CN109040130A - Mainframe network behavior pattern measure based on attributed relational graph - Google Patents


Info

Publication number
CN109040130A
Authority
CN
China
Prior art keywords
host
mainframe network
relational graph
network behavior
behavior pattern
Prior art date
Legal status
Granted
Application number
CN201811105929.5A
Other languages
Chinese (zh)
Other versions
CN109040130B (en)
Inventor
叶晓鸣
杨力
Current Assignee
Chengdu Liming Information Technology Co Ltd
Original Assignee
Chengdu Liming Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Chengdu Liming Information Technology Co Ltd
Priority to CN201811105929.5A
Publication of CN109040130A
Application granted
Publication of CN109040130B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for measuring host network behavior patterns based on an attributed relational graph. The technical solution consists of four key steps: collection of network traffic, formal characterization of the host network behavior pattern, detection of abnormal host network behavior, and anomaly determination. The designed solution addresses two problems of traditional anomaly-detection methods, namely that training data is hard to obtain and that the anomaly-detection system adapts poorly to behavior. It can effectively meet the security-protection needs of hosts that face novel threats and a steady stream of unknown anomalies and attacks, and reduces the losses that targeted attacks cause to enterprises and institutions.

Description

Method for measuring host network behavior patterns based on an attributed relational graph
Technical field
The present invention relates to the description of server behavior patterns and to anomaly detection, and in particular to a method for measuring host network behavior patterns based on an attributed relational graph.
Background technique
Servers are the main carriers of an enterprise's or institution's important network hardware resources; network applications and data resources are all stored on server hosts. With the growth of network applications, the diversification of service types and the sharp increase in the number of users, a series of security problems inevitably arises. Research on host-level security detection mostly draws its data from host system audit logs, system-call sequences, and change information about memory and files, and distinguishes normal from illegitimate behavior on the host by analyzing the system's audit data. The advantage of this line of work is that some system activities, such as access to sensitive files, directories, programs or ports, are easy to monitor, whereas these behaviors are hard to find in network traffic data. Take the targeted attacks that currently receive the most attention as an example of abnormal behavior: the intruder's ultimate goal is data theft, but the early stages of the intrusion are hard to discover. Once an attacker has obtained a user's privileges on the host, the data-leakage behavior causes no change to internal system activity such as files, memory or programs; only when data is transmitted outward does the network communication behavior change. Therefore, attention to changes in the individual behavior of a host is the best opportunity to detect data leakage, and a crucial step in reducing the damage that targeted attacks cause to enterprises and institutions.
In large-scale network architectures, a large number of network-security defense devices is usually deployed to harden host security layer by layer. These devices generate large volumes of alerts every day and every minute, which requires many professional security analysts to analyze, triage and confirm the alerts; for the security analysis of a particular host in particular, information is hard to gather, voluminous and difficult to analyze. In a continuously changing network system, a server has a large amount of network communication with the outside world, which makes the individual behavior profile within the network hard to characterize.
In summary, the shortcomings of server-oriented security monitoring are mainly the following two:
(1) Analysis of existing research results shows that, in large network environments, it is difficult to collect and analyze the diverse host security logs. One of the main reasons is that deploying software agents on the servers is complex and laborious work that inevitably incurs high cost; in addition, inconsistent host software and hardware versions cause problems with data collection, data interfaces and access-control rights. Beyond the high cost, this also reduces host performance and increases the complexity of security management, all of which brings more risk to the security management of enterprises and institutions;
(2) Existing approaches are insensitive to changes in the network traffic of an individual host: they generally pay no attention to increases or decreases in an individual host's network traffic or to changes in its individual behavior model, so the behavior of the individual host cannot be analyzed and detected. As a result, analyzing the security of individual servers from network traffic data has not received widespread attention.
Understanding the individual behavior characteristics of hosts is an important prerequisite for much research work, such as network security defense; measurement and analysis provide authentic and valid data for understanding those characteristics. The measurement and analysis of host individual behavior are therefore the basis for studying it. This requires grasping the essential characteristics of host network behavior, discovering the basic laws by which individual behavior changes, and constructing a mathematical model of host individual behavior. Research on host individual behavior within enterprises and institutions makes it possible to assess a host's network behavior accurately, which is of great significance for server network security control.
Summary of the invention
The purpose of the present invention is to provide a method for measuring host network behavior patterns based on an attributed relational graph, solving the problem that the prior art is hard pressed to cope with novel threats and unknown anomalies and cannot adapt to the security-protection needs of complex network environments in which attacks emerge one after another.
To achieve the above object, the technical solution adopted by the invention is as follows:
A method for measuring host network behavior patterns based on an attributed relational graph, comprising the following steps:
(1) collecting host network traffic data;
(2) building an attributed relational graph for the host, the attributed relational graph comprising several columns of feature information arranged in any order, each distinct value of a column's feature being one node;
(3) establishing connections between the nodes of adjacent feature columns according to the network connections between hosts; nodes of non-adjacent columns cannot be connected, so that all of the host's network traffic data is represented in the attributed relational graph;
(4) at the end of each time window, extracting feature values from the nodes and features of the attributed relational graph, and representing the host network behavior pattern of a fixed time window as a baseline feature-vector matrix with multidimensional feature values;
(5) calculating the host network behavior deviation-degree values for the fixed time window and excluding outliers, forming the deviation degree of the host network behavior;
(6) obtaining the central tendency of the deviation degree of each host's network behavior pattern and setting the deviation-degree threshold of the time window;
(7) according to the network traffic data, computing the multidimensional feature values of the host network behavior pattern for the fixed time window at detection time, and aggregating them to the host level to form the detection feature-vector matrix;
(8) calculating the current network behavior deviation-degree value of each monitored host for the fixed time window at detection time;
(9) according to the deviation-degree threshold of the time window set in step (6), determining whether the deviation-degree value calculated in step (8) lies within the threshold, and thereby determining whether the host state is abnormal.
Specifically, in step (1), the host network traffic data is collected as follows: the host network traffic data is forwarded through a port-mirroring router to the server on which host anomaly-behavior detection is deployed.
Further, the attributed relational graph comprises seven independent columns of feature information, arranged in the following order: server IP address, protocol number, server port number, remote port number, remote IP address, byte count, time type.
Still further, in step (3), host network connections are distinguished, according to the communication pattern of the server in the actual scenario, into two kinds: actively initiated connections and passive responses.
Further, in step (2), the protocol number and server port number are 6 and 80 respectively; the byte count is divided into three nodes, 0, 3 and 5; the time type is divided into two nodes, 0 and 1.
In step (4), when the byte count is extracted as a feature value, the continuous-valued byte count must be discretized to reduce the number of distinct data values.
Preferably, the discretization uses a binning method, specifically: the byte count is divided into 12 bins, bin1 to bin12; the byte count of a packet in bin k lies in (2^(k-1), 2^k], where k is the index of the bin; the byte count of each packet in bin12 lies in (2^10, ∞).
Still further, the present invention calculates the host network behavior deviation-degree value using the following formula:
In the formula, the first term denotes the history suspicion degree, namely the feature-vector space distance between the host's individual behavior profile at detection time and the historical behavior baseline, where Mean_his denotes the mean of the host's individual historical behavior baseline, IP_j denotes the j-th host and Td denotes the detection time; log(count_blk) denotes the victim suspicion degree, namely the number of hosts that communicate remotely with the server at detection time and appear in the IP blacklist, where count_blk denotes the number of IP addresses that are on the blacklist; α and β are weights, and α+β=1.
Preferably, in step (5), outliers are excluded according to the Grubbs test.
The main design principle of the invention starts from constructing the measurement of the individual behavior model by feature quantification of the attributed relational graph. The normal host behavior of a fixed time window is represented as a baseline feature-vector matrix with multidimensional feature values; the traffic data of the fixed time window at detection time is aggregated to each host to form the detection feature-vector matrix; the degree to which each host's current network-traffic feature vector deviates in feature-vector space from that of its normal network traffic is then quantified by the moving distance in feature-vector space; finally, whether the host state is normal is judged from the magnitude of the deviation-degree value.
Compared with the prior art, the invention has the following advantages:
The present invention innovatively introduces the concept of the attributed relational graph, constructs a host network behavior pattern based on the attributed relational graph from network traffic, and applies a detection means based on the individual-behavior deviation degree of movement in feature-vector space: the moving distance in feature-vector space quantifies the deviation degree between each host's current network-traffic feature vector and that of its normal network traffic, and abnormal network behavior detection is performed on the host. This not only makes full use of network traffic data to analyze the security of the individual host, but also provides a more comprehensive analytical view. Because the feature vector formed by the multidimensional feature values of a host's normal network behavior pattern exhibits temporally stable characteristics (including the similarity of individual behavior across hosts at the same point in time, the time-series characteristic of individual behavior across different time scales, and the similarity of individual behavior across hosts at the same point in time on different time scales), when the moving distance in feature-vector space deviates substantially from the baseline of the normal network behavior pattern, it can be predicted that an abnormal network security event has occurred on the host, such as probing, scanning, malware injection, failure of a running service, or a network configuration error.
In addition, when calculating the deviation degree between the host network behavior at detection time and the baseline of host network behavior at normal times, the present invention considers not only the spatial distance by which the behavior pattern has moved relative to the historical-time feature vector, but also the number of users accessing the server that appear in the IP blacklist, and adds the weights α and β, so that the calculation of the deviation degree is more rigorous and comprehensive.
It should be said that, by analyzing the dynamic rules of the host network behavior pattern feature vector, the present invention accurately captures the normal individual behavior profile of host network behavior in a given time window, and at the same time performs behavior analysis on the network traffic aggregated to the host, so that the state of the host can be grasped accurately and its security protection is increased. Thus, by adopting the scheme designed by the present invention, the security-protection problem of hosts facing novel threats and a steady stream of unknown anomalies and attacks can be addressed effectively, and the losses that targeted attacks cause to enterprises and institutions are well reduced.
Detailed description of the invention
Fig. 1 is a flow diagram of the invention.
Fig. 2 is the system architecture diagram of the implementation to which the invention is applied.
Fig. 3 is the attributed relational graph of a host in the present invention.
Fig. 4 is a schematic diagram of the cosine similarity of individual-behavior feature vectors for the same time window in the embodiment of the present invention.
Fig. 5 is a schematic diagram of the cosine similarity of individual-behavior feature vectors for the same time window on different time scales in the embodiment of the present invention.
Fig. 6 is a schematic diagram of the data distribution of the deviation degree of host network behavior patterns in the embodiment of the present invention.
Fig. 7 is a box plot of the abnormal deviation degree of host network behavior patterns in the embodiment of the present invention.
Fig. 8 is a schematic diagram of the deviation degree of abnormal host network behavior patterns in the embodiment of the present invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings and an embodiment; the modes of the invention include but are not limited to the following embodiment.
Current detection methods for host anomaly features first collect samples of known attacks and anomalies, label the abnormal and normal samples, and form a training data set before the corresponding anomalies can be detected. Meanwhile, as attack techniques are continuously updated, attack means show diversity, complexity and concealment, and network attacks attempt to evade detection by the original security policy. Existing detection methods based on host anomaly features are therefore hard pressed to cope with novel threats and unknown anomalies and cannot adapt to the security-protection needs of complex network environments in which attacks emerge one after another. For this purpose, the present invention provides a method for measuring host network behavior patterns based on an attributed relational graph: a host network behavior pattern based on the attributed relational graph is constructed from network traffic, and the host's abnormal condition is judged by comparing the dynamic moving distance in feature-vector space between the current multidimensional feature values and the normal behavior pattern baseline. The present invention is mainly aimed at anomaly detection for the important hosts of enterprises and institutions; the detailed process is as follows (as shown in Fig. 1):
First, the network traffic data of the enterprise's or institution's critical hosts is collected. In this embodiment, the network traffic of the host resources is forwarded through a port-mirroring router to the server on which host anomaly-behavior detection is deployed; the system architecture is shown in Fig. 2. Because the main embodiment of the present invention consists of multidimensional feature extraction and deviation-degree calculation, the multidimensional feature values of the server traffic are first aggregated and reduced in dimensionality in units of time windows, the behavior pattern baseline is learned dynamically from the stored historical data, and after the normal system parameters have been obtained, the system performs the modeling and anomaly detection of the host network behavior pattern.
After the network traffic data has been collected, the host network behavior pattern must be formally characterized, specifically:
1. An attributed relational graph is built for the host; the attributed relational graph contains several columns of feature information arranged in any order, and each distinct value of a column's feature is one node. In this embodiment, the constructed attributed relational graph contains seven independent columns of feature information, arranged in the order: server IP address, protocol number, server port number, remote port number, remote IP address, byte count, time type. The column information of the attributed relational graph with seven columns of feature information is shown in Table 1 below:
Table 1
The attributed relational graph was originally a description method for explaining different types of application-layer behavior patterns; it mainly describes the network connection patterns between one host and other hosts. This embodiment uses a 7-tuple, namely {server IP address, protocol number, server port number, remote port number, remote IP address, byte count, time type}, which can visually describe the various transport-layer applications of a server (FTP, P2P, mail, Web and DNS servers) as well as network attacks. The attributed relational graph of a host is shown in Fig. 3; in this embodiment, the protocol number and server port number are 6 and 80 respectively, the byte count is divided into three nodes 0, 3 and 5, and the time type is divided into two nodes 0 and 1. The host opens port 80 to provide a service, and other user hosts can communicate with the host's IP address: a user host initiates a network connection and requests the network service on port 80, and during the communication it uses multiple source port numbers to communicate with port 80 of the host.
In addition, it must be noted that the host network behavior profile attributes proposed in host research have been relatively single and limited: there may only be flow attributes (such as bytes sent, packets received, packets sent, bytes received, duration) and host connections (the number of flows connected to the host), while the quantification of attribute relations with a certain port at the application layer (number of connections, the relationship between host port and remote port) is seldom involved. Therefore, the invention introduces the attributed relational graph to analyze the joint attribute relations of host individual behavior and proposes a feature-quantification method for the 7-column attributed relational graph, in which the fifth column, the destination address (remote IP address), is key.
2. Edges are established between the nodes of adjacent feature columns according to the host network connections, so that all of the host's network traffic data is represented in the attributed relational graph. The present invention extends the attributed relational graph method with host-level attributes: the number of columns in the relational graph is determined by the number of tuple elements used, each tuple element occupies one column of the graph, connection relations exist between the nodes of adjacent columns, and no connection relation exists between the nodes of non-adjacent columns. In addition, to quantify the relations between tuple elements, the present invention defines the in-degree (out-degree) of a node in each column as the number of nodes to its left (right), in order to characterize the host's network behavior.
3. At the end of each time window, feature values are extracted from the nodes and features of the attributed relational graph to construct the host's normal network behavior pattern profile, and the host network behavior pattern of the fixed time window is represented as a baseline feature-vector matrix with multidimensional feature values. It should be noted that in the present invention the number and order of the features are variable; with a different number and order of features the extracted features differ, but they can still be expressed as a baseline feature-vector matrix with multidimensional feature values, and the execution of the subsequent steps does not change. This embodiment extracts feature values by the feature-quantification method for the 7-column attributed relational graph to form the baseline feature-vector matrix with multidimensional feature values.
The present invention extracts the feature values of the host network behavior pattern uniformly at the end of each time window. The data of the fixed time window T is aggregated to the host level, and feature statistics are computed with the host as the object of study. This is done, on the one hand, to describe the host with as much information as possible and, on the other hand, to keep the feature space as small as possible for algorithmic processing and interpretation; the feature set also needs data preprocessing, reduction and feature dimensionality reduction. By aggregating flows to the host level, the flow-based features are expanded on the basis of the 9 original attributes of network flow data using the attributed relational graph feature-measurement method, giving 33 network flow features and 70 attribute features each for server-side and client behavior; some of the features are shown in Table 2 below.
Table 2
In addition, the invention introduces the attribute quantification attribute, which is extracted as a feature from the attributed relational graph (as shown in Table 3). Among these, in order to use the byte count as a feature, the continuous-valued byte count must be discretized to reduce the number of distinct data values. The discretization method in this embodiment is binning: the byte count is divided into 12 bins, bin1 to bin12. The bin boundaries are derived from the maximum transmission unit (MTU), where the maximum segment size MSS = MTU - IP header length (20 bytes) - TCP header length (20 bytes). Starting from the first bin, bin1, the byte count of each packet in bin k lies in (2^(k-1), 2^k], where k is the index of the bin; the byte count of each packet in the last bin, bin12, lies in (2^10, ∞).
Table 3
The present invention distinguishes host network connections, according to the communication pattern of the server in the actual scenario, into two cases: actively initiated connections and passive responses (as described in Table 4), and, in order to characterize the host's individual behavior, also adds the byte count.
Table 4
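The following Python is an added worked example, not code from the patent or its assignee: it builds the seven-column attributed relational graph of steps (2) and (3) from constructed flow records, applies the byte-count binning of Table 3, quantifies one time window into a feature vector as in step (4), and includes the cosine similarity used in the stability experiments that follow. The feature names, the meaning of time type 0, the sample flows, and the choice to start bin12 just above bin11 are assumptions of mine.

```python
"""Seven-column attributed relational graph for one host and one time window."""
import math

# Column order from the embodiment: server IP, protocol number, server port,
# remote port, remote IP, byte count (binned), time type.
COLUMNS = ("server_ip", "proto", "server_port", "remote_port",
           "remote_ip", "byte_bin", "time_type")


def byte_bin(nbytes):
    """Bin k covers (2^(k-1), 2^k] for k = 1..11; bin 12 is the open-ended tail.
    Assumption: counts of 0 or 1 byte fold into bin 1, and the tail starts just
    above bin 11 (the patent text prints its lower bound as 2^10)."""
    if nbytes <= 1:
        return 1
    # (n-1).bit_length() is the exact integer form of ceil(log2(n)).
    return min(12, (nbytes - 1).bit_length())


def flow_row(flow):
    """Map one flow record (a constructed dict) onto the 7-tuple of column values."""
    return (flow["server_ip"], flow["proto"], flow["server_port"],
            flow["remote_port"], flow["remote_ip"], byte_bin(flow["bytes"]),
            flow["time_type"])


def build_graph(flows):
    """nodes[c]: distinct values seen in column c.
    edges[c]: links between column c and column c+1 only (step 3: nodes of
    non-adjacent columns are never connected)."""
    nodes = [set() for _ in COLUMNS]
    edges = [set() for _ in range(len(COLUMNS) - 1)]
    for flow in flows:
        row = flow_row(flow)
        for c, value in enumerate(row):
            nodes[c].add(value)
            if c + 1 < len(row):
                edges[c].add((value, row[c + 1]))
    return nodes, edges


def node_degrees(edges, column, value):
    """In-degree = distinct neighbours in the column to the left,
    out-degree = distinct neighbours in the column to the right."""
    in_deg = 0
    if column > 0:
        in_deg = sum(1 for left, right in edges[column - 1] if right == value)
    out_deg = 0
    if column < len(edges):
        out_deg = sum(1 for left, right in edges[column] if left == value)
    return in_deg, out_deg


def window_features(flows):
    """Quantify the graph of one time window into a flat feature vector:
    node count per column, max in/out-degree per column, edge count per
    adjacent column pair, and the number of flows (feature names are mine)."""
    nodes, edges = build_graph(flows)
    feats = {"flows": len(flows)}
    for c, name in enumerate(COLUMNS):
        degs = [node_degrees(edges, c, v) for v in nodes[c]]
        feats[f"nodes_{name}"] = len(nodes[c])
        feats[f"max_in_{name}"] = max((d[0] for d in degs), default=0)
        feats[f"max_out_{name}"] = max((d[1] for d in degs), default=0)
    for c, pair in enumerate(edges):
        feats[f"edges_{COLUMNS[c]}_{COLUMNS[c + 1]}"] = len(pair)
    return feats


def cosine_similarity(a, b):
    """Cosine similarity of two feature dicts (the measure of the stability
    experiments); keys missing on one side count as zero."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in keys)
    norm_a = math.sqrt(sum(a.get(k, 0) ** 2 for k in keys))
    norm_b = math.sqrt(sum(b.get(k, 0) ** 2 for k in keys))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


# Constructed sample: a web server (TCP/80, working hours = time type 0)
# answering six requests from three clients in one 5-minute window.
WINDOW_A = [
    {"server_ip": "10.0.0.5", "proto": 6, "server_port": 80,
     "remote_port": 51000 + i, "remote_ip": f"192.0.2.{i % 3}",
     "bytes": 300 * (i + 1), "time_type": 0}
    for i in range(6)
]
# A second constructed window of the same shape with one extra client.
WINDOW_B = WINDOW_A + [
    {"server_ip": "10.0.0.5", "proto": 6, "server_port": 80,
     "remote_port": 51006, "remote_ip": "192.0.2.3",
     "bytes": 450, "time_type": 0}
]

if __name__ == "__main__":
    fa, fb = window_features(WINDOW_A), window_features(WINDOW_B)
    print(fa)
    print("similarity A/B:", round(cosine_similarity(fa, fb), 4))
```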
After carrying out formalization characterization to mainframe network behavior pattern, need based on the normal of set time window calculation host Network behavior deviates angle value, and excluding outlier (according to Grubbs test method), forms the irrelevance of mainframe network behavior pattern.
The feature vector of proper network behavior pattern is the multidimensional characteristic updated with server real network changes in flow rate Value can show the stable characteristic of timing, and confirmatory experiment designed by the present invention is as follows:
(1) the mutually stability characteristic (quality) of different mainframe network behavior patterns of same time window in the same time
Multiple host same time, the individual behavior feature vector of same time window have been randomly selected in experiment, have been calculated Cosine similarity.6 hosts are randomly choosed in this experiment, time window is 5 minutes, and data are features proposed by the present invention Collection, randomly selects the very data of the morning on 19 day working day nine points five, calculates similarity two-by-two, obtains amounting to 171 (19*18/ 2) cosine similarity value.The experimental results showed that every host is similar in the behavior pattern of same time, same time window, data There is stability as the result is shown, as shown in figure 4, its similarity value is all higher than 0.994.
(2) the mutually stability characteristic (quality) of every mainframe network behavior pattern of time windows mouth in the same time
Time window has been randomly choosed in experiment to have selected respectively 60 minutes, 30 minutes, 10 minutes, 5 minutes and 1 minute, The similarity that statistics randomly selects 6 hosts is average, vertically randomly selects the very data of the morning on 17 day working day nine points five, and two Two calculate similarity, obtain amounting to 136 cosine similarity values.As shown in figure 5, the similarity value of each time window is all higher than The similarity of 0.994,10 minutes window is minimum, remaining 60 minutes, 1 minute, 5 minutes similarities be all higher than 0.999.It is real It tests the result shows that each host in same time, the multidimensional characteristic value of the behavior pattern of same time window is similar, data There is stability as the result is shown.
The above experiments show that, for different time windows and different hosts, the multidimensional feature values of the host network behavior pattern all exhibit very high similarity, so this temporally stable characteristic can be used to compute the deviation of the host network behavior pattern. Analysis of real data shows that servers provide services such as Web, mail and information management; considering the social, functional and application characteristics of a server and the fixed service usage habits of users within enterprises and institutions, the behavior tends toward a stable state over the long term, and the host network behavior pattern does not change abruptly.
After the host network behavior pattern of a fixed time window has been represented as a baseline feature vector matrix of multidimensional feature values, the central tendency of the deviation degree of the host network behavior pattern is obtained and the deviation threshold of the time window is set. Then, from the network flow data, the multidimensional feature values of the host network behavior pattern for the fixed time window at detection time are computed and aggregated to the host layer, forming the detection feature vector matrix.
Next, the current network behavior deviation value of every monitored host is computed for the fixed time window at detection time. Finally, according to the deviation threshold of the set time window (in practical applications the threshold can be updated dynamically and iteratively), it is determined whether the computed current behavior deviation value lies within the threshold, that is, whether the host state is abnormal. In other words, when the host network behavior profile at detection time is close or equal to the historical network behavior profile, the host is considered normal, and vice versa.
In the above calculation of the deviation degree, in addition to the distance by which the host network behavior pattern moves in feature space relative to the historical feature vector, the invention also considers a quantified suspiciousness index: the more of the users accessing the server that appear in blacklists, the higher the probability that malware has been implanted or that malicious behavior occurs.
The definition of the suspiciousness degree is explained in detail below.
Definition 1: historical suspiciousness S1, i.e. the distance in feature space between the feature vector of the host's individual behavior profile at detection time and the historical behavior baseline.
It quantifies the movement of the host's position in feature vector space relative to its own historical individual behavior profile. At detection time, for every monitored host, the distance between its individual behavior and the center of the historical behavior feature space is computed, and from the movement of the host feature vector in feature space it is identified whether its position is abnormal.
Because users access network resources with fixed habits and regularities, the servers of a data center can provide relatively stable application services externally. Therefore, over the temporal evolution of the network behavior profile, a stable network communication mode is exhibited. At the same time, considering that the mean measures the trend of data, the mean of each historical data point within the time period is taken as the reference point of the feature vector (note: time points labeled abnormal are filtered out when extracting historical time-point features; the same applies below), and the relative displacement of the current feature vector is computed as the suspiciousness value, with the mathematical calculation shown in formula (1):
In the formula, Mean_his denotes the mean of the host's individual historical behavior baseline, IP_j denotes the j-th host, and Td denotes the detection time.
Definition 2: victim suspiciousness S2, i.e. the number of hosts in IP blacklists among the hosts that communicate remotely with the server at detection time; in the present embodiment it is obtained by analyzing information such as malicious domain names and IP blacklists.
It quantifies the possibility that the server host becomes a victim host: using published blacklists, the number of remote host IP addresses in the communication that appear in the blacklists is counted.
Currently, many organizations and companies publish blacklists of IP addresses and domain names, and restricting access by blacklisted IPs to important network facilities according to this information is also an effective security protection measure. Searching for which hosts have accessed malicious domain names or IP addresses not only helps to quickly locate botnet controllers and victim hosts, but also reduces the impact caused by botnets. Therefore, the more blacklist entries appear in the individual behavior of a server host, the higher its suspiciousness. The present invention takes the data published by the University of Science and Technology of China, Northeastern University and a German free blacklist library as its basis and counts whether the IPs interacting with the monitored host in the corresponding period belong to public blacklists; the more blacklisted IPs interact with the host, the higher the probability that it is infected with malware and has become a victim host through attack, with the mathematical calculation shown in formula (2):
s2 = log(count_blk)    (2)
In the formula, count_blk denotes the number of IP addresses that appear in the blacklists.
Definition 3: individual behavior suspiciousness score, i.e. the accumulated deviation of the individual behavior from the behavior baseline.
Anomaly detection of host individual behavior can be realized using the differences and similarities of individual behavior. An attacker exploits host hardware and software vulnerabilities to implant malware and then uses the network identity of the victim host to infect and attack other hosts, so the individual behavior of a victim host inevitably differs from normal behavior; when an infected host launches attacks or infects other hosts, its network communication behavior necessarily differs from the normal communication behavior of the host; and because an attacker, in order to conceal the victim hosts and obscure the true attack target, necessarily has multiple victim hosts in the network, these hosts necessarily share many similarities, such as the same operating system, browser or security vulnerabilities, or they cooperate with one another and act at the same time, which gives these hosts more common features and fewer differences.
In conclusion, the suspiciousness score of a host comprises s1 (formula 1) and s2 (formula 2); these values are standardized, weights {α, β} are set with α + β = 1, and the mathematical calculation of the individual behavior suspiciousness is obtained as shown in formula (3), which is the formula for computing the deviation value:
A data distribution experiment on the deviation degree of the host network behavior pattern is given below.
From the data set, the feature vectors of the host network behavior patterns protected by an enterprise or institution at 11 o'clock on one day were randomly selected, and the data distribution was computed according to the deviation degree calculation method of the behavior pattern. Fig. 6 shows the deviation degree data distribution of the host network behavior pattern, marking statistics such as maximum, minimum, mean and mode.
The experimental data show that, in the current network environment, server hosts whose actually monitored host network behavior pattern deviation degree is below 4 account for 98.65% or more; similarly, when 17 days of data were randomly selected, the results show that the network behavior deviation values of most hosts are basically steady. Many experiments observing the deviation degree of normal host network behavior patterns in other time periods show that the data distribution of the deviation degree is always concentrated in a relatively fixed range, so a threshold can be set on this basis for anomaly determination.
Figs. 7 and 8 show the test of host network behavior pattern anomalies. First, the multidimensional feature values of the server behavior pattern in a fixed time window are computed from network flow data. Deviation values are then computed on the basis of the time window, and outliers are excluded by the Grubbs test, forming the deviation degree of one day's host network behavior pattern, as shown in Fig. 7.
Then, the central tendency of the deviation degree of every host network behavior pattern is obtained and the deviation threshold of the time window is set.
Then, using network flow data, the multidimensional feature values of the host network behavior pattern for the fixed time window at detection time are computed, and the deviation value of every monitored host is computed on the basis of the time window.
Finally, the state of the server host is judged as normal or abnormal according to the time window deviation threshold of the host network behavior pattern computed above.
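The threshold-setting and judgement procedure just described (Grubbs outlier exclusion on one day's deviation values, central tendency, threshold, comparison of detection-time deviations), as an added Python example that is not the patent's code. Assumptions not on the page: a two-sided Grubbs test at significance 0.05 applied iteratively until no outlier remains, a Cornish-Fisher series for the Student-t quantile (the standard library has none), a threshold of mean plus three population standard deviations of the cleaned values, and constructed hourly deviation values and host addresses.

```python
"""Deviation-degree threshold from one day's host deviation values (added example)."""
import math
from statistics import NormalDist, mean, median, pstdev, stdev


def student_t_quantile(p, dof):
    """Approximate Student-t quantile t_{p,dof} (Cornish-Fisher expansion,
    Abramowitz & Stegun 26.7.5). Adequate for dof of roughly 10 and above,
    i.e. a day of hourly windows; use scipy.stats.t.ppf when SciPy is available."""
    z = NormalDist().inv_cdf(p)
    g1 = (z ** 3 + z) / 4
    g2 = (5 * z ** 5 + 16 * z ** 3 + 3 * z) / 96
    g3 = (3 * z ** 7 + 19 * z ** 5 + 17 * z ** 3 - 15 * z) / 384
    g4 = (79 * z ** 9 + 776 * z ** 7 + 1482 * z ** 5 - 1920 * z ** 3 - 945 * z) / 92160
    return z + g1 / dof + g2 / dof ** 2 + g3 / dof ** 3 + g4 / dof ** 4


def grubbs_critical(n, alpha=0.05):
    """Two-sided Grubbs critical value G_crit for sample size n."""
    t = student_t_quantile(1 - alpha / (2 * n), n - 2)
    return (n - 1) / math.sqrt(n) * math.sqrt(t * t / (n - 2 + t * t))


def grubbs_filter(values, alpha=0.05):
    """Iteratively drop the single most extreme value while G = max|x - mean| / s
    exceeds G_crit. Returns (kept, removed)."""
    kept = list(values)
    removed = []
    while len(kept) > 2:                       # the test needs at least 3 samples
        mu, s = mean(kept), stdev(kept)
        if s == 0:
            break
        candidate = max(kept, key=lambda x: abs(x - mu))
        if abs(candidate - mu) / s <= grubbs_critical(len(kept), alpha):
            break
        kept.remove(candidate)
        removed.append(candidate)
    return kept, removed


def deviation_threshold(day_values, k=3.0, alpha=0.05):
    """Baseline for one time window: clean the day's deviation values with Grubbs,
    report their central tendency (median) and set threshold = mean + k * pstdev
    (the k-sigma rule is an assumption; the patent only says a threshold is set)."""
    kept, removed = grubbs_filter(day_values, alpha)
    return {
        "center": median(kept),
        "threshold": mean(kept) + k * pstdev(kept),
        "removed": removed,
        "n_used": len(kept),
    }


def judge_hosts(detection_deviation, threshold):
    """Step (9): a detection-time deviation within the threshold is normal, above it abnormal."""
    return {host: ("abnormal" if d > threshold else "normal")
            for host, d in detection_deviation.items()}


# Constructed data (not from the patent): 24 hourly deviation values of one host
# for one day, with one hour (9.5) far outside the usual range.
DAY_DEVIATIONS = [1.8, 2.1, 2.0, 1.9, 2.3, 2.2, 1.7, 2.0, 2.4, 2.1, 1.9, 2.0,
                  9.5, 2.2, 1.8, 2.5, 2.0, 1.9, 2.1, 2.3, 2.0, 1.8, 2.2, 2.1]
# Constructed detection-time deviation values for three monitored hosts.
DETECTION = {"10.0.0.5": 2.3, "10.0.0.6": 3.1, "10.0.0.7": 7.0}

if __name__ == "__main__":
    base = deviation_threshold(DAY_DEVIATIONS)
    print(f"removed outliers: {base['removed']}, center {base['center']:.2f}, "
          f"threshold {base['threshold']:.2f} from {base['n_used']} windows")
    for host, verdict in judge_hosts(DETECTION, base["threshold"]).items():
        print(f"{host}: {verdict}")
```

For the constructed day the Grubbs statistic of the 9.5 value is about 4.7 against a critical value near 2.8, so it is dropped; the remaining 23 values pass the test and give a threshold of roughly 2.66, which flags two of the three detection-time hosts.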
The data shown in Fig. 8 give the time series curve of the deviation degree of an abnormal host's network behavior pattern over six days, intuitively showing the complete process in which the host network behavior pattern deviation degree goes from normal to abnormal and then returns to normal. The dotted line in the figure represents the median of the overall data distribution, which lies within the normal deviation range. The anomaly detected by the invention is that, after malware was implanted, the host presented an unusual behavior pattern; its network behavior did not affect the normal operation of the network and mainly manifested as the host persistently attempting to connect to remote hosts, with a data-leakage malicious behavior breaking out in a later period. Discovering promptly and accurately that the host network behavior pattern deviates from normal behavior, before serious network harm is caused, is therefore particularly important.
In summary, through a reasonable design, the present invention can effectively cope with novel threats and unknown anomalies, adapt to the security protection needs of complex network environments in which attacks emerge one after another, and solve the problems that training data for traditional anomaly detection methods are difficult to obtain and that anomaly behavior detection systems adapt poorly. The scheme designed by the present invention not only conforms to the trend of technological development and achieves a significant innovation, but is also of great significance to server network security control. Therefore, compared with the prior art, the present invention has prominent substantive features and represents significant progress.
The above embodiment is only one of the preferred embodiments of the present invention and should not be taken to limit the protection scope of the invention; any change or refinement without essential significance made within the design idea and spirit of the invention, where the technical problem solved remains consistent with the present invention, shall be included within the protection scope of the present invention.

Claims (9)

1. A host network behavior pattern measurement method based on an attribute relation graph, comprising the following steps:
(1) collecting host network flow data;
(2) building an attribute relation graph for the host, the attribute relation graph comprising several columns of feature information arranged in any order, each distinct value in each feature column being a node;
(3) establishing connections between the nodes of two adjacent feature columns according to the network connections between hosts, non-adjacent nodes not being connected, so that all network flow data of the host have a correspondence in the attribute relation graph;
(4) at the end of each time window, extracting feature values from the nodes and features of the attribute relation graph, and representing the host network behavior pattern of the fixed time window as a baseline feature vector matrix of multidimensional feature values;
(5) computing host network behavior deviation values on the basis of the fixed time window and excluding outliers, forming the host network behavior deviation degree;
(6) obtaining the central tendency of the deviation degree of every host network behavior pattern and setting the deviation threshold of the time window;
(7) according to network flow data, computing the multidimensional feature values of the host network behavior pattern of the fixed time window at detection time and aggregating them to the host layer, forming the detection feature vector matrix;
(8) computing the current network behavior deviation value of every monitored host for the fixed time window at detection time;
(9) according to the deviation threshold of the time window set in step (6), determining whether the deviation value computed in step (8) lies within the deviation threshold, and thereby determining whether the host state is abnormal.
2. The host network behavior pattern measurement method based on an attribute relation graph according to claim 1, characterized in that in step (1) the host network flow data are collected as follows: the host network flow data are forwarded through a port-mirroring router to the server on which host anomaly behavior detection is deployed.
3. The host network behavior pattern measurement method based on an attribute relation graph according to claim 1 or 2, characterized in that the attribute relation graph comprises seven independent columns of feature information, arranged in the following order: server IP address, protocol number, server port number, remote port number, remote IP address, byte count, time type.
4. The host network behavior pattern measurement method based on an attribute relation graph according to claim 3, characterized in that in step (3) the host network connections are divided, according to the communication pattern of the server in the actual scene, into two types: active connection and passive response.
5. The host network behavior pattern measurement method based on an attribute relation graph according to claim 4, characterized in that in step (2) the protocol number and the server port number are 6 and 80 respectively; the byte count is divided into three nodes 0, 3 and 5; and the time type is divided into two nodes 0 and 1.
6. The host network behavior pattern measurement method based on an attribute relation graph according to claim 5, characterized in that in step (4), when the byte count is extracted as a feature value, the continuous byte count values are reduced in number of distinct values by a discretization method.
7. The host network behavior pattern measurement method based on an attribute relation graph according to claim 6, characterized in that the discretization method is binning, specifically: the byte count is divided into 12 bins, bin1 to bin12; in bin_k the byte count of each packet lies in (2^(k-1), 2^k], where k is the index of the bin; in bin12 the byte count of each packet lies in (2^10, ∞).
8. The host network behavior pattern measurement method based on an attribute relation graph according to claim 6 or 7, characterized in that the host network behavior deviation value is computed with the following formula:
In the formula, the historical suspiciousness, that is, the distance in feature space between the feature vector of the host's individual behavior profile at detection time and the historical behavior baseline, has Mean_his denoting the mean of the host's individual historical behavior baseline, IP_j denoting the j-th host and Td denoting the detection time; log(count_blk) denotes the victim suspiciousness, that is, the number of hosts in IP blacklists among the hosts that communicate remotely with the server at detection time, in which count_blk denotes the number of IP addresses appearing in the blacklists; α and β are weights, and α + β = 1.
9. The host network behavior pattern measurement method based on an attribute relation graph according to claim 1, characterized in that in step (5) the outliers are excluded according to the Grubbs test.
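Steps (2) to (4) of claim 1 together with the column order of claim 3 and the byte-count binning of claim 7, as an added Python example that is not the patent's code. Each flow record contributes one node per feature column, edges join only nodes of adjacent columns, and each host's graph is summarized at the end of the window into a feature vector; the statistics chosen here (distinct nodes per column, then distinct edges per adjacent column pair) are my choice, since the claims do not fix which graph quantities are extracted. The binning reads bin12 as (2^11, ∞) so that it does not overlap bin11, and places byte counts of 0 or 1, which fall below the first interval, in bin1; both are assumptions. Flow records, addresses and time_type values are constructed.

```python
"""Attribute relation graph per host and per-window feature extraction (added example)."""
from collections import defaultdict

# Column order from claim 3; the byte count enters the graph already binned (claim 6/7).
COLUMNS = ("server_ip", "protocol", "server_port", "remote_port",
           "remote_ip", "byte_bin", "time_type")


def byte_bin(n):
    """Claim 7 binning: bin_k holds byte counts in (2^(k-1), 2^k] for k = 1..11.
    Assumptions: bin12 is the open-ended (2^11, inf) so bins do not overlap,
    and counts of 0 or 1 (below the first interval) are placed in bin1."""
    if n < 0:
        raise ValueError("byte count cannot be negative")
    # (n-1).bit_length() == k exactly when 2^(k-1) < n <= 2^k.
    return min(12, max(1, (n - 1).bit_length()))


class AttributeRelationGraph:
    """Nodes are (column_index, value); edges only join adjacent columns (step 3)."""

    def __init__(self):
        self.nodes = set()
        self.edges = defaultdict(int)    # ((col, v), (col + 1, w)) -> number of flows

    def add_flow(self, flow):
        values = [flow["server_ip"], flow["protocol"], flow["server_port"],
                  flow["remote_port"], flow["remote_ip"],
                  byte_bin(flow["bytes"]), flow["time_type"]]
        path = [(i, v) for i, v in enumerate(values)]
        self.nodes.update(path)
        for a, b in zip(path, path[1:]):     # consecutive columns only
            self.edges[(a, b)] += 1

    def feature_vector(self):
        """Distinct nodes per column (7 values), then distinct edges per adjacent
        column pair (6 values): the host's multidimensional feature values for this window."""
        node_counts = [sum(1 for col, _ in self.nodes if col == i)
                       for i in range(len(COLUMNS))]
        edge_counts = [sum(1 for a, _ in self.edges if a[0] == i)
                       for i in range(len(COLUMNS) - 1)]
        return node_counts + edge_counts


def build_graphs(flows):
    """One attribute relation graph per server host for the flows of one time window."""
    graphs = defaultdict(AttributeRelationGraph)
    for flow in flows:
        graphs[flow["server_ip"]].add_flow(flow)
    return dict(graphs)


def window_features(flows):
    """Step (4): at the end of the window, extract each host's feature vector."""
    return {host: g.feature_vector() for host, g in build_graphs(flows).items()}


# Constructed flow records for one time window (not from the patent).
FLOWS = [
    {"server_ip": "10.0.0.5", "protocol": 6, "server_port": 80, "remote_port": 51000,
     "remote_ip": "192.0.2.10", "bytes": 1500, "time_type": 0},
    {"server_ip": "10.0.0.5", "protocol": 6, "server_port": 80, "remote_port": 51001,
     "remote_ip": "192.0.2.10", "bytes": 120, "time_type": 0},
    {"server_ip": "10.0.0.5", "protocol": 6, "server_port": 80, "remote_port": 52000,
     "remote_ip": "192.0.2.11", "bytes": 3000, "time_type": 1},
    {"server_ip": "10.0.0.6", "protocol": 6, "server_port": 25, "remote_port": 40000,
     "remote_ip": "192.0.2.12", "bytes": 900, "time_type": 0},
]

if __name__ == "__main__":
    for host, vec in window_features(FLOWS).items():
        print(host, vec)
```

For the web host 10.0.0.5 the three flows yield 1500 bytes in bin11, 120 bytes in bin7 and 3000 bytes in bin12, so the byte_bin column has three nodes and each adjacent pair from server_port onward has three distinct edges; the single-flow mail host collapses to a vector of ones.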

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811105929.5A CN109040130B (en) 2018-09-21 2018-09-21 Method for measuring host network behavior pattern based on attribute relation graph

Publications (2)

Publication Number Publication Date
CN109040130A true CN109040130A (en) 2018-12-18
CN109040130B CN109040130B (en) 2020-12-22

Family

ID=64617495

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811105929.5A Active CN109040130B (en) 2018-09-21 2018-09-21 Method for measuring host network behavior pattern based on attribute relation graph

Country Status (1)

Country Link
CN (1) CN109040130B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1460932A (en) * 2003-06-18 2003-12-10 北京首信股份有限公司 Hierarchial invasion detection system based on related characteristic cluster
CN103095728A (en) * 2013-02-07 2013-05-08 重庆大学 Network security marking system based on behavioral data fusion and method
CN104935570A (en) * 2015-04-22 2015-09-23 电子科技大学 Network flow connection behavior characteristic analysis method based on network flow connection graph
CN105071985A (en) * 2015-07-24 2015-11-18 四川大学 Server network behavior description method
CN107528734A (en) * 2017-08-31 2017-12-29 叶晓鸣 A kind of abnormal host group's detection method based on Dynamic Graph

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
胡瑞详,叶晓鸣等: ""基于流量行为特征的异常流量检测"", 《信息网络安全》 *
邵国林,叶晓鸣等: ""基于流量结构稳定性的服务器网络行为描述:建模与系统"", 《电子科技大学学报》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3739475A1 (en) 2019-05-17 2020-11-18 Universitat Politécnica De Catalunya A computer implemented method, a system and computer programs for anomaly detection using network analysis
CN111259088A (en) * 2020-01-13 2020-06-09 中孚安全技术有限公司 User network behavior audit modeling method based on portrait technology
CN111259088B (en) * 2020-01-13 2024-04-26 中孚安全技术有限公司 User network behavior audit modeling method based on portrait technology
CN111756708A (en) * 2020-06-09 2020-10-09 北京天空卫士网络安全技术有限公司 Method and device for detecting directional threat attack
CN111756708B (en) * 2020-06-09 2022-06-28 北京天空卫士网络安全技术有限公司 Method and device for detecting directional threat attack
CN112437091A (en) * 2020-11-30 2021-03-02 成都信息工程大学 Abnormal flow detection method oriented to host community behaviors
CN112437091B (en) * 2020-11-30 2021-09-21 成都信息工程大学 Abnormal flow detection method oriented to host community behaviors
CN113298345A (en) * 2021-04-06 2021-08-24 杭州未名信科科技有限公司 Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium
CN113298345B (en) * 2021-04-06 2022-11-18 杭州未名信科科技有限公司 Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium
CN113162951A (en) * 2021-05-20 2021-07-23 深信服科技股份有限公司 Threat detection method, threat model generation method, threat detection device, threat model generation device, electronic equipment and storage medium
CN113225349A (en) * 2021-05-21 2021-08-06 中国工商银行股份有限公司 Method and device for establishing malicious IP address threat intelligence library and preventing malicious attack
CN115580486A (en) * 2022-11-18 2023-01-06 宁波市镇海区大数据投资发展有限公司 Network security sensing method and device based on big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant