CN112615870A - Method and device for detecting attack behavior based on NTP message data - Google Patents


Info

Publication number
CN112615870A
Authority
CN
China
Prior art keywords
field
data
extended
attack behavior
filling
Prior art date
Legal status
Pending
Application number
CN202011531760.7A
Other languages
Chinese (zh)
Inventor
杨鹤
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202011531760.7A
Publication of CN112615870A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method and device for detecting attack behavior based on NTP message data, used to detect whether large-data-volume attack behavior exists in NTP message data and to improve the security of the receiving equipment. The method comprises the following steps: acquiring NTP message data; judging whether an extended field padding field exists in the NTP message data; when an extended field padding field exists, judging, based on a random forest algorithm model, whether attack behavior exists in the extended field padding field; and outputting information corresponding to the judgment result of the random forest algorithm model. With the scheme provided by this application, the extended field padding field, which is able to carry large-data-volume attack behavior, is inspected, so that large-data-volume attack behavior in NTP message data is detected and the security of equipment receiving NTP message data is improved.

Description

Method and device for detecting attack behavior based on NTP message data
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for detecting an attack behavior based on NTP message data.
Background
NTP is the Network Time Protocol. A large number of open, distributed NTP servers exist on the network, the NTP service listens on the widely open UDP port 123, and NTP messages are carried over unreliable UDP, so the NTP protocol is very easy for attackers to use for covert channel attacks. Research on methods for detecting covert channel attack behavior based on the NTP protocol is therefore important for network security protection.
In the existing attack behavior detection approach for the NTP protocol, the least significant bit of the NTP timestamp is examined with a Bayesian classification model to identify secret data in the NTP protocol. Covert tunneling based on the least significant bit of the timestamp only changes the timestamp slightly, so that it still looks like a valid time while allowing confidential data to be transmitted. Because the least significant bit of the timestamp is only bit 0 of the binary value and therefore cannot carry much data, a detection approach based on the least significant bit of the timestamp can only detect a few small-data-volume attack behaviors; large-data-volume attack behaviors such as file transfer and remote desktop control hidden in NTP message data are difficult to detect and discover, which leaves a serious hidden danger to the security of equipment receiving NTP data.
Therefore, how to provide an attack behavior detection method based on NTP message data that detects whether large-data-volume attack behavior exists in the NTP message data, so as to improve the security of the device, is a technical problem that urgently needs to be solved.
Disclosure of Invention
An object of the embodiments of the present application is to provide an attack behavior detection method and apparatus based on NTP message data, so as to detect whether there is a large amount of data attack behavior in the NTP message data, and improve the security of the device.
In order to solve the technical problem, the embodiment of the application adopts the following technical scheme: an attack behavior detection method based on NTP message data comprises the following steps:
acquiring NTP message data;
judging whether an extended field filling field exists in the NTP message data or not;
when an extended domain filling field exists, judging whether an attack behavior exists in the extended domain filling field based on a random forest algorithm model;
and outputting information corresponding to the judgment result of the random forest algorithm model.
The beneficial effects of the embodiment of the application are: after NTP message data is obtained, it is judged whether an extended field padding field capable of carrying large-data-volume attack behavior exists in the NTP message data; if so, it is judged whether attack behavior exists in the extended field padding field. By inspecting the extended field padding field capable of carrying large-data-volume attack behavior, the detection of large-data-volume attack behavior in NTP message data is achieved, and the security of equipment receiving NTP message data is improved.
In one embodiment, judging whether attack behavior exists in the extended field padding field based on a random forest algorithm model includes:
preprocessing the extended field padding field;
and inputting the preprocessed extended field padding field into the random forest algorithm model.
In one embodiment, preprocessing the extended field padding field includes:
judging the integrity of the data in the extended field padding field;
and when the data in the extended field padding field is complete, generating a feature vector corresponding to the data.
In one embodiment, the method further comprises:
after generating the feature vectors corresponding to the data, judging whether the number of the feature vectors is in a first range;
when the number of the feature vectors is in a first range, inputting the feature vectors into a classification algorithm model;
when the number of feature vectors is outside the first range, NTP data is re-extracted.
In one embodiment, determining the integrity of the data in the extended field padding field includes:
judging whether the byte count of the extended field padding field is within a second range;
when the byte count of the extended field padding field is within the second range, judging whether a preset feature of the extended field padding field is missing;
and when no preset feature of the extended field padding field is missing, determining that the data in the extended field padding field is complete.
In one embodiment, the method further comprises:
acquiring a least significant bit field in the NTP message data;
and judging whether the attack behavior exists in the least significant bit field based on a random forest algorithm model.
In one embodiment, outputting information corresponding to the judgment result of the random forest algorithm model includes:
when no attack behavior exists in the extended field padding field, displaying a prompt that the NTP message is legitimate;
and when attack behavior exists in the extended field padding field, displaying a prompt that attack behavior exists in the NTP message data, and sending alarm information.
The present application further provides an attack behavior detection apparatus based on NTP message data, including:
an acquisition module, used to acquire NTP message data;
a first judging module, used to judge whether an extended field padding field exists in the NTP message data;
a second judging module, used to judge, when an extended field padding field exists, whether attack behavior exists in the extended field padding field based on the random forest algorithm model;
and an output module, used to output information corresponding to the judgment result of the random forest algorithm model.
In one embodiment, the second judging module includes:
a preprocessing submodule, used to preprocess the extended field padding field;
and an input submodule, used to input the preprocessed extended field padding field into the random forest algorithm model.
In one embodiment, the preprocessing submodule is specifically configured to:
judge the integrity of the data in the extended field padding field;
and when the data in the extended field padding field is complete, generate a feature vector corresponding to the data.
Drawings
Fig. 1 is a flowchart of an attack behavior detection method based on NTP message data in an embodiment of the present application;
Fig. 2 is a flowchart of an attack behavior detection method based on NTP message data in an embodiment of the present application;
Fig. 3 is a schematic diagram illustrating the data flow when a random forest algorithm model is trained according to an embodiment of the present application;
Fig. 4 is a schematic data flow diagram illustrating detection of attack behavior by a trained classification algorithm model module according to an embodiment of the present application;
Fig. 5 is a flowchart of an attack behavior detection method based on NTP message data in an embodiment of the present application;
Fig. 6 is a flowchart of an attack behavior detection method based on NTP message data in an embodiment of the present application;
Fig. 7 is a flowchart of an attack behavior detection method based on NTP message data in a general embodiment of the present application;
Fig. 8 is a block diagram of an attack behavior detection apparatus based on NTP message data according to an embodiment of the present application;
Fig. 9 is a block diagram of an attack behavior detection apparatus based on NTP message data in an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It is also to be understood that although the present application has been described with reference to some specific examples, those skilled in the art are able to ascertain many other equivalents to the practice of the present application.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the application with unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
Fig. 1 is a flowchart of an attack behavior detection method based on NTP message data according to an embodiment of the present application, where the method includes the following steps S11-S14:
in step S11, NTP message data is acquired;
in step S12, it is determined whether an extended field padding field exists in the NTP message data;
in step S13, when an extended field padding field exists, it is determined, based on a random forest algorithm model, whether attack behavior exists in the extended field padding field;
in step S14, information corresponding to the judgment result of the random forest algorithm model is output.
NTP, the Network Time Protocol, is a network clock synchronization protocol designed to achieve high-precision time synchronization. NTP uses a hierarchical time distribution model, is highly flexible, can adapt to a variety of internet environments, and is the recognized time synchronization tool on the internet.
There are four timestamp fields in an NTP message: the reference timestamp, originate timestamp, receive timestamp and transmit timestamp. The timestamp field is coded in two's complement form. The prior art mainly detects confidential data transmitted in the least significant bit of the packet timestamp. The least significant bit refers to bit 0 (the lowest-order bit) of a binary number. Three features of the timestamp least significant bits are extracted: the information entropy, the mean value and the transition probability. The information entropy measures the probability of occurrence of particular information (the probability of discrete random events): the more ordered a system is, the lower its information entropy, and conversely the more chaotic a system is, the higher its information entropy. The mean value is the sum of a group of data divided by the number of items in the group. The transition probability is defined as follows: a sequence with m states starts from any state and, after any transition, must arrive at one of the states 1, 2, ..., m; the probability of transitioning between these states is called the transition probability. A Bayesian classifier algorithm model is then used: according to the statistical principle, the Bayesian classifier first calculates the prior probability of a certain event (the probability that the event occurs, obtained from experience and time analysis), and then obtains the posterior probability (which category the event belongs to) through the Bayesian formula, thereby detecting the secret data in the NTP protocol.
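As an added illustration (not code from the patent), the following Python extracts the transmit-timestamp least significant bit from a sequence of NTP headers and computes the three features named above over that bit sequence. The packet builder, the sample flow and the reading of "transition probability" as the empirical 2x2 first-order transition matrix are this example's own assumptions.

```python
import math
import struct
from collections import Counter

NTP_HEADER_LEN = 48  # bytes; the transmit timestamp occupies bytes 40..47


def build_ntp_header(tx_seconds: int, tx_fraction: int) -> bytes:
    """Constructed 48-byte NTPv4 client header (LI=0, VN=4, mode=3).

    Every field is zero except the Transmit Timestamp, which is a 32-bit
    seconds part followed by a 32-bit fraction part (both big-endian).
    """
    return bytes([0x23]) + bytes(39) + struct.pack("!II", tx_seconds, tx_fraction)


def transmit_timestamp_lsb(packet: bytes) -> int:
    """Bit 0 of the transmit timestamp's fraction part, i.e. the least
    significant bit that a timestamp covert channel would modulate."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    _seconds, fraction = struct.unpack("!II", packet[40:48])
    return fraction & 1


def lsb_features(bits: list) -> dict:
    """The three features the page names for the LSB sequence of a flow:
    information entropy, mean value and transition probability.

    Transition probability is taken here (an assumption of this example) as
    the empirical 2x2 matrix P[a][b] = P(next bit = b | current bit = a).
    """
    n = len(bits)
    if n < 2:
        raise ValueError("need at least two packets to estimate transitions")
    counts = Counter(bits)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    mean = sum(bits) / n
    pair_counts = Counter(zip(bits, bits[1:]))
    prev_counts = Counter(bits[:-1])
    transition = {
        a: {b: (pair_counts[(a, b)] / prev_counts[a] if prev_counts[a] else 0.0)
            for b in (0, 1)}
        for a in (0, 1)
    }
    return {"entropy": entropy, "mean": mean, "transition": transition}


def flow_lsb_features(packets: list) -> dict:
    """Feature vector for one flow: LSB of each packet's transmit timestamp."""
    return lsb_features([transmit_timestamp_lsb(p) for p in packets])


# Constructed sample flow: fraction parts chosen so the LSB sequence is
# 0,1,1,0,1,0,0,1 (an evenly mixed sequence, as an embedded bit stream would be).
SAMPLE_FLOW = [build_ntp_header(3_900_000_000 + i, f)
               for i, f in enumerate((0, 1, 3, 2, 5, 4, 6, 7))]

if __name__ == "__main__":
    print(flow_lsb_features(SAMPLE_FLOW))
```

For legitimate clocks the LSB sequence is close to random as well, which is why the page notes that this feature set can only expose a few small-data-volume channels.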
The extended field padding field consists of one or more extension fields added after the protocol header and before the MAC check field in the latest version of the NTP protocol, NTPv4. The contents of an extension field are not strictly defined; the only constraint is a minimum padded length of 16 bytes, with no requirement on the maximum padded length. Therefore, taking the maximum UDP packet length of 512 bytes and removing the 8-byte UDP header and the 48-byte NTP header, the padding field can be extended to a considerable 456 bytes, which is basically enough for large-data-volume attack behaviors such as file transfer and remote desktop control. The extended field padding field in the NTPv4 protocol is therefore likely to be used by illegal users to carry large-data-volume attack behavior.
In view of the above problem, in this embodiment NTP message data is acquired. Among the NTP protocol versions, only NTPv4 has an extended field padding field, so it is necessary to determine whether the NTP message data has an extended field padding field. When an extended field padding field exists, it is judged, based on a random forest algorithm model, whether attack behavior exists in the extended field padding field, and information corresponding to the judgment result of the random forest algorithm model is output.
Specifically, judging whether attack behavior exists in the extended field padding field based on the random forest algorithm model may include: preprocessing the extended field padding field; and inputting the preprocessed extended field padding field into the random forest algorithm model.
Preprocessing the extended field padding field may include: judging the integrity of the data in the extended field padding field; and when the data in the extended field padding field is complete, generating a feature vector corresponding to the data.
After the feature vectors corresponding to the data are generated, it is judged whether the number of feature vectors is within a first range before the extended field padding field is preprocessed; specifically, if the number of feature vectors is within the first range, the feature vectors are input into the classification algorithm model, and if the amount of data is insufficient or excessive, the data is considered illegal and NTP data is re-extracted.
Determining the integrity of the data in the extended field padding field includes:
judging whether the byte count of the extended field padding field is within a second range. As mentioned above, the contents of an extension field are not strictly defined; the only constraint is a minimum padded length of 16 bytes, with no requirement on the maximum padded length. Taking the maximum UDP packet length of 512 bytes and removing the 8-byte UDP header and the 48-byte NTP header, the padding field can be extended to a considerable 456 bytes, so the second range can be [16, 456]. It is judged whether the byte count of the extracted extension field is within the second range [16, 456]; if not, the data is considered incomplete and NTP data is re-extracted; if so, the data is considered complete, and it is then judged whether a preset feature of the extended field padding field is missing. For example, the preset features may be the field length, the field information entropy and the field Markov following probability, and whether a preset feature of the extended field padding field is missing can be determined specifically by the following formulas:
the field length calculation formula is as follows:
L(X)=count(x)
where x denotes a character in the field X.
The information entropy calculation formula is as follows:
Figure BDA0002851045790000081
where X denotes the field information, x denotes a character in the field information X, and p(x) is the probability of that character.
The Markov following probability formula is:
Figure BDA0002851045790000091
from the hidden markov model, a joint probability distribution of the observation sequence can be calculated:
Figure BDA0002851045790000092
where (x_i, y_i) is a pair of adjacent characters in the character information, y_i being the first character and x_i the second.
The ratio of letters to numbers is given by the formula:
Figure BDA0002851045790000093
Figure BDA0002851045790000094
where z denotes a letter in X, s denotes a digit in X, and L(X) is the length of field X.
When a preset feature of the extended field padding field is missing, the feature is recalculated.
When no preset feature of the extended field padding field is missing, the data in the extended field padding field is determined to be complete.
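As an added example (not the patent's own code), the following Python performs the extension field extraction and integrity check described above: it walks the NTPv4 extension fields between the 48-byte header and the MAC, applies the second range [16, 456], and computes the field length, information entropy, Markov following probability and letter/digit ratios for the random forest input. The field layout follows RFC 5905; the MAC-length heuristic, the averaged-transition reading of the Markov feature and the constructed sample packets are this example's assumptions.

```python
import math
import struct
from collections import Counter

NTP_HEADER_LEN = 48
UDP_HEADER_LEN = 8
MAX_UDP_PACKET = 512                 # packet size assumed by the page
# The page's "second range" for the extension field byte count: [16, 456].
SECOND_RANGE = (16, MAX_UDP_PACKET - UDP_HEADER_LEN - NTP_HEADER_LEN)
# Trailer lengths that are a MAC rather than an extension field: a 4-byte key
# id plus a 16- or 20-byte digest, or a bare 4-byte key id (crypto-NAK).
MAC_TRAILER_LENGTHS = {4, 20, 24}


def extension_field_bytes(packet: bytes) -> bytes:
    """Return the extension-field region between the 48-byte header and the
    MAC of an NTPv4 packet, or b'' if the packet carries none.

    Each extension field begins with a 16-bit type and a 16-bit length that
    covers the whole field; the length must be a multiple of 4 and at least
    16. The walk stops at the first malformed field (assumption: only
    well-formed fields are handed to the classifier).
    """
    if len(packet) < NTP_HEADER_LEN or ((packet[0] >> 3) & 0x07) != 4:
        return b""                   # only NTPv4 defines extension fields
    body = packet[NTP_HEADER_LEN:]
    pos = 0
    while len(body) - pos >= 4 and (len(body) - pos) not in MAC_TRAILER_LENGTHS:
        _ftype, flen = struct.unpack("!HH", body[pos:pos + 4])
        if flen < 16 or flen % 4 or pos + flen > len(body):
            break
        pos += flen
    return body[:pos]


def field_length(x: bytes) -> int:
    return len(x)                    # L(X) = count(x)


def information_entropy(x: bytes) -> float:
    """Shannon entropy in bits over the byte values of the field."""
    n = len(x)
    return -sum(c / n * math.log2(c / n) for c in Counter(x).values())


def markov_following_probability(x: bytes) -> float:
    """Mean empirical first-order transition probability along the field: for
    each adjacent pair (y_i, x_i), P(x_i | y_i) estimated from the field
    itself, averaged over all pairs (this example's reading of the page's
    Markov following probability). Values near 1 mean repetitive data."""
    pair_counts = Counter(zip(x, x[1:]))
    prev_counts = Counter(x[:-1])
    probs = [pair_counts[(a, b)] / prev_counts[a] for a, b in zip(x, x[1:])]
    return sum(probs) / len(probs)


def letter_digit_ratios(x: bytes) -> tuple:
    """Share of ASCII letters (z) and digits (s) in the field, each over L(X)."""
    n = len(x)
    letters = sum(1 for b in x if 65 <= b <= 90 or 97 <= b <= 122)
    digits = sum(1 for b in x if 48 <= b <= 57)
    return letters / n, digits / n


def check_integrity(ext: bytes):
    """Steps S61-S63: byte count within the second range, then every preset
    feature must be computable. Returns the feature dict, or None when the
    data is incomplete and NTP data must be re-extracted."""
    lo, hi = SECOND_RANGE
    if not lo <= len(ext) <= hi:
        return None
    try:
        letters, digits = letter_digit_ratios(ext)
        return {"length": field_length(ext),
                "entropy": information_entropy(ext),
                "markov": markov_following_probability(ext),
                "letter_ratio": letters, "digit_ratio": digits}
    except (ZeroDivisionError, ValueError):
        return None                  # a feature is missing: recompute upstream


def classify_padding(packet: bytes):
    """One packet through the pipeline: 'no_extension', 'incomplete', or the
    feature dict that would be handed to the trained random forest."""
    ext = extension_field_bytes(packet)
    if not ext:
        return "no_extension"
    features = check_integrity(ext)
    return "incomplete" if features is None else features


def build_packet(version: int, extension: bytes = b"", mac: bytes = b"") -> bytes:
    """Constructed packet: LI=0, VN=version, mode=3, zeroed header body."""
    return bytes([(version << 3) | 3]) + bytes(47) + extension + mac


# Constructed samples; field type 0 and the contents are placeholders.
EXT_16 = struct.pack("!HH", 0, 16) + b"abc123abc123"     # one 16-byte field
PKT_V4_WITH_EXT = build_packet(4, EXT_16, bytes(20))     # plus a 20-byte MAC
PKT_V4_OVERSIZED = build_packet(4, struct.pack("!HH", 0, 460) + bytes(456))
PKT_V3 = build_packet(3, EXT_16)                         # v3: no extension fields

if __name__ == "__main__":
    for pkt in (PKT_V3, PKT_V4_OVERSIZED, PKT_V4_WITH_EXT):
        print(classify_padding(pkt))
```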
In addition, while detection of large-data-volume attack behavior in NTP message data is achieved, the possibility that an illegal user carries covert tunnel attack behavior in the least significant bit is not excluded. Moreover, messages of NTP protocol versions other than NTPv4 have no extended field padding field, so for them the only field that could carry covert tunnel attack behavior is the least significant bit field. Therefore, in this application, the least significant bit field in the NTP message data may also be obtained, and it is judged, based on a random forest algorithm model, whether attack behavior exists in the least significant bit field.
In addition, step S14 above may be implemented as the following steps:
when no attack behavior exists in the extended field padding field, displaying a prompt that the NTP message is legitimate; when attack behavior exists in the extended field padding field, displaying a prompt that attack behavior exists in the NTP message data, and sending out alarm information.
The beneficial effects of the embodiment of the application are: after NTP message data is obtained, it is judged whether an extended field padding field capable of carrying large-data-volume attack behavior exists in the NTP message data; if so, it is judged whether attack behavior exists in the extended field padding field. By inspecting the extended field padding field capable of carrying large-data-volume attack behavior, large-data-volume attack behavior in NTP message data is detected, and the security of equipment receiving NTP message data is improved.
In one embodiment, as shown in FIG. 2, the above step S13 can be implemented as the following steps S21-S22:
in step S21, the extended field padding field is preprocessed;
in step S22, the preprocessed extended field padding field is input into the random forest algorithm model.
In the present application, the extended field padding field needs to be preprocessed first so that the processed field can be applied to the random forest algorithm model. Before that, the random forest algorithm model needs to be trained. Fig. 3 is a schematic diagram of the data flow when the random forest algorithm model is trained. As shown in Fig. 3, the required field (such as the extended field padding field) is first extracted from the NTP message data; the field is then preprocessed by a data preprocessing module, after which a vectorized data set (i.e. the feature vectors corresponding to the data in the extended field padding field) is formed; the vectorized data set is then used as training samples for the classification algorithm model module in the algorithm model training module (specifically, the algorithm model training module may continuously feed data into the classification algorithm model module and continuously evaluate the model, and when it finally outputs a result with an error smaller than a fixed value, training of the classification algorithm model module is considered complete); finally, the trained classification algorithm model module is obtained.
Fig. 4 is a schematic data flow diagram illustrating detection of attack behavior by the trained classification algorithm model module according to the present application. As shown in Fig. 4, the required field (e.g. the extended field padding field) is first extracted from the NTP message data; preprocessing is then carried out by the data preprocessing module, after which a vectorized data set (namely the feature vectors corresponding to the data in the extended field padding field) is formed; the vectorized data set is then input into the trained classification algorithm model module, which outputs a detection result. The detection result is one of two types: if no covert tunnel attack behavior exists, the NTP message data is considered a legitimate request (the "legal request" output by the classifier in Fig. 4); if covert tunnel attack behavior exists, a prompt is output (the "covert tunnel" output by the classifier in Fig. 4).
It should be noted that, in the present application, all types of attack behaviors in NTP message data can be detected, and the hidden tunnel attack behavior mentioned in the present application is only an example.
In one embodiment, the above step A1 may be implemented as the following steps B1-B2:
in step B1, the integrity of the data in the extended field padding field is determined;
in step B2, when the data in the extended field padding field is complete, a feature vector corresponding to the data is generated.
In this embodiment, after the feature vector corresponding to the data is generated and before the extended field padding field is preprocessed, the integrity of the data in the extended field padding field is judged; when the data in the extended field padding field is complete, a feature vector corresponding to the data is generated.
In one embodiment, as shown in FIG. 5, the method may also be implemented as steps S51-S53 as follows:
in step S51, after the feature vectors corresponding to the data are generated, it is determined whether the number of feature vectors is within a first range;
in step S52, when the number of the feature vectors is within the first range, inputting the feature vectors into the classification algorithm model;
in step S53, when the number of feature vectors is outside the first range, the NTP data is re-extracted.
It is judged whether the number of feature vectors is within a first range. Specifically, if the number of feature vectors is within the first range, the feature vectors are input into the classification algorithm model, which processes the feature vectors and outputs a classification result indicating whether the NTP data is normal data; if the amount of data is insufficient or excessive, the data is judged illegal and the NTP data is extracted again.
In one embodiment, as shown in FIG. 6, the above step B1 can be implemented as the following steps S61-S63:
in step S61, it is determined whether the number of bytes of the extended field padding field is within a second range;
in step S62, when the number of bytes of the extended field padding field is within the second range, determining whether the preset feature of the extended field padding field is missing;
in step S63, when the preset feature of the extended field padding field is not missing, it is determined that the data in the extended field padding field is complete.
Determining the integrity of the data in the extended field padding field includes: judging whether the byte count of the extended field padding field is within a second range. As mentioned above, the contents of an extension field are not strictly defined; the only constraint is a minimum padded length of 16 bytes, with no requirement on the maximum padded length. Taking the maximum UDP packet length of 512 bytes and removing the 8-byte UDP header and the 48-byte NTP header, the padding field can be extended to a considerable 456 bytes, so the second range can be [16, 456]. It is judged whether the byte count of the extracted extension field is within the second range [16, 456]; if not, the data is considered incomplete and NTP data is re-extracted; if so, the data is considered complete, and it is then judged whether a preset feature of the extended field padding field is missing. For example, the preset features may be the field length, the field information entropy and the field Markov following probability, and whether a preset feature of the extended field padding field is missing can be determined specifically by the following formulas:
the field length calculation formula is as follows:
L(X)=count(x)
where x denotes a character in the field X.
The information entropy calculation formula is as follows:
Figure BDA0002851045790000131
where X denotes the field information, x denotes a character in the field information X, and p(x) is the probability of that character.
The Markov following probability formula is:
Figure BDA0002851045790000132
from the hidden markov model, a joint probability distribution of the observation sequence can be calculated:
Figure BDA0002851045790000133
where (x_i, y_i) is a pair of adjacent characters in the character information, y_i being the first character and x_i the second.
The ratio of letters to numbers is given by the formula:
Figure BDA0002851045790000134
Figure BDA0002851045790000135
where z denotes a letter in X, s denotes a digit in X, and L(X) is the length of field X.
When a preset feature of the extended field padding field is missing, the feature is recalculated.
When no preset feature of the extended field padding field is missing, the data in the extended field padding field is determined to be complete.
In one embodiment, the method may also be implemented as steps C1-C2:
in step C1, the least significant bit field in the NTP message data is acquired;
in step C2, it is determined whether there is an attack behavior in the least significant bit field based on the random forest algorithm model.
Beyond detecting large-volume attack behavior in NTP message data, it cannot be ruled out that illegitimate users carry covert tunnel traffic in the least significant bit field; in addition, messages of NTP versions other than NTPv4 have no extension field padding field, so for them the only field that could carry a covert tunnel is the least significant bit field. Therefore, in this embodiment, the least significant bit field in the NTP message data can be obtained, and whether an attack behavior exists in the least significant bit field is judged based on a random forest algorithm model.
In one embodiment, the above step S14 can also be implemented as the following steps D1-D2:
in step D1, when there is no attack behavior in the extended field padding field, displaying prompt information that the NTP message is legal;
in step D2, when there is an attack behavior in the extended field padding field, displaying a prompt message that there is an attack behavior in the NTP message data, and sending an alarm message.
Fig. 7 is a flowchart of an attack behavior detection method based on NTP message data in a general embodiment of the present application, including the following steps:
NTP message data is extracted from the data flow and checked for completeness (that is, whether the byte count of the extended field padding field in the NTP message data lies in the second range). If the data is incomplete, extraction continues; if it is complete, the features of the NTP message data (the preset features of the extended field padding field mentioned above) are calculated and checked for missing values (that is, whether the preset features mentioned above are missing). If features are missing, calculation continues; if not, the feature sets are merged and the feature data is vectorized (that is, the feature vector corresponding to the data is generated when the data in the extended field padding field is complete). It is then judged whether the metadata is legal (that is, whether the number of feature vectors lies in the first range); if the NTP message is legal (the number of feature vectors is within the first range), the classification algorithm is executed (the feature vectors are input into the classification algorithm model) and a classification result is output, of which there are two kinds: normal data and tunnel data. Data visualization and warning are then carried out based on the classification result (that is, information corresponding to the judgment result of the random forest algorithm model is output: when there is no attack behavior in the extended field padding field, prompt information that the NTP message is legal is displayed, and when there is an attack behavior in the extended field padding field, prompt information that the NTP message data has an attack behavior is displayed and alarm information is sent).
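As an added illustration (not code from the patent), the integrity check and feature calculation described above, and the extract/check/vectorize steps of the flowchart, in Python. The 48-byte header offset and the [16, 456] range are taken from the description; the exact form of the Markov and letter/digit formulas is not reproduced on the page, so the mean log transition probability and the letter and digit shares of L(X) used here are assumptions, as are the constructed sample payloads.

```python
import math
from collections import Counter

NTP_HEADER_LEN = 48        # fixed NTP header length used in the description
PADDING_RANGE = (16, 456)  # the "second range" for the extension padding length

def extract_extension_padding(udp_payload):
    """Bytes after the 48-byte NTP header, or None if the message has no extension field."""
    if len(udp_payload) <= NTP_HEADER_LEN:
        return None
    return udp_payload[NTP_HEADER_LEN:]

def padding_is_complete(pad):
    """Integrity check: the padding length L(X) must lie in [16, 456]."""
    lo, hi = PADDING_RANGE
    return lo <= len(pad) <= hi

def information_entropy(field):
    """Shannon entropy in bits over the byte values x of field X, with p(x) = count(x)/L(X)."""
    n = len(field)
    return -sum(c / n * math.log2(c / n) for c in Counter(field).values())

def markov_following_probability(field):
    """Assumed form of the Markov feature: mean log2 p(x_i | y_i) over adjacent byte
    pairs (y_i first, x_i second), with p estimated from the field itself."""
    if len(field) < 2:
        return 0.0
    firsts = Counter(field[:-1])
    pairs = list(zip(field[:-1], field[1:]))
    pair_counts = Counter(pairs)
    return sum(math.log2(pair_counts[p] / firsts[p[0]]) for p in pairs) / len(pairs)

def letter_digit_ratios(field):
    """Assumed form of the letter/digit feature: share of ASCII letters z and digits s in L(X)."""
    n = len(field)
    letters = sum(1 for b in field if 65 <= b <= 90 or 97 <= b <= 122)
    digits = sum(1 for b in field if 48 <= b <= 57)
    return letters / n, digits / n

def preprocess_payload(udp_payload):
    """Flowchart steps before classification: extract, check integrity, build the feature set."""
    pad = extract_extension_padding(udp_payload)
    if pad is None:
        return {"status": "no_extension_field"}  # only the LSB field is left to examine
    if not padding_is_complete(pad):
        return {"status": "incomplete", "length": len(pad)}  # re-extract NTP data
    letters, digits = letter_digit_ratios(pad)
    return {"status": "complete", "length": len(pad), "entropy": information_entropy(pad),
            "markov": markov_following_probability(pad),
            "letter_ratio": letters, "digit_ratio": digits}

# Constructed samples (not real captures): zero padding vs. text-like padding after a 48-byte header.
SAMPLE_ZERO_PAD = bytes(NTP_HEADER_LEN) + bytes(16)
SAMPLE_TEXT_PAD = bytes(NTP_HEADER_LEN) + b"aGVsbG8gd29ybGQgaGVsbG8gd29ybGQ="
```

The resulting feature dictionary is what would be vectorized and handed to the random forest model; the zero-padded sample yields zero entropy, while the text-like sample yields high entropy and a high letter share.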
Fig. 8 is a block diagram of an attack behavior detection apparatus based on NTP message data according to an embodiment of the present application, and as shown in fig. 8, the apparatus includes the following modules:
an obtaining module 81, configured to obtain NTP message data;
a first judging module 82, configured to judge whether an extended field padding field exists in the NTP message data;
the second judging module 83 is configured to, when an extended field padding field exists, judge whether an attack behavior exists in the extended field padding field based on the random forest algorithm model;
and the output module 84 is used for outputting information corresponding to the judgment result of the random forest algorithm model.
In one embodiment, as shown in fig. 9, the second determining module 83 includes:
the preprocessing submodule 91 is used for preprocessing the extended field padding field;
and the input submodule 92 is used for inputting the preprocessed extended field padding field into the random forest algorithm model.
In one embodiment, the preprocessing submodule is specifically configured to:
judging the integrity of the data in the extended field padding field;
and when the data in the extended field filling field is complete, generating a feature vector corresponding to the data.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (10)

1. A method for detecting an attack behavior based on NTP message data is characterized by comprising the following steps:
acquiring NTP message data;
judging whether an extended field filling field exists in the NTP message data or not;
when an extended field padding field exists, judging whether an attack behavior exists in the extended field padding field based on a random forest algorithm model;
and outputting information corresponding to the judgment result of the random forest algorithm model.
2. The method of claim 1, wherein determining whether there is an attack behavior in the extended field padding field based on a random forest algorithm model comprises:
preprocessing the extended field filling field;
and inputting the preprocessed extended field padding field into a random forest algorithm model.
3. The method of claim 2, wherein the pre-processing the extended field padding field comprises:
judging the integrity of the data in the extended field padding field;
and when the data in the filling field of the extended field is complete, generating a feature vector corresponding to the data.
4. The method of claim 3, wherein the method further comprises:
after generating the feature vectors corresponding to the data, judging whether the number of the feature vectors is in a first range;
when the number of the feature vectors is in a first range, inputting the feature vectors into a classification algorithm model;
when the number of feature vectors is outside the first range, NTP data is re-extracted.
5. The method of claim 3, wherein the determining the integrity of the data in the extended field padding field comprises:
judging whether the byte number of the extended field filling field is in a second range or not;
when the byte number of the extended field filling field is in a second range, judging whether the preset characteristics of the extended field filling field are missing;
and when the preset characteristics of the extended field filling field are not lost, determining that the data in the extended field filling field is complete.
6. The method of claim 1, wherein the method further comprises:
acquiring a least significant bit field in the NTP message data;
and judging whether the attack behavior exists in the least significant bit field based on a random forest algorithm model.
7. The method as claimed in any one of claims 1-6, wherein said outputting information corresponding to the determination result of the random forest algorithm model comprises:
when no attack behavior exists in the extended field padding field, displaying prompt information that the NTP message is legal;
and when the attack behavior exists in the extended field filling field, displaying prompt information of the attack behavior existing in the NTP message data, and sending alarm information.
8. An attack behavior detection device based on NTP message data is characterized by comprising:
the acquisition module is used for acquiring NTP message data;
the first judging module is used for judging whether the extension field filling field exists in the NTP message data or not;
the second judgment module is used for judging whether an attack behavior exists in the extended field padding field based on the random forest algorithm model when the extended field padding field exists;
and the output module is used for outputting information corresponding to the judgment result of the random forest algorithm model.
9. The apparatus of claim 8, wherein the second determination module comprises:
the preprocessing submodule is used for preprocessing the extended field padding field;
and the input submodule is used for inputting the preprocessed extended field padding field into the random forest algorithm model.
10. The apparatus of claim 9, wherein the pre-processing submodule is specifically configured to:
judging the integrity of the data in the extended field padding field;
and when the data in the filling field of the extended field is complete, generating a feature vector corresponding to the data.
CN202011531760.7A 2020-12-22 2020-12-22 Method and device for detecting attack behavior based on NTP message data Pending CN112615870A (en)


Publications (1)

Publication Number Publication Date
CN112615870A true CN112615870A (en) 2021-04-06

Family

ID=75245546


Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101383694A (en) * 2007-09-03 2009-03-11 电子科技大学 Defense method and system rejecting service attack based on data mining technology
CN105791307A (en) * 2016-04-06 2016-07-20 杭州华三通信技术有限公司 Network time protocol message security authentication method and network time protocol message security authentication device
CN106453225A (en) * 2016-07-18 2017-02-22 北龙中网(北京)科技有限责任公司 Method and client for realizing covert communication, and server
WO2018040793A1 (en) * 2016-08-30 2018-03-08 中兴通讯股份有限公司 Method and apparatus for defending distributed reflection denial of service, and switch
CN108111466A (en) * 2016-11-24 2018-06-01 北京金山云网络技术有限公司 A kind of attack detection method and device
US20190289032A1 (en) * 2018-03-19 2019-09-19 Fortinet, Inc. Mitigation of ntp amplification and reflection based ddos attacks
CN110611640A (en) * 2018-06-15 2019-12-24 成都蓝盾网信科技有限公司 DNS protocol hidden channel detection method based on random forest
US20200137112A1 (en) * 2018-10-30 2020-04-30 Charter Communications Operating, Llc Detection and mitigation solution using honeypots
CN111371727A (en) * 2018-12-25 2020-07-03 南京知常容信息技术有限公司 Detection method for NTP protocol covert communication
US20200379868A1 (en) * 2019-05-31 2020-12-03 Gurucul Solutions, Llc Anomaly detection using deep learning models


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhu Yuefan et al.: "An NTP protocol covert channel", Computer Systems & Applications *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210406