CN107819606A - Network attack alarm method and device - Google Patents


Info

Publication number
CN107819606A
Authority
CN
China
Prior art keywords
warning message
attack
similarity
attack signature
warning
Legal status
Pending
Application number
CN201710905355.9A
Other languages
Chinese (zh)
Inventor
杨文玉
车祺丰
Current Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201710905355.9A


Classifications

    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (under H04L 41/00, arrangements for maintenance, administration or management of data switching networks)
    • H04L 43/16 Threshold monitoring (under H04L 43/00, arrangements for monitoring or testing data switching networks)
    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/14, network security architectures or protocols for detecting or protecting against malicious traffic by monitoring network traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention provide a method and device for raising an alarm when a network is under attack. The method comprises: obtaining pending alarm information that needs to be alarmed for an attack on the network, where the pending alarm information comprises an attack feature of the attack the network is subject to; determining the similarity between the pending alarm information and previously raised alarm information based on the similarity between the attack feature of the pending alarm information and the attack feature of the previously raised alarm information; and, when the similarity between the pending alarm information and the previously raised alarm information does not satisfy a preset similarity condition, raising an alarm with the pending alarm information.

Description

Method and device for raising an alarm when a network is under attack
Technical field
The present invention relates to the field of computer network security, and in particular to a method and device for raising an alarm when a network is under attack.
Background technology
Web intrusion detection systems are an important means of network security protection. They are typically deployed on the web server or out of band (in bypass), monitor and analyse the real-time traffic of web access, discover attacks against the web application in time, and can effectively address the security problems the web application faces.
When the system discovers an attack, it should respond at the earliest possible moment. Common response modes include alarming, blocking and policy-based handling. Alarming is a common response means: at present the system alarms on attack behaviour against the web application and informs the administrator of the threat corresponding to the attack, so that the administrator can process the threat information in time through the alarm and handle the threat further. The main steps of this alarm method are:
obtaining the alarm information of the current alarm;
judging whether the threat information in the alarm information of the current alarm is a pre-classified high-risk alarm, where the pre-classified high-risk alarms are obtained by classifying the threat information in alarm information in advance into two classes: high-risk alarms and ordinary alarms;
if the threat information in the alarm information of the current alarm is a high-risk alarm, alarming directly; if it is not a high-risk alarm, alarming only after a delay of a preset time length, which may be, for example, one hour.
However, in the course of making the present invention the inventors found that the prior art has at least the following problems:
Because the way threat information in alarm information is classified is simple, the system holds a large number of high-risk alarms, identical high-risk alarms are raised repeatedly, the redundancy of messages increases, and the administrator cannot extract the useful information from the large number of high-risk alarms. Likewise, after the preset time length has elapsed, the system holds a large number of ordinary alarms, identical ordinary alarms are raised repeatedly, the redundancy of messages increases, and the administrator cannot extract the useful information from the ordinary alarms either. In short, the system contains a large volume of alarm information, and it is difficult for the administrator to extract the alarms that matter from the threat information in it.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a method and device for raising an alarm when a network is under attack, so as to reduce the redundancy of alarm information, reduce the amount of alarm information in the system, and make it easier for the administrator to extract alarm information. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides a method for raising an alarm when a network is under attack, including:
obtaining pending alarm information that needs to be alarmed for an attack on the network, where the pending alarm information includes an attack feature of the attack the network is subject to;
determining the similarity between the pending alarm information and previously raised alarm information based on the similarity between the attack feature of the pending alarm information and the attack feature of the previously raised alarm information;
when the similarity between the pending alarm information and the previously raised alarm information does not satisfy a preset similarity condition, raising an alarm with the pending alarm information.
Optionally, the pending alarm information includes multiple attack features of the attack the network is subject to;
and determining the similarity between the pending alarm information and the previously raised alarm information based on the similarity between their attack features includes:
for each attack feature among the multiple attack features in the pending alarm information, calculating the similarity between that attack feature and the corresponding attack feature of the previously raised alarm information;
calculating the similarity between the pending alarm information and the previously raised alarm information based on the similarities between each of the attack features in the pending alarm information and the corresponding attack features of the previously raised alarm information.
Optionally, calculating the similarity between an attack feature and the corresponding attack feature of the previously raised alarm information includes:
calculating the similarity between the attack feature and the corresponding attack feature of the previously raised alarm information separately;
then, according to a preset computation mode associated with that attack feature, performing a computation on the similarity between the two features to obtain the similarity between the attack feature and the corresponding attack feature of the previously raised alarm information.
Optionally, calculating the similarity between the pending alarm information and the previously raised alarm information based on the similarities between each of the attack features in the pending alarm information and the corresponding attack features of the previously raised alarm information includes:
obtaining the weight corresponding to each attack feature among the multiple attack features in the pending alarm information, where the weights of all attack features sum to 100%;
weighting the similarity between each attack feature in the pending alarm information and the corresponding attack feature of the previously raised alarm information by the weight of that attack feature to obtain a weighted result;
taking the weighted result as the similarity between the pending alarm information and the previously raised alarm information.
Optionally, the multiple attack features in the pending alarm information include: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type;
and obtaining the weight corresponding to each attack feature among the multiple attack features in the pending alarm information includes:
obtaining the statistics of all alarm information within a preset time period, where the statistics include the total number of alarm messages and the number of alarm messages corresponding to each attack feature;
for each attack feature, if the number of alarm messages sharing the same attack feature accounts for more than a preset percentage of the total number of messages, increasing the weight of that attack feature and correspondingly reducing the weights of the remaining attack features other than that attack feature;
using the increased weight as the weight of that attack feature, and the correspondingly reduced weights as the weights of the remaining attack features other than that attack feature.
Optionally, the multiple attack features in the pending alarm information include: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type;
and obtaining the weight corresponding to each attack feature among the multiple attack features in the pending alarm information includes:
obtaining the statistics of all alarm information within the preset time period, where the statistics include the multiple unit time intervals into which the preset time period is evenly divided and the number of alarm messages occurring in each unit time interval;
if the number of alarm messages occurring in a unit time interval exceeds a preset count, accumulating all unit time intervals in which the number of alarm messages exceeds the preset count to obtain a cumulative duration;
if the cumulative duration accounts for more than a preset percentage of the preset time period, increasing the weight of the attack time and correspondingly reducing the weights of the remaining attack features other than the attack time;
using the increased weight as the weight of the attack time, and the correspondingly reduced weights as the weights of the remaining attack features other than the attack time.
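The two weight-adaptation rules above (boosting a feature when one value of it dominates the period's alarms, and boosting the attack time when alarms are concentrated in bursts) are written out below as an added example; this is not the patent's own code. The boost amount, the proportional scaling of the other weights, the thresholds and the sample alarms are all assumptions, and the alarms are constructed, not taken from any real system.

```python
"""Adapting attack-feature weights from the alarm statistics of one period.
Added example: boost amount, thresholds, proportional rescaling and the
sample alarms are assumptions, not part of the patent text."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

FEATURES = ("attack_time", "src_ip", "dst_ip", "attack_type")


def boost(weights: Dict[str, float], feature: str, delta: float) -> Dict[str, float]:
    """Raise one feature's weight by delta and scale the others down so the
    weights still sum to 100%. The patent only says to 'correspondingly
    reduce' the other weights; proportional scaling is an assumption."""
    boosted = min(1.0, weights[feature] + delta)
    rest = 1.0 - boosted
    old_rest = sum(w for f, w in weights.items() if f != feature)
    return {
        f: boosted if f == feature else (w * rest / old_rest if old_rest else 0.0)
        for f, w in weights.items()
    }


def adapt_by_value_share(alarms: List[dict], weights: Dict[str, float],
                         share_threshold: float, delta: float) -> Dict[str, float]:
    """Count rule: if a single value of a feature accounts for more than
    share_threshold of all alarms in the period, boost that feature."""
    if not alarms:
        return weights
    total = len(alarms)
    for feature in ("src_ip", "dst_ip", "attack_type"):
        _top_value, top_count = Counter(a[feature] for a in alarms).most_common(1)[0]
        if top_count / total > share_threshold:
            weights = boost(weights, feature, delta)
    return weights


def adapt_by_burst(alarms: List[dict], weights: Dict[str, float],
                   period_start: datetime, period: timedelta, unit: timedelta,
                   count_threshold: int, share_threshold: float,
                   delta: float) -> Dict[str, float]:
    """Time rule: split the period into equal units, count alarms per unit,
    add up the duration of the units whose count exceeds count_threshold,
    and boost attack_time if that busy duration exceeds share_threshold
    of the whole period."""
    n_units = int(period / unit)
    per_unit = [0] * n_units
    for a in alarms:
        idx = int((a["attack_time"] - period_start) / unit)
        if 0 <= idx < n_units:
            per_unit[idx] += 1
    busy = unit * sum(1 for c in per_unit if c > count_threshold)
    if busy / period > share_threshold:
        weights = boost(weights, "attack_time", delta)
    return weights


def _alarm(h: int, m: int, src: str, dst: str, kind: str) -> dict:
    return {"attack_time": datetime(2017, 9, 26, h, m), "src_ip": src,
            "dst_ip": dst, "attack_type": kind}


# Constructed sample: one source hammering three hosts, then a few stragglers.
SAMPLE_ALARMS = [
    _alarm(10, 1, "203.0.113.5", "198.51.100.10", "sql_injection"),
    _alarm(10, 2, "203.0.113.5", "198.51.100.10", "sql_injection"),
    _alarm(10, 3, "203.0.113.5", "198.51.100.11", "xss"),
    _alarm(10, 4, "203.0.113.5", "198.51.100.11", "xss"),
    _alarm(10, 5, "203.0.113.5", "198.51.100.12", "sql_injection"),
    _alarm(10, 6, "203.0.113.5", "198.51.100.12", "lfi"),
    _alarm(10, 7, "203.0.113.5", "198.51.100.10", "xss"),
    _alarm(10, 12, "203.0.113.40", "198.51.100.11", "sql_injection"),
    _alarm(10, 14, "203.0.113.41", "198.51.100.12", "xss"),
    _alarm(10, 16, "203.0.113.42", "198.51.100.10", "sql_injection"),
]
PERIOD_START = datetime(2017, 9, 26, 10, 0)
PERIOD = timedelta(hours=1)
UNIT = timedelta(minutes=10)

if __name__ == "__main__":
    w = {f: 0.25 for f in FEATURES}
    w = adapt_by_value_share(SAMPLE_ALARMS, w, share_threshold=0.6, delta=0.2)
    w = adapt_by_burst(SAMPLE_ALARMS, w, PERIOD_START, PERIOD, UNIT,
                       count_threshold=2, share_threshold=0.3, delta=0.2)
    print({f: round(x, 3) for f, x in w.items()})
```

On the sample, seven of ten alarms share one source address, so src_ip is boosted first; the same seven plus three more fall into two ten-minute units that each exceed the count threshold, so twenty busy minutes out of sixty then boost attack_time. Run the two rules on each period's statistics and feed the resulting weights into the weighted similarity; keep the boost small, because a large boost lets a single noisy source make every alarm from it look like a duplicate.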
Optionally, the preset similarity condition is that the similarity is greater than a similarity threshold, and the similarity threshold is obtained by the following steps:
obtaining the statistics of all alarm information within a preset time period, where the statistics include the total number of alarm messages;
if the total number of alarm messages is higher than a first preset alarm count and not lower than a second preset alarm count, reducing the similarity threshold and updating the similarity threshold to the reduced value, where the second preset alarm count is greater than the first preset alarm count;
if the total number of alarm messages is higher than the first preset alarm count but lower than the second preset alarm count, updating the similarity threshold according to the total number of alarm messages;
if the total number of alarm messages is lower than the first preset alarm count, increasing the similarity threshold and updating the similarity threshold to the increased value.
Optionally, reducing the similarity threshold and updating it to the reduced value includes:
subtracting a fixed number from the similarity threshold and updating the similarity threshold to the value after subtracting the fixed number;
and increasing the similarity threshold and updating it to the increased value includes:
adding a fixed number to the similarity threshold and updating the similarity threshold to the value after adding the fixed number.
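The volume-driven threshold rule above, as an added example that is not the patent's own code: a high alarm volume lowers the threshold by a fixed step (so more pending alarms are merged into existing ones), a low volume raises it, and the value is clamped to the 60% to 100% range the embodiments give for the threshold. The step size, the band limits, the clamp and the treatment of the middle band (the page's wording for it is unclear, so it is left unchanged here) are assumptions.

```python
"""Dynamic similarity threshold driven by the alarm volume of the last period.
Added example; step size, band limits, the clamp and the handling of the
middle band are assumptions, not part of the patent text."""
from typing import List

# Range the embodiments give for the similarity threshold (60% to 100%).
THRESHOLD_MIN, THRESHOLD_MAX = 0.6, 1.0


def adapt_threshold(threshold: float, alarm_count: int, low: int, high: int,
                    step: float) -> float:
    """low and high are the first and second preset alarm counts (low < high).
    At or above high: lower the threshold by a fixed step, so more pending
    alarms count as repeats of existing ones. Below low: raise it by the
    same step. Between the two counts (and at exactly low) the threshold is
    left unchanged; that choice is an assumption."""
    if low >= high:
        raise ValueError("first preset alarm count must be below the second")
    if alarm_count >= high:
        threshold -= step
    elif alarm_count < low:
        threshold += step
    return min(THRESHOLD_MAX, max(THRESHOLD_MIN, threshold))


def adapt_over_periods(threshold: float, counts: List[int], low: int, high: int,
                       step: float) -> List[float]:
    """Apply the rule period by period; return the threshold after each period."""
    history = []
    for count in counts:
        threshold = adapt_threshold(threshold, count, low, high, step)
        history.append(threshold)
    return history


if __name__ == "__main__":
    # Constructed alarm counts for six consecutive periods.
    print(adapt_over_periods(0.8, [600, 600, 300, 50, 50, 700],
                             low=100, high=500, step=0.05))
```

The clamp matters in practice: without it a sustained flood drives the threshold towards zero and every pending alarm is silently merged, which is exactly the failure an attacker wants from a deduplicating alarm pipeline.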
Optionally, after determining the similarity between the pending alarm information and the previously raised alarm information, the method further includes:
if the similarity between the pending alarm information and the previously raised alarm information satisfies the preset similarity condition, obtaining, among the previously raised alarm information, the alarm information with the highest similarity to the pending alarm information;
obtaining the way in which the attack in that highest-similarity alarm information was handled, and handling the attack in the pending alarm information in the same way.
In a second aspect, an embodiment of the present invention provides a device for raising an alarm when a network is under attack, including:
a first acquisition module, configured to obtain pending alarm information that needs to be alarmed for an attack on the network, where the pending alarm information includes an attack feature of the attack the network is subject to;
a determining module, configured to determine the similarity between the pending alarm information and previously raised alarm information based on the similarity between the attack feature of the pending alarm information and the attack feature of the previously raised alarm information;
a first processing module, configured to raise an alarm with the pending alarm information when the similarity between the pending alarm information and the previously raised alarm information does not satisfy a preset similarity condition.
Optionally, the pending alarm information includes multiple attack features of the attack the network is subject to;
and the determining module includes:
a first computing module, configured to calculate, for each attack feature among the multiple attack features in the pending alarm information, the similarity between that attack feature and the corresponding attack feature of the previously raised alarm information;
a second computing module, configured to calculate the similarity between the pending alarm information and the previously raised alarm information based on the similarities between each of the attack features in the pending alarm information and the corresponding attack features of the previously raised alarm information.
Optionally, the first computing module is specifically configured to:
calculate the similarity between the attack feature and the corresponding attack feature of the previously raised alarm information separately;
and, according to the preset computation mode associated with that attack feature, perform a computation on that similarity to obtain the similarity between the attack feature and the corresponding attack feature of the previously raised alarm information.
Optionally, the second computing module includes:
an acquisition submodule, configured to obtain the weight corresponding to each attack feature among the multiple attack features in the pending alarm information, where the weights of all attack features sum to 100%;
a weighting submodule, configured to weight the similarity between each attack feature in the pending alarm information and the corresponding attack feature of the previously raised alarm information by the weight of that attack feature to obtain a weighted result,
and to take the weighted result as the similarity between the pending alarm information and the previously raised alarm information.
Optionally, the multiple attack features in the pending alarm information include: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type;
and the acquisition submodule is specifically configured to:
obtain the statistics of all alarm information within a preset time period, where the statistics include the total number of alarm messages and the number of alarm messages corresponding to each attack feature;
for each attack feature, if the number of alarm messages sharing the same attack feature accounts for more than a preset percentage of the total number of messages, increase the weight of that attack feature and correspondingly reduce the weights of the remaining attack features other than that attack feature;
use the increased weight as the weight of that attack feature, and the correspondingly reduced weights as the weights of the remaining attack features other than that attack feature.
Optionally, the multiple attack features in the pending alarm information include: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type;
and the acquisition submodule is specifically configured to:
obtain the statistics of all alarm information within the preset time period, where the statistics include the multiple unit time intervals into which the preset time period is evenly divided and the number of alarm messages occurring in each unit time interval;
if the number of alarm messages occurring in a unit time interval exceeds a preset count, accumulate all unit time intervals in which the number of alarm messages exceeds the preset count to obtain a cumulative duration;
if the cumulative duration accounts for more than a preset percentage of the preset time period, increase the weight of the attack time and correspondingly reduce the weights of the remaining attack features other than the attack time;
use the increased weight as the weight of the attack time, and the correspondingly reduced weights as the weights of the remaining attack features other than the attack time.
Optionally, the preset similarity condition is that the similarity is greater than a similarity threshold, and the similarity threshold is obtained by a second acquisition module, which is configured to:
obtain the statistics of all alarm information within a preset time period, where the statistics include the total number of alarm messages;
if the total number of alarm messages is higher than a first preset alarm count and not lower than a second preset alarm count, reduce the similarity threshold and update it to the reduced value, where the second preset alarm count is greater than the first preset alarm count;
if the total number of alarm messages is higher than the first preset alarm count but lower than the second preset alarm count, update the similarity threshold according to the total number of alarm messages;
if the total number of alarm messages is lower than the first preset alarm count, increase the similarity threshold and update it to the increased value.
Optionally, the second acquisition module is specifically configured to subtract a fixed number from the similarity threshold and update the similarity threshold to the value after subtracting the fixed number;
and to add a fixed number to the similarity threshold and update the similarity threshold to the value after adding the fixed number.
Optionally, the device further includes:
a third acquisition module, configured to obtain, after the determining module has determined the similarity between the pending alarm information and the previously raised alarm information, and if that similarity satisfies the preset similarity condition, the alarm information among the previously raised alarm information with the highest similarity to the pending alarm information;
a second processing module, configured to obtain the way in which the attack in that highest-similarity alarm information was handled, and to handle the attack in the pending alarm information in the same way.
In a third aspect, an embodiment of the present invention provides an electronic device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another via the communication bus;
the memory is configured to store a computer program;
and the processor is configured to execute the program stored in the memory so as to implement the method steps of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method steps of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a computer device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another via the bus; the memory is configured to store a computer program; and the processor is configured to execute the program stored in the memory so as to implement the method steps of the first aspect.
In a sixth aspect, an embodiment of the present invention provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the first aspect.
In a seventh aspect, an embodiment of the present invention provides a computer program which, when run on a computer, causes the computer to perform the steps of the first aspect.
The method and device for raising an alarm when a network is under attack provided by the embodiments of the present invention can: obtain pending alarm information that needs to be alarmed for an attack on the network; determine the similarity between the pending alarm information and previously raised alarm information based on the similarity between their attack features; and raise an alarm with the pending alarm information when that similarity does not satisfy a preset similarity condition.
Raising alarms only for pending alarm information whose similarity does not satisfy the preset similarity condition avoids repeated alarms for alarm information that is highly similar, thereby reducing the redundancy of alarm information, further reducing the amount of alarm information in the system, and making it easier for the administrator to extract alarm information.
Of course, any product or method implementing the present invention does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the method for raising an alarm when a network is under attack according to an embodiment of the present invention;
Fig. 2 is a first schematic structural diagram of the device for raising an alarm when a network is under attack according to an embodiment of the present invention;
Fig. 3 is a second schematic structural diagram of the device for raising an alarm when a network is under attack according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the electronic device according to an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To address the problem in the prior art that the system contains a large volume of alarm information and the administrator has difficulty extracting alarm information from the threat information in it, the embodiments of the present invention provide a method and device for raising an alarm when a network is under attack: the similarity between pending alarm information and previously raised alarm information is determined, and an alarm is raised with the pending alarm information only when that similarity does not satisfy a preset similarity condition. Raising alarms only for pending alarm information whose similarity does not satisfy the preset similarity condition avoids repeated alarms for alarm information that is highly similar, thereby reducing the redundancy of alarm information, further reducing the amount of alarm information in the system, and making it easier for the administrator to extract alarm information.
The method for raising an alarm when a network is under attack provided by the embodiments of the present invention is introduced first.
The method provided by the embodiments can be applied in the internet industry, and specifically can be applied to an electronic device.
As shown in Fig. 1, the method for raising an alarm when a network is under attack provided by an embodiment of the present invention may include the following steps:
Step 101: obtaining pending alarm information that needs to be alarmed for an attack on the network, where the pending alarm information includes an attack feature of the attack the network is subject to.
In one embodiment, there may be a single attack feature. Characterising the attack the network is subject to with a single attack feature uses a small amount of information and occupies little running memory.
In other embodiments, there may be multiple attack features. Characterising the attack the network is subject to with multiple attack features makes the determination of the similarity between the pending alarm information and previously raised alarm information more accurate.
Attack features may include, but are not limited to, the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type.
Step 102: determining the similarity between the pending alarm information and previously raised alarm information based on the similarity between the attack feature of the pending alarm information and the attack feature of the previously raised alarm information.
When the similarity between the pending alarm information and the previously raised alarm information does not satisfy the preset similarity condition, the pending alarm information differs from the existing alarm information, and an alarm is raised with the pending alarm information.
In one embodiment, the attack features of the previously raised alarm information used in step 102 can be obtained as follows:
the attack features of previously raised alarm information are first stored in a preset database, and step 102 then reads the attack features of the previously raised alarm information directly from that preset database.
In one embodiment, the similarity in step 102 between the attack features of the pending alarm information and the attack features of the previously raised alarm information can be determined as follows:
first, the attack features of the pending alarm information are compared with the attack features of the previously raised alarm information, to distinguish the attack features of the previously raised alarm information that correspond to attack features of the pending alarm information from those that do not correspond to any attack feature of the pending alarm information;
then, for each attack feature of the previously raised alarm information that corresponds to an attack feature of the pending alarm information, the similarity between the attack feature of the pending alarm information and the corresponding attack feature of the previously raised alarm information is calculated;
for each attack feature of the previously raised alarm information that does not correspond to any attack feature of the pending alarm information, the similarity between the attack feature of the pending alarm information and that non-corresponding attack feature is taken as zero, since a non-corresponding attack feature means that the attack feature of the pending alarm information differs from that attack feature of the previously raised alarm information.
In one embodiment, when the pending alarm information includes a single attack feature of the attack the network is subject to, step 102 determines the similarity between the pending alarm information and the previously raised alarm information as follows:
the similarity between the attack feature of the pending alarm information and the corresponding attack feature of the previously raised alarm information is taken directly as the similarity between the pending alarm information and the previously raised alarm information. In this way, when the pending alarm information contains only a single attack feature, that feature alone allows the similarity between the pending alarm information and the previously raised alarm information to be determined quickly.
In other embodiments, when the pending alarm information includes multiple attack features of the attack the network is subject to, step 102 determines the similarity between the pending alarm information and the previously raised alarm information as follows:
for each attack feature among the multiple attack features in the pending alarm information, the similarity between that attack feature and the corresponding attack feature of the previously raised alarm information is calculated; then, based on the similarities between each of the attack features in the pending alarm information and the corresponding attack features of the previously raised alarm information, the similarity between the pending alarm information and the previously raised alarm information is calculated. In this way, when the pending alarm information contains multiple attack features, all of them are used, and the similarity between the pending alarm information and the previously raised alarm information is determined accurately.
Step 103: when the similarity between the pending alert and the issued alert does not satisfy a preset similarity condition, an alarm is issued using the pending alert.
The preset similarity condition is set according to user or industry needs. It may be fixed, or it may be adjusted dynamically.
In one embodiment, the preset similarity condition is that the similarity exceeds a similarity threshold, and the similarity threshold can take a value in the range 60% to 100%. The larger the similarity threshold, the higher the accuracy with which the similarity between the pending alert and an existing issued alert is determined.
In other embodiments, the preset similarity condition in step 103 is that the similarity exceeds a similarity threshold, and the value of the similarity threshold is obtained as follows:
First, obtain the statistics on all alert messages within a preset time period, which include the message total of all alert messages; then compare that message total with a first preset alarm quantity and with a second preset alarm quantity.
If the message total of all alert messages is higher than the first preset alarm quantity and not lower than the second preset alarm quantity, reduce the similarity threshold and update it to the reduced value.
If the message total of all alert messages is higher than the first preset alarm quantity but lower than the second preset alarm quantity, the similarity threshold is retained as it is for all alert messages; the second preset alarm quantity is greater than the first preset alarm quantity.
If the message total of all alert messages is lower than the first preset alarm quantity, increase the similarity threshold and update it to the increased value.
The preset time period can be set according to user and industry requirements; for example, the preset time period is 1 hour, half a day, one day, two weeks or one month.
In one embodiment, the statistics on all alert messages within the preset time period are obtained as follows:
the information on all alert messages in the preset time period is first recorded and counted in a preset database, and this step then reads the statistics on all alert messages in the preset time period from that database.
In other embodiments, the statistics on all alert messages within the preset time period are obtained as follows:
a terminal first records the information on all alert messages in the preset time period; the user then uses the terminal to feed the recorded information on all alert messages in the preset time period back to the electronic device, and the electronic device correspondingly receives the information that the user feeds back for the preset time period. This step can therefore obtain the information on all alert messages from the user's feedback. The terminal can be any terminal, for example a mobile phone; any terminal capable of implementing this embodiment of the invention falls within the scope of protection of the invention.
The user can select, on a feedback page of the electronic device, the button for feeding back the information on all alert messages in the preset time period, and then feed the information on all alert messages in the preset time period back to the electronic device. Correspondingly, the electronic device receives the selection signal of the button on the feedback page and then starts receiving the information on all alert messages that the user feeds back for the preset time period.
The first preset alarm quantity and the second preset alarm quantity can be set according to user or industry needs. Comparing the message total of all alert messages with the first and second preset alarm quantities allows the similarity threshold to be adjusted.
If the message total of all alert messages received is greater than the second preset alarm quantity, too many alert messages have been received and it is difficult for the user to extract alert messages, so the similarity threshold needs to be reduced. This filters out alert messages of lower similarity, that is, alert messages that differ more from existing ones, and so reduces the number of alert messages used.
If the message total of all alert messages received is less than the first preset alarm quantity, too few alert messages have been received and the alert messages are too limited; although it is easy for the user to extract alert messages, the electronic device may have had no alert messages at all during part of the preset time period, so the user cannot extract any. The similarity threshold then needs to be increased. This filters out alert messages whose similarity is not high, that is, alert messages that differ little from existing ones, and so increases the number of alert messages used.
Reducing the similarity threshold can mean subtracting a fixed number from it, after which the similarity threshold is updated to the value reduced by that fixed number. The fixed number is determined according to user and industry needs; for example, it can take a value in the range 0.5% to 10%. The similarity threshold is thus reduced by the same fixed number each time, which makes each adjustment convenient.
If the message total of all alert messages is higher than the first preset alarm quantity and lower than the second preset alarm quantity, the configured similarity threshold is appropriate.
Increasing the similarity threshold can mean adding a fixed number to it, after which the similarity threshold is updated to the value increased by that fixed number. This fixed number is similar to the one used for reducing the similarity threshold and achieves the same or similar benefits, so it is not repeated here.
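The step 103 alarm decision and the volume-driven threshold update just described, as an added example (not code from the patent). The names, the clamp to the 60% to 100% range the text gives for the threshold, and the treatment of a message total exactly equal to the first preset alarm quantity (left unchanged) are assumptions; the sample quantities are constructed.

```python
"""Step 103 alarm decision and the volume-driven similarity threshold.

Added example, not code from the patent. It implements the alarm decision of
step 103 (alarm when the similarity does not exceed the threshold) and the
threshold update for one preset time period, driven by the message total of
all alert messages counted in that period. The clamp to 60%..100% and the
handling of a total exactly equal to the first preset quantity are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThresholdPolicy:
    first_preset_qty: int      # below this, too few alerts: raise the threshold
    second_preset_qty: int     # at or above this, too many alerts: lower the threshold
    step: float                # fixed adjustment per period, e.g. 0.005..0.10 (0.5%..10%)
    floor: float = 0.60        # lowest allowed threshold (60%), assumption
    ceiling: float = 1.00      # highest allowed threshold (100%), assumption

    def __post_init__(self) -> None:
        if self.second_preset_qty <= self.first_preset_qty:
            raise ValueError("second preset alarm quantity must exceed the first")
        if not 0 < self.step < 1:
            raise ValueError("step must be a fraction between 0 and 1")


def should_alarm(similarity: float, threshold: float) -> bool:
    """Step 103: alarm unless the similarity to an issued alert exceeds the threshold."""
    return not similarity > threshold


def adjust_threshold(total_alerts: int, threshold: float, policy: ThresholdPolicy) -> float:
    """Return the similarity threshold to use after one preset time period.

    total_alerts is the message total of all alert messages counted in the period.
    """
    if total_alerts > policy.first_preset_qty and total_alerts >= policy.second_preset_qty:
        # Too many alerts reach the user: lower the threshold by the fixed number.
        return max(policy.floor, round(threshold - policy.step, 6))
    if total_alerts > policy.first_preset_qty:
        # Between the two preset quantities: the configured threshold is appropriate.
        return threshold
    if total_alerts < policy.first_preset_qty:
        # Too few alerts: raise the threshold by the fixed number.
        return min(policy.ceiling, round(threshold + policy.step, 6))
    return threshold  # exactly the first preset quantity: unspecified, left unchanged


def run_periods(totals_per_period, threshold: float, policy: ThresholdPolicy) -> list:
    """Apply the adjustment period by period; return the threshold after each period."""
    history = []
    for total in totals_per_period:
        threshold = adjust_threshold(total, threshold, policy)
        history.append(threshold)
    return history


if __name__ == "__main__":
    # Constructed sample: hourly periods, acceptable band 101..499 alerts, 5% step.
    policy = ThresholdPolicy(first_preset_qty=100, second_preset_qty=500, step=0.05)
    print(run_periods([600, 600, 300, 50], 0.80, policy))      # [0.75, 0.7, 0.7, 0.75]
    print(should_alarm(0.70, 0.75), should_alarm(0.90, 0.75))  # True False
```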
It can be seen that, in this embodiment of the invention, an alarm is issued for a pending alert whose similarity does not satisfy the preset similarity condition, so alert messages with high similarity are not alarmed repeatedly. This reduces the redundancy of alert messages, further reduces the number of alert messages in the system, makes it easier for the administrator to extract alert messages, and also improves the security of the system.
In one embodiment, computing the similarity between the pending alert and the issued alert based on the similarities of all the attack features of the pending alert to the corresponding attack features of the issued alert includes:
computing, for each attack feature, the similarity between that attack feature and the corresponding attack feature of the issued alert;
performing, according to a preset computation mode corresponding to that attack feature, the computation on the attack feature and the corresponding attack feature of the issued alert, to obtain the similarity between the two.
When the attack feature is the attack time, the similarity between the attack feature and the corresponding attack feature of the issued alert is obtained in this step as follows:
take the difference between the attack time in the pending alert and the attack time in each corresponding issued alert, obtaining a first time interval between the first attack time and the second attack time;
according to a correspondence between time interval and similarity, determine a first similarity corresponding to the first time interval, and take the first similarity as the similarity between the attack time in the pending alert and the attack time of the corresponding issued alert.
In one embodiment, the correspondence between time interval and similarity is represented by a table; Table 1 is an example of such a correspondence.
Table 1
Time interval Similarity
0~0.2 100
0.2~0.4 80
0.4~0.6 60
0.6~0.8 30
0.8~1 10
More than 1 0
For example, if the first time interval between the first attack time and the second attack time is 0.8 hours, the first similarity determined from the table is 10; that is, the similarity between the attack time in the pending alert and the attack time of the corresponding issued alert is 10.
The unit of the time interval can be minutes, hours or days. The time ranges shown are merely illustrative. If the similarity between the attack time in the pending alert and the attack time of the corresponding issued alert needs to be more accurate, the ranges between 0 and 1 can be divided more finely, and the similarity assigned to each time range must then also be set more finely.
In other embodiments, the correspondence between time interval and similarity can be represented by an inverse proportion function; any inverse proportion function in which time interval and similarity are inversely related falls within the scope of protection of this embodiment of the invention.
An exemplary inverse proportion function is:
where x is the time interval, whose value is a natural number greater than or equal to 0, Y is the similarity, and k is the inverse proportion coefficient, whose value is a natural number greater than or equal to 0; the units of k and x can be minutes, hours or days, and the inverse proportion coefficient can be configured according to user needs. Not every case is enumerated here.
When the attack feature is an IP address, namely the source IP address or the destination IP address of the attack traffic, the similarity between the attack feature in the pending alert and the attack feature of the corresponding issued alert is obtained in this step as follows:
convert the IP address in the pending alert into a binary IP address, and convert the IP address in each issued alert corresponding to the attack feature in the pending alert into a binary IP address;
using the Hamming distance function, compute the first Hamming distance between the binary IP address converted from the IP address in the pending alert and the binary IP address converted from the IP address in each corresponding issued alert; using all the first Hamming distances, compute a second Hamming distance between the attack feature in the pending alert and the attack feature of the issued alerts corresponding to it.
According to a correspondence between Hamming distance and similarity, determine a second similarity corresponding to the second Hamming distance, and take the second similarity as the similarity between the attack feature in the pending alert and the attack feature of the corresponding issued alert.
In one embodiment, the correspondence between Hamming distance and similarity is represented by a table; Table 2 is an example of such a correspondence.
Table 2
Hamming distance Similarity
Less than default Hamming distance 100
More than default Hamming distance 0
The preset correspondence between Hamming distance and similarity can be configured according to user needs; the preset Hamming distance and the similarity can both be adjusted, which is not repeated here.
In other embodiments, the correspondence between Hamming distance and similarity can be a function that characterises Hamming distance and similarity.
The Hamming distance function can be:
where
H is the first Hamming distance between the attack feature in the pending alert and the attack feature of the corresponding issued alert; n is the number of characters of the binary IP address converted from the IP address in the pending alert, or of the binary IP address converted from the IP address in each issued alert corresponding to the attack feature in the pending alert. Note that n is generally taken as the larger of the two character counts, that is, the number of characters of the longer of the two binary IP address strings. When V_i is the i-th character of the binary IP address converted from the pending alert, V_j is the j-th character of the binary IP address converted from the corresponding issued alert; or, when V_i is the i-th character of the binary IP address converted from the corresponding issued alert, V_j is the j-th character of the binary IP address converted from the pending alert.
The function characterising Hamming distance and similarity is:
where Adj(P, T) is the second similarity between the character string P corresponding to the binary IP address converted from the pending alert and the character string T corresponding to the binary IP address converted from each issued alert corresponding to the attack feature in the pending alert; H is the first Hamming distance between the attack feature in the pending alert and the attack feature of the corresponding issued alert; and maxH is the maximum first Hamming distance between the attack feature in the pending alert and the attack features of the corresponding issued alerts.
For example, with a preset threshold B, when Adj(P, T) > B the attack feature in the pending alert differs from the attack feature of the corresponding issued alert, and when Adj(P, T) ≤ B the attack feature in the pending alert is the same as the attack feature of the corresponding issued alert.
When the attack feature is the attack type, the similarity between the attack feature and the corresponding attack feature of the issued alert is obtained in this step as follows:
convert the attack type in the pending alert into a first attack state;
compare the first attack state with the attack states in a state transition diagram formed from the attack types of each corresponding issued alert, and determine the state transition probability of the first attack state, where the state transition probability characterises the probability of the first attack state becoming an attack state in the state transition diagram;
average the state transition probabilities, and take the average value as the similarity between the attack type in the pending alert and the attack type of the corresponding issued alert.
In one embodiment, computing the similarity between the pending alert and the issued alert based on the similarity of each of the several attack features in the pending alert to the corresponding attack feature of the issued alert includes:
in one specific embodiment, summing the similarities of each of the several attack features in the pending alert and taking the sum as the similarity between the pending alert and the issued alert. Computing the similarity between the pending alert and the issued alert by summation is simple and fast.
In other embodiments:
Step 1: obtain the weight corresponding to each of the several attack features in the pending alert, where the weight of each attack feature is determined by the importance of that attack feature and the weights of all the attack features sum to 100%.
Step 2: weight the similarity between each of the several attack features in the pending alert and the corresponding attack feature of the issued alert by the weight of that attack feature, obtaining a weighted result.
Step 3: take the weighted result as the similarity between the pending alert and the issued alert.
Optionally, the feature vector defined by the several attack features in the pending alert is (time, src_ip, dest_ip, type), where the feature time represents the attack time, src_ip the source IP of the attack traffic, dest_ip the destination IP of the attack traffic, and type the attack type.
According to the step of obtaining the similarity between the attack feature and the corresponding attack feature of the issued alert, the similarities of the attack time, the source IP of the attack traffic, the destination IP of the attack traffic and the attack type are determined respectively as Sim(time), Sim(src_ip), Sim(dst_ip) and Sim(type).
The weights corresponding to the attack time, the source IP of the attack traffic, the destination IP of the attack traffic and the attack type are obtained respectively as p, q, m and n;
the weighted result SIM is computed by the following formula:
SIM = Sim(time) × p + Sim(src_ip) × q + Sim(dst_ip) × m + Sim(type) × n, and the weighted result SIM is taken as the similarity between the pending alert and the issued alert. p, q, m and n can be fixed values or variable values; specifically, they can be set according to user or industry needs.
In this embodiment, the weight of each attack feature is obtained first and the similarity between the pending alert and the issued alert is then computed by weighting, so the similarity is computed according to the importance of each attack feature. This meets the different needs of the user or the electronic device for different attack features and also improves the accuracy of the computed similarity.
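The per-feature similarities (attack time via Table 1, IP addresses via binary conversion, Hamming distance and Table 2, attack type via state-transition probability) and their combination by summation or by the weighted result SIM, as one added example covering the passages above (not code from the patent). Assumptions: the second Hamming distance is the mean of the first Hamming distances, the attack-type similarity is 100 times the mean state-transition probability read from a constructed table standing in for the state transition diagram, and the default Hamming distance and the sample alerts are constructed.

```python
"""Per-feature similarity and the weighted result SIM for one pending alert.

Added example, not the patent's own code. Time intervals are in hours, as in
the text's worked example (0.8 h -> similarity 10). Assumed: the second Hamming
distance is the mean of the first distances; Sim(type) is 100 * the mean
state-transition probability taken from a constructed table.
"""
import ipaddress
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Alert:
    time: float     # attack time in hours
    src_ip: str     # source IP of the attack traffic
    dest_ip: str    # destination IP of the attack traffic
    type: str       # attack type


# Table 1: upper bound of the time interval (hours) -> similarity
TIME_BINS = ((0.2, 100), (0.4, 80), (0.6, 60), (0.8, 30))
DEFAULT_HAMMING = 8   # Table 2 boundary (constructed sample value)
# Constructed state-transition probabilities: P(pending type -> issued type)
TRANSITIONS = {
    ("port_scan", "port_scan"): 0.9, ("port_scan", "brute_force"): 0.7,
    ("brute_force", "brute_force"): 0.9, ("brute_force", "port_scan"): 0.6,
    ("dos", "dos"): 0.9,
}


def sim_time(pending_time: float, issued_time: float) -> int:
    """First time interval -> first similarity via Table 1 (0.8 h lands in the 0.8~1 row)."""
    gap = abs(pending_time - issued_time)
    for upper, score in TIME_BINS:
        if gap < upper:
            return score
    return 10 if gap <= 1.0 else 0


def to_binary(ip: str) -> str:
    """Binary IP address: fixed-width bit string (32 bits for IPv4, 128 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    return format(int(addr), f"0{addr.max_prefixlen}b")


def hamming(a: str, b: str) -> int:
    """First Hamming distance over n = the longer length; the shorter string is zero-padded."""
    n = max(len(a), len(b))
    return sum(x != y for x, y in zip(a.rjust(n, "0"), b.rjust(n, "0")))


def sim_ip(pending_ip: str, issued_ips, default_hamming: int = DEFAULT_HAMMING) -> int:
    """Second Hamming distance (mean of the first distances) mapped by Table 2."""
    p = to_binary(pending_ip)
    second = mean(hamming(p, to_binary(ip)) for ip in issued_ips)
    return 100 if second < default_hamming else 0


def sim_type(pending_type: str, issued_types) -> float:
    """Average state-transition probability of the pending type, scaled to 0..100."""
    probs = [TRANSITIONS.get((pending_type, t), 0.0) for t in issued_types]
    return round(100 * mean(probs), 6)


def feature_similarities(pending: Alert, issued: Alert) -> dict:
    """Sim(time), Sim(src_ip), Sim(dst_ip), Sim(type) for one pending/issued pair."""
    return {
        "time": sim_time(pending.time, issued.time),
        "src_ip": sim_ip(pending.src_ip, [issued.src_ip]),
        "dst_ip": sim_ip(pending.dest_ip, [issued.dest_ip]),
        "type": sim_type(pending.type, [issued.type]),
    }


def summed_sim(pending: Alert, issued: Alert) -> float:
    """Embodiment that simply sums the per-feature similarities."""
    return round(sum(feature_similarities(pending, issued).values()), 6)


def weighted_sim(pending: Alert, issued: Alert, p: float, q: float, m: float, n: float) -> float:
    """SIM = Sim(time)*p + Sim(src_ip)*q + Sim(dst_ip)*m + Sim(type)*n, weights summing to 100%."""
    if abs(p + q + m + n - 1.0) > 1e-9:
        raise ValueError("weights p, q, m, n must sum to 100%")
    s = feature_similarities(pending, issued)
    return round(s["time"] * p + s["src_ip"] * q + s["dst_ip"] * m + s["type"] * n, 6)


if __name__ == "__main__":
    pending = Alert(10.8, "203.0.113.10", "198.51.100.5", "brute_force")   # constructed
    issued = Alert(10.0, "203.0.113.12", "198.51.100.5", "port_scan")      # constructed
    print(feature_similarities(pending, issued))
    print(weighted_sim(pending, issued, 0.1, 0.4, 0.3, 0.2))   # 83.0
```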
In one embodiment, obtaining the weight corresponding to each of the several attack features in the pending alert includes:
obtaining the statistics on all alert messages within the preset time period, where the information on all alert messages includes the message total of all alert messages and the number of alert messages corresponding to each attack feature;
for each attack feature, if the number of alert messages corresponding to the same attack feature, as a percentage of the message total, exceeds a preset percentage, increasing the weight corresponding to that attack feature and correspondingly reducing the weights corresponding to the remaining attack features other than that attack feature;
taking the increased weight as the weight corresponding to that attack feature, and the correspondingly reduced weights as the weights corresponding to the remaining attack features other than that attack feature.
The preset percentage is configured according to user and industry needs; for example, the preset percentage can take a value in the range 20% to 40%.
In this embodiment of the invention, the weight corresponding to an attack feature is adjusted when the number of alert messages corresponding to the same attack feature exceeds the preset percentage of the message total, so the similarity between the pending alert and the issued alert can be computed according to the actual situation and the importance of each attack feature, which also improves the accuracy of the result.
For example, for the source IP address of the attack traffic, if the number of alert messages corresponding to the same source IP address of attack traffic exceeds 30% of the message total, the weight corresponding to that attack feature is increased and the weights corresponding to the remaining attack features are correspondingly reduced.
Increasing the weight corresponding to the attack feature can mean adding a fixed number to it, and reducing the weights corresponding to the remaining attack features can mean subtracting a fixed number from them. The fixed number is determined according to user and industry needs; for example, it can take a value in the range 0.5% to 10%. The weights are thus adjusted by the same fixed number each time, which makes each adjustment convenient.
In this embodiment of the invention, automatically adjusting the weight corresponding to each attack feature adapts better to actual alarm scenarios and improves the accuracy with which alert messages are alarmed.
In another embodiment, obtaining the weight corresponding to each of the several attack features in the pending alert includes:
first obtaining the statistics on all alert messages within the preset time period, where the information on all alert messages includes the several unit time intervals into which the preset time period is evenly divided and the number of alert messages occurring in each unit time interval;
if the number of alert messages occurring in a unit time interval exceeds a preset number, accumulating each unit time interval in which the number of alert messages exceeds the preset number to obtain a cumulative duration; the preset number can be set according to user needs;
if the cumulative duration, as a percentage of the preset time period, exceeds a preset percentage, increasing the weight corresponding to the attack time and correspondingly reducing the weights corresponding to the remaining attack features other than the attack time;
taking the increased weight as the weight corresponding to the attack time, and the correspondingly reduced weights as the weights corresponding to the remaining attack features other than the attack time.
The process of obtaining the weights of the attack features is illustrated as follows:
the preset time period is 5 seconds and each unit time interval is 1 second, so the preset time period contains 5 unit time intervals;
in the 1st second, 20 alert messages occur;
in the 2nd second, 10 alert messages occur;
in the 3rd second, 0 alert messages occur;
in the 4th second, 5 alert messages occur;
in the 5th second, 12 alert messages occur.
Assuming the preset number is 8, the numbers of alert messages in the 1st, 2nd and 5th seconds each exceed 8; accumulating the 1st, 2nd and 5th seconds, in which the number of alert messages exceeds 8, gives a cumulative duration of 3 seconds, during each of which more than 8 alert messages occurred.
Assuming the preset percentage is 30%, the 3 seconds account for 60% of the 5 seconds; 60% exceeds 30%, so the weight corresponding to the attack time is increased and the weights corresponding to the remaining attack features other than the attack time are correspondingly reduced.
The increased weight is taken as the weight corresponding to the attack time, and the correspondingly reduced weights are taken as the weights corresponding to the remaining attack features other than the attack time.
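Both weight-adjustment methods, the per-feature share of alert messages and the cumulative-duration check run on the text's 5-second figures, as one added example (not code from the patent). Taking the fixed number back equally from the other three features is an assumption; the sample alert messages are constructed.

```python
"""Automatic adjustment of the attack-feature weights p, q, m, n.

Added example, not the patent's own code. Method (a): a feature whose single
most frequent value accounts for more than a preset percentage of all alert
messages in the period has its weight increased by a fixed number, the others
reduced. Method (b): the attack-time weight is increased when the cumulative
duration of unit intervals holding more than a preset number of alert messages
exceeds a preset percentage of the period. Splitting the fixed number equally
across the other three features is an assumption.
"""
from collections import Counter

FEATURES = ("time", "src_ip", "dst_ip", "type")


def rebalance(weights: dict, boosted: str, step: float) -> dict:
    """Add step to one weight and take step/3 from each other weight; the sum stays 100%."""
    others = [f for f in FEATURES if f != boosted]
    new = dict(weights)
    new[boosted] = round(weights[boosted] + step, 6)
    for f in others:
        new[f] = round(weights[f] - step / len(others), 6)
    if min(new.values()) < 0:
        raise ValueError("fixed number too large: a weight would become negative")
    return new


def adjust_by_share(weights: dict, alerts: list, preset_pct: float, step: float) -> dict:
    """Method (a): share of alert messages sharing one value of each feature vs preset_pct."""
    total = len(alerts)
    for feature in FEATURES:
        same_value_count = Counter(a[feature] for a in alerts).most_common(1)[0][1]
        if same_value_count / total > preset_pct:
            weights = rebalance(weights, feature, step)
    return weights


def cumulative_duration(counts_per_unit: list, preset_times: int, unit_len: float = 1.0) -> float:
    """Method (b), step 1: total length of unit intervals whose count exceeds preset_times."""
    return sum(unit_len for c in counts_per_unit if c > preset_times)


def adjust_by_burst(weights: dict, counts_per_unit: list, unit_len: float,
                    preset_times: int, preset_pct: float, step: float) -> dict:
    """Method (b), step 2: boost the attack-time weight when the busy share exceeds preset_pct."""
    period = unit_len * len(counts_per_unit)
    busy = cumulative_duration(counts_per_unit, preset_times, unit_len)
    if busy / period > preset_pct:
        return rebalance(weights, "time", step)
    return weights


# Constructed sample period: ten alert messages; four share one source IP (40%).
SAMPLE_ALERTS = [
    {"time": i, "src_ip": s, "dst_ip": d, "type": t}
    for i, (s, d, t) in enumerate([
        ("203.0.113.10", "198.51.100.5", "port_scan"),
        ("203.0.113.10", "198.51.100.6", "brute_force"),
        ("203.0.113.10", "198.51.100.7", "port_scan"),
        ("203.0.113.10", "198.51.100.8", "dos"),
        ("203.0.113.11", "198.51.100.5", "brute_force"),
        ("203.0.113.12", "198.51.100.9", "port_scan"),
        ("203.0.113.13", "198.51.100.10", "web_attack"),
        ("203.0.113.14", "198.51.100.11", "brute_force"),
        ("203.0.113.15", "198.51.100.12", "dos"),
        ("203.0.113.16", "198.51.100.13", "web_attack"),
    ])
]
EQUAL_WEIGHTS = {"time": 0.25, "src_ip": 0.25, "dst_ip": 0.25, "type": 0.25}

if __name__ == "__main__":
    print(adjust_by_share(EQUAL_WEIGHTS, SAMPLE_ALERTS, preset_pct=0.30, step=0.03))
    # The text's example: five 1-second units with 20, 10, 0, 5, 12 alerts, preset number 8.
    print(adjust_by_burst(EQUAL_WEIGHTS, [20, 10, 0, 5, 12], 1, 8, 0.30, 0.03))
```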
In this embodiment of the invention, automatically adjusting the weight corresponding to each attack feature adapts better to actual alarm scenarios and improves the accuracy with which pending alerts are alarmed.
In one embodiment, after step 103 the method further includes:
when the similarity between the pending alert and the issued alert satisfies the preset similarity condition, obtaining, among the issued alerts, the issued alert with the highest similarity to the pending alert;
obtaining the way in which the attack was handled in that highest-similarity issued alert, and handling the attack in the pending alert in the same way.
The way in which the attack is handled includes adding to a blacklist. Any handling of the attack that the user applies after an alert message has been alarmed to the user falls within the scope of protection of this embodiment of the invention and is not repeated here.
In this embodiment of the invention, the pending alert is compared with the alert messages that have already been alarmed; if the similarity is above the preset threshold, the similarity is high and the difference from the already alarmed alert message is small, so the attack-handling operation corresponding to the already alarmed alert message is applied directly. This reduces the time the administrator spends analysing and handling pending alerts, greatly improves the timeliness with which the attack on the network is handled, and thus improves the overall security of the network system.
As shown in Fig. 2, an embodiment of the invention also provides a network attack alarm device, including:
a first acquisition module 201, for obtaining a pending alert on the network that needs to be alarmed, where the pending alert includes an attack feature of the attack suffered by the network;
a determining module 202, for determining the similarity between the pending alert and an issued alert based on the similarity between the attack feature of the pending alert and the attack feature of the issued alert;
a first processing module 203, for issuing an alarm using the pending alert when the similarity between the pending alert and the issued alert does not satisfy the preset similarity condition.
On the basis of Fig. 2, as shown in Fig. 3, optionally the pending alert includes several attack features of the attack suffered by the network;
the determining module 202 includes:
a first computing module 301, for computing, for each of the several attack features in the pending alert, the similarity between that attack feature and the corresponding attack feature of the issued alert;
a second computing module 302, for computing the similarity between the pending alert and the issued alert based on the similarities of all the attack features in the pending alert to the corresponding attack features of the issued alert.
Optionally, the first computing module 301 is specifically used for:
computing, for each attack feature, the similarity between that attack feature and the corresponding attack feature of the issued alert;
performing, according to a preset computation mode corresponding to that attack feature, the computation on the attack feature and the corresponding attack feature of the issued alert, to obtain the similarity between the two.
Optionally, the second computing module 302 includes:
an acquisition submodule 3021, for obtaining the weight corresponding to each of the several attack features in the pending alert, where the weights corresponding to all the attack features sum to 100%;
a weighting submodule 3022, for weighting the similarity between each of the several attack features in the pending alert and the corresponding attack feature of the issued alert by the weight corresponding to that attack feature, obtaining a weighted result;
the weighted result is taken as the similarity between the pending alert and the issued alert.
Optionally, the several attack features in the pending alert include the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type;
the acquisition submodule 3021 is specifically used for:
obtaining the statistics on all alert messages within the preset time period, where the information on all alert messages includes the message total of all alert messages and the number of alert messages corresponding to each attack feature;
for each attack feature, if the number of alert messages corresponding to the same attack feature, as a percentage of the message total, exceeds a preset percentage, increasing the weight corresponding to that attack feature and correspondingly reducing the weights corresponding to the remaining attack features other than that attack feature;
taking the increased weight as the weight corresponding to that attack feature, and the correspondingly reduced weights as the weights corresponding to the remaining attack features other than that attack feature.
Optionally, the multiple attack features of the pending alarm message include: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type;
The acquisition submodule 3021 is specifically used to:
obtain the statistics of all alarm messages within the preset time period, the statistics including the number of alarm messages occurring in each of the multiple unit intervals into which the preset time period is evenly divided;
if the number of alarm messages in a unit interval exceeds a preset count, accumulate the durations of all unit intervals whose count exceeds the preset count, obtaining a cumulative duration;
if the cumulative duration, as a percentage of the preset time period, exceeds a preset percentage, increase the weight of the attack time and correspondingly decrease the weights of the remaining attack features;
take the increased weight as the weight of the attack time, and the correspondingly decreased weights as the weights of the remaining attack features.
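The weighted similarity and the two weight-rebalancing rules described above (restated in claims 4 to 6 below), as an added Python example; this is not code from the patent or its assignee. The per-feature metrics (shared-prefix length for IP addresses, linear time decay, exact match for attack type), the rule that takes the added weight from the other features in proportion to their current weights, the sample alerts and every numeric parameter are assumptions made for this example.

```python
"""Weighted alert similarity with weights rebalanced from alert statistics.
Added example, not the patent's code; metrics, sample data and parameters are assumptions."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

FEATURES = ("attack_time", "src_ip", "dst_ip", "attack_type")
EQUAL_WEIGHTS = {f: 0.25 for f in FEATURES}  # weights sum to 100%

@dataclass(frozen=True)
class Alert:
    attack_time: int  # seconds since the start of the observation window
    src_ip: str       # source IP address of the attack traffic
    dst_ip: str       # destination IP address of the attack traffic
    attack_type: str

def ip_similarity(a: str, b: str) -> float:
    """Share of leading bits two IPv4 addresses have in common (assumed metric)."""
    x, y = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
    return (32 - (x ^ y).bit_length()) / 32

def time_similarity(a: int, b: int, horizon: int = 3600) -> float:
    """1.0 for identical timestamps, falling linearly to 0.0 at `horizon` seconds apart."""
    return max(0.0, 1.0 - abs(a - b) / horizon)

def feature_similarities(pending: Alert, existing: Alert) -> dict[str, float]:
    """Similarity of each attack feature of the pending alert to the existing alert's."""
    return {
        "attack_time": time_similarity(pending.attack_time, existing.attack_time),
        "src_ip": ip_similarity(pending.src_ip, existing.src_ip),
        "dst_ip": ip_similarity(pending.dst_ip, existing.dst_ip),
        "attack_type": 1.0 if pending.attack_type == existing.attack_type else 0.0,
    }

def weighted_similarity(pending: Alert, existing: Alert, weights: dict[str, float]) -> float:
    """Weighted sum of the per-feature similarities; the weights must sum to 1.0."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("feature weights must sum to 100%")
    sims = feature_similarities(pending, existing)
    return sum(weights[f] * sims[f] for f in FEATURES)

def boost_weight(weights: dict[str, float], feature: str, delta: float) -> dict[str, float]:
    """Raise one feature's weight by `delta` and take `delta` from the other features in
    proportion to their current weights, so the total stays 1.0 (assumed rule)."""
    others = [f for f in FEATURES if f != feature]
    rest = sum(weights[f] for f in others)
    new = dict(weights)
    new[feature] = weights[feature] + delta
    for f in others:
        new[f] = weights[f] - delta * weights[f] / rest
    return new

def rebalance_by_frequency(alerts: list[Alert], weights: dict[str, float],
                           max_share: float = 0.5, delta: float = 0.1) -> dict[str, float]:
    """Boost a feature when one of its values appears in more than `max_share` of the
    window's alerts. attack_time is left to rebalance_by_burstiness (timestamps rarely repeat)."""
    if not alerts:
        return dict(weights)
    new = dict(weights)
    for feature in ("src_ip", "dst_ip", "attack_type"):
        top_count = Counter(getattr(a, feature) for a in alerts).most_common(1)[0][1]
        if top_count / len(alerts) > max_share:
            new = boost_weight(new, feature, delta)
    return new

def rebalance_by_burstiness(alerts: list[Alert], weights: dict[str, float], window: int,
                            unit: int, max_per_unit: int, min_busy_share: float,
                            delta: float = 0.1) -> dict[str, float]:
    """Split the window into equal units, add up the duration of units with more than
    `max_per_unit` alerts, and boost attack_time when that exceeds `min_busy_share` of the window."""
    counts = [0] * (window // unit)
    for a in alerts:
        idx = a.attack_time // unit
        if 0 <= idx < len(counts):
            counts[idx] += 1
    busy_seconds = sum(unit for c in counts if c > max_per_unit)
    if busy_seconds / window > min_busy_share:
        return boost_weight(weights, "attack_time", delta)
    return dict(weights)

# Constructed sample: a 10-minute window with a burst from one source, then one port scan.
SAMPLE_ALERTS = [
    Alert(5, "10.0.0.5", "192.168.1.10", "ssh_bruteforce"),
    Alert(12, "10.0.0.5", "192.168.1.11", "ssh_bruteforce"),
    Alert(40, "10.0.0.5", "192.168.1.12", "ssh_bruteforce"),
    Alert(70, "10.0.0.5", "192.168.1.13", "ssh_bruteforce"),
    Alert(95, "10.0.0.5", "192.168.1.14", "ssh_bruteforce"),
    Alert(400, "203.0.113.9", "192.168.1.10", "port_scan"),
]

def demo() -> dict[str, float]:
    """Rebalance equal weights from the sample window with both rules."""
    w = rebalance_by_frequency(SAMPLE_ALERTS, EQUAL_WEIGHTS)
    return rebalance_by_burstiness(SAMPLE_ALERTS, w, window=600, unit=60,
                                   max_per_unit=1, min_busy_share=0.1)
```

On the sample window, `src_ip` and `attack_type` are each shared by five of six alerts and the first two one-minute units hold more than one alert each, so all three of those features gain weight and `dst_ip` loses it; a pending alert from the same source is then judged more similar to the stored burst than equal weights would make it. The proportional reduction is one way to keep the weights at 100%; the description only requires that the remaining weights go down.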
Optionally, the preset similarity condition is that the similarity exceeds a similarity threshold, the similarity threshold being obtained by a second acquisition module, which is used to:
obtain the statistics of all alarm messages within the preset time period, the statistics including the total number of alarm messages;
if the total number of alarm messages is higher than a first preset alarm count and not less than a second preset alarm count, decrease the similarity threshold and update the similarity threshold to the decreased value, where the second preset alarm count is greater than the first preset alarm count;
if the total number of alarm messages is higher than the first preset alarm count and less than the second preset alarm count, update the similarity threshold to the total number of alarm messages;
if the total number of alarm messages is less than the first preset alarm count, increase the similarity threshold and update the similarity threshold to the increased value.
Optionally, the second acquisition module is specifically used to decrease the similarity threshold by a fixed amount, updating the similarity threshold to the value after subtracting the fixed amount;
and to increase the similarity threshold by a fixed amount, updating the similarity threshold to the value after adding the fixed amount.
Optionally, the device further includes:
A third acquisition module 303, used, after the determining module 202 has determined the similarity between the pending alarm message and the existing alarm message, to obtain, if that similarity meets the preset similarity condition, the existing alarm message with the highest similarity to the pending alarm message;
A second processing module 304, used to obtain the way in which the attack in the highest-similarity alarm message was handled, and to handle the attack in the pending alarm message in that way.
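The threshold adaptation and the alarm-or-reuse decision just described (claims 7 to 9 below restate them), as an added Python example; this is not code from the patent or its assignee. The field-match similarity is a deliberately simple stand-in for the weighted per-feature scheme, and the holding of the threshold in the middle volume band (where the page's wording is unclear), the clamping to [0, 1], the `HandledAlert` record, the sample alerts and all numeric parameters are assumptions made for this example.

```python
"""Adaptive similarity threshold and the alarm-or-reuse decision for a pending alert.
Added example, not the patent's code; the stand-in similarity metric, the handling of the
middle volume band, the sample alerts and all numeric parameters are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Alert:
    attack_time: int
    src_ip: str
    dst_ip: str
    attack_type: str


@dataclass(frozen=True)
class HandledAlert:
    alert: Alert
    handling: str  # how the attack behind this existing alert was dealt with


def adapt_threshold(threshold: float, total_alerts: int, low: int, high: int,
                    step: float) -> float:
    """Volume rule: fewer than `low` alerts in the window raises the threshold by `step`
    (fewer pending alerts are treated as duplicates); `high` or more lowers it (more are
    suppressed). The page's wording for the band in between is unclear, so this example
    holds the threshold there (assumption). The result is clamped to [0, 1]."""
    if high <= low:
        raise ValueError("second preset alarm count must exceed the first")
    if total_alerts < low:
        threshold += step
    elif total_alerts >= high:
        threshold -= step
    return min(1.0, max(0.0, threshold))


def field_match_similarity(a: Alert, b: Alert) -> float:
    """Stand-in metric: fraction of identical fields, ignoring attack_time. The weighted
    per-feature similarity from the description is a drop-in replacement."""
    fields = ("src_ip", "dst_ip", "attack_type")
    return sum(getattr(a, f) == getattr(b, f) for f in fields) / len(fields)


def decide(pending: Alert, existing: list[HandledAlert], threshold: float,
           similarity: Callable[[Alert, Alert], float] = field_match_similarity,
           ) -> tuple[str, Optional[HandledAlert]]:
    """("alarm", None): raise a new alarm. ("reuse", h): the most similar existing alert h
    exceeds the threshold, so apply h.handling instead of alarming again."""
    if not existing:
        return "alarm", None
    best = max(existing, key=lambda h: similarity(pending, h.alert))
    if similarity(pending, best.alert) > threshold:  # "meets the similarity condition"
        return "reuse", best
    return "alarm", None


def process_window(pending: list[Alert], existing: list[HandledAlert], threshold: float,
                   low: int, high: int, step: float) -> tuple[list[Alert], float]:
    """Decide every pending alert of one window against the existing ones (newly raised
    alarms join the existing set), then adapt the threshold for the next window."""
    raised = []
    for p in pending:
        verdict, match = decide(p, existing, threshold)
        if verdict == "reuse":
            continue  # in a real system: apply match.handling to p
        raised.append(p)
        existing.append(HandledAlert(p, "escalated to analyst"))  # assumed handling
    return raised, adapt_threshold(threshold, len(pending), low, high, step)


# Constructed sample data.
HANDLED = [
    HandledAlert(Alert(100, "10.0.0.5", "192.168.1.10", "ssh_bruteforce"),
                 "blocked 10.0.0.5 at the edge firewall"),
    HandledAlert(Alert(200, "203.0.113.9", "192.168.1.20", "port_scan"),
                 "rate-limited 203.0.113.9"),
]
PENDING = [
    Alert(350, "10.0.0.5", "192.168.1.10", "ssh_bruteforce"),  # repeats a handled alert
    Alert(360, "198.51.100.7", "192.168.1.10", "sqli"),        # new: only dst_ip matches
    Alert(370, "198.51.100.7", "192.168.1.10", "sqli"),        # repeats the one above
]


def demo() -> tuple[list[Alert], float]:
    """Run the sample window: one new alarm is raised and the threshold rises to 0.7."""
    return process_window(PENDING, list(HANDLED), threshold=0.6, low=10, high=50, step=0.1)
```

Two points worth noting when building this for real. First, the comparison is made against the most similar existing alert, so the decision only suppresses an alert when it is close to some one known incident, not merely close to the population on average. Second, a threshold that drifts down under alert floods is exactly what an attacker who can generate noise would like; bounding the threshold, as the clamp does here, and logging every suppressed alert with the alert it was matched to keep the suppression auditable.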
Corresponding to the method embodiment shown in Fig. 1, an embodiment of the present invention further provides an electronic device, as shown in Fig. 4, including a processor 401, a communication interface 402, a memory 403 and a communication bus 404, where the processor 401, the communication interface 402 and the memory 403 communicate with each other over the communication bus 404;
the memory 403 is used to store a computer program;
the processor 401, when executing the program stored in the memory 403, implements the following steps:
obtaining a pending alarm message for a network attack that needs to be alarmed, where the pending alarm message includes the attack features of the network attack;
determining the similarity between the pending alarm message and an existing alarm message based on the similarity between the attack features of the pending alarm message and the attack features of the existing alarm message;
when the similarity between the pending alarm message and the existing alarm message does not meet the preset similarity condition, raising an alarm with the pending alarm message.
An embodiment of the present invention provides a computer device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other over the bus; the memory is used to store a computer program; and the processor is used to execute the program stored in the memory to implement the steps of the network attack alarm method.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, discrete gate or transistor logic, or discrete hardware components.
The method provided by the embodiments of the present invention can be applied to an electronic device. Specifically, the electronic device may be a desktop computer, a portable computer, an intelligent mobile terminal, a server, etc. It is not limited thereto: any electronic device capable of implementing the present invention falls within the protection scope of the present invention.
An embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the network attack alarm method.
An embodiment of the present invention provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the steps of the network attack alarm method.
An embodiment of the present invention provides a computer program which, when run on a computer, causes the computer to perform the steps of the network attack alarm method.
For the device, electronic device, computer-readable storage medium, computer program product containing instructions and computer program embodiments, since they are substantially similar to the method embodiment, the description is relatively brief; for the relevant details, refer to the description of the method embodiment.
It should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The embodiments in this specification are described in a related manner; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, for the device, electronic device, computer-readable storage medium, computer program product containing instructions and computer program embodiments, since they are substantially similar to the method embodiment, the description is relatively brief; for the relevant details, refer to the description of the method embodiment.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the protection scope of the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention are included in the protection scope of the present invention.

Claims (10)

1. A network attack alarm method, characterized in that it comprises:
obtaining a pending alarm message for a network attack that needs to be alarmed, wherein the pending alarm message comprises attack features of the network attack;
determining the similarity between the pending alarm message and an existing alarm message based on the similarity between the attack features of the pending alarm message and the attack features of the existing alarm message;
when the similarity between the pending alarm message and the existing alarm message does not meet a preset similarity condition, raising an alarm with the pending alarm message.
2. The method according to claim 1, characterized in that the pending alarm message comprises multiple attack features of the network attack;
and determining the similarity between the pending alarm message and the existing alarm message based on the similarity between the attack features of the pending alarm message and the attack features of the existing alarm message comprises:
for each of the multiple attack features of the pending alarm message, calculating the similarity between that attack feature and the corresponding attack feature of the existing alarm message;
calculating the similarity between the pending alarm message and the existing alarm message based on the similarities between each attack feature of the pending alarm message and the corresponding attack feature of the existing alarm message.
3. The method according to claim 2, characterized in that
calculating the similarity between the attack feature and the corresponding attack feature of the existing alarm message comprises:
separately calculating the similarity between the attack feature and the corresponding attack feature of the existing alarm message;
performing, according to a preset operation mode corresponding to the attack feature, an operation on the similarity between the attack feature and the corresponding attack feature of the existing alarm message, to obtain the similarity between the attack feature and the corresponding attack feature of the existing alarm message.
4. The method according to claim 2, characterized in that
calculating the similarity between the pending alarm message and the existing alarm message based on the similarities between each attack feature of the pending alarm message and the corresponding attack feature of the existing alarm message comprises:
obtaining the weight corresponding to each of the multiple attack features of the pending alarm message, wherein the weights of all attack features sum to 100%;
weighting the similarity between each of the multiple attack features of the pending alarm message and the corresponding attack feature of the existing alarm message by the weight of that attack feature, obtaining a weighted result;
taking the weighted result as the similarity between the pending alarm message and the existing alarm message.
5. The method according to claim 4, characterized in that
the multiple attack features of the pending alarm message comprise: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type;
and obtaining the weight corresponding to each of the multiple attack features of the pending alarm message comprises:
obtaining the statistics of all alarm messages within the preset time period, the statistics comprising the total number of alarm messages and, for each attack feature, the number of alarm messages carrying that attack feature;
for each attack feature, if the number of alarm messages carrying the same attack feature, as a percentage of the total number of messages, exceeds a preset percentage, increasing the weight of that attack feature and correspondingly decreasing the weights of the remaining attack features;
taking the increased weight as the weight of that attack feature, and the correspondingly decreased weights as the weights of the remaining attack features.
6. The method according to claim 4, characterized in that
the multiple attack features of the pending alarm message comprise: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic, and the attack type;
and obtaining the weight corresponding to each of the multiple attack features of the pending alarm message comprises:
obtaining the statistics of all alarm messages within the preset time period, the statistics comprising the number of alarm messages occurring in each of the multiple unit intervals into which the preset time period is evenly divided;
if the number of alarm messages in a unit interval exceeds a preset count, accumulating the durations of all unit intervals whose count exceeds the preset count, obtaining a cumulative duration;
if the cumulative duration, as a percentage of the preset time period, exceeds a preset percentage, increasing the weight of the attack time and correspondingly decreasing the weights of the remaining attack features;
taking the increased weight as the weight of the attack time, and the correspondingly decreased weights as the weights of the remaining attack features.
7. The method according to claim 1, characterized in that
the preset similarity condition is that the similarity exceeds a similarity threshold, the similarity threshold being obtained by the following steps:
obtaining the statistics of all alarm messages within a preset time period, the statistics comprising the total number of alarm messages;
if the total number of alarm messages is higher than a first preset alarm count and not less than a second preset alarm count, decreasing the similarity threshold and updating the similarity threshold to the decreased value, wherein the second preset alarm count is greater than the first preset alarm count;
if the total number of alarm messages is higher than the first preset alarm count and less than the second preset alarm count, updating the similarity threshold to the total number of alarm messages;
if the total number of alarm messages is less than the first preset alarm count, increasing the similarity threshold and updating the similarity threshold to the increased value.
8. The method according to claim 7, characterized in that decreasing the similarity threshold and updating the similarity threshold to the decreased value comprises:
decreasing the similarity threshold by a fixed amount, and updating the similarity threshold to the value after subtracting the fixed amount;
and increasing the similarity threshold and updating the similarity threshold to the increased value comprises:
increasing the similarity threshold by a fixed amount, and updating the similarity threshold to the value after adding the fixed amount.
9. The method according to any one of claims 1 to 8, characterized in that
after determining the similarity between the pending alarm message and the existing alarm message, the method further comprises:
if the similarity between the pending alarm message and the existing alarm message meets the preset similarity condition, obtaining, among the existing alarm messages, the alarm message with the highest similarity to the pending alarm message;
obtaining the way in which the attack in the highest-similarity alarm message was handled, and handling the attack in the pending alarm message in that way.
10. A network attack alarm device, characterized in that it comprises:
a first acquisition module, used to obtain a pending alarm message for a network attack that needs to be alarmed, wherein the pending alarm message comprises attack features of the network attack;
a determining module, used to determine the similarity between the pending alarm message and an existing alarm message based on the similarity between the attack features of the pending alarm message and the attack features of the existing alarm message;
a first processing module, used to raise an alarm with the pending alarm message when the similarity between the pending alarm message and the existing alarm message does not meet a preset similarity condition.
CN201710905355.9A 2017-09-29 2017-09-29 Network attack alarm method and device Pending CN107819606A (en)

Publications (1)

Publication Number Publication Date
CN107819606A true CN107819606A (en) 2018-03-20

Family

ID=61607196

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465041A (en) * 2007-12-21 2009-06-24 上海申瑞电力科技股份有限公司 Method for automatically shielding frequent alarm
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
CN103441982A (en) * 2013-06-24 2013-12-11 杭州师范大学 Intrusion alarm analyzing method based on relative entropy
CN105117322A (en) * 2015-08-28 2015-12-02 国网浙江省电力公司 Redundancy removal method based on multisource alarm log security incident feature analysis
CN105550714A (en) * 2015-12-30 2016-05-04 国家电网公司 Cluster fusion method for warning information in heterogeneous network environment
CN106411617A (en) * 2016-11-29 2017-02-15 国网山西省电力公司忻州供电公司 Power communication network fault warning correlation processing method

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109088775A (en) * 2018-08-29 2018-12-25 阿里巴巴集团控股有限公司 Abnormality monitoring method, device and server
CN109688099A (en) * 2018-09-07 2019-04-26 平安科技(深圳)有限公司 Server-side database collision identification method, device, equipment and readable storage medium
CN109688099B (en) * 2018-09-07 2022-09-20 平安科技(深圳)有限公司 Server-side database collision identification method, device, equipment and readable storage medium
CN110601894A (en) * 2019-09-18 2019-12-20 中国工商银行股份有限公司 Alarm processing method and device, electronic equipment and readable storage medium
CN111210827A (en) * 2020-04-20 2020-05-29 成都派沃特科技股份有限公司 Method and device for responding to alarm, electronic equipment and readable storage medium
CN111210827B (en) * 2020-04-20 2020-08-21 成都派沃特科技股份有限公司 Method and device for responding to alarm, electronic equipment and readable storage medium
CN115378791A (en) * 2022-08-22 2022-11-22 平安银行股份有限公司 Data management method, device, storage medium and electronic equipment

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180320)