CN109040130A - Mainframe network behavior pattern measure based on attributed relational graph - Google Patents
- Publication number
- CN109040130A (application CN201811105929.5A)
- Authority
- CN
- China
- Prior art keywords
- host
- mainframe network
- relational graph
- network behavior
- behavior pattern
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
- H04L2463/146—Tracing the source of attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a host network behavior pattern measurement method based on an attributed relational graph. The technical solution consists of four key steps: collection of network traffic, formal characterization of the host network behavior pattern, detection of abnormal host network behavior, and anomaly determination. The designed solution addresses two problems of traditional anomaly detection methods: training data that is difficult to obtain, and poor adaptability of the anomaly detection system to changing behavior. It can effectively cope with the security protection demands raised by the novel threats that hosts face and by the unknown anomalies and attacks that emerge one after another, and reduces the losses that targeted attacks cause to enterprises and institutions.
Description
Technical field
The present invention relates to the description of server behavior patterns and to anomaly detection, and in particular to a host network behavior pattern measurement method based on an attributed relational graph.
Background technique
Server hosts are the principal network hardware resource of enterprises and institutions: network applications and data resources are all stored on server hosts. With the growth of network applications and the diversification of service types, the number of users also increases sharply, which inevitably raises a series of security problems. Research on host-system-level security detection mostly draws its data from host system audit logs, system call sequences, and changes in memory and files, and distinguishes normal from illegal behavior on the host by analyzing the system's audit data. The advantage of this line of research is that it can easily monitor certain system activities, such as access to sensitive files, directories, programs or ports, which are hard to discover in network traffic data. Taking the abnormal behavior of the targeted attacks that currently receive much attention as an example, the intruder's final goal is data theft, yet the early-stage intrusion behavior is hard to discover. Once an attacker has obtained user privileges on the host, the data leakage behavior does not change internal system activity such as files, memory or programs; only when the data is transmitted outward does the network communication behavior change. Therefore, attending to changes in the individual behavior of a host is the best opportunity to detect data leakage, and a crucial step in reducing the damage that targeted attacks cause to enterprises and institutions.
In a large-scale network architecture, a large number of network security defense devices are usually deployed to reinforce host security protection layer by layer. These generate a large amount of alert information every day and every minute, and a large number of professional security analysts are needed to analyze, triage and confirm the usefulness of the alerts, especially for the security analysis of a particular host. There are therefore also practical problems: information is hard to collect, the volume of information is large, and analysis is difficult. In a continuously changing network system, a server communicates heavily with the outside world, which makes the individual behavior profile of a host in the network hard to portray.
In summary, server-oriented security monitoring mainly has the following two shortcomings:
(1) Existing research results show that in a large network environment it is hard to collect and analyze the heterogeneous host security logs. One main reason is that deploying software agents on the servers is complex work and inevitably costly, and the inconsistency of host software and hardware versions causes problems of data collection, data interfaces and access control rights; besides the high cost, the agents also reduce host performance and increase the complexity of security management, all of which bring more risk to the security management of enterprises and institutions;
(2) Existing methods are insensitive to changes in the network traffic of an individual host: they generally pay no attention to increases or decreases in an individual host's traffic or to changes in its individual behavior model, so the individual behavior of a host cannot be analyzed and detected. Consequently, the analysis of individual server security using network traffic data has not received wide attention.
Understanding the individual behavior characteristics of hosts is an important prerequisite for much research work, such as network security defense; measurement and analysis provide authentic and valid data for that understanding. The measurement and analysis of individual host behavior is therefore the basis for studying it. This requires grasping the essential characteristics of host network behavior, discovering the basic laws by which its individual behavior changes, and constructing a mathematical model of individual host behavior. Through research on individual host behavior within enterprises and institutions, host network behavior can be assessed accurately, which is very important for server network security control.
Summary of the invention
The purpose of the present invention is to provide a host network behavior pattern measurement method based on an attributed relational graph, solving the problem that the prior art finds it hard to cope with novel threats and unknown anomalies, and cannot meet the security protection demands of complex network environments in which attacks emerge one after another.
To achieve the above object, the technical solution adopted by the invention is as follows:
A host network behavior pattern measurement method based on an attributed relational graph, comprising the following steps:
(1) collecting host network traffic data;
(2) building an attributed relational graph for the host, the graph comprising several columns of feature information arranged in any order, with each distinct value in a column being a node of that column;
(3) establishing connections between the nodes of adjacent columns according to the network connections between hosts, with no connections between non-adjacent nodes, so that all of the host's network traffic data corresponds to the attributed relational graph;
(4) at the end of each time window, extracting feature values from the nodes and features of the attributed relational graph, and representing the host network behavior pattern of the fixed time window as a baseline feature vector matrix of multidimensional feature values;
(5) calculating the host network behavior deviation value on the basis of the fixed time window and removing outliers, to form the deviation degree of the host network behavior;
(6) obtaining the central tendency of the deviation degree of each host network behavior pattern and setting the deviation threshold of the time window;
(7) according to the network traffic data, computing the multidimensional feature values of the host network behavior pattern for the fixed time window at detection time, and aggregating them to the host level to form the detection feature vector matrix;
(8) calculating the current network behavior deviation value of each monitored host for the fixed time window at detection time;
(9) according to the deviation threshold of the time window set in step (6), determining whether the deviation value calculated in step (8) lies within the threshold, and thereby whether the host state is abnormal.
Specifically, in step (1), the host network traffic data is collected by forwarding it through a port-mirroring router to the server on which host anomaly detection is deployed.
Further, the attributed relational graph comprises seven independent columns of feature information, arranged in the order server IP address, protocol number, server port number, remote port number, remote IP address, byte count, and time type.
Still further, in step (3) host network connections are divided, according to the communication pattern of servers in the actual scenario, into two kinds: actively initiated connections and passive responses.
Further, in step (2), the protocol number and server port number are 6 and 80 respectively; the byte count is divided into the three nodes 0, 3 and 5; and the time type is divided into the two nodes 0 and 1.
In step (4), when the byte count is extracted as a feature value, the continuous byte count must be passed through a discretization method to reduce the number of data values.
Preferably, the discretization method uses binning: the byte count is divided into 12 bins, bin1 to bin12. The byte count of each packet in bin k is in (2^(k-1), 2^k], where k is the index of the bin; the byte count of each packet in bin12 is in (2^10, ∞).
Still further, the present invention calculates the host network behavior deviation value using the following formula:
In the formula, one term denotes the history suspicious degree, that is, the feature vector space distance between the individual behavior profile of the host at detection time and the historical behavior baseline, where Mean_his denotes the mean of the host's individual historical behavior baseline, IP_j denotes the j-th host, and Td denotes the detection time; log(count_blk) denotes the victim suspicious degree, that is, the number of hosts that communicate remotely with the server at detection time and appear in the IP blacklist, where count_blk denotes the number of such IP addresses listed in the blacklist; α and β are weights, with α+β=1.
Preferably, in step (5), outliers are removed according to the Grubbs test.
The main design principle of the invention starts from measuring the individual behavior model constructed by the attributed relational graph feature quantification method: the normal host behavior of a fixed time window is represented as a baseline feature vector matrix of multidimensional feature values; the traffic data of the fixed time window is aggregated to each host according to the detection time to form the detection feature vector matrix; the degree to which the feature vector of each host's current network traffic deviates from that of its normal network traffic is then quantified by the moving distance in feature vector space; and finally whether the host state is normal is judged from the size of the deviation value.
Compared with the prior art, the invention has the following advantages:
The present invention innovatively introduces the concept of the attributed relational graph, constructs the host network behavior pattern based on the attributed relational graph from network traffic, and uses a detection means based on the individual behavior deviation degree expressed as movement in feature vector space: the moving distance in feature vector space quantifies the deviation between the feature vector of each host's current network traffic and that of its normal network traffic, and abnormal network behavior of the host is detected on that basis. This not only makes full use of network traffic data to analyze the security of individual hosts, but also provides a more comprehensive analysis view. Because the feature vector formed by the multidimensional feature values of a host's normal network behavior pattern exhibits a stable temporal characteristic (including the similarity of the individual behavior of several hosts at the same vertical time point, the temporal similarity of the individual behavior feature values at different time scales, and the similarity of the individual behavior of several hosts at vertical time points at different time scales), a substantial deviation of the feature vector space moving distance from the normal network behavior pattern baseline indicates that an unusual network security event has presently occurred on the host, such as probing, scanning, malware injection, an operational service failure or a network configuration error.
In addition, when the present invention calculates the deviation of the host network behavior at detection time from the baseline of host network behavior at normal times, it takes into account not only the space distance by which the behavior pattern has moved relative to the historical feature vector, but also the number of users accessing the server that appear in the IP blacklist, and adds the weights α and β; the calculation of the deviation degree is thus more rigorous and comprehensive.
It should be said that, by analyzing the dynamic rule of the host network behavior pattern feature vector, the present invention accurately captures the normal individual behavior profile of host network behavior in a given time window, and at the same time performs behavior analysis on the network traffic aggregated to the host, so that the host state can be accurately grasped and the security protection of the host increased. By using the scheme designed by the present invention, the security protection problems of the novel threats that hosts face and of the unknown anomalies and attacks that emerge one after another can be coped with effectively, and the losses that targeted attacks cause to enterprises and institutions are reduced.
Detailed description of the invention
Fig. 1 is the flow diagram of the invention.
Fig. 2 is the system architecture diagram used in implementing the invention.
Fig. 3 is the attributed relational graph of a host in the invention.
Fig. 4 is a schematic diagram of the cosine similarity of individual behavior feature vectors for vertical time windows in the embodiment of the invention.
Fig. 5 is a schematic diagram of the cosine similarity of individual behavior feature vectors for vertical time windows at different time scales in the embodiment of the invention.
Fig. 6 is a schematic diagram of the data distribution of the deviation degree of the host network behavior pattern in the embodiment of the invention.
Fig. 7 is a box plot of the abnormal deviation degree of the host network behavior pattern in the embodiment of the invention.
Fig. 8 is a schematic diagram of the deviation degree of abnormal host network behavior patterns in the embodiment of the invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings and an embodiment; the modes of the invention include but are not limited to the following embodiment.
Current detection methods for abnormal host characteristics first collect known attack and anomaly sample information, label the abnormal and normal samples, form a training data set, and can then detect the corresponding anomalies. But as attacker techniques keep evolving, attack means exhibit diversity, complexity and concealment, and network attacks attempt to evade detection by the original security policies. Existing detection methods based on abnormal host characteristics therefore find it hard to cope with novel threats and unknown anomalies, and cannot meet the security protection demands of complex network environments in which attacks emerge one after another. For this purpose, the present invention provides a host network behavior pattern measurement method based on an attributed relational graph: the host network behavior pattern based on the attributed relational graph is constructed from network traffic, and the dynamic moving distance in feature vector space between the current multidimensional feature values and the normal behavior pattern baseline is compared to judge whether the host is abnormal. The present invention is mainly aimed at anomaly detection on the important hosts of enterprises and institutions; the detailed process is as follows (as shown in Fig. 1):
First, the network traffic data of the critical hosts of the enterprise or institution is collected. In the present embodiment, the network traffic of the host resources is forwarded through a port-mirroring router to the server on which host anomaly detection is deployed; the system architecture is shown in Fig. 2. Because the main embodiment of the invention consists of multidimensional feature extraction and deviation degree calculation, the multidimensional feature values of server traffic are first aggregated and reduced in dimension in units of time windows, the behavior pattern baseline is learned dynamically from the stored historical data, and once the normal system parameters have been obtained the system performs the modeling and anomaly detection of the host network behavior pattern.
After the network traffic data has been collected, the host network behavior pattern must be formally characterized, specifically:
1. An attributed relational graph is built for the host. The graph comprises several columns of feature information arranged in any order, with each distinct value in a column being a node. In the present embodiment, the attributed relational graph comprises seven independent columns of feature information, arranged in the order server IP address, protocol number, server port number, remote port number, remote IP address, byte count, and time type. The column information of the attributed relational graph with seven columns of feature information is shown in Table 1 below:
Table 1
The attributed relational graph was originally a description method applied at the application layer to explain behavior patterns of different types; it mainly describes the network connection pattern between one host and other hosts. The present embodiment uses the 7-tuple {server IP address, protocol number, server port number, remote port number, remote IP address, byte count, time type}, which can visually describe the various applications of the server transport layer (FTP, P2P, Mail, Web, DNS servers) as well as network attacks. The attributed relational graph of a host is shown in Fig. 3. In the present embodiment the protocol number and server port number are 6 and 80 respectively; the byte count is divided into the three nodes 0, 3 and 5; and the time type is divided into the two nodes 0 and 1. The host provides a service on port 80; other user hosts can communicate with the host IP address, a user host initiates a network connection to request the network service on port 80, and during the communication several source port numbers communicate with port 80 of the host.
In addition, it must be noted that the host network behavior profile attributes proposed in host research are relatively single and limited: they may include only traffic attributes (such as bytes sent, packets received, packets sent, bytes received, duration) and host connections (the number of flows connected to the host), and seldom involve quantification with application-layer attribute relations (connection counts, the relationship between host ports and remote ports). The invention therefore introduces the attributed relational graph to analyze the joint attribute relations of individual host behavior, and proposes a feature quantification method for a 7-column attributed relational graph, in which the fifth column, the destination address (remote IP address), is key.
2. Edges are established between the nodes of adjacent columns according to the host's network connections, so that all of the host's network traffic data corresponds to the attributed relational graph. The present invention extends the attributed relational graph method with host-level attributes. The number of columns in the graph is determined by the number of tuple elements used, each tuple element occupying one column; nodes of adjacent columns have connection relations, while nodes of non-adjacent columns have none. In addition, for the relation quantification tuple, the present invention defines the in-degree (out-degree) of a node in a column as the number of nodes to its left (right), in order to portray the characteristics of host network behavior.
3. At the end of each time window, feature values are extracted from the nodes and features of the attributed relational graph to construct the host's normal network behavior pattern profile, and the host network behavior pattern of the fixed time window is represented as a baseline feature vector matrix of multidimensional feature values. It should be noted that in the present invention the number and order of the features are variable: with a different number or order of features, the extracted features differ, but they can still be represented as a baseline feature vector matrix of multidimensional feature values, and the subsequent steps run unchanged. The present embodiment extracts feature values with the 7-column attributed relational graph feature quantification method to form the baseline feature vector matrix of multidimensional feature values.
The present invention extracts the feature values of the host network behavior pattern uniformly at the end of each time window. The data of a fixed time window T is aggregated to the host level, and feature statistics are computed with the host as the research object. On the one hand this is done so that as much information as possible describes the host; on the other hand, to keep the feature space that the algorithm must analyze, process and explain as small as possible, the feature set also needs data preprocessing, reduction and feature dimensionality reduction. By aggregating flows to the host level, and starting from the original 9 attributes of the network flow data, the flow-based features are expanded with the attributed relational graph feature measurement method: 33 network flow features, plus 70 attribute features each for server-side and client-side behavior. Part of the features are shown in Table 2 below.
Table 2
Table 2
In addition, the invention introduces attribute quantification attributes, which are features extracted from the attributed relational graph (as shown in Table 3). Among these, in order to use the byte count as a feature, the continuous byte count must be passed through a discretization method to reduce the number of data values. The discretization method of the present embodiment uses binning: the byte count is divided into 12 bins, bin1 to bin12. The bin values are derived from the maximum transmission unit (MTU), where the maximum segment size MSS = MTU - IP header length (20 bytes) - TCP header length (20 bytes). The byte count of each packet in bin k is in (2^(k-1), 2^k], where k is the index of the bin; the byte count of each packet in the last bin, bin12, is in (2^10, ∞).
Table 3
The present invention distinguishes host network connections, according to the communication pattern of servers in the actual scenario, into two cases: actively initiated connections and passive responses (as described in Table 4); and in order to portray the individual behavior of the host, the byte count is also added.
Table 4
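As an added illustration of the formalization steps above (the column-per-attribute graph with edges only between adjacent columns, the in-degree/out-degree definition, and the power-of-two byte binning), the following Python is example code written for this page and not part of the patent. The flow records are constructed; the feature vector it derives (node count per column, edge count, fan-out of the server-port node) is this example's own small selection, not the patent's full feature set, and the handling of byte counts of 0 to 2 bytes and the start of the open-ended last bin are assumptions, since the text does not pin them down.

```python
import math
from collections import defaultdict

# Column order of the 7-column attributed relational graph described in the text.
COLUMNS = ("server_ip", "protocol", "server_port", "remote_port",
           "remote_ip", "byte_bin", "time_type")

# Constructed sample flows for one server host (not data from the patent).
# time_type is the 0/1 node from the text; the text does not spell out its meaning.
SAMPLE_FLOWS = [
    {"server_ip": "10.0.0.5", "protocol": 6, "server_port": 80, "remote_port": 51000,
     "remote_ip": "203.0.113.7", "bytes": 1460, "time_type": 0},
    {"server_ip": "10.0.0.5", "protocol": 6, "server_port": 80, "remote_port": 51001,
     "remote_ip": "203.0.113.7", "bytes": 320, "time_type": 0},
    {"server_ip": "10.0.0.5", "protocol": 6, "server_port": 80, "remote_port": 40022,
     "remote_ip": "198.51.100.9", "bytes": 5000, "time_type": 1},
]


def byte_bin(n_bytes, n_bins=12):
    """Discretise a byte count into a bin index k in 1..n_bins.

    Bin k covers (2**(k-1), 2**k] as in the text; the last bin is open-ended and
    collects everything above the previous bin's upper edge. Assumption: counts of
    0..2 bytes all map to bin 1 (the text does not say where a 0 falls).
    """
    if n_bytes <= 2:
        return 1
    return min(math.ceil(math.log2(n_bytes)), n_bins)


def build_graph(flows):
    """Return nodes (distinct values per column) and edges (adjacent columns only)."""
    nodes = {col: set() for col in COLUMNS}
    edges = set()
    for f in flows:
        row = (f["server_ip"], f["protocol"], f["server_port"], f["remote_port"],
               f["remote_ip"], byte_bin(f["bytes"]), f["time_type"])
        cells = list(zip(COLUMNS, row))  # one (column, value) node per column
        for col, val in cells:
            nodes[col].add(val)
        # one edge per pair of neighbouring columns; non-adjacent columns never connect
        for left, right in zip(cells, cells[1:]):
            edges.add((left, right))
    return nodes, edges


def node_degrees(edges):
    """In-degree = distinct neighbours in the column to the left; out-degree = to the right."""
    indeg, outdeg = defaultdict(set), defaultdict(set)
    for left, right in edges:
        outdeg[left].add(right)
        indeg[right].add(left)
    return ({n: len(s) for n, s in indeg.items()},
            {n: len(s) for n, s in outdeg.items()})


def window_feature_vector(flows):
    """Per-window feature vector for one host: node count of every column, then the
    edge count and the largest out-degree among server-port nodes (i.e. how many
    distinct remote ports reached the service in this window)."""
    nodes, edges = build_graph(flows)
    _, outdeg = node_degrees(edges)
    port_nodes = [("server_port", p) for p in nodes["server_port"]]
    port_fanout = max((outdeg.get(p, 0) for p in port_nodes), default=0)
    return [len(nodes[c]) for c in COLUMNS] + [len(edges), port_fanout]


if __name__ == "__main__":
    n, e = build_graph(SAMPLE_FLOWS)
    print({c: sorted(v, key=str) for c, v in n.items()})
    print(window_feature_vector(SAMPLE_FLOWS))
```

Because edges are keyed on (column, value) pairs, the same remote IP reached from several remote ports yields one node with a higher in-degree rather than duplicate nodes, which is what makes the degree counts usable as per-window features.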
After the host network behavior pattern has been formally characterized, the normal network behavior deviation value of the host must be calculated on the basis of the fixed time window and outliers removed (according to the Grubbs test), forming the deviation degree of the host network behavior pattern.
The feature vector of the normal network behavior pattern consists of multidimensional feature values updated with the real changes in server network traffic and exhibits a stable temporal characteristic. The confirmatory experiments designed by the present invention are as follows:
(1) Stability of the network behavior patterns of different hosts at the same time and in the same time window. In the experiment, the individual behavior feature vectors of several hosts at the same time and in the same time window were randomly selected and their cosine similarity calculated. Six hosts were chosen at random, the time window was 5 minutes, the data was the feature set proposed by the present invention, and the data at 9:05 a.m. on 19 working days was randomly selected; similarities were calculated pairwise, giving 171 (19*18/2) cosine similarity values in total. The experimental results show that the behavior patterns of every host at the same time and in the same time window are similar, and the data shows stability: as shown in Fig. 4, all the similarity values are higher than 0.994.
(2) Stability of the network behavior pattern of each host at the same time for different time windows. In the experiment, time windows of 60 minutes, 30 minutes, 10 minutes, 5 minutes and 1 minute were selected; the average similarity of 6 randomly selected hosts was computed, the data at 9:05 a.m. on 17 working days was randomly selected vertically, and similarities were calculated pairwise, giving 136 cosine similarity values in total. As shown in Fig. 5, the similarity values of every time window are higher than 0.994; the similarity of the 10-minute window is the lowest, while the similarities of the remaining 60-minute, 1-minute and 5-minute windows are all higher than 0.999. The experimental results show that the multidimensional feature values of the behavior pattern of each host at the same time and in the same time window are similar, and the data shows stability.
The above experiments show that for different time windows and different hosts, the multidimensional feature values of the host network behavior pattern all show very high similarity, so the stable temporal characteristic can be used to calculate the deviation of the host network behavior pattern. Analysis of real data shows that servers provide services such as Web, mail and information management; considering the social, functional and application characteristics of the server and the fixed service usage habits of users in enterprises and institutions, all of these tend to be stable in the long term, and the host network behavior pattern does not change abruptly.
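The pairwise cosine-similarity check behind experiments (1) and (2), as an added example written for this page rather than taken from the patent. The per-window feature vectors are constructed to mimic stable 9:05 a.m. windows, plus one constructed window in which the host suddenly fans out to many remote addresses; the 0.994 floor is the value the text reports, and `pair_count` reproduces the 171 and 136 pair totals quoted above.

```python
import math

# Constructed per-window feature vectors for one host (not the patent's data):
# e.g. [remote ports, protocols, ..., edges, fan-out] from the relational graph.
BASELINE_VECTORS = [
    [120, 3, 2, 46, 31, 8, 2, 410, 46],
    [118, 3, 2, 44, 30, 8, 2, 398, 44],
    [124, 3, 2, 47, 32, 8, 2, 421, 47],
    [121, 3, 2, 45, 30, 8, 2, 405, 45],
]
# A constructed window where remote-port/remote-IP node counts and edges explode,
# the kind of shape a probe or scan would leave in the graph.
SCAN_LIKE_VECTOR = [120, 3, 2, 900, 850, 8, 2, 6200, 900]


def cosine_similarity(a, b):
    """Cosine of the angle between two feature vectors; 0.0 if either is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def pair_count(n):
    """Number of unordered pairs among n windows: n*(n-1)/2 (19 -> 171, 17 -> 136)."""
    return n * (n - 1) // 2


def pairwise_similarities(vectors):
    """All pairwise cosine similarities, i < j, in row-major order."""
    return [cosine_similarity(vectors[i], vectors[j])
            for i in range(len(vectors)) for j in range(i + 1, len(vectors))]


def is_stable(vectors, floor=0.994):
    """True when every pair of windows is at least as similar as the text's 0.994 floor."""
    sims = pairwise_similarities(vectors)
    return bool(sims) and min(sims) >= floor


if __name__ == "__main__":
    print(min(pairwise_similarities(BASELINE_VECTORS)))
    print(is_stable(BASELINE_VECTORS), is_stable(BASELINE_VECTORS + [SCAN_LIKE_VECTOR]))
```

Cosine similarity ignores overall scale, so a window that is simply busier but has the same shape still scores near 1; only a change in the proportions between features (such as remote-IP and edge counts growing far faster than the rest) pulls the similarity below the floor.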
After the host network behavior pattern of the fixed time window has been represented as a baseline feature vector matrix of multidimensional feature values, the central tendency of the deviation degree of the host network behavior pattern is obtained and the deviation threshold of the time window is set. Then, according to the network traffic data, the multidimensional feature values of the host network behavior pattern for the fixed time window at detection time are computed and aggregated to the host level, forming the detection feature vector matrix.
Next, the current network behavior deviation value of each monitored host for the fixed time window at detection time is calculated. Finally, according to the set deviation threshold of the time window (in practical applications the threshold can be updated dynamically and iteratively), it is determined whether the calculated current behavior deviation value lies within the deviation threshold, that is, whether the host state is abnormal. In other words, when the host network behavior profile at detection time is close or equal to the historical network behavior profile, the host is considered normal, and vice versa.
In the above calculation of the deviation degree, besides the space distance by which the host network behavior pattern moves relative to the historical feature vector, the invention also considers a suspiciousness quantification index, because the more of the users accessing the server appear in the blacklist, the higher the probability that malware has been implanted or that malicious behavior occurs.
The definition of suspicious degree is explained in detail below.
Definition 1: the history suspicious degree S1, i.e. the feature vector space distance between the host's individual behavior profile at detection time and the historical behavior baseline.
The characteristic vector space position for quantifying host itself and history individual behavior profile is mobile.Master is monitored between when detecting
Machine calculates individual behavior at a distance from historical behavior feature space center, identifies host-feature in the situation of movement of feature space
Whether vector space position is abnormal.
Users access network resources with fixed habits and regularity, so a data-centre server can externally provide relatively stable application services. Therefore, as the network behavior profile evolves over time, it shows a stable network communication mode. At the same time, since the mean measures the trend of the data, the mean of each historical datum is taken as the feature-vector reference point (note: when extracting historical time-point features, times labelled as abnormal are filtered out; the same applies below), and the relative displacement of the current feature vector is calculated as the suspicious value, as given by formula (1):
In the formula, Mean_his denotes the mean of the host's individual historical behavior baseline, IP_j denotes the j-th host, and Td denotes the detection time.
Definition 2: victim suspicious degree S2, i.e. the number of hosts in remote communication with the server at detection time that appear on IP blacklists; in this embodiment it is obtained by analysing information such as malicious domain names and IP blacklists.
It quantifies the likelihood that the server host has become a victim host: using published blacklists, the number of remote host IP addresses of its communications that are listed on blacklists is counted.
At present, many organisations and companies publish blacklists of IP addresses and domain names; restricting the IPs on these blacklists from accessing important network facilities is also an effective security measure. Finding which hosts access malicious domain names or IP addresses not only helps to quickly pin down botnet command-and-control ends and victim hosts, but also reduces the damage caused by botnets. Therefore, the more blacklisted addresses appear in a server host's individual behavior, the higher its suspicious degree.
The invention takes the data published by the University of Science and Technology of China, Northeastern University and a German free blacklist repository as its basis, and counts whether the IPs interacting with the monitored host in the corresponding period belong to the public blacklists; the more blacklisted IPs interact with the host, the higher the probability that it is infected with malware and has been attacked and become a victim host, as given by formula (2):
$s_2 = \log(\mathrm{count}_{blk})$ (2)
In the formula, count_blk denotes the number of IP addresses that are listed on blacklists.
Definition 3: individual behavior suspicious score, i.e. the accumulated deviation of the individual behavior from the behavior baseline.
Anomaly detection of a host's individual behavior can be realised using the differences and similarities of individual behavior. An attacker exploits host hardware and software vulnerabilities to implant malware, then uses the victim host's network identity to infect and attack other hosts, so the victim host's individual behavior necessarily differs from normal behavior. When a malware-infected host launches attacks or infects other hosts, the network communication behavior of the host pair necessarily differs from normal communication behavior. To conceal the victim host and obscure the true attack target, an attacker necessarily has multiple victim hosts in the network, and these hosts necessarily share many similarities, such as the same operating system, browser or security vulnerabilities, or the victim hosts cooperate with each other and act at the same time, which gives these hosts more commonality and less difference.
In conclusion the suspicious degree score value of host includes s1(formula 1), s2(formula 2) standardizes these three numerical value,
And weight { α, β } is set, and alpha+beta=1, it concludes and obtains shown in the mathematic calculation such as formula (3) of the suspicious degree of individual behavior,
It is exactly to calculate to deviate formula based on angle value:
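As an added illustration of Definitions 1 to 3 (example code written for this page, not the patent's own implementation): Python that derives Mean_his from a host's historical feature vectors, computes s1 as the Euclidean distance of the detection-time vector from that mean, computes s2 = log(count_blk), min-max standardises both across the monitored hosts and combines them with weights α + β = 1. The feature dimensions, the sample vectors and blacklist counts, the use of Euclidean distance and the natural logarithm, min-max standardisation, and the treatment of count_blk = 0 are all assumptions, since the page leaves them open.

```python
import math

# Constructed sample data (not from the patent): per-host historical feature
# vectors from earlier time windows, the detection-time vector, and the number
# of blacklisted remote IPs seen at detection time. Each vector is assumed to be
# (connection count, distinct remote hosts, bytes transferred) for the window;
# the patent does not fix the feature set used here.
HISTORY = {
    "10.0.0.5": [[100, 20, 5000], [110, 22, 5200], [90, 18, 4800]],
    "10.0.0.8": [[50, 5, 1000], [60, 5, 1200], [40, 5, 800]],
    "10.0.0.9": [[200, 40, 9000], [210, 42, 9100], [190, 38, 8900]],
}
CURRENT = {
    "10.0.0.5": [103, 24, 5000],
    "10.0.0.8": [50, 5, 1000],
    "10.0.0.9": [202, 40, 9000],
}
BLACKLIST_HITS = {"10.0.0.5": 3, "10.0.0.8": 0, "10.0.0.9": 1}


def baseline_mean(vectors):
    """Mean_his: per-dimension mean of the historical feature vectors (windows
    labelled abnormal are assumed to have been filtered out already)."""
    dims = len(vectors[0])
    return [sum(v[d] for v in vectors) / len(vectors) for d in range(dims)]


def history_distance(vectors, current):
    """s1: Euclidean distance between the detection-time vector and Mean_his."""
    mean = baseline_mean(vectors)
    return math.sqrt(sum((c - m) ** 2 for c, m in zip(current, mean)))


def victim_degree(count_blk):
    """s2 = log(count_blk). log(0) is undefined, so a host with no blacklisted
    peers is assigned 0 here (an assumption, not stated in the patent)."""
    return math.log(count_blk) if count_blk > 0 else 0.0


def min_max(values):
    """Standardise a population of values to [0, 1]; a constant population maps to 0."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {h: 0.0 for h in values}
    return {h: (v - lo) / (hi - lo) for h, v in values.items()}


def suspicion_scores(history, current, blacklist_hits, alpha=0.6):
    """Formula (3) as understood from the text: weighted sum of the
    standardised s1 and s2 with beta = 1 - alpha."""
    beta = 1.0 - alpha
    s1 = {h: history_distance(history[h], current[h]) for h in history}
    s2 = {h: victim_degree(blacklist_hits.get(h, 0)) for h in history}
    z1, z2 = min_max(s1), min_max(s2)
    return {h: alpha * z1[h] + beta * z2[h] for h in history}


if __name__ == "__main__":
    ranked = sorted(suspicion_scores(HISTORY, CURRENT, BLACKLIST_HITS).items(),
                    key=lambda kv: -kv[1])
    for host, score in ranked:
        print(f"{host}: suspicion score {score:.3f}")
```

With the constructed data, 10.0.0.5 has both the largest feature-space displacement and the most blacklisted peers and therefore receives the maximum score, while 10.0.0.8 sits exactly on its baseline and scores zero; the standardisation step is what makes the two differently scaled quantities comparable before weighting.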
A data distribution experiment on the host network behavior pattern deviation degree is given below.
The feature vectors of the host network behavior patterns of the protected enterprise and institution hosts at 11:00 on one day were randomly selected from the data set, and the data distribution was counted according to the deviation-degree calculation method for behavior patterns. Fig. 6 shows the deviation-degree data distribution of the host network behavior pattern, with statistics such as the maximum, minimum, mean and mode marked.
The experimental data show that, in the current network environment, server hosts whose actually monitored host network behavior pattern deviation degree is below 4 account for 98.65% or more; similarly, 17 days of data were randomly selected, and the results show that the network behavior pattern deviation values of most hosts are essentially steady. Observing the deviation degree of normal host network behavior patterns in other time periods over many experiments, the data distribution of the deviation degree always concentrates in a relatively fixed range, so a threshold for anomaly judgement can be set on this basis.
Fig. 7 and Fig. 8 show the test experiments on host network behavior pattern anomalies. First, the multidimensional feature values of the server behavior pattern for the set time window are counted from the network flow data. Then the deviation values are calculated per time window and outliers are excluded by the Grubbs test, forming the deviation degree of one day's host network behavior pattern, as shown in Fig. 7.
Next, the deviation central tendency of each host's network behavior pattern is obtained and the deviation threshold of the time window is set.
Then, using the network flow data, the multidimensional feature values of the host network behavior pattern for the set time window at detection time are counted, and the deviation value of every monitored host is calculated per time window.
Finally, according to the time-window deviation threshold of the host network behavior pattern calculated above, the state of the server host is judged to be normal or abnormal.
The data shown in Fig. 8 give the time-series curve of the anomalous deviation degree of a host's abnormal network behavior pattern over six days, intuitively showing the complete process of the host network behavior pattern deviation going from normal to abnormal and then back to normal. The dotted line in the figure represents the median of the overall data distribution, which matches the normal deviation range shown. The anomaly detected by the invention is that the host exhibits an unusual behavior pattern after malware is implanted; the network behavior does not affect the normal operation of the network and mainly manifests as the host continually trying to connect to remote hosts, with malicious data-leaking behavior breaking out in a later period, so discovering promptly and accurately that the host network behavior pattern deviates from normal behavior before serious network harm is caused is particularly important.
In summary, through a reasonable design the invention can effectively cope with novel threats and unknown anomalies, address the security protection needs of complex network environments with ever-emerging attacks that existing methods cannot adapt to, and solve the problems that training data for traditional anomaly detection methods is difficult to obtain and that anomaly detection systems adapt poorly. The scheme designed by the invention not only fits the trend of technological development well and achieves major innovation, but is also of great significance to server network security management.
Therefore, compared with the prior art, the invention has prominent substantive features and represents significant progress.
The above embodiment is only one of the preferred embodiments of the invention and should not be taken as limiting its protection scope; any change or refinement without essential significance that is made within the design idea and spirit of the invention, and that still solves technical problems consistent with the invention, should be included within the protection scope of the invention.
Claims (9)
1. A host network behavior pattern measurement method based on an attributed relational graph, characterized by comprising the following steps:
(1) collecting host network flow data;
(2) building an attributed relational graph for the host, the attributed relational graph comprising several columns of feature information arranged in any order, each distinct value in a column feature being a node;
(3) establishing connections between the nodes of adjacent column features according to the network connections between hosts, non-adjacent nodes not being connected, so that all of the host's network flow data is mapped into the attributed relational graph;
(4) at the end of each time window, extracting feature values from the nodes and features of the attributed relational graph, and representing the host network behavior pattern of the set time window as a baseline feature vector matrix with multidimensional feature values;
(5) calculating the host network behavior deviation value for the set time window and excluding outliers, to form the host network behavior deviation degree;
(6) obtaining the deviation central tendency of each host's network behavior pattern and setting the deviation threshold of the time window;
(7) according to the network flow data, counting the multidimensional feature values of the host network behavior pattern for the set time window at detection time and aggregating them to the host layer, to form the detection feature vector matrix;
(8) calculating the current network behavior deviation value of every monitored host for the set time window at detection time;
(9) according to the deviation threshold of the time window set in step (6), determining whether the deviation value calculated in step (8) lies within the deviation threshold, and thereby judging whether the host state is abnormal.
2. The host network behavior pattern measurement method based on an attributed relational graph according to claim 1, characterized in that in step (1) the host network flow data is collected as follows: the host network flow data is forwarded through a port-mirroring router to the server on which host anomaly detection is deployed.
3. The host network behavior pattern measurement method based on an attributed relational graph according to claim 1 or 2, characterized in that the tree-like relational graph comprises seven independent columns of feature information, arranged in the order: server IP address, protocol number, server port number, remote port number, remote IP address, byte count, time type.
4. The host network behavior pattern measurement method based on an attributed relational graph according to claim 3, characterized in that in step (3) the host network connections are divided, according to the communication pattern of the server in the actual scenario, into two kinds: active connection and passive response.
5. The host network behavior pattern measurement method based on an attributed relational graph according to claim 4, characterized in that in step (2) the protocol number and the server port number are 6 and 80 respectively; the byte count is divided into three nodes 0, 3 and 5; the time type is divided into two nodes 0 and 1.
6. The host network behavior pattern measurement method based on an attributed relational graph according to claim 5, characterized in that in step (4), when the byte count is extracted as a feature value, the number of distinct data values of the continuous-valued byte count must be reduced by a discretization method.
7. The host network behavior pattern measurement method based on an attributed relational graph according to claim 6, characterized in that the discretization method uses a binning method, specifically: the byte count is divided into 12 bins, bin1 to bin12; in bin_k the byte count of each packet is (2^(k-1), 2^k], where k is the bin index; in bin12 the byte count of each packet is (2^10, ∞).
8. The host network behavior pattern measurement method based on an attributed relational graph according to claim 6 or 7, characterized in that the host network behavior deviation value is calculated by the following formula:
In the formula, the historical suspicious degree term denotes the feature-space distance between the host's individual behavior profile at detection time and its historical behavior baseline, where Mean_his denotes the mean of the host's individual historical behavior baseline, IP_j denotes the j-th host and Td denotes the detection time; log(count_blk) denotes the victim suspicious degree, i.e. the number of hosts in remote communication with the server at detection time that are on IP blacklists, where count_blk denotes the number of blacklisted IP addresses; α and β are weights, with α + β = 1.
9. The host network behavior pattern measurement method based on an attributed relational graph according to claim 1, characterized in that in step (5) outliers are excluded according to the Grubbs test.
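The graph construction of claims 2 to 4 and the byte-count binning of claim 7, as an added Python example (not the patent's own code): flow records are loaded into the seven columns of claim 3, the byte count is discretised into bins before it becomes a node, nodes are the distinct values per column, and edges join only adjacent columns. The flow records, the placement of byte counts of 0 to 2 bytes in bin 1, the catch-all bin starting at 2^11 (the claim text prints its lower bound as 2^10, which would overlap bin 11), and the use of node and edge counts as the window's feature vector are assumptions.

```python
# Column order of the attributed relational graph as given in claim 3.
COLUMNS = ("server_ip", "protocol", "server_port", "remote_port",
           "remote_ip", "bytes_bin", "time_type")

# Constructed flow records for one monitored server (not data from the patent);
# documentation address ranges stand in for the remote hosts. Fields follow
# COLUMNS, with the raw byte count in position 5 and time type 0/1 as in claim 5.
FLOWS = [
    ("10.0.0.5", 6, 80, 51000, "203.0.113.10", 1500, 0),
    ("10.0.0.5", 6, 80, 51001, "203.0.113.10", 300, 0),
    ("10.0.0.5", 6, 80, 40022, "198.51.100.7", 5000, 1),
    ("10.0.0.5", 6, 443, 40023, "198.51.100.7", 60, 1),
    ("10.0.0.5", 6, 80, 51000, "203.0.113.10", 1500, 0),  # repeat of the first flow
]


def byte_bin(nbytes):
    """Claim 7 binning: bin k holds byte counts in (2^(k-1), 2^k] for k = 1..11.
    Assumptions not fixed by the claim text: 0, 1 and 2 bytes all fall into bin 1,
    and bin 12 is the catch-all for every count above 2^11."""
    if nbytes <= 2:
        return 1
    # (n - 1).bit_length() equals ceil(log2(n)) for integers n >= 2
    return min((nbytes - 1).bit_length(), 12)


def build_graph(flows):
    """Nodes: the distinct values per column. Edges: only between adjacent
    columns, one edge per (left value, right value) pair seen in a flow, so a
    repeated flow adds nothing and a non-adjacent pair is never connected."""
    nodes = [set() for _ in COLUMNS]
    edges = [set() for _ in range(len(COLUMNS) - 1)]
    for flow in flows:
        row = list(flow)
        row[5] = byte_bin(row[5])  # discretise before the value becomes a node
        for i, value in enumerate(row):
            nodes[i].add(value)
        for i in range(len(row) - 1):
            edges[i].add((row[i], row[i + 1]))
    return nodes, edges


def feature_vector(flows):
    """Window feature vector (assumption): node count per column followed by
    edge count per adjacent column pair, 13 values for the seven columns."""
    nodes, edges = build_graph(flows)
    return [len(s) for s in nodes] + [len(e) for e in edges]


if __name__ == "__main__":
    nodes, edges = build_graph(FLOWS)
    for name, values in zip(COLUMNS, nodes):
        print(f"{name}: {sorted(map(str, values))}")
    print("feature vector:", feature_vector(FLOWS))
```

Because edges exist only between adjacent columns, the same feature vector is produced regardless of how many times a flow repeats within the window; it changes only when a new value or a new adjacent-value pairing appears, which is what makes the per-window vectors comparable across days.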
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811105929.5A CN109040130B (en) | 2018-09-21 | 2018-09-21 | Method for measuring host network behavior pattern based on attribute relation graph |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040130A true CN109040130A (en) | 2018-12-18 |
CN109040130B CN109040130B (en) | 2020-12-22 |
Family
ID=64617495
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811105929.5A Active CN109040130B (en) | 2018-09-21 | 2018-09-21 | Method for measuring host network behavior pattern based on attribute relation graph |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040130B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111259088A (en) * | 2020-01-13 | 2020-06-09 | 中孚安全技术有限公司 | User network behavior audit modeling method based on portrait technology |
CN111756708A (en) * | 2020-06-09 | 2020-10-09 | 北京天空卫士网络安全技术有限公司 | Method and device for detecting directional threat attack |
EP3739475A1 (en) | 2019-05-17 | 2020-11-18 | Universitat Politécnica De Catalunya | A computer implemented method, a system and computer programs for anomaly detection using network analysis |
CN112437091A (en) * | 2020-11-30 | 2021-03-02 | 成都信息工程大学 | Abnormal flow detection method oriented to host community behaviors |
CN113162951A (en) * | 2021-05-20 | 2021-07-23 | 深信服科技股份有限公司 | Threat detection method, threat model generation method, threat detection device, threat model generation device, electronic equipment and storage medium |
CN113225349A (en) * | 2021-05-21 | 2021-08-06 | 中国工商银行股份有限公司 | Method and device for establishing malicious IP address threat intelligence library and preventing malicious attack |
CN113298345A (en) * | 2021-04-06 | 2021-08-24 | 杭州未名信科科技有限公司 | Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium |
CN115580486A (en) * | 2022-11-18 | 2023-01-06 | 宁波市镇海区大数据投资发展有限公司 | Network security sensing method and device based on big data |
CN111259088B (en) * | 2020-01-13 | 2024-04-26 | 中孚安全技术有限公司 | User network behavior audit modeling method based on portrait technology |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1460932A (en) * | 2003-06-18 | 2003-12-10 | 北京首信股份有限公司 | Hierarchial invasion detection system based on related characteristic cluster |
CN103095728A (en) * | 2013-02-07 | 2013-05-08 | 重庆大学 | Network security marking system based on behavioral data fusion and method |
CN104935570A (en) * | 2015-04-22 | 2015-09-23 | 电子科技大学 | Network flow connection behavior characteristic analysis method based on network flow connection graph |
CN105071985A (en) * | 2015-07-24 | 2015-11-18 | 四川大学 | Server network behavior description method |
CN107528734A (en) * | 2017-08-31 | 2017-12-29 | 叶晓鸣 | A kind of abnormal host group's detection method based on Dynamic Graph |
Events
- 2018-09-21 CN CN201811105929.5A patent/CN109040130B/en active Active
Non-Patent Citations (2)
Title |
---|
Hu Ruixiang, Ye Xiaoming et al.: "Abnormal traffic detection based on traffic behavior characteristics", Netinfo Security (信息网络安全) * |
Shao Guolin, Ye Xiaoming et al.: "Server network behavior description based on traffic structure stability: modeling and system", Journal of University of Electronic Science and Technology of China (电子科技大学学报) * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3739475A1 (en) | 2019-05-17 | 2020-11-18 | Universitat Politécnica De Catalunya | A computer implemented method, a system and computer programs for anomaly detection using network analysis |
CN111259088A (en) * | 2020-01-13 | 2020-06-09 | 中孚安全技术有限公司 | User network behavior audit modeling method based on portrait technology |
CN111259088B (en) * | 2020-01-13 | 2024-04-26 | 中孚安全技术有限公司 | User network behavior audit modeling method based on portrait technology |
CN111756708A (en) * | 2020-06-09 | 2020-10-09 | 北京天空卫士网络安全技术有限公司 | Method and device for detecting directional threat attack |
CN111756708B (en) * | 2020-06-09 | 2022-06-28 | 北京天空卫士网络安全技术有限公司 | Method and device for detecting directional threat attack |
CN112437091A (en) * | 2020-11-30 | 2021-03-02 | 成都信息工程大学 | Abnormal flow detection method oriented to host community behaviors |
CN112437091B (en) * | 2020-11-30 | 2021-09-21 | 成都信息工程大学 | Abnormal flow detection method oriented to host community behaviors |
CN113298345A (en) * | 2021-04-06 | 2021-08-24 | 杭州未名信科科技有限公司 | Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium |
CN113298345B (en) * | 2021-04-06 | 2022-11-18 | 杭州未名信科科技有限公司 | Abnormal behavior detection method, abnormal behavior detection device, electronic device and medium |
CN113162951A (en) * | 2021-05-20 | 2021-07-23 | 深信服科技股份有限公司 | Threat detection method, threat model generation method, threat detection device, threat model generation device, electronic equipment and storage medium |
CN113225349A (en) * | 2021-05-21 | 2021-08-06 | 中国工商银行股份有限公司 | Method and device for establishing malicious IP address threat intelligence library and preventing malicious attack |
CN115580486A (en) * | 2022-11-18 | 2023-01-06 | 宁波市镇海区大数据投资发展有限公司 | Network security sensing method and device based on big data |
Also Published As
Publication number | Publication date |
---|---|
CN109040130B (en) | 2020-12-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109040130A (en) | Mainframe network behavior pattern measure based on attributed relational graph | |
ES2945836T3 (en) | Systems and methods for the detection of behavioral threats | |
US10296739B2 (en) | Event correlation based on confidence factor | |
US10291637B1 (en) | Network anomaly detection and profiling | |
EP4033387A1 (en) | Cyber security | |
CN113079143A (en) | Flow data-based anomaly detection method and system | |
US20140165207A1 (en) | Method for detecting anomaly action within a computer network | |
Ye et al. | EWMA forecast of normal system activity for computer intrusion detection | |
CN105491055B (en) | A kind of network host accident detection method based on mobile agent | |
Lappas et al. | Data mining techniques for (network) intrusion detection systems | |
EP3742700B1 (en) | Method, product, and system for maintaining an ensemble of hierarchical machine learning models for detection of security risks and breaches in a network | |
Kholidy | Correlation‐based sequence alignment models for detecting masquerades in cloud computing | |
US20220083916A1 (en) | System and method for detecting and rectifying concept drift in federated learning | |
JP7389806B2 (en) | Systems and methods for behavioral threat detection | |
EP3329640A1 (en) | Network operation | |
Gomes et al. | Cryingjackpot: Network flows and performance counters against cryptojacking | |
Krügel et al. | Sparta: A Mobile Agent based Intrusion Detection System | |
Elekar | Combination of data mining techniques for intrusion detection system | |
JP6616045B2 (en) | Graph-based combination of heterogeneous alerts | |
Li et al. | A distributed intrusion detection model based on cloud theory | |
CN115085948B (en) | Network security situation assessment method based on improved D-S evidence theory | |
Bravo et al. | Distributed Denial of Service Attack Detection in Application Layer Based on User Behavior. | |
Kalutarage | Effective monitoring of slow suspicious activites on computer networks. | |
Bravo et al. | New Features of User's Behavior to Distributed Denial of Service Attacks Detection in Application Layer. | |
ES2949033T3 (en) | Systems and methods for detecting behavioral threats |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||