CN111092900A - Method and device for monitoring abnormal connection and scanning behavior of server - Google Patents


Info

Publication number: CN111092900A
Application number: CN201911348877.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111092900B (en)
Legal status: Granted; active
Inventors: 林皓, 朱志明, 余方和
Current assignees: Linkdood Technologies SdnBhd; Beijing VRV Software Corp Ltd
Original assignee (applicant): Linkdood Technologies SdnBhd
Prior art keywords: connection, abnormal, behavior, data record, scanning

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor


Abstract

The embodiment of the invention provides a method and a device for monitoring abnormal connection and scanning behaviors of a server, wherein the method comprises the following steps: capturing network session data of a central switch; storing the network session data into a distributed database in a data record mode, wherein one data record corresponds to one request or confirmation; extracting behavior data of each IP from data records in the distributed database, wherein the behavior data comprises the times of each connection behavior, the times of IP scanning and the times of port scanning; judging abnormal behaviors of each IP based on the behavior data, wherein the abnormal behaviors comprise abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning; and displaying the abnormal behaviors of the IPs. The method and the device provided by the embodiment of the invention can process a large amount of network session data, update the abnormal network behavior in real time and improve the monitoring efficiency of the abnormal network behavior.

Description

Method and device for monitoring abnormal connection and scanning behavior of server
Technical Field
The invention relates to the technical field of network monitoring, in particular to a method and a device for monitoring abnormal connection and scanning behaviors of a server.
Background
Network faults occur constantly and the throughput of a switch port fluctuates, so operations and maintenance personnel frequently face the following problem: users complain that intranet services respond slowly or that copying files is slow, or they suspect that the intranet is under a port-level traffic attack, but cannot promptly determine which machines originated it.
Malicious port traffic attacks consume a large share of server resources, so that normal processes are not serviced effectively and bandwidth is heavily occupied; to locate the abnormal attack source, servers are screened layer by layer with tools, which wastes time and labor. Monitoring the abnormal connection behavior of ports is not only a reference for operations and maintenance personnel when a fault occurs; more importantly, abnormal equipment can be tallied by time period, so that a solution can be found or the management of host ports strengthened.
Therefore, how to process a large volume of network traffic data, update the analysis results of a large volume of network session data in real time, and improve the efficiency of monitoring abnormal network behavior remains a problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiments of the invention provide a method and a device for monitoring abnormal connection and scanning behaviors of a server, which address the problems of the prior art that a large volume of network traffic cannot be processed, the analysis results of a large volume of network session data cannot be updated in real time, and the efficiency of monitoring abnormal network behavior is low.
In a first aspect, an embodiment of the present invention provides a method for monitoring abnormal connection and scanning behavior of a server, including:
capturing network session data of a central switch;
storing the network session data into a distributed database in a data record mode, wherein one data record corresponds to one request or confirmation;
extracting behavior data of each IP from data records in the distributed database, wherein the behavior data comprises the times of each connection behavior, the times of IP scanning and the times of port scanning;
judging abnormal behaviors of each IP based on the behavior data, wherein the abnormal behaviors comprise abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning;
and displaying the abnormal behaviors of the IPs.
Preferably, in the method, the connection behavior counts include an attempted connection count, a complete connection count, a half connection count, an active connection count and a passive connection count;
correspondingly, extracting the attempted connection count specifically includes:
judging that the type of the current data record is SYN, and thereby judging that the current data record corresponds to an attempted connection;
extracting the number of all attempted connections in unit time with the IP as the source IP;
extracting the complete connection count specifically includes:
judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and thereby judging that the current data record corresponds to a complete connection;
extracting the number of all complete connections in the unit time with the IP as the source IP;
extracting the half connection count specifically includes:
subtracting the number of all complete connections in unit time with the IP as the source IP from the number of all attempted connections in unit time with the IP as the source IP, to obtain the number of all half connections in unit time with the IP as the source IP;
extracting the active connection count specifically includes:
extracting the number of times the IP, as the source IP, connects to a plurality of target IPs in the unit time;
extracting the passive connection count specifically includes:
extracting the number of times the IP, as the target IP, is connected to by a plurality of source IPs in the unit time.
Preferably, in the method, judging the abnormal behaviors of each IP based on the behavior data, where the abnormal behaviors include abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning, specifically includes:
if the number of all half connections in unit time with the IP as the source IP is greater than a first threshold, judging that an abnormal half connection occurs on the IP;
if the number of times the IP, as the source IP, connects to a plurality of target IPs in the unit time is greater than a second threshold, judging that abnormal active connection occurs on the IP;
if the number of times the IP, as the target IP, is connected to by a plurality of source IPs in the unit time is greater than a third threshold, judging that abnormal passive connection occurs on the IP;
if the number of times the IP, as the source IP, connects to different IPs on the same port in the unit time is greater than a fourth threshold, judging that abnormal IP scanning occurs on the IP;
and if the number of times the IP, as the source IP, connects to different ports of the same IP in the unit time is greater than a fifth threshold, judging that abnormal port scanning occurs on the IP.
Preferably, in the method, storing the network session data into a distributed database as data records, where one data record corresponds to one request or confirmation, specifically includes:
extracting the information of each field of the network session data and storing it into the distributed database as data records;
one data record corresponds to one request or confirmation, and each data record comprises a type field, a seq sequence number field, an ack sequence number field, a source IP field, a target IP field, a source port field and a target port field;
correspondingly, judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and thereby judging that the current data record corresponds to one complete connection, specifically includes:
if the seq sequence number field of the current data record has the value J and its type is SYN, the data record whose ack sequence number field is J+1 has the seq sequence number value K and the type SYN,ACK, and the data record whose ack sequence number field is K+1 has the type ACK, judging that the current data record corresponds to one complete connection.
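The extraction of connection behavior counts described above, together with the seq/ack matching of the three-way handshake (SYN with seq J, SYN,ACK with ack J+1 and seq K, ACK with ack K+1), as an added worked example in Python that is not part of the patent. The Record dataclass, its ts timestamp field, the 3-minute unit time, the constructed sample records, and the reading of "active"/"passive" as all packets an IP sends/receives and of the scan counts as the largest number of distinct target IPs reached on one port (or distinct ports on one target IP) are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# One data record per request or confirmation, with the fields the patent lists
# (type, seq, ack, source IP, target IP, source port, target port). The ts
# field is an assumption of this example so records can be bucketed by unit time.
@dataclass(frozen=True)
class Record:
    ts: float       # seconds since capture start (assumed field)
    type: str       # "SYN", "SYN,ACK" or "ACK"
    seq: int
    ack: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

UNIT_TIME = 180.0   # 3-minute unit time, as in the patent's threshold examples


def complete_connections(records):
    """Return the SYN records that start a complete three-way handshake:
    a SYN with seq J, answered by a SYN,ACK with ack J+1 and seq K,
    followed by an ACK with ack K+1 on the same 4-tuple."""
    # SYN,ACK replies keyed by (server ip, server port, client ip, client port, ack) -> seq K
    synacks = {(r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.ack): r.seq
               for r in records if r.type == "SYN,ACK"}
    # final ACKs keyed by (client ip, client port, server ip, server port, ack)
    acks = {(r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.ack)
            for r in records if r.type == "ACK"}
    done = []
    for r in records:
        if r.type != "SYN":
            continue
        k = synacks.get((r.dst_ip, r.dst_port, r.src_ip, r.src_port, r.seq + 1))
        if k is not None and (r.src_ip, r.src_port, r.dst_ip, r.dst_port, k + 1) in acks:
            done.append(r)
    return done


def extract_behavior(records, unit_time=UNIT_TIME):
    """Behavior data per (window, ip): attempted, complete and half connection
    counts, active/passive packet counts, and IP-scan / port-scan counts."""
    windows = defaultdict(list)
    for r in records:
        windows[int(r.ts // unit_time)].append(r)

    behavior = {}
    for w, recs in sorted(windows.items()):
        counts = defaultdict(lambda: defaultdict(int))
        ip_targets = defaultdict(lambda: defaultdict(set))    # src -> dst port -> {dst ips}
        port_targets = defaultdict(lambda: defaultdict(set))  # src -> dst ip -> {dst ports}
        for r in recs:
            counts[r.src_ip]["active"] += 1     # packets this IP sent to other IPs
            counts[r.dst_ip]["passive"] += 1    # packets other IPs sent to this IP
            if r.type == "SYN":                 # a SYN is an attempted connection
                counts[r.src_ip]["attempted"] += 1
                ip_targets[r.src_ip][r.dst_port].add(r.dst_ip)
                port_targets[r.src_ip][r.dst_ip].add(r.dst_port)
        for syn in complete_connections(recs):
            counts[syn.src_ip]["complete"] += 1
        for ip, c in counts.items():
            behavior[(w, ip)] = {
                "attempted": c["attempted"],
                "complete": c["complete"],
                "half": c["attempted"] - c["complete"],   # attempted but never completed
                "active": c["active"],
                "passive": c["passive"],
                # different IPs reached on one port / different ports reached on one IP
                "ip_scan": max((len(s) for s in ip_targets[ip].values()), default=0),
                "port_scan": max((len(s) for s in port_targets[ip].values()), default=0),
            }
    return behavior


# Constructed sample records (not from the patent): one full handshake from
# 10.0.0.2 to 10.0.0.1:80, then 10.0.0.9 sending unanswered SYNs to port 22 on
# five hosts and to two more ports on 10.0.0.1.
SAMPLE = [
    Record(1.0, "SYN",     1000, 0,    "10.0.0.2", "10.0.0.1", 40001, 80),
    Record(1.1, "SYN,ACK", 5000, 1001, "10.0.0.1", "10.0.0.2", 80, 40001),
    Record(1.2, "ACK",     1001, 5001, "10.0.0.2", "10.0.0.1", 40001, 80),
    Record(2.0, "SYN", 7000, 0, "10.0.0.9", "10.0.0.1", 50001, 22),
    Record(2.1, "SYN", 7001, 0, "10.0.0.9", "10.0.0.3", 50002, 22),
    Record(2.2, "SYN", 7002, 0, "10.0.0.9", "10.0.0.4", 50003, 22),
    Record(2.3, "SYN", 7003, 0, "10.0.0.9", "10.0.0.5", 50004, 22),
    Record(2.4, "SYN", 7004, 0, "10.0.0.9", "10.0.0.6", 50005, 22),
    Record(3.0, "SYN", 7005, 0, "10.0.0.9", "10.0.0.1", 50006, 443),
    Record(3.1, "SYN", 7006, 0, "10.0.0.9", "10.0.0.1", 50007, 3306),
]

if __name__ == "__main__":
    for key, data in extract_behavior(SAMPLE).items():
        print(key, data)
```

On the constructed records, 10.0.0.9 ends the window with 7 attempted and 0 complete connections (7 half connections), 5 different IPs on port 22 and 3 different ports on 10.0.0.1, while 10.0.0.2 shows one attempted and one complete connection. The handshake matcher keys replies by the full 4-tuple plus acknowledgement number, so an unrelated ACK with a coincidentally matching number on another connection is not counted.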
Preferably, in the method, the distributed database is an ES library.
In a second aspect, an embodiment of the present invention provides a device for monitoring abnormal connection and scanning behavior of a server, including:
the packet capturing unit is used for capturing network session data of the central switch;
the storage unit is used for storing the network session data into a distributed database in a data record mode, wherein one data record corresponds to one request or confirmation;
the extraction unit is used for extracting behavior data of each IP from data records in the distributed database, wherein the behavior data comprises the times of each connection behavior, the times of IP scanning and the times of port scanning;
a determining unit, configured to determine abnormal behaviors of each IP based on the behavior data, where the abnormal behaviors include abnormal half-connection, abnormal active connection, abnormal passive connection, abnormal IP scanning, and abnormal port scanning;
and the display unit is used for displaying the abnormal behaviors of the IPs.
Preferably, in the apparatus, the connection behavior counts include an attempted connection count, a complete connection count, a half connection count, an active connection count and a passive connection count;
correspondingly, extracting the attempted connection count specifically includes:
judging that the type of the current data record is SYN, and thereby judging that the current data record corresponds to an attempted connection;
extracting the number of all attempted connections in unit time with the IP as the source IP;
extracting the complete connection count specifically includes:
judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and thereby judging that the current data record corresponds to a complete connection;
extracting the number of all complete connections in the unit time with the IP as the source IP;
extracting the half connection count specifically includes:
subtracting the number of all complete connections in unit time with the IP as the source IP from the number of all attempted connections in unit time with the IP as the source IP, to obtain the number of all half connections in unit time with the IP as the source IP;
extracting the active connection count specifically includes:
extracting the number of times the IP, as the source IP, connects to a plurality of target IPs in the unit time;
extracting the passive connection count specifically includes:
extracting the number of times the IP, as the target IP, is connected to by a plurality of source IPs in the unit time.
Preferably, in the apparatus, the determining unit is specifically configured to:
if the number of all half connections in unit time with the IP as the source IP is greater than a first threshold, judge that an abnormal half connection occurs on the IP;
if the number of times the IP, as the source IP, connects to a plurality of target IPs in the unit time is greater than a second threshold, judge that abnormal active connection occurs on the IP;
if the number of times the IP, as the target IP, is connected to by a plurality of source IPs in the unit time is greater than a third threshold, judge that abnormal passive connection occurs on the IP;
if the number of times the IP, as the source IP, connects to different IPs on the same port in the unit time is greater than a fourth threshold, judge that abnormal IP scanning occurs on the IP;
and if the number of times the IP, as the source IP, connects to different ports of the same IP in the unit time is greater than a fifth threshold, judge that abnormal port scanning occurs on the IP.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the method for monitoring abnormal connection and scanning behavior of a server according to the first aspect when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for monitoring abnormal connection and scanning behavior of a server as provided in the first aspect.
The embodiments of the invention provide a method and a device for monitoring abnormal connection and scanning behaviors of a server, in which the captured network session data is stored in a distributed database, so that a large amount of network session data can be stored; the count of each connection behavior, the IP scanning count and the port scanning count of each IP are extracted from the data records in the distributed database, the abnormal behaviors of each IP (abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning) are judged from that behavior data, and the result is displayed, so that the network session data is analyzed and abnormal network behavior is updated in real time. The method and device for monitoring abnormal connection and scanning behavior of a server provided by the embodiments of the invention can therefore process a large amount of network session data, update abnormal network behavior in real time, and improve the efficiency of monitoring abnormal network behavior.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, a brief description will be given below of the drawings required for the embodiments or the technical solutions in the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for monitoring abnormal connection and scanning behavior of a server according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a network connection structure according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a monitoring apparatus for server abnormal connection and scanning behavior according to an embodiment of the present invention;
Fig. 4 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive effort based on the embodiments of the present invention, are within the scope of the present invention.
The existing network monitoring method generally has the problem that a large amount of real-time network session data is difficult to process, and the network monitoring efficiency is low. Therefore, the embodiment of the invention provides a method for monitoring abnormal connection and scanning behavior of a server. Fig. 1 is a schematic flowchart of a method for monitoring abnormal connection and scanning behavior of a server according to an embodiment of the present invention, where as shown in fig. 1, the method includes:
Step 110, capturing network session data of the central switch.
Specifically, the network session data of the central switch is captured by deploying a packet capture program. All network session data of the PCs attached to the switches connected to the central switch can be captured at a port of the central switch. Fig. 2 is a schematic diagram of a network connection structure according to an embodiment of the present invention; as shown in Fig. 2, the central switch is connected to a plurality of switches, and each switch connected to the central switch is in turn connected to a plurality of PCs. Capturing packets at a port of the central switch therefore yields the network session data of all PCs directly or indirectly connected to it.
Step 120, storing the network session data into a distributed database in the form of data records, wherein one data record corresponds to one request or confirmation.
Specifically, the captured network session data is stored in a distributed database as data records. Because the data stream is huge, a distributed database is used; common distributed databases include an ES (Elasticsearch) library and an HDFS (Hadoop Distributed File System) library, and the choice is not specifically limited herein. Each data record corresponds to one request or confirmation and carries the attributes of that record, such as its type, the protocol used, the source IP, source port, target IP, target port and so on.
Step 130, extracting behavior data of each IP from the data records in the distributed database, where the behavior data includes the number of times of each connection behavior, the number of times of IP scanning, and the number of times of port scanning.
Specifically, analyzing the data records in the distributed database generally requires deploying an analysis program, preferably a Spark big-data analysis program. The behavior data of each IP is extracted during analysis; it includes the count of each connection behavior, the IP scanning count and the port scanning count. Extraction is performed in real time, and the behavior data is tallied once per unit time, including the count of each connection behavior in that unit time, for example the active connection count, the passive connection count, the attempted connection count, the complete connection count and the half connection count, where a half connection is an attempted connection that did not become a complete connection, so the half connection count is the difference between the attempted connection count and the complete connection count.
Step 140, judging the abnormal behaviors of each IP based on the behavior data, wherein the abnormal behaviors comprise abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning.
Specifically, after the analysis program obtains the behavior data, the abnormal behavior of each IP is judged: normally a threshold is set for each kind of behavior data, and abnormal behavior is judged when the corresponding value exceeds its threshold.
Step 150, displaying the abnormal behaviors of the IPs.
Specifically, after the abnormal behavior of each IP is obtained, the abnormal behavior is output as the analysis result to a database, preferably a MySQL database, and the abnormal behavior in that database is then displayed, usually through a visual interface for operations and maintenance personnel to view.
The method for monitoring abnormal connection and scanning behavior of a server provided by the embodiment of the invention stores the captured network session data in a distributed database, so that a large amount of network session data can be stored; the count of each connection behavior, the IP scanning count and the port scanning count of each IP are extracted from the data records in the distributed database, the abnormal behaviors of each IP (abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning) are judged from that behavior data, and the result is displayed, so that the network session data is analyzed and abnormal network behavior is updated in real time. The method provided by the embodiment of the invention can therefore process a large amount of network session data, update abnormal network behavior in real time, and improve the efficiency of monitoring abnormal network behavior.
Based on the above embodiment, in the method, the connection behavior counts include an attempted connection count, a complete connection count, a half connection count, an active connection count and a passive connection count;
correspondingly, extracting the attempted connection count specifically includes:
judging that the type of the current data record is SYN, and thereby judging that the current data record corresponds to an attempted connection;
extracting the number of all attempted connections in unit time with the IP as the source IP;
extracting the complete connection count specifically includes:
judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and thereby judging that the current data record corresponds to a complete connection;
extracting the number of all complete connections in the unit time with the IP as the source IP;
extracting the half connection count specifically includes:
subtracting the number of all complete connections in unit time with the IP as the source IP from the number of all attempted connections in unit time with the IP as the source IP, to obtain the number of all half connections in unit time with the IP as the source IP;
extracting the active connection count specifically includes:
extracting the number of times the IP, as the source IP, connects to a plurality of target IPs in the unit time;
extracting the passive connection count specifically includes:
extracting the number of times the IP, as the target IP, is connected to by a plurality of source IPs in the unit time.
Specifically, the connection behaviors include attempted connection, complete connection, half connection, active connection and passive connection. If the type of a record is SYN, the source IP has sent a connection request packet to the target IP, and an attempted connection is judged. A complete connection is likewise judged from the record types, but because one complete TCP connection consists of a three-way handshake, it must be judged that the current record is SYN, the next record is SYN,ACK and the record after that is ACK; that is, the first packet requests establishment of the connection, the second acknowledges the request and confirms establishment, and the third sends the final confirmation, and only then is the behavior judged to be one complete connection. The half connection count is obtained by subtracting the complete connection count from the attempted connection count in the unit time. An active connection is the behavior of the IP, as the source IP, sending packets to other, different IPs; a passive connection is the behavior of the IP, as the target IP, being sent packets by other, different IPs. Determining the count of each connection behavior means determining, once per unit time, the attempted connection count, the complete connection count, the half connection count, the active connection count and the passive connection count.
Based on any of the above embodiments, in the method, judging the abnormal behaviors of each IP based on the behavior data, where the abnormal behaviors include abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning, specifically includes:
if the number of all half connections in unit time with the IP as the source IP is greater than a first threshold, judging that an abnormal half connection occurs on the IP;
if the number of times the IP, as the source IP, connects to a plurality of target IPs in the unit time is greater than a second threshold, judging that abnormal active connection occurs on the IP;
if the number of times the IP, as the target IP, is connected to by a plurality of source IPs in the unit time is greater than a third threshold, judging that abnormal passive connection occurs on the IP;
if the number of times the IP, as the source IP, connects to different IPs on the same port in the unit time is greater than a fourth threshold, judging that abnormal IP scanning occurs on the IP;
and if the number of times the IP, as the source IP, connects to different ports of the same IP in the unit time is greater than a fifth threshold, judging that abnormal port scanning occurs on the IP.
Specifically, an abnormal half connection is judged as follows: if the number of all half connections in a unit time with the IP as the source IP is greater than a first threshold, it is judged that an abnormal half connection occurs on the IP. For example, if the number of half connections exceeds 300 within 3 minutes (the value may be adjusted as required), an abnormal half connection is considered to occur; an abnormal half connection indicates that a DDoS attack or flooding attack may be under way, with a large number of connection requests receiving no response. Abnormal active connection is judged as follows: if the number of times the IP, as the source IP, connects to a plurality of target IPs in the unit time is greater than a second threshold, it is judged that abnormal active connection occurs on the IP. For example, if the number of times the source IP connects to multiple target IPs exceeds 600 within 3 minutes (the value may be adjusted as required), abnormal active connection is considered to occur, which indicates that a DDoS attack or flooding attack may be under way. Abnormal passive connection is judged as follows: if the number of times the IP, as the target IP, is connected to by a plurality of source IPs in the unit time is greater than a third threshold, it is judged that abnormal passive connection occurs on the IP. For example, if the number of times an IP, as the target IP, is connected to by multiple source IPs exceeds 600 within 3 minutes (the value may be adjusted as required), abnormal passive connection is considered to occur, which indicates that a DDoS attack or flooding attack may be under way.
Abnormal IP scanning is judged as follows: if the number of times the IP, as the source IP, connects to different IPs on the same port in the unit time is greater than a fourth threshold, it is judged that abnormal IP scanning occurs on the IP. For example, if a source IP sends probe packets to different IPs on the same target port within 3 minutes, and the number of probe packets to different IPs on that port exceeds 100 (the value may be adjusted and configured as required), the source IP is judged to show abnormal IP scanning behavior. Abnormal port scanning is judged as follows: if the number of times the IP, as the source IP, connects to different ports of the same IP in the unit time is greater than a fifth threshold, it is judged that abnormal port scanning occurs on the IP. For example, if a source IP sends probe packets to different ports of the same target IP within 3 minutes, and the number of probe packets to different ports of that IP exceeds 100 (the value may be adjusted and configured as required), the source IP is judged to show abnormal port scanning behavior.
Based on any of the above embodiments, in the method, the storing the network session data into a distributed database in the form of data records, where one data record corresponds to one request or confirmation, specifically includes:
extracting information of each field of the network session data, and storing the information into a distributed database in a data record form;
one data record corresponds to one request or confirmation, and each data record comprises a type field, a seq sequence number field, an ack sequence number field, a source IP field, a target IP field, a source port field and a target port field;
correspondingly, the judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and that the current data record therefore corresponds to a one-time complete connection behavior, specifically includes:
if the value of the seq sequence number field of the current data record is J and its type is SYN, the data record whose ack sequence number field has the value J+1 has a seq sequence number field with the value K and the type SYN,ACK, and the data record whose ack sequence number field has the value K+1 has the type ACK, judging that the current data record corresponds to a one-time complete connection behavior.
Specifically, storing the network session data in the form of data records means extracting the information in the fields belonging to each data record and storing it. Table 1 shows the field information contained in each piece of network session data; as shown in Table 1, each piece of session data includes fields such as source IP, source port, destination IP, destination port, protocol type and flag bit. Table 2 describes the flag bits; as shown in Table 2, different values of the flag bit represent different connection types, namely SYN, SYN,ACK and ACK. The fields stored in the data record are a type field (i.e. the flag bit in Table 1), a seq sequence number field, an ack sequence number field, a source IP field, a destination IP field, a source port field and a destination port field.
Table 1 Fields of each network session data record
Field        Type    Description
srcIp        string  Source IP address
srcPort      int     Source port
dstIp        string  Destination IP address
dstPort      int     Destination port
protocol     string  Protocol type
flag         string  Flag bit
frameLength  int     Frame length
dataLength   int     Application data length
seq          string  Sequence number
nxtseq       string  Next sequence number
ack          string  Acknowledgement number
datetime     string  Packet capture time
Table 2 Description of the flag bits
(Table 2 is an image in the original and is not reproduced in the extracted text; it lists the flag bit values for the SYN, SYN,ACK and ACK connection types.)
When judging complete connection behavior, the judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and that the current data record therefore corresponds to a one-time complete connection behavior, specifically includes the following steps: if the type of the current data record is SYN and its seq sequence number field has the value J, the data records after the current data record are searched for one whose ack sequence number field has the value J+1; this record must be of type SYN,ACK, and the value of its seq sequence number field is noted as K. The records after it are then searched for one whose ack sequence number field has the value K+1, and that record must be of type ACK. When all of the above conditions are satisfied, it can be determined that the current data record corresponds to a one-time complete connection behavior.
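As an added example that is not part of the patent, the following Python code implements the behavior extraction and threshold judgement described above over constructed data records carrying the fields of Table 1: handshake matching by seq/ack values (J, J+1, K, K+1), the half-connection count as attempted minus complete connections, the active, passive, IP-scan and port-scan counts over a 3-minute unit time, and the five thresholds. Requiring the SYN,ACK and ACK to belong to the same address and port pair, counting only SYN records as connection attempts, and measuring scanning as the number of distinct IPs on one port or distinct ports on one IP are assumptions of this example, as are the sample addresses and the lowered demo thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Unit time and the five thresholds as stated in the description; all are adjustable.
UNIT_TIME = timedelta(minutes=3)
DEFAULT_THRESHOLDS = {"half": 300, "active": 600, "passive": 600,
                      "ip_scan": 100, "port_scan": 100}
LABELS = {"half": "abnormal half-connection", "active": "abnormal active connection",
          "passive": "abnormal passive connection", "ip_scan": "abnormal IP scanning",
          "port_scan": "abnormal port scanning"}
T0 = datetime(2019, 12, 24, 10, 0, 0)  # constructed capture start time
DEMO_THRESHOLDS = {"half": 5, "active": 5, "passive": 5, "ip_scan": 3, "port_scan": 3}


def record(typ, seq, ack, src, dst, sport, dport, t):
    """One data record with the fields the storage unit keeps (type = flag bit)."""
    return {"type": typ, "seq": seq, "ack": ack, "srcIp": src, "dstIp": dst,
            "srcPort": sport, "dstPort": dport, "datetime": t}


def complete_syn_indices(records):
    """Indices of SYN records that start a complete handshake:
    SYN(seq=J) -> later SYN,ACK(ack=J+1, seq=K) -> later ACK(ack=K+1).
    Also matching the address/port pair, not only seq/ack, is an added assumption."""
    done = set()
    for i, syn in enumerate(records):
        if syn["type"] != "SYN":
            continue
        j, k = syn["seq"], None
        fwd = (syn["srcIp"], syn["srcPort"], syn["dstIp"], syn["dstPort"])
        rev = (syn["dstIp"], syn["dstPort"], syn["srcIp"], syn["srcPort"])
        for later in records[i + 1:]:
            key = (later["srcIp"], later["srcPort"], later["dstIp"], later["dstPort"])
            if k is None:
                if later["type"] == "SYN,ACK" and later["ack"] == j + 1 and key == rev:
                    k = later["seq"]
            elif later["type"] == "ACK" and later["ack"] == k + 1 and key == fwd:
                done.add(i)
                break
    return done


def extract_behavior(records, window_start, unit_time=UNIT_TIME):
    """Behaviour data per IP over records dated in [window_start, window_start + unit_time)."""
    window = [r for r in records if window_start <= r["datetime"] < window_start + unit_time]
    done = complete_syn_indices(window)
    counts = defaultdict(lambda: {"attempts": 0, "complete": 0, "passive": 0})
    ips_per_port = defaultdict(lambda: defaultdict(set))  # src -> dstPort -> {dstIp}
    ports_per_ip = defaultdict(lambda: defaultdict(set))  # src -> dstIp -> {dstPort}
    for i, r in enumerate(window):
        if r["type"] != "SYN":
            continue  # only a SYN counts as a connection attempt (assumption)
        src, dst = r["srcIp"], r["dstIp"]
        counts[src]["attempts"] += 1
        counts[dst]["passive"] += 1
        if i in done:
            counts[src]["complete"] += 1
        ips_per_port[src][r["dstPort"]].add(dst)
        ports_per_ip[src][dst].add(r["dstPort"])
    return {ip: {
        "attempts": c["attempts"], "complete": c["complete"],
        "half": c["attempts"] - c["complete"],  # attempted minus complete
        "active": c["attempts"],                # connections initiated as source IP
        "passive": c["passive"],                # connections received as destination IP
        "ip_scan": max((len(s) for s in ips_per_port[ip].values()), default=0),
        "port_scan": max((len(s) for s in ports_per_ip[ip].values()), default=0),
    } for ip, c in counts.items()}


def judge_abnormal(behavior, thresholds=DEFAULT_THRESHOLDS):
    """Map each IP to the abnormal behaviours whose count exceeds the matching threshold."""
    return {ip: [LABELS[k] for k in LABELS if b[k] > thresholds[k]]
            for ip, b in behavior.items()}


def sample_records():
    """Constructed traffic: one normal handshake, one unanswered scanning host, one late SYN."""
    def at(sec):
        return T0 + timedelta(seconds=sec)
    recs = [  # complete handshake 10.0.0.7:40001 -> 10.0.0.9:80 with J=1000, K=5000
        record("SYN", 1000, 0, "10.0.0.7", "10.0.0.9", 40001, 80, at(0)),
        record("SYN,ACK", 5000, 1001, "10.0.0.9", "10.0.0.7", 80, 40001, at(1)),
        record("ACK", 1001, 5001, "10.0.0.7", "10.0.0.9", 40001, 80, at(2))]
    for n in range(1, 5):  # 10.0.0.5 sends SYN to port 22 on four hosts, none answer
        recs.append(record("SYN", 2000 + n, 0, "10.0.0.5", f"10.0.0.{n}", 50000 + n, 22, at(10 + n)))
    for p in range(1, 6):  # 10.0.0.5 sends SYN to five ports on 10.0.0.9, none answer
        recs.append(record("SYN", 3000 + p, 0, "10.0.0.5", "10.0.0.9", 51000 + p, p, at(20 + p)))
    # a SYN four minutes in falls outside the 3-minute unit time and is not counted
    recs.append(record("SYN", 4000, 0, "10.0.0.5", "10.0.0.9", 52000, 443, at(240)))
    return recs


if __name__ == "__main__":
    behavior = extract_behavior(sample_records(), T0)
    for ip, verdict in judge_abnormal(behavior, DEMO_THRESHOLDS).items():
        print(ip, behavior[ip], verdict or "normal")
```

With the description's default thresholds the same sample is judged normal for every IP; the lowered demo thresholds only make the small constructed sample trip the rules.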
Based on any of the above embodiments, in the method, the distributed database is an ES library.
Specifically, an ES (Elastic Search) library provides a distributed, multi-user full-text search engine that can store and process large volumes of data efficiently and quickly.
Based on any of the above embodiments, an embodiment of the present invention provides a monitoring apparatus for server abnormal connection and scanning behavior, and fig. 3 is a schematic structural diagram of the monitoring apparatus for server abnormal connection and scanning behavior provided in the embodiment of the present invention. As shown in fig. 3, the apparatus includes a packet capturing unit 310, a storage unit 320, an extraction unit 330, a determining unit 340 and a displaying unit 350, wherein
the packet capturing unit 310 is configured to capture network session data of a central switch;
the storage unit 320 is configured to store the network session data into a distributed database in the form of data records, where one data record corresponds to one request or one acknowledgement;
the extracting unit 330 is configured to extract behavior data of each IP from data records in the distributed database, where the behavior data includes a connection behavior frequency, an IP scanning frequency, and a port scanning frequency;
the determining unit 340 is configured to determine abnormal behaviors of each IP based on the behavior data, where the abnormal behaviors include abnormal half-connection, abnormal active connection, abnormal passive connection, abnormal IP scanning, and abnormal port scanning;
the displaying unit 350 is configured to display the abnormal behavior of each IP.
The monitoring device for server abnormal connection and scanning behavior provided by the embodiment of the invention stores the captured network session data in a distributed database, so that the distributed database can store a large amount of network session data; it extracts the various connection behavior times, IP scanning times and port scanning times of each IP from the data records in the distributed database, judges the abnormal behaviors of each IP according to the behavior data of each IP, the abnormal behaviors comprising abnormal half-connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning, and displays them, so that the network session data is analyzed and the network abnormal behavior is updated in real time. Therefore, the monitoring device for server abnormal connection and scanning behavior provided by the embodiment of the invention can process a large amount of network session data, update the network abnormal behavior in real time and improve the monitoring efficiency of network abnormal behavior.
Based on any of the above embodiments, in the apparatus, the connection behavior times include connection attempt times, complete connection behavior times, semi-connection behavior times, active connection times, and passive connection times;
correspondingly, the extracting of the number of attempted connection behaviors specifically includes:
if the type of the current data record is SYN, judging that the current data record corresponds to an attempted connection behavior;
extracting the IP as the number of times of all attempted connection behaviors of the source IP in unit time;
the extraction of the complete connection behavior times specifically comprises the following steps:
if the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, judging that the current data record corresponds to a complete connection behavior;
extracting the times of all complete connection behaviors of the IP as a source IP in the unit time;
the extraction of the number of the semi-connection behaviors specifically comprises the following steps:
calculating the difference between the number of all attempted connection behaviors of the IP as a source IP in the unit time and the number of all complete connection behaviors of the IP as a source IP in the unit time, to obtain the number of all half-connection behaviors of the IP as a source IP in the unit time;
the extraction of the active connection times specifically comprises the following steps:
extracting the number of times that the IP, as a source IP, connects to a plurality of destination IPs in the unit time;
the extraction of the passive connection times specifically comprises the following steps:
extracting the number of times that the IP, as a destination IP, is connected to by a plurality of source IPs in the unit time.
In the apparatus according to any of the above embodiments, the determination unit is specifically configured to,
if the number of all half-connection behaviors of the IP as a source IP in the unit time is larger than a first threshold, judging that abnormal half-connection occurs for the IP;
if the number of times that the IP, as a source IP, connects to a plurality of destination IPs in the unit time is larger than a second threshold, judging that abnormal active connection occurs for the IP;
if the number of times that the IP, as a destination IP, is connected to by a plurality of source IPs in the unit time is larger than a third threshold, judging that abnormal passive connection occurs for the IP;
if the number of times that the IP, as a source IP, connects to different IPs on the same port in the unit time is larger than a fourth threshold, judging that abnormal IP scanning occurs for the IP;
and if the number of times that the IP, as a source IP, connects to different ports of the same IP in the unit time is larger than a fifth threshold, judging that abnormal port scanning occurs for the IP.
In the apparatus according to any of the above embodiments, the storage unit is specifically configured to,
extracting information of each field of the network session data, and storing the information into a distributed database in a data record form;
one data record corresponds to one request or confirmation, and each data record comprises a type field, a sequence number field, a source IP field, a destination IP field, a source port field and a destination port field;
correspondingly, the judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and that the current data record therefore corresponds to a one-time complete connection behavior, specifically includes:
if the value of the seq sequence number field of the current data record is J and its type is SYN, the data record whose ack sequence number field has the value J+1 has a seq sequence number field with the value K and the type SYN,ACK, and the data record whose ack sequence number field has the value K+1 has the type ACK, judging that the current data record corresponds to a one-time complete connection behavior.
According to any one of the above embodiments, in the apparatus, the distributed database is an ES library.
Fig. 4 is a schematic entity structure diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 4, the electronic device may include a processor 401, a communication interface 402, a memory 403 and a communication bus 404, wherein the processor 401, the communication interface 402 and the memory 403 communicate with each other through the communication bus 404. The processor 401 may call a computer program stored in the memory 403 and executable on the processor 401 to perform the method for monitoring abnormal connection and scanning behavior of a server provided by the above embodiments, which for example includes: capturing network session data of a central switch; storing the network session data in a distributed database in the form of data records, wherein one data record corresponds to one request or confirmation; extracting behavior data of each IP from the data records in the distributed database, wherein the behavior data comprises the times of each connection behavior, the times of IP scanning and the times of port scanning; judging abnormal behaviors of each IP based on the behavior data, wherein the abnormal behaviors comprise abnormal half-connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning; and displaying the abnormal behaviors of the IPs.
In addition, the logic instructions in the memory 403 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
An embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, is implemented to perform the method for monitoring abnormal connection and scanning behavior of a server provided in the foregoing embodiments, for example, the method includes: capturing network session data of a central switch; storing the network session data into a distributed database in a data record mode, wherein one data record corresponds to one request or confirmation; extracting behavior data of each IP from data records in the distributed database, wherein the behavior data comprises the times of each connection behavior, the times of IP scanning and the times of port scanning; judging abnormal behaviors of each IP based on the behavior data, wherein the abnormal behaviors comprise abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning; and displaying the abnormal behaviors of the IPs.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the objectives of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for monitoring abnormal connection and scanning behavior of a server is characterized by comprising the following steps:
capturing network session data of a central switch;
storing the network session data into a distributed database in a data record mode, wherein one data record corresponds to one request or confirmation;
extracting behavior data of each IP from data records in the distributed database, wherein the behavior data comprises the times of each connection behavior, the times of IP scanning and the times of port scanning;
judging abnormal behaviors of each IP based on the behavior data, wherein the abnormal behaviors comprise abnormal half connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning;
and displaying the abnormal behaviors of the IPs.
2. The method for monitoring abnormal connection and scanning behavior of a server according to claim 1, wherein the connection behavior times include attempted connection behavior times, complete connection behavior times, semi-connection behavior times, active connection times and passive connection times;
correspondingly, the extracting of the number of attempted connection behaviors specifically includes:
if the type of the current data record is SYN, judging that the current data record corresponds to an attempted connection behavior;
extracting the IP as the number of times of all attempted connection behaviors of the source IP in unit time;
the extraction of the complete connection behavior times specifically comprises the following steps:
if the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, judging that the current data record corresponds to a complete connection behavior;
extracting the times of all complete connection behaviors of the IP as a source IP in the unit time;
the extraction of the number of the semi-connection behaviors specifically comprises the following steps:
calculating the difference between the number of all attempted connection behaviors of the IP as a source IP in the unit time and the number of all complete connection behaviors of the IP as a source IP in the unit time, to obtain the number of all half-connection behaviors of the IP as a source IP in the unit time;
the extraction of the active connection times specifically comprises the following steps:
extracting the number of times that the IP, as a source IP, connects to a plurality of target IPs in the unit time;
the extraction of the passive connection times specifically comprises the following steps:
extracting the number of times that the IP, as a target IP, is connected to by a plurality of source IPs in the unit time.
3. The method for monitoring abnormal connection and scanning behavior of a server according to claim 2, wherein the judging abnormal behaviors of each IP based on the behavior data, the abnormal behaviors comprising abnormal half-connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal port scanning, specifically comprises:
if the number of all half-connection behaviors of the IP as a source IP in the unit time is larger than a first threshold, judging that abnormal half-connection occurs for the IP;
if the number of times that the IP, as a source IP, connects to a plurality of target IPs in the unit time is larger than a second threshold, judging that abnormal active connection occurs for the IP;
if the number of times that the IP, as a target IP, is connected to by a plurality of source IPs in the unit time is larger than a third threshold, judging that abnormal passive connection occurs for the IP;
if the number of times that the IP, as a source IP, connects to different IPs on the same port in the unit time is larger than a fourth threshold, judging that abnormal IP scanning occurs for the IP;
and if the number of times that the IP, as a source IP, connects to different ports of the same IP in the unit time is larger than a fifth threshold, judging that abnormal port scanning occurs for the IP.
4. The method for monitoring abnormal connection and scanning behavior of a server according to claim 2, wherein the storing the network session data into a distributed database in the form of data records, wherein one data record corresponds to one request or confirmation, specifically comprises:
extracting information of each field of the network session data, and storing the information into a distributed database in a data record form;
one data record corresponds to one request or confirmation, and each data record comprises a type field, a seq sequence number field, an ack sequence number field, a source IP field, a target IP field, a source port field and a target port field;
correspondingly, the judging that the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, and that the current data record therefore corresponds to a one-time complete connection behavior, specifically comprises:
if the value of the seq sequence number field of the current data record is J and its type is SYN, the data record whose ack sequence number field has the value J+1 has a seq sequence number field with the value K and the type SYN,ACK, and the data record whose ack sequence number field has the value K+1 has the type ACK, judging that the current data record corresponds to a one-time complete connection behavior.
5. The method for monitoring abnormal connection and scanning behavior of a server according to any one of claims 1 to 4, wherein the distributed database is an ES library.
6. A device for monitoring abnormal connection and scanning behavior of a server, comprising:
the packet capturing unit is used for capturing network session data of the central switch;
the storage unit is used for storing the network session data into a distributed database in a data record mode, wherein one data record corresponds to one request or confirmation;
the extraction unit is used for extracting behavior data of each IP from data records in the distributed database, wherein the behavior data comprises the times of each connection behavior, the times of IP scanning and the times of port scanning;
a determining unit, configured to determine abnormal behaviors of each IP based on the behavior data, where the abnormal behaviors include abnormal half-connection, abnormal active connection, abnormal passive connection, abnormal IP scanning, and abnormal port scanning;
and the display unit is used for displaying the abnormal behaviors of the IPs.
7. The apparatus for monitoring abnormal connection and scanning behavior of a server according to claim 6, wherein the connection behavior times include attempted connection behavior times, complete connection behavior times, semi-connection behavior times, active connection times, and passive connection times;
correspondingly, the extracting of the number of attempted connection behaviors specifically includes:
if the type of the current data record is SYN, judging that the current data record corresponds to an attempted connection behavior;
extracting the IP as the number of times of all attempted connection behaviors of the source IP in unit time;
the extraction of the complete connection behavior times specifically comprises the following steps:
if the type of the current data record is SYN, the type of the next data record is SYN,ACK and the type of the data record after that is ACK, judging that the current data record corresponds to a complete connection behavior;
extracting the times of all complete connection behaviors of the IP as a source IP in the unit time;
the extraction of the number of the semi-connection behaviors specifically comprises the following steps:
calculating the difference between the number of all attempted connection behaviors of the IP as a source IP in the unit time and the number of all complete connection behaviors of the IP as a source IP in the unit time, to obtain the number of all half-connection behaviors of the IP as a source IP in the unit time;
the extraction of the active connection times specifically comprises the following steps:
extracting the number of times that the IP, as a source IP, connects to a plurality of target IPs in the unit time;
the extraction of the passive connection times specifically comprises the following steps:
extracting the number of times that the IP, as a target IP, is connected to by a plurality of source IPs in the unit time.
8. The apparatus for monitoring server abnormal connection and scanning behavior as claimed in claim 7, wherein the determining unit is specifically configured to,
if the number of all half-connection behaviors of the IP as a source IP in the unit time is larger than a first threshold, judging that abnormal half-connection occurs for the IP;
if the number of times that the IP, as a source IP, connects to a plurality of target IPs in the unit time is larger than a second threshold, judging that abnormal active connection occurs for the IP;
if the number of times that the IP, as a target IP, is connected to by a plurality of source IPs in the unit time is larger than a third threshold, judging that abnormal passive connection occurs for the IP;
if the number of times that the IP, as a source IP, connects to different IPs on the same port in the unit time is larger than a fourth threshold, judging that abnormal IP scanning occurs for the IP;
and if the number of times that the IP, as a source IP, connects to different ports of the same IP in the unit time is larger than a fifth threshold, judging that abnormal port scanning occurs for the IP.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method for monitoring abnormal connection and scanning behavior of a server according to any one of claims 1 to 5 when executing the program.
10. A non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the method for monitoring abnormal connection and scanning behavior of a server according to any one of claims 1 to 5.
CN201911348877.9A 2019-12-24 2019-12-24 Method and device for monitoring abnormal connection and scanning behavior of server Active CN111092900B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911348877.9A CN111092900B (en) 2019-12-24 2019-12-24 Method and device for monitoring abnormal connection and scanning behavior of server

Publications (2)

Publication Number Publication Date
CN111092900A true CN111092900A (en) 2020-05-01
CN111092900B CN111092900B (en) 2022-04-05

Family

ID=70396965

Country Status (1)

Country Link
CN (1) CN111092900B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112187775A (en) * 2020-09-23 2021-01-05 北京微步在线科技有限公司 Port scanning detection method and device
CN113141376A (en) * 2021-05-08 2021-07-20 四川英得赛克科技有限公司 Malicious IP scanning detection method and device, electronic equipment and storage medium
CN113542310A (en) * 2021-09-17 2021-10-22 上海观安信息技术股份有限公司 Network scanning detection method and device and computer storage medium
CN113645256A (en) * 2021-10-13 2021-11-12 成都数默科技有限公司 Aggregation method without reducing TCP session data value density
CN115567322A (en) * 2022-11-15 2023-01-03 成都数默科技有限公司 Method for identifying abnormal communication based on TCP service open port
CN115580486A (en) * 2022-11-18 2023-01-06 宁波市镇海区大数据投资发展有限公司 Network security sensing method and device based on big data

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008191839A (en) * 2007-02-02 2008-08-21 Hitachi Electronics Service Co Ltd Abnormality sign detection system
CN101729513A (en) * 2008-10-27 2010-06-09 成都市华为赛门铁克科技有限公司 Network authentication method and device
CN104660584A (en) * 2014-12-30 2015-05-27 赖洪昌 Trojan virus analysis technique based on network conversation
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
CN105207977A (en) * 2014-06-24 2015-12-30 阿里巴巴集团控股有限公司 TCP data packet processing method and device
CN105812200A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Abnormal behavior detection method and device
CN106685984A (en) * 2017-01-16 2017-05-17 东北大学 Network threat analysis system and method based on data pocket capture technology
CN107070888A (en) * 2017-03-09 2017-08-18 北京聚睿智能科技有限公司 Gateway security management method and equipment
US20180069885A1 (en) * 2016-09-06 2018-03-08 Accenture Global Solutions Limited Graph database analysis for network anomaly detection systems
CN110149343A (en) * 2019-05-31 2019-08-20 国家计算机网络与信息安全管理中心 A kind of abnormal communications and liaison behavioral value method and system based on stream

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008191839A (en) * 2007-02-02 2008-08-21 Hitachi Electronics Service Co Ltd Abnormality sign detection system
CN101729513A (en) * 2008-10-27 2010-06-09 成都市华为赛门铁克科技有限公司 Network authentication method and device
CN105207977A (en) * 2014-06-24 2015-12-30 阿里巴巴集团控股有限公司 TCP data packet processing method and device
CN104660584A (en) * 2014-12-30 2015-05-27 赖洪昌 Trojan virus analysis technique based on network conversation
CN105812200A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Abnormal behavior detection method and device
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
US20180069885A1 (en) * 2016-09-06 2018-03-08 Accenture Global Solutions Limited Graph database analysis for network anomaly detection systems
CN106685984A (en) * 2017-01-16 2017-05-17 东北大学 Network threat analysis system and method based on data packet capture technology
CN107070888A (en) * 2017-03-09 2017-08-18 北京聚睿智能科技有限公司 Gateway security management method and equipment
CN110149343A (en) * 2019-05-31 2019-08-20 国家计算机网络与信息安全管理中心 Flow-based abnormal communication behavior detection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
龚俭, 彭艳兵, 杨望, 刘卫江: "A Bloom-Filter-based method for reproducing the parameters of large-scale abnormal TCP connections", Journal of Software (软件学报) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112187775A (en) * 2020-09-23 2021-01-05 北京微步在线科技有限公司 Port scanning detection method and device
CN112187775B (en) * 2020-09-23 2021-09-03 北京微步在线科技有限公司 Port scanning detection method and device
CN113141376A (en) * 2021-05-08 2021-07-20 四川英得赛克科技有限公司 Malicious IP scanning detection method and device, electronic equipment and storage medium
CN113542310A (en) * 2021-09-17 2021-10-22 上海观安信息技术股份有限公司 Network scanning detection method and device and computer storage medium
CN113645256A (en) * 2021-10-13 2021-11-12 成都数默科技有限公司 Aggregation method without reducing TCP session data value density
CN115567322A (en) * 2022-11-15 2023-01-03 成都数默科技有限公司 Method for identifying abnormal communication based on TCP service open port
CN115580486A (en) * 2022-11-18 2023-01-06 宁波市镇海区大数据投资发展有限公司 Network security sensing method and device based on big data
CN115580486B (en) * 2022-11-18 2023-04-07 宁波市镇海区大数据投资发展有限公司 Network security sensing method and device based on big data

Also Published As

Publication number Publication date
CN111092900B (en) 2022-04-05

Similar Documents

Publication Publication Date Title
CN111092900B (en) Method and device for monitoring abnormal connection and scanning behavior of server
US10673874B2 (en) Method, apparatus, and device for detecting e-mail attack
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
US10505952B2 (en) Attack detection device, attack detection method, and attack detection program
US10686814B2 (en) Network anomaly detection
US8001601B2 (en) Method and apparatus for large-scale automated distributed denial of service attack detection
US10476897B2 (en) Method and apparatus for improving network security
CN109194680B (en) Network attack identification method, device and equipment
EP2661049B1 (en) System and method for malware detection
US10257213B2 (en) Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program
CN108521408B (en) Method and device for resisting network attack, computer equipment and storage medium
CN103428224B (en) Method and apparatus for intelligently defending against DDoS (Distributed Denial of Service) attacks
CN110417717B (en) Login behavior identification method and device
EP1919162A2 (en) Identification of potential network threats using a distributed threshold random walk
CN108270722B (en) Attack behavior detection method and device
US9800593B2 (en) Controller for software defined networking and method of detecting attacker
CN110266650B (en) Identification method of Conpot industrial control honeypot
US11108801B2 (en) Low-complexity detection of potential network anomalies using intermediate-stage processing
CN108259473A (en) Web server scan protection method
CN115664833B (en) Network hijacking detection method based on local area network safety equipment
Shomura et al. Analyzing the number of varieties in frequently found flows
CN115633359A (en) PFCP session security detection method, device, electronic equipment and storage medium
KR101587845B1 (en) Method for detecting distributed denial of service attacks and apparatus therefor
US10257093B2 (en) Information processing device, method, and medium
CN109889619B (en) Abnormal domain name monitoring method and device based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant