CN111835708A - Characteristic information analysis method and device - Google Patents


Info

Publication number: CN111835708A
Application number: CN202010460439.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 付天福, 周冲
Current and original assignee: Huawei Technologies Co Ltd
Prior art keywords: session, analyzed, sampling, messages, information

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Abstract

The embodiments of the invention provide a method and an apparatus for analyzing characteristic information. A plurality of data packets in a session to be analyzed are acquired, a characteristic value of each preset session characteristic is extracted from each data packet, and the characteristic values are counted to obtain the session characteristic information of the session. Because the session is taken as the basic unit of analysis, the session is analyzed as a whole and session characteristic information that comprehensively reflects it is obtained. The embodiments also provide a network attack detection method and a network attack detection system that detect network session attacks within a preset time interval from the session characteristic information of the sessions to be analyzed acquired in that interval. This solves the problem in the prior art that session attacks in the network cannot be detected from the characteristic information of data streams, so that session attacks are detected effectively and the completeness of network attack detection is improved.

Description

Characteristic information analysis method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method and an apparatus for analyzing characteristic information.
Background
At present, data transmission in the Internet is generally described in terms of data streams. A data stream (flow) is a sequence of data packets that is read once in a specified order. The data packets belonging to one data stream share the same five-tuple information: source Internet Protocol (IP) address, destination IP address, source port number, destination port number and transport-layer protocol number.
By analyzing the information carried by the packet sequence of a data stream, the characteristic information of that data stream is obtained, and by analyzing the characteristic information of many data streams together, the running state of data transmission in the network can be learned. For example, analyzing the duration of data streams in the network reveals the network's data transmission speed; analyzing the packet lengths of data streams supports charging for network traffic; and analyzing information such as the IP addresses of data streams supports network security detection.
Therefore, when analyzing the operating condition of a network, those skilled in the art use the data stream as the basic unit of analysis. However, characteristic information based on the data stream reveals only part of the network's operating condition.
Disclosure of Invention
The embodiments of the present invention provide a method and an apparatus for analyzing characteristic information that take the session as the basic unit of analysis and obtain session characteristic information, solving the problem that the characteristic information of a data stream reveals only part of the network operating condition.
A first aspect of the embodiments of the present invention provides a method for analyzing characteristic information, the method including:
acquiring a plurality of data packets in a session to be analyzed;
extracting a characteristic value of each preset session characteristic from each data packet;
and counting the characteristic values to obtain the session characteristic information of the session to be analyzed.
In a first possible implementation manner of the first aspect of the embodiments of the present invention, before extracting the characteristic value of the preset session characteristic from each data packet, the method includes:
acquiring a session characteristic index configured in the IP Flow Information Export (IPFIX) protocol as the preset session characteristic.
With reference to the first possible implementation manner of the first aspect of the embodiments of the present invention, in a second possible implementation manner, the method further includes:
outputting the characteristic information of the session to be analyzed in the standard format of the IPFIX protocol.
With reference to the first aspect to the second possible implementation manner of the first aspect, in a third possible implementation manner, acquiring the plurality of data packets in the session to be analyzed includes:
acquiring the five-tuple information of each data packet from all received data packets;
and acquiring the plurality of data packets of the session to be analyzed from all received data packets based on the five-tuple information of each data packet.
With reference to the first aspect to the second possible implementation manner of the first aspect, in a fourth possible implementation manner, before acquiring the plurality of data packets in the session to be analyzed, the method further includes:
sampling all received data packets on a session basis to obtain the data packets of a plurality of sampled sessions;
and acquiring the plurality of data packets in the session to be analyzed includes:
acquiring the plurality of data packets of the session to be analyzed from the data packets of the sampled sessions.
With reference to the fourth possible implementation manner of the first aspect of the embodiments of the present invention, in a fifth possible implementation manner, acquiring the data packets of the session to be analyzed from the data packets of the plurality of sampled sessions includes:
acquiring the five-tuple information of each data packet from the data packets of the plurality of sampled sessions;
and acquiring the data packets of the session to be analyzed from the data packets of the plurality of sampled sessions based on the five-tuple information of each data packet.
With reference to the fourth possible implementation manner of the first aspect of the embodiments of the present invention, in a sixth possible implementation manner, sampling all received data packets on a session basis includes:
parsing the five-tuple information of each received data packet;
calculating a positive (forward) hash value and a negative (reverse) hash value of the received data packet from the five-tuple information, where the positive hash value is calculated by taking the five-tuple information of the received data packet as input, and the negative hash value is calculated by taking the same five-tuple information as input after exchanging the positions of the source and destination IP addresses and the positions of the source and destination port numbers;
calculating a first remainder by dividing the positive hash value by a preset sampling parameter in a preset session sampling template, and a second remainder by dividing the negative hash value by the same preset sampling parameter, where the preset sampling parameter is the denominator of the sampling ratio in the session sampling template;
judging whether the first remainder or the second remainder equals a preset sampling remainder in the session sampling template;
and sampling the received data packet when the first remainder or the second remainder equals the preset sampling remainder in the session sampling template.
A second aspect of the embodiments of the present invention provides a network attack detection method, the method including:
analyzing the session characteristic information of all sessions to be analyzed that are acquired within a preset time interval, where the session characteristic information is obtained by the method of the first aspect or any of its first to sixth possible implementation manners;
and detecting a network session attack within the preset time interval according to the session characteristic information.
In a first possible implementation manner of the second aspect of the embodiments of the present invention, detecting a network session attack within the preset time interval according to the session characteristic information includes:
counting, according to the session characteristic information, a first proportion of incomplete sessions among all sessions to be analyzed that are acquired within the preset time interval;
judging whether the first proportion exceeds a first preset threshold;
and identifying a network session attack within the preset time interval when the first proportion of incomplete sessions exceeds the first preset threshold.
With reference to the first possible implementation manner of the second aspect of the embodiments of the present invention, in a second possible implementation manner,
the session characteristic information includes the number of uplink data packets and the number of downlink data packets;
and an incomplete session is a session to be analyzed whose number of uplink data packets is greater than 1 and whose number of downlink data packets is 0.
With reference to the first possible implementation manner of the second aspect of the embodiments of the present invention, in a third possible implementation manner,
the session characteristic information includes Transmission Control Protocol (TCP) flag bits;
and an incomplete session is a session to be analyzed whose TCP flag bits are incomplete.
In a fourth possible implementation manner of the second aspect of the embodiments of the present invention,
the session characteristic information includes the number of echo messages and the number of echo reply messages in an Internet Control Message Protocol (ICMP) session;
and detecting a network session attack within the preset time interval according to the session characteristic information includes:
counting, according to the session characteristic information, a second proportion of echo messages to echo reply messages in the ICMP sessions acquired within the preset time interval;
judging whether the second proportion lies within a preset numerical range;
and identifying an ICMP session attack within the preset time interval when the second proportion does not lie within the preset numerical range.
In a fifth possible implementation manner of the second aspect of the embodiments of the present invention, detecting a network session attack within the preset time interval according to the session characteristic information includes:
counting, according to the session characteristic information, the number of service-refusal sessions within the preset time interval, where a service-refusal session is a session to be analyzed whose session characteristic information contains Hypertext Transfer Protocol (HTTP) error code information;
judging whether the number of service-refusal sessions exceeds a second preset threshold;
and identifying a CC (Challenge Collapsar) session attack within the preset time interval when the number of service-refusal sessions exceeds the second preset threshold.
In a sixth possible implementation manner of the second aspect of the embodiments of the present invention, detecting a network session attack within the preset time interval according to the session characteristic information includes:
judging whether the session characteristic information of each session to be analyzed acquired within the preset time interval contains session fragment anomaly information, where the session fragment anomaly information includes any one or more of incomplete fragments, overlapping fragments and a fragment flag bit error;
and identifying a session to be analyzed as a fragment attack session within the preset time interval when its session characteristic information contains session fragment anomaly information.
With reference to the second aspect of the embodiments of the present invention to the sixth possible implementation manner of the second aspect, in a seventh possible implementation manner, the method further includes:
generating an attack event according to the session characteristic information of the session to be analyzed when a network session attack within the preset time interval is detected;
and generating an attack suppression strategy according to the attack event.
With reference to the seventh possible implementation manner of the second aspect of the embodiments of the present invention, in an eighth possible implementation manner, the method further includes:
identifying the attack source device, the attack service and the attacked device according to the attack event.
With reference to the second aspect to the eighth possible implementation manner of the second aspect of the embodiments of the present invention, in a ninth possible implementation manner, the session characteristic information uses the standard output format of the IPFIX protocol.
A third aspect of the embodiments of the present invention provides a characteristic information analysis apparatus, including:
a first acquisition unit, configured to acquire a plurality of data packets in a session to be analyzed;
an extraction unit, configured to extract a characteristic value of each preset session characteristic from each data packet;
and a statistical unit, configured to count the characteristic values to obtain the session characteristic information of the session to be analyzed.
In a first possible implementation manner of the third aspect of the embodiments of the present invention, the apparatus further includes:
a second acquisition unit, configured to acquire the session characteristics configured in the IPFIX protocol as the preset session characteristics.
With reference to the first possible implementation manner of the third aspect of the embodiments of the present invention, in a second possible implementation manner, the apparatus further includes:
an output unit, configured to output the characteristic information of the session to be analyzed in the standard format of the IPFIX protocol.
With reference to the third aspect to the second possible implementation manner of the third aspect of the embodiments of the present invention, in a third possible implementation manner, the first acquisition unit includes:
a first acquisition subunit, configured to acquire the five-tuple information of each data packet from all received data packets;
and a second acquisition subunit, configured to acquire the data packets of the session to be analyzed from all received data packets based on the five-tuple information of each data packet.
With reference to the third aspect to the second possible implementation manner of the third aspect of the embodiments of the present invention, in a fourth possible implementation manner, the apparatus further includes:
a sampling unit, configured to sample all received data packets on a session basis to obtain the data packets of a plurality of sampled sessions;
and the first acquisition unit is specifically configured to acquire the plurality of data packets of the session to be analyzed from the data packets of the plurality of sampled sessions.
With reference to the fourth possible implementation manner of the third aspect of the embodiments of the present invention, in a fifth possible implementation manner, the first acquisition unit includes:
a third acquisition subunit, configured to acquire the five-tuple information of each data packet from the data packets of the plurality of sampled sessions;
and a fourth acquisition subunit, configured to acquire the data packets of the session to be analyzed from the data packets of the plurality of sampled sessions based on the five-tuple information of each data packet.
With reference to the fourth possible implementation manner of the third aspect of the embodiments of the present invention, in a sixth possible implementation manner, the sampling unit includes:
a parsing subunit, configured to parse the five-tuple information of each received data packet;
a first calculation subunit, configured to calculate a positive (forward) hash value and a negative (reverse) hash value of the received data packet from the five-tuple information, where the positive hash value is calculated by taking the five-tuple information of the received data packet as input, and the negative hash value is calculated by taking the same five-tuple information as input after exchanging the positions of the source and destination IP addresses and the positions of the source and destination port numbers;
a second calculation subunit, configured to calculate a first remainder by dividing the positive hash value by a preset sampling parameter in a preset session sampling template, and a second remainder by dividing the negative hash value by the same preset sampling parameter, where the preset sampling parameter is the denominator of the sampling ratio in the session sampling template;
a judging subunit, configured to judge whether the first remainder or the second remainder equals a preset sampling remainder in the session sampling template;
and a sampling subunit, configured to sample the received data packet when the first remainder or the second remainder equals the preset sampling remainder in the session sampling template.
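The session-based sampling of the sixth implementation manner of the first aspect and of the sampling unit just described, written out as an added Python example (not code from the patent or from Huawei). It assumes a SHA-256-based hash since the patent names none, reads the negative hash as the hash of the five-tuple with source and destination addresses and ports exchanged, and uses a constructed 1-in-8 template; FiveTuple, SamplingTemplate, tuple_hash and should_sample are the example's own names.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # transport-layer protocol number: 6 = TCP, 17 = UDP

    def reversed(self) -> "FiveTuple":
        # Input for the reverse ("negative") hash: source and destination
        # address and port exchanged, protocol number unchanged (assumed
        # reading of the patent's wording).
        return FiveTuple(self.dst_ip, self.src_ip,
                         self.dst_port, self.src_port, self.proto)


@dataclass(frozen=True)
class SamplingTemplate:
    # The session sampling template: ratio 1/denominator, keep sessions whose
    # hash leaves `remainder` when divided by the denominator.
    denominator: int
    remainder: int


def tuple_hash(t: FiveTuple) -> int:
    # Assumed hash (the patent names none): SHA-256 over the serialised
    # five-tuple, truncated to 64 bits. Stable across processes, unlike hash().
    data = f"{t.src_ip}|{t.dst_ip}|{t.src_port}|{t.dst_port}|{t.proto}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def should_sample(t: FiveTuple, tmpl: SamplingTemplate) -> bool:
    """True when either remainder matches the template, i.e. the packet's
    session is sampled. Both directions of a session give the same answer."""
    first_rem = tuple_hash(t) % tmpl.denominator              # forward hash
    second_rem = tuple_hash(t.reversed()) % tmpl.denominator  # reverse hash
    return first_rem == tmpl.remainder or second_rem == tmpl.remainder


def sample_packets(packets: Iterable[FiveTuple],
                   tmpl: SamplingTemplate) -> List[FiveTuple]:
    """Session-based sampling of a received packet sequence."""
    return [p for p in packets if should_sample(p, tmpl)]


def sampled_fraction(n: int, tmpl: SamplingTemplate) -> float:
    """Fraction of n constructed, distinct client flows that the template keeps.

    Two remainders are tested per packet, so about 1 - (1 - 1/d)^2, roughly
    2/d, of all sessions survive rather than 1/d; size the denominator with
    that in mind when configuring the template.
    """
    flows = [FiveTuple(f"10.0.{i >> 8}.{i & 255}", "192.0.2.10",
                       40000 + i, 443, 6) for i in range(n)]
    return len(sample_packets(flows, tmpl)) / n


if __name__ == "__main__":
    tmpl = SamplingTemplate(denominator=8, remainder=0)
    client = FiveTuple("198.51.100.7", "192.0.2.10", 51515, 443, 6)
    # Same verdict for the client->server packet and the server->client reply.
    print(should_sample(client, tmpl), should_sample(client.reversed(), tmpl))
    print(f"fraction kept with a 1/8 template: {sampled_fraction(4000, tmpl):.3f}")
```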
A fourth aspect of the embodiments of the present invention provides a network attack detection system, the system including:
the characteristic information analysis apparatus of the third aspect or any of its first to sixth possible implementation manners, configured to analyze the session characteristic information of all sessions to be analyzed that are acquired within a preset time interval;
and a detection apparatus, configured to detect a network session attack within the preset time interval according to the session characteristic information.
In a first possible implementation manner of the fourth aspect of the embodiments of the present invention, the detection apparatus includes:
a first counting unit, configured to count, according to the session characteristic information, a first proportion of incomplete sessions among all sessions to be analyzed that are acquired within the preset time interval;
a first judging unit, configured to judge whether the first proportion exceeds a first preset threshold;
and a first identification unit, configured to identify a network session attack within the preset time interval when the first proportion of incomplete sessions exceeds the first preset threshold.
With reference to the first possible implementation manner of the fourth aspect of the embodiments of the present invention, in a second possible implementation manner, the session characteristic information includes the number of uplink data packets and the number of downlink data packets;
and an incomplete session is a session to be analyzed whose number of uplink data packets is greater than 1 and whose number of downlink data packets is 0.
With reference to the first possible implementation manner of the fourth aspect of the embodiments of the present invention, in a third possible implementation manner, the session characteristic information includes TCP flag bits, and an incomplete session is a session to be analyzed whose TCP flag bits are incomplete.
In a fourth possible implementation manner of the fourth aspect of the embodiments of the present invention, the session characteristic information includes the number of echo messages and the number of echo reply messages in an ICMP session;
and the detection apparatus includes:
a second counting unit, configured to count, according to the session characteristic information, a second proportion of echo messages to echo reply messages in the ICMP sessions acquired within the preset time interval;
a second judging unit, configured to judge whether the second proportion lies within a preset numerical range;
and a second identification unit, configured to identify an ICMP session attack within the preset time interval when the second proportion does not lie within the preset numerical range.
In a fifth possible implementation manner of the fourth aspect of the embodiments of the present invention, the detection apparatus includes:
a third counting unit, configured to count, according to the session characteristic information, the number of service-refusal sessions within the preset time interval, where a service-refusal session is a session to be analyzed whose session characteristic information contains HTTP error code information;
a third judging unit, configured to judge whether the number of service-refusal sessions exceeds a second preset threshold;
and a third identification unit, configured to identify a CC session attack within the preset time interval when the number of service-refusal sessions exceeds the second preset threshold.
In a sixth possible implementation manner of the fourth aspect of the embodiments of the present invention, the detection apparatus includes:
a fourth judging unit, configured to judge whether the session characteristic information of each session to be analyzed acquired within the preset time interval contains session fragment anomaly information, where the session fragment anomaly information includes any one or more of incomplete fragments, overlapping fragments and a fragment flag bit error;
and a fourth identification unit, configured to identify a session to be analyzed as a fragment attack session within the preset time interval when its session characteristic information contains session fragment anomaly information.
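The four detection rules of the second aspect and their counterparts in the detection apparatus above, run over constructed session records for one time interval, as an added Python example (not the patent's or Huawei's code). The SessionFeatures field set, the thresholds, the ICMP ratio range and the reading of "incomplete TCP flag bits" as a SYN never followed by an ACK are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class SessionFeatures:
    """Session characteristic information for one session to be analyzed
    (assumed field set; a deployment would map these to IPFIX fields)."""
    src_ip: str                 # first device, sends the uplink packets
    dst_ip: str                 # second device, sends the downlink packets
    dst_port: int
    proto: int                  # 1 = ICMP, 6 = TCP, 17 = UDP
    uplink_msgs: int = 0
    downlink_msgs: int = 0
    tcp_flags: Set[str] = field(default_factory=set)  # flag bits seen
    http_error_code: Optional[int] = None             # e.g. 503 when seen
    icmp_echo: int = 0
    icmp_echo_reply: int = 0
    frag_incomplete: bool = False
    frag_overlap: bool = False
    frag_flag_error: bool = False


@dataclass(frozen=True)
class AttackEvent:
    kind: str                       # which rule fired
    attack_source: Tuple[str, ...]  # attack source devices
    attacked: Tuple[str, ...]       # attacked devices


def is_incomplete(s: SessionFeatures) -> bool:
    # Second implementation: more than one uplink packet and no downlink packet.
    if s.uplink_msgs > 1 and s.downlink_msgs == 0:
        return True
    # Third implementation: incomplete TCP flag bits. Assumed reading: a SYN
    # was seen but no ACK ever followed, so the handshake never completed.
    return s.proto == 6 and "SYN" in s.tcp_flags and "ACK" not in s.tcp_flags


def _event(kind: str, group: List[SessionFeatures]) -> AttackEvent:
    # The attack event names the devices on both sides of the offending sessions.
    return AttackEvent(kind, tuple(sorted({s.src_ip for s in group})),
                       tuple(sorted({s.dst_ip for s in group})))


def detect(sessions: List[SessionFeatures],
           incomplete_threshold: float = 0.5,                   # first preset threshold
           icmp_ratio_range: Tuple[float, float] = (0.5, 2.0),  # preset numeric range
           refusal_threshold: int = 3) -> List[AttackEvent]:    # second preset threshold
    """Apply the four detection rules to the sessions of one time interval."""
    events: List[AttackEvent] = []
    if not sessions:
        return events
    # Rule 1: first proportion, incomplete sessions over all sessions.
    incomplete = [s for s in sessions if is_incomplete(s)]
    if len(incomplete) / len(sessions) > incomplete_threshold:
        events.append(_event("session_attack", incomplete))
    # Rule 2: second proportion, ICMP echo to echo-reply over the interval.
    icmp = [s for s in sessions if s.proto == 1]
    echo = sum(s.icmp_echo for s in icmp)
    reply = sum(s.icmp_echo_reply for s in icmp)
    if echo + reply > 0:
        # No replies at all is the extreme case of the ratio being out of range.
        ratio = echo / reply if reply else float("inf")
        lo, hi = icmp_ratio_range
        if not lo <= ratio <= hi:
            events.append(_event("icmp_session_attack", icmp))
    # Rule 3: service-refusal sessions (HTTP error code seen) over a threshold.
    refused = [s for s in sessions if s.http_error_code is not None]
    if len(refused) > refusal_threshold:
        events.append(_event("cc_session_attack", refused))
    # Rule 4: any fragment anomaly marks that one session as a fragment attack.
    for s in sessions:
        if s.frag_incomplete or s.frag_overlap or s.frag_flag_error:
            events.append(_event("fragment_attack", [s]))
    return events


def sample_interval() -> List[SessionFeatures]:
    """Constructed session records for one interval (not real traffic)."""
    server = "192.0.2.10"
    sessions = [SessionFeatures(f"203.0.113.{i}", server, 443, 6, 2, 0, {"SYN"})
                for i in range(1, 9)]                        # 8 half-open sessions
    sessions.append(SessionFeatures("198.51.100.7", server, 443, 6, 5, 4,
                                    {"SYN", "ACK", "FIN"}))  # one normal session
    sessions.append(SessionFeatures("203.0.113.20", server, 0, 1,
                                    icmp_echo=200, icmp_echo_reply=2))
    sessions += [SessionFeatures(f"203.0.113.{i}", server, 80, 6, 2, 2,
                                 {"SYN", "ACK"}, http_error_code=503)
                 for i in range(30, 34)]                     # 4 refused sessions
    sessions.append(SessionFeatures("203.0.113.40", server, 53, 17, 3, 1,
                                    frag_overlap=True))
    return sessions


if __name__ == "__main__":
    for ev in detect(sample_interval()):
        print(ev.kind, "source:", ev.attack_source, "attacked:", ev.attacked)
```

Each event carries the attack source and attacked devices taken from the offending sessions, which is the information the seventh and eighth implementation manners use when generating an attack event and a suppression strategy.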
With reference to the third aspect to the sixth possible implementation manner of the third aspect of the embodiments of the present invention, in a seventh possible implementation manner, the system further includes:
a defense apparatus, configured to generate an attack event according to the session characteristic information of the session to be analyzed when a network session attack within the preset time interval is detected, and to generate an attack suppression strategy according to the attack event.
With reference to the seventh possible implementation manner of the third aspect of the embodiments of the present invention, in an eighth possible implementation manner, the system further includes:
an attack identification apparatus, configured to identify the attack source device, the attack service and the attacked device according to the attack event.
With reference to the third aspect to the eighth possible implementation manner of the third aspect of the embodiments of the present invention, in a ninth possible implementation manner, the session characteristic information uses the standard output format of the IPFIX protocol.
According to the above technical scheme, the invention has the following beneficial effects:
the embodiments of the invention provide a method and an apparatus for analyzing characteristic information that acquire a plurality of data packets in a session to be analyzed, extract a characteristic value of each preset session characteristic from each data packet and count the characteristic values; because the session is taken as the basic unit of analysis, the session is analyzed as a whole and session characteristic information that comprehensively reflects the session is obtained;
the embodiments of the invention also provide a network attack detection method and a network attack detection system that detect network session attacks within a preset time interval from the session characteristic information of the sessions to be analyzed acquired within that interval, solving the problem in the prior art that session attacks in the network cannot be detected from the characteristic information of data streams, so that session attacks in the network are detected effectively and the completeness of network attack detection is improved.
Drawings
Fig. 1 is a flowchart of a method for analyzing feature information according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an IPFIX protocol message format according to an embodiment of the present invention;
Fig. 3 is a flowchart of a network attack detection method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a characteristic information analysis apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a network attack detection system according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the hardware structure of a characteristic information analysis apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the hardware structure of a network attack detection system according to an embodiment of the present invention.
Detailed Description
In the prior art, when analyzing the operation status of a certain network, a plurality of data streams transmitted in the network are mainly obtained by using the data streams as a basic unit, and the obtained characteristic information of the plurality of data streams is comprehensively analyzed to obtain the operation status of the network. The analysis is performed based on the data flow, the connection probability of the network cannot be analyzed, the session attack of the network cannot be detected, the abnormal session of the network cannot be analyzed, and the like.
In order to solve the above technical problems, embodiments of the present invention provide a method and an apparatus for analyzing session characteristic information creatively, which use a session as a basic analysis unit and provide important data information for implementing a comprehensive analysis of a network operation status, especially a comprehensive analysis of a session attack in a network.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a method for analyzing feature information according to an embodiment of the present invention, where the method includes:
s101: and acquiring a plurality of data messages in the session to be analyzed.
In network applications, a session refers to a communication interaction between two network devices during a certain operation time without interruption. A session may be established between a first network device and a second network device to transfer a plurality of data packets between the first network device and the second device. The quintuple information of a plurality of data messages of the same session has the following characteristics: the source IP addresses of a plurality of data messages of the same session are the IP addresses of first network equipment or the IP addresses of second network equipment, the destination IP addresses of a plurality of data messages of the same session are the IP addresses of the first network equipment or the IP addresses of the second network equipment, the source port numbers of a plurality of data messages of the same session are the port numbers of the first network equipment or the port numbers of the second network equipment, the destination port numbers of a plurality of data messages of the same session are the port numbers of the first network equipment or the port numbers of the second network equipment, and the adopted transport layer protocol numbers of a plurality of data messages of the same session are the same.
That is, the quintuple information of the data packet sent from the first network device to the second network device is (the IP address of the first network device, the port number of the first network device, the IP address of the second network device, the port number of the second network device, the transport layer protocol number), that is, the source IP address of the data packet sent from the first network device to the second network device is the IP address of the first network device, the source port number of the data packet sent from the first network device to the second network device is the port number of the first network device, the destination IP address of the data packet sent from the first network device to the second network device is the IP address of the second network device, and the destination port number of the data packet sent from the first network device to the second network device is the port number of the second network device, the transport layer protocol number of the data packet sent from the first network device to the second network device is the number of the transport layer protocol used for transmitting the data packet between the first network device and the second network device. 
Quintuple information of a data packet sent from the second network device to the first network device is (an IP address of the second network device, a port number of the second network device, an IP address of the first network device, a port number of the first network device, a transport layer protocol number), that is, a source IP address of the data packet sent from the second network device to the first network device is the IP address of the second network device, a source port number of the data packet sent from the second network device to the first network device is the port number of the second network device, a destination IP address of the data packet sent from the second network device to the first network device is the IP address of the first network device, a destination port number of the data packet sent from the second network device to the first network device is the port number of the first network device, the transport layer protocol number of the data packet sent from the second network device to the first network device is the number of the transport layer protocol used for transmitting the data packet between the first network device and the second network device. The data message sent from the first network device to the second network device is the same as the transport layer protocol number carried in the data message sent from the second network device to the first network device.
In the embodiment of the present invention, there are at least two possible implementation manners for obtaining the plurality of data packets in the session to be analyzed:
In a first possible implementation manner, the quintuple information of each data message is obtained from all received data messages, and the plurality of data messages of the session to be analyzed are then obtained from all received data messages based on the quintuple information of each data message.
The quintuple information of every received data message is analyzed, and all received data messages are grouped on that basis: the data messages sent from a first network device to a second network device and the data messages sent from the second network device to the first network device are placed in one group, the data messages in each group belong to the same session, and a plurality of sessions are finally obtained, where each session refers to the communication between two network devices. In practical application, at least one of the obtained sessions can be selected as a session to be analyzed, and the session characteristic information of that session is obtained.
When the plurality of data messages of a session to be analyzed are acquired, the two communicating parties of that session are the first network device and the second network device, and a data message whose source IP address is the IP address of the first network device, whose destination IP address is the IP address of the second network device, whose source port number is the port number of the first network device and whose destination port number is the port number of the second network device belongs to the session to be analyzed. The data messages of the session to be analyzed are thus obtained based on the quintuple information of the received data messages.
In a second possible implementation manner, the method further includes:
sampling all received data messages on a session basis to obtain data messages of a plurality of sampling sessions;
and the acquiring a plurality of data messages in the session to be analyzed includes:
acquiring the plurality of data messages of the session to be analyzed from the data messages of the plurality of sampling sessions.
In general, the number of received data messages is very large, so the received data messages are sampled before analysis. Because the embodiment of the invention provides a method for analyzing session characteristic information, all received data messages are sampled on a session basis, so that every data message belonging to a sampling session is sampled from all received data messages, and session-based characteristic information analysis can be realized.
Similar to the first possible implementation manner, the acquiring the data messages of the session to be analyzed from the data messages of the plurality of sampling sessions includes:
respectively acquiring the quintuple information of each data message from the data messages of the plurality of sampling sessions;
and acquiring the data messages of the session to be analyzed from the data messages of the plurality of sampling sessions based on the quintuple information of each data message.
In a first possible implementation manner, the data packets of the session to be analyzed are obtained from all received data packets, and in a second possible implementation manner, the data packets of the session to be analyzed are obtained from data packets of the multiple sampling sessions.
Analyzing quintuple information of each sampled data message for all sampled data messages, grouping all sampled data messages based on the quintuple information, and dividing a plurality of data messages sent from a first network device to a second network device and a plurality of data messages sent from the second network device to the first network device into a group, wherein the plurality of data messages in each group belong to the same session, and each session refers to communication between two network devices. In practical application, at least one obtained sampling session can be selected as a session to be analyzed for analysis, and session characteristic information of the session to be analyzed is obtained.
In one embodiment, in order to ensure that all data messages belonging to a sampling session are sampled, the sampling all received data messages on a session basis includes:
analyzing the quintuple information of each received data message;
calculating a positive hash value and a negative hash value of each received data message by using its quintuple information, wherein the positive hash value is the hash value calculated with the quintuple information of the received data message as input, and the negative hash value is the hash value calculated with the same quintuple information as input after the source IP address and destination IP address have exchanged positions and the source port number and destination port number have exchanged positions;
calculating a first remainder obtained by dividing the positive hash value by a preset sampling parameter in a preset session sampling template, and calculating a second remainder obtained by dividing the negative hash value by the preset sampling parameter in the session sampling template, wherein the preset sampling parameter is the denominator of the sampling proportion in the session sampling template;
judging whether the first remainder or the second remainder is a preset sampling remainder in the session sampling template;
and when the first remainder or the second remainder is a preset sampling remainder in the session sampling template, sampling the received data message.
Each received data message is analyzed to obtain its quintuple information. The source IP address, destination IP address, source port number, destination port number and transport layer protocol number are arranged into a character string in a preset order to form the input of a hash function, and the positive hash value is calculated; the positions of the source and destination IP addresses are then exchanged, the positions of the source and destination port numbers are exchanged, the transport layer protocol number stays in place, and the resulting second character string forms another input of the hash function, from which the negative hash value is calculated. The sampling proportion m/n in the preset session sampling template is obtained, the first remainder of the positive hash value divided by the denominator n of the sampling proportion and the second remainder of the negative hash value divided by n are calculated, and the data message is sampled when the first remainder or the second remainder is one of the sampling remainders in the session sampling template. The preset session sampling template comprises the sampling proportion m/n and m sampling remainders. The sampling proportion determines what fraction of the large number of received data messages is collected, and the sampling remainders make the sampling session-based.
For example: if the sampling proportion in the session sampling template is 3/1000, the denominator of the sampling proportion is 1000; the first remainder of the positive hash value divided by 1000 and the second remainder of the negative hash value divided by 1000 are calculated, so both remainders lie in the range 0 to 999. For a sampling proportion of 3/1000, three numbers in 0 to 999 are chosen as the sampling remainders of the session sampling template. Assuming that the three numbers 5, 386 and 857 are chosen, a data message is sampled when its first remainder or its second remainder is one of these sampling remainders. Of course, more than three numbers may also be chosen as sampling remainders.
It can be understood that the data messages sent from a first network device to a second network device and the data messages sent from the second network device to the first network device are placed in one group, the data messages in each group belong to the same session, and each session refers to the communication between two network devices. For different data messages in the same session, the hash values calculated from the quintuple information form the same pair of values, and so the same pair of remainders is obtained. Therefore, all data messages in one session can be extracted.
For example: suppose the positive hash value calculated from the quintuple information of a data message in one session is A, its negative hash value is B, the first remainder after division by the denominator of the sampling proportion is C, and the second remainder is D. The hash values calculated from the quintuple information of the other data messages in the session are also A and B, except that for some data messages the positive hash value is A and the negative hash value is B, while for others the positive hash value is B and the negative hash value is A; the remainders after division by the denominator of the sampling proportion are likewise C and D. When C or D is a sampling remainder in the preset session sampling template, the data message is sampled, and so are the other data messages in the session; when neither C nor D is a sampling remainder in the preset session sampling template, the data message is not sampled, and neither are the other data messages in the session.
Because the values of the quintuple fields are distributed very unevenly across their bit positions, bit groups that are distributed relatively evenly can be selected from each field of the quintuple to form the input character string of the hash function, so that session sampling is as uniform as possible. For example: a string of M contiguous bits from the IP address, a string of N contiguous bits from the port number and a string of P contiguous bits from the transport layer protocol number are selected from the quintuple information and combined into an M + N + P bit character string as the input of the hash function, where M, N and P are integers greater than 0. In practical applications, a CRC16 hash function may be selected to calculate the hash value.
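The sampling procedure above, worked through in Python as an added example that is not part of the patent: the positive and negative hashes are computed from the 5-tuple, each is reduced modulo the denominator n, and a packet is kept when either remainder is in the template, so both directions of a session get the same decision. The CRC-16/CCITT-FALSE variant, the bits taken from each field (low 16 bits of each IPv4 address, full ports, 8-bit protocol) and the sample addresses are assumptions made here.

```python
"""Session-based sampling with a positive (forward) and negative (reverse) 5-tuple hash.

Added example, not the patent's own code.  Assumptions: CRC-16/CCITT-FALSE
stands in for the 'CRC16 hash function'; the bits taken from each field are
the low 16 bits of each IPv4 address, the full 16-bit ports and the 8-bit
protocol number; all addresses and ports below are constructed sample values.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # transport layer protocol number: 6 = TCP, 17 = UDP

class SamplingTemplate(NamedTuple):
    """Sampling proportion m/n: `denominator` is n, `remainders` holds the m
    chosen sampling remainders, each in the range 0..n-1."""
    denominator: int
    remainders: Set[int]

def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF, no reflection)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def hash_input(src_ip: str, src_port: int, dst_ip: str, dst_port: int, proto: int) -> bytes:
    """Concatenate the M + N + P bits taken from the 5-tuple (M = 16 bits of each
    address, N = 16 bits of each port, P = 8 bits of protocol) into the hash input."""
    src = int(ipaddress.ip_address(src_ip)) & 0xFFFF
    dst = int(ipaddress.ip_address(dst_ip)) & 0xFFFF
    return (src.to_bytes(2, "big") + src_port.to_bytes(2, "big")
            + dst.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
            + bytes([proto & 0xFF]))

def forward_hash(t: FiveTuple) -> int:
    """Positive hash: the 5-tuple fields in their original order."""
    return crc16(hash_input(t.src_ip, t.src_port, t.dst_ip, t.dst_port, t.proto))

def reverse_hash(t: FiveTuple) -> int:
    """Negative hash: source/destination addresses and ports exchanged, protocol unchanged."""
    return crc16(hash_input(t.dst_ip, t.dst_port, t.src_ip, t.src_port, t.proto))

def should_sample(t: FiveTuple, template: SamplingTemplate) -> bool:
    """Sample the packet when either remainder is one of the sampling remainders.
    A packet and its reply swap the two hashes, so both directions of a session
    yield the same pair of remainders and therefore the same decision."""
    first = forward_hash(t) % template.denominator
    second = reverse_hash(t) % template.denominator
    return first in template.remainders or second in template.remainders

def session_key(t: FiveTuple) -> Tuple:
    """Direction-independent session identifier: both endpoints (sorted) plus protocol."""
    ends = sorted([(t.src_ip, t.src_port), (t.dst_ip, t.dst_port)])
    return (ends[0], ends[1], t.proto)

def sample_by_session(packets: Iterable[FiveTuple],
                      template: SamplingTemplate) -> Dict[Tuple, List[FiveTuple]]:
    """Apply the template to every packet and group the sampled ones by session."""
    sampled: Dict[Tuple, List[FiveTuple]] = defaultdict(list)
    for p in packets:
        if should_sample(p, template):
            sampled[session_key(p)].append(p)
    return dict(sampled)

def sessions_are_whole(packets: List[FiveTuple], template: SamplingTemplate) -> bool:
    """The property the text relies on: every session is sampled entirely or not at all."""
    sampled = sample_by_session(packets, template)
    totals: Dict[Tuple, int] = defaultdict(int)
    for p in packets:
        totals[session_key(p)] += 1
    return all(len(sampled.get(key, [])) in (0, total) for key, total in totals.items())

# Constructed sample traffic (documentation addresses, not a real capture):
# two sessions, each seen in both directions.
PACKETS = [
    FiveTuple("192.0.2.10", 40000, "198.51.100.5", 53, 17),   # client -> DNS server
    FiveTuple("198.51.100.5", 53, "192.0.2.10", 40000, 17),   # DNS server -> client
    FiveTuple("192.0.2.11", 50000, "198.51.100.8", 443, 6),   # client -> web server
    FiveTuple("198.51.100.8", 443, "192.0.2.11", 50000, 6),   # web server -> client
]

# The 3/1000 template from the text: denominator 1000, sampling remainders 5, 386, 857.
TEMPLATE_3_PER_1000 = SamplingTemplate(1000, {5, 386, 857})
```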
S102: extracting a characteristic value of preset session characteristics from each data message.
The plurality of data messages of the session to be analyzed are analyzed, and the characteristic value of the preset session characteristic is extracted. The characteristic value of the preset session characteristic is extracted from each data message in one session, and the characteristic values extracted from all data messages are analyzed to obtain the session characteristic information of the preset session characteristic of that session. When analyzing the preset session characteristic of a session, the characteristic values of the preset session characteristic extracted from all data messages in the session must be used as the basis of the analysis, that is, the characteristic values carried in all data messages in the session are treated as a whole. If only the characteristic values carried in part of the data messages in a session are analyzed, the session characteristic information of the preset session characteristic of that session cannot be obtained.
For example, the preset session characteristics may include one or more of the following: the number of uplink data messages of the session, the number of downlink data messages of the session, the number of each Transmission Control Protocol (TCP) flag bit in the session, the reason for session termination, the length of the largest data message, the length of the smallest data message, the transmission speed of the session's uplink messages, the transmission speed of its downlink messages, the numbers of echo messages and echo reply messages in an Internet Control Message Protocol (ICMP) session, and the like. It should be noted that, besides the preset session characteristics listed above, there are many other preset session characteristics that use a session as the basic analysis unit; the preset session characteristics may be session characteristic indexes selected, according to actual needs, from the session characteristic indexes extended in the IPFIX protocol, or may be characteristics set by the user according to actual needs, and details are not described here.
In one embodiment, before extracting the characteristic value of the preset session characteristic from each data message, the method includes:
acquiring a session characteristic index configured in the IP Flow Information Export (IPFIX) protocol as the preset session characteristic.
The preset session feature is a session feature configured in an IP Flow Information Export (IPFIX) protocol. IPFIX is a standard protocol published by The Internet Engineering Task Force (IETF) for flow information measurement in networks. The IPFIX protocol provides an output standard for data stream characteristic information, and the original IPFIX protocol index is used for describing the data stream. In the embodiment of the invention, in order to output the session characteristic information by adopting the IPFIX protocol, the indexes in the original IPFIX protocol are expanded, and a plurality of session characteristic indexes for describing the session are added. Configuring the session features to be counted in the IPFIX protocol as preset session features. When the session characteristic indexes are extended to the IPFIX protocol, the session characteristic indexes used for analyzing the following session states are mainly extended: session server latency, session anomalies, incomplete sessions, hypertext transfer protocol HTTP session errors, and the like.
As shown in table 1, a plurality of session characteristic indicators for describing a session extended in IPFIX protocol are illustrated:
TABLE 1 Session feature indicators extended in IPFIX protocol
[Table 1 is provided only as an image in the source publication; its contents are not reproduced here.]
Table 1 only illustrates session characteristic indicators expanded in several IPFIX protocols, and other session characteristic indicators describing sessions may also be expanded in the IPFIX protocols according to actual needs, and the session characteristic indicators may be selected as preset session characteristics, which is not described in detail herein.
Besides the several session characteristic indicators shown in table 1, which are extended in the IPFIX protocol, there are also session characteristic indicators in the original IPFIX protocol that can be used to describe the session. As shown in table 2.
TABLE 2 original Session feature indicators in IPFIX protocol
[Table 2 is provided only as an image in the source publication; its contents are not reproduced here.]
Table 2 only illustrates several of the original session characteristic indicators in the IPFIX protocol; other original session characteristic indicators describing sessions in the IPFIX protocol may also be analyzed according to actual needs, which is not described in detail here.
Each data message in the session to be analyzed is analyzed according to the preset session characteristics, and the characteristic value of the preset session characteristic is extracted from the information carried by each data message. For example: when the preset session characteristics are the uplink byte number and downlink byte number of the session, the byte number of each data message in the session to be analyzed is extracted; when the preset session characteristic is the number of TCP session flag bits, the TCP flag bits carried in each data message of the session to be analyzed are extracted. Extracting the characteristic values of other preset session characteristics from each data message of the session to be analyzed is similar to the above examples and is carried out according to the actual situation, which is not described in detail here.
When extracting the characteristic value of the preset session characteristic from each data message, depending on the number of preset session characteristics, only the characteristic value of one preset session characteristic may be extracted from each data message of the session to be analyzed, or the characteristic values of a plurality of preset session characteristics may be extracted at the same time, which is not specifically limited here.
S103: counting the characteristic values to obtain the session characteristic information of the session to be analyzed.
After the characteristic value of the preset session characteristic has been extracted from each data message of the session to be analyzed, the characteristic values are counted to obtain the session characteristic information of the preset session characteristic of the session to be analyzed.
For example: when the preset session characteristics are the uplink byte number and downlink byte number of the session, the byte numbers of the uplink data messages are summed to obtain the uplink byte number, and the byte numbers of the downlink data messages are summed to obtain the downlink byte number; when the preset session characteristic is the number of TCP session flag bits, each TCP flag bit extracted from the data messages is counted separately to obtain the number of each TCP flag bit. In addition, the preset session characteristics may also be the number of uplink data messages and the number of downlink data messages of the session, which are counted separately according to the source IP address and destination IP address of the messages of the session to be analyzed; or the preset session characteristic may be the number of TCP flag bits, where the number of each TCP flag bit is counted according to the flag bits carried by the data messages.
It should be noted that, in addition to the above example, the feature values of other preset session features may be counted to obtain session feature information of other preset session features, which is not described in detail herein.
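The grouping by quintuple (first implementation manner) together with S102 and S103, as an added Python example that is not the patent's own code: packets are grouped into sessions, each packet's feature values are extracted, and they are accumulated into the session's uplink/downlink message and byte counts, message length extremes, per-flag TCP counts and ICMP echo/echo-reply counts. The packet layout, the rule that the sender of a session's first packet is its "first network device" (the uplink direction), and the sample packets are assumptions made here.

```python
"""Extracting per-packet feature values (S102) and counting them into session
characteristic information (S103) after grouping packets into sessions by 5-tuple.

Added example, not the patent's own code.  Assumptions: the packet fields
shown, the rule that the sender of a session's first packet is its 'first
network device' (so its packets are the uplink), and the constructed packets.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP, ICMP = 6, 1
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

@dataclass
class Packet:
    src_ip: str
    src_port: int                    # 0 for ICMP, which has no ports
    dst_ip: str
    dst_port: int
    proto: int
    length: int                      # total packet length in bytes
    tcp_flags: int = 0               # raw TCP flag byte; TCP only
    icmp_type: Optional[int] = None  # ICMP only

@dataclass
class SessionFeatures:
    """Session characteristic information accumulated from all packets of one session."""
    first_device: Tuple[str, int]
    second_device: Tuple[str, int]
    proto: int
    uplink_packets: int = 0
    downlink_packets: int = 0
    uplink_bytes: int = 0
    downlink_bytes: int = 0
    max_packet_len: int = 0
    min_packet_len: Optional[int] = None
    tcp_flag_counts: Counter = field(default_factory=Counter)
    icmp_echo: int = 0
    icmp_echo_reply: int = 0

def session_key(p: Packet) -> Tuple:
    """Direction-independent session identifier built from the 5-tuple."""
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (ends[0], ends[1], p.proto)

def extract_and_count(packets: List[Packet]) -> Dict[Tuple, SessionFeatures]:
    """Group packets into sessions, extract each packet's feature values and
    accumulate them; only the complete set of packets yields the session's values."""
    sessions: Dict[Tuple, SessionFeatures] = {}
    for p in packets:
        key = session_key(p)
        s = sessions.get(key)
        if s is None:
            # The first packet seen defines the uplink (first -> second device) direction.
            s = SessionFeatures((p.src_ip, p.src_port), (p.dst_ip, p.dst_port), p.proto)
            sessions[key] = s
        if (p.src_ip, p.src_port) == s.first_device:
            s.uplink_packets += 1
            s.uplink_bytes += p.length
        else:
            s.downlink_packets += 1
            s.downlink_bytes += p.length
        s.max_packet_len = max(s.max_packet_len, p.length)
        s.min_packet_len = p.length if s.min_packet_len is None else min(s.min_packet_len, p.length)
        if p.proto == TCP:
            for name, bit in TCP_FLAGS.items():
                if p.tcp_flags & bit:
                    s.tcp_flag_counts[name] += 1
        elif p.proto == ICMP:
            if p.icmp_type == ICMP_ECHO_REQUEST:
                s.icmp_echo += 1
            elif p.icmp_type == ICMP_ECHO_REPLY:
                s.icmp_echo_reply += 1
    return sessions

# Constructed sample traffic: one complete TCP session (handshake, data, close)
# and one ICMP session in which one echo request goes unanswered.
C, S, H = "192.0.2.20", "198.51.100.9", "192.0.2.30"
SAMPLE_PACKETS = [
    Packet(C, 51000, S, 443, TCP, 60, tcp_flags=0x02),    # client SYN
    Packet(S, 443, C, 51000, TCP, 60, tcp_flags=0x12),    # server SYN-ACK
    Packet(C, 51000, S, 443, TCP, 52, tcp_flags=0x10),    # client ACK
    Packet(C, 51000, S, 443, TCP, 500, tcp_flags=0x18),   # client request (PSH-ACK)
    Packet(S, 443, C, 51000, TCP, 1400, tcp_flags=0x10),  # server response data
    Packet(C, 51000, S, 443, TCP, 52, tcp_flags=0x11),    # client FIN-ACK
    Packet(S, 443, C, 51000, TCP, 52, tcp_flags=0x11),    # server FIN-ACK
    Packet(C, 51000, S, 443, TCP, 52, tcp_flags=0x10),    # client final ACK
    Packet(H, 0, S, 0, ICMP, 84, icmp_type=ICMP_ECHO_REQUEST),
    Packet(S, 0, H, 0, ICMP, 84, icmp_type=ICMP_ECHO_REPLY),
    Packet(H, 0, S, 0, ICMP, 84, icmp_type=ICMP_ECHO_REQUEST),
]
```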
In one embodiment, before extracting the characteristic value of the preset session characteristic from each data message, the method includes: acquiring a session characteristic index configured in the IP Flow Information Export (IPFIX) protocol as the preset session characteristic.
That is, when the preset session characteristic is a session characteristic configured in the IPFIX protocol, the method further comprises:
outputting the characteristic information of the session to be analyzed in the standard format of the IPFIX protocol.
The standard output format of the session characteristic information is defined in the IPFIX protocol, and technical personnel can conveniently extract and check the session characteristic information. In the embodiment of the present invention, Cisco Netflow Version 9 is used as an example, and standard output formats of other versions may also be used, which are not described in detail herein. FIG. 2 is a diagram illustrating an IPFIX protocol packet format according to an embodiment of the present invention; table 3 shows one of the output templates of the data standard output format Netflow V9 version of the IPFIX protocol.
TABLE 3 output template of data Standard output Format Netflow V9 version of IPFIX protocol
[Table 3 is provided only as an image in the source publication; its contents are not reproduced here.]
When the session feature information is output, standard output formats of other versions in the IPFIX protocol can be adopted, other output templates in the Cisco Netflow Version 9 Version can be adopted, and the standard output formats are selected according to actual conditions, and are not described herein again.
As can be seen from the above, the embodiments of the present invention have the following advantages:
The embodiment of the invention creatively provides a characteristic information analysis method, which acquires a plurality of data messages in a session to be analyzed and extracts a characteristic value of preset session characteristics from each data message; in the embodiment of the invention, the session is taken as the basic analysis unit, so that the session is analyzed as a whole and session characteristic information that comprehensively reflects the session is obtained.
Fig. 3 is a flowchart of a network attack detection method provided in an embodiment of the present invention, where the method includes:
S301: analyzing the session characteristic information of all sessions to be analyzed that is acquired within a preset time interval.
The session characteristic information is obtained by analysis with the characteristic information analysis method provided by the embodiment of the present invention shown in fig. 1; reference is made to the detailed description of the characteristic information analysis method shown in fig. 1, which is not repeated here.
S302: detecting the network session attack within the preset time interval according to the session characteristic information.
The session characteristic information of all sessions to be analyzed obtained by analyzing within the preset time interval is acquired in S301, and whether a network session attack exists within the preset time interval can be detected by comprehensively analyzing the session characteristic information of all sessions to be analyzed. It will be appreciated that different kinds of network session attacks may be detected by analyzing different session characteristics.
There are at least four possible implementation manners for detecting the network session attack within the preset time interval according to the session feature information, and the four possible implementation manners are described below.
In a first possible implementation manner, the detecting, according to the session feature information, a network session attack within the preset time interval includes:
counting a first proportion of incomplete sessions in all sessions to be analyzed, which are acquired within the preset time interval, according to the session characteristic information;
judging whether the first proportion exceeds a first preset threshold value or not;
and when the first proportion of incomplete sessions exceeds the first preset threshold value, identifying a network session attack within the preset time interval.
The number of incomplete sessions is counted according to the session characteristic information, and when a large number of incomplete sessions appear within the preset time interval, this indicates that a network session attack has appeared within the preset time interval. The first preset threshold value may be set according to the actual situation; for example, it may be set to 60%, and when incomplete sessions exceed 60% within the preset time interval, this indicates that a network session attack has occurred. At this point, the attack type, attack source device, attack target device and the like of the network session attack may be analyzed according to the session characteristic information.
In the first possible implementation manner, the definition of an incomplete session, and the type of session attack identified, differ according to the type of session characteristic information obtained for the sessions to be analyzed.
Scenario one: the session characteristic information includes the number of uplink data messages and the number of downlink data messages;
an incomplete session is a session to be analyzed whose number of uplink data messages is greater than 1 and whose number of downlink data messages is 0.
When a large number of incomplete sessions that have only uplink data messages and no downlink data messages exist within the preset time interval, a DNS session attack is likely to have occurred within the preset time interval.
Scenario two: the session characteristic information includes Transmission Control Protocol (TCP) flag bits;
an incomplete session is a session to be analyzed whose TCP flag bits are incomplete.
When a large number of sessions to be analyzed with incomplete TCP flag bits exist within the preset time interval, a TCP Flood attack is likely to have occurred within the preset time interval.
Besides these two scenarios, other session characteristic information may also describe incomplete sessions, and the type of session attack suffered is analyzed according to that session characteristic information, which is not described here again.
In a second possible implementation manner, the session characteristic information includes the number of echo messages and the number of echo reply messages in an Internet Control Message Protocol (ICMP) session;
the detecting the network session attack within the preset time interval according to the session characteristic information includes:
counting, according to the session characteristic information, a second proportion, namely the proportion of echo messages to echo reply messages in the ICMP sessions acquired within the preset time interval;
judging whether the second proportion is within a preset numerical range;
and when the second proportion is not within the preset numerical range, identifying an ICMP protocol session attack within the preset time interval.
For an Internet Control Message Protocol (ICMP) session, the numbers of echo messages and echo reply messages in the session should theoretically be the same: for every echo message there should be one echo reply message. In practical application, the proportion of echo messages to echo reply messages in an ICMP session should be approximately 1, so the preset numerical range may be set to 0.8-1.2. Of course, the preset numerical range may also be set to other ranges, as long as it ensures that the numbers of echo messages and echo reply messages in the ICMP session do not differ greatly.
When the second proportion of echo messages to echo reply messages falls outside the preset numerical range, the number of echo messages is far larger than the number of echo reply messages, or the number of echo reply messages is far larger than the number of echo messages, and an ICMP network attack within the preset time interval is identified.
In a third possible implementation manner, the detecting, according to the session feature information, a network session attack within the preset time interval includes:
counting, according to the session characteristic information, the number of denial-of-service sessions within the preset time interval, wherein a denial-of-service session is a session to be analyzed whose session characteristic information contains HTTP error code information;
judging whether the number of denial-of-service sessions exceeds a second preset threshold value;
and when the number of denial-of-service sessions exceeds the second preset threshold value, identifying a CC session attack within the preset time interval.
When the session characteristic information of a session to be analyzed contains HTTP error code information, that session is an HTTP denial-of-service session. The number of HTTP denial-of-service sessions is counted according to the session characteristic Application Error Code, and when a large number of denial-of-service sessions appear within the preset time interval, it is identified that a CC (Challenge Collapsar) session attack may exist in the network.
In a fourth possible implementation manner, the detecting, according to the session feature information, a network session attack within the preset time interval includes:
judging whether the session characteristic information of each session to be analyzed collected within the preset time interval contains session fragmentation anomaly information, which comprises any one or more of: fragment incompleteness, fragment overlap and fragment flag bit error;
and when the session characteristic information of the session to be analyzed contains session fragmentation anomaly information, identifying the session to be analyzed as a fragment attack session within the preset time interval.
When the session characteristic information of a session to be analyzed contains fragmentation anomaly information, that session is a fragmentation anomaly session. When a large number of fragmentation anomaly sessions occur within the preset time interval, it is recognized that a fragment attack may exist in the network.
The fragmentation anomaly information includes:
Fragment Incomplete, the fragment is incomplete, namely a certain fragment is missing from the session;
Fragment Offset Error, the fragments overlap, that is, the previous fragment and the next fragment carry overlapping data;
Fragment Flag Error, namely flag bits in different fragments are set to 1 at the same time.
In addition, the fragmentation anomaly information further includes: the first fragment is too short, i.e. the first fragment is smaller than 1400 bytes; the fragment is too long, i.e. a fragment carrying the fragment identifier exceeds 1500 bytes. Other fragmentation anomaly information may also be present, and is not described in detail here.
Besides the four possible implementation manners, detecting the network session attack within the preset time interval according to the session characteristic information may also count the reasons for session termination and identify that a network session attack may exist when a large number of session terminations appear within the preset time interval; may count the maximum and minimum message lengths and identify that a network session attack may exist when the maximum and minimum message lengths of a large number of sessions to be analyzed are essentially the same; or may count the uplink and downlink data transmission rates of the sessions to be analyzed to assist in identifying the network session attack.
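The four implementation manners and the fragment anomaly list, as added Python detection logic that is not the patent's own code, run over constructed session characteristic records for one time interval. The 60% threshold and the 0.8-1.2 range follow the text; the record layout, the denial-of-service session threshold and the reading of "incomplete TCP flag bits" as a SYN without any ACK are assumptions made here.

```python
"""Detecting network session attacks from the session characteristic
information collected in one preset time interval, following the four
implementation manners described above and the fragment anomaly list.

Added example, not the patent's own code.  The record layout and sample
records are constructed; the 60% incomplete-session threshold and the
0.8-1.2 echo/reply range come from the text; the denial-of-service session
threshold is an assumption, as is reading 'incomplete TCP flag bits' as a
session that carries a SYN but never an ACK.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class SessionRecord:
    """One session's characteristic information (a subset of the IPFIX fields)."""
    uplink_packets: int = 0
    downlink_packets: int = 0
    tcp_flag_counts: Dict[str, int] = field(default_factory=dict)
    icmp_echo: int = 0
    icmp_echo_reply: int = 0
    http_error_code: Optional[int] = None        # Application Error Code, if any
    fragment_anomalies: List[str] = field(default_factory=list)

def incomplete_by_direction(s: SessionRecord) -> bool:
    """Scenario one: more than one uplink message and no downlink message at all."""
    return s.uplink_packets > 1 and s.downlink_packets == 0

def incomplete_by_tcp_flags(s: SessionRecord) -> bool:
    """Scenario two (assumed reading): a SYN was seen but no ACK ever followed."""
    return s.tcp_flag_counts.get("SYN", 0) > 0 and s.tcp_flag_counts.get("ACK", 0) == 0

def incomplete_ratio(records: List[SessionRecord],
                     predicate: Callable[[SessionRecord], bool]) -> float:
    """First proportion: the share of sessions in the interval that are incomplete."""
    if not records:
        return 0.0
    return sum(1 for s in records if predicate(s)) / len(records)

def detect_incomplete_session_attack(records: List[SessionRecord],
                                     predicate: Callable[[SessionRecord], bool],
                                     threshold: float = 0.6) -> bool:
    """First manner: alert when the incomplete-session proportion exceeds the threshold."""
    return incomplete_ratio(records, predicate) > threshold

def detect_icmp_attack(records: List[SessionRecord], low: float = 0.8, high: float = 1.2) -> bool:
    """Second manner: the echo/echo-reply proportion should stay near 1."""
    echo = sum(s.icmp_echo for s in records)
    reply = sum(s.icmp_echo_reply for s in records)
    if echo == 0 and reply == 0:
        return False            # no ICMP traffic in the interval
    if reply == 0:
        return True             # every echo unanswered: the proportion is unbounded
    return not (low <= echo / reply <= high)

def count_denial_of_service_sessions(records: List[SessionRecord]) -> int:
    """Sessions whose characteristic information carries an HTTP error code."""
    return sum(1 for s in records if s.http_error_code is not None)

def detect_cc_attack(records: List[SessionRecord], threshold: int) -> bool:
    """Third manner: too many denial-of-service sessions in the interval."""
    return count_denial_of_service_sessions(records) > threshold

def fragment_attack_sessions(records: List[SessionRecord]) -> List[int]:
    """Fourth manner: indexes of sessions carrying fragment anomaly information."""
    return [i for i, s in enumerate(records) if s.fragment_anomalies]

def detect_all(records: List[SessionRecord], cc_threshold: int = 5) -> Dict[str, bool]:
    """Run every detector over the interval's records and report which ones fired."""
    return {
        "dns_session_attack": detect_incomplete_session_attack(records, incomplete_by_direction),
        "tcp_flood": detect_incomplete_session_attack(records, incomplete_by_tcp_flags),
        "icmp_attack": detect_icmp_attack(records),
        "cc_attack": detect_cc_attack(records, cc_threshold),
        "fragment_attack": bool(fragment_attack_sessions(records)),
    }

# Constructed records for one interval: ten DNS-like sessions that got no answer,
# two normal TCP sessions, one ICMP session with mostly unanswered echos,
# two sessions with HTTP 503 errors and one with a missing fragment.
INTERVAL_RECORDS = (
    [SessionRecord(uplink_packets=3, downlink_packets=0) for _ in range(10)]
    + [SessionRecord(uplink_packets=5, downlink_packets=4,
                     tcp_flag_counts={"SYN": 2, "ACK": 8, "FIN": 2}) for _ in range(2)]
    + [SessionRecord(uplink_packets=50, downlink_packets=2, icmp_echo=50, icmp_echo_reply=2)]
    + [SessionRecord(uplink_packets=4, downlink_packets=4, tcp_flag_counts={"SYN": 2, "ACK": 6},
                     http_error_code=503) for _ in range(2)]
    + [SessionRecord(uplink_packets=6, downlink_packets=6,
                     fragment_anomalies=["Fragment Incomplete"])]
)
```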
Optionally, the session feature information in the embodiment of the present invention may be output information in a standard output format in the IPFIX protocol. It should be noted that there are many types of session feature information, which are not listed here, and different types of session feature information can identify different types of network session attacks.
In one embodiment, the method further comprises:
when the network session attack within the preset time interval is detected, generating an attack event according to the session characteristic information of the session to be analyzed;
and generating an attack suppression strategy according to the attack event.
When a network session attack is identified, an attack event may be generated based on the session characteristic information. By analyzing the attack event, an attack suppression strategy can be generated, and information such as the attack source device, the attacked service and the attacked device can be identified.
An application scenario of the network attack detection method provided by the embodiment of the present invention shown in fig. 3 is illustrated below.
Application scenario one, attack detection in Software Defined Network (SDN):
Switches in an SDN network: sampling all received data messages on a session basis to obtain data messages of a plurality of sampling sessions; acquiring a plurality of data messages of the session to be analyzed from the data messages of the sampling sessions; extracting a characteristic value of preset session characteristics from each data message; and counting the characteristic value to obtain session characteristic information of the session to be analyzed, and outputting the session characteristic information to attack detection equipment in the SDN network in the standard format of the IPFIX protocol.
Attack detection equipment in an SDN network: analyzing session characteristic information of all sessions to be analyzed acquired within a preset time interval, detecting network session attacks within the preset time interval according to the session characteristic information, generating an attack event when the network session attacks are identified, and sending the attack event to an SDN network controller.
An SDN network controller: generating an attack suppression strategy according to the received attack event, and issuing the strategy to the switches in the SDN network to suppress the session attack in the SDN network.
Application scenario two:
receiving a large amount of session characteristic information output by the standard format of the IPFIX protocol;
counting a large amount of session characteristic information by using distributed equipment and adopting a CUSUM algorithm;
analyzing the statistical result to detect the session attack.
When the session characteristic information is counted, the number of concurrent network sessions, session server delay, session call completion rate and abnormal sessions can be counted. When a session attack is detected, the method can also identify information such as the attack source device, the attack agent device, the attack service type and the attacked device. It should be noted that, when a large amount of session feature information is counted, other statistical methods may also be used, and are not described here again.
From the above, the embodiments of the present invention have the following advantages:
the embodiment of the invention also provides a network attack detection method and a network attack detection system, which are used for detecting the network session attack in the preset time interval according to the session characteristic information of the session to be analyzed, which is acquired in the preset time interval, so that the problem that the session attack in the network cannot be detected based on the characteristic information of the data stream in the prior art is solved, the effective detection of the session attack in the network is realized, and the completeness of the network attack detection is improved.
Fig. 4 is a schematic structural diagram of a feature information analysis apparatus according to an embodiment of the present invention, where the apparatus includes:
a first obtaining unit 401, configured to obtain multiple data packets in a session to be analyzed.
In one embodiment, the first obtaining unit 401 includes:
the first obtaining subunit is configured to obtain five-tuple information of each data packet from all received data packets;
and the second obtaining subunit is configured to obtain, based on the quintuple information of each data packet, the data packet of the session to be analyzed from all the received data packets.
In another embodiment, the apparatus further comprises:
a sampling unit, which is used for sampling all the received data messages on the basis of sessions to obtain data messages of a plurality of sampling sessions;
the first obtaining unit 401 is specifically configured to obtain multiple data packets of the session to be analyzed from the data packets of the multiple sampling sessions.
The first acquisition unit 401 includes:
a third obtaining subunit, configured to obtain five-tuple information of each data packet from the data packets of the multiple sampling sessions, respectively;
and a fourth obtaining subunit, configured to obtain, based on the quintuple information of each data packet, the data packet of the session to be analyzed from the data packets of the multiple sampling sessions.
The sampling unit includes:
the analysis subunit is used for analyzing the quintuple information of each received data message;
a first calculating subunit, configured to calculate a positive hash value and a negative hash value of the received data packet by using the quintuple information, where the positive hash value is a hash value calculated by taking the quintuple information of the received data packet as input, and the negative hash value is a hash value calculated by taking as input the source IP address and the destination IP address in the quintuple information of the received data packet together with the source port number and the destination port number after they are transposed;
the second calculating subunit is configured to calculate a first remainder obtained by dividing the positive hash value by a preset sampling parameter in a preset session sampling template, and to calculate a second remainder obtained by dividing the negative hash value by the preset sampling parameter in the session sampling template, where the preset sampling parameter is the denominator of the sampling ratio in the session sampling template;
the judging subunit is used for judging whether the first remainder or the second remainder is a preset sampling remainder in the session sampling template;
and the sampling subunit is used for sampling the received data message when the first remainder or the second remainder is a preset sampling remainder in the session sampling template.
An extracting unit 402, configured to extract a feature value of a preset session feature from each data packet.
A statistic unit 403, configured to count the feature values to obtain session feature information of the session to be analyzed.
In a specific embodiment, the apparatus further comprises:
and the second acquisition unit is used for acquiring the session characteristics configured in the IPFIX protocol as the preset session characteristics.
In a specific embodiment, the apparatus further comprises:
and the output unit is used for outputting the characteristic information of the session to be analyzed by adopting the standard format of the IPFIX protocol.
The characteristic information analysis apparatus shown in fig. 4 is an apparatus corresponding to the characteristic information analysis method shown in fig. 1, and is described with reference to the characteristic analysis method described in fig. 1, and will not be described again here.
Fig. 5 is a schematic structural diagram of a network attack detection system provided in an embodiment of the present invention, where the system includes:
the feature analysis device 501 shown in fig. 4 is configured to analyze session feature information of all sessions to be analyzed, which is acquired within a preset time interval.
A detecting device 502, configured to detect a network session attack within the preset time interval according to the session feature information.
A first possible structure of the detecting device 502 includes:
the first counting unit is used for counting a first proportion of incomplete sessions in all sessions to be analyzed, which are acquired within the preset time interval, according to the session characteristic information;
the first judging unit is used for judging whether the first proportion exceeds a first preset threshold value or not;
the first identification unit is used for identifying the network session attack in the preset time interval when the first proportion occupied by the incomplete session exceeds a first preset threshold value.
In a first possible configuration, scenario one:
the session characteristic information comprises the byte number of an uplink message and the byte number of a downlink message;
the incomplete session is a to-be-analyzed session with the number of the uplink data messages being greater than 1 and the number of the downlink data messages being 0.
In a first possible configuration, scenario two:
the session characteristic information comprises Transmission Control Protocol (TCP) flag bits;
the incomplete session is a session to be analyzed whose TCP flag bits are incomplete.
The second possible structure of the detecting device 502 includes:
the session characteristic information comprises the number of echo messages and the number of echo reply messages in an Internet Control Message Protocol (ICMP) session;
a second counting unit, configured to count, according to the session feature information, a second ratio of echo messages to echo reply messages in the ICMP sessions acquired within the preset time interval;
a second judging unit, configured to judge whether the second ratio is within a preset value range;
and the second identification unit is used for identifying the ICMP session attack in the preset time interval when the second proportion is not in a preset numerical range.
A third possible structure of the detecting device 502 includes:
a third counting unit, configured to count, according to the session feature information, the number of denial-of-service sessions in the preset time interval, where a denial-of-service session is a session to be analyzed whose session feature information includes HTTP error code information;
a third judging unit, configured to judge whether the number of denial-of-service sessions exceeds a second preset threshold;
and a third identifying unit, configured to identify a CC session attack within the preset time interval when the number of denial-of-service sessions exceeds the second preset threshold.
A fourth possible structure of the detecting device 502 includes:
a fourth judging unit, configured to judge whether session feature information of each session to be analyzed, which is acquired within the preset time interval, includes session fragment exception information, where the session fragment exception information includes any one or more of incomplete fragments, overlapping fragments, and an error in a fragment flag bit;
and the fourth identification unit is used for identifying the session to be analyzed as a fragment attack session within the preset time interval when the session characteristic information of the session to be analyzed contains session fragment abnormal information.
In one embodiment, the system further comprises:
the defense device is used for generating an attack event according to the session characteristic information of the session to be analyzed when the network session attack within the preset time interval is detected; and generating an attack suppression strategy according to the attack event.
The system further comprises:
and the attack identification device is used for identifying the attack source equipment, the attack service and the attacked equipment according to the attack event.
In practical application, the session feature information adopts a standard output format of an IPFIX protocol.
The network attack detection system shown in fig. 5 is a system corresponding to the network attack detection method shown in fig. 2, and reference is made to the description in the network attack detection method described in fig. 2, which is not described herein again.
Referring to fig. 6, fig. 6 is a schematic diagram of a hardware structure of a feature information analysis apparatus according to an embodiment of the present invention, where the feature information analysis apparatus includes a memory 601, and a processor 602 connected to the memory 601, where the memory 601 is used to store a set of program instructions, and the processor 602 is used to call the program instructions stored in the memory 601 to perform the following operations:
acquiring a plurality of data messages in a session to be analyzed;
extracting a characteristic value of preset session characteristics from each data message;
counting the characteristic value to obtain session characteristic information of the session to be analyzed;
optionally, before extracting the feature value of the preset session feature from each data packet, the method includes:
acquiring a session characteristic index configured in the IP Flow Information Export (IPFIX) protocol as the preset session characteristic;
optionally, the method further includes:
outputting the characteristic information of the session to be analyzed by adopting the standard format of the IPFIX protocol;
optionally, the acquiring a plurality of data messages in the session to be analyzed includes:
respectively acquiring quintuple information of each data message from all received data messages;
acquiring a plurality of data messages of the session to be analyzed from all received data messages based on the quintuple information of each data message;
optionally, before acquiring the plurality of data packets in the session to be analyzed, the method further includes:
sampling all received data messages on a session basis to obtain data messages of a plurality of sampling sessions;
the acquiring a plurality of data messages in the session to be analyzed includes:
acquiring a plurality of data messages of the session to be analyzed from the data messages of the sampling sessions;
optionally, the obtaining the data packets of the session to be analyzed from the data packets of the multiple sampling sessions includes:
respectively acquiring quintuple information of each data message from the data messages of the plurality of sampling sessions;
acquiring the data messages of the session to be analyzed from the data messages of the plurality of sampling sessions based on the quintuple information of each data message;
optionally, the sampling all the received data packets based on the session includes:
analyzing quintuple information of each received data message;
calculating a positive hash value and a negative hash value of the received data message by using the quintuple information, wherein the positive hash value is a hash value calculated by taking the quintuple information of the received data message as input, and the negative hash value is a hash value calculated by taking as input the source IP address and the destination IP address in the quintuple information of the received data message together with the source port number and the destination port number after their positions are exchanged;
calculating a first remainder obtained by dividing the positive hash value by a preset sampling parameter in a preset session sampling template, and calculating a second remainder obtained by dividing the negative hash value by the preset sampling parameter in the session sampling template, wherein the preset sampling parameter is a denominator of a sampling proportion in the session sampling template;
judging whether the first remainder or the second remainder is a preset sampling remainder in the session sampling template;
and when the first remainder or the second remainder is a preset sampling remainder in the session sampling template, sampling the received data message.
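The session-based sampling described above (also in the sampling unit of fig. 4 and in claims 6 and 21), as an added example that is not part of the patent or Huawei's implementation; the hash function, the five-tuple encoding, the reading of the negative hash as the five-tuple with both addresses and both ports swapped, and the sample traffic are all assumptions:

```python
"""Session-based packet sampling with a positive (forward) and negative (reverse) hash.

Added example, not Huawei's implementation: the hash function, the tuple
encoding, the reading of the negative hash as the five-tuple with both
addresses and both ports swapped, and the sample traffic are assumptions.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP

    def reverse(self) -> "FiveTuple":
        """The reply direction of the same session (assumed negative-hash input)."""
        return FiveTuple(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)

    def session_key(self) -> tuple:
        """Direction-independent key so both halves of a session group together."""
        a, b = (self.src_ip, self.src_port), (self.dst_ip, self.dst_port)
        return (min(a, b), max(a, b), self.proto)


@dataclass(frozen=True)
class SessionSamplingTemplate:
    sampling_parameter: int  # denominator N of the sampling ratio 1/N
    sampling_remainder: int  # residue class modulo N that is kept

    def __post_init__(self):
        if self.sampling_parameter < 1:
            raise ValueError("sampling parameter must be >= 1")
        if not 0 <= self.sampling_remainder < self.sampling_parameter:
            raise ValueError("sampling remainder must lie in [0, sampling parameter)")


def tuple_hash(t: FiveTuple) -> int:
    """Assumed hash: SHA-256 over a fixed-order encoding, truncated to 64 bits."""
    data = f"{t.src_ip}|{t.dst_ip}|{t.src_port}|{t.dst_port}|{t.proto}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def positive_hash(t: FiveTuple) -> int:
    """Hash of the five-tuple exactly as received."""
    return tuple_hash(t)


def negative_hash(t: FiveTuple) -> int:
    """Hash of the five-tuple with source and destination swapped."""
    return tuple_hash(t.reverse())


def should_sample(t: FiveTuple, tpl: SessionSamplingTemplate) -> bool:
    """Keep the packet when either remainder equals the template's sampling remainder.

    Because negative_hash(reply) == positive_hash(request), a request and its
    reply always get the same decision, so a sampled session is sampled whole.
    """
    first = positive_hash(t) % tpl.sampling_parameter
    second = negative_hash(t) % tpl.sampling_parameter
    return tpl.sampling_remainder in (first, second)


def sample_sessions(packets, tpl: SessionSamplingTemplate) -> dict:
    """Apply the template to a packet stream and group the kept packets by session."""
    sessions = defaultdict(list)
    for t in packets:
        if should_sample(t, tpl):
            sessions[t.session_key()].append(t)
    return dict(sessions)


# Constructed traffic: three sessions, each seen in both directions.
SAMPLE_PACKETS = [
    FiveTuple("10.0.0.1", "10.0.0.2", 40000, 80, 6),
    FiveTuple("10.0.0.2", "10.0.0.1", 80, 40000, 6),
    FiveTuple("10.0.0.3", "10.0.0.2", 40001, 80, 6),
    FiveTuple("10.0.0.2", "10.0.0.3", 80, 40001, 6),
    FiveTuple("10.0.0.4", "10.0.0.5", 53000, 53, 17),
    FiveTuple("10.0.0.5", "10.0.0.4", 53, 53000, 17),
]

if __name__ == "__main__":
    template = SessionSamplingTemplate(sampling_parameter=4, sampling_remainder=1)
    for key, pkts in sample_sessions(SAMPLE_PACKETS, template).items():
        print(key, len(pkts), "packets kept")
```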
Referring to fig. 7, fig. 7 is a schematic diagram of a hardware structure of a network attack detection system according to an embodiment of the present invention, where the network attack detection system is located in a network, the network further includes a plurality of routers, adjacent routers in the plurality of routers are connected through a link with a certain bandwidth, the plurality of routers form a network topology through the link, the network attack detection system includes a memory 701 and a processor 702 connected to the memory 701, the memory 701 is used to store a set of program instructions, and the processor 702 is used to call the program instructions stored in the memory 701 to perform the following operations:
analyzing session characteristic information of all sessions to be analyzed acquired within a preset time interval,
detecting the network session attack in the preset time interval according to the session characteristic information;
optionally, the detecting, according to the session feature information, a network session attack within the preset time interval includes:
counting a first proportion of incomplete sessions in all sessions to be analyzed, which are acquired within the preset time interval, according to the session characteristic information;
judging whether the first proportion exceeds a first preset threshold value or not;
when the first proportion occupied by the incomplete session exceeds a first preset threshold value, identifying the network session attack in the preset time interval;
the session characteristic information comprises an uplink data message number and a downlink data message number;
the incomplete session is a to-be-analyzed session with the number of the uplink data messages being greater than 1 and the number of the downlink data messages being 0;
wherein the session characteristic information comprises a Transmission Control Protocol (TCP) flag bit;
the incomplete session is a session to be analyzed whose TCP flag bits are incomplete;
optionally, the session feature information includes the number of echo messages and the number of echo reply messages in an Internet Control Message Protocol (ICMP) session;
the detecting the network session attack within the preset time interval according to the session characteristic information includes:
counting a second proportion of echo messages and echo reply messages in the ICMP session acquired within a preset time interval according to the session characteristic information;
judging whether the second proportion is within a preset numerical range;
when the second proportion is not within a preset value range, identifying ICMP session attack within the preset time interval;
optionally, the detecting, according to the session feature information, a network session attack within the preset time interval includes:
counting the number of denial-of-service sessions in the preset time interval according to the session characteristic information, wherein a denial-of-service session is a session to be analyzed whose session characteristic information contains Hypertext Transfer Protocol (HTTP) error code information;
judging whether the number of denial-of-service sessions exceeds a second preset threshold value;
identifying a CC session attack within the preset time interval when the number of denial-of-service sessions exceeds the second preset threshold;
optionally, the detecting, according to the session feature information, a network session attack within the preset time interval includes:
judging whether the session characteristic information of each session to be analyzed collected in the preset time interval contains session fragment abnormal information, wherein the session fragment abnormal information comprises any one or more of incomplete fragments, fragment overlapping and fragment flag bit errors;
when the session characteristic information of the session to be analyzed contains session fragment abnormal information, identifying the session to be analyzed as a fragment attack session within the preset time interval;
optionally, the method further includes:
when the network session attack within the preset time interval is detected, generating an attack event according to the session characteristic information of the session to be analyzed;
generating an attack suppression strategy according to the attack event;
optionally, the method further includes:
and identifying attack source equipment, attack service and attacked equipment according to the attack event.
Wherein, the session characteristic information adopts a standard output format of IPFIX protocol.
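The four detection structures listed above (incomplete-session ratio, ICMP echo ratio, denial-of-service session count and the fragment exception check; the same structures as in the detecting device 502 of fig. 5 and claims 9 to 14), run over constructed session feature records, as an added example that is not the patent's or Huawei's code; the record fields, the thresholds, the "SYN seen without ACK" reading of incomplete TCP flag bits and the sample records are assumptions:

```python
"""Session-level attack detection over IPFIX-style session feature records.

Added example, not the patent's or Huawei's code: the field names, thresholds,
the "SYN without ACK" criterion for incomplete TCP flag bits and the sample
records are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

TCP, ICMP, UDP = 6, 1, 17
FRAGMENT_EXCEPTIONS = frozenset({"incomplete", "overlap", "flag_error"})


@dataclass(frozen=True)
class SessionFeatures:
    """One session's feature information as the analysis device exports it."""
    session_id: str
    proto: int
    uplink_packets: int = 0
    downlink_packets: int = 0
    tcp_flags: frozenset = frozenset()            # union of TCP flags seen in the session
    echo_requests: int = 0                        # ICMP echo messages
    echo_replies: int = 0                         # ICMP echo reply messages
    http_error_code: Optional[int] = None         # e.g. 503 when the server refused service
    fragment_exceptions: frozenset = frozenset()  # subset of FRAGMENT_EXCEPTIONS


@dataclass(frozen=True)
class Thresholds:
    incomplete_ratio: float = 0.5          # first preset threshold
    icmp_ratio_range: tuple = (0.8, 1.25)  # preset numerical range for echo/reply
    dos_session_count: int = 1             # second preset threshold


def is_incomplete(s: SessionFeatures) -> bool:
    """Scenario one: uplink traffic with no downlink; scenario two: TCP handshake never completed."""
    if s.uplink_packets > 1 and s.downlink_packets == 0:
        return True
    return s.proto == TCP and "SYN" in s.tcp_flags and "ACK" not in s.tcp_flags


def incomplete_ratio(sessions) -> float:
    """First proportion: share of incomplete sessions in the interval (0.0 when empty)."""
    if not sessions:
        return 0.0
    return sum(1 for s in sessions if is_incomplete(s)) / len(sessions)


def icmp_echo_ratio(sessions) -> Optional[float]:
    """Second proportion: echo requests divided by echo replies over all ICMP sessions."""
    icmp = [s for s in sessions if s.proto == ICMP]
    requests = sum(s.echo_requests for s in icmp)
    replies = sum(s.echo_replies for s in icmp)
    if replies == 0:
        return float("inf") if requests else None  # None: no ICMP traffic to judge
    return requests / replies


def dos_session_count(sessions) -> int:
    """Denial-of-service sessions: feature information carries an HTTP error code."""
    return sum(1 for s in sessions if s.http_error_code is not None)


def fragment_attack_sessions(sessions) -> list:
    """Ids of sessions whose feature information contains fragment exception information."""
    return [s.session_id for s in sessions if s.fragment_exceptions & FRAGMENT_EXCEPTIONS]


def detect_session_attacks(sessions, th: Thresholds = Thresholds()) -> list:
    """Run the four checks over one preset time interval and return attack events."""
    events = []
    ratio = incomplete_ratio(sessions)
    if ratio > th.incomplete_ratio:
        events.append({"type": "incomplete_session", "ratio": ratio,
                       "sessions": [s.session_id for s in sessions if is_incomplete(s)]})
    echo_ratio = icmp_echo_ratio(sessions)
    lo, hi = th.icmp_ratio_range
    if echo_ratio is not None and not lo <= echo_ratio <= hi:
        events.append({"type": "icmp_session", "ratio": echo_ratio,
                       "sessions": [s.session_id for s in sessions if s.proto == ICMP]})
    dos = dos_session_count(sessions)
    if dos > th.dos_session_count:
        events.append({"type": "cc_session", "count": dos,
                       "sessions": [s.session_id for s in sessions if s.http_error_code is not None]})
    frag = fragment_attack_sessions(sessions)
    if frag:
        events.append({"type": "fragment_session", "sessions": frag})
    return events


# Constructed records for one interval: six half-open TCP sessions, one normal
# session, two refused by the server, one ICMP echo flood and one fragment anomaly.
SAMPLE_SESSIONS = (
    [SessionFeatures(f"s{i}", TCP, uplink_packets=3, tcp_flags=frozenset({"SYN"}))
     for i in range(1, 7)]
    + [SessionFeatures("s7", TCP, 10, 12, frozenset({"SYN", "ACK", "FIN"})),
       SessionFeatures("s8", TCP, 5, 5, frozenset({"SYN", "ACK", "FIN"}), http_error_code=503),
       SessionFeatures("s9", TCP, 5, 5, frozenset({"SYN", "ACK", "FIN"}), http_error_code=503),
       SessionFeatures("s10", ICMP, echo_requests=40, echo_replies=2),
       SessionFeatures("s11", UDP, 4, 4, fragment_exceptions=frozenset({"overlap"}))]
)
```

Each event carries the ids of the sessions that triggered it, which is the material the defense device would turn into an attack event and suppression strategy.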
It should be noted that, in the embodiment of the present invention, the processor may be a Central Processing Unit (CPU), the memory may be an internal memory such as a Random Access Memory (RAM), and the processor and the memory may be integrated into one or more independent circuits or hardware, such as an Application Specific Integrated Circuit (ASIC).
The "first" in "first host device" and "first interface" mentioned in the embodiments of the present invention is only used for name identification and does not represent being first in sequence. The same rule applies to "second" and "third".
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium may be at least one of the following media: various media that can store program codes, such as Read-Only Memory (ROM), RAM, magnetic disk, or optical disk.
It should be noted that, in the present specification, all the embodiments are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only for the preferred embodiment of the present invention and is not intended to limit the scope of the present invention. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications should be considered as the protection scope of the present invention.

Claims (29)

1. A method for detecting a network session attack, the method comprising:
taking a session as the basic analysis unit, obtaining session characteristic information of each session to be analyzed, wherein one session refers to the communication interaction established between two network devices within a certain uninterrupted operation time, and all messages exchanged between the two network devices within the certain operation time belong to the session;
according to session characteristic information of all sessions to be analyzed acquired within a preset time interval, detecting a network session attack within the preset time interval, wherein all sessions to be analyzed comprise at least one session to be analyzed.
2. The method of claim 1, wherein prior to the obtaining session feature information for each session to be analyzed, the method further comprises:
and acquiring a plurality of messages included in each session to be analyzed.
3. The method according to claim 2, wherein the obtaining the plurality of packets included in each session to be analyzed includes:
respectively acquiring quintuple information of each message from all received messages;
and acquiring a plurality of messages included in each session to be analyzed from all the received messages based on the five-tuple information of each message.
4. The method according to claim 2, wherein the obtaining the plurality of packets included in each session to be analyzed includes:
all the received messages are sampled based on the session, and all the sampled messages of all the sampling sessions are obtained;
and acquiring a plurality of messages included in each session to be analyzed from all sampled messages of all sampling sessions.
5. The method according to claim 4, wherein the obtaining the plurality of packets included in each session to be analyzed from all sampled packets of all sampling sessions comprises:
respectively acquiring quintuple information of each sampled message from all the sampled messages;
and acquiring a plurality of messages included in each session to be analyzed from all the sampled messages based on the quintuple information of each sampled message.
6. The method according to claim 4 or 5, wherein sampling all received messages on a session basis comprises:
analyzing quintuple information of each received message;
calculating a positive hash value and a negative hash value of the received message by using the quintuple information, wherein the positive hash value is a hash value calculated by taking the quintuple information of the received message as input, and the negative hash value is a hash value calculated by taking as input the source IP address and the destination IP address in the quintuple information of the received message together with the source port number and the destination port number after they are transposed;
calculating a first remainder obtained by dividing the positive hash value by a preset sampling parameter in a preset session sampling template, and calculating a second remainder obtained by dividing the negative hash value by the preset sampling parameter in the session sampling template, wherein the preset sampling parameter is a denominator of a sampling proportion in the session sampling template;
judging whether the first remainder or the second remainder is a preset sampling remainder in the session sampling template;
and when the first remainder or the second remainder is a preset sampling remainder in the session sampling template, sampling the received message.
7. The method according to any of claims 1-6, wherein the session feature information comprises any one or more of:
the number of uplink messages and the number of downlink messages;
the number of uplink bytes and the number of downlink bytes;
session termination caused by a protocol state machine exception;
the number of TCP flag bits;
the number of echo messages and the number of echo reply messages in an Internet Control Message Protocol (ICMP) session;
the number of denial-of-service sessions;
abnormal information of session fragmentation;
the length of the message; or
session termination.
8. The method according to any of claims 1-7, wherein the session characteristic information of each session to be analyzed is output in the standard format of the IP Flow Information Export (IPFIX) protocol.
9. The method according to any one of claims 1 to 8, wherein the detecting a network session attack within a preset time interval according to the session feature information of each session to be analyzed comprises:
counting a first proportion of incomplete sessions in all sessions to be analyzed, which are acquired within the preset time interval;
and in response to the first ratio exceeding a first preset threshold, identifying the existence of the network session attack within the preset time interval.
10. The method according to any one of claims 1-9, wherein the detecting the network session attack within the preset time interval comprises:
counting a second proportion of echo messages and echo reply messages in all the sessions to be analyzed, which are acquired within the preset time interval;
and when the second proportion is not in a preset numerical range, identifying that the network session attack exists in the preset time interval.
11. The method according to any one of claims 1-10, wherein the detecting the network session attack within the preset time interval comprises:
counting the number of the service refusal sessions in all the sessions to be analyzed, which are acquired within the preset time interval, wherein the service refusal sessions are sessions of which the session characteristic information contains HTTP error code information;
and when the number of the service denial sessions exceeds a second preset threshold value, identifying that the network session attack exists in the preset time interval.
12. The method according to any one of claims 1-11, wherein the detecting the network session attack within the preset time interval comprises:
and identifying that the network session attack exists in the preset time interval in response to the detection that a plurality of fragment abnormal sessions exist in the preset time interval.
13. The method of claim 12, wherein when the session characteristic information of a session to be analyzed includes fragment exception information, the session to be analyzed is a fragment exception session.
14. The method according to claim 13, wherein the fragmentation exception information comprises any one or more of:
incomplete fragments;
fragment overlapping;
a fragment flag bit error;
the length of the first fragment is less than or equal to a first preset length; or
the length of a sub-fragment is greater than or equal to a second preset length.
15. The method according to any one of claims 1-14, further comprising:
when detecting that the network session attack exists in the preset time interval, generating an attack event according to the session characteristic information of each session to be analyzed;
and generating an attack suppression strategy according to the attack event.
16. The method of claim 15, further comprising:
and identifying attack source equipment, attack service or attacked equipment according to the attack event.
17. A method for obtaining session feature information, the method comprising:
taking a session as the basic analysis unit, obtaining a plurality of messages included in each session to be analyzed, wherein one session refers to the communication interaction established between two network devices within a certain uninterrupted operation time, and all messages exchanged between the two network devices within the certain operation time belong to the session;
obtaining session characteristic information of each session to be analyzed according to all messages included in each session to be analyzed.
18. The method according to claim 17, wherein the obtaining the plurality of messages included in each session to be analyzed comprises:
respectively acquiring quintuple information of each message from all received messages;
and acquiring a plurality of messages included in each session to be analyzed from all the received messages based on the five-tuple information of each message.
19. The method according to claim 17, wherein the obtaining the plurality of messages included in each session to be analyzed comprises:
all the received messages are sampled based on the session, and all the sampled messages of all the sampling sessions are obtained;
and acquiring a plurality of messages included in each session to be analyzed from all sampled messages of all sampling sessions.
20. The method according to claim 19, wherein said obtaining the plurality of packets included in each session to be analyzed from all sampled packets of all sampling sessions comprises:
respectively acquiring quintuple information of each sampled message from all the sampled messages;
and acquiring a plurality of messages included in each session to be analyzed from all the sampled messages based on the quintuple information of each sampled message.
21. The method according to claim 19 or 20, wherein sampling all received messages on a session basis comprises:
parsing the five-tuple information of each received message;
computing a forward hash value and a reverse hash value of the received data message from the five-tuple information, wherein the forward hash value is a hash value computed with the five-tuple information of the received data message as input, and the reverse hash value is a hash value computed with the same five-tuple information as input after the source IP address and destination IP address, and the source port number and destination port number, have been exchanged in position;
computing a first remainder by dividing the forward hash value by a preset sampling parameter of a preset session sampling template, and a second remainder by dividing the reverse hash value by the same preset sampling parameter, wherein the preset sampling parameter is the denominator of the sampling proportion in the session sampling template;
determining whether the first remainder or the second remainder equals a preset sampling remainder in the session sampling template; and
sampling the received data message when the first remainder or the second remainder equals the preset sampling remainder in the session sampling template.
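The sampling rule of claim 21 as an added example (not code from the patent): the forward and reverse five-tuple hashes are reduced modulo the template's sampling denominator, and the message is sampled when either remainder equals the preset sampling remainder, so both directions of one session receive the same decision. The hash function (SHA-256 truncated to 64 bits), the helper names and the constructed addresses are this example's assumptions.

```python
import hashlib
import ipaddress
import struct
from typing import NamedTuple


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


def five_tuple_hash(t: FiveTuple) -> int:
    # The claim only requires "a hash value"; SHA-256 truncated to 64 bits is this
    # example's assumption, not the patent's choice of function.
    data = (ipaddress.ip_address(t.src_ip).packed
            + ipaddress.ip_address(t.dst_ip).packed
            + struct.pack("!HHB", t.src_port, t.dst_port, t.proto))
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def forward_hash(t: FiveTuple) -> int:
    return five_tuple_hash(t)


def reverse_hash(t: FiveTuple) -> int:
    # Same five-tuple with source/destination IP and source/destination port exchanged,
    # so the reverse direction of the session hashes to the forward value and vice versa.
    return five_tuple_hash(FiveTuple(t.dst_ip, t.src_ip, t.dst_port, t.src_port, t.proto))


def should_sample(t: FiveTuple, denominator: int, sampling_remainder: int) -> bool:
    """Session sampling template: ratio 1/denominator, selecting one preset remainder."""
    if not 0 <= sampling_remainder < denominator:
        raise ValueError("sampling remainder must lie in [0, denominator)")
    first = forward_hash(t) % denominator
    second = reverse_hash(t) % denominator
    return first == sampling_remainder or second == sampling_remainder


def empirical_session_rate(denominator: int, sampling_remainder: int, n: int = 2000) -> float:
    """Fraction of n constructed client->server sessions that the template selects."""
    selected = 0
    for i in range(n):
        t = FiveTuple(f"10.1.{i // 256}.{i % 256}", "192.0.2.10", 1024 + i, 443, 6)
        selected += should_sample(t, denominator, sampling_remainder)
    return selected / n
```

Because a match on either remainder selects the message, a template written as 1/N selects roughly 2/N - 1/N^2 of the sessions rather than 1/N; empirical_session_rate(8, 0) lands near 0.23.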
22. The method according to any one of claims 17-21, wherein the session feature information comprises any one or more of:
the number of uplink data messages and the number of downlink data messages;
the number of uplink bytes and the number of downlink bytes;
session termination caused by a protocol state machine exception;
the counts of TCP flag bits;
the number of echo messages and the number of echo reply messages in an Internet Control Message Protocol (ICMP) session;
the number of service session rejections;
session fragmentation anomaly information;
message length; or
session termination.
23. The method according to any one of claims 17-22, wherein the session feature information of each session to be analyzed is output in the standard format of the IP Flow Information Export (IPFIX) protocol.
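Grouping messages into sessions by five-tuple (claims 17 and 18) and deriving the per-session counters of claim 22, as an added example rather than code from the patent. The direction-independent session key, the rule that the sender of the first observed message is the uplink side, the Counter field names and the constructed capture are assumptions of this example; IPFIX export (claim 23) is not implemented here.

```python
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int                        # 6 = TCP, 1 = ICMP
    length: int                       # bytes on the wire
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[int] = None   # 8 = echo request, 0 = echo reply


def session_key(p: Packet) -> Tuple:
    """Direction-independent key so both directions of one session share an entry."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (min(a, b), max(a, b), p.proto)


def extract_session_features(packets: Iterable[Packet]) -> Dict[Tuple, Counter]:
    """Per-session counters for the claim 22 features; the counter names are this example's."""
    sessions: Dict[Tuple, Counter] = {}
    initiator: Dict[Tuple, Tuple[str, int]] = {}   # sender of the first message = uplink side
    for p in packets:
        k = session_key(p)
        f = sessions.setdefault(k, Counter())
        initiator.setdefault(k, (p.src_ip, p.src_port))
        direction = "up" if (p.src_ip, p.src_port) == initiator[k] else "down"
        f[direction + "_pkts"] += 1
        f[direction + "_bytes"] += p.length
        for flag in p.tcp_flags:                    # TCP flag bit counts
            f["tcp_" + flag] += 1
        if p.proto == 1 and p.icmp_type == 8:
            f["icmp_echo"] += 1
        elif p.proto == 1 and p.icmp_type == 0:
            f["icmp_echo_reply"] += 1
        f["max_len"] = max(f["max_len"], p.length)  # message length feature
    return sessions


def sample_capture() -> List[Packet]:
    """Constructed sample: one TCP session (handshake plus data) and one ICMP echo exchange."""
    c, s = "10.0.0.1", "192.0.2.10"
    return [Packet(c, s, 40000, 80, 6, 60, frozenset({"SYN"})),
            Packet(s, c, 80, 40000, 6, 60, frozenset({"SYN", "ACK"})),
            Packet(c, s, 40000, 80, 6, 52, frozenset({"ACK"})),
            Packet(c, s, 40000, 80, 6, 500, frozenset({"ACK", "PSH"})),
            Packet(s, c, 80, 40000, 6, 1500, frozenset({"ACK"})),
            Packet(c, s, 0, 0, 1, 98, icmp_type=8),
            Packet(s, c, 0, 0, 1, 98, icmp_type=0)]
```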
24. A cyber attack detection apparatus, the apparatus comprising:
a memory for storing a set of program instructions, and a processor coupled to the memory for invoking the program instructions stored in the memory to cause the cyber attack detection apparatus to perform the method of any one of claims 1-16.
25. A feature information analysis apparatus, characterized in that the apparatus comprises:
a memory for storing a set of program instructions, and a processor coupled to the memory for invoking the program instructions stored in the memory to cause the feature information analysis apparatus to perform the method of any one of claims 17-23.
26. A network system, characterized in that the system comprises: a first network device, a second network device and the cyber attack detection apparatus of claim 24.
27. A network system, characterized in that the system comprises: a first network device, a second network device and the feature information analysis apparatus of claim 25.
28. A network system comprising the cyber attack detection apparatus according to claim 24 and the feature information analysis apparatus according to claim 25.
29. A computer readable storage medium comprising computer instructions which, when executed on a computer, cause the computer to perform the method of any of claims 1-23.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010460439.8A CN111835708A (en) 2014-12-30 2014-12-30 Characteristic information analysis method and device

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
PCT/CN2014/095640 WO2016106592A1 (en) 2014-12-30 2014-12-30 Method and device for feature information analysis
CN202010460439.8A CN111835708A (en) 2014-12-30 2014-12-30 Characteristic information analysis method and device
CN201480076897.4A CN106416171B (en) 2014-12-30 2014-12-30 Characteristic information analysis method and device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201480076897.4A Division CN106416171B (en) 2014-12-30 2014-12-30 Characteristic information analysis method and device

Publications (1)

Publication Number Publication Date
CN111835708A true CN111835708A (en) 2020-10-27

Family

ID=56283868

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010460439.8A Pending CN111835708A (en) 2014-12-30 2014-12-30 Characteristic information analysis method and device
CN201480076897.4A Active CN106416171B (en) 2014-12-30 2014-12-30 Characteristic information analysis method and device

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201480076897.4A Active CN106416171B (en) 2014-12-30 2014-12-30 Characteristic information analysis method and device

Country Status (2)

Country Link
CN (2) CN111835708A (en)
WO (1) WO2016106592A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114154990A (en) * 2021-12-08 2022-03-08 河北晓博互联网科技有限公司 Big data anti-attack method based on online payment and storage medium
CN114219427A (en) * 2021-12-06 2022-03-22 辽宁融汇互联网科技有限公司 Information security processing method and storage medium for handling big data office work

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107666417B (en) * 2017-10-18 2021-04-30 盛科网络(苏州)有限公司 Method for realizing IPFIX random sampling
CN110674165A (en) * 2018-07-03 2020-01-10 百度在线网络技术(北京)有限公司 Method and device for adjusting sampling rate, storage medium and terminal equipment
CN109088791A (en) * 2018-07-20 2018-12-25 国网宁夏电力有限公司银川供电公司 IEC104 message remote signalling information extracting method
CN110311925B (en) * 2019-07-30 2022-06-28 百度在线网络技术(北京)有限公司 DDoS reflection type attack detection method and device, computer equipment and readable medium
CN110430226B (en) * 2019-09-16 2021-08-17 腾讯科技(深圳)有限公司 Network attack detection method and device, computer equipment and storage medium
CN112910825B (en) * 2019-11-19 2022-06-14 华为技术有限公司 Worm detection method and network equipment
CN111371783B (en) * 2020-03-02 2022-06-24 中国建设银行股份有限公司 SQL injection attack detection method, device, equipment and storage medium
CN112532444B (en) * 2020-11-26 2023-02-24 上海阅维科技股份有限公司 Data flow sampling method, system, medium and terminal for network mirror flow
CN112671759A (en) * 2020-12-22 2021-04-16 互联网域名系统北京市工程研究中心有限公司 DNS tunnel detection method and device based on multi-dimensional analysis
CN112866275B (en) * 2021-02-02 2022-07-15 杭州安恒信息安全技术有限公司 Flow sampling method, device and computer readable storage medium
CN112929364B (en) * 2021-02-05 2023-03-24 上海观安信息技术股份有限公司 Data leakage detection method and system based on ICMP tunnel analysis
CN113839882B (en) * 2021-09-26 2023-09-26 杭州迪普信息技术有限公司 Message flow splitting method and device
CN114257664A (en) * 2021-12-13 2022-03-29 北京易霖博信息技术有限公司 Network equipment fingerprint extraction method and device, server and storage medium
CN114567687B (en) * 2022-02-25 2023-07-28 北京百度网讯科技有限公司 Message forwarding method, device, equipment, medium and program product
CN114979236A (en) * 2022-05-12 2022-08-30 山石网科通信技术股份有限公司 Data transmission method, data transmission device, storage medium and electronic equipment
CN116112263B (en) * 2023-02-13 2023-10-27 山东云天安全技术有限公司 Message processing method, electronic equipment and storage medium
CN116192490A (en) * 2023-02-14 2023-05-30 北京中睿天下信息技术有限公司 Network threat detection method and system based on flow behaviors
CN117729054B (en) * 2024-02-07 2024-04-16 北京马赫谷科技有限公司 VPN flow identification method and system based on full flow storage

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6873600B1 (en) * 2000-02-04 2005-03-29 At&T Corp. Consistent sampling for network traffic measurement
CN101047509B (en) * 2006-05-31 2010-05-12 华为技术有限公司 Session attack detection system and method
CN100440811C (en) * 2006-12-25 2008-12-03 杭州华三通信技术有限公司 Detection method and device for network attack
EP2112803B1 (en) * 2008-04-22 2013-12-18 Alcatel Lucent Attack protection for a packet-based network
CN101854275A (en) * 2010-05-25 2010-10-06 军工思波信息科技产业有限公司 Method and device for detecting Trojans by analyzing network behaviors
CN102045220A (en) * 2010-12-09 2011-05-04 国都兴业信息审计系统技术(北京)有限公司 Wooden horse monitoring and auditing method and system thereof
CN102201937B (en) * 2011-06-13 2013-10-23 刘胜利 Method for detecting Trojan quickly based on heartbeat behavior analysis
CN102882894A (en) * 2012-10-30 2013-01-16 杭州迪普科技有限公司 Method and device for identifying attack
CN103701814A (en) * 2013-12-27 2014-04-02 北京启明星辰信息技术股份有限公司 Behavior-detection-based network traffic identification method and device
CN103747003A (en) * 2014-01-16 2014-04-23 南京邮电大学 Peer-to-peer botnet core node detection method and detection device
CN104113538A (en) * 2014-07-09 2014-10-22 重庆大学 Network safety protection scheme for detecting attack behaviors of internal users
CN104168272A (en) * 2014-08-04 2014-11-26 国家电网公司 Trojan horse detection method based on communication behavior clustering

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114219427A (en) * 2021-12-06 2022-03-22 辽宁融汇互联网科技有限公司 Information security processing method and storage medium for handling big data office work
CN114154990A (en) * 2021-12-08 2022-03-08 河北晓博互联网科技有限公司 Big data anti-attack method based on online payment and storage medium
CN114154990B (en) * 2021-12-08 2022-09-20 北京汇收钱科技股份有限公司 Big data anti-attack method based on online payment and storage medium

Also Published As

Publication number Publication date
WO2016106592A1 (en) 2016-07-07
CN106416171A (en) 2017-02-15
CN106416171B (en) 2020-06-16

Similar Documents

Publication Publication Date Title
CN106416171B (en) Characteristic information analysis method and device
US11700275B2 (en) Detection of malware and malicious applications
JP5883920B2 (en) System and method for packet deduplication
US10812524B2 (en) Method, and devices for defending distributed denial of service attack
JP4759389B2 (en) Packet communication device
US7729271B2 (en) Detection method for abnormal traffic and packet relay apparatus
JP4658098B2 (en) Flow information limiting apparatus and method
CN101399711B (en) Network monitoring system and network monitoring method
KR102088299B1 (en) Apparatus and method for detecting drdos
CN109756475B (en) Data transmission method and device in unidirectional network
CN107181605B (en) Message detection method and system, content extraction device and flow matching device
EP3203699A1 (en) Method for man-in-the-middle processing for tcp without protocol stack
Limmer et al. Improving the performance of intrusion detection using dialog-based payload aggregation
CN112559824A (en) Message processing method, device and equipment
Morton Round-trip packet loss metrics
US10742602B2 (en) Intrusion prevention
CN110519301A (en) A kind of attack detection method and device
CN109474636B (en) Network attack detection method and device
US9742699B2 (en) Network apparatus and selective information monitoring method using the same
Mittal et al. Flexible deterministic router and interface marking for IP traceback
JP2009049592A (en) Ip flow measuring circuit and ip flow measuring method
Barokar et al. Identification of the Real Source of DDOS Attack by FDPM in IP Traceback System
WO2014101187A1 (en) Ip performance measurement method and device
CN117459298A (en) DoS attack detection method and device based on flow rate statistics and storage medium
CN116016391A (en) Message forwarding method and system based on NAT gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination