CN112543177A - Network attack detection method and device - Google Patents

Info

Publication number
CN112543177A
CN112543177A
Authority
CN
China
Prior art keywords
attack
client
data packet
type
detection
Prior art date
Legal status
Pending
Application number
CN202011155195.9A
Other languages
Chinese (zh)
Inventor
陈宏伟
何建锋
刘亚轩
Current Assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Original Assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date
2020-10-26
Filing date
2020-10-26
Publication date
2021-03-23
Application filed by Xi'an Jiaotong University Jump Network Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack detection method and apparatus. An acquired data packet is matched against a preset attack feature library, and for each successfully matched attack feature the method judges whether the feature's type agrees with the type of the packet's target end and/or source end; if they agree, an alarm is raised, otherwise the match is filtered out and not processed. Attack features are divided by attack source into client attacks and non-client attacks, and by attack target into attacks on clients and attacks on non-clients. For a packet whose content matches a feature, the types of its source and target ends are determined from the flow direction and compared with the feature's types, and only attack behaviour whose types agree is alarmed and processed. An attack whose types do not agree does not threaten the target protected by the current detection, is an invalid attack, and is eliminated, which reduces false alarms.

Description

Network attack detection method and device
Technical Field
The invention belongs to the field of network security and relates in particular to an attack detection method that reduces false alarms, and to an attack detection apparatus that uses the method.
Background
With the development of the internet, the number of network users keeps growing, the number of host devices connected to the internet keeps growing, and attacks that exploit host vulnerabilities have become commonplace. To guarantee the safe operation of hosts as far as possible, attack behaviour against hosts must be monitored in real time so that danger is discovered promptly.
One method of security checking network data is feature identification: if the content of a data packet matches an attack feature in the feature library, the packet is judged to be an attack. Owing to technical limitations, feature-based network attack detection is prone to misjudgement, in which a normal packet is judged to be an attack packet because it happens to match a feature. In practice the remedy is mostly after-the-fact confirmation: manual analysis of the attack logs one by one, elimination of the normal data, and updating of the feature library.
The inventors have found in practice that one situation producing many false alarms in existing feature matching is that no distinction is made as to the source and target of the packet being matched: a packet that matches a feature may have been sent by the attacker to the attacked host, or equally by the attacked host back to the attacker, and both produce the same alarm. It is therefore necessary to optimise attack detection, that is, the alarming, for such situations in order to reduce false positives.
Disclosure of Invention
In view of this, the present invention is directed to a method and an apparatus for detecting network-attack data packets with fewer false alarms. By judging the successfully matched feature together with the target end and the source end of the packet it matched, alarms whose types do not agree are eliminated and the effectiveness of detection is improved.
The specific technical scheme of the invention is as follows:
a network attack detection method matches an acquired data packet against a preset attack feature library and judges whether the type of each successfully matched attack feature agrees with the type of the packet's target end and/or source end; if they agree, an alarm is raised, otherwise the match is filtered out and not processed.
Preferably, judging whether the type of the successfully matched attack feature agrees with the type of the packet's target end specifically comprises: after the packet to be detected has been matched against the attack feature library, judging whether the matched feature belongs to the "attack client" or the "attack non-client" class, judging from the flow direction of the packet whether its target end is a client or a non-client, and raising an alarm when the class of the attack feature agrees with the type of the target end.
As another preferable example, judging whether the type of the successfully matched attack feature agrees with the type of the packet's source end specifically comprises: after the packet to be detected has been matched against the attack feature library, judging whether the matched feature belongs to the "client attack" or the "non-client attack" class, judging from the flow direction of the packet whether its source end is a client or a non-client, and raising an alarm when the class of the attack feature agrees with the type of the source end.
According to the above detection method, before judging whether the type of the successfully matched attack feature agrees with the type of the packet's target end and/or source end, the method further comprises: dividing the attack features by their attack target into the classes "attack client" and "attack non-client" and storing them in the feature library, and/or dividing the attack features by their attack source into the classes "client attack" (client-originated) and "non-client attack" (non-client-originated) and storing them in the feature library.
When the class of the attack feature agrees with the type of the target end and/or the source end, the detection rule that was hit is determined from the attack feature, and the alarm processing strategy preset for that detection rule is executed.
Further, creating a detection rule comprises: selecting attack features from the feature library to establish the detection rule, and adding the detection rule to the rule base; the detection rule is executed, and when the content of the packet matches at least one attack feature in the rule, the detection rule is hit.
As a third preferred implementation, judging whether the type of the successfully matched attack feature agrees with the type of the packet's target end and/or source end specifically comprises:
creating detection rules of the four classes "attack client", "attack non-client", "client attack" and "non-client attack", each containing the attack features of the corresponding class, selected from the feature library, that need to be detected; dividing the packets to be detected, according to the message direction, into packets sent to a client, sent to a non-client, sent from a client and sent from a non-client; and starting the detection rules, each detecting the packets of its corresponding class, so that when at least one attack feature in a detection rule matches a corresponding packet to be detected, the detection rule is hit and its preset alarm processing strategy is executed.
In a second aspect, the present invention further provides an attack detection apparatus, including:
the data packet receiving module is used for receiving a data packet to be detected in a session;
the characteristic library module is used for storing attack characteristics;
the rule base module is used for storing detection rules including attack characteristics;
the data packet matching module is used for executing the detection rule, matching the data packet to be detected with the attack characteristics and judging whether the data packet is a network attack or not;
and the attack processing module is used for executing a processing strategy preset by the detection rule when the matching is successful.
Preferably, the attack features stored by the feature library module are divided into the classes "attack client", "attack non-client", "client attack" and "non-client attack"; and, according to the flow direction, the packets to be detected are divided into packets sent to a client and to a non-client, and/or packets sent from a client and from a non-client.
Further, the packet matching module executes a detection rule, judges whether the class of the successfully matched attack feature agrees with the type of the packet's target end and/or source end, and if so raises an alarm and carries out the policy processing; otherwise the match is filtered out and not processed.
By adopting this technical scheme, the attack detection method and apparatus have the following beneficial effects: the attack features of the feature library are classified, by source into client attacks and non-client attacks and by target into attacks on clients and attacks on non-clients; for a packet whose content matches a feature, the types of its source and target ends are judged and compared with the feature's classes, and only attack behaviour whose classes agree is alarmed and processed. An attack whose classes do not agree does not threaten the target protected by the current detection, is an invalid attack and is eliminated, which effectively reduces false alarms and makes attack detection alarms more targeted.
Drawings
Fig. 1 is a schematic flow chart of a network attack detection method according to a first embodiment of the present invention;
FIG. 2 is a flowchart illustrating a network attack detection method according to a second embodiment of the present invention;
FIG. 3 is a flowchart illustrating a network attack detection method according to a third embodiment of the present invention;
fig. 4 is a block diagram of a network attack detection apparatus according to an embodiment of the present invention.
Detailed Description
The invention provides a network attack detection method which matches an acquired data packet against a preset attack feature library and judges whether the type of each successfully matched attack feature agrees with the type of the packet's target end and/or source end; if they agree, an alarm is raised, otherwise the match is filtered out and not processed. The implementation of the method is explained below by means of specific embodiments. It should be noted that in the present invention a "client" is, for example, a PC host, and a "non-client" is, for example, a server.
Example one
As shown in fig. 1, the attack features are divided by their attack target into the classes "attack client" and "attack non-client" and stored in the feature library.
Attack features are selected from the feature library to create a detection rule, and the detection rule is added to the rule base.
The detection rule is executed: the packet to be detected is matched against the attack feature library, it is judged whether the successfully matched feature belongs to the "attack client" or the "attack non-client" class, it is judged from the flow direction of the packet whether its target end is a client or a non-client, and an alarm is raised if the class of the attack feature agrees with the type of the target end, that is, if the feature is "attack client" and the packet's target end is a client, or if the feature is "attack non-client" and the packet's target end is a non-client.
Preferably, when the content of the data packet is successfully matched with at least one attack feature in the rule, the hit detection rule can be determined according to the attack feature, and an alarm processing strategy preset by the detection rule is executed.
Example two
As shown in fig. 2, the attack features are divided by their attack source into the classes "client attack" and "non-client attack" and stored in the feature library.
Attack features are selected from the feature library to create a detection rule, and the detection rule is added to the rule base.
The detection rule is executed: the packet to be detected is matched against the attack feature library, it is judged whether the successfully matched feature belongs to the "client attack" or the "non-client attack" class, it is judged from the flow direction of the packet whether its source end is a client or a non-client, and an alarm is raised if the class of the attack feature agrees with the type of the source end, that is, if the feature is "client attack" and the packet's source end is a client, or if the feature is "non-client attack" and the packet's source end is a non-client.
Preferably, when the content of the data packet is successfully matched with at least one attack feature in the rule, the hit detection rule can be determined according to the attack feature, and an alarm processing strategy preset by the detection rule is executed.
Example three
As shown in fig. 3, as a third preferred implementation, judging whether the type of the successfully matched attack feature agrees with the type of the packet's target end and/or source end specifically comprises:
creating detection rules of the four classes "attack client", "attack non-client", "client attack" and "non-client attack", each containing the attack features of the corresponding class, selected from the feature library, that need to be detected; dividing the packets to be detected, according to the message direction, into packets sent to a client, sent to a non-client, sent from a client and sent from a non-client; and starting the detection rules, each detecting the packets of its corresponding class, so that when at least one attack feature in a detection rule matches a corresponding packet to be detected, the detection rule is hit and its preset alarm processing strategy is executed.
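The procedure of Examples one to three (classify each feature by attack target and attack source, classify both ends of the packet from its flow direction, and alarm only when the classes agree) as an added worked example. This is not the patent's own code nor any product of the applicant. It assumes a hypothetical feature library of two signatures with made-up ids and patterns, a constructed private address range standing in for the flow-direction judgement of which end is a client, and constructed HTTP packets; the detection rule and its preset alarm processing strategy are collapsed into a per-signature `action` field.

```python
"""Direction-aware feature matching (added example, not the patent's code).
Signature ids, patterns, the client address range and the traffic are all
constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Host(Enum):
    """The two endpoint types the method distinguishes."""
    CLIENT = "client"          # e.g. a PC host
    NON_CLIENT = "non-client"  # e.g. a server


@dataclass(frozen=True)
class Signature:
    """Feature-library entry. 'attacks' is the target class (attack client /
    attack non-client); 'originates_from' is the source class (client attack /
    non-client attack); 'action' stands in for the rule's alarm strategy."""
    sid: int
    name: str
    pattern: bytes
    attacks: Host
    originates_from: Host
    action: str = "alert"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed feature library (hypothetical sids, patterns and actions).
SIGNATURES = [
    Signature(1001, "path traversal in HTTP request", b"../../etc/passwd",
              attacks=Host.NON_CLIENT, originates_from=Host.CLIENT),
    Signature(1002, "drive-by script in HTTP response", b"<script>new ActiveXObject(",
              attacks=Host.CLIENT, originates_from=Host.NON_CLIENT, action="alert+block"),
]

# Constructed: protected clients live in one private range; every other address
# (servers, the internet) is a non-client. A real sensor would take this from
# its position in the network and the asset inventory.
CLIENT_NETS = [ip_network("10.0.0.0/8")]


def endpoint_type(ip: str) -> Host:
    """Flow-direction judgement applied to one end of the packet."""
    addr = ip_address(ip)
    return Host.CLIENT if any(addr in net for net in CLIENT_NETS) else Host.NON_CLIENT


def match(pkt: Packet) -> list:
    """Plain feature matching as in the background section: every hit alarms."""
    return [s for s in SIGNATURES if s.pattern in pkt.payload]


def detect(pkt: Packet) -> tuple:
    """Return (alerts, filtered). A hit alarms only when the feature's target
    class equals the packet's destination type and its source class equals the
    packet's source type; any other hit cannot threaten the protected target in
    this detection and is filtered without further processing."""
    dst_type, src_type = endpoint_type(pkt.dst), endpoint_type(pkt.src)
    alerts, filtered = [], []
    for sig in match(pkt):
        if sig.attacks == dst_type and sig.originates_from == src_type:
            alerts.append(sig)
        else:
            filtered.append(sig)
    return alerts, filtered


# Constructed traffic. "server_echoes_pattern" is the background section's
# false positive: a server response that merely contains an attack string.
TRAFFIC = {
    "client_probes_server": Packet(
        "10.0.0.5", "203.0.113.10", b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    "server_echoes_pattern": Packet(
        "203.0.113.10", "10.0.0.5",
        b"HTTP/1.1 200 OK\r\n\r\n<pre>blocked request: ../../etc/passwd</pre>"),
    "server_drive_by": Packet(
        "203.0.113.10", "10.0.0.5",
        b'HTTP/1.1 200 OK\r\n\r\n<script>new ActiveXObject("WScript.Shell")</script>'),
    "client_posts_script": Packet(
        "10.0.0.5", "203.0.113.10",
        b'POST /comment HTTP/1.1\r\n\r\n<script>new ActiveXObject("x")</script>'),
}


def summarize() -> dict:
    """Map each sample to ([alarming sids], [filtered sids])."""
    result = {}
    for name, pkt in TRAFFIC.items():
        alerts, filtered = detect(pkt)
        result[name] = ([s.sid for s in alerts], [s.sid for s in filtered])
    return result


if __name__ == "__main__":
    for name, pkt in TRAFFIC.items():
        alerts, filtered = detect(pkt)
        print(f"{name:22s} plain={[s.sid for s in match(pkt)]} "
              f"alarm={[(s.sid, s.action) for s in alerts]} "
              f"filtered={[s.sid for s in filtered]}")
```

Running the block prints, for each sample, what plain matching would alarm on and what the direction check keeps. The traversal string in the client's request alarms; the same string echoed in the server's response is matched by plain matching but filtered, because an "attack non-client" feature cannot threaten a client destination. The drive-by script alarms only in the server-to-client direction. Note that the check is only as good as the client/non-client classification: a sensor that cannot tell which end is the protected host (for example a span port seeing NATed traffic) would have to fall back to plain matching rather than silently filter.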
Example four
As shown in fig. 4, the present invention also provides an attack detection apparatus, including:
the data packet receiving module is used for receiving a data packet to be detected in a session;
the characteristic library module is used for storing attack characteristics;
the rule base module is used for storing detection rules including attack characteristics;
the data packet matching module is used for executing the detection rule, matching the data packet to be detected with the attack characteristics and judging whether the data packet is a network attack or not;
and the attack processing module is used for executing a processing strategy preset by the detection rule when the matching is successful.
Preferably, the attack features stored by the feature library module are divided into the classes "attack client", "attack non-client", "client attack" and "non-client attack"; and, according to the flow direction, the packets to be detected are divided into packets sent to a client and to a non-client, and/or packets sent from a client and from a non-client.
Further, the packet matching module executes a detection rule, judges whether the class of the successfully matched attack feature agrees with the type of the packet's target end and/or source end, and if so raises an alarm and carries out the policy processing; otherwise the match is filtered out and not processed.
According to this technical scheme, the attack features of the feature library are classified, by source into client attacks and non-client attacks and by target into attacks on clients and attacks on non-clients; for a packet whose content matches a feature, the types of its source and target ends are judged and compared with the feature's classes, and only attack behaviour whose classes agree is alarmed and processed. An attack whose classes do not agree does not threaten the target protected by the current detection, is an invalid attack and is eliminated, which effectively reduces false alarms and makes attack detection alarms more targeted.

Claims (10)

1. A network attack detection method which matches an acquired data packet against a preset attack feature library, characterised in that
it judges whether the type of each successfully matched attack feature agrees with the type of the packet's target end and/or source end; and if they agree an alarm is raised, otherwise the match is filtered out and not processed.
2. The attack detection method according to claim 1, wherein judging whether the type of the successfully matched attack feature agrees with the type of the packet's target end specifically comprises: after the packet to be detected has been matched against the attack feature library, judging whether the matched feature belongs to the "attack client" or the "attack non-client" class, judging from the flow direction of the packet whether its target end is a client or a non-client, and raising an alarm when the class of the attack feature agrees with the type of the target end.
3. The attack detection method according to claim 1, wherein judging whether the type of the successfully matched attack feature agrees with the type of the packet's source end specifically comprises: after the packet to be detected has been matched against the attack feature library, judging whether the matched feature belongs to the "client attack" or the "non-client attack" class, judging from the flow direction of the packet whether its source end is a client or a non-client, and raising an alarm when the class of the attack feature agrees with the type of the source end.
4. The attack detection method according to claim 2 or 3, wherein before judging whether the type of the successfully matched attack feature agrees with the type of the packet's target end and/or source end, the method further comprises: dividing the attack features by their attack target into the classes "attack client" and "attack non-client" and storing them in the feature library, and/or dividing the attack features by their attack source into the classes "client attack" and "non-client attack" and storing them in the feature library.
5. The attack detection method according to claim 4, wherein when the type of the attack feature is consistent with the type of the target terminal and/or the source terminal, the hit detection rule is determined according to the attack feature, and an alarm processing strategy preset by the detection rule is executed.
6. The attack detection method according to claim 5, wherein creating the detection rule comprises: selecting attack features from the feature library to establish the detection rule, and adding the detection rule to the rule base; and executing the detection rule, wherein when the content of the packet matches at least one attack feature in the rule, the detection rule is hit.
7. The attack detection method according to claim 1, wherein the determining whether the type of the attack feature successfully matched matches the type of the data packet destination and/or source, specifically comprises:
creating detection rules of an attack client, an attack non-client, a client attack and a non-client attack, wherein the detection rules comprise attack characteristics of corresponding types which need to be detected and selected from a characteristic library;
dividing the packets to be detected, according to the message direction, into packets sent to a client, sent to a non-client, sent from a client and sent from a non-client;
and starting the detection rule, detecting the data packet to be detected of the corresponding type, and when at least one attack characteristic in the detection rule is successfully matched with the corresponding data packet to be detected, indicating that the detection rule is hit, and executing a preset alarm processing strategy.
8. An attack detection apparatus, comprising:
the data packet receiving module is used for receiving a data packet to be detected in a session;
the characteristic library module is used for storing attack characteristics;
the rule base module is used for storing detection rules including attack characteristics;
the data packet matching module is used for executing the detection rule, matching the data packet to be detected with the attack characteristics and judging whether the data packet is a network attack or not;
and the attack processing module is used for executing a processing strategy preset by the detection rule when the matching is successful.
9. The attack detection apparatus according to claim 8, wherein the attack features stored in the feature library module are divided into the classes "attack client", "attack non-client", "client attack" and "non-client attack"; and, according to the flow direction, the packets to be detected are divided into packets sent to a client and to a non-client, and/or packets sent from a client and from a non-client.
10. The attack detection apparatus according to claim 9, wherein the packet matching module executes a detection rule to judge whether the class of the successfully matched attack feature agrees with the type of the packet's target end and/or source end, and if so raises an alarm and carries out the policy processing; otherwise the match is filtered out and not processed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011155195.9A CN112543177A (en) 2020-10-26 2020-10-26 Network attack detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011155195.9A CN112543177A (en) 2020-10-26 2020-10-26 Network attack detection method and device

Publications (1)

Publication Number Publication Date
CN112543177A true CN112543177A (en) 2021-03-23

Family

ID=75013574

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011155195.9A Pending CN112543177A (en) 2020-10-26 2020-10-26 Network attack detection method and device

Country Status (1)

Country Link
CN (1) CN112543177A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023216792A1 (en) * 2022-05-07 2023-11-16 华为技术有限公司 Attack detection method, and apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination