CN107819606A - Network attack alarm method and device
- Publication number: CN107819606A (application CN201710905355.9A)
- Authority: CN (China)
- Prior art keywords: warning message, attack, similarity, attack signature, warning
- Legal status: Pending
Classifications
- H04L41/0631 — Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (under H04L41/06 Management of faults, events, alarms or notifications; H04L41/00 Arrangements for maintenance, administration or management of data switching networks)
- H04L43/16 — Threshold monitoring (under H04L43/00 Arrangements for monitoring or testing data switching networks)
- H04L63/1416 — Event detection, e.g. attack signature detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14 Detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security)
- All three fall under H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication
Abstract
Embodiments of the invention provide a network attack alarm method and device. The method comprises: acquiring to-be-alarmed information that requires an alarm when the network is attacked, the to-be-alarmed information comprising an attack feature of the attack to which the network is subjected; determining the similarity between the to-be-alarmed information and already-alarmed information based on the similarity between the attack feature of the to-be-alarmed information and the attack feature of the alarmed information; and, when the similarity between the to-be-alarmed information and the alarmed information does not satisfy a preset similarity condition, raising an alarm using the to-be-alarmed information.
Description
Technical field
The present invention relates to the field of computer network security, and in particular to a network attack alarm method and device.
Background technology
Web intrusion detection systems are an important means of network security protection. They are typically deployed on the web server or in bypass (out-of-band) mode, monitor and analyse real-time web access traffic, discover attacks against the web application in a timely manner, and can effectively address the security problems the web application faces.
If the system discovers an attack, it should respond as soon as possible. Common response modes include alarming, blocking and policy processing. Alarming is a common response means: at present the system raises an alarm on the attack behaviour against the web application and, through the alarm, informs the administrator of the threat corresponding to the attack; the administrator processes the alarm information in time and handles the threat further. The main steps of this alarm method are:
Obtain the alarm information of the current alarm;
Judge whether the threat information in the alarm information of the current alarm is a high-risk alarm that was classified in advance. The high-risk alarms classified in advance are obtained by classifying alarms in advance, and the threat information in the alarm information of the alarms classified in advance comprises high-risk alarms and common alarms;
If the threat information in the alarm information of the current alarm is a high-risk alarm, alarm directly; if it is not a high-risk alarm, alarm after a delay of a preset time length, which may be 1 hour.
However, in the course of realising the present invention the inventor found that the prior art has at least the following problems: because the way threat information in the alarm information is classified is simple, a large number of high-risk alarms exist in the system, identical high-risk alarm threat messages are alarmed repeatedly, and the redundancy of messages increases, so the administrator cannot extract the effective alarm information from the large number of high-risk alarm messages. Alternatively, after the preset time length a large number of common alarms exist in the system, identical common alarm threat messages are alarmed repeatedly, the redundancy of messages increases, and the administrator likewise cannot extract effective alarm information from the common alarms. In short, the system holds a large volume of alarm information, and it is difficult for the administrator to extract alarm information from the threat information within it.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a network attack alarm method and device, so as to reduce the redundancy of alarm information, reduce the volume of alarm information in the system, and make it easier for the administrator to extract alarm information. The specific technical solution is as follows:
In a first aspect, an embodiment of the present invention provides a network attack alarm method, comprising:
acquiring to-be-alarmed information that requires an alarm when the network is attacked, the to-be-alarmed information comprising an attack feature of the attack to which the network is subjected;
determining the similarity between the to-be-alarmed information and alarmed information based on the similarity between the attack feature of the to-be-alarmed information and the attack feature of the alarmed information;
when the similarity between the to-be-alarmed information and the alarmed information does not satisfy a preset similarity condition, alarming using the to-be-alarmed information.
Optionally, the to-be-alarmed information comprises a plurality of attack features of the attack to which the network is subjected, and determining the similarity between the to-be-alarmed information and the alarmed information based on the similarity between their attack features comprises:
for each attack feature among the plurality of attack features in the to-be-alarmed information, calculating the similarity between that attack feature and the corresponding attack feature of the alarmed information;
calculating the similarity between the to-be-alarmed information and the alarmed information based on the similarities between each of the attack features in the to-be-alarmed information and the corresponding attack features of the alarmed information.
Optionally, calculating the similarity between the attack feature and the corresponding attack feature of the alarmed information comprises:
calculating the similarity between the attack feature and the corresponding attack feature of the alarmed information respectively;
performing an operation on that similarity according to a preset computing mode corresponding to the attack feature, to obtain the similarity between the attack feature and the corresponding attack feature of the alarmed information.
Optionally, calculating the similarity between the to-be-alarmed information and the alarmed information based on the similarities between each attack feature in the to-be-alarmed information and the corresponding attack feature of the alarmed information comprises:
acquiring the weight corresponding to each attack feature among the plurality of attack features in the to-be-alarmed information, where the weights corresponding to all of the attack features sum to 100%;
weighting the similarity between each attack feature in the to-be-alarmed information and the corresponding attack feature of the alarmed information by the weight corresponding to that attack feature, to obtain a weighted result;
taking the weighted result as the similarity between the to-be-alarmed information and the alarmed information.
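As an added worked example (not code from the patent), the weighted per-feature similarity and the alarm decision described above in Python. The "preset computing mode" for each feature (linear decay of attack time over an assumed 3600 s window, the ratio of shared leading bits for IP addresses, exact match for attack type), the weights, the 0.8 threshold and the sample records are all assumptions constructed for the example; a feature absent from the alarmed record scores zero.

```python
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple

# An alarm record is a dict of attack features. ``handling`` is present only on
# records that were already alarmed and processed by the administrator.
Alert = Dict[str, object]

# Per-feature weights; the method requires them to sum to 100% (values assumed).
DEFAULT_WEIGHTS: Dict[str, float] = {
    "attack_time": 0.10, "src_ip": 0.40, "dst_ip": 0.20, "attack_type": 0.30,
}
TIME_WINDOW_SECONDS = 3600  # assumed window over which attack times are compared


def time_similarity(a: object, b: object) -> float:
    """1.0 for identical timestamps, falling linearly to 0.0 at the window edge."""
    return max(0.0, 1.0 - abs(int(a) - int(b)) / TIME_WINDOW_SECONDS)


def ip_similarity(a: object, b: object) -> float:
    """Fraction of leading address bits the two IPs share (same /24 -> >= 0.75)."""
    x, y = ip_address(str(a)), ip_address(str(b))
    if x.version != y.version:
        return 0.0
    common_bits = x.max_prefixlen - (int(x) ^ int(y)).bit_length()
    return common_bits / x.max_prefixlen


def exact_similarity(a: object, b: object) -> float:
    """1.0 when the two feature values are identical, else 0.0."""
    return 1.0 if a == b else 0.0


# The "preset computing mode" per feature; this mapping is an assumption.
SIMILARITY_BY_FEATURE: Dict[str, Callable[[object, object], float]] = {
    "attack_time": time_similarity,
    "src_ip": ip_similarity,
    "dst_ip": ip_similarity,
    "attack_type": exact_similarity,
}


def feature_similarity(feature: str, pending: Alert, alarmed: Alert) -> float:
    """Similarity of one feature; a feature missing from the alarmed record is 0."""
    if feature not in alarmed:
        return 0.0
    return SIMILARITY_BY_FEATURE[feature](pending[feature], alarmed[feature])


def alert_similarity(pending: Alert, alarmed: Alert, weights: Dict[str, float]) -> float:
    """Weighted sum of per-feature similarities over the pending record's features."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("feature weights must sum to 100%")
    return sum(
        weight * feature_similarity(feature, pending, alarmed)
        for feature, weight in weights.items()
        if feature in pending
    )


def decide(pending: Alert, alarmed: List[Alert],
           weights: Dict[str, float] = DEFAULT_WEIGHTS,
           threshold: float = 0.8) -> Tuple[bool, Optional[Alert], float]:
    """Return (raise_alarm, most_similar_alarmed_record, best_similarity).

    The preset similarity condition is "similarity > threshold". A new alarm is
    raised only when no alarmed record satisfies it; otherwise the handling of
    the most similar alarmed record can be reused for the pending attack.
    """
    best: Optional[Alert] = None
    best_sim = -1.0
    for record in alarmed:
        sim = alert_similarity(pending, record, weights)
        if sim > best_sim:
            best, best_sim = record, sim
    is_repeat = best is not None and best_sim > threshold
    return (not is_repeat), best, best_sim


# Constructed sample data: one already-alarmed SQL injection and two pending alerts.
ALARMED: List[Alert] = [
    {"attack_time": 1000, "src_ip": "10.0.0.5", "dst_ip": "192.168.1.10",
     "attack_type": "sqli", "handling": "blocked source at the WAF"},
]
PENDING_NEAR: Alert = {"attack_time": 1030, "src_ip": "10.0.0.7",
                       "dst_ip": "192.168.1.10", "attack_type": "sqli"}
PENDING_FAR: Alert = {"attack_time": 5000, "src_ip": "203.0.113.9",
                      "dst_ip": "192.168.1.10", "attack_type": "xss"}

if __name__ == "__main__":
    for pending in (PENDING_NEAR, PENDING_FAR):
        raise_alarm, match, sim = decide(pending, ALARMED)
        action = "ALARM" if raise_alarm else f"suppress, reuse: {match['handling']}"
        print(f"{pending['attack_type']:4s} from {pending['src_ip']:12s} "
              f"similarity={sim:.3f} -> {action}")
```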
Optionally, the plurality of attack features in the to-be-alarmed information comprises: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type; and acquiring the weight corresponding to each attack feature among the plurality of attack features in the to-be-alarmed information comprises:
acquiring statistics on all alarmed information within the preset time period, the statistics comprising the total number of alarmed messages and, for each attack feature, the number of alarmed messages corresponding to that attack feature;
for each attack feature, if the number of alarmed messages sharing the same attack feature, as a percentage of the total number of messages, exceeds a preset percentage, increasing the weight corresponding to that attack feature and correspondingly decreasing the weights corresponding to the remaining attack features;
taking the increased weight as the weight corresponding to that attack feature, and the correspondingly decreased weights as the weights corresponding to the remaining attack features.
Optionally, the plurality of attack features in the to-be-alarmed information comprises: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type; and acquiring the weight corresponding to each attack feature among the plurality of attack features in the to-be-alarmed information comprises:
acquiring statistics on all alarmed information within the preset time period, the statistics comprising a plurality of unit time intervals into which the preset time period is evenly divided and the number of alarmed messages occurring in each unit time interval;
if the number of alarmed messages occurring in a unit time interval exceeds a preset number, accumulating every unit time interval in which the number of alarmed messages exceeds the preset number, to obtain a cumulative duration;
if the cumulative duration as a percentage of the preset time period exceeds a preset percentage, increasing the weight corresponding to the attack time and correspondingly decreasing the weights corresponding to the remaining attack features;
taking the increased weight as the weight corresponding to the attack time, and the correspondingly decreased weights as the weights corresponding to the remaining attack features.
Optionally, the preset similarity condition is that the similarity exceeds a similarity threshold, and the similarity threshold is obtained by the following steps:
acquiring statistics on all alarmed information within a preset time period, the statistics comprising the total number of alarmed messages;
if the total number of alarmed messages is higher than a first preset alarm quantity and not less than a second preset alarm quantity, decreasing the similarity threshold and updating the similarity threshold to the decreased value, where the second preset alarm quantity is greater than the first preset alarm quantity;
if the total number of alarmed messages is higher than the first preset alarm quantity and less than the second preset alarm quantity, updating the similarity threshold to the total number of alarmed messages;
if the total number of alarmed messages is less than the first preset alarm quantity, increasing the similarity threshold and updating the similarity threshold to the increased value.
Optionally, decreasing the similarity threshold and updating it to the decreased value comprises decreasing the similarity threshold by a fixed number and updating the similarity threshold to the result of that decrease; and increasing the similarity threshold and updating it to the increased value comprises increasing the similarity threshold by a fixed number and updating the similarity threshold to the result of that increase.
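As an added example (not the patent's code), the two weight-adjustment rules and the threshold-adjustment rule described above, applied to a constructed set of alarmed messages from one preset time period. The boost step, the proportional redistribution of weight to the other features, the percentages, the unit-interval sizes and the 60% to 100% bounds on the threshold are assumptions; the band in which the text sets the threshold to the alarm total is left unchanged here, since the page gives no unit for that assignment.

```python
from collections import Counter
from typing import Dict, List

Alert = Dict[str, object]
FEATURES = ("attack_time", "src_ip", "dst_ip", "attack_type")
DEFAULT_WEIGHTS: Dict[str, float] = {
    "attack_time": 0.10, "src_ip": 0.40, "dst_ip": 0.20, "attack_type": 0.30,
}


def boost_feature(weights: Dict[str, float], feature: str, step: float) -> Dict[str, float]:
    """Raise one feature's weight by ``step`` and take that amount from the other
    features in proportion to their current weights, so the sum stays at 100%."""
    others = [f for f in weights if f != feature]
    others_total = sum(weights[f] for f in others)
    if others_total == 0:
        return dict(weights)  # nothing left to redistribute
    new = dict(weights)
    new[feature] = min(1.0, weights[feature] + step)
    taken = new[feature] - weights[feature]
    for f in others:
        new[f] = weights[f] - taken * weights[f] / others_total
    return new


def adjust_weights_by_value_share(weights: Dict[str, float], alerts: List[Alert],
                                  share_pct: float, step: float) -> Dict[str, float]:
    """Value-share rule: if more than ``share_pct`` of the period's alarmed messages
    carry the same value for a feature (e.g. one source IP), boost that feature.
    Attack time is handled by the burst rule instead (assumption)."""
    total = len(alerts)
    new = dict(weights)
    for feature in FEATURES:
        if feature == "attack_time" or total == 0:
            continue
        counts = Counter(a[feature] for a in alerts if feature in a)
        if counts and counts.most_common(1)[0][1] / total > share_pct:
            new = boost_feature(new, feature, step)
    return new


def adjust_time_weight_by_bursts(weights: Dict[str, float], alerts: List[Alert],
                                 period_start: int, period_len: int, unit_len: int,
                                 preset_times: int, share_pct: float, step: float) -> Dict[str, float]:
    """Burst rule: split the period into equal units, count alarmed messages per
    unit, accumulate the duration of units with more than ``preset_times`` messages,
    and boost the attack-time weight if that duration exceeds ``share_pct`` of the period."""
    n_units = period_len // unit_len
    per_unit = [0] * n_units
    for a in alerts:
        idx = (int(a["attack_time"]) - period_start) // unit_len
        if 0 <= idx < n_units:
            per_unit[idx] += 1
    busy = sum(unit_len for count in per_unit if count > preset_times)
    if busy / period_len > share_pct:
        return boost_feature(weights, "attack_time", step)
    return dict(weights)


def adjust_threshold(threshold: float, total_alerts: int, first_qty: int, second_qty: int,
                     step: float, floor: float = 0.6, cap: float = 1.0) -> float:
    """Threshold rule (second_qty > first_qty): heavy alarm volume lowers the
    threshold so more pending alerts count as repeats; light volume raises it.
    The band between the two quantities is left unchanged here (assumption)."""
    if second_qty <= first_qty:
        raise ValueError("the second preset alarm quantity must exceed the first")
    if total_alerts > first_qty and total_alerts >= second_qty:
        return max(floor, threshold - step)
    if total_alerts < first_qty:
        return min(cap, threshold + step)
    return threshold


def _alert(t: int, src: str, dst: str, kind: str) -> Alert:
    return {"attack_time": t, "src_ip": src, "dst_ip": dst, "attack_type": kind}


# Constructed statistics for one 3600 s period: 7 of 10 messages share a source IP,
# and two 600 s units each hold more than 3 messages.
PERIOD_ALERTS: List[Alert] = [
    _alert(10, "10.0.0.5", "192.168.1.10", "sqli"), _alert(20, "10.0.0.5", "192.168.1.11", "xss"),
    _alert(30, "10.0.0.5", "192.168.1.12", "sqli"), _alert(40, "10.0.0.5", "192.168.1.13", "rce"),
    _alert(610, "10.0.0.5", "192.168.1.10", "xss"), _alert(620, "10.0.0.5", "192.168.1.14", "sqli"),
    _alert(630, "10.0.0.5", "192.168.1.15", "lfi"), _alert(640, "198.51.100.2", "192.168.1.10", "sqli"),
    _alert(1800, "198.51.100.3", "192.168.1.16", "xss"), _alert(3000, "203.0.113.4", "192.168.1.17", "sqli"),
]


def tune_weights(alerts: List[Alert], weights: Dict[str, float] = DEFAULT_WEIGHTS) -> Dict[str, float]:
    """Apply both rules in sequence for the constructed period."""
    w = adjust_weights_by_value_share(weights, alerts, share_pct=0.5, step=0.1)
    return adjust_time_weight_by_bursts(w, alerts, period_start=0, period_len=3600,
                                        unit_len=600, preset_times=3, share_pct=0.3, step=0.1)


if __name__ == "__main__":
    tuned = tune_weights(PERIOD_ALERTS)
    for feature in FEATURES:
        print(f"{feature:12s} {DEFAULT_WEIGHTS[feature]:.3f} -> {tuned[feature]:.3f}")
    for total in (50, 200, 500):
        print(f"{total:4d} alarms: threshold 0.80 -> {adjust_threshold(0.8, total, 100, 300, 0.05):.2f}")
```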
Optionally, after determining the similarity between the to-be-alarmed information and the alarmed information, the method further comprises:
if the similarity between the to-be-alarmed information and the alarmed information satisfies the preset similarity condition, acquiring, among the alarmed information, the alarmed information with the highest similarity to the to-be-alarmed information;
acquiring the manner in which the attack in that highest-similarity alarmed information was handled, and handling the attack in the to-be-alarmed information in that manner.
In a second aspect, an embodiment of the present invention provides a network attack alarm device, comprising:
a first acquisition module, for acquiring to-be-alarmed information that requires an alarm when the network is attacked, the to-be-alarmed information comprising an attack feature of the attack to which the network is subjected;
a determining module, for determining the similarity between the to-be-alarmed information and alarmed information based on the similarity between the attack feature of the to-be-alarmed information and the attack feature of the alarmed information;
a first processing module, for alarming using the to-be-alarmed information when the similarity between the to-be-alarmed information and the alarmed information does not satisfy a preset similarity condition.
Optionally, the to-be-alarmed information comprises a plurality of attack features of the attack to which the network is subjected, and the determining module comprises:
a first computing module, for calculating, for each attack feature among the plurality of attack features in the to-be-alarmed information, the similarity between that attack feature and the corresponding attack feature of the alarmed information;
a second computing module, for calculating the similarity between the to-be-alarmed information and the alarmed information based on the similarities between each of the attack features in the to-be-alarmed information and the corresponding attack features of the alarmed information.
Optionally, the first computing module is specifically configured to: calculate the similarity between the attack feature and the corresponding attack feature of the alarmed information respectively; and perform an operation on that similarity according to the preset computing mode corresponding to the attack feature, to obtain the similarity between the attack feature and the corresponding attack feature of the alarmed information.
Optionally, the second computing module comprises:
an acquisition submodule, for acquiring the weight corresponding to each attack feature among the plurality of attack features in the to-be-alarmed information, where the weights corresponding to all of the attack features sum to 100%;
a weighting submodule, for weighting the similarity between each attack feature in the to-be-alarmed information and the corresponding attack feature of the alarmed information by the weight corresponding to that attack feature, to obtain a weighted result, the weighted result being taken as the similarity between the to-be-alarmed information and the alarmed information.
Optionally, the plurality of attack features in the to-be-alarmed information comprises: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type; and the acquisition submodule is specifically configured to:
acquire statistics on all alarmed information within the preset time period, the statistics comprising the total number of alarmed messages and, for each attack feature, the number of alarmed messages corresponding to that attack feature;
for each attack feature, if the number of alarmed messages sharing the same attack feature, as a percentage of the total number of messages, exceeds a preset percentage, increase the weight corresponding to that attack feature and correspondingly decrease the weights corresponding to the remaining attack features;
take the increased weight as the weight corresponding to that attack feature, and the correspondingly decreased weights as the weights corresponding to the remaining attack features.
Optionally, the plurality of attack features in the to-be-alarmed information comprises: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type; and the acquisition submodule is specifically configured to:
acquire statistics on all alarmed information within the preset time period, the statistics comprising a plurality of unit time intervals into which the preset time period is evenly divided and the number of alarmed messages occurring in each unit time interval;
if the number of alarmed messages occurring in a unit time interval exceeds a preset number, accumulate every unit time interval in which the number of alarmed messages exceeds the preset number, to obtain a cumulative duration;
if the cumulative duration as a percentage of the preset time period exceeds a preset percentage, increase the weight corresponding to the attack time and correspondingly decrease the weights corresponding to the remaining attack features;
take the increased weight as the weight corresponding to the attack time, and the correspondingly decreased weights as the weights corresponding to the remaining attack features.
Optionally, the preset similarity condition is that the similarity exceeds a similarity threshold, and the similarity threshold is obtained by a second acquisition module, which is configured to:
acquire statistics on all alarmed information within a preset time period, the statistics comprising the total number of alarmed messages;
if the total number of alarmed messages is higher than a first preset alarm quantity and not less than a second preset alarm quantity, decrease the similarity threshold and update the similarity threshold to the decreased value, where the second preset alarm quantity is greater than the first preset alarm quantity;
if the total number of alarmed messages is higher than the first preset alarm quantity and less than the second preset alarm quantity, update the similarity threshold to the total number of alarmed messages;
if the total number of alarmed messages is less than the first preset alarm quantity, increase the similarity threshold and update the similarity threshold to the increased value.
Optionally, the second acquisition module is specifically configured to decrease the similarity threshold by a fixed number and update the similarity threshold to the result of that decrease, and to increase the similarity threshold by a fixed number and update the similarity threshold to the result of that increase.
Optionally, the device further comprises:
a third acquisition module, for acquiring, after the determining module has determined the similarity between the to-be-alarmed information and the alarmed information and if that similarity satisfies the preset similarity condition, the alarmed information with the highest similarity to the to-be-alarmed information from among the alarmed information;
a second processing module, for acquiring the manner in which the attack in the highest-similarity alarmed information was handled, and handling the attack in the to-be-alarmed information in that manner.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another via the communication bus;
the memory is for storing a computer program;
the processor, when executing the program stored in the memory, implements the method steps of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method steps of the first aspect.
In a fifth aspect, an embodiment of the present invention provides computer equipment comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another via the bus; the memory is for storing a computer program; and the processor executes the program stored in the memory to implement the method steps of the first aspect.
In a sixth aspect, an embodiment of the present invention provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the first aspect.
In a seventh aspect, an embodiment of the present invention provides a computer program which, when run on a computer, causes the computer to perform the steps of the first aspect.
The network attack alarm method and device provided by embodiments of the present invention acquire to-be-alarmed information that requires an alarm when the network is attacked; determine the similarity between the to-be-alarmed information and alarmed information based on the similarity between the attack feature of the to-be-alarmed information and the attack feature of the alarmed information; and alarm using the to-be-alarmed information when that similarity does not satisfy the preset similarity condition.
Because only to-be-alarmed information whose similarity does not satisfy the preset similarity condition is alarmed, repeated alarms for alarm information with high similarity are avoided, which reduces the redundancy of alarm information, further reduces the volume of alarm information in the system, and makes it easier for the administrator to extract alarm information.
Of course, any product or method implementing the present invention need not necessarily achieve all of the above advantages at the same time.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the network attack alarm method of an embodiment of the present invention;
Fig. 2 is a first structural schematic diagram of the network attack alarm method of an embodiment of the present invention;
Fig. 3 is a second structural schematic diagram of the network attack alarm method of an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the electronic device of an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To address the prior-art problem that the system holds a large volume of alarm information and the administrator has difficulty extracting alarm information from the threat information within it, embodiments of the present invention provide a network attack alarm method and device that use the similarity between to-be-alarmed information and alarmed information: when that similarity does not satisfy a preset similarity condition, the to-be-alarmed information is used to alarm. Alarming only the to-be-alarmed information whose similarity does not satisfy the preset similarity condition avoids repeated alarms for highly similar alarm information, thereby reducing the redundancy of alarm information, further reducing the volume of alarm information in the system, and making it easier for the administrator to extract alarm information.
The network attack alarm method provided by the embodiments of the present invention is introduced first.
The network attack alarm method provided by the embodiments of the present invention can be applied in the internet industry and, specifically, to electronic equipment.
As shown in Fig. 1, the network attack alarm method provided by an embodiment of the present invention may comprise the following steps:
Step 101: acquiring to-be-alarmed information that requires an alarm when the network is attacked, the to-be-alarmed information comprising an attack feature of the attack to which the network is subjected.
In one embodiment there is a single attack feature. Characterising the attack suffered by the network with a single attack feature uses little information and occupies little running memory.
In other embodiments there are several attack features. Characterising the attack suffered by the network with several attack features makes the determined similarity between the to-be-alarmed information and the alarmed information more accurate.
Attack features may include, but are not limited to, the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type.
Step 102: determining the similarity between the to-be-alarmed information and the alarmed information based on the similarity between the attack feature of the to-be-alarmed information and the attack feature of the alarmed information.
When the similarity between the to-be-alarmed information and the alarmed information does not satisfy the preset similarity condition, the to-be-alarmed information differs from the existing alarmed information, and the to-be-alarmed information is used to alarm.
In one embodiment, the attack feature of the alarmed information in step 102 may be obtained as follows: the attack features of the alarmed information are first stored in a preset database, and step 102 then reads the attack feature of the alarmed information directly from that preset database.
In one embodiment, the similarity in step 102 between the attack feature of the to-be-alarmed information and the attack feature of the alarmed information may be determined as follows:
First, the attack features of the to-be-alarmed information are compared with the attack features of the alarmed information, distinguishing the attack features of the alarmed information that correspond to an attack feature of the to-be-alarmed information from the attack features of the alarmed information that do not correspond to any attack feature of the to-be-alarmed information;
Then, for each attack feature of the alarmed information that corresponds to an attack feature of the to-be-alarmed information, the similarity between the attack feature of the to-be-alarmed information and the corresponding attack feature of the alarmed information is calculated;
For each attack feature of the alarmed information that does not correspond to any attack feature of the to-be-alarmed information, the similarity between the attack feature of the to-be-alarmed information and that non-corresponding attack feature is taken to be zero. A non-corresponding attack feature of the alarmed information indicates that the attack feature of the to-be-alarmed information differs from it.
In one embodiment, when the to-be-alarmed information comprises a single attack feature of the attack to which the network is subjected, step 102 determines the similarity between the to-be-alarmed information and the alarmed information as follows: the similarity between the attack feature of the to-be-alarmed information and the corresponding attack feature of the alarmed information is taken as the similarity between the to-be-alarmed information and the alarmed information. In this way, when the to-be-alarmed information contains only a single attack feature of the attack to which the network is subjected, that attack feature alone can be used to determine the similarity between the to-be-alarmed information and the alarmed information quickly.
In other embodiments, when the to-be-alarmed information comprises a plurality of attack features of the attack to which the network is subjected, step 102 determines the similarity between the to-be-alarmed information and the alarmed information as follows: for each attack feature among the plurality of attack features in the to-be-alarmed information, the similarity between that attack feature and the corresponding attack feature of the alarmed information is calculated, and the similarity between the to-be-alarmed information and the alarmed information is then calculated based on the similarities between each of the attack features in the to-be-alarmed information and the corresponding attack features of the alarmed information. In this way, when the to-be-alarmed information contains several attack features of the attack to which the network is subjected, all of those attack features can be used to determine the similarity between the to-be-alarmed information and the alarmed information accurately.
Step 103: when the similarity between the message to be alarmed and the alarmed message does not satisfy a preset similarity condition, an alarm is raised with the message to be alarmed.
The preset similarity condition is set according to user or industry needs. It can be fixed or adjusted dynamically.
In one embodiment, the preset similarity condition is that the similarity is greater than a similarity threshold, and the similarity threshold can take a value in the range 60% to 100%. The larger the similarity threshold, the higher the accuracy with which the similarity between the message to be alarmed and the existing alarmed message is determined.
In other embodiments, the preset similarity condition in step 103 is that the similarity is greater than a similarity threshold, and the value of the similarity threshold can be obtained by the following steps:
First, obtain the statistics of all alarmed messages in a preset time period; the statistics include the total number of alarmed messages. Then compare the total number of alarmed messages in the statistics with a first preset alarm quantity and with a second preset alarm quantity.
If the total number of alarmed messages is higher than the first preset alarm quantity and not less than the second preset alarm quantity, reduce the similarity threshold and update the similarity threshold to the reduced value.
If the total number of alarmed messages is higher than the first preset alarm quantity and less than the second preset alarm quantity, the similarity threshold is retained for this total of alarmed messages; here the second preset alarm quantity is greater than the first preset alarm quantity.
If the total number of alarmed messages is less than the first preset alarm quantity, increase the similarity threshold and update the similarity threshold to the increased value.
The preset time period can be set according to user and industry needs. For example, the preset time period is 1 hour, half a day, one day, two weeks or one month.
In one embodiment, the statistics of all alarmed messages in the preset time period can be obtained as follows: the information of all alarmed messages in the preset time period is first recorded and counted in a preset database, and this step then obtains the statistics of all alarmed messages in the preset time period from that database.
In other embodiments, the statistics of all alarmed messages in the preset time period can be obtained as follows: a terminal first records the information of all alarmed messages in the preset time period; the user then uses the terminal to feed the recorded information, that is, the information of all alarmed messages in the preset time period, back to the electronic device. Correspondingly, the electronic device receives the information of all alarmed messages in the preset time period fed back by the user, and this step obtains that information from the user's feedback. The terminal can be any terminal, for example a mobile phone; any terminal that can implement the embodiment of the present invention falls within the scope of protection of the present invention.
The user can select, on a feedback page of the electronic device, a select button for feeding back the information of all alarmed messages in the preset time period, and then feed that information back to the electronic device. Correspondingly, the electronic device receives the selection signal of the select button on the feedback page and then starts receiving the information of all alarmed messages in the preset time period fed back by the user.
The first preset alarm quantity and the second preset alarm quantity can be set according to user or industry needs. By comparing the total number of alarmed messages with the first preset alarm quantity and the second preset alarm quantity, the similarity threshold can be adjusted.
If the total number of alarmed messages received is greater than the second preset alarm quantity, the total is too large and it is difficult for the user to extract alarm information, so the similarity threshold needs to be reduced. This filters out the messages with lower similarity, that is, the messages that differ more from the existing ones, and so reduces the number of alarm messages in use.
If the total number of alarmed messages received is less than the first preset alarm quantity, the total is too small and the alarm information is too limited; although the user can extract alarm information easily, the electronic device may have had no alarm messages during part of the preset time period, so the user cannot extract enough of them. The similarity threshold therefore needs to be increased, which filters out the messages whose similarity is not high, that is, the messages that differ little from the existing ones, and so increases the number of alarm messages in use.
Reducing the similarity threshold can mean subtracting a fixed number from the similarity threshold, so that the updated similarity threshold is the threshold reduced by the fixed number. The fixed number can be determined according to user and industry requirements; for example, it can take a value in the range 0.5% to 10%. The similarity threshold is then reduced by the fixed number on each adjustment, which makes every adjustment convenient.
If the total number of alarmed messages is higher than the first preset alarm quantity and less than the second preset alarm quantity, the configured similarity threshold is suitable.
Increasing the similarity threshold can mean adding a fixed number to the similarity threshold, so that the updated similarity threshold is the threshold increased by the fixed number. This fixed number is similar to the fixed number used for reducing the similarity threshold and achieves the same or a similar beneficial effect, so it is not repeated here.
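The threshold adjustment described above, as an added example (not the patent's own code): the alarmed messages of a preset time period are counted from an in-memory log that stands in for the preset database, and the three-branch rule moves the similarity threshold by a fixed number. The concrete preset quantities, the fixed number of 5% and the clamping to the stated 60%..100% range are assumptions.

```python
from typing import List, Tuple

# The description gives 60%..100% for the similarity threshold; keeping the
# adjusted value inside that range is an assumption of this example.
THRESHOLD_MIN, THRESHOLD_MAX = 60.0, 100.0

# Constructed stand-in for the "preset database": (timestamp in hours, message id).
SAMPLE_LOG: List[Tuple[float, str]] = [
    (0.5, "alarm-1"), (1.5, "alarm-2"), (3.9, "alarm-3"), (4.5, "alarm-4"),
]


def count_alarms(alarm_log: List[Tuple[float, str]],
                 period_start: float, period_end: float) -> int:
    """Total number of alarmed messages whose timestamp falls in the preset period."""
    return sum(1 for ts, _ in alarm_log if period_start <= ts < period_end)


def adjust_similarity_threshold(total_alarms: int, first_preset: int,
                                second_preset: int, threshold: float,
                                fixed_number: float = 5.0) -> float:
    """Apply the three-branch rule of the description and return the new threshold.

    total_alarms  - total number of alarmed messages in the preset time period
    first_preset  - first preset alarm quantity
    second_preset - second preset alarm quantity (must exceed the first)
    threshold     - current similarity threshold, in percent
    fixed_number  - fixed number (0.5%..10% in the description; 5% assumed here)
    """
    if second_preset <= first_preset:
        raise ValueError("second preset alarm quantity must exceed the first")
    if total_alarms > first_preset and total_alarms >= second_preset:
        new = threshold - fixed_number      # too many alarms: reduce the threshold
    elif total_alarms < first_preset:
        new = threshold + fixed_number      # too few alarms: increase the threshold
    else:
        new = threshold                     # otherwise the configured threshold is suitable
    return max(THRESHOLD_MIN, min(THRESHOLD_MAX, new))


def retune_threshold(alarm_log: List[Tuple[float, str]], period_start: float,
                     period_end: float, first_preset: int, second_preset: int,
                     threshold: float, fixed_number: float = 5.0) -> float:
    """Count the period's alarms and return the updated similarity threshold."""
    total = count_alarms(alarm_log, period_start, period_end)
    return adjust_similarity_threshold(total, first_preset, second_preset,
                                       threshold, fixed_number)


if __name__ == "__main__":
    # Period [0, 4) hours holds 3 alarms; with presets (2, 3) that triggers a reduction.
    print(retune_threshold(SAMPLE_LOG, 0.0, 4.0, 2, 3, 80.0))
```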
It can be seen that, in the embodiment of the present invention, an alarm is raised for a message to be alarmed only when its similarity does not satisfy the preset similarity condition, so repeated alarms for messages with high similarity are avoided. This reduces the redundancy of alarm messages, further reduces the alarm messages of the system, makes it easier for the administrator to extract alarm information, and also improves the security of the system.
In one embodiment, calculating the similarity between the message to be alarmed and the alarmed message based on the similarity between each attack signature of the message to be alarmed and the attack signature of the corresponding alarmed message includes:
calculating the similarity between each attack signature and the attack signature of the corresponding alarmed message separately;
according to a preset computing mode corresponding to the attack signature, performing the computation on the attack signature and the attack signature of the corresponding alarmed message to obtain the similarity between the attack signature and the attack signature of the corresponding alarmed message.
When the attack signature is the attack time, this step obtains the similarity between the attack signature and the attack signature of the corresponding alarmed message as follows:
the attack time in the message to be alarmed and the attack time in each corresponding alarmed message are subtracted to obtain a first time interval between the first attack time and the second attack time;
according to a correspondence between time interval and similarity, a first similarity corresponding to the first time interval is determined, and the first similarity is taken as the similarity between the attack time in the message to be alarmed and the attack time of the corresponding alarmed message.
In one embodiment, the correspondence between time interval and similarity can be represented by a table; Table 1 is such a correspondence between time interval and similarity.
Table 1

| Time interval | Similarity |
| --- | --- |
| 0~0.2 | 100 |
| 0.2~0.4 | 80 |
| 0.4~0.6 | 60 |
| 0.6~0.8 | 30 |
| 0.8~1 | 10 |
| More than 1 | 0 |
For example, if the first time interval between the first attack time and the second attack time is 0.8 hours, the corresponding first similarity is 10; that is, the similarity between the attack time in the message to be alarmed and the attack time of the corresponding alarmed message is 10.
The unit of the time interval can be minutes, hours or days. The time ranges given above are merely illustrative. If a more accurate similarity between the attack time in the message to be alarmed and the attack time of the corresponding alarmed message is required, the time range between 0 and 1 is divided more finely, and the similarity corresponding to each time range is set more finely as well.
In other embodiments, the correspondence between time interval and similarity can be represented by an inverse proportion function; any inverse proportion function in which time interval and similarity are inversely related falls within the scope of protection of the embodiment of the present invention.
An exemplary inverse proportion function is:
where x is the time interval, whose value is a natural number greater than or equal to 0; Y is the similarity; k is the inverse proportion coefficient, whose value is a natural number greater than or equal to 0; the unit of k and x can be minutes, hours or days; and the inverse proportion coefficient can be configured according to user needs. Examples are not enumerated one by one here.
When the attack signature is an IP address, that is, the traffic source IP address of the attack or the traffic destination IP address of the attack, this step obtains the similarity between the attack signature in the message to be alarmed and the attack signature of the corresponding alarmed message as follows:
convert the IP address in the message to be alarmed to a binary IP address, and convert the IP address in each alarmed message corresponding to the attack signature in the message to be alarmed to a binary IP address;
using a Hamming distance function, calculate a first Hamming distance between the binary IP address converted from the IP address in the message to be alarmed and the binary IP address converted from the IP address in each alarmed message corresponding to the attack signature in the message to be alarmed; using all the first Hamming distances, calculate a second Hamming distance between the attack signature in the message to be alarmed and the attack signature of the alarmed messages corresponding to it.
According to a correspondence between Hamming distance and similarity, determine a second similarity corresponding to the second Hamming distance, and take the second similarity as the similarity between the attack signature in the message to be alarmed and the attack signature of the alarmed messages corresponding to the attack signature in the message to be alarmed.
In one embodiment, the correspondence between Hamming distance and similarity can be represented by a table; Table 2 is such a correspondence between Hamming distance and similarity.
Table 2

| Hamming distance | Similarity |
| --- | --- |
| Less than the default Hamming distance | 100 |
| More than the default Hamming distance | 0 |
The preset correspondence between Hamming distance and similarity can be configured according to user needs; the default Hamming distance and the similarity can be adjusted and are not repeated here.
In other embodiments, the correspondence between Hamming distance and similarity can be a function characterising Hamming distance and similarity.
The Hamming distance function can be:
where:
H is the first Hamming distance between the attack signature in the message to be alarmed and the attack signature of the corresponding alarmed message; n is the number of characters of the binary IP address converted from the IP address in the message to be alarmed, or of the binary IP address converted from the IP address in each alarmed message corresponding to the attack signature in the message to be alarmed. Note that n is generally the larger of the two character counts, that is, the number of characters of the longer of the binary IP address converted from the IP address in the message to be alarmed and the binary IP address converted from the IP address in each alarmed message corresponding to the attack signature in the message to be alarmed. When V_i is the i-th character of the binary IP address converted from the IP address in the message to be alarmed, V_j is the j-th character of the binary IP address converted from the IP address in each alarmed message corresponding to the attack signature in the message to be alarmed; or, when V_i is the i-th character of the binary IP address converted from the IP address in each alarmed message corresponding to the attack signature in the message to be alarmed, V_j is the j-th character of the binary IP address converted from the IP address in the message to be alarmed.
The function characterising Hamming distance and similarity is:
where Adj(P, T) is the second similarity between the string P corresponding to the binary IP address converted from the IP address in the message to be alarmed and the string T corresponding to the binary IP address converted from the IP address in each alarmed message corresponding to the attack signature in the message to be alarmed; H is the first Hamming distance between the attack signature in the message to be alarmed and the attack signature of the alarmed message corresponding to the attack signature in the message to be alarmed; and maxH is the maximum first Hamming distance between the attack signature in the message to be alarmed and the attack signatures of the alarmed messages corresponding to the attack signature in the message to be alarmed.
For example, with a preset threshold B: when Adj(P, T) > B, the attack signature in the message to be alarmed and the attack signature of the alarmed message corresponding to it differ; when Adj(P, T) ≤ B, the attack signature in the message to be alarmed and the attack signature of the alarmed message corresponding to it are the same.
When the attack signature is the attack type, this step obtains the similarity between the attack signature and the attack signature of the corresponding alarmed message as follows:
convert the attack type in the message to be alarmed into a first attack state;
compare the first attack state with the attack states in a state transition diagram formed from the attack types of each corresponding alarmed message, and determine the state transition probability of the first attack state, where the state transition probability characterises the probability that the first attack state becomes an attack state in the state transition diagram;
average the state transition probabilities, and take the average of the state transition probabilities as the similarity between the attack type in the message to be alarmed and the attack type of the corresponding alarmed message.
In one embodiment, calculating the similarity between the message to be alarmed and the alarmed message based on the similarity between each of the multiple attack signatures in the message to be alarmed and the attack signature of the corresponding alarmed message includes:
In one specific embodiment, the similarities of the individual attack signatures among the multiple attack signatures in the message to be alarmed are summed, and the sum is taken as the similarity between the message to be alarmed and the alarmed message. Calculating the similarity between the message to be alarmed and the alarmed message as a sum is convenient and fast.
In other embodiments:
First step: obtain the weight corresponding to each of the multiple attack signatures in the message to be alarmed, where the weight of each attack signature is determined by the importance of that attack signature, and the weights of all attack signatures sum to 100%.
Second step: weight the similarity between each of the multiple attack signatures in the message to be alarmed and the attack signature of the corresponding alarmed message by the weight of that attack signature to obtain a weighted result.
Third step: take the weighted result as the similarity between the message to be alarmed and the alarmed message.
Optionally, the feature vector defined by the multiple attack signatures in the message to be alarmed is (time, src_ip, dest_ip, type), where the feature time denotes the attack time, the feature src_ip denotes the traffic source IP of the attack, the feature dest_ip denotes the traffic destination IP of the attack, and the feature type denotes the attack type.
According to the step of obtaining the similarity between the attack signature and the attack signature of the corresponding alarmed message, the similarities of the attack time, the traffic source IP of the attack, the traffic destination IP of the attack and the attack type are determined respectively; they are denoted Sim(time), Sim(src_ip), Sim(dst_ip) and Sim(type).
The weights corresponding to the attack time, the traffic source IP of the attack, the traffic destination IP of the attack and the attack type are p, q, m and n respectively.
The weighted result SIM is calculated as:
SIM = Sim(time) × p + Sim(src_ip) × q + Sim(dst_ip) × m + Sim(type) × n,
and the weighted result SIM is taken as the similarity between the message to be alarmed and the alarmed message. p, q, m and n can be set to fixed values or to variable values; specifically, p, q, m and n can be set according to user or industry needs.
In the embodiment described, the weight of each attack signature is obtained first and the similarity between the message to be alarmed and the alarmed message is then calculated by weighting, so the similarity is calculated according to the importance of each attack signature. This meets the different needs of users or electronic devices for different attack signatures and also improves the accuracy of the calculated similarity.
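The per-feature similarities and the weighted score SIM above, as an added example (not the patent's own code), carried through to the step 103 decision: Sim(time) uses Table 1, Sim(src_ip) and Sim(dst_ip) use a Hamming distance over the 32-bit binary IPv4 address and Table 2, and Sim(type) averages state-transition probabilities between attack types. The hour unit, the default Hamming distance of 8, the transition probabilities, the weights and the sample messages are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Table 1: (upper bound of the time interval, similarity). Unit assumed to be
# hours; buckets are left-closed so that an interval of exactly 0.8 maps to 10,
# as in the description's example.
TIME_TABLE = [(0.2, 100), (0.4, 80), (0.6, 60), (0.8, 30), (1.0, 10)]
DEFAULT_HAMMING = 8   # Table 2's "default Hamming distance"; the value is an assumption

# Constructed state-transition probabilities between attack types: one reading
# of the "state transition diagram" in the description, not data from the patent.
TRANSITIONS: Dict[Tuple[str, str], float] = {
    ("scan", "scan"): 1.0, ("scan", "bruteforce"): 0.6,
    ("bruteforce", "bruteforce"): 1.0, ("bruteforce", "scan"): 0.2,
}


@dataclass
class Alert:
    time: float        # attack time, in hours
    src_ip: str        # traffic source IP of the attack
    dst_ip: str        # traffic destination IP of the attack
    attack_type: str   # attack type


def time_similarity(t_pending: float, t_alarmed: float) -> int:
    """Sim(time): look the absolute time interval up in Table 1."""
    interval = abs(t_pending - t_alarmed)
    for upper, sim in TIME_TABLE:
        if interval < upper:
            return sim
    return 0                                     # the "more than 1" row


def ip_hamming(ip_a: str, ip_b: str) -> int:
    """First Hamming distance between the 32-bit binary forms of two IPv4 addresses."""
    a = int(ipaddress.IPv4Address(ip_a))
    b = int(ipaddress.IPv4Address(ip_b))
    return bin(a ^ b).count("1")


def ip_similarity(ip_a: str, ip_b: str, limit: int = DEFAULT_HAMMING) -> int:
    """Sim(src_ip) / Sim(dst_ip) per Table 2: below the default Hamming distance -> 100, else 0."""
    return 100 if ip_hamming(ip_a, ip_b) < limit else 0


def type_similarity(pending_type: str, alarmed_types: List[str],
                    transitions: Dict[Tuple[str, str], float] = TRANSITIONS) -> float:
    """Sim(type): mean probability that the pending type's state moves to each
    alarmed type's state, scaled to 0..100."""
    if not alarmed_types:
        return 0.0
    probs = [transitions.get((pending_type, t), 0.0) for t in alarmed_types]
    return 100.0 * sum(probs) / len(probs)


def weighted_similarity(pending: Alert, alarmed: Alert,
                        weights: Tuple[float, float, float, float]) -> float:
    """SIM = Sim(time)*p + Sim(src_ip)*q + Sim(dst_ip)*m + Sim(type)*n with p+q+m+n = 100 %."""
    p, q, m, n = weights
    if abs(p + q + m + n - 1.0) > 1e-9:
        raise ValueError("weights must sum to 100 %")
    return (time_similarity(pending.time, alarmed.time) * p
            + ip_similarity(pending.src_ip, alarmed.src_ip) * q
            + ip_similarity(pending.dst_ip, alarmed.dst_ip) * m
            + type_similarity(pending.attack_type, [alarmed.attack_type]) * n)


def decide(pending: Alert, alarmed: List[Alert], weights: Tuple[float, float, float, float],
           threshold: float = 80.0) -> Tuple[bool, Optional[Alert], float]:
    """Step 103: raise an alarm only when the best similarity does not exceed the
    threshold. Returns (raise_alarm, most similar alarmed message, its similarity)."""
    if not alarmed:
        return True, None, 0.0
    scored = [(weighted_similarity(pending, a, weights), a) for a in alarmed]
    best_sim, best = max(scored, key=lambda s: s[0])
    return best_sim <= threshold, best, best_sim


# Constructed sample data: one alarmed message and two messages to be alarmed.
ALARMED = [Alert(1.0, "10.0.0.5", "192.168.1.10", "scan")]
WEIGHTS = (0.3, 0.3, 0.2, 0.2)          # p, q, m, n
PENDING_DUPLICATE = Alert(1.1, "10.0.0.7", "192.168.1.10", "scan")
PENDING_NEW = Alert(3.0, "203.0.113.9", "192.168.1.10", "bruteforce")

if __name__ == "__main__":
    for name, msg in (("duplicate", PENDING_DUPLICATE), ("new", PENDING_NEW)):
        alarm, best, sim = decide(msg, ALARMED, WEIGHTS)
        print(f"{name}: SIM={sim:.1f} alarm={alarm}")
```

The near-duplicate scores 100 and is suppressed; the message from a distant source with a different attack type scores 24 and is alarmed.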
In one embodiment, obtaining the weight corresponding to each of the multiple attack signatures in the message to be alarmed includes:
obtaining the statistics of all alarmed messages in the preset time period, where the statistics of all alarmed messages include the total number of alarmed messages and the number of alarmed messages corresponding to each attack signature;
for each attack signature, if the number of alarmed messages corresponding to the same attack signature in the statistics of all alarmed messages, as a percentage of the total number of messages, is greater than a preset percentage, increasing the weight corresponding to that attack signature and correspondingly reducing the weights corresponding to the remaining attack signatures other than that attack signature;
taking the increased weight as the weight corresponding to that attack signature, and taking the correspondingly reduced weights as the weights corresponding to the remaining attack signatures other than that attack signature.
The preset percentage can be configured according to user and industry needs; for example, the preset percentage can take a value in the range 20% to 40%.
In the embodiment of the present invention, the weight corresponding to an attack signature is adjusted when the number of alarmed messages corresponding to the same attack signature in the statistics of all alarmed messages, as a percentage of the total number of messages, is greater than the preset percentage. The similarity between the message to be alarmed and the alarmed message can thus be calculated according to the actual situation and the importance of each attack signature, which also improves the accuracy of the result.
For example, for the traffic source IP address of the attack: if the number of alarmed messages corresponding to the same attack traffic source IP address in the statistics of all alarmed messages, as a percentage of the total number of messages, is greater than 30%, the weight corresponding to that attack signature is increased and the weights corresponding to the remaining attack signatures other than that attack signature are reduced accordingly.
Increasing the weight corresponding to the attack signature can mean adding a fixed number, and reducing the weights corresponding to the remaining attack signatures other than that attack signature can mean subtracting a fixed number. The fixed number can be determined according to user and industry requirements; for example, the fixed number can take a value in the range 0.5% to 10%. The weight is then changed by the fixed number on each adjustment, which makes every adjustment of the weight convenient.
In the embodiment of the present invention, automatically adjusting the weight corresponding to each attack signature adapts better to the actual alarm scenario and improves the accuracy of alarming.
In another embodiment, obtaining the weight corresponding to each of the multiple attack signatures in the message to be alarmed includes:
first obtaining the statistics of all alarmed messages in the preset time period, where the statistics of all alarmed messages include the number of alarmed messages occurring in each of multiple unit intervals into which the preset time period is evenly divided;
if the number of alarmed messages occurring in a unit interval is greater than a preset number, accumulating each unit interval in which the number of alarmed messages occurring is greater than the preset number to obtain a cumulative duration (the preset number can be set according to user needs);
if the cumulative duration, as a percentage of the preset time period, is greater than a preset percentage, increasing the weight corresponding to the attack time and correspondingly reducing the weights corresponding to the remaining attack signatures other than the attack time;
taking the increased weight as the weight corresponding to the attack time, and taking the correspondingly reduced weights as the weights corresponding to the remaining attack signatures other than the attack time.
A concrete implementation of obtaining the weights of the attack signatures is as follows:
the preset time period is 5 seconds, each unit interval is 1 second, and the preset time period contains 5 unit intervals;
the number of alarmed messages occurring in the 1st second is 20;
the number of alarmed messages occurring in the 2nd second is 10;
the number of alarmed messages occurring in the 3rd second is 0;
the number of alarmed messages occurring in the 4th second is 5;
the number of alarmed messages occurring in the 5th second is 12.
Assuming the preset number is 8, the numbers of alarmed messages occurring in the 1st second, the 2nd second and the 5th second are each greater than 8. Accumulating the 1st second, the 2nd second and the 5th second, in which the number of alarmed messages occurring is greater than 8, gives a cumulative duration of 3 seconds; in each of these 3 seconds more than 8 alarmed messages occurred.
Assuming the preset percentage is 30%, 3 seconds as a percentage of 5 seconds is 60%; 60% is greater than 30%, so the weight corresponding to the attack time is increased and the weights corresponding to the remaining attack signatures other than the attack time are reduced accordingly.
The increased weight is taken as the weight corresponding to the attack time, and the correspondingly reduced weights are taken as the weights corresponding to the remaining attack signatures other than the attack time.
In the embodiment of the present invention, automatically adjusting the weight corresponding to each attack signature adapts better to the actual alarm scenario and improves the accuracy of alarming the message to be alarmed.
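Both weight rules above (the per-signature share of alarmed messages, and the cumulative duration of bursty unit intervals), as an added example (not the patent's own code) run on the worked numbers of the description: counts of 20, 10, 0, 5 and 12 per second, a preset number of 8 and a preset percentage of 30%. Spreading the reduction evenly over the remaining attack signatures so that the weights still sum to 100%, the feature names and the fixed number of 3% are assumptions.

```python
from typing import Dict, List, Tuple

Weights = Dict[str, float]   # attack signature name -> weight; the weights sum to 1.0 (100 %)

# Constructed starting weights for the feature vector (time, src_ip, dest_ip, type).
INITIAL_WEIGHTS: Weights = {"time": 0.25, "src_ip": 0.25, "dest_ip": 0.25, "type": 0.25}


def redistribute(weights: Weights, boosted: str, fixed_number: float) -> Weights:
    """Add fixed_number to the boosted signature's weight and take the same total
    from the remaining signatures in equal shares, so the sum stays at 100 %."""
    others = [f for f in weights if f != boosted]
    if not others:
        return dict(weights)
    new = dict(weights)
    new[boosted] = weights[boosted] + fixed_number
    for f in others:
        new[f] = weights[f] - fixed_number / len(others)
    return new


def cumulative_duration(counts_per_unit: List[int], preset_times: int,
                        unit_seconds: int = 1) -> int:
    """Sum of the unit intervals whose alarm count exceeds the preset number."""
    return sum(unit_seconds for c in counts_per_unit if c > preset_times)


def adjust_weights_by_burst(weights: Weights, counts_per_unit: List[int],
                            period_seconds: int, preset_times: int,
                            preset_percentage: float, fixed_number: float,
                            unit_seconds: int = 1) -> Tuple[Weights, float]:
    """Second rule: boost the attack-time weight when the bursty unit intervals
    cover more than preset_percentage of the preset time period.
    Returns (new weights, cumulative duration as a percentage of the period)."""
    duration = cumulative_duration(counts_per_unit, preset_times, unit_seconds)
    share = 100.0 * duration / period_seconds
    if share > preset_percentage:
        return redistribute(weights, "time", fixed_number), share
    return dict(weights), share


def adjust_weights_by_share(weights: Weights, counts_per_signature: Dict[str, int],
                            total_messages: int, preset_percentage: float,
                            fixed_number: float) -> Weights:
    """First rule: boost every signature whose share of all alarmed messages in
    the period exceeds preset_percentage."""
    new = dict(weights)
    if total_messages <= 0:
        return new
    for sig, count in counts_per_signature.items():
        if sig in new and 100.0 * count / total_messages > preset_percentage:
            new = redistribute(new, sig, fixed_number)
    return new


if __name__ == "__main__":
    # The description's numbers: 5 s period, 1 s units, counts 20/10/0/5/12, preset 8, 30 %.
    w, pct = adjust_weights_by_burst(INITIAL_WEIGHTS, [20, 10, 0, 5, 12], 5, 8, 30.0, 0.03)
    print(f"cumulative share {pct:.0f}% -> weights {w}")
```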
In one embodiment, after step 103 the method further includes:
when the similarity between the message to be alarmed and the alarmed message satisfies the preset similarity condition, obtaining, from among the alarmed messages, the alarmed message with the highest similarity to the message to be alarmed;
obtaining the way in which the attack was handled for that highest-similarity alarmed message, and handling the attack in the message to be alarmed in that way.
The ways of handling the attack include adding a blacklist. Any way in which the user handles the attack after the alarm message has been alarmed to the user falls within the scope of protection of the embodiment of the present invention and is not repeated here.
In the embodiment of the present invention, after the message to be alarmed is compared with the alarmed messages, if the similarity is higher than the preset threshold, the similarity is large and the difference from the already-alarmed message is small, so the attack handling operation corresponding to the already-alarmed message is applied directly. This reduces the administrator's time for analysing and handling the message to be alarmed, greatly improves the timeliness with which the administrator handles the attack on the network, and so improves the overall security of the network system.
As shown in Fig. 2, the embodiment of the present invention also provides a network attack alarm device, including:
a first acquisition module 201 for obtaining a message to be alarmed about an attack suffered by the network, where the message to be alarmed includes an attack signature of the attack suffered by the network;
a determining module 202 for determining the similarity between the message to be alarmed and an alarmed message based on the similarity between the attack signature of the message to be alarmed and the attack signature of the alarmed message;
a first processing module 203 for raising an alarm with the message to be alarmed when the similarity between the message to be alarmed and the alarmed message does not satisfy a preset similarity condition.
On the basis of Fig. 2, and as shown in Fig. 3, optionally the message to be alarmed includes multiple attack signatures of the attack suffered by the network;
the determining module 202 includes:
a first computing module 301 for calculating, for each of the multiple attack signatures in the message to be alarmed, the similarity between that attack signature and the attack signature of the corresponding alarmed message;
a second computing module 302 for calculating the similarity between the message to be alarmed and the alarmed message based on the similarity between each attack signature of the message to be alarmed and the attack signature of the corresponding alarmed message.
Optionally, the first computing module 301 is specifically configured to:
calculate the similarity between each attack signature and the attack signature of the corresponding alarmed message separately;
according to a preset computing mode corresponding to the attack signature, perform the computation on the attack signature and the attack signature of the corresponding alarmed message to obtain the similarity between the attack signature and the attack signature of the corresponding alarmed message.
Optionally, the second computing module 302 includes:
an acquisition submodule 3021 for obtaining the weight corresponding to each of the multiple attack signatures in the message to be alarmed, where the weights corresponding to all attack signatures sum to 100%;
a weighting submodule 3022 for weighting the similarity between each of the multiple attack signatures in the message to be alarmed and the attack signature of the corresponding alarmed message by the weight corresponding to that attack signature to obtain a weighted result, and taking the weighted result as the similarity between the message to be alarmed and the alarmed message.
Optionally, the multiple attack signatures in the message to be alarmed include the attack time, the traffic source IP address of the attack, the traffic destination IP address of the attack and the attack type;
the acquisition submodule 3021 is specifically configured to:
obtain the statistics of all alarmed messages in the preset time period, where the statistics of all alarmed messages include the total number of alarmed messages and the number of alarmed messages corresponding to each attack signature;
for each attack signature, if the number of alarmed messages corresponding to the same attack signature in the statistics of all alarmed messages, as a percentage of the total number of messages, is greater than a preset percentage, increase the weight corresponding to that attack signature and correspondingly reduce the weights corresponding to the remaining attack signatures other than that attack signature;
take the increased weight as the weight corresponding to that attack signature, and take the correspondingly reduced weights as the weights corresponding to the remaining attack signatures other than that attack signature.
Optionally, the multiple attack signatures in the message to be alarmed include the attack time, the traffic source IP address of the attack, the traffic destination IP address of the attack and the attack type;
the acquisition submodule 3021 is specifically configured to:
obtain the statistics of all alarmed messages in the preset time period, where the statistics of all alarmed messages include the number of alarmed messages occurring in each of multiple unit intervals into which the preset time period is evenly divided;
if the number of alarmed messages occurring in a unit interval is greater than a preset number, accumulate each unit interval in which the number of alarmed messages occurring is greater than the preset number to obtain a cumulative duration;
if the cumulative duration, as a percentage of the preset time period, is greater than a preset percentage, increase the weight corresponding to the attack time and correspondingly reduce the weights corresponding to the remaining attack signatures other than the attack time;
take the increased weight as the weight corresponding to the attack time, and take the correspondingly reduced weights as the weights corresponding to the remaining attack signatures other than the attack time.
Optionally, the preset similarity condition is that the similarity is greater than a similarity threshold, and the similarity threshold is obtained by a second acquisition module, which is configured to:
obtain the information of all warning messages counted within the preset time period, the information of all warning messages including the total number of warning messages;
if the total number of warning messages is higher than a first preset alarm quantity and not less than a second preset alarm quantity, reduce the similarity threshold and update the similarity threshold to the reduced similarity threshold, where the second preset alarm quantity is greater than the first preset alarm quantity;
if the total number of warning messages is higher than the first preset alarm quantity and less than the second preset alarm quantity, update the similarity threshold according to the total number of warning messages;
if the total number of warning messages is less than the first preset alarm quantity, increase the similarity threshold and update the similarity threshold to the increased similarity threshold.
Optionally, the second acquisition module is specifically configured to reduce the similarity threshold by a fixed number and update the similarity threshold to the similarity threshold reduced by the fixed number, and to increase the similarity threshold by a fixed number and update the similarity threshold to the similarity threshold increased by the fixed number.
Optionally, the device further includes:
a third acquisition module 303, configured to: after the determining module 202 determines the similarity between the pending warning message and the existing warning messages, if the similarity between the pending warning message and an existing warning message satisfies the preset similarity condition, obtain the existing warning message with the highest similarity to the pending warning message;
a second processing module 304, configured to obtain the manner in which the attack in that highest-similarity warning message was handled, and handle the attack in the pending warning message in that manner.
Corresponding to the method embodiment shown in Fig. 1, an embodiment of the present invention further provides an electronic device which, as shown in Fig. 4, includes a processor 401, a communication interface 402, a memory 403 and a communication bus 404, where the processor 401, the communication interface 402 and the memory 403 communicate with one another through the communication bus 404;
the memory 403 is configured to store a computer program;
the processor 401 is configured to implement the following steps when executing the program stored in the memory 403:
obtaining a pending warning message that needs to be alarmed for a network attack, where the pending warning message includes an attack signature of the network attack;
determining the similarity between the pending warning message and the existing warning messages on the basis of the similarity between the attack signature of the pending warning message and the attack signatures of the existing warning messages;
and when the similarity between the pending warning message and the existing warning messages does not satisfy a preset similarity condition, raising an alarm using the pending warning message.
An embodiment of the present invention provides a computer device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the bus; the memory is configured to store a computer program; and the processor is configured to execute the program stored in the memory so as to implement the steps of the network attack alarm method.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation it is drawn as a single thick line in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include a random access memory (RAM) and may also include a non-volatile memory (NVM), for example at least one magnetic disk storage. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) or the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The method provided in the embodiments of the present invention may be applied to an electronic device. Specifically, the electronic device may be a desktop computer, a portable computer, a smart mobile terminal, a server or the like. Without limitation, any electronic device capable of implementing the present invention falls within its scope of protection.
An embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the network attack alarm method.
An embodiment of the present invention provides a computer program product containing instructions which, when run on a computer, causes the computer to perform the steps of the network attack alarm method.
An embodiment of the present invention provides a computer program which, when run on a computer, causes the computer to perform the steps of the network attack alarm method.
Since the device, electronic device, computer-readable storage medium, computer program product containing instructions and computer program embodiments are substantially similar to the method embodiment, their description is relatively brief; for related details, refer to the corresponding parts of the description of the method embodiment.
It should be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner; for identical or similar parts between the embodiments, reference may be made to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the device, electronic device, computer-readable storage medium, computer program product containing instructions and computer program embodiments are substantially similar to the method embodiment, their description is relatively brief; for related details, refer to the corresponding parts of the description of the method embodiment.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention are included within the scope of protection of the present invention.
Claims (10)
1. A network attack alarm method, characterized in that it includes:
obtaining a pending warning message that needs to be alarmed for a network attack, where the pending warning message includes an attack signature of the network attack;
determining the similarity between the pending warning message and the existing warning messages on the basis of the similarity between the attack signature of the pending warning message and the attack signatures of the existing warning messages;
and when the similarity between the pending warning message and the existing warning messages does not satisfy a preset similarity condition, raising an alarm using the pending warning message.
2. The method according to claim 1, characterized in that the pending warning message includes a plurality of attack signatures of the network attack;
and determining the similarity between the pending warning message and the existing warning messages on the basis of the similarity between the attack signature of the pending warning message and the attack signatures of the existing warning messages includes:
for each attack signature among the plurality of attack signatures of the pending warning message, calculating the similarity between that attack signature and the corresponding attack signature of the existing warning message;
and calculating the similarity between the pending warning message and the existing warning message on the basis of the similarities between each of the attack signatures of the pending warning message and the corresponding attack signatures of the existing warning message.
3. The method according to claim 2, characterized in that
calculating the similarity between the attack signature and the corresponding attack signature of the existing warning message includes:
calculating, for each attack signature respectively, the similarity between that attack signature and the corresponding attack signature of the existing warning message;
and performing, according to a preset computing mode corresponding to that attack signature, a computation on the similarity between that attack signature and the corresponding attack signature of the existing warning message, to obtain the similarity between that attack signature and the corresponding attack signature of the existing warning message.
4. The method according to claim 2, characterized in that
calculating the similarity between the pending warning message and the existing warning message on the basis of the similarities between each of the attack signatures of the pending warning message and the corresponding attack signatures of the existing warning message includes:
obtaining the weight corresponding to each attack signature among the plurality of attack signatures of the pending warning message, where the weights corresponding to the individual attack signatures sum to 100%;
weighting the similarity between each attack signature of the pending warning message and the corresponding attack signature of the existing warning message by the weight corresponding to that attack signature, to obtain a weighted result;
and taking the weighted result as the similarity between the pending warning message and the existing warning message.
5. The method according to claim 4, characterized in that
the plurality of attack signatures of the pending warning message include: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type;
and obtaining the weight corresponding to each attack signature among the plurality of attack signatures of the pending warning message includes:
obtaining the information of all warning messages counted within the preset time period, the information of all warning messages including the total number of warning messages and the number of warning messages corresponding to each attack signature;
for each attack signature, if the number of warning messages corresponding to the same attack signature in the information of all warning messages, expressed as a percentage of the total number of warning messages, is greater than a preset percentage, increasing the weight corresponding to that attack signature and correspondingly reducing the weights corresponding to the remaining attack signatures other than that attack signature;
and taking the increased weight as the weight corresponding to that attack signature, and the correspondingly reduced weights as the weights corresponding to the remaining attack signatures other than that attack signature.
6. The method according to claim 4, characterized in that
the plurality of attack signatures of the pending warning message include: the attack time, the source IP address of the attack traffic, the destination IP address of the attack traffic and the attack type;
and obtaining the weight corresponding to each attack signature among the plurality of attack signatures of the pending warning message includes:
obtaining the information of all warning messages counted within the preset time period, the information of all warning messages including a plurality of unit time intervals into which the preset time period is evenly divided and the number of warning messages occurring in each unit time interval;
if the number of warning messages occurring in a unit time interval is greater than a preset number, accumulating the lengths of all unit time intervals in which the number of warning messages is greater than the preset number, to obtain a cumulative duration;
if the cumulative duration, expressed as a percentage of the preset time period, is greater than a preset percentage, increasing the weight corresponding to the attack time and correspondingly reducing the weights corresponding to the remaining attack signatures other than the attack time;
and taking the increased weight as the weight corresponding to the attack time, and the correspondingly reduced weights as the weights corresponding to the remaining attack signatures other than the attack time.
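The two weight-adjustment rules of the acquisition submodule 3021 in the device description above and of claims 5 and 6, worked through in Python as an added example; this is not code from the patent. The feature names, the dataclass fields, the proportional way the reduced weight is taken from the other attack signatures (the patent only says "correspondingly reduce") and every sample alarm are constructed assumptions. The claim 5 rule is applied here to the three value-based signatures and the claim 6 rule to the attack time, which is one reading of the two claims.

```python
"""Adapting per-attack-signature weights from alarm statistics (added example, not the patent's code).

Claim 5 rule: if the alarms sharing one value of a signature exceed a preset percentage of all
alarms in the window, raise that signature's weight and lower the others.
Claim 6 rule: split the window into equal unit intervals; if the intervals whose alarm count
exceeds a preset number add up to more than a preset percentage of the window, raise the
attack-time weight.  Feature names, redistribution rule and sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

FEATURES = ("attack_time", "src_ip", "dst_ip", "attack_type")


@dataclass(frozen=True)
class Alarm:
    attack_time: int    # seconds from the start of the statistics window (constructed)
    src_ip: str         # source IP address of the attack traffic
    dst_ip: str         # destination IP address of the attack traffic
    attack_type: str


def rebalance(weights, boosted, delta):
    """Add `delta` to the boosted signature and take the same amount from the others in
    proportion to their current weights, so the weights still sum to 1.0 (100%).
    Proportional redistribution is an assumption; the patent only says 'correspondingly reduce'."""
    others = [f for f in weights if f != boosted]
    other_total = sum(weights[f] for f in others)
    delta = min(delta, other_total)          # never drive another weight below zero
    new = dict(weights)
    new[boosted] = weights[boosted] + delta
    for f in others:
        new[f] = weights[f] - delta * weights[f] / other_total
    return new


def adjust_by_feature_concentration(alarms, weights, pct_threshold, delta):
    """Claim 5 applied to the value-based signatures: the largest group of alarms sharing a
    single value of the signature is compared, as a share of all alarms, with the preset percentage."""
    if not alarms:
        return dict(weights)
    total = len(alarms)
    new = dict(weights)
    for feature in ("src_ip", "dst_ip", "attack_type"):
        counts = Counter(getattr(a, feature) for a in alarms)
        _, largest = counts.most_common(1)[0]
        if largest / total > pct_threshold:
            new = rebalance(new, feature, delta)
    return new


def adjust_by_time_concentration(alarms, weights, period, n_units,
                                 count_threshold, pct_threshold, delta):
    """Claim 6: cumulative length of 'busy' unit intervals as a share of the whole window."""
    unit = period / n_units
    per_unit = [0] * n_units
    for a in alarms:
        idx = min(int(a.attack_time // unit), n_units - 1)   # clamp the window's last second
        per_unit[idx] += 1
    busy_duration = sum(unit for c in per_unit if c > count_threshold)
    if busy_duration / period > pct_threshold:
        return rebalance(weights, "attack_time", delta)
    return dict(weights)


# Constructed sample: 10 alarms in a 600 s window, 7 from one source, clustered in the first 200 s.
SAMPLE_ALARMS = [
    Alarm(5,   "10.0.0.5", "192.0.2.10", "port_scan"),
    Alarm(10,  "10.0.0.5", "192.0.2.11", "port_scan"),
    Alarm(20,  "10.0.0.5", "192.0.2.12", "brute_force"),
    Alarm(110, "10.0.0.5", "192.0.2.10", "port_scan"),
    Alarm(120, "10.0.0.5", "192.0.2.13", "brute_force"),
    Alarm(150, "10.0.0.5", "192.0.2.10", "port_scan"),
    Alarm(250, "10.0.0.5", "192.0.2.14", "sqli"),
    Alarm(350, "10.0.0.9", "192.0.2.10", "port_scan"),
    Alarm(450, "10.0.0.7", "192.0.2.15", "brute_force"),
    Alarm(550, "10.0.0.8", "192.0.2.16", "sqli"),
]


def example_weights():
    """Start from equal weights (25% each) and apply both adjustment rules to the sample."""
    weights = {f: 0.25 for f in FEATURES}
    weights = adjust_by_feature_concentration(SAMPLE_ALARMS, weights, pct_threshold=0.5, delta=0.1)
    weights = adjust_by_time_concentration(SAMPLE_ALARMS, weights, period=600, n_units=6,
                                           count_threshold=2, pct_threshold=0.3, delta=0.1)
    return weights


if __name__ == "__main__":
    for name, w in example_weights().items():
        print(f"{name:12s} {w:.3f}")
```

On the sample, the source IP 10.0.0.5 accounts for 70% of alarms (above the 50% preset), so its weight rises to 0.35 and the other three drop to about 0.217 each; then two of the six 100 s intervals hold more than two alarms, 200 s out of 600 s is above the 30% preset, and the attack-time weight rises in turn. The weights sum to 1.0 after every step, as claim 4 requires.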
7. The method according to claim 1, characterized in that
the preset similarity condition is that the similarity is greater than a similarity threshold, and the similarity threshold is obtained by the following steps:
obtaining the information of all warning messages counted within a preset time period, the information of all warning messages including the total number of warning messages;
if the total number of warning messages is higher than a first preset alarm quantity and not less than a second preset alarm quantity, reducing the similarity threshold and updating the similarity threshold to the reduced similarity threshold, where the second preset alarm quantity is greater than the first preset alarm quantity;
if the total number of warning messages is higher than the first preset alarm quantity and less than the second preset alarm quantity, updating the similarity threshold according to the total number of warning messages;
and if the total number of warning messages is less than the first preset alarm quantity, increasing the similarity threshold and updating the similarity threshold to the increased similarity threshold.
8. The method according to claim 7, characterized in that reducing the similarity threshold and updating the similarity threshold to the reduced similarity threshold includes:
reducing the similarity threshold by a fixed number and updating the similarity threshold to the similarity threshold reduced by the fixed number;
and increasing the similarity threshold and updating the similarity threshold to the increased similarity threshold includes:
increasing the similarity threshold by a fixed number and updating the similarity threshold to the similarity threshold increased by the fixed number.
9. The method according to any one of claims 1 to 8, characterized in that
after determining the similarity between the pending warning message and the existing warning messages, the method further includes:
if the similarity between the pending warning message and an existing warning message satisfies the preset similarity condition, obtaining, among the existing warning messages, the warning message with the highest similarity to the pending warning message;
and obtaining the manner in which the attack in that highest-similarity warning message was handled, and handling the attack in the pending warning message in that manner.
10. A network attack alarm device, characterized in that it includes:
a first acquisition module, configured to obtain a pending warning message that needs to be alarmed for a network attack, where the pending warning message includes an attack signature of the network attack;
a determining module, configured to determine the similarity between the pending warning message and the existing warning messages on the basis of the similarity between the attack signature of the pending warning message and the attack signatures of the existing warning messages;
and a first processing module, configured to raise an alarm using the pending warning message when the similarity between the pending warning message and the existing warning messages does not satisfy a preset similarity condition.
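The similarity determination of claims 1 to 4, the volume-adapted threshold of claims 7 and 8 (the second acquisition module in the device description above) and the handling-mode reuse of claim 9 (the third acquisition module 303 and second processing module 304), worked through end to end as an added example that is not part of the patent. The per-signature similarity functions, the 300 s time window, the handling strings, the equal starting weights and the sample alarms are all constructed assumptions; the patent only states that each attack signature has its own preset computing mode, that the weights sum to 100%, and the threshold rules reproduced in `update_threshold`.

```python
"""Weighted alarm similarity, adaptive threshold and handling-mode reuse (added example).

Not the patent's code.  Per-signature similarity measures, the time window, handling strings
and all sample alarms are constructed assumptions.
"""
from dataclasses import dataclass

TIME_WINDOW = 300  # seconds beyond which two attack times count as unrelated (assumption)


@dataclass(frozen=True)
class Alarm:
    attack_time: int
    src_ip: str
    dst_ip: str
    attack_type: str
    handling: str = ""  # how the attack behind an existing warning message was handled (constructed)


def ip_similarity(a, b):
    """Share of leading dotted-quad octets the two addresses have in common (assumption)."""
    shared = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        shared += 1
    return shared / 4


def time_similarity(t1, t2, window=TIME_WINDOW):
    """1.0 for identical times, falling linearly to 0.0 at `window` seconds apart."""
    return max(0.0, 1.0 - abs(t1 - t2) / window)


def feature_similarities(pending, existing):
    """Claims 2 and 3: one similarity per attack signature, each with its own computing mode."""
    return {
        "attack_time": time_similarity(pending.attack_time, existing.attack_time),
        "src_ip": ip_similarity(pending.src_ip, existing.src_ip),
        "dst_ip": ip_similarity(pending.dst_ip, existing.dst_ip),
        "attack_type": 1.0 if pending.attack_type == existing.attack_type else 0.0,
    }


def weighted_similarity(pending, existing, weights):
    """Claim 4: the weights sum to 1.0, so the weighted result stays within [0, 1]."""
    sims = feature_similarities(pending, existing)
    return sum(weights[f] * sims[f] for f in weights)


def update_threshold(threshold, total_alarms, first_qty, second_qty, step):
    """Claims 7 and 8 (second_qty > first_qty): lower the threshold by a fixed step under heavy
    alarm volume so more messages merge; raise it under light volume.  The patent's wording for
    the band between the two quantities is unclear, so the threshold is left unchanged there
    (assumption); a total exactly equal to first_qty is unspecified and also left unchanged.
    Clamping to [0, 1] is an added safeguard, not from the patent."""
    if total_alarms > first_qty and total_alarms >= second_qty:
        threshold -= step
    elif total_alarms < first_qty:
        threshold += step
    return min(1.0, max(0.0, threshold))


def decide(pending, existing_alarms, weights, threshold):
    """Claims 1 and 9.  Returns ('alarm', None, best_sim) when no existing warning message is
    similar above the threshold, else ('reuse', handling_of_most_similar, best_sim)."""
    best, best_sim = None, -1.0
    for old in existing_alarms:
        s = weighted_similarity(pending, old, weights)
        if s > best_sim:
            best, best_sim = old, s
    if best is None or best_sim <= threshold:
        return "alarm", None, best_sim
    return "reuse", best.handling, best_sim


EQUAL_WEIGHTS = {"attack_time": 0.25, "src_ip": 0.25, "dst_ip": 0.25, "attack_type": 0.25}

# Constructed sample data: two existing warning messages and two pending ones.
EXISTING_ALARMS = [
    Alarm(100, "10.0.0.5", "192.0.2.10", "port_scan", "source blocked at perimeter firewall"),
    Alarm(4000, "172.16.3.9", "192.0.2.20", "sqli", "WAF rule deployed"),
]
PENDING_SIMILAR = Alarm(160, "10.0.0.5", "192.0.2.11", "port_scan")
PENDING_DISTINCT = Alarm(4100, "203.0.113.7", "192.0.2.30", "brute_force")


if __name__ == "__main__":
    print(decide(PENDING_SIMILAR, EXISTING_ALARMS, EQUAL_WEIGHTS, 0.8))
    print(decide(PENDING_DISTINCT, EXISTING_ALARMS, EQUAL_WEIGHTS, 0.8))
    print(update_threshold(0.8, total_alarms=500, first_qty=100, second_qty=400, step=0.05))
```

`PENDING_SIMILAR` scores 0.8875 against the first existing message (60 s apart, same source, same /24 destination, same type), so with a threshold of 0.8 it is merged and the earlier handling is reused; raise the threshold to 0.9, as `update_threshold` would under light alarm volume, and the same message is alarmed afresh. `PENDING_DISTINCT` scores at most 0.354 and is always alarmed.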
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710905355.9A CN107819606A (en) | 2017-09-29 | 2017-09-29 | Network attack alarm method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107819606A true CN107819606A (en) | 2018-03-20 |
Family ID: 61607196
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710905355.9A Pending CN107819606A (en) | 2017-09-29 | 2017-09-29 | Network attack alarm method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107819606A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109088775A (en) * | 2018-08-29 | 2018-12-25 | 阿里巴巴集团控股有限公司 | abnormality monitoring method, device and server |
CN109688099A (en) * | 2018-09-07 | 2019-04-26 | 平安科技(深圳)有限公司 | Server end hits library recognition methods, device, equipment and readable storage medium storing program for executing |
CN110601894A (en) * | 2019-09-18 | 2019-12-20 | 中国工商银行股份有限公司 | Alarm processing method and device, electronic equipment and readable storage medium |
CN111210827A (en) * | 2020-04-20 | 2020-05-29 | 成都派沃特科技股份有限公司 | Method and device for responding to alarm, electronic equipment and readable storage medium |
CN115378791A (en) * | 2022-08-22 | 2022-11-22 | 平安银行股份有限公司 | Data management method, device, storage medium and electronic equipment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101465041A (en) * | 2007-12-21 | 2009-06-24 | 上海申瑞电力科技股份有限公司 | Method for automatically shielding frequent alarm |
CN101741847A (en) * | 2009-12-22 | 2010-06-16 | 北京锐安科技有限公司 | Detecting method of DDOS (distributed denial of service) attacks |
CN103441982A (en) * | 2013-06-24 | 2013-12-11 | 杭州师范大学 | Intrusion alarm analyzing method based on relative entropy |
CN105117322A (en) * | 2015-08-28 | 2015-12-02 | 国网浙江省电力公司 | Redundancy removal method based on multisource alarm log security incident feature analysis |
CN105550714A (en) * | 2015-12-30 | 2016-05-04 | 国家电网公司 | Cluster fusion method for warning information in heterogeneous network environment |
CN106411617A (en) * | 2016-11-29 | 2017-02-15 | 国网山西省电力公司忻州供电公司 | Power communication network fault warning correlation processing method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20180320 |