CN112565290B - Intrusion prevention method, system and related equipment - Google Patents

Intrusion prevention method, system and related equipment

Info

Publication number
CN112565290B
Authority
CN
China
Prior art keywords
communication protocol
detected
data
protocol layer
risk
Legal status
Active
Application number
CN202011528024.6A
Other languages
Chinese (zh)
Other versions
CN112565290A (en
Inventor
冯学大
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202011528024.6A
Publication of CN112565290A
Application granted
Publication of CN112565290B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • H04L 69/22 Parsing or analysis of headers

Abstract

The embodiments of the invention provide an intrusion prevention method, an intrusion prevention system and related equipment, which perform multi-dimensional detection on traffic to be inspected and thereby improve network security. The method comprises the following steps: parsing the traffic to be inspected according to at least two layers of communication protocols to obtain the packet data corresponding to each communication protocol layer; matching the parsed packet data of each layer against the weak-feature database corresponding to the communication protocol layer to which it belongs; calculating a risk value for each communication protocol layer from the matching result; and judging, from the risk values of all the communication protocol layers, whether the traffic to be inspected carries a security risk.

Description

Intrusion prevention method, system and related equipment
Technical Field
The present invention relates to the field of intrusion prevention technology, and in particular to an intrusion prevention method, system and related equipment.
Background
At present, IPS (Intrusion Prevention System) engines in the industry detect network protocol data in a single mode: they typically extract a single-dimensional attack feature of a network communication protocol and write a custom Snort (intrusion detection) rule to intercept it.
In general, one Snort rule covers a vulnerability along a single dimension only, whereas the characteristics of network protocol data are usually spread across several dimensions. If the feature of a malicious packet in that one dimension is mutated for evasion, the Snort rule is easily bypassed.
To improve the detection accuracy for network protocol data, a new intrusion prevention method is therefore needed.
Disclosure of Invention
The embodiments of the invention provide an intrusion prevention method, an intrusion prevention system and related equipment, which perform multi-dimensional detection on traffic to be inspected and thereby improve network security.
A first aspect of the embodiments of the present invention provides an intrusion prevention method, which may include:
parsing the traffic to be inspected according to at least two layers of communication protocols to obtain the packet data corresponding to each communication protocol layer;
matching the parsed packet data of each layer against the weak-feature database corresponding to the communication protocol layer to which it belongs;
calculating a risk value for each communication protocol layer from the matching result;
and judging, from the risk values of all the communication protocol layers, whether the traffic to be inspected carries a security risk.
Optionally, as a possible implementation, calculating the risk value of each communication protocol layer from the matching result may include:
calculating, for each communication protocol layer, the accumulated weight of all weak features successfully matched by that layer's packet data, and taking the sum as the risk value.
Optionally, as a possible implementation, judging from the risk values of the communication protocol layers whether the traffic to be inspected carries a security risk may include:
judging whether a target communication protocol layer exists, a target communication protocol layer being one whose packet data has a risk value exceeding its detection threshold;
and if a target communication protocol layer exists, judging that the traffic to be inspected carries a security risk.
Optionally, as a possible implementation, the intrusion prevention method may further include:
judging whether the weak features successfully matched by the traffic to be inspected contain a preset combination, and if so, judging that the traffic carries a security risk.
Optionally, as a possible implementation, the intrusion prevention method may further include:
judging whether the risk values of the packet data of every communication protocol layer each exceed that layer's preset threshold, and if so, judging that the traffic carries a security risk.
Optionally, as a possible implementation, the at least two layers of communication protocols include two or three of the Internet Protocol (IP), the Transmission Control Protocol (TCP) and an application-layer protocol.
Optionally, as a possible implementation, parsing the traffic to be inspected according to at least two layers of communication protocols may include:
parsing, in sequence, the IP-layer packet, the TCP-layer segment, the HTTP header and the HTTP payload.
A second aspect of the embodiments of the present invention provides an intrusion prevention system, which may include:
a parsing module, for parsing the traffic to be inspected according to at least two layers of communication protocols to obtain the packet data corresponding to each communication protocol layer;
a matching module, for matching the parsed packet data of each layer against the weak-feature database corresponding to the communication protocol layer to which it belongs;
a calculation module, for calculating a risk value for each communication protocol layer from the matching result;
and a first processing module, for judging, from the risk values of the communication protocol layers, whether the traffic to be inspected carries a security risk.
Optionally, as a possible implementation, the calculation module may include:
a calculating unit, for calculating, for each communication protocol layer, the accumulated weight of all weak features successfully matched by that layer's packet data, and taking the sum as the risk value.
Optionally, as a possible implementation, the first processing module may include:
a judging unit, for judging whether a target communication protocol layer exists, a target communication protocol layer being one whose packet data has a risk value exceeding its detection threshold;
and an output unit, for judging that the traffic to be inspected carries a security risk if a target communication protocol layer exists.
Optionally, as a possible implementation, the intrusion prevention system may further include:
a second processing module, for judging whether the weak features successfully matched by the traffic to be inspected contain a preset combination, and if so, judging that the traffic carries a security risk.
Optionally, as a possible implementation, the intrusion prevention system may further include:
a third processing module, for judging whether the risk values of the packet data of every communication protocol layer each exceed that layer's preset threshold, and if so, judging that the traffic carries a security risk.
Optionally, as a possible implementation, the at least two layers of communication protocols include two or three of the Internet Protocol (IP), the Transmission Control Protocol (TCP) and an application-layer protocol.
Optionally, as a possible implementation, the parsing module may include:
a parsing unit, for parsing, in sequence, the IP-layer packet, the TCP-layer segment, the HTTP header and the HTTP payload.
A third aspect of the embodiments of the present invention provides a computer device comprising a processor which, when executing a computer program stored in a memory, implements the steps of the first aspect or of any of its possible implementations.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the first aspect or of any of its possible implementations.
It can be seen from the above technical solution that the embodiments of the invention have the following advantages:
the traffic to be inspected is parsed according to a multi-layer communication protocol stack, the parsed packet data of each layer is matched against the weak-feature database of the communication protocol layer to which it belongs, and whether the traffic carries a security risk is judged from the matching result. Compared with the prior art, the traffic can thus be analysed from several communication protocol layers, achieving multi-dimensional detection; this raises the block rate of the IPS engine, and because the weak features carried in the packets are detected as well, detection accuracy and network security are improved.
Drawings
FIG. 1 is a diagram of an intrusion prevention method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of another embodiment of an intrusion prevention method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an embodiment of an intrusion prevention method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an embodiment of an intrusion prevention system according to an embodiment of the invention;
FIG. 5 is a diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The embodiments of the invention provide an intrusion prevention method, an intrusion prevention system and related equipment, which perform multi-dimensional detection on traffic to be inspected and thereby improve network security.
So that those skilled in the art may better understand the technical solution of the present invention, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. The described embodiments are evidently only some of the embodiments of the present invention and not all of them; all other embodiments that a person skilled in the art can obtain from the described embodiments without inventive effort fall within the scope of protection of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments of the invention provide an intrusion prevention method that parses the traffic to be inspected across multiple communication protocol layers before detection, improving the detection accuracy for network protocol data.
For ease of understanding, a specific flow of an embodiment of the present invention is described below. Referring to FIG. 1, an embodiment of the intrusion prevention method may include:
S101, parsing the traffic to be inspected according to at least two layers of communication protocols to obtain the packet data corresponding to each communication protocol layer;
In the related art, Snort rules are typically written to intercept a single-dimensional attack feature extracted from a network communication protocol; if a strong feature of a malicious packet in that one dimension is mutated for evasion, the Snort rule fails to match and the IPS (Intrusion Prevention System) is bypassed. For this reason, the traffic to be inspected is parsed according to at least two layers of communication protocols, yielding the packet data of each of those layers, so that detection can be performed in several dimensions.
It will be understood that, in practice, the communication protocol layers to be parsed can be adjusted to suit the application-layer protocol used by the application. Taking HTTP traffic as an example, the IPS may parse, in sequence, the IP-layer packet, the TCP-layer segment, the HTTP header and the HTTP payload. Likewise, for FTP (File Transfer Protocol) traffic it may parse, in sequence, the IP-layer packet, the TCP-layer segment, the FTP header and the FTP payload.
Optionally, the communication protocol layers to be parsed may include two or three of the Internet Protocol (IP), the Transmission Control Protocol (TCP) and an application-layer protocol, without limitation here.
S102, matching the parsed packet data of each layer against the weak-feature database corresponding to the communication protocol layer to which it belongs;
To achieve multi-dimensional detection of the traffic to be inspected, a weak-feature database may be set up in advance for each communication protocol layer according to business requirements, and the IPS matches the packet data obtained by parsing against the weak-feature database of the communication protocol layer to which that data belongs.
It will be understood that, in practice, the weak-feature database of each communication protocol layer may be set according to the actual service scenario and may contain one or more weak features, a weak feature being an individual characteristic that attack packets exhibit. For example, the weak features of the IP layer may be: the number of fragments of an IP datagram exceeds a threshold; IP fragments overlap; the IP packet carries malformed options; the IP packet carries an unusually small TTL. The weak features of the TCP layer may be: a large number of small segments appear; TCP segments carry malformed options; retransmitted segments overlap; random acknowledgement numbers appear; segments arrive out of order.
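As an added illustration of the IP- and TCP-layer weak features just listed (example code written for this page, not part of the patent or of any Sangfor product), the following Python parses raw IPv4 and TCP headers and reports the per-packet features: an unusually small TTL, malformed options, overlapping fragments and an excessive fragment count, plus malformed TCP options and tiny TCP payloads. The stream-state features (retransmission overlap, random acknowledgement numbers, reordering) need a reassembly engine and are not shown. The thresholds SMALL_TTL and MAX_FRAGMENTS, the feature names and the constructed sample packets are assumptions.

```python
"""Added example (not from the patent): parse IPv4/TCP headers from raw bytes and
report the per-packet IP- and TCP-layer weak features. Thresholds are assumptions."""
import struct
from collections import defaultdict

SMALL_TTL = 5        # assumption: a TTL below this counts as "unusually small"
MAX_FRAGMENTS = 8    # assumption: more fragments than this per datagram is suspicious

def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields the weak-feature checks need."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "ttl": ttl, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000),          # More Fragments flag
            "frag_off": (flags_frag & 0x1FFF) * 8,    # fragment offset in bytes
            "options": pkt[20:ihl], "payload": pkt[ihl:total_len]}

def options_malformed(opts: bytes) -> bool:
    """TLV walk over IP or TCP options (EOL=0 and NOP=1 are single-byte kinds).
    True if a length field is below 2 or runs past the end of the option bytes."""
    i = 0
    while i < len(opts):
        if opts[i] == 0:                     # End of Option List
            return False
        if opts[i] == 1:                     # No-Operation
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return True
        i += opts[i + 1]
    return False

class FragmentTracker:
    """Per-datagram bookkeeping to spot overlapping fragments and excessive fragment counts."""
    def __init__(self):
        self.seen = defaultdict(list)   # (src, dst, id, proto) -> [(start, end), ...]

    def observe(self, ip: dict) -> set:
        hits = set()
        if not (ip["mf"] or ip["frag_off"]):   # not a fragment
            return hits
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        start, end = ip["frag_off"], ip["frag_off"] + len(ip["payload"])
        if any(start < e and s < end for s, e in self.seen[key]):
            hits.add("ip.frag_overlap")
        self.seen[key].append((start, end))
        if len(self.seen[key]) > MAX_FRAGMENTS:
            hits.add("ip.too_many_fragments")
        return hits

def ip_weak_features(ip: dict, tracker: FragmentTracker) -> set:
    hits = tracker.observe(ip)
    if ip["ttl"] < SMALL_TTL:
        hits.add("ip.small_ttl")
    if options_malformed(ip["options"]):
        hits.add("ip.bad_options")
    return hits

def tcp_weak_features(seg: bytes) -> set:
    """Per-segment TCP checks: malformed options and a tiny payload."""
    off_flags = struct.unpack("!H", seg[12:14])[0]
    data_off = (off_flags >> 12) * 4
    hits = set()
    if options_malformed(seg[20:data_off]):
        hits.add("tcp.bad_options")
    if 0 < len(seg) - data_off < 4:      # assumption: under 4 payload bytes is a "small packet"
        hits.add("tcp.small_packet")
    return hits

def build_ipv4(payload: bytes, ttl=64, ident=1, mf=False, frag_off=0, options=b"") -> bytes:
    """Constructed test datagram (checksum left zero; nothing above verifies it)."""
    opts = options + b"\x00" * (-len(options) % 4)       # pad options to a 32-bit boundary
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(opts) // 4), 0, 20 + len(opts) + len(payload),
                      ident, flags_frag, ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + opts + payload

def demo() -> dict:
    """Run the checks over constructed packets; returns sorted feature names per packet."""
    tracker = FragmentTracker()
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)  # 20-byte PSH/ACK header
    benign = parse_ipv4(build_ipv4(tcp + b"GET / HTTP/1.1\r\n"))
    evasive = parse_ipv4(build_ipv4(tcp + b"GET / HTTP/1.1\r\n", ttl=2, options=b"\x83\x10ab"))
    frag1 = parse_ipv4(build_ipv4(b"A" * 16, ident=7, mf=True, frag_off=0))
    frag2 = parse_ipv4(build_ipv4(b"B" * 16, ident=7, mf=False, frag_off=8))  # overlaps bytes 8..16
    return {"benign": sorted(ip_weak_features(benign, tracker) | tcp_weak_features(benign["payload"])),
            "evasive": sorted(ip_weak_features(evasive, tracker) | tcp_weak_features(evasive["payload"])),
            "frag1": sorted(ip_weak_features(frag1, tracker)),
            "frag2": sorted(ip_weak_features(frag2, tracker))}

if __name__ == "__main__":
    print(demo())
```

The option walk is shared between IP and TCP because both use the same kind/length TLV layout; the evasive sample declares a 16-byte option inside a 4-byte option area, which is exactly the kind of malformed header a single-dimension payload signature never looks at.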
S103, calculating a risk value for each communication protocol layer from the matching result;
The weak features successfully matched by the packet data of each communication protocol layer can be mapped to a risk value for that layer. For example, in the embodiments of the present invention a weight may be assigned to each weak feature, and the accumulated weight of all weak features matched by a layer's packet data is taken as that layer's risk value. The specific mapping algorithm may be chosen according to actual requirements and is not limited here.
S104, judging, from the risk values of all the communication protocol layers, whether the traffic to be inspected carries a security risk.
Once the risk values of the communication protocol layers are determined, whether the traffic to be inspected carries a security risk can be judged from them. For example, the decision rule may be: if the risk value of the packet data of some target communication protocol layer exceeds the detection threshold, the traffic is judged to carry a security risk. Thus, if the risk value of the IP-layer packet data alone exceeds the detection threshold, the traffic can be judged risky directly.
As another example, the decision rule may be: judge whether the risk values of the packet data of every communication protocol layer each exceed that layer's preset threshold, and if so, judge that the traffic carries a security risk.
As a further example, the decision rule may be: judge whether the sum of the risk values of the packet data across all communication protocol layers exceeds a preset threshold, and if so, judge that the traffic carries a security risk.
In the embodiments of the invention, the traffic to be inspected is parsed according to a multi-layer communication protocol stack, the parsed packet data of each layer is matched against the weak-feature database of the communication protocol layer to which it belongs, and whether the traffic carries a security risk is judged from the matching result. Compared with the prior art, the traffic can thus be analysed from several communication protocol layers, achieving multi-dimensional detection; this raises the block rate of the IPS engine, and because the weak features carried in the packets are detected as well, detection accuracy and network security are improved.
In practice, to suit a wide range of application scenarios and improve the compatibility of the network security detection method, the decision rule may be adjusted to actual requirements. Referring to FIG. 2, another embodiment of the intrusion prevention method may include:
S201, parsing the traffic to be inspected according to at least two layers of communication protocols to obtain the packet data corresponding to each communication protocol layer;
S202, matching the parsed packet data of each layer against the weak-feature database corresponding to the communication protocol layer to which it belongs;
S203, calculating a risk value for each communication protocol layer from the matching result;
Steps S201 to S203 of this embodiment are similar to steps S101 to S103 of the embodiment of FIG. 1 and are not repeated here.
S204, judging whether a target communication protocol layer exists;
In this embodiment a detection threshold may be set for each communication protocol layer according to the requirements of the service scenario. When the risk value of the packet data of some communication protocol layer exceeds that layer's detection threshold, the layer is regarded as a target communication protocol layer and detection is triggered directly (the traffic to be inspected is judged to carry a security risk).
S205, judging whether the weak features successfully matched by the traffic to be inspected contain a preset combination;
If no target communication protocol layer exists, the traffic needs further inspection. In some service scenarios, traffic that simultaneously exhibits a preset combination of certain weak features can be judged to carry a security risk. Optionally, the IPS may therefore judge whether the weak features matched by the traffic contain a preset combination and, if so, judge that the traffic carries a security risk.
S206, judging whether the risk values of the packet data of every communication protocol layer each exceed that layer's preset threshold;
If the weak features matched by the traffic do not contain a preset combination, the traffic is inspected further. Optionally, the IPS may judge whether the risk values of the packet data of every communication protocol layer each exceed that layer's preset threshold and, if so, judge that the traffic carries a security risk. The preset threshold of each communication protocol layer may be set to suit the service requirements; for example, it may be obtained by training on a large volume of previously detected abnormal traffic with machine learning.
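The weighting of steps S103/S104 and the three-stage decision of FIG. 2 (target layer, then preset combination, then all-layer thresholds), as an added Python example written for this page rather than taken from the patent. It works on the set of weak-feature names a per-layer matcher has already produced for one flow; the weights, thresholds, preset combinations and the constructed sample flows are assumptions.

```python
"""Added example (not the patent's code): weighted weak-feature risk per protocol
layer and the three-stage decision of FIG. 2. Weights, thresholds and the preset
combinations are assumptions."""
from dataclasses import dataclass, field

# Assumed weight of each weak feature, keyed "<layer>.<feature>".
WEIGHTS = {
    "ip.too_many_fragments": 3, "ip.frag_overlap": 4, "ip.bad_options": 2, "ip.small_ttl": 2,
    "tcp.small_packet": 2, "tcp.bad_options": 2, "tcp.retransmit_overlap": 4,
    "tcp.random_ack": 3, "tcp.out_of_order": 1,
    "http_hdr.chunked": 1, "http_hdr.duplicate_field": 2, "http_hdr.invisible_chars": 3,
    "http_hdr.encoding_mismatch": 4, "http_hdr.nonstandard_header": 1, "http_hdr.invalid_padding": 2,
    "http_body.encoding_function": 3, "http_body.fragmented_transfer": 3, "http_body.misjudged_rule": 1,
}
# Stage 1: a layer whose risk exceeds this is a "target layer" and decides on its own (assumed values).
DETECTION_THRESHOLD = {"ip": 6, "tcp": 6, "http_hdr": 6, "http_body": 5}
# Stage 3: every layer must exceed its own, lower, threshold (assumed values).
LAYER_THRESHOLD = {"ip": 2, "tcp": 2, "http_hdr": 2, "http_body": 2}
# Stage 2: feature combinations that are decisive together even when no layer is (assumed).
PRESET_COMBINATIONS = [
    frozenset({"ip.frag_overlap", "tcp.retransmit_overlap"}),
    frozenset({"http_hdr.chunked", "http_hdr.encoding_mismatch"}),
]

@dataclass
class Verdict:
    risky: bool
    reason: str
    risk: dict = field(default_factory=dict)

def layer_risk(matched: set) -> dict:
    """Risk value of a layer = sum of the weights of that layer's matched weak features."""
    risk = {layer: 0 for layer in DETECTION_THRESHOLD}
    for feat in matched:
        layer = feat.split(".", 1)[0]
        if layer in risk:
            risk[layer] += WEIGHTS.get(feat, 0)
    return risk

def judge(matched: set) -> Verdict:
    """S204 -> S205 -> S206 of FIG. 2, in that order."""
    risk = layer_risk(matched)
    for layer, value in risk.items():                      # S204: target layer
        if value > DETECTION_THRESHOLD[layer]:
            return Verdict(True, f"target layer {layer}: risk {value} > {DETECTION_THRESHOLD[layer]}", risk)
    for combo in PRESET_COMBINATIONS:                      # S205: preset combination
        if combo <= matched:
            return Verdict(True, "preset combination " + "+".join(sorted(combo)), risk)
    if all(risk[layer] > LAYER_THRESHOLD[layer] for layer in risk):   # S206: all layers
        return Verdict(True, "all layers above per-layer thresholds", risk)
    return Verdict(False, "no rule fired", risk)

# Constructed matched-feature sets, as a per-layer matcher would emit for four flows.
SAMPLE_FLOWS = {
    "benign": {"http_hdr.nonstandard_header"},
    "frag_attack": {"ip.frag_overlap", "ip.too_many_fragments"},          # IP risk 7 > 6
    "smuggling": {"http_hdr.chunked", "http_hdr.encoding_mismatch"},      # risk 5 only, but a preset combination
    "low_and_wide": {"ip.small_ttl", "ip.bad_options", "tcp.out_of_order", "tcp.small_packet",
                     "http_hdr.duplicate_field", "http_hdr.chunked", "http_body.encoding_function"},
}

def run_all() -> dict:
    return {name: judge(feats) for name, feats in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, v in run_all().items():
        print(f"{name:13s} risky={v.risky!s:5s} {v.reason}  {v.risk}")
```

The "low_and_wide" flow is the case the patent's third rule exists for: no single layer crosses its detection threshold and no preset combination is present, yet every layer is mildly suspicious at once, which a single-dimension rule set would pass. The order of the three stages matters for the reason reported, not for the verdict, since each stage only adds detections.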
For ease of understanding, the intrusion prevention method is described below with reference to FIG. 3 and a specific application embodiment. The method comprises the following steps:
Step 1: parse the IP layer and perform weak-feature matching;
During intrusion prevention the IP layer may be parsed first and matched against its weak features. The specific weak features of the IP layer may be: the number of fragments of an IP datagram exceeds a threshold; IP fragments overlap; the IP packet carries malformed options; the IP packet carries an unusually small TTL.
Step 2: calculate the risk value of the IP layer and judge whether it exceeds the detection threshold;
A weight may be assigned to each weak feature, and the accumulated weight of all weak features matched by the packet data of the layer is taken as its risk value. Whether the IP-layer risk value exceeds the detection threshold is then judged: if it does, the traffic is flagged; otherwise, proceed to the next step.
Step 3: parse the TCP layer and perform weak-feature matching;
Specifically, the weak features of the TCP layer may be: a large number of small segments appear; TCP segments carry malformed options; retransmitted segments overlap; random acknowledgement numbers appear; segments arrive out of order.
Step 4: calculate the risk value of the TCP layer and judge whether it exceeds the detection threshold;
The risk value is computed as in Step 2, as the accumulated weight of the matched weak features, and compared with the TCP-layer detection threshold: if it exceeds the threshold, the traffic is flagged; otherwise, proceed to the next step.
Step 5: parse the HTTP header and perform weak-feature matching;
Specifically, the weak features of the HTTP header may be: chunked transfer encoding; duplicated header fields; insertion of invisible characters for obfuscation; a declared encoding that does not match what is actually transmitted; non-standard protocol headers; padding with invalid header fields.
Step 6: calculate the risk value of the HTTP header and judge whether it exceeds the detection threshold;
The risk value is computed as in Step 2 and compared with the HTTP-header detection threshold: if it exceeds the threshold, the traffic is flagged; otherwise, proceed to the next step.
Step 7: parse the HTTP payload and perform weak-feature matching;
Specifically, the weak features of the HTTP payload may be: use of encoding-type system functions that can enable a bypass; constructs that can enable cross-connection bypass attacks (for example cross-text bypass or fragmented transfer); patterns that tend to trigger rule misjudgement.
Step 8: calculate the risk value of the HTTP payload and judge whether it exceeds the detection threshold;
The risk value is computed as in Step 2 and compared with the HTTP-payload detection threshold: if it exceeds the threshold, the traffic is flagged; otherwise, proceed to the next step.
Step 9: judge, according to a custom algorithm, whether the traffic to be inspected carries a security risk;
The IPS may judge whether the weak features matched by the traffic contain a preset combination and, if so, judge that the traffic carries a security risk. The specific preset combinations of weak features may be customised according to business requirements and are not limited here.
Step 10: judge, according to a generic template algorithm, whether the traffic to be inspected carries a security risk.
If the weak features matched by the traffic do not contain a preset combination, the traffic is inspected further. Optionally, the IPS may judge whether the risk values of the packet data of every communication protocol layer each exceed that layer's preset threshold and, if so, judge that the traffic carries a security risk.
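For the HTTP-header weak features of Step 5, the following added Python example (written for this page; not the patent's or Sangfor's code) extracts them from a raw request: chunked transfer encoding, duplicated fields, invisible control characters, a declared Content-Length or chunked encoding that does not match the body actually transmitted, header names outside an assumed standard allowlist, and whitespace padding around field names (a colon preceded by a space, or an obs-fold line). The allowlist, the interpretation of each feature and the constructed requests are assumptions.

```python
"""Added example (not from the patent): extract the HTTP-header weak features of
Step 5 from a raw request. The allowlist and feature interpretations are assumptions."""
import re

STANDARD_HEADERS = {   # assumed allowlist; any other field name counts as a non-standard header
    "host", "user-agent", "accept", "accept-encoding", "accept-language", "connection",
    "content-length", "content-type", "transfer-encoding", "cookie", "authorization",
    "referer", "cache-control", "pragma", "upgrade", "origin",
}
CTRL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")   # control bytes other than HTAB, CR, LF

def split_request(raw: bytes):
    """Request line, header lines and body; the head ends at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body

def chunked_body_valid(body: bytes) -> bool:
    """Walk hex-sized chunks; valid only if the body ends with a zero-size chunk."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False
        try:
            size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        except ValueError:
            return False
        pos = eol + 2
        if size == 0:
            return body[pos:pos + 2] == b"\r\n"
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False
        pos += size + 2

def http_header_weak_features(raw: bytes) -> set:
    _request_line, header_lines, body = split_request(raw)
    hits, names, fields = set(), [], {}
    for line in header_lines:
        if CTRL.search(line):
            hits.add("http_hdr.invisible_chars")
        name, sep, value = line.partition(b":")
        # no colon, obs-fold (leading whitespace) or whitespace between name and colon
        if not sep or line[:1] in (b" ", b"\t") or name != name.rstrip():
            hits.add("http_hdr.invalid_padding")
        key = CTRL.sub(b"", name).strip().lower().decode("latin-1")
        names.append(key)
        fields.setdefault(key, []).append(value.strip())
        if key not in STANDARD_HEADERS:
            hits.add("http_hdr.nonstandard_header")
    if len(names) != len(set(names)):
        hits.add("http_hdr.duplicate_field")
    if b"chunked" in b",".join(fields.get("transfer-encoding", [])).lower():
        hits.add("http_hdr.chunked")
        if not chunked_body_valid(body):              # declared chunked, body is not
            hits.add("http_hdr.encoding_mismatch")
    for cl in fields.get("content-length", []):       # declared length vs. bytes actually sent
        if not cl.isdigit() or int(cl) != len(body):
            hits.add("http_hdr.encoding_mismatch")
    return hits

# Constructed requests: a clean GET, a well-formed chunked POST, and one stacking evasions.
CLEAN = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: probe\r\n"
         b"Accept: */*\r\n\r\n")
CHUNKED_OK = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
              b"4\r\nabcd\r\n0\r\n\r\n")
EVASIVE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
           b"Content-Length: 9\r\nTransfer-Encoding : chunked\r\nX-Hdr\x0b: 1\r\n\r\nabcdef")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("chunked_ok", CHUNKED_OK), ("evasive", EVASIVE)):
        print(label, sorted(http_header_weak_features(req)))
```

Note that the well-formed chunked POST still yields the single feature "http_hdr.chunked": on its own that is legitimate traffic, which is why the patent treats it as a weak feature with a weight rather than as a signature, and why the per-layer threshold and the combination rule, not any one feature, decide.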
Compared with the prior art, the traffic to be inspected can thus be analysed from several communication protocol layers, achieving multi-dimensional detection; this raises the block rate of the IPS engine, and because the weak features carried in the packets are detected as well, detection accuracy and network security are improved.
Referring to fig. 4, an embodiment of the present invention further provides an intrusion prevention system, which includes:
a parsing module 401, configured to parse the traffic data to be detected based on at least two layers of communication protocols to obtain message data corresponding to each communication protocol layer;
a matching module 402, configured to match the parsed message data against the weak-feature databases corresponding to the communication protocol layers to which the message data belong;
a calculating module 403, configured to calculate the risk value of each communication protocol layer according to the matching result;
a first processing module 404, configured to judge whether the traffic data to be detected has a security risk according to the risk value of each communication protocol layer.
Optionally, as a possible implementation manner, the calculating module in the embodiment of the present invention may include:
a calculating unit, configured to calculate, for each communication protocol layer, the accumulated weight of all weak features successfully matched against the message data of that layer as its risk value.
Optionally, as a possible implementation manner, the first processing module in the embodiment of the present invention may include:
a judging unit, configured to judge whether a target communication protocol layer exists, a target communication protocol layer being one whose message data has a risk value exceeding a detection threshold;
an output unit, configured to judge that the traffic data to be detected has a security risk if a target communication protocol layer exists.
Optionally, as a possible implementation manner, the intrusion prevention system in the embodiment of the present invention may further include:
a second processing module, configured to judge whether the weak features successfully matched against the traffic data to be detected contain a preset combination, and if so, judge that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, the intrusion prevention system in the embodiment of the present invention may further include:
a third processing module, configured to judge whether the risk values of the message data corresponding to each communication protocol layer are all greater than their respective preset thresholds, and if so, judge that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, in the embodiment of the present invention the at least two layers of communication protocols include two or three of the Internet Protocol (IP), the Transmission Control Protocol (TCP) and an application-layer protocol.
Optionally, as a possible implementation manner, the parsing module in the embodiment of the present invention may include:
a parsing unit, configured to sequentially parse the IP-layer data message, the TCP-layer data message, the HTTP header data message and the HTTP payload.
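The per-layer scoring and the three decision rules of steps 9 and 10 and modules 401-404, written as an added example that is not the patent's own code. The weak-feature databases, weights, thresholds, HTTP-over-TCP/IPv4 parser and sample packets are all constructed for this illustration; a real IPS would load its databases from signature feeds and tune weights and thresholds per deployment.

```python
"""Multi-layer weak-feature scoring, added as an illustration of steps 9-10 and
modules 401-404 above; not the patent's code. Databases, weights, thresholds and
sample packets are constructed for the example."""
import struct

def parse_layers(pkt: bytes) -> dict:
    """Sequentially parse IP header, TCP header, HTTP header and HTTP payload."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = {"ttl": pkt[8], "proto": pkt[9],
          "src": ".".join(str(b) for b in pkt[12:16]),
          "dst": ".".join(str(b) for b in pkt[16:20])}
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    tcp = {"sport": sport, "dport": dport, "flags": off_flags & 0x01FF}
    app = pkt[ihl + (off_flags >> 12) * 4:]          # TCP data offset is in 32-bit words
    head, _, body = app.partition(b"\r\n\r\n")       # HTTP header block / payload split
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"ip": ip, "tcp": tcp,
            "http_header": {"request_line": lines[0], "headers": headers},
            "http_payload": {"body": body}}

# Per-layer weak-feature databases (constructed): (name, predicate, weight).
# No single weak feature is conclusive on its own; weights accumulate per layer.
WEAK_FEATURES = {
    "ip": [("low_ttl", lambda d: d["ttl"] < 10, 2)],
    "tcp": [("uncommon_port", lambda d: d["dport"] not in (80, 443), 1),
            ("syn_and_fin", lambda d: (d["flags"] & 0x03) == 0x03, 5)],
    "http_header": [("no_host", lambda d: "host" not in d["headers"], 2),
                    ("scripted_ua", lambda d: "python" in
                     d["headers"].get("user-agent", "").lower(), 1)],
    "http_payload": [("sql_keyword", lambda d: b"union select" in d["body"].lower(), 3),
                     ("sql_comment", lambda d: b"--" in d["body"], 1)],
}
DETECTION_THRESHOLD = 5                                  # rule 1: any single layer above this
PRESET_COMBINATIONS = [{"scripted_ua", "sql_keyword"}]   # rule 2 (step 9): user-defined combos
LAYER_THRESHOLDS = {"ip": 1, "tcp": 0, "http_header": 1, "http_payload": 2}  # rule 3 (step 10)

def match_and_score(layers: dict):
    """Match each layer against its own database; risk value = accumulated weight."""
    matched, risk = {}, {}
    for layer, fields in layers.items():
        hits = [(n, w) for n, pred, w in WEAK_FEATURES[layer] if pred(fields)]
        matched[layer] = {n for n, _ in hits}
        risk[layer] = sum(w for _, w in hits)
    return matched, risk

def decide(matched: dict, risk: dict):
    """Apply the three decision rules in turn; return (verdict, reason)."""
    all_hits = set().union(*matched.values())
    if any(v > DETECTION_THRESHOLD for v in risk.values()):
        return True, "a layer exceeds the detection threshold"
    if any(combo <= all_hits for combo in PRESET_COMBINATIONS):
        return True, "preset weak-feature combination present"
    if all(risk[l] > LAYER_THRESHOLDS[l] for l in risk):
        return True, "every layer exceeds its own threshold"
    return False, "no risk"

def has_security_risk(pkt: bytes):
    return decide(*match_and_score(parse_layers(pkt)))

def build_packet(ttl: int, dport: int, flags: int, http: bytes) -> bytes:
    """Construct a raw IPv4/TCP packet (checksums left zero) carrying `http`."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http), 0, 0, ttl, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + http

# Constructed sample traffic: a normal request, one that hits a preset
# combination, and one whose TCP layer alone exceeds the detection threshold.
BENIGN = build_packet(64, 80, 0x18, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                      b"User-Agent: Mozilla/5.0\r\n\r\n")
COMBO = build_packet(64, 80, 0x18, b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
                     b"User-Agent: python-requests/2.25\r\n\r\nuser=a' UNION SELECT 1,2 --")
MALFORMED = build_packet(64, 8080, 0x03, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
```

Note that the rules are ordered so that a single strong layer signal (rule 1) is reported before the cross-layer rules; in COMBO no layer crosses the detection threshold, yet the combination of a scripted client and a payload feature still produces a verdict.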
Those skilled in the art will understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
The intrusion prevention system of the embodiment has been described above from the perspective of modular functional entities; referring to fig. 5, the computer apparatus of the embodiment is described below from the perspective of hardware processing.
The computer apparatus 1 may include a memory 11, a processor 12 and an input/output bus 13. The processor 12, when executing the computer program, implements the steps of the intrusion prevention method embodiment shown in fig. 1, such as steps 101 to 103 shown in fig. 1. Alternatively, the processor, when executing the computer program, implements the functions of each module or unit in the apparatus embodiments described above.
In some embodiments of the present invention, the processor is specifically configured to implement the following steps:
parsing the traffic data to be detected based on at least two layers of communication protocols to obtain message data corresponding to each communication protocol layer;
matching the parsed message data against the weak-feature databases corresponding to the communication protocol layers to which the message data belong;
calculating the risk value of each communication protocol layer according to the matching result;
judging whether the traffic data to be detected has a security risk according to the risk values of all the communication protocol layers.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
calculating, for each communication protocol layer, the accumulated weight of all weak features successfully matched against the message data of that layer as its risk value.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
judging whether a target communication protocol layer exists, a target communication protocol layer being one whose message data has a risk value exceeding a detection threshold;
if the target communication protocol layer exists, judging that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
judging whether the weak features successfully matched against the traffic data to be detected contain a preset combination, and if so, judging that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
judging whether the risk values of the message data corresponding to each communication protocol layer are all greater than their respective preset thresholds, and if so, judging that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
sequentially parsing the IP-layer data message, the TCP-layer data message, the HTTP header data message and the HTTP payload.
The memory 11 includes at least one type of readable storage medium, such as flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), a magnetic memory, a magnetic disk or an optical disk. In some embodiments the memory 11 may be an internal storage unit of the computer apparatus 1, for example a hard disk of the computer apparatus 1. In other embodiments the memory 11 may also be an external storage device of the computer apparatus 1, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card provided on the computer apparatus 1. Further, the memory 11 may include both an internal storage unit and an external storage device of the computer apparatus 1. The memory 11 may be used not only to store application software installed in the computer apparatus 1 and various types of data, such as the code of the computer program 01, but also to temporarily store data that has been output or is to be output.
The processor 12 may in some embodiments be a Central Processing Unit (CPU), controller, microcontroller, microprocessor or other data processing chip, and is used for executing program code stored in the memory 11 or processing data, such as executing the computer program 01.
The input/output bus 13 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc.
Further, the computer apparatus 1 may comprise a wired or wireless network interface 14, which may optionally comprise a wired interface and/or a wireless interface (such as a Wi-Fi interface or a Bluetooth interface) and is generally used for establishing a communication connection between the computer apparatus 1 and other electronic devices.
Optionally, the computer apparatus 1 may further include a user interface, which may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. In some embodiments the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the computer apparatus 1 and for displaying a visualized user interface.
Fig. 5 shows only the computer apparatus 1 with the components 11-14 and the computer program 01; a person skilled in the art will understand that the structure shown in fig. 5 does not limit the computer apparatus 1, which may comprise fewer or more components than shown, a combination of certain components, or a different arrangement of components.
The present invention also provides a computer-readable storage medium having a computer program stored thereon which, when executed by a processor, performs the steps of:
parsing traffic data to be detected based on at least two layers of communication protocols to obtain message data corresponding to each communication protocol layer;
matching the parsed message data against the weak-feature databases corresponding to the communication protocol layers to which the message data belong;
calculating the risk value of each communication protocol layer according to the matching result;
judging whether the traffic data to be detected has a security risk according to the risk values of all the communication protocol layers.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
calculating, for each communication protocol layer, the accumulated weight of all weak features successfully matched against the message data of that layer as its risk value.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
judging whether a target communication protocol layer exists, a target communication protocol layer being one whose message data has a risk value exceeding a detection threshold;
if the target communication protocol layer exists, judging that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
judging whether the weak features successfully matched against the traffic data to be detected contain a preset combination, and if so, judging that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
judging whether the risk values of the message data corresponding to each communication protocol layer are all greater than their respective preset thresholds, and if so, judging that the traffic data to be detected has a security risk.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following step:
sequentially parsing the IP-layer data message, the TCP-layer data message, the HTTP header data message and the HTTP payload.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division into units is only one logical division, and other divisions are possible in practice; a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be realized in the form of hardware or in the form of a software functional unit. If the integrated unit is implemented as a software functional unit and sold or used as a stand-alone product, it may be stored in a computer-readable storage medium. On this basis, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk or any other medium capable of storing program code.
The embodiments above are used only to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. An intrusion prevention method, comprising:
parsing traffic data to be detected based on at least two layers of communication protocols to obtain message data corresponding to each communication protocol layer, wherein the communication protocol layers are determined according to the type of application-layer protocol adopted by an application program;
matching the parsed message data against the weak-feature databases corresponding to the communication protocol layers to which the message data belong;
calculating the risk value of each communication protocol layer according to the matching result;
judging whether the traffic data to be detected has a security risk according to the risk values of all communication protocol layers;
wherein calculating the risk value of each communication protocol layer according to the matching result comprises:
calculating, for each communication protocol layer, the accumulated weight of all weak features successfully matched against the message data of that layer as its risk value.
2. The method according to claim 1, wherein judging whether the traffic data to be detected has a security risk according to the risk value of each communication protocol layer comprises:
judging whether a target communication protocol layer exists, a target communication protocol layer being one whose message data has a risk value exceeding a detection threshold;
if the target communication protocol layer exists, judging that the traffic data to be detected has a security risk.
3. The method according to claim 2, further comprising:
judging whether the weak features successfully matched against the traffic data to be detected contain a preset combination, and if so, judging that the traffic data to be detected has a security risk.
4. The method according to claim 3, further comprising:
judging whether the risk values of the message data corresponding to each communication protocol layer are all greater than their respective preset thresholds, and if so, judging that the traffic data to be detected has a security risk.
5. The method according to any one of claims 1 to 4, wherein the at least two layers of communication protocols comprise two or three of the Internet Protocol (IP), the Transmission Control Protocol (TCP) and an application-layer protocol.
6. The method according to any one of claims 1 to 4, wherein parsing the traffic data to be detected based on at least two layers of communication protocols comprises:
sequentially parsing an IP-layer data message, a TCP-layer data message, an HTTP header data message and an HTTP payload.
7. An intrusion prevention system, comprising:
a parsing module, configured to parse traffic data to be detected based on at least two layers of communication protocols to obtain message data corresponding to each communication protocol layer, wherein the communication protocol layers are determined according to the type of application-layer protocol adopted by an application program;
a matching module, configured to match the parsed message data against the weak-feature databases corresponding to the communication protocol layers to which the message data belong;
a calculating module, configured to calculate the risk value of each communication protocol layer according to the matching result;
a first processing module, configured to judge whether the traffic data to be detected has a security risk according to the risk values of all communication protocol layers;
wherein the calculating module comprises:
a calculating unit, configured to calculate, for each communication protocol layer, the accumulated weight of all weak features successfully matched against the message data of that layer as its risk value.
8. A computer apparatus, characterized in that the computer apparatus comprises a processor configured to implement the steps of the method according to any one of claims 1 to 6 when executing a computer program stored in a memory.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011528024.6A CN112565290B (en) 2020-12-22 2020-12-22 Intrusion prevention method, system and related equipment

Publications (2)

Publication Number Publication Date
CN112565290A CN112565290A (en) 2021-03-26
CN112565290B true CN112565290B (en) 2022-11-22

Family

ID=75031270


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant