CN107404459A - Method and network device for obtaining the fingerprint feature of a network attack packet (Google Patents)
Publication number: CN107404459A (application number CN201610338317.5A)
Authority: CN (China)
Legal status: Granted
Abstract
This application discloses a method and a network device for obtaining the fingerprint feature of network attack packets, which to some extent solves the low efficiency of existing static fingerprint feature acquisition. The method includes: receiving network traffic that contains both normal packets and network attack packets; recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the traffic, where each of the n columns corresponds to one position in the payload and each of the m rows corresponds to one character of the ASCII code; obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payloads in the traffic exceeds a set frequency threshold; and determining the fingerprint feature of the network attack packets to be the feature string together with its position in the payload.
Description
Technical field
The present application relates to the field of computer networks, and in particular to a method for obtaining the fingerprint feature of network attack packets and to a network device for obtaining the fingerprint feature of network attack packets.
Background technology
A denial of service (DoS, Denial of Service) attack is a common means of network attack. The purpose of a DoS attack is to exhaust the network resources or system resources of a target device so that the service it provides is temporarily interrupted or stopped and the target device becomes unavailable to clients. A distributed denial of service (DDoS, Distributed Denial of Service) attack is one in which the attacker uses at least two compromised hosts on the network to launch a DoS attack against the target device. Compared with a DoS attack, a DDoS attack is both harder to detect and more destructive.
To defend against DoS or DDoS attacks, the prior art proposes a static fingerprint technique. Static fingerprinting identifies attack packets by comparing the network traffic during an attack with the network traffic when no attack is taking place, and then analyses the content of the attack packets manually to obtain a fingerprint feature by which attack packets can be recognised. A fingerprint feature is a character string that appears at a fixed position in every attack packet. Once the fingerprint feature has been obtained, the network administrator configures it on network security devices such as firewalls and security gateways, which then perform content matching on the packets in subsequent traffic, so that attack packets that may appear are identified and filtered out and the network's ability to withstand DoS or DDoS attacks improves.
However, to evade detection, attackers regularly modify the content of attack packets, and once the content has changed the attack packets can no longer be detected by the configured fingerprint feature. Obtaining the fingerprint feature of the modified attack packets by manual analysis, as the static fingerprint technique requires, consumes a great deal of manpower on the one hand, and on the other hand the long duration of manual analysis causes detection to lag: by the time the fingerprint feature of the modified attack packets has been obtained, the DoS or DDoS attack being defended against has often already done serious damage to the network. It can be seen that an attacker can evade detection at very low cost.
Summary of the invention
The embodiments of the present application provide a method for obtaining the fingerprint feature of network attack packets, which to some extent solves the low efficiency of existing static fingerprint feature acquisition.
In a first aspect, a method for obtaining the fingerprint feature of network attack packets is provided, including:
receiving network traffic that contains normal packets and network attack packets, where a normal packet is a packet produced by a user's normal network behaviour and a network attack packet is a packet produced by an attacker carrying out a network attack;
recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the network traffic, where n is a natural number between 1 and the number of bytes of the packet payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position in the payload, each of the m rows corresponds to one character of the ASCII code, the characters corresponding to different rows are different, and the value of the element X_ij in row i and column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i occurs at the position offset j from the start of the payload;
obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payloads in the network traffic exceeds a set frequency threshold; and
determining the fingerprint feature of the network attack packets to be the feature string together with the position of the feature string in the payload.
Optionally, in some implementations, the network traffic is recorded by byte-by-byte scanning. Specifically, recording in the two-dimensional array of n columns and m rows the number of times each character occurs at each position of the payload of the packets in the network traffic includes:
for each packet in the network traffic, reading in turn the character C_p at the position offset p from the start of the packet payload, where p takes each natural number from 1 up to k, and k is the smaller of n and the payload length of the packet;
looking up, in the two-dimensional array, the element at column p and the row corresponding to the character C_p; and
increasing the value of the element found by a set increment unit on the basis of its current value, the increment unit being a positive number.
Optionally, in some implementations, obtaining from the two-dimensional array the feature string whose number of occurrences at a fixed position in the network traffic exceeds the set frequency threshold includes:
for the two-dimensional array, determining the elements whose value is greater than or equal to the set frequency threshold;
determining a continuation column in the two-dimensional array, a continuation column being a group of columns whose positions are pairwise adjacent and each of which contains an element whose value is greater than the set frequency threshold;
determining, from the number of columns contained in the continuation column, the position range of the continuation column in the payload;
determining the feature characters of each column in the continuation column, a feature character of a column being the character corresponding to an element in that column whose value is greater than the set frequency threshold; and
choosing, in the order of the columns in the continuation column, one feature character for each column and combining them into a feature string, the position of the feature string being the position range of the continuation column in the payload.
Optionally, in some implementations, before the feature string is obtained from the two-dimensional array, the method further includes:
obtaining the number of packets contained in the network traffic; and
multiplying the number of packets by a preset percentage value and using the product as the set frequency threshold.
The preset percentage value ranges from 10% to 100%. A preset percentage value between 10% and 100% is a preferred setting and gives accurate results; with a value such as 8% or 9% the fingerprint feature of the network attack packets can still be obtained.
Optionally, after the fingerprint feature of the network attack packets has been obtained, it can be applied to the network traffic above, and to network traffic received after it, in order to identify and filter packets. Specifically, after determining that the fingerprint feature of the network attack packets is the feature string together with its position in the payload, the method further includes:
matching a first packet in the network traffic against the fingerprint feature, and, if the first packet contains the fingerprint feature, determining that the first packet is a network attack packet and filtering it out, i.e. discarding the first packet; and
matching a second packet in the network traffic against the fingerprint feature, and, if the second packet does not contain the fingerprint feature, determining that the second packet is a normal packet and forwarding the second packet.
The method for obtaining the fingerprint feature of network attack packets provided by the embodiments of the present application does not need to distinguish normal packets from network attack packets in the traffic in advance. It records in a two-dimensional array the characters that occur at each position of the payload of the packets in the network traffic and the number of times each character occurs, and then uses the two-dimensional array to obtain the string that occurs most frequently at a fixed position of the payload as the fingerprint feature of the network attack packets. No manual analysis of packet payloads is needed in this process, which saves cost and time, offers good real-time performance, and improves the efficiency of obtaining the fingerprint feature of network attack packets.
In a second aspect, a device for obtaining the fingerprint feature of network attack packets is also provided, including:
a receiving module, for receiving network traffic that contains normal packets and network attack packets; and
a processing module, for recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the network traffic, where n is a natural number between 1 and the number of bytes of the packet payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position in the payload, each of the m rows corresponds to one character of the ASCII code, the characters corresponding to different rows are different, and the value of the element X_ij in row i and column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i occurs at the position offset j from the start of the payload;
for obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payloads in the network traffic exceeds a set frequency threshold; and
for determining the fingerprint feature of the network attack packets to be the feature string together with the position of the feature string in the payload.
Optionally, in some implementations, the device records the network traffic by byte-by-byte scanning. Specifically,
the processing module is for, for each packet in the network traffic, reading in turn the character C_p at the position offset p from the start of the packet payload, where p takes each natural number from 1 up to k, and k is the smaller of n and the payload length of the packet;
looking up, in the two-dimensional array, the element at column p and the row corresponding to the character C_p; and
increasing the value of the element found by a set increment unit on the basis of its current value, the increment unit being a positive number.
Optionally, in some implementations, the processing module is for, for the two-dimensional array, determining the elements whose value is greater than or equal to the set frequency threshold;
determining a continuation column in the two-dimensional array, a continuation column being a group of columns whose positions are pairwise adjacent and each of which contains an element whose value is greater than the set frequency threshold;
determining, from the number of columns contained in the continuation column, the position range of the continuation column in the payload;
determining the feature characters of each column in the continuation column, a feature character of a column being the character corresponding to an element in that column whose value is greater than the set frequency threshold; and
choosing, in the order of the columns in the continuation column, one feature character for each column and combining them into a feature string, the position of the feature string being the position range of the continuation column in the payload.
Optionally, the processing module is further for, before obtaining the feature string from the two-dimensional array, obtaining the number of packets contained in the network traffic; and
multiplying the number of packets by a preset percentage value and using the product as the set frequency threshold.
The preset percentage value ranges from 10% to 100%. A preset percentage value between 10% and 100% is a preferred setting and gives accurate results; with a value such as 8% or 9% the fingerprint feature of the network attack packets can still be obtained.
The device for obtaining the fingerprint feature of network attack packets provided by the embodiments of the present application does not need to distinguish normal packets from network attack packets in the traffic in advance. It records in a two-dimensional array the characters that occur at each position of the payload of the packets in the network traffic and the number of times each character occurs, and then uses the two-dimensional array to obtain the string that occurs most frequently at a fixed position of the payload as the fingerprint feature of the network attack packets. No manual analysis of packet payloads is needed in this process, which saves cost and time, offers good real-time performance, and improves the efficiency of obtaining the fingerprint feature of network attack packets.
In a third aspect, a network security device is also provided, including a memory, a processor, a network interface and a bus, the memory, the processor and the network interface being interconnected through the bus, characterised in that:
the network interface is for receiving network traffic that contains normal packets and network attack packets, where a normal packet is a packet produced by a user's normal network behaviour and a network attack packet is a packet produced by an attacker carrying out a network attack;
after reading the program code stored in the memory, the processor performs the following operations:
recording, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the network traffic, where n is a natural number between 1 and the number of bytes of the packet payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position in the payload, each of the m rows corresponds to one character of the ASCII code, the characters corresponding to different rows are different, and the value of the element X_ij in row i and column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i occurs at the position offset j from the start of the payload;
obtaining a feature string from the two-dimensional array, the feature string being a string whose number of occurrences at a fixed position of the packet payloads in the network traffic exceeds a set frequency threshold; and
determining the fingerprint feature of the network attack packets to be the feature string together with the position of the feature string in the payload.
The processor performs the method of the first aspect or of any possible implementation of the first aspect.
In a fourth aspect, the application provides a computer-readable medium for storing a computer program, the computer program including instructions for performing the method of the first aspect or of any possible implementation of the first aspect.
Brief description of the drawings
To explain the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario of the scheme for obtaining the fingerprint feature of network attack packets provided by the embodiments of the present application;
Fig. 2A is a schematic structural diagram of a network security device provided by the embodiments of the present application;
Fig. 2B is a schematic flow chart of the method for obtaining the fingerprint feature of network attack packets provided by the embodiments of the present application;
Fig. 3 is a schematic diagram of the operating principle of a network security device provided by the embodiments of the present application;
Fig. 4A is a schematic diagram of the initial state of an example two-dimensional array provided by the embodiments of the present application;
Fig. 4B is a schematic diagram of an intermediate state of the example two-dimensional array provided by the embodiments of the present application;
Fig. 4C is a schematic diagram of another intermediate state of the example two-dimensional array provided by the embodiments of the present application;
Fig. 4D is a schematic diagram of another intermediate state of the example two-dimensional array provided by the embodiments of the present application;
Fig. 4E is a schematic diagram of another intermediate state of the example two-dimensional array provided by the embodiments of the present application;
Fig. 4F is a schematic diagram of another intermediate state of the example two-dimensional array provided by the embodiments of the present application;
Fig. 4G is a schematic diagram of another intermediate state of the example two-dimensional array provided by the embodiments of the present application;
Fig. 4H is a schematic diagram of another intermediate state of the example two-dimensional array provided by the embodiments of the present application;
Fig. 5 is a schematic flow chart of the network security device provided by the embodiments of the present application recording network traffic in the two-dimensional array;
Fig. 6A is a schematic flow chart of obtaining the fingerprint feature of network attack packets from the two-dimensional array, as provided by the embodiments of the present application;
Fig. 6B is a schematic diagram of one state of the example two-dimensional array after processing, as provided by the embodiments of the present application;
Fig. 6C is a schematic diagram of another state of the example two-dimensional array after processing, as provided by the embodiments of the present application;
Fig. 7 is a schematic structural diagram of the device for obtaining the fingerprint feature of network attack packets provided by the embodiments of the present application.
Embodiments
Because the existing static fingerprint technique is time-consuming and labour-intensive and suffers from detection lag, the embodiments of the present application propose a method for automatically obtaining the fingerprint feature of network attack packets. In the embodiments of the present application, a fingerprint feature is a character string that occurs at a fixed position in every attack packet; for example, the string abcd occurs between the 2nd and the 5th character of the payload of every attack packet. The fingerprint feature is the basic criterion by which a network security device recognises network attack packets, and how to obtain the fingerprint feature of network attack packets in a timely and effective way is the problem this application sets out to solve.
The embodiments of the present application are described below with reference to the drawings.
Fig. 1 is a schematic diagram of an application scenario of the scheme for obtaining the fingerprint feature of network attack packets provided by the embodiments of the present application. In this network scenario, which includes devices such as switches, routers and network security devices, a switch is deployed in each protected network, and each switch is connected to a router through a network security device. The network security device can obtain the traffic transmitted between the Internet and the protected network and identify the legitimacy of that traffic according to pre-configured features, for example identifying normal packets or network attack packets, or identifying the protocol type of the data carried. Further, the network security device can filter or forward the traffic according to a pre-specified forwarding policy, such as filtering out (discarding) network attack packets and forwarding normal packets. By way of example, the network security device may be a firewall, a security gateway or a deep packet inspection (DPI, Deep packet inspection) device. The network security device in Fig. 1 can use the scheme provided by the present embodiment below to obtain the fingerprint feature of network attack packets and identify the legitimacy of traffic accordingly.
Obviously, the scheme provided by the present embodiment can also be applied in other scenarios. For example, to reduce the processing load on the network security devices, each network security device is connected to a traffic cleaning device. Traffic whose legitimacy the network security device fails to identify is forwarded to the traffic cleaning device; the traffic cleaning device uses the scheme provided by the present embodiment below to obtain the fingerprint feature of network attack packets, identifies the legitimacy of the traffic accordingly, and returns the cleaned, filtered traffic to the network security device for subsequent forwarding.
The structure and operating principle of the network security device in the scenario shown in Fig. 1 are described in detail below with reference to Fig. 2A, Fig. 2B and Fig. 3.
Fig. 2A is a schematic structural diagram of a network security device provided by the embodiments of the present application. The network security device includes a memory 210, a processor 220, a network interface 230 and a bus 240. The memory 210, the processor 220 and the network interface 230 are interconnected through the bus 240.
The memory 210 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or compact disc read-only memory (CD-ROM). The memory 210 stores the operating system running on the network security device and the program code of application programs; in the present embodiment the memory 210 also stores a feature library, in which the fingerprint features of network attack packets are kept.
The processor 220 may be one or more central processing units (CPU, Central Processing Unit); where the processor 220 is a single CPU, that CPU may be a single-core CPU or a multi-core CPU.
The network interface 230 may be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or a Gigabit Ethernet (GE) interface; the network interface 230 may also be a wireless interface.
The network security device implements the processing functions of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack jointly through the hardware of the network interface 230 and the operating system. As a rule, the network interface 230 implements in hardware the processing functions for the physical layer and for part of the protocols of the data link layer, such as parsing and encapsulating the packet's data; the data link layer protocols handled here are the relatively low-level ones, such as the protocols related to media access control (MAC, medium access control). The operating system implements the processing functions for the remaining data link layer protocols and for all network layer and transport layer protocols, likewise parsing and encapsulating packet data. The operating system provides an application programming interface (API, Application Programming Interface) to the application layer through sockets or dynamic link libraries, so application-layer programs only need to call the API to carry out network communication. In other words, in this way the TCP/IP stack is transparent to the application layer.
Fig. 2B is a flow chart of the method, performed by the network security device shown in Fig. 2A, for obtaining the fingerprint feature of network attack packets.
Step 20: the network interface 230 receives network traffic. The network traffic contains normal packets and network attack packets, where a normal packet is a packet produced by a user's normal network behaviour and a network attack packet is a packet produced by an attacker carrying out a network attack. In the present embodiment there is no need to distinguish the normal packets from the network attack packets in the traffic by manual analysis; the subsequent processing is simply performed directly on the network traffic in which normal packets and network attack packets are mixed.
After reading the program code stored in the memory 210, the processor 220 performs the following operations:
Step 40: the processor 220 records, in a two-dimensional array of n columns and m rows, the number of times each character occurs at each position of the payload of the packets in the network traffic.
In practice, the value range of n is determined by the protocol layer from which the parsed payload is obtained and by the maximum transmission unit (MTU, Maximum Transmission Unit) of packets of that layer as defined in widely accepted technical standards. For example, according to the Ethernet frame structure specified in the Institute of Electrical and Electronics Engineers (IEEE) 802.3-2012 standard, the maximum length of the network layer payload is 1500 bytes. The packet payload in this application refers to the TCP layer payload, the UDP layer payload, or the application layer payload, for example the Hypertext Transfer Protocol (HTTP, HyperText Transfer Protocol) layer payload, obtained after the packet has been parsed by the TCP/IP stack. n is a natural number between 1 and the number of bytes of the packet payload. Each of the n columns corresponds to one position in the payload, and the positions corresponding to different columns are different. For example, when n is 1500, each of columns 1 to 1500 corresponds to one of the 1500 bytes of the payload: column 1 corresponds to the 1st byte of the payload, column 2 to the 2nd byte, and so on, with column 1500 corresponding to the 1500th byte.
The payload content of message is binary data, and each byte is made up of 8bit, the value corresponding A SCII of each byte
A character in code.255 characters are shared in ASCII character, m span is the natural number between 1 to 255.In m rows
Often row is corresponding with a character in ASCII character respectively, and the character in ASCII character corresponding to each row is different.
To raise the processing efficiency of the processor 220 and reduce the memory space occupied, only the data at fixed positions of the payload content may be recorded, for example only the first 20 bytes of the payload content, or only the 100 bytes from the 101st byte to the 200th byte of the payload content. Likewise, only some of the characters that may appear in the payload content may be counted, for example only the number of occurrences of the 26 English letters at each position; if another symbol, such as "+", appears at a position being counted, it is not counted. Therefore, when the message payload content is HTTP-layer payload content, the value of n is no greater than the byte count of the message payload, and the value of m is a natural number from 1 to 255.
For simplicity and clarity, this application describes the two-dimensional array using the example in which the message payload content is HTTP-layer payload content consisting only of ASCII characters. To reduce the size of the two-dimensional array further, a two-dimensional array with m = 26 and n = 20 is used, that is, only the first 20 bytes of the message payload content are recorded, and only the cases in which the value of a payload byte corresponds to one of the 26 English letters of the ASCII code are recorded.
In the present embodiment, each of the n columns of the two-dimensional array corresponds to one position among the first 20 bytes of the payload content, and each of the m rows corresponds to one of the 26 English letters of the ASCII code. The initial state of the two-dimensional array is shown in Figure 4A.
Step 60: the processor 220 obtains a feature string from the two-dimensional array. The feature string is a character string whose number of occurrences at a fixed position of the message payload content in the network traffic exceeds a set frequency threshold.
Step 80: the processor 220 determines that the fingerprint characteristic of the network attack message is the feature string together with the position of the feature string in the payload content.
The way the network traffic is recorded with the two-dimensional array, and the process of obtaining the fingerprint characteristic of the network attack message from the recorded two-dimensional array, are described in detail below with a concrete example. After recording is complete, the value of each element of the two-dimensional array indicates how frequently each character appears at each position of the payload content of the messages in the network traffic. In other words, the value of the element X_ij in row i, column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i appears at the position whose offset from the start of the payload content is j bytes. Specifically, the value of an element of the two-dimensional array may directly indicate the number of occurrences of the character, or may be proportional to that number.
Optionally, the network security device also includes an input device 250. The input device 250 may be a touch screen, a keyboard, physical buttons, or the like. An administrator can use the input device 250 to modify data such as the configuration parameters and preset rules of the network security device through a command line or a graphical user interface.
Optionally, the network security device also includes an output device 260. The output device 260 may be a printer or a display, or audio equipment such as a sound card together with headphones or a loudspeaker connected to the sound card. The network security device can issue alerts, or give feedback on the administrator's configuration operations, through the output device 260. The administrator can interact with the network security device through the input device 250 and the output device 260.
Figure 3 is a schematic diagram of the operating principle of a network security device provided by an embodiment of this application. The network security device in Figure 3 is deployed in the network as shown in Figure 1: it is inserted in-line into the network transmission path and filters the network traffic in real time. In Figure 3, blank boxes represent normal messages and shaded boxes represent network attack messages.
The network security device receives network traffic T1 through the network interface 230. As shown, network traffic T1 contains both normal messages and network attack messages.
Step 302: the processor 220 of the network security device uses a two-dimensional array of n columns and m rows to record, for the messages in network traffic T1, the number of times each character appears at each position of the payload content. The processor 220 obtains the fingerprint characteristic of the network attack message from the two-dimensional array. The fingerprint characteristic indicates a feature string that appears at a fixed position of the message payload content; for example, fingerprint characteristic A indicates that the character string "xafeea" appears in the position range from offset 5 bytes to offset 11 bytes from the start of the payload content.
Generally, when a network attack such as a DDoS attack occurs, the number of network attack messages is larger than the number of normal messages. Normal messages are messages produced by a user's legitimate network behavior or by the user's use of normal network services, such as the messages produced when a user browses the web with a browser, downloads a file, or communicates with other users through an instant messaging tool. The content of normal messages is highly random, so the likelihood of the same content appearing with high frequency at a fixed position of the payload content is relatively low. The network security device exploits this phenomenon to learn fingerprint characteristics.
Step 303: the processor 220 of the network security device adds the fingerprint characteristic of the network attack message obtained in step 302 to the feature database stored in the memory 210, thereby updating the feature database.
Optionally, to give the processor 220 better control over adding fingerprint characteristics to the feature database and to improve the accuracy of the obtained fingerprint characteristics, the processor 220 presents the fingerprint characteristic of the network attack message obtained in step 302 to the administrator through the output device 260, waits for the confirmation feedback the administrator enters through the input device 250, and only then adds the fingerprint characteristic to the memory.
Optionally, to save storage space in the memory 210, the processor 220 can periodically count the number of times each fingerprint characteristic stored in the feature database is hit, and delete the fingerprint characteristics that have not been hit for a long time.
Step 305: the processor 220 of the network security device matches network traffic T2 against the updated feature database, so as to distinguish normal messages from network attack messages. Network traffic T2 may be network traffic T1 itself, or subsequent network traffic received by the network interface 230 after network traffic T1. If a message contains a fingerprint characteristic from the feature database, the message is confirmed to be a network attack message T3. If a message contains no fingerprint characteristic from the feature database, the message is confirmed to be a normal message T4.
Specifically, the network security device 220 compares each message in network traffic T2 with each fingerprint characteristic in the feature database one by one. Taking fingerprint characteristic A as an example, if the character string "xafeea" appears in a message in the position range from offset 5 bytes to offset 11 bytes from the start of the payload content, the payload content of the message is confirmed to contain the content described by fingerprint characteristic A, and the message is confirmed to be a network attack message.
Optionally, after the network security device has distinguished the normal messages from the network attack messages, it can forward the normal messages T4 normally and filter or block the network attack messages T3, preventing the network attack messages from propagating further in the network and reducing their impact on network services.
The way the network security device records network traffic with the two-dimensional array is introduced below with the example two-dimensional arrays shown in Figures 4A, 4B, 4C, 4D, 4E, 4F, 4G and 4H and the flow chart shown in Figure 5.
Step 51: the memory 210 of the network security device stores the network traffic received by the network interface 230. Specifically, the network security device can perform protocol parsing on each message in the network traffic received by the network interface 230, and the memory 210 stores only the HTTP-layer payload content of each message.
Optionally, other information about the messages can also be stored to support additional analysis and statistics. For example, the timestamp of each message can be stored to measure the intensity of the network attack, and the source IP address and destination IP address of each message can be stored to analyze the attack source and attack target; these are not described in detail one by one here.
Step 52: the processor 220 of the network security device reads the HTTP-layer payload content of each message one by one and performs the subsequent steps 53 to 55 on the HTTP-layer payload content of each message, until the HTTP-layer payload content of the last message stored in the memory 210 has been processed.
In the present embodiment, the description uses the example in which 7 messages are stored in the memory 210 of the network security device. In practice, to improve the accuracy of fingerprint-characteristic learning, a large number of messages, such as thousands or tens of thousands, are usually processed in the same way. The HTTP-layer payload contents of the 7 messages are shown in Table 1.
Table 1

| Test serial number | HTTP-layer payload content of the message |
| --- | --- |
| 1 | domainwwwsinacom |
| 2 | padkexafeeajnveiqhgn |
| 3 | kjeclxaffeeaqizp |
| 4 | oicaexafeeaxmndea |
| 5 | qcpuixafeeawpnbjdeq |
| 6 | iuvbdxafeeaqw |
| 7 | getindexhtml |
Step 53: starting from the start of the payload content of the message, read in turn the character Cp at the position with offset p, where p takes each natural number from 1 to k, and k is the smaller of n and the payload length of the message.
Step 54: in the two-dimensional array, look up the element located in column p and in the row corresponding to the character Cp. The element is in column p of the two-dimensional array, and its row is the row corresponding to the character Cp.
Step 55: increase the value of the element found by a set increment on the basis of its current value; the increment is a positive number. In the present embodiment the increment is set to 1, that is, 1 is added to the current value of the element found.
By way of example, each row of the two-dimensional array corresponds to one of the English letters a to z. When the two-dimensional array is initialized, the value of every element is 0.
(1) Scan each character of the payload content of message 1, which is "domainwwwsinacom".
Read the 1st character d of the payload content of message 1. Character d corresponds to row 4 of the array, and its position in the payload content is offset 1 from the start. Therefore look up the element X[4][1] at row 4, column 1 of the two-dimensional array and add 1 to its value. Since the initial value of X[4][1] is 0, its value after adding 1 is 1.
Read the 2nd character o of the payload content of message 1. Character o corresponds to row 15 of the array, and its position in the payload content is offset 2 from the start. Therefore look up the element X[15][2] at row 15, column 2 of the two-dimensional array and add 1 to its value. Since the initial value of X[15][2] is 0, its value after adding 1 is 1.
Read the 3rd character m of the payload content of message 1. Character m corresponds to row 13 of the array, and its position in the payload content is offset 3 from the start. Therefore look up the element X[13][3] at row 13, column 3 of the two-dimensional array and add 1 to its value. Since the initial value of X[13][3] is 0, its value after adding 1 is 1.
Read the 4th character a of the payload content of message 1. Character a corresponds to row 1 of the array, and its position in the payload content is offset 4 from the start. Therefore look up the element X[1][4] at row 1, column 4 of the two-dimensional array and add 1 to its value. Since the initial value of X[1][4] is 0, its value after adding 1 is 1.
Read the 5th character i of the payload content of message 1. Character i corresponds to row 9 of the array, and its position in the payload content is offset 5 from the start. Therefore look up the element X[9][5] at row 9, column 5 of the two-dimensional array and add 1 to its value. Since the initial value of X[9][5] is 0, its value after adding 1 is 1.
Read the 6th character w of the payload content of message 1. Character w corresponds to row 23 of the array, and its position in the payload content is offset 6 from the start. Therefore look up the element X[23][6] at row 23, column 6 of the two-dimensional array and add 1 to its value. Since the initial value of X[23][6] is 0, its value after adding 1 is 1.
Read the 7th character w of the payload content of message 1. Character w corresponds to row 23 of the array, and its position in the payload content is offset 7 from the start. Therefore look up the element X[23][7] at row 23, column 7 of the two-dimensional array and add 1 to its value. Since the initial value of X[23][7] is 0, its value after adding 1 is 1.
Read the 8th character w of the payload content of message 1. Character w corresponds to row 23 of the array, and its position in the payload content is offset 8 from the start. Therefore look up the element X[23][8] at row 23, column 8 of the two-dimensional array and add 1 to its value. Since the initial value of X[23][8] is 0, its value after adding 1 is 1.
Read the 9th character s of the payload content of message 1. Character s corresponds to row 19 of the array, and its position in the payload content is offset 9 from the start. Therefore look up the element X[19][9] at row 19, column 9 of the two-dimensional array and add 1 to its value. Since the initial value of X[19][9] is 0, its value after adding 1 is 1.
Read the 10th character i of the payload content of message 1. Character i corresponds to row 9 of the array, and its position in the payload content is offset 10 from the start. Therefore look up the element X[9][10] at row 9, column 10 of the two-dimensional array and add 1 to its value. Since the initial value of X[9][10] is 0, its value after adding 1 is 1.
Read the 11th character n of the payload content of message 1. Character n corresponds to row 14 of the array, and its position in the payload content is offset 11 from the start. Therefore look up the element X[14][11] at row 14, column 11 of the two-dimensional array and add 1 to its value. Since the initial value of X[14][11] is 0, its value after adding 1 is 1.
Read the 12th character a of the payload content of message 1. Character a corresponds to row 1 of the array, and its position in the payload content is offset 12 from the start. Therefore look up the element X[1][12] at row 1, column 12 of the two-dimensional array and add 1 to its value. Since the initial value of X[1][12] is 0, its value after adding 1 is 1.
Read the 13th character c of the payload content of message 1. Character c corresponds to row 3 of the array, and its position in the payload content is offset 13 from the start. Therefore look up the element X[3][13] at row 3, column 13 of the two-dimensional array and add 1 to its value. Since the initial value of X[3][13] is 0, its value after adding 1 is 1.
Read the 14th character o of the payload content of message 1. Character o corresponds to row 15 of the array, and its position in the payload content is offset 14 from the start. Therefore look up the element X[15][14] at row 15, column 14 of the two-dimensional array and add 1 to its value. Since the initial value of X[15][14] is 0, its value after adding 1 is 1.
Read the 15th character m of the payload content of message 1. Character m corresponds to row 13 of the array, and its position in the payload content is offset 15 from the start. Therefore look up the element X[13][15] at row 13, column 15 of the two-dimensional array and add 1 to its value. Since the initial value of X[13][15] is 0, its value after adding 1 is 1.
After message 1 has been processed, the content of the two-dimensional array is as shown in Figure 4B.
(2) Scan each character of the payload content of message 2, which is "padkexafeeajnveiqhgn".
Read the 1st character p of the payload content of message 2. Character p corresponds to row 16 of the array, and its position in the payload content is offset 1 from the start. Therefore, in the two-dimensional array shown in Figure 4B, look up the element X[16][1] at row 16, column 1 and add 1 to its value. Since the initial value of X[16][1] is 0, its value after adding 1 is 1.
Read the 2nd character a of the payload content of message 2. Character a corresponds to row 1 of the array, and its position in the payload content is offset 2 from the start. Therefore, in the two-dimensional array shown in Figure 4B, look up the element X[1][2] at row 1, column 2 and add 1 to its value. Since the initial value of X[1][2] is 0, its value after adding 1 is 1.
After the 3rd to 20th characters of the payload content of message 2 have been processed in turn in the same way as the 1st and 2nd characters, the content of the two-dimensional array is as shown in Figure 4C.
(3) Scan each character of the payload content of message 3, processing it in the same way as messages 1 and 2 in (1) and (2); update the element values of the two-dimensional array shown in Figure 4C to obtain the two-dimensional array shown in Figure 4D.
(4) Scan each character of the payload content of message 4, processing it in the same way as messages 1 and 2 in (1) and (2); update the element values of the two-dimensional array shown in Figure 4D to obtain the two-dimensional array shown in Figure 4E.
(5) Scan each character of the payload content of message 5, processing it in the same way as messages 1 and 2 in (1) and (2); update the element values of the two-dimensional array shown in Figure 4E to obtain the two-dimensional array shown in Figure 4F.
(6) Scan each character of the payload content of message 6, processing it in the same way as messages 1 and 2 in (1) and (2); update the element values of the two-dimensional array shown in Figure 4F to obtain the two-dimensional array shown in Figure 4G.
(7) Scan each character of the payload content of message 7, processing it in the same way as messages 1 and 2 in (1) and (2); update the element values of the two-dimensional array shown in Figure 4G to obtain the two-dimensional array shown in Figure 4H.
The method shown in Figure 5 records the network traffic by scanning it byte by byte; this is obviously only one possible recording method. It is also possible for each core of a multi-core CPU to read and record several bytes at fixed positions in parallel; since the principle is similar, this is not described in detail here.
The process by which the network security device obtains the fingerprint characteristic of the network attack message from the recorded two-dimensional array is introduced below with the flow chart shown in Figure 6A and the two-dimensional arrays shown in Figures 6B and 6C.
Step 61: the processor 220 in the network security device examines the two-dimensional array and determines the elements whose value is greater than or equal to a set frequency threshold.
In practice, the values of the elements of a column that are greater than or equal to the set frequency threshold can be retained, and the values of the elements that are less than the set frequency threshold deleted from the two-dimensional array. Alternatively, a special indicator bit can be set on the elements whose value is greater than or equal to the set frequency threshold. It is only necessary to ensure that solely the elements whose value is greater than or equal to the set frequency threshold are considered when determining the fingerprint characteristic of the network attack.
Optionally, the set frequency threshold may be a pre-configured fixed value, such as 5.
Optionally, the set frequency threshold may also be looked up from a pre-configured correspondence between message-count ranges and frequency thresholds. Table 2 is an example of the correspondence between message-count ranges and frequency thresholds.
Table 2

| Message-count range | Frequency threshold |
| --- | --- |
| 2~100 | 5 |
| 101~1000 | 50 |
| 1001~10000 | 200 |
| More than 10001 | 500 |

In the example shown in Figure 5, the number of messages stored in the memory 210 is 7, so the set frequency threshold looked up from Table 2 is 5. Assuming the number of messages stored in the memory 210 were 1000, the set frequency threshold looked up from Table 2 would be 50.
Optionally, the set frequency threshold may also be the product of the number of messages stored in the memory 210 and a preset percentage value, where the preset percentage value ranges from 10% to 100%. Assuming the number of messages stored in the memory 210 is 1000 and the preset percentage value is 10%, the product of the message count and the preset percentage value is 1000 * 10% = 100, that is, the set frequency threshold is 100.
Continuing with the example shown in Figure 5, the set frequency threshold is 5, so in the two-dimensional array shown in Figure 4H the values of the elements that exceed the set frequency threshold are retained, as shown in Figure 6B.
Step 62: the processor 220 determines the consecutive columns in the two-dimensional array. The columns of a consecutive-column group are pairwise adjacent in position, and each of them contains an element whose value is greater than or equal to the set frequency threshold.
As shown in Figure 6B, one consecutive-column group is made up of columns 6, 7, 8, 9, 10 and 11. It should be noted that the number of consecutive-column groups may be greater than 1.
Step 63: the processor 220 determines the position range of the consecutive columns in the payload content from the columns the group includes.
Because the consecutive columns comprise columns 6 to 11, the position of the consecutive columns in the payload content is bytes 6 to 11 from the start of the payload.
Step 64: the feature character corresponding to each column of the consecutive columns is determined. The feature character of a column is the character corresponding to an element of that column whose value is greater than the set frequency threshold.
In the example shown in Figure 6B, the character corresponding to column 6 is x, the character corresponding to column 7 is a, the character corresponding to column 8 is f, the character corresponding to column 9 is e, the character corresponding to column 10 is e, and the character corresponding to column 11 is a.
Step 65: the processor 220 selects, in the order of the columns of the consecutive columns, one feature character corresponding to each column and combines them into a feature string; the position of the feature string is the position range of the consecutive columns in the payload content.
In the example shown in Figure 6B, selecting one feature character for each column in the order of columns 6 to 11 gives the feature string xafeea, and the position of the feature string in the payload content is bytes 6 to 11 from the start of the payload.
In fact, Figure 6B shows a fairly simple case. In many cases some column of the consecutive columns contains at least two elements whose values exceed the set frequency threshold, and then at least two feature strings are obtained. As shown in Figure 6C, assume that column 6 has two elements whose values exceed the set frequency threshold, namely the element X[3][6] at row 3, column 6 and the element X[24][6] at row 24, column 6. The letter corresponding to X[3][6] is c, and the letter corresponding to X[24][6] is x. In this case two feature strings are obtained, xafeea and cafeea. It will be understood that when some column of the consecutive columns has two or more elements whose values exceed the set frequency threshold, or when the consecutive columns contain several such columns with multiple qualifying elements, more feature strings are generated.
Step 66: the processor 220 determines that the fingerprint characteristic of the network attack message is the feature string together with the position of the feature string in the payload content, and stores the fingerprint characteristic in the memory 210.
For example, in the example shown in Figure 5B, the processor 220 determines that fingerprint characteristic 1 is the character string xafeea at bytes 6 to 11 from the start of the payload. In the example shown in Figure 5C, the processor 220 determines that fingerprint characteristic 1 is the character string xafeea at bytes 6 to 11 from the start of the payload, and fingerprint characteristic 2 is the character string cafeea at bytes 6 to 11 from the start of the payload.
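The recording procedure of steps 51 to 55, the threshold lookup of Table 2, the extraction of steps 61 to 66 and the match of step 305, as an added Python example; this is not the patent's own code and not part of any product. The sample payloads are constructed for this example in the shape of Table 1: message 3 is written with a single f so that the five attack payloads line up at bytes 6 to 11 and the threshold of 5 from Table 2 is reached, as in Figure 6B (with Table 1 exactly as printed, "xaffeea" in message 3 shifts its tail by one byte and column 9 reaches only four e's). The second constructed set reproduces the Figure 6C case, in which one column has two qualifying characters. The function and constant names (record, threshold_for, extract_fingerprints, matches, learn) are this example's own.

```python
# Added example, not the patent's own code: the n-column, m-row count array,
# the threshold lookup of Table 2, the consecutive-column feature-string
# extraction of steps 61 to 66, and the fingerprint match of step 305,
# written in plain Python over constructed sample payloads.
from itertools import product
from string import ascii_lowercase

N_COLS = 20             # n = 20: only the first 20 payload bytes are recorded
ROWS = ascii_lowercase  # m = 26: one row per English letter a..z


def record(payloads, n_cols=N_COLS):
    """Steps 51-55: for every message, walk offsets p = 1..k (k = min(n, payload
    length)) and add 1 to the element in column p, row of character Cp.
    The array is kept sparse as {(letter, column): count}; a missing key is 0."""
    counts = {}
    for payload in payloads:
        k = min(n_cols, len(payload))
        for p in range(1, k + 1):
            c = payload[p - 1]
            if c in ROWS:               # characters outside a..z have no row
                counts[(c, p)] = counts.get((c, p), 0) + 1
    return counts


# Table 2 of the page: (lower bound, upper bound, frequency threshold)
THRESHOLD_TABLE = [(2, 100, 5), (101, 1000, 50), (1001, 10000, 200)]


def threshold_for(message_count):
    """Look up the set frequency threshold from the message count (Table 2)."""
    for lo, hi, thr in THRESHOLD_TABLE:
        if lo <= message_count <= hi:
            return thr
    return 500                          # the "more than 10001" row


def extract_fingerprints(counts, threshold, n_cols=N_COLS):
    """Steps 61-66: keep elements >= threshold (step 61), group adjacent
    columns that each hold such an element (steps 62-63), take the qualifying
    character(s) of each column (step 64) and combine one per column into a
    feature string (step 65).  A column with several qualifying characters
    yields one string per combination, the Figure 6C case.
    Returns [(feature_string, first_byte, last_byte)] with 1-based offsets."""
    candidates = {}                     # column -> qualifying letters
    for (c, p), v in counts.items():
        if v >= threshold:
            candidates.setdefault(p, []).append(c)
    fingerprints = []
    p = 1
    while p <= n_cols:
        if p not in candidates:
            p += 1
            continue
        start = p                       # first column of a consecutive run
        while p + 1 in candidates:
            p += 1
        end = p                         # last column of the run
        choices = [sorted(candidates[q]) for q in range(start, end + 1)]
        for combo in product(*choices):
            fingerprints.append(("".join(combo), start, end))
        p += 1
    return fingerprints


def matches(payload, fingerprint):
    """Step 305: a message carries the fingerprint only when the feature string
    sits exactly at the recorded byte range, not merely anywhere in the payload."""
    s, start, end = fingerprint
    return payload[start - 1:end] == s


# Constructed sample set in the shape of Table 1: five payloads carry "xafeea"
# at bytes 6-11, two ordinary payloads do not.  With 7 messages Table 2 gives
# a threshold of 5, so only columns 6-11 survive step 61.
SAMPLE = [
    "domainwwwsinacom",
    "padkexafeeajnveiqhgn",
    "kjeclxafeeaqizp",
    "oicaexafeeaxmndea",
    "qcpuixafeeawpnbjdeq",
    "iuvbdxafeeaqw",
    "getindexhtml",
]

# Constructed set for the Figure 6C case: column 6 holds both 'x' and 'c'
# five times each, so two feature strings come out of the same column run.
SAMPLE_TWO = ([p + "xafeea" for p in ("abcde", "fghij", "klmno", "pqrst", "uvwxy")]
              + [p + "cafeea" for p in ("bcdef", "ghijk", "lmnop", "qrstu", "vwxyz")])


def learn(payloads):
    """Record the traffic and return the learned fingerprints."""
    return extract_fingerprints(record(payloads), threshold_for(len(payloads)))


if __name__ == "__main__":
    fps = learn(SAMPLE)
    print(fps)                                   # [('xafeea', 6, 11)]
    print([matches(m, fps[0]) for m in SAMPLE])  # True only for the five attack payloads
    print(learn(SAMPLE_TWO))                     # [('cafeea', 6, 11), ('xafeea', 6, 11)]
```

Matching on the exact byte range, rather than searching the whole payload, is what keeps the fingerprint tied to the position the array learned; a plain substring search would raise false positives on normal traffic that happens to contain the same letters elsewhere. The threshold comparison uses "greater than or equal to", following step 61.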
The way of obtaining the fingerprint characteristic of the network attack message shown in Figure 6A is one possible way. In actual implementation, other ways of obtaining the consecutive columns can also be used, as long as the consecutive columns can be obtained.
The method of obtaining the fingerprint characteristic of a network attack message proposed in the embodiments of this application does not require the normal messages and the network attack messages in the traffic to be distinguished in advance. It uses a two-dimensional array to record the characters that appear at each position of the payload content of the messages in the network traffic, and the number of times each character appears. It then uses the two-dimensional array to obtain, as the fingerprint characteristic of the network attack message, the character string that appears with high frequency at a fixed position of the payload content. The fingerprint characteristic of the network attack message obtained with the two-dimensional array can then be applied in a network security device for attack detection and packet filtering. In the above process the payload content of the messages need not be analyzed manually, which saves cost and time and gives good real-time performance.
The embodiment of the present application additionally provides a kind of device for the fingerprint characteristic for obtaining network attack message, the logic of the device
Structure chart is as shown in Figure 7.The device can be that Network Security Device in preceding embodiment or one are relatively independent
Hardware module or software module, it is integrated in the Network Security Device in preceding embodiment.For example, the device is patched in network
A plate in the machine frame of safety means, or the device are a relatively independent application software.Or the device can also
It is another independent physical equipment being connected with the Network Security Device in preceding embodiment, such as flow cleaning equipment.On
The application scenarios for stating the device for the fingerprint characteristic for obtaining network attack message refer to accompanying drawing 1 and related text in preceding embodiment
Word description.In the device implementation detail of each module also refer to accompanying drawing 3 in preceding embodiment, accompanying drawing 4A, 4B, 4C, 4D, 4E,
4F, 4G, 4H, accompanying drawing 5, accompanying drawing 6A, 6B, 6C and related text description.It is not repeated herein.
The device for obtaining the fingerprint characteristic of a network attack message comprises the following functional modules: a receiving module 701 and a processing module 702. These functional modules may be implemented in software, in hardware, or in a combination of software and hardware. When implemented in software, for example, receiving module 701 and processing module 702 may be software functional modules generated when the CPU of the network security device reads the program code of the application software stored in the memory: receiving module 701 reads, over the bus, the network traffic data delivered by the network interface, and processing module 702 performs the subsequent recording and fingerprint determination.
When implemented in a combination of software and hardware, receiving module 701 may be the network interface, and processing module 702 may be a software functional module generated when the CPU of the network security device reads the program code stored in the memory. Receiving module 701 sends the received network traffic data to the CPU over the bus, and processing module 702 generated by the CPU performs the subsequent recording and fingerprint determination.
Receiving module 701 is configured to receive network traffic, which contains both normal messages and network attack messages.
Processing module 702 is configured to record, in a two-dimensional array of n columns and m rows, the number of times each character appears at each position of the payload content of the messages in the network traffic. Here n is a natural number between 1 and the number of bytes of the message payload, and m is a natural number between 1 and 255; each of the n columns corresponds to one position of the payload content, each of the m rows corresponds to one ASCII character, and the characters corresponding to different rows are different. The value of the element X_ij in row i, column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i appears at offset j from the start of the payload content.
Processing module 702 is further configured to obtain a feature string from the two-dimensional array, a feature string being a character string whose number of occurrences at a fixed position of the payload content of the messages in the network traffic exceeds a set frequency threshold, and to determine the fingerprint characteristic of the network attack message as the feature string together with the position of the feature string in the payload content.
Optionally, processing module 702 records, in the two-dimensional array of n columns and m rows, the number of times each character appears at each position of the payload content of the messages in the network traffic as follows. For every message in the network traffic, the character C_p at offset p from the start of the message's payload content is read in turn, where p takes each natural number from 1 to k and k is the smaller of n and the payload length of the message. In the two-dimensional array, the element at column p and the row corresponding to character C_p is located, and its value is increased, on the basis of its current value, by a set increment unit; the increment unit is a positive number.
Optionally, processing module 702 obtains from the two-dimensional array the feature strings whose number of occurrences at a fixed position in the network traffic exceeds the set frequency threshold as follows. For the two-dimensional array, the elements whose value is greater than or equal to the set frequency threshold are determined. Then the continuous columns in the two-dimensional array are determined: a run of continuous columns is a set of columns whose positions are pairwise adjacent and each of which contains an element whose value is greater than the set frequency threshold. The number of columns in the run determines the position range of the run in the payload content. For each column in the run, the characteristic character is determined, namely the character corresponding to an element in that column whose value is greater than the set frequency threshold. Following the order of the columns in the run, one characteristic character is chosen for each column, and these are concatenated into the feature string; the position of the feature string is the position range of the run in the payload content.
Optionally, the set frequency threshold may be obtained in various ways. In one of them, before processing module 702 obtains the feature string from the two-dimensional array, it obtains the number of messages contained in the network traffic and multiplies this number by a preset percentage value; the product is used as the set frequency threshold. The preset percentage value ranges from 10% to 100%.
Optionally, the device for obtaining the fingerprint characteristic of a network attack message shown in Figure 7 further includes a matching module 703, configured to match a first message in the network traffic against the fingerprint characteristic and, if the first message contains the fingerprint characteristic, determine that the first message is a network attack message; and to match a second message in the network traffic against the fingerprint characteristic and, if the second message does not contain the fingerprint characteristic, determine that the second message is a normal message.
Further, the device for obtaining the fingerprint characteristic of a network attack message shown in Figure 7 also includes a filtering module 704 and a forwarding module 705. Filtering module 704 is configured to discard the first message. Forwarding module 705 is configured to forward the second message; specifically, forwarding module 705 looks up a route according to the destination address of the second message and forwards the message. Message forwarding is prior art and is not described in detail here.
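The recording, feature-string extraction, threshold and matching/filtering steps described above, as an added worked example. This is example code written for this page, not the patentee's implementation (the patent text contains no source code). It assumes 0-based offsets, a table of 256 rows so that every byte value is counted (the text speaks of ASCII rows 1 to 255), a "greater than or equal to" comparison throughout (the text says both "exceeds" and "greater than or equal to"), and picks the most frequent byte of a column when several reach the threshold; the sample traffic and the function names (`build_count_table`, `extract_fingerprints`, `classify_traffic`, `run_demo`) are constructed for illustration. It goes one step beyond the text by running the same traffic at two preset percentages to show how the threshold decides what becomes a fingerprint.

```python
"""Position-indexed character-count fingerprinting (illustrative example,
not the patentee's code).  Assumptions not taken from the patent text:
0-based offsets, 256 rows (all byte values), '>=' comparison, and the
most frequent byte of a column as its characteristic character."""
from typing import List, Tuple

# A fingerprint is (feature string, start offset, end offset), both inclusive.
Fingerprint = Tuple[bytes, int, int]


def build_count_table(payloads: List[bytes], n: int) -> List[List[int]]:
    """Return table T with T[j][c] = number of payloads whose byte at offset j
    equals c: j is the column (payload position) and c the row (byte value)
    of the patent's n-column, m-row array."""
    table = [[0] * 256 for _ in range(n)]
    for payload in payloads:
        k = min(n, len(payload))          # k = smaller of n and payload length
        for p in range(k):
            table[p][payload[p]] += 1     # increment unit = 1
    return table


def frequency_threshold(message_count: int, percent: int) -> float:
    """Threshold = message count * preset percentage (integer 10..100)."""
    if not 10 <= percent <= 100:
        raise ValueError("preset percentage must be between 10 and 100")
    return message_count * percent / 100


def extract_fingerprints(table: List[List[int]], threshold: float) -> List[Fingerprint]:
    """Walk the columns left to right; every maximal run of adjacent columns
    that each contain an element >= threshold yields one feature string made
    of the most frequent byte of each column in the run."""
    fingerprints: List[Fingerprint] = []
    run: List[int] = []                   # characteristic bytes of current run
    start = 0
    for j, column in enumerate(table):
        best = max(range(256), key=lambda c: column[c])
        if column[best] >= threshold:
            if not run:
                start = j
            run.append(best)
        elif run:
            fingerprints.append((bytes(run), start, j - 1))
            run = []
    if run:                               # run extends to the last column
        fingerprints.append((bytes(run), start, len(table) - 1))
    return fingerprints


def matches_fingerprint(payload: bytes, fp: Fingerprint) -> bool:
    """Position-anchored match: the feature string must sit exactly at its
    recorded offset, not merely occur somewhere in the payload."""
    feature, start, end = fp
    return payload[start:end + 1] == feature


def classify_traffic(payloads: List[bytes], fingerprints: List[Fingerprint]):
    """Return (dropped, forwarded): a message carrying any fingerprint is an
    attack message and is dropped, every other message is forwarded."""
    dropped: List[bytes] = []
    forwarded: List[bytes] = []
    for payload in payloads:
        if any(matches_fingerprint(payload, fp) for fp in fingerprints):
            dropped.append(payload)
        else:
            forwarded.append(payload)
    return dropped, forwarded


# Constructed sample traffic: seven flood packets that share an 8-byte marker
# at offsets 4..11 behind a varying 4-byte header, plus three benign packets.
SAMPLE_TRAFFIC = [
    b"\x01\x02\x03\x04EVILPAD!aaaa",
    b"\x05\x06\x07\x08EVILPAD!bbbb",
    b"\x09\x0a\x0b\x0cEVILPAD!cccc",
    b"\x0d\x0e\x0f\x10EVILPAD!dddd",
    b"\x11\x12\x13\x14EVILPAD!eeee",
    b"\x15\x16\x17\x18EVILPAD!ffff",
    b"\x19\x1a\x1b\x1cEVILPAD!gggg",
    b"GET / HTTP/1.1\r\n",
    b"POST /x HTTP/1.1",
    b"hello world!!!",
]


def run_demo(percent: int = 70):
    """Build the table from the sample traffic, extract fingerprints at the
    given percentage and filter the same traffic with them."""
    table = build_count_table(SAMPLE_TRAFFIC, n=16)
    threshold = frequency_threshold(len(SAMPLE_TRAFFIC), percent)
    fingerprints = extract_fingerprints(table, threshold)
    dropped, forwarded = classify_traffic(SAMPLE_TRAFFIC, fingerprints)
    return fingerprints, dropped, forwarded


if __name__ == "__main__":
    for pct in (70, 20):
        fps, dropped, forwarded = run_demo(pct)
        print(f"{pct}%: fingerprints={fps} dropped={len(dropped)} forwarded={len(forwarded)}")
```

At 70% the only fingerprint is `EVILPAD!` at offsets 4..11 and exactly the seven flood packets are dropped. At 20% the two benign HTTP requests, which happen to share the byte `1` at offset 13, also produce a fingerprint and are dropped together with the flood. The preset percentage therefore has to sit above the share of benign traffic that carries position-aligned protocol constants, and the fingerprint should be matched at its recorded offset (as `matches_fingerprint` does) rather than searched anywhere in the payload; otherwise the filter itself becomes a denial of service against legitimate clients.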
The device for obtaining the fingerprint characteristic of a network attack message provided by the embodiment of the present application is deployed in the network transmission path and receives the network traffic flowing through it, without first distinguishing the normal messages from the network attack messages in that traffic. A two-dimensional array records, for the messages in the network traffic, the characters that appear at each position of the payload content and the number of times each character appears; from this array, the character strings that appear with high frequency at fixed positions of the payload content are obtained as the fingerprint characteristic of the network attack message. This fingerprint characteristic can then be applied in a network security device for attack detection and packet filtering. No manual analysis of the message payload is needed in this process, which saves cost and time and gives good real-time performance.
In addition, the embodiment of the present application further provides a non-volatile computer-readable medium for storing a computer program. The computer-readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing, for example a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, or a portable compact disc read-only memory (CD-ROM). The computer program includes instructions for performing the methods described with reference to Figures 3, 4A to 4H, 5, 6A to 6C and the related description.
Claims (10)
- 1. A method for obtaining the fingerprint characteristic of a network attack message, characterised in that it comprises: receiving network traffic, the network traffic containing normal messages and network attack messages, where a normal message is a message produced by the normal network behaviour of a user and a network attack message is a message produced by an attacker performing a network attack; recording, in a two-dimensional array of n columns and m rows, the number of times each character appears at each position of the payload content of the messages in the network traffic, where n is a natural number between 1 and the number of bytes of the message payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position of the payload content, each of the m rows corresponds to one ASCII character, the characters corresponding to different rows are different, and the value of the element X_ij in row i, column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i appears at offset j from the start of the payload content; obtaining a feature string from the two-dimensional array, the feature string being a character string whose number of occurrences at a fixed position of the payload content of the messages in the network traffic exceeds a set frequency threshold; and determining the fingerprint characteristic of the network attack message to be the feature string and the position of the feature string in the payload content.
- 2. The method according to claim 1, characterised in that recording, in the two-dimensional array of n columns and m rows, the number of times each character appears at each position of the payload content of the messages in the network traffic comprises: for every message in the network traffic, reading in turn the character C_p at offset p from the start of the message's payload content, p taking each natural number from 1 to k, where k is the smaller of n and the payload length of the message; locating, in the two-dimensional array, the element at column p and the row corresponding to character C_p; and increasing the value of the located element, on the basis of its current value, by a set increment unit, the increment unit being a positive number.
- 3. The method according to claim 1 or 2, characterised in that obtaining from the two-dimensional array the feature strings whose number of occurrences at a fixed position in the network traffic exceeds the set frequency threshold comprises: determining, for the two-dimensional array, the elements whose value is greater than or equal to the set frequency threshold; determining the continuous columns in the two-dimensional array, the positions of the columns in a run of continuous columns being pairwise adjacent and each such column containing an element whose value is greater than the set frequency threshold; determining, from the number of columns in the run, the position range of the run in the payload content; determining the characteristic character of each column in the run, the characteristic character being the character corresponding to an element in that column whose value is greater than the set frequency threshold; and choosing, in the order of the columns in the run, one characteristic character for each column and concatenating them into the feature string, the position of the feature string being the position range of the run in the payload content.
- 4. The method according to any one of claims 1 to 3, characterised in that, before obtaining the feature string from the two-dimensional array, it further comprises: obtaining the number of messages contained in the network traffic; and multiplying the number of messages by a preset percentage value to obtain a product, the product being used as the set frequency threshold.
- 5. The method according to claim 4, characterised in that the preset percentage value ranges from 10% to 100%.
- 6. A device for obtaining the fingerprint characteristic of a network attack message, characterised in that it comprises: a receiving module, configured to receive network traffic, the network traffic containing normal messages and network attack messages; and a processing module, configured to record, in a two-dimensional array of n columns and m rows, the number of times each character appears at each position of the payload content of the messages in the network traffic, where n is a natural number between 1 and the number of bytes of the message payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position of the payload content, each of the m rows corresponds to one ASCII character, the characters corresponding to different rows are different, and the value of the element X_ij in row i, column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i appears at offset j from the start of the payload content; to obtain a feature string from the two-dimensional array, the feature string being a character string whose number of occurrences at a fixed position of the payload content of the messages in the network traffic exceeds a set frequency threshold; and to determine the fingerprint characteristic of the network attack message to be the feature string and the position of the feature string in the payload content.
- 7. The device according to claim 6, characterised in that the processing module is configured to: for every message in the network traffic, read in turn the character C_p at offset p from the start of the message's payload content, p taking each natural number from 1 to k, where k is the smaller of n and the payload length of the message; locate, in the two-dimensional array, the element at column p and the row corresponding to character C_p; and increase the value of the located element, on the basis of its current value, by a set increment unit, the increment unit being a positive number.
- 8. The device according to claim 6 or 7, characterised in that the processing module is configured to: determine, for the two-dimensional array, the elements whose value is greater than or equal to the set frequency threshold; determine the continuous columns in the two-dimensional array, the positions of the columns in a run of continuous columns being pairwise adjacent and each such column containing an element whose value is greater than the set frequency threshold; determine, from the number of columns in the run, the position range of the run in the payload content; determine the characteristic character of each column in the run, the characteristic character being the character corresponding to an element in that column whose value is greater than the set frequency threshold; and choose, in the order of the columns in the run, one characteristic character for each column and concatenate them into the feature string, the position of the feature string being the position range of the run in the payload content.
- 9. The device according to claim 6 or 7, characterised in that the processing module is further configured, before obtaining the feature string from the two-dimensional array, to obtain the number of messages contained in the network traffic and to multiply the number of messages by a preset percentage value to obtain a product, the product being used as the set frequency threshold.
- 10. A network security device, comprising a memory, a processor, a network interface and a bus, the memory, the processor and the network interface being connected to one another by the bus, characterised in that: the network interface is configured to receive network traffic, the network traffic containing normal messages and network attack messages, where a normal message is a message produced by the normal network behaviour of a user and a network attack message is a message produced by an attacker performing a network attack; and the processor, after reading the program code stored in the memory, performs the following operations: recording, in a two-dimensional array of n columns and m rows, the number of times each character appears at each position of the payload content of the messages in the network traffic, where n is a natural number between 1 and the number of bytes of the message payload, m is a natural number between 1 and 255, each of the n columns corresponds to one position of the payload content, each of the m rows corresponds to one ASCII character, the characters corresponding to different rows are different, and the value of the element X_ij in row i, column j of the two-dimensional array is positively correlated with the number of times the character corresponding to row i appears at offset j from the start of the payload content; obtaining a feature string from the two-dimensional array, the feature string being a character string whose number of occurrences at a fixed position of the payload content of the messages in the network traffic exceeds a set frequency threshold; and determining the fingerprint characteristic of the network attack message to be the feature string and the position of the feature string in the payload content.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610338317.5A CN107404459B (en) | 2016-05-19 | 2016-05-19 | Method for acquiring fingerprint characteristics of network attack message and network equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610338317.5A CN107404459B (en) | 2016-05-19 | 2016-05-19 | Method for acquiring fingerprint characteristics of network attack message and network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107404459A true CN107404459A (en) | 2017-11-28 |
CN107404459B CN107404459B (en) | 2020-09-04 |
Family
ID=60389112
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610338317.5A Active CN107404459B (en) | 2016-05-19 | 2016-05-19 | Method for acquiring fingerprint characteristics of network attack message and network equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107404459B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1422039A (en) * | 2001-11-29 | 2003-06-04 | 上海交通大学 | Distributed hacker tracking system in controllable computer network |
US20130318116A1 (en) * | 2003-06-23 | 2013-11-28 | Microsoft Corporation | Advanced Spam Detection Techniques |
CN101605067A (en) * | 2009-04-22 | 2009-12-16 | 网经科技(苏州)有限公司 | Network behavior active analysis diagnostic method |
US20140078913A1 (en) * | 2012-09-20 | 2014-03-20 | Hewlett-Packard Development Company, L.P. | Data packet stream fingerprint |
CN105430021A (en) * | 2015-12-31 | 2016-03-23 | 中国人民解放军国防科学技术大学 | Encrypted traffic identification method based on load adjacent probability model |
Non-Patent Citations (1)
Title |
---|
吴昊,程光: ""HTTP网络应用特征串的自动提取"", 《广西大学学报:自然科学版》 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108566384A (en) * | 2018-03-23 | 2018-09-21 | 腾讯科技(深圳)有限公司 | A kind of flow attacking means of defence, device, protection server and storage medium |
CN108566384B (en) * | 2018-03-23 | 2021-09-28 | 腾讯科技(深圳)有限公司 | Traffic attack protection method and device, protection server and storage medium |
CN109684301A (en) * | 2018-11-26 | 2019-04-26 | 武汉烽火信息集成技术有限公司 | A kind of multistage network flow storage method and system based on big data |
CN110808915A (en) * | 2019-10-21 | 2020-02-18 | 新华三信息安全技术有限公司 | Data stream affiliated application identification method and device and data processing equipment |
CN110808915B (en) * | 2019-10-21 | 2022-03-08 | 新华三信息安全技术有限公司 | Data stream affiliated application identification method and device and data processing equipment |
CN112910797A (en) * | 2021-01-20 | 2021-06-04 | 中国科学院计算技术研究所 | I2P flow identification method and system based on feature matching |
CN112910797B (en) * | 2021-01-20 | 2023-04-11 | 中国科学院计算技术研究所 | I2P flow identification method and system based on feature matching |
CN114124562A (en) * | 2021-12-02 | 2022-03-01 | 湖北天融信网络安全技术有限公司 | Defense method, defense device, electronic equipment and storage medium |
CN114124562B (en) * | 2021-12-02 | 2024-05-28 | 湖北天融信网络安全技术有限公司 | Defense method, defense device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN107404459B (en) | 2020-09-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107404459A (en) | Obtain the method and the network equipment of the fingerprint characteristic of network attack message | |
CN103825976B (en) | NAT (network address translation) processing method and device in distributed system architecture | |
US7240048B2 (en) | System and method of parallel pattern matching | |
JP6055548B2 (en) | Apparatus, method, and network server for detecting data pattern in data stream | |
US7411418B2 (en) | Efficient representation of state transition tables | |
Lu et al. | A memory-efficient parallel string matching architecture for high-speed intrusion detection | |
CN1757220B (en) | Apparatus and method for detecting tiny fragment attacks | |
CN112468370A (en) | High-speed network message monitoring and analyzing method and system supporting custom rules | |
CN107707477A (en) | The processing method and processing device of message, computer-readable recording medium | |
CN109450845B (en) | Detection method for generating malicious domain name based on deep neural network algorithm | |
KR20140061359A (en) | Anchored patterns | |
CN103415836A (en) | Network processor and method for accelerating data packet parsing | |
KR20140051914A (en) | Compiler for regular expressions | |
CN111224941B (en) | Threat type identification method and device | |
CN107222491A (en) | A kind of inbreak detection rule creation method based on industrial control network mutation attacks | |
CN107979581A (en) | The detection method and device of corpse feature | |
CN107786628A (en) | Business numbering distribution method, device, computer equipment and storage medium | |
CN103414701A (en) | Rule matching method and device | |
CN101079890B (en) | A method and device for generating characteristic code and identifying status machine | |
EP3211853B1 (en) | Real-time validation of json data applying tree graph properties | |
CN107040427A (en) | A kind of method and device of network card configuration | |
CN114070800A (en) | SECS2 traffic rapid identification method combining deep packet inspection and deep stream inspection | |
CN105516114B (en) | Method and device for scanning vulnerability based on webpage hash value and electronic equipment | |
CN107404515A (en) | The processing method and processing device of asynchronous http request | |
CN103957012B (en) | A kind of compression method and device of DFA matrixes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||