frequency threshold: the element X[3][6] at row 3, column 6, and the element X[24][6] at row 24, column 6. The letter for X[3][6] is c and the letter for X[24][6] is x, so two feature strings are obtained, xafeea and cafeea. It will be understood that when a column among the continuous columns has two or more elements whose value exceeds the set frequency threshold, or when several of the continuous columns each contain multiple such elements, still more feature strings are generated.
Step 66: processor 220 determines that the fingerprint feature of the network attack message consists of the feature string and the position of the feature string in the payload content, and stores the fingerprint feature in memory 210.
For example, in the example of Fig. 5B, processor 220 determines fingerprint feature 1 to be the character string xafeea at bytes 6 to 11 from the start of the payload. In the example of Fig. 5C, processor 220 determines fingerprint feature 1 to be the character string xafeea at bytes 6 to 11 from the start of the payload, and fingerprint feature 2 to be the character string cafeea at bytes 6 to 11 from the start of the payload.
The way of obtaining the fingerprint feature of a network attack message shown in Fig. 6A is one possible way. In an actual implementation, other ways of finding the continuous columns may be used, as long as the continuous columns are obtained.
The method of the fingerprint characteristic for the acquisition network attack message that the embodiment of the present application proposes without distinguishing in flow in advance Normal message and network attack message, by two-dimensional array record network traffics in message in each position of payload content The character of upper appearance, and the number that character occurs.And then obtain to go out on the fixed position of payload content using two-dimensional array The fingerprint characteristic of the higher character string network attack message the most of existing frequency.Hereafter, the net that will can be obtained using two-dimensional array The fingerprint characteristic of network attack message is applied in Network Security Device, to carry out attack detecting and packet filtering.In above-mentioned mistake Payload content in journey without manual analysis message, cost and spent time are saved, there is preferable real-time.
The embodiment of the present application further provides a device for obtaining the fingerprint feature of a network attack message; its logical structure is shown in Figure 7. The device may be the network security device of the preceding embodiments, or a relatively independent hardware module or software module integrated in that network security device. For example, the device may be a board plugged into the chassis of the network security device, or a relatively independent application program. Alternatively, the device may be a separate physical device connected to the network security device of the preceding embodiments, such as traffic scrubbing equipment. For the application scenario of the device, refer to Figure 1 and the related text of the preceding embodiments. For implementation details of each module, refer to Figure 3, Figures 4A to 4H, Figure 5, Figures 6A to 6C and the related text of the preceding embodiments; they are not repeated here.
The device for obtaining the fingerprint feature of a network attack message includes the following functional modules: a receiving module 701 and a processing module 702. These functional modules may be implemented in software, in hardware, or in a combination of software and hardware. When implemented in software, the receiving module 701 and the processing module 702 may be software function modules generated after the CPU of the network security device reads the program code of the application software stored in the memory. The receiving module 701 reads, over the bus, the network traffic data sent by the network interface, and the processing module 702 performs the subsequent recording procedure and the determination of the fingerprint feature.
When implemented in a combination of software and hardware, the receiving module 701 may be the network interface, and the processing module 702 may be a software function module generated after the CPU of the network security device reads the program code stored in the memory. The receiving module 701 sends the received network traffic data to the CPU over the bus, and the processing module 702 generated by the CPU performs the subsequent recording procedure and the determination of the fingerprint feature.
The receiving module 701 is configured to receive network traffic, the network traffic including normal messages and network attack messages.
The processing module 702 is configured to record, with a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the messages in the network traffic. Here n is a natural number between 1 and the number of bytes of the message payload, and m is a natural number between 1 and 255. Each of the n columns corresponds to one position of the payload, each of the m rows corresponds to one ASCII character, and the ASCII characters corresponding to different rows are different. The value of the element X_ij in row i and column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i occurs at offset j from the start of the payload.
The processing module 702 is further configured to obtain a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the message payload in the network traffic exceeds a set frequency threshold, and to determine that the fingerprint feature of the network attack message is the feature string together with the position of the feature string in the payload.
Optionally, the processing module 702 records, with the two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the messages in the network traffic as follows:
For each message in the network traffic, the character C_p at offset p from the start of the message payload is read in turn, p taking each natural number from 1 to k, where k is the smaller of n and the payload length of the message. In the two-dimensional array, the element determined by column p and the row corresponding to the character C_p is looked up.
The value of the element found is increased from its current value by a set increment unit, the value of the increment unit being a positive number.
Optionally, the processing module 702 obtains, from the two-dimensional array, the feature string whose number of occurrences at a fixed position in the network traffic exceeds the set frequency threshold as follows:
For the two-dimensional array, the elements whose value is greater than or equal to the set frequency threshold are determined. Further, the continuous columns in the two-dimensional array are determined: the positions of the columns in the continuous columns are pairwise adjacent, and each column contains an element whose value is greater than the set frequency threshold.
From the number of columns the continuous columns contain, the position range of the continuous columns in the payload is determined.
The feature character corresponding to each column in the continuous columns is determined, the feature character being the character corresponding to the element in that column whose value is greater than the set frequency threshold. In the order of the columns in the continuous columns, one feature character corresponding to each column is selected and the feature characters are combined into the feature string; the position of the feature string is the position range of the continuous columns in the payload.
Optionally, the set frequency threshold may be obtained in various ways. One way is that, before the processing module 702 obtains the feature string from the two-dimensional array, it obtains the number of messages included in the network traffic, multiplies the number of messages by a preset percentage value to obtain a product, and uses the product as the set frequency threshold. The preset percentage value ranges from 10% to 100%.
Optionally, the device for obtaining the fingerprint feature of a network attack message shown in Figure 7 further includes a matching module 703, configured to match a first message in the network traffic against the fingerprint feature and, if the first message includes the fingerprint feature, to determine that the first message is a network attack message; and to match a second message in the network traffic against the fingerprint feature and, if the second message does not include the fingerprint feature, to determine that the second message is a normal message.
Further, the device for obtaining the fingerprint feature of a network attack message shown in Figure 7 also includes a filtering module 704 and a forwarding module 705.
The filtering module 704 is configured to discard the first message.
The forwarding module 705 is configured to forward the second message. Specifically, the forwarding module 705 looks up a route according to the destination address of the second message and forwards the message; the message forwarding process is prior art and is not described in detail here.
The device for obtaining the fingerprint feature of a network attack message provided by the embodiment of the present application is deployed in the network transmission path and receives the network traffic flowing through it, without needing to distinguish normal messages from network attack messages in advance. It records, in a two-dimensional array, the characters that occur at each position of the payload of the messages in the network traffic and the number of times each character occurs, and then uses the two-dimensional array to obtain the string with the highest frequency of occurrence at a fixed position of the payload as the fingerprint feature of the network attack message. The fingerprint feature obtained from the two-dimensional array can then be applied in a network security device for attack detection and packet filtering. The above process requires no manual analysis of the message payload, which saves cost and time and offers good real-time performance.
In addition, the embodiment of the present application further provides a non-volatile computer-readable medium for storing a computer program. Computer-readable storage media include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared or semiconductor systems, apparatus or devices, or any suitable combination of the foregoing, for example random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or flash memory, optical fibre, and portable compact disc read-only memory (CD-ROM). The computer program includes instructions for performing the methods described with reference to Figure 3, Figures 4A to 4H, Figure 5, Figures 6A to 6C and the related text.

Claims (10)

  1. A method for obtaining a fingerprint feature of a network attack message, characterised in that it comprises:
    receiving network traffic, the network traffic including normal messages and network attack messages, where a normal message is a message produced by the normal network behaviour of a user and a network attack message is a message produced by an attacker performing a network attack;
    recording, with a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the messages in the network traffic, where n is a natural number between 1 and the number of bytes of the message payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position of the payload, each of the m rows corresponds to one ASCII character, the ASCII characters corresponding to different rows are different, and the value of the element X_ij in row i and column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i occurs at offset j from the start of the payload;
    obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the message payload in the network traffic exceeds a set frequency threshold;
    determining that the fingerprint feature of the network attack message is the feature string and the position of the feature string in the payload.
  2. The method according to claim 1, characterised in that recording, with the two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the messages in the network traffic comprises:
    for each message in the network traffic, reading in turn the character C_p at offset p from the start of the message payload, p taking each natural number from 1 to k, where k is the smaller of n and the payload length of the message;
    looking up, in the two-dimensional array, the element determined by column p and the row corresponding to the character C_p;
    increasing the value of the element found from its current value by a set increment unit, the value of the increment unit being a positive number.
  3. The method according to claim 1 or 2, characterised in that obtaining, from the two-dimensional array, the feature string whose number of occurrences at a fixed position in the network traffic exceeds the set frequency threshold comprises:
    for the two-dimensional array, determining the elements whose value is greater than or equal to the set frequency threshold;
    determining the continuous columns in the two-dimensional array, the positions of the columns in the continuous columns being pairwise adjacent and each column containing an element whose value is greater than the set frequency threshold;
    determining, from the number of columns the continuous columns contain, the position range of the continuous columns in the payload;
    determining the feature character corresponding to each column in the continuous columns, the feature character being the character corresponding to the element in that column whose value is greater than the set frequency threshold;
    selecting, in the order of the columns in the continuous columns, one feature character corresponding to each column and combining the feature characters into the feature string, the position of the feature string being the position range of the continuous columns in the payload.
  4. The method according to any one of claims 1 to 3, characterised in that, before obtaining the feature string from the two-dimensional array, it further comprises:
    obtaining the number of messages included in the network traffic;
    multiplying the number of messages by a preset percentage value to obtain a product, and using the product as the set frequency threshold.
  5. The method according to claim 4, characterised in that the preset percentage value ranges from 10% to 100%.
  6. A device for obtaining a fingerprint feature of a network attack message, characterised in that it comprises:
    a receiving module, configured to receive network traffic, the network traffic including normal messages and network attack messages;
    a processing module, configured to record, with a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the messages in the network traffic, where n is a natural number between 1 and the number of bytes of the message payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position of the payload, each of the m rows corresponds to one ASCII character, the ASCII characters corresponding to different rows are different, and the value of the element X_ij in row i and column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i occurs at offset j from the start of the payload;
    to obtain a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the message payload in the network traffic exceeds a set frequency threshold;
    and to determine that the fingerprint feature of the network attack message is the feature string and the position of the feature string in the payload.
  7. The device according to claim 6, characterised in that
    the processing module is configured to, for each message in the network traffic, read in turn the character C_p at offset p from the start of the message payload, p taking each natural number from 1 to k, where k is the smaller of n and the payload length of the message;
    look up, in the two-dimensional array, the element determined by column p and the row corresponding to the character C_p;
    and increase the value of the element found from its current value by a set increment unit, the value of the increment unit being a positive number.
  8. The device according to claim 6 or 7, characterised in that
    the processing module is configured to, for the two-dimensional array, determine the elements whose value is greater than or equal to the set frequency threshold;
    determine the continuous columns in the two-dimensional array, the positions of the columns in the continuous columns being pairwise adjacent and each column containing an element whose value is greater than the set frequency threshold;
    determine, from the number of columns the continuous columns contain, the position range of the continuous columns in the payload;
    determine the feature character corresponding to each column in the continuous columns, the feature character being the character corresponding to the element in that column whose value is greater than the set frequency threshold;
    and select, in the order of the columns in the continuous columns, one feature character corresponding to each column and combine the feature characters into the feature string, the position of the feature string being the position range of the continuous columns in the payload.
  9. The device according to claim 6 or 7, characterised in that
    the processing module is further configured to, before obtaining the feature string from the two-dimensional array, obtain the number of messages included in the network traffic;
    and multiply the number of messages by a preset percentage value to obtain a product, using the product as the set frequency threshold.
  10. A network security device comprising a memory, a processor, a network interface and a bus, the memory, the processor and the network interface being interconnected by the bus, characterised in that
    the network interface is configured to receive network traffic, the network traffic including normal messages and network attack messages, where a normal message is a message produced by the normal network behaviour of a user and a network attack message is a message produced by an attacker performing a network attack;
    after reading the program code stored in the memory, the processor performs the following operations:
    recording, with a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the messages in the network traffic, where n is a natural number between 1 and the number of bytes of the message payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position of the payload, each of the m rows corresponds to one ASCII character, the ASCII characters corresponding to different rows are different, and the value of the element X_ij in row i and column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i occurs at offset j from the start of the payload;
    obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the message payload in the network traffic exceeds a set frequency threshold;
    determining that the fingerprint feature of the network attack message is the feature string and the position of the feature string in the payload.
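As an added example that is not part of the patent, the following Python sketch implements the counting array, the percentage-based threshold, the continuous-column feature-string extraction and the match/drop/forward steps described in the device section above and in claims 1 to 5. The 256-row array (so every byte value has a row), 0-based offsets, an increment unit of 1, the rule of taking the most frequent character when several pass the threshold, and the sample traffic are all assumptions of this example.

```python
from typing import List, Optional, Tuple

# (feature string, first payload offset, last payload offset)
Feature = Tuple[bytes, int, int]


def build_count_array(payloads: List[bytes], n: int) -> List[List[int]]:
    """Build the m-row, n-column array: counts[i][j] is how often byte value i
    occurs at payload offset j across all messages.
    Assumptions: m = 256 rows (one per byte value), 0-based offsets,
    increment unit = 1."""
    counts = [[0] * n for _ in range(256)]
    for payload in payloads:
        k = min(n, len(payload))          # k = smaller of n and payload length
        for p in range(k):
            counts[payload[p]][p] += 1    # row = character C_p, column = p
    return counts


def frequency_threshold(message_count: int, percentage: float) -> float:
    """Set frequency threshold = message count x preset percentage (10%..100%)."""
    if not 0.10 <= percentage <= 1.0:
        raise ValueError("preset percentage must lie between 10% and 100%")
    return message_count * percentage


def extract_features(counts: List[List[int]], threshold: float) -> List[Feature]:
    """Find runs of adjacent columns that each hold an element >= threshold and
    combine one feature character per column into a feature string.
    Assumption: if several characters in a column pass the threshold (only
    possible below 50%), the most frequent one is chosen."""
    n = len(counts[0])
    col_char: List[Optional[int]] = []
    for j in range(n):
        best = max(range(256), key=lambda i: counts[i][j])
        col_char.append(best if counts[best][j] >= threshold else None)
    features: List[Feature] = []
    j = 0
    while j < n:
        if col_char[j] is None:
            j += 1
            continue
        start = j
        while j < n and col_char[j] is not None:
            j += 1
        # columns start..j-1 are the continuous columns; that is the position range
        features.append((bytes(col_char[start:j]), start, j - 1))
    return features


def is_attack(payload: bytes, features: List[Feature]) -> bool:
    """Matching module: a message carrying a feature string at its recorded
    position is treated as a network attack message."""
    return any(payload[s:e + 1] == fs for fs, s, e in features)


def filter_traffic(payloads: List[bytes], features: List[Feature]):
    """Filtering and forwarding modules: drop matching messages, forward the rest."""
    dropped = [p for p in payloads if is_attack(p, features)]
    forwarded = [p for p in payloads if not is_attack(p, features)]
    return dropped, forwarded


def sample_traffic() -> List[bytes]:
    """Constructed sample (not captured data): eight flood-style requests that
    share a fixed filler at offsets 5..15, plus two ordinary requests."""
    attack = [b"GET /?q=XXXXXXXX" + str(i).encode() for i in range(8)]
    normal = [b"GET /index.html", b"GET /about.html"]
    return attack + normal


def demo():
    """Run the whole pipeline at a 70% threshold and report what it learned."""
    traffic = sample_traffic()
    counts = build_count_array(traffic, n=32)
    threshold = frequency_threshold(len(traffic), 0.7)   # 10 messages x 70% = 7
    features = extract_features(counts, threshold)
    dropped, forwarded = filter_traffic(traffic, features)
    return features, len(dropped), len(forwarded)


if __name__ == "__main__":
    print(demo())
```

Note that the learned fingerprint absorbs the protocol prefix "GET /" because every message shares it; at a 100% threshold only that prefix survives and would match all traffic, so a fingerprint obtained this way should be checked against known-good traffic before it is used to drop packets.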
CN201610338317.5A 2016-05-19 2016-05-19 Method for acquiring fingerprint characteristics of network attack message and network equipment Active CN107404459B (en)


Publications (2)

Publication Number Publication Date
CN107404459A true CN107404459A (en) 2017-11-28
CN107404459B CN107404459B (en) 2020-09-04



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant