CN111600880A - Method, system, storage medium and terminal for detecting abnormal access behavior - Google Patents


Info

Publication number
CN111600880A
Authority
CN
China
Prior art keywords
access
detection model
terminal
behavior
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010406978.3A
Other languages
Chinese (zh)
Inventor
蒲大峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010406978.3A
Publication of CN111600880A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application provides a method for detecting abnormal access behaviors, comprising: recording an access relation set of the access behaviors of a terminal; inputting the access behavior characteristics of the access relation set into an access detection model, the access detection model being obtained by training on the access behavior characteristics in historical access data of the terminal; and determining, according to the output result of the access detection model, whether an access behavior in the access relation set is an abnormal access behavior. The method and the device can greatly reduce the potential safety hazards of the terminal and improve its safety performance. The application also provides a system for detecting abnormal access behavior, a computer-readable storage medium and a terminal, which have the same beneficial effects.

Description

Method, system, storage medium and terminal for detecting abnormal access behavior
Technical Field
The present application relates to the field of network security, and in particular, to a method and a system for detecting an abnormal access behavior, a computer-readable storage medium, and a terminal.
Background
At present, in a real penetration test or intrusion, a malicious attacker usually first needs to compromise a certain terminal in an intranet and use it as a springboard (pivot) machine for penetrating the intranet. Because an intranet often deploys more security equipment, and sensitive behaviors are easily discovered by that equipment, experienced malicious attackers often use covert methods for lateral movement within the intranet, employing unconventional attack methods, anti-virus evasion tools or even unpublished 0-day exploits in order to steal sensitive information, obtain higher privileges, install backdoor trojans or roam the intranet. Currently, the industry commonly uses intrusion detection equipment for intranet security detection, but such detection is generally based on traditional security detection rules, and unknown threats such as 0-days and evasion tools may bypass it. Secondly, traditional security detection can only detect certain network attack behaviors; malicious attackers performing intranet penetration often steal data over normal service traffic or forge normal access methods, so that the security equipment cannot detect them normally.
Therefore, how to improve the detection capability of the abnormal access behavior of the terminal is a technical problem that needs to be solved urgently by those skilled in the art.
Disclosure of Invention
The application aims to provide a method, a system, a computer-readable storage medium and a terminal for detecting abnormal access behaviors, which can effectively reduce false alarms in client-side traffic monitoring.
In order to solve the above technical problem, the present application provides a method for detecting an abnormal access behavior, which has the following specific technical scheme:
recording an access relation set of access behaviors of the terminal;
inputting the access behavior characteristics of the access relation set into an access detection model; the access detection model is obtained by training access behavior characteristics in historical access data of the terminal;
and determining whether the access behavior in the access relation set is an abnormal access behavior according to the output result of the access detection model.
Wherein, recording the access relation set of the access behaviors of the terminal comprises:
recording the access relation set of the access behaviors of the terminal when the terminal is attacked and/or the security level of the terminal changes.
acquiring the access behavior characteristics of each access behavior in the historical access data within a preset time range; the access behavior characteristics comprise one or any combination of access time, access network characteristics and access frequency, and the access network characteristics comprise one or any combination of destination IP, destination port, communication protocol, uplink traffic and downlink traffic;
and performing cluster training on the access behavior characteristics to obtain the access detection model.
Optionally, a normal access feature set and an abnormal access feature set are learned in advance in the access detection model;
the determining whether the access behavior in the access relationship set is an abnormal access behavior according to the output result of the access detection model includes:
calculating a first distance between the access behavior feature in the access relationship set and the normal access feature set;
calculating a second distance between the access behavior feature in the access relationship set and the abnormal access feature set;
and if the first distance is greater than the second distance, the access behavior in the access relation set is abnormal access behavior.
Optionally, the access detection model includes a black traffic detection model and a white traffic detection model, and inputting the access behavior characteristics of the access relation set into the access detection model includes:
inputting the access behavior characteristics of the access relation set into the black traffic detection model to obtain a black traffic detection result;
and if the black traffic detection result is normal, inputting the access behavior characteristics of the access relation set into the white traffic detection model.
After determining the abnormal access behavior in the access relationship set according to the output result of the access detection model, the method further includes:
and determining an attack chain according to all abnormal access behaviors, and performing network attack protection by using the attack chain.
Wherein, the method further includes:
optimizing the access detection model by using a second access detection model of the second terminal to obtain an optimized access detection model;
and replacing the access detection model with the optimized access detection model to detect abnormal access behaviors.
The application also provides a system for detecting the abnormal access behavior, which has the following specific technical scheme:
the recording module is used for recording an access relation set of the access behavior of the terminal;
the data input module is used for inputting the access behavior characteristics of the access relation set into an access detection model; the access detection model is obtained by training access behavior characteristics in historical access data of the terminal;
and the abnormal detection module is used for determining whether the access behaviors in the access relation set are abnormal access behaviors or not according to the output result of the access detection model.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method as set forth above.
The present application further provides a terminal, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the method when calling the computer program in the memory.
The application provides a method for detecting abnormal access behaviors, which comprises the following steps: recording an access relation set of access behaviors of the terminal; inputting the access behavior characteristics of the access relation set into an access detection model; the access detection model is obtained by training access behavior characteristics in historical access data of the terminal; and determining whether the access behavior in the access relation set is an abnormal access behavior according to the output result of the access detection model.
According to the method and the device, when the security level of the terminal changes, the access relation set of the current terminal is detected by using the access detection model, so that abnormal access behaviors in the access relation set are determined. The access detection model is obtained by training on the access behavior characteristics in historical access data of the terminal; with a model obtained by analyzing the historical access data, network attacks that are difficult for intrusion detection equipment to detect can be detected accurately, so that the potential safety hazards of the terminal are greatly reduced and its safety performance is improved. The application also provides a system for detecting abnormal access behavior, a computer-readable storage medium and a terminal, which have the same beneficial effects and are not described here again.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a method for detecting an abnormal access behavior according to an embodiment of the present application;
fig. 2 is a schematic diagram illustrating a distinction between a normal access behavior and an abnormal access behavior provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a system for detecting an abnormal access behavior according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, intrusion detection equipment is generally adopted in the industry, that is, detection equipment is connected to the terminal for detection; however, intrusion detection equipment can only detect some obvious network attacks, while inconspicuous network attacks, such as data theft over normal traffic and forged access behaviors, are difficult to discover. Therefore, the application provides an effective abnormal access behavior detection method, with the following specific process:
referring to fig. 1, fig. 1 is a flowchart of a method for detecting an abnormal access behavior according to an embodiment of the present application, where the method includes the following specific steps:
S101: recording an access relation set of access behaviors of the terminal;
this step is intended to record the set of access relationships of the terminal.
There is no specific limitation on when the access relationship set is recorded, and the access relationship set of the current terminal may be recorded when the terminal is attacked or when the security level of the terminal changes.
It is easy to understand that each terminal in the terminal cluster has a corresponding security status identifier, which indicates whether the terminal is secure or its specific security level. The specific way of dividing the security levels is not limited; it may be a two-level, three-level or even multi-level division. Whether the security level changes can be judged continuously. If the security level changes, there are only two possibilities: a change from the current level to a more dangerous level, or from the current level to a safer level. It is easy to understand that abnormal behavior detection is required when the terminal changes to a more dangerous level; but when the terminal changes to a safer level, the terminal is not necessarily in a genuinely safe state. Since a malicious attacker can nowadays forge normal access behavior, once a terminal changes from its current level to a safer level because of such pseudo-normal access behavior, the terminal has in fact been infiltrated more seriously. For example, suppose the number of access behaviors of a certain terminal per unit time is N. When an attacker forges normal access behavior, a large amount of terminal data needs to be acquired, so the number of access behaviors per unit time rises sharply to N + M; the access behavior disguised by the attacker cannot be detected by conventional detection rules and is still regarded as normal access, but because the number of normal accesses per unit time has risen, the security level of the terminal is raised to a safer level, the monitoring strength for that terminal may even be reduced, and the attacker's penetration of the terminal becomes harder to discover. Therefore, whenever the security level changes, an access relation set of the access behaviors of the terminal must be recorded.
When the terminal is attacked, the security of the terminal is obviously threatened, and then the terminal needs to be detected at this time.
This step is intended to record an access relation set when the security level of the terminal changes. The access relation set refers to the set of access behaviors in which the terminal performs network communication with other terminals, network devices or hosts. Each access behavior mainly includes access time, access network characteristics and access frequency, and the access network characteristics may include parameters such as destination IP, destination port, communication protocol, uplink traffic and downlink traffic. It should be noted that access behaviors with the same destination IP, destination port and communication protocol but different access times are recorded as repeated accesses, i.e. their access count is accumulated. The number of accesses is usually counted per unit time; the unit time is not limited herein and may usually be 24 hours, and those skilled in the art may of course choose other settings according to the actual attack level of each terminal in order to calculate the number of accesses.
S102: inputting the access behavior characteristics of the access relation set into an access detection model;
in this step, the recorded access relation set needs to be input into the access detection model, and the detection result is output by the access detection model.
It is easily understood that, in the embodiments of the present application, it is assumed by default that the access detection model has been established before this step. The access detection model is obtained by training on the access behavior characteristics in historical access data of the terminal. How the historical access data are obtained and selected is not limited. The historical access data may be only the historical access data of this terminal, or the historical access data of all terminals in the whole intranet or local area network. When the historical access data used to generate the access detection model come from the terminal itself, the generated access detection model is more specific to the abnormal access behavior of that terminal and the detection efficiency is higher. The preset time range is not specifically limited herein; data of the terminal over a past period, for example 30 or 60 days, may be acquired as the historical access data. The access behavior characteristics of each access behavior in the historical access data are then determined; they mainly comprise access time, access network characteristics and access frequency, and the access network characteristics may comprise one or any combination of destination IP, destination port, communication protocol, uplink traffic and downlink traffic.
Regarding the access time, an access behavior that does not fall within the daily access time period is regarded as abnormal and attributed to the abnormal access set. For example, when the normal access behaviors of the terminal all occur in the daytime, an access behavior occurring late at night is regarded as an abnormal access behavior and added to the abnormal access set.
Regarding the destination IP and destination port, an access behavior whose destination IP or destination port does not appear in the list of destination IPs and destination ports that the terminal has previously accessed is regarded as an abnormal access behavior. In other words, access behaviors to a strange destination IP or a strange destination port can be attributed to the abnormal access set.
Regarding the communication protocol, regarding the access behaviors of the same destination IP and the same destination port, the communication protocol does not usually change with the increase of the access times, and once the change occurs, the access behavior can be regarded as abnormal access behavior.
For the access frequency, the access frequency between two hosts is generally stable, namely, a change interval exists, the access frequency fluctuates in the change interval, and once the access frequency exceeds the change interval, namely, the access frequency is abnormal, the abnormal access behavior can be considered to exist.
For the uplink traffic size and the downlink traffic size, since an attacker usually needs to acquire data from an attacked terminal, the downlink traffic size of the abnormal access behavior is greatly increased compared with the conventional secure access behavior, and therefore, the downlink traffic size can be used as an important reference for the abnormal access. Likewise, the size of the upstream traffic may vary significantly due to the presence of network attacks. Therefore, the uplink traffic size and the downlink traffic size can be used as the first reference element of the abnormal access behavior.
Of course, the preset dimension required for each access detection model is not limited herein, and those skilled in the art can also refer to and apply other dimensions with similar functions and analyze the dimensions based on the present application, and all of them should be within the scope of the present application. It can be understood that the more preset dimensions are adopted, the more accurate the analysis of the abnormal access behavior is, and the more accurate the judgment effect of the obtained access detection model on each access behavior is. It is easy to understand that, when multi-dimensional analysis is adopted, if a certain access behavior is simultaneously in accordance with abnormal behavior judgment of multiple dimensions, it can be basically determined that the access behavior is an abnormal access behavior.
Any access behavior is either black or white: no matter how many dimensions are used for analysis, a normal access relation set and an abnormal access relation set are obtained, the normal access relations being regarded as white data and the abnormal access relations as black data. After the black and white data have been distinguished, the access detection model can be obtained by training with a preset clustering analysis algorithm. The preset clustering analysis algorithm is not particularly limited; for example, the K-means clustering algorithm may be used. K-means is an iterative clustering analysis algorithm: K objects are randomly selected as initial clustering centers, the distance between each object and each seed clustering center is calculated, each object is assigned to the nearest clustering center, and a cluster is represented by its clustering center and the objects assigned to it. Of course, other clustering algorithms, such as hierarchical clustering, may also be used, and this is not limited herein.
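The following is an added worked example, not code from the patent or from the assignee: it applies the per-dimension checks described above (access time window, unknown destination IP/port, changed protocol, per-day access count outside its interval, traffic above the historical maximum) to a terminal's access records, labels each record as black or white data, and clusters the resulting feature vectors with a small K-means. The records, field names, the feature scaling and the farthest-first seeding used in place of random initial centers are all assumptions made for the example.

```python
# Added example, not the patent's code; records and names are constructed assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import math

@dataclass
class Access:
    dst_ip: str
    dst_port: int
    proto: str
    when: datetime
    up_bytes: int    # uplink traffic
    down_bytes: int  # downlink traffic

# Constructed history: 30 days of one daytime SMB access to the same file server.
HISTORY = [Access("192.168.1.2", 445, "smb", datetime(2019, 11, 1 + d, 9 + d % 8),
                  100_000, 1_000_000) for d in range(30)]
# Constructed abnormal records, modelled on Fig. 2: three 200 MB MySQL pulls at 17:00.
ABNORMAL = [Access("192.168.1.1", 3306, "mysql", datetime(2019, 12, 19, 17, m),
                   35_000, 200_000_000) for m in (0, 5, 10)]

def build_profile(history):
    """Baseline: hour window, known (ip, port) -> protocol, per-day count interval, traffic maxima."""
    hours = [a.when.hour for a in history]
    per_day = Counter(a.when.date() for a in history)
    return {"hour_range": (min(hours), max(hours)),
            "proto_for": {(a.dst_ip, a.dst_port): a.proto for a in history},
            "freq_range": (min(per_day.values()), max(per_day.values())),
            "up_max": max(a.up_bytes for a in history),
            "down_max": max(a.down_bytes for a in history)}

def abnormal_dimensions(profile, access, count_that_day):
    """Names of the dimensions on which `access` violates the baseline (empty = white data)."""
    hits = []
    lo, hi = profile["hour_range"]
    if not lo <= access.when.hour <= hi:
        hits.append("time")
    key = (access.dst_ip, access.dst_port)
    if key not in profile["proto_for"]:
        hits.append("destination")      # strange IP or port
    elif profile["proto_for"][key] != access.proto:
        hits.append("protocol")         # same endpoint, protocol changed
    lo, hi = profile["freq_range"]
    if not lo <= count_that_day <= hi:
        hits.append("frequency")
    if access.up_bytes > profile["up_max"] or access.down_bytes > profile["down_max"]:
        hits.append("traffic")
    return hits

def feature_vector(profile, access, count_that_day):
    """Numeric features for clustering, each scaled to roughly [0, 1]."""
    key = (access.dst_ip, access.dst_port)
    return [access.when.hour / 24.0,
            1.0 if key in profile["proto_for"] else 0.0,
            1.0 if profile["proto_for"].get(key) == access.proto else 0.0,
            count_that_day / 10.0,
            math.log10(access.up_bytes + 1) / 10.0,
            math.log10(access.down_bytes + 1) / 10.0]

def sqdist(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q))

def kmeans(points, k, iters=50):
    """Lloyd iteration. Farthest-first seeding stands in for the random initial
    centres of the text so that the run is deterministic (assumption)."""
    centers = [list(points[0])]
    while len(centers) < k:
        centers.append(list(max(points, key=lambda p: min(sqdist(p, c) for c in centers))))
    assign = None
    for _ in range(iters):
        new_assign = [min(range(k), key=lambda i: sqdist(p, centers[i])) for p in points]
        if new_assign == assign:
            break
        assign = new_assign
        for i in range(k):
            members = [p for p, a in zip(points, assign) if a == i]
            if members:
                centers[i] = [sum(col) / len(members) for col in zip(*members)]
    return centers, assign

def train_access_model(history, new_records, k=2):
    """Label each record black/white by the dimension checks, then cluster the vectors."""
    profile = build_profile(history)
    records = list(history) + list(new_records)
    per_day = Counter(a.when.date() for a in records)
    labels, points = [], []
    for a in records:
        n = per_day[a.when.date()]
        labels.append("black" if abnormal_dimensions(profile, a, n) else "white")
        points.append(feature_vector(profile, a, n))
    centers, assign = kmeans(points, k)
    return {"profile": profile, "labels": labels, "assign": assign, "centers": centers}

def clusters_are_pure(model):
    """True when no cluster mixes black and white records."""
    seen = {}
    return all(seen.setdefault(c, l) == l for l, c in zip(model["labels"], model["assign"]))
```

On this constructed data the three MySQL records trip four dimensions at once (time, destination, frequency, traffic), which is the multi-dimension agreement the text treats as near-certain abnormality, and the two K-means clusters coincide exactly with the black/white labels; with real traffic the per-dimension thresholds (here simply the historical min/max) would need tolerances, otherwise a single unusually busy day becomes a frequency violation.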
S103: and determining whether the access behavior in the access relation set is an abnormal access behavior according to the output result of the access detection model.
According to the method and the device, the access relation set of the current terminal is detected by using the access detection model, so that abnormal access behaviors in the access relation set are determined. The access detection model is obtained by clustering analysis of the historical access data of the terminal. Whatever kind of attack is involved, its access behaviors have characteristics that are clearly abnormal compared with normal access behaviors, so each access behavior in the current access relation set can be compared with the clustering result obtained from the historical access data. Subsequent access behaviors can thus be detected using the historical access data of the terminal, network attacks that are difficult for intrusion detection equipment to detect can be detected more accurately and with stronger pertinence, and the safety degree and safety performance of the terminal are greatly improved.
It will be readily appreciated that the access detection model is used to detect anomalous access behaviour, and in actual detection it may contain multiple detection functions. For example, black traffic detection and white traffic detection may be performed for each access behavior, respectively, to obtain a black traffic detection result and a white traffic detection result, and a final output result of the access detection model may be determined according to the black traffic detection result and the white traffic detection result.
Further, a normal access feature set and an abnormal access feature set are learned in the access detection model in advance;
the determining whether the access behavior in the access relationship set is an abnormal access behavior according to the output result of the access detection model includes:
calculating a first distance between the access behavior feature in the access relationship set and the normal access feature set; calculating a second distance between the access behavior feature in the access relationship set and the abnormal access feature set; and if the first distance is greater than the second distance, the access behavior in the access relation set is abnormal access behavior.
Specifically, a normal access feature set and an abnormal access feature set are also learned in advance in the access detection model, and the normal access feature set is obtained by learning normal access behaviors in historical access data of the terminal; the abnormal access characteristic set is obtained by learning abnormal access behaviors in historical access data of the terminal.
In this embodiment, the first distance and the second distance may be Euclidean distances.
Under the condition that the first distance is smaller than the second distance, the access behavior in the access relation set is a normal access behavior; and if the first distance is equal to the second distance, the access behavior in the access relationship set cannot be determined.
When calculating the first distance between the access behavior feature in the access relationship set and the normal access feature set, and the second distance between the access behavior feature and the abnormal access feature set, the distance between the access behavior feature and the centroid of the normal access feature set may be taken as the first distance, or the distances between the access behavior feature and all normal access features in the normal access feature set may be calculated separately and their average value taken as the first distance. The second distance is calculated in the same way as the first distance and is not described again.
It should be noted that, the execution sequence of the operation step of calculating the first distance between the access behavior feature in the access relationship set and the normal access feature set and the operation step of calculating the second distance between the access behavior feature in the access relationship set and the abnormal access feature set is not limited, and the first distance may be calculated first, or the second distance may be calculated first, or the operation step of calculating the first distance and the operation step of calculating the second distance may be executed in parallel.
On the basis of the above embodiment, as a preferred embodiment, in the process of generating the access detection model, the abnormal access relationship may be used as a black traffic, the normal access relationship may be used as a white traffic, and a preset clustering analysis algorithm is used to perform two types of clustering to obtain a black traffic detection model and a white traffic detection model respectively, at this time, both the black traffic detection model and the white traffic detection model are used as sub-models of the access detection model.
Further, when the access detection model includes a black traffic detection model and a white traffic detection model, in the above embodiment S104 may be executed: the access behavior characteristics of the access relationship set are first input into the black traffic detection model to obtain a black traffic detection result, and if the black traffic detection result is normal, the access relationship set is input into the white traffic detection model. Of course, if the black traffic detection result is abnormal, the access behavior can be directly confirmed as abnormal without inputting it into the white traffic detection model. If the black traffic detection result is normal and the white traffic detection result of the white traffic detection model is also normal, the access behavior can be considered normal.
This embodiment aims to obtain two access detection models: once the black traffic detection model detects a problem in the access relation set, abnormal access behavior is naturally demonstrated. If, however, the access relation set passes the black traffic detection model, the white traffic detection model can be used for a secondary detection, and if the secondary detection is passed, the access relation set can be determined to have no abnormality. If the secondary detection fails, there may be abnormal access behaviors in the access relation set that the black traffic detection model did not detect, meaning either that a malicious attacker used a new attack means or that detection was incomplete because of defects in the black traffic detection model itself. Using the two access detection models therefore further improves the accuracy of detecting abnormal access behaviors.
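The following is an added example, not code from the patent or the assignee, covering two of the passages above: the first-distance/second-distance rule of S103 (distance to the set's centroid or the mean distance to all members, with the equal-distance case left undetermined) and the black-then-white sub-model cascade. The feature sets are constructed three-element vectors [hour/24, known-destination flag, log10(downlink bytes)/10]; the function names, the centroid-plus-radius membership test used for each sub-model and its 1.5 margin are assumptions made for the example.

```python
# Added example, not the patent's code; feature sets and names are constructed assumptions.
import math

NORMAL_SET = [[0.40, 1.0, 0.60], [0.50, 1.0, 0.60], [0.60, 1.0, 0.61], [0.45, 1.0, 0.59]]
ABNORMAL_SET = [[0.70, 0.0, 0.83], [0.90, 0.0, 0.80], [0.10, 0.0, 0.85]]

def euclid(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

def centroid(feature_set):
    return [sum(col) / len(feature_set) for col in zip(*feature_set)]

def distance_to_set(x, feature_set, mode="centroid"):
    """The two options the text allows: distance to the set's centroid, or the
    mean of the distances to every member of the set."""
    if mode == "centroid":
        return euclid(x, centroid(feature_set))
    return sum(euclid(x, f) for f in feature_set) / len(feature_set)

def classify_by_distance(x, normal_set, abnormal_set, mode="centroid"):
    """first distance > second distance -> abnormal; < -> normal; == -> undetermined."""
    d1 = distance_to_set(x, normal_set, mode)
    d2 = distance_to_set(x, abnormal_set, mode)
    if d1 > d2:
        return "abnormal"
    if d1 < d2:
        return "normal"
    return "undetermined"

class TrafficModel:
    """One-class sub-model (assumption): a sample matches if it lies within the
    cluster's radius (largest member-to-centroid distance) times a margin."""
    def __init__(self, feature_set, margin=1.5):
        self.center = centroid(feature_set)
        self.radius = margin * max(euclid(f, self.center) for f in feature_set)

    def matches(self, x):
        return euclid(x, self.center) <= self.radius

def cascade_detect(x, black_model, white_model):
    """Black model first; only samples it calls normal reach the white model.
    A sample matching neither is an anomaly the black model did not cover."""
    if black_model.matches(x):
        return "abnormal", "black-model"
    if white_model.matches(x):
        return "normal", "white-model"
    return "abnormal", "unmatched-by-either"

BLACK = TrafficModel(ABNORMAL_SET)   # trained on black data
WHITE = TrafficModel(NORMAL_SET)     # trained on white data

if __name__ == "__main__":
    for s in ([0.50, 1.0, 0.60], [0.75, 0.0, 0.82], [0.50, 1.0, 0.90]):
        print(s, classify_by_distance(s, NORMAL_SET, ABNORMAL_SET), cascade_detect(s, BLACK, WHITE))
```

The third sample (known destination, daytime, but a far larger download than ever seen) is the case the cascade exists for: the plain distance rule calls it normal because it is still closer to the white centroid than to the black one, while the cascade reports it as abnormal because it matches neither sub-model, which is exactly the "new attack means or gap in the black model" outcome the text describes.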
On the basis of the above embodiment, as a preferred embodiment, after S105, the following steps may be further included:
and determining an attack chain according to all abnormal access behaviors, and performing network attack protection by using the attack chain when the security level changes next time.
This embodiment aims, after all abnormal access behaviors have been determined, to analyze and sort them according to factors such as their time relationships, so that the attack chain of a malicious attacker can be obtained quickly and the compromised terminal can be located in time. If the abnormal access behavior detection method of this embodiment is applied to every terminal of the cluster, the initially invaded terminal and the attack chain path of the whole attack process can be traced, effective network defense can be implemented, and even the terminal where the attacker is located can be traced, realizing anti-threat and network pursuit functions. This effectively solves the problem that traditional detection methods or intrusion detection devices, which only detect a certain threat, cannot restore the attack chain of a malicious attacker and make effective countermeasures difficult to implement, and provides an effective means for network defense and counterattack.
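The following is an added example, not code from the patent or the assignee, of the chain reconstruction described above: already-flagged abnormal access behaviors are ordered by time, and a behavior whose source host is the destination of an earlier behavior is appended to that earlier chain, so that the head of each chain is the terminal where that intrusion path began. The records, hostnames and function names are constructed assumptions.

```python
# Added example, not the patent's code; events and hostnames are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AbnormalAccess:
    src: str
    dst: str
    when: datetime

# Constructed abnormal behaviors, deliberately listed out of time order.
EVENTS = [
    AbnormalAccess("host-B", "host-C", datetime(2019, 12, 19, 17, 0)),
    AbnormalAccess("host-A", "host-B", datetime(2019, 12, 18, 18, 0)),
    AbnormalAccess("host-E", "host-F", datetime(2019, 12, 19, 12, 0)),
    AbnormalAccess("host-C", "host-D", datetime(2019, 12, 20, 9, 0)),
]

def build_attack_chains(events):
    """Return chains as host lists, earliest first. An event extends the first chain
    whose current tail equals the event's source host; otherwise it starts a new chain."""
    chains = []
    for ev in sorted(events, key=lambda e: e.when):
        for chain in chains:
            if chain[-1] == ev.src:
                chain.append(ev.dst)
                break
        else:
            chains.append([ev.src, ev.dst])
    return chains

def initial_terminals(chains):
    """Head of each chain: the terminal where that intrusion path started."""
    return [chain[0] for chain in chains]

if __name__ == "__main__":
    chains = build_attack_chains(EVENTS)
    print(chains, initial_terminals(chains))
```

Linking only on host identity and time order is enough for the illustration; on real data the same join would be done per (destination IP, port, protocol) tuple and bounded by a time window, so that an unrelated later behavior from the same host is not glued onto an older chain.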
On the basis that each access detection model of the above embodiments is generally specific to an applied terminal, as a preferred embodiment, after the access detection model is established, the access detection model may be optimized by using a second access detection model of a second terminal to obtain an optimized access detection model, and then the optimized access detection model is used to replace the access detection model to perform abnormal access behavior detection.
When the historical access data comes only from the terminal itself, the access detection model obtained from it is more targeted: all subsequent access behaviors of the terminal can be detected in a targeted manner, and detection efficiency is higher.
Abnormal access behavior usually follows a certain attack chain; that is, an attacker is not satisfied with one device or a few devices, but usually attacks the local area network or the whole intranet directly. The access detection model on the terminal can therefore be optimized with the access detection models obtained by the same model generation process on other terminals, so that the optimized access detection model judges abnormal access behaviors more accurately and identifies them in time.
It should be noted that the second terminal in this embodiment means any one or more terminals other than the present terminal. In other words, the present embodiment aims to achieve mutual optimization of access detection models on different terminals, so as to achieve a better abnormal access behavior detection effect.
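The patent does not say how the two models are combined. As an added example (written for this page, not the patent's own code), the following Python assumes each terminal's access detection model is the set of cluster centroids learned from that terminal's history, each carrying a normal/abnormal label and the number of historical accesses behind it. Merging keeps the local centroids, folds in nearby same-label centroids from the second terminal as a count-weighted average, and appends the rest as new knowledge; the representation, the merge rule and all centroid values are assumptions of the example.

```python
"""Optimising a terminal's access detection model with a second terminal's model
(added example; model representation and merge rule are assumptions)."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple

Vector = Tuple[float, ...]


@dataclass
class Centroid:
    label: str      # "normal" or "abnormal"
    vector: Vector  # already-scaled access behaviour features (assumed)
    count: int      # historical accesses that formed this centroid


def dist(a: Vector, b: Vector) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def merge_models(local: List[Centroid], other: List[Centroid],
                 merge_radius: float) -> List[Centroid]:
    """Return the optimised model; neither input list is modified."""
    merged = [Centroid(c.label, c.vector, c.count) for c in local]
    for oc in other:
        nearest, best = None, merge_radius
        for mc in merged:
            if mc.label != oc.label:
                continue  # never average a normal centroid with an abnormal one
            d = dist(mc.vector, oc.vector)
            if d < best:
                nearest, best = mc, d
        if nearest is None:
            # Nothing similar known locally: the other terminal's cluster is new knowledge.
            merged.append(Centroid(oc.label, oc.vector, oc.count))
        else:
            total = nearest.count + oc.count
            nearest.vector = tuple((a * nearest.count + b * oc.count) / total
                                   for a, b in zip(nearest.vector, oc.vector))
            nearest.count = total
    return merged


def classify(model: List[Centroid], x: Vector) -> str:
    """Claim 4 rule: abnormal when the nearest normal centroid is farther than the nearest abnormal one."""
    first = min(dist(x, c.vector) for c in model if c.label == "normal")
    second = min((dist(x, c.vector) for c in model if c.label == "abnormal"),
                 default=float("inf"))
    return "abnormal" if first > second else "normal"


# Constructed centroids over (scaled destination port, log10 downlink, hour/24).
# The local terminal has only ever seen routine SMB traffic; the second terminal
# has also seen HTTP traffic and one confirmed abnormal MySQL bulk download.
LOCAL_MODEL = [Centroid("normal", (0.007, 3.0, 0.75), 50)]
OTHER_MODEL = [Centroid("normal", (0.007, 3.1, 0.70), 10),
               Centroid("normal", (0.001, 2.5, 0.45), 8),
               Centroid("abnormal", (0.050, 5.3, 0.70), 5)]


def optimised_model() -> List[Centroid]:
    return merge_models(LOCAL_MODEL, OTHER_MODEL, merge_radius=0.5)
```

With these values the two SMB-like normal centroids are averaged into one (weighted 50:10), the HTTP centroid lies outside the merge radius and is appended, and the abnormal centroid is appended unchanged, so an access resembling the bulk download is judged abnormal by the optimised model even though the local model alone had no abnormal feature set to compare against.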
As shown in fig. 2, which is a schematic diagram of a normal access behavior and an abnormal access behavior provided in an embodiment of the present application, host A has normal access to host B: destination IP 192.168.1.2, port 445, based on the SMB (Server Message Block) protocol, with one access behavior established with host B at 18:00 on 18 December 2019, an uplink traffic of 100Kb and a downlink traffic of 1M.
Abnormal access exists between host A and host C: destination IP 192.168.1.1, port 3306, based on MySQL, with three access behaviors established at 17:00 on 19 December 2019, an uplink traffic of 35Kb and a downlink traffic of 200M.
Obviously both the destination IP and the destination port have changed, the protocol used has changed, and, more importantly, the downlink traffic of the access behavior between host A and host C is increased by 199 times compared with the access behavior between host A and host B, which clearly belongs to abnormal access.
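The two-stage detection described above (black traffic model first, white traffic model for the secondary detection), the cluster training of the model, and the distance rule of claims 4 and 5, carried through on the fig. 2 accesses as an added Python example that is not code from the patent. The feature encoding, the use of k-means centroids as the learned normal and abnormal feature sets, and all training data are assumptions of this example: the black traffic model is trained on a constructed corpus of known attack traffic versus routine traffic, the white traffic model on the terminal's own constructed history including one access confirmed abnormal earlier, and the 1M downlink of fig. 2 is taken as 1024Kb.

```python
# Two-stage (black traffic, then white traffic) abnormal access detection.
# Added example; encoding, clustering and training data are assumptions.
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Vector = Tuple[float, ...]
PROTOCOLS = ("smb", "mysql", "http", "ssh")  # one-hot slots; anything else is "other"


@dataclass(frozen=True)
class Access:
    dst_ip: str
    dst_port: int
    protocol: str
    uplink_kb: float
    downlink_kb: float
    hour: int  # hour of day at which the access happened


def features(a: Access) -> Vector:
    """Access behaviour characteristics as a vector: port and hour scaled to [0, 1],
    traffic log-scaled, protocol one-hot so every mismatch costs the same distance."""
    one_hot = tuple(1.0 if a.protocol == p else 0.0 for p in PROTOCOLS)
    other = 0.0 if a.protocol in PROTOCOLS else 1.0
    return (a.dst_port / 65535.0, *one_hot, other, math.log10(1 + a.uplink_kb),
            math.log10(1 + a.downlink_kb), a.hour / 24.0)


def dist(x: Vector, y: Vector) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(x, y)))


def kmeans(points: Sequence[Vector], k: int, iters: int = 25) -> List[Vector]:
    """Minimal k-means, used as the cluster training step (deterministic init)."""
    k = max(1, min(k, len(points)))
    centroids = [points[i * len(points) // k] for i in range(k)]
    for _ in range(iters):
        groups: List[List[Vector]] = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        centroids = [tuple(sum(col) / len(g) for col in zip(*g)) if g else c
                     for g, c in zip(groups, centroids)]
    return centroids


class DetectionModel:
    """A learned normal feature set and abnormal feature set, as in claim 4."""

    def __init__(self, normal_set: List[Vector], abnormal_set: List[Vector]):
        self.normal_set, self.abnormal_set = normal_set, abnormal_set

    @classmethod
    def train(cls, normal: Sequence[Access], abnormal: Sequence[Access], k: int = 2):
        return cls(kmeans([features(a) for a in normal], k),
                   kmeans([features(a) for a in abnormal], k))

    def distances(self, a: Access) -> Tuple[float, float]:
        """(first distance to the normal set, second distance to the abnormal set)."""
        x = features(a)
        return (min(dist(x, c) for c in self.normal_set),
                min(dist(x, c) for c in self.abnormal_set))

    def is_abnormal(self, a: Access) -> bool:
        first, second = self.distances(a)
        return first > second


def detect(black: DetectionModel, white: DetectionModel, a: Access) -> Tuple[str, Optional[str]]:
    """Black traffic model first; only accesses it passes reach the white traffic model."""
    if black.is_abnormal(a):
        return "abnormal", "black"
    if white.is_abnormal(a):
        return "abnormal", "white"
    return "normal", None


# Constructed training data: the black traffic model from known attack traffic
# versus routine traffic seen across the cluster, the white traffic model from
# this terminal's own history, including one access confirmed abnormal earlier.
BLACK_NORMAL = [Access("192.168.1.2", 445, "smb", 100, 1000, 18),
                Access("192.168.1.2", 445, "smb", 120, 1200, 17)]
BLACK_ABNORMAL = [Access("192.168.1.1", 3306, "mysql", 35, 200_000, 17),
                  Access("192.168.1.1", 3306, "mysql", 40, 150_000, 2)]
WHITE_NORMAL = [Access("192.168.1.2", 445, "smb", 100, 1000, 18),
                Access("192.168.1.2", 445, "smb", 90, 800, 19),
                Access("192.168.1.5", 80, "http", 20, 300, 10),
                Access("192.168.1.5", 80, "http", 25, 400, 11)]
WHITE_ABNORMAL = [Access("192.168.1.7", 3389, "rdp", 60, 1500, 4)]

# The two fig. 2 accesses (1M downlink taken as 1024Kb) and a constructed
# night-time RDP access that the black traffic model alone does not catch.
FIG2_NORMAL = Access("192.168.1.2", 445, "smb", 100, 1024, 18)
FIG2_ABNORMAL = Access("192.168.1.1", 3306, "mysql", 35, 204_800, 17)
NIGHT_RDP = Access("192.168.1.7", 3389, "rdp", 50, 2000, 3)


def build_models() -> Tuple[DetectionModel, DetectionModel]:
    return (DetectionModel.train(BLACK_NORMAL, BLACK_ABNORMAL),
            DetectionModel.train(WHITE_NORMAL, WHITE_ABNORMAL))
```

Running `detect` on the three accesses gives the behavior the embodiment describes: the fig. 2 SMB access is normal under both models, the MySQL 200M download is rejected by the black traffic model straight away, and the night-time RDP access passes the black traffic model (its nearest black centroid is routine SMB traffic) but fails the secondary detection, because the terminal-specific white traffic model has a previously confirmed abnormal access close to it. The one-hot protocol encoding matters: encoding protocols as ordinal numbers would make the distance depend on an arbitrary ordering.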
The malicious encrypted traffic detection system provided by the present application is introduced below; the system described below and the detection method described above correspond to each other and may be referred to together.
Referring to fig. 3, which is a schematic structural diagram of the malicious encrypted traffic detection system provided in an embodiment of the present application, the present application further provides a system for detecting abnormal access behavior, which may include:
a recording module 100, configured to record an access relationship set of an access behavior of a terminal;
a data input module 200, configured to input the access behavior characteristics of the access relationship set into an access detection model; the access detection model is obtained by training access behavior characteristics in historical access data of the terminal;
an anomaly detection module 300, configured to determine whether an access behavior in the access relationship set is an abnormal access behavior according to an output result of the access detection model.
Based on the foregoing embodiment, as a preferred embodiment, the recording module 100 is configured to record an access relation set of an access behavior of the terminal when the terminal is attacked and/or when a security level of the terminal changes.
Based on the above embodiment, as a preferred embodiment, the detection system may further include:
a model establishing module, configured to acquire the access behavior characteristics of each access behavior in the historical access data within a preset time range, and to perform cluster training on the access behavior characteristics to obtain the access detection model; the access behavior characteristics include one or any combination of access time, access network characteristics and access frequency, and the access network characteristics include one or any combination of destination IP, destination port, communication protocol, uplink traffic and downlink traffic.
Based on the above embodiments, as a preferred embodiment, the anomaly detection module 300 is configured to obtain a black traffic detection result and a white traffic detection result of the access detection model; determining an output result according to the black flow detection result and the white flow detection result; and determining whether the access behavior in the access relation set is an abnormal access behavior according to the output result.
Based on the above embodiment, as a preferred embodiment, the data input module 200 is configured to first input the access relationship set into the black traffic detection model to obtain the black traffic detection result, and, if the black traffic detection result is normal, to input the access relationship set into the white traffic detection model.
Based on the foregoing embodiment, as a preferred embodiment, the malicious encrypted traffic detection system may further include:
an attack chain determining module, configured to determine an attack chain according to all the abnormal access behaviors after the abnormal access behaviors in the access relation set have been determined according to the output result of the access detection model, and to perform network attack protection by using the attack chain.
The malicious encrypted traffic detection system may further include:
the model optimization module is used for optimizing the access detection model by utilizing a second access detection model of the second terminal to obtain an optimized access detection model; and replacing the access detection model with the optimized access detection model to detect abnormal access behaviors.
The present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program can implement the steps of the abnormal access behavior detection method provided in the foregoing embodiments when executed. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides a terminal, which may include a memory and a processor, where the memory stores a computer program, and when the processor calls the computer program in the memory, the steps of the abnormal access behavior detection method provided in the foregoing embodiment may be implemented. In particular, the terminal may be a terminal or a server in a network. Of course, the terminal may also include various network interfaces, power supplies, and the like. Referring to fig. 4, fig. 4 is a schematic structural diagram of a terminal provided in an embodiment of the present application, where the terminal of the embodiment may include: a processor 2101 and a memory 2102.
Optionally, the terminal may further comprise a communication interface 2103, an input unit 2104 and a display 2105 and a communication bus 2106.
The processor 2101, the memory 2102, the communication interface 2103, the input unit 2104, the display 2105, and the like communicate with each other via the communication bus 2106.
In the embodiment of the present application, the processor 2101 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a field-programmable gate array (FPGA) or another programmable logic device.
The processor may call a program stored in the memory 2102. In particular, the processor may perform the operations performed by the terminal in the above embodiments.
The memory 2102 stores one or more programs, which may include program code including computer operating instructions, and in this embodiment, at least one program for implementing the following functions is stored in the memory:
recording an access relation set of access behaviors of the terminal;
inputting the access behavior characteristics of the access relation set into an access detection model; the access detection model is obtained by training access behavior characteristics in historical access data of the terminal;
and determining whether the access behavior in the access relation set is an abnormal access behavior according to the output result of the access detection model.
In one possible implementation, the memory 2102 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a topic detection function, etc.), and the like; the storage data area may store data created according to the use of the computer.
Further, the memory 2102 may include high-speed random access memory and may also include non-volatile memory, such as at least one disk storage device or another non-volatile solid-state storage device.
The communication interface 2103 may be an interface of a communication module, such as an interface of a GSM module.
The terminal may also include a display 2105 and an input unit 2104, among other components.
The structure of the terminal shown in fig. 3 does not limit the terminal in the embodiments of the present application; in practical applications the terminal may include more or fewer components than those shown in fig. 3, or may combine some of them.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for detecting abnormal access behavior, comprising:
recording an access relation set of access behaviors of the terminal;
inputting the access behavior characteristics of the access relation set into an access detection model; the access detection model is obtained by training access behavior characteristics in historical access data of the terminal;
and determining whether the access behavior in the access relation set is an abnormal access behavior according to the output result of the access detection model.
2. The detection method according to claim 1, wherein the recording of the access relationship set of the access behavior of the terminal comprises:
and when the terminal is attacked and/or the security level of the terminal is changed, recording an access relation set of the access behavior of the terminal.
3. The detection method according to claim 1, further comprising:
acquiring access behavior characteristics of each access behavior in historical access data within a preset time range; the access behavior characteristics comprise one or any combination of several of access time, access network characteristics and access frequency, and the access network characteristics comprise one or any combination of several of destination IP, destination ports, communication protocols, uplink flow and downlink flow;
and performing cluster training on the access behavior characteristics to obtain the access detection model.
4. The detection method according to claim 1, wherein a normal access feature set and an abnormal access feature set are learned in advance in the access detection model;
the determining whether the access behavior in the access relationship set is an abnormal access behavior according to the output result of the access detection model includes:
calculating a first distance between the access behavior feature in the access relationship set and the normal access feature set;
calculating a second distance between the access behavior feature in the access relationship set and the abnormal access feature set;
and if the first distance is greater than the second distance, the access behavior in the access relation set is abnormal access behavior.
5. The detection method of claim 4, wherein the access detection model comprises a black traffic detection model and a white traffic detection model, and wherein inputting the access behavior characteristics of the set of access relationships into the access detection model comprises:
inputting the access behavior characteristics of the access relation set into the black flow detection model to obtain the black flow detection result;
and if the black flow detection result is normal, inputting the access behavior characteristics of the access relation set into the white flow detection model.
6. The detection method according to any one of claims 1 to 5, further comprising, after determining the abnormal access behavior in the access relationship set according to the output result of the access detection model:
and determining an attack chain according to all abnormal access behaviors, and performing network attack protection by using the attack chain.
7. The detection method according to any one of claims 1 to 5, further comprising:
optimizing the access detection model by using a second access detection model of the second terminal to obtain an optimized access detection model;
and replacing the access detection model with the optimized access detection model to detect abnormal access behaviors.
8. A system for detecting anomalous access behavior, comprising:
the recording module is used for recording an access relation set of the access behavior of the terminal;
the data input module is used for inputting the access behavior characteristics of the access relation set into an access detection model; the access detection model is obtained by training access behavior characteristics in historical access data of the terminal;
and the abnormal detection module is used for determining whether the access behaviors in the access relation set are abnormal access behaviors or not according to the output result of the access detection model.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
10. A terminal, characterized in that it comprises a memory in which a computer program is stored and a processor which, when calling the computer program in said memory, implements the steps of the method according to any one of claims 1 to 7.
CN202010406978.3A 2020-05-14 2020-05-14 Method, system, storage medium and terminal for detecting abnormal access behavior Pending CN111600880A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010406978.3A CN111600880A (en) 2020-05-14 2020-05-14 Method, system, storage medium and terminal for detecting abnormal access behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010406978.3A CN111600880A (en) 2020-05-14 2020-05-14 Method, system, storage medium and terminal for detecting abnormal access behavior

Publications (1)

Publication Number Publication Date
CN111600880A true CN111600880A (en) 2020-08-28

Family

ID=72190789

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010406978.3A Pending CN111600880A (en) 2020-05-14 2020-05-14 Method, system, storage medium and terminal for detecting abnormal access behavior

Country Status (1)

Country Link
CN (1) CN111600880A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112187762A (en) * 2020-09-22 2021-01-05 国网湖南省电力有限公司 Abnormal network access monitoring method and monitoring device based on clustering algorithm
CN112511372A (en) * 2020-11-06 2021-03-16 新华三技术有限公司 Anomaly detection method, device and equipment
CN112543186A (en) * 2020-11-23 2021-03-23 西安四叶草信息技术有限公司 Network behavior detection method and device, storage medium and electronic equipment
CN113438244A (en) * 2021-06-28 2021-09-24 安天科技集团股份有限公司 Penetration testing method and device, computing equipment and storage medium
CN113630415A (en) * 2021-08-10 2021-11-09 工银科技有限公司 Network admission control method, apparatus, system, device, medium and product
CN114124560A (en) * 2021-12-01 2022-03-01 北京天融信网络安全技术有限公司 Method and device for detecting defect host, electronic equipment and storage medium
CN114285604A (en) * 2021-12-07 2022-04-05 集美大学 Network access behavior detection method and device
CN114301610A (en) * 2020-09-21 2022-04-08 华为技术有限公司 Method and equipment for identifying computer with defect
CN114363212A (en) * 2021-12-27 2022-04-15 绿盟科技集团股份有限公司 Equipment detection method, device, equipment and storage medium
CN114817912A (en) * 2022-06-15 2022-07-29 国网浙江省电力有限公司杭州供电公司 Virus blocking processing method and platform based on behavior recognition model
CN116257884A (en) * 2023-03-20 2023-06-13 杭州霖芮科技有限公司 E-commerce platform customer data processing method and system based on flow analysis

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789885A (en) * 2016-11-17 2017-05-31 国家电网公司 User's unusual checking analysis method under a kind of big data environment
CN107302547A (en) * 2017-08-21 2017-10-27 深信服科技股份有限公司 A kind of web service exceptions detection method and device
CN108377240A (en) * 2018-02-07 2018-08-07 平安科技(深圳)有限公司 Exceptional interface detection method, device, computer equipment and storage medium
CN110445753A (en) * 2019-06-28 2019-11-12 平安科技(深圳)有限公司 The partition method and device of terminal device abnormal access
CN111107096A (en) * 2019-12-27 2020-05-05 杭州迪普科技股份有限公司 Web site safety protection method and device

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114301610B (en) * 2020-09-21 2022-11-08 华为技术有限公司 Method and equipment for identifying computer with defect
CN114301610A (en) * 2020-09-21 2022-04-08 华为技术有限公司 Method and equipment for identifying computer with defect
CN112187762A (en) * 2020-09-22 2021-01-05 国网湖南省电力有限公司 Abnormal network access monitoring method and monitoring device based on clustering algorithm
CN112511372B (en) * 2020-11-06 2022-03-01 新华三技术有限公司 Anomaly detection method, device and equipment
CN112511372A (en) * 2020-11-06 2021-03-16 新华三技术有限公司 Anomaly detection method, device and equipment
CN112543186B (en) * 2020-11-23 2023-02-14 西安四叶草信息技术有限公司 Network behavior detection method and device, storage medium and electronic equipment
CN112543186A (en) * 2020-11-23 2021-03-23 西安四叶草信息技术有限公司 Network behavior detection method and device, storage medium and electronic equipment
CN113438244A (en) * 2021-06-28 2021-09-24 安天科技集团股份有限公司 Penetration testing method and device, computing equipment and storage medium
CN113630415A (en) * 2021-08-10 2021-11-09 工银科技有限公司 Network admission control method, apparatus, system, device, medium and product
CN114124560A (en) * 2021-12-01 2022-03-01 北京天融信网络安全技术有限公司 Method and device for detecting defect host, electronic equipment and storage medium
CN114285604A (en) * 2021-12-07 2022-04-05 集美大学 Network access behavior detection method and device
CN114363212A (en) * 2021-12-27 2022-04-15 绿盟科技集团股份有限公司 Equipment detection method, device, equipment and storage medium
CN114363212B (en) * 2021-12-27 2023-12-26 绿盟科技集团股份有限公司 Equipment detection method, device, equipment and storage medium
CN114817912A (en) * 2022-06-15 2022-07-29 国网浙江省电力有限公司杭州供电公司 Virus blocking processing method and platform based on behavior recognition model
CN114817912B (en) * 2022-06-15 2022-11-04 国网浙江省电力有限公司杭州供电公司 Virus blocking processing method and platform based on behavior recognition model
CN116257884A (en) * 2023-03-20 2023-06-13 杭州霖芮科技有限公司 E-commerce platform customer data processing method and system based on flow analysis
CN116257884B (en) * 2023-03-20 2023-09-05 杭州霖芮科技有限公司 E-commerce platform customer data processing method and system based on flow analysis

Similar Documents

Publication Publication Date Title
CN111600880A (en) Method, system, storage medium and terminal for detecting abnormal access behavior
CN111274583A (en) Big data computer network safety protection device and control method thereof
US8549645B2 (en) System and method for detection of denial of service attacks
US10635817B2 (en) Targeted security alerts
CN104361283A (en) Web attack protection method
CN106850647B (en) Malicious domain name detection algorithm based on DNS request period
US9479521B2 (en) Software network behavior analysis and identification system
CN109144023A (en) A kind of safety detection method and equipment of industrial control system
KR101692982B1 (en) Automatic access control system of detecting threat using log analysis and automatic feature learning
CN110769007B (en) Network security situation sensing method and device based on abnormal traffic detection
WO2019035120A1 (en) Cyber threat detection system and method
CN110868418A (en) Threat information generation method and device
CN108234426B (en) APT attack warning method and APT attack warning device
CN115996146A (en) Numerical control system security situation sensing and analyzing system, method, equipment and terminal
Mangrulkar et al. Network attacks and their detection mechanisms: A review
CN113411297A (en) Situation awareness defense method and system based on attribute access control
CN114024761A (en) Network threat data detection method and device, storage medium and electronic equipment
CN112966264A (en) XSS attack detection method, device, equipment and machine-readable storage medium
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
CN112347484A (en) Software vulnerability detection method, device, equipment and computer readable storage medium
US20230018096A1 (en) Analysis apparatus, analysis method, and non-transitory computer readable medium storing analysis program
CN113709097B (en) Network risk sensing method and defense method
CN113132316A (en) Web attack detection method and device, electronic equipment and storage medium
CN114257403B (en) False alarm detection method, equipment and readable storage medium
CN108509796B (en) Method for detecting risk and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200828
