CN112887333A - Abnormal equipment detection method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN112887333A
Authority: CN (China)
Prior art keywords: information, flow, abnormal, traffic, equipment
Legal status: Pending
Application number: CN202110229398.6A
Other languages: Chinese (zh)
Inventor: 张斌
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 and H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/0227 Filtering policies (under H04L63/02: separating internal from external traffic, e.g. firewalls)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 and H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic)

Abstract

The application discloses an abnormal device detection method, an abnormal device detection apparatus, an electronic device and a computer-readable storage medium. The method comprises the following steps: acquiring abnormal traffic and extracting a sender identifier corresponding to the abnormal traffic; screening traffic device information by using the sender identifier to obtain target traffic forwarding device information, and determining the target traffic forwarding device according to the target traffic forwarding device information; and acquiring a traffic forwarding log corresponding to the target traffic forwarding device and obtaining abnormal device information from the traffic forwarding log. The method does not require the abnormal traffic to carry a valid Forwarded-For field, because the abnormal device information is determined from the log of the target traffic forwarding device; it also works whether or not the abnormal traffic uses HTTP, so both the detection capability and the detection effect for abnormal devices are improved.

Description

Abnormal equipment detection method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to an abnormal device detection method, an abnormal device detection apparatus, an electronic device, and a computer-readable storage medium.
Background
When a network security device performs security detection or detects a compromised host, it needs to acquire abnormal device information in order to detect the abnormal device. Because the network environment is complex, various gateway devices, proxy devices, DNS (Domain Name System) servers and the like exist in the intranet, and these devices forward the traffic they receive. As a result, only the traffic forwarding device can be located when the abnormal device is detected, and the host that actually has the problem cannot be found. To solve this problem, the related art usually checks whether a Forwarded-For field exists in the traffic. In practice, however, most devices do not set the Forwarded-For field, so no valid Forwarded-For field exists in the forwarded traffic and the IP address of the compromised host or attacking host cannot be obtained. Abnormal device detection in the related art therefore has weak detection capability and a poor effect.
Disclosure of Invention
In view of this, an object of the present application is to provide an abnormal device detection method, an abnormal device detection apparatus, an electronic device and a computer-readable storage medium which do not require the abnormal traffic to carry a valid Forwarded-For field and which can handle the abnormal traffic regardless of whether it uses the HTTP protocol, thereby improving the abnormal device detection capability and the abnormal device detection effect.
To solve the above technical problem, the present application provides an abnormal device detection method, which includes:
acquiring abnormal traffic and extracting a sender identifier corresponding to the abnormal traffic;
screening traffic device information by using the sender identifier to obtain target traffic forwarding device information, and determining the target traffic forwarding device according to the target traffic forwarding device information;
and acquiring a traffic forwarding log corresponding to the target traffic forwarding device, and obtaining abnormal device information from the traffic forwarding log.
Optionally, the sender identifier is a network address to be tested, and screening the traffic device information by using the sender identifier to obtain the target traffic forwarding device information includes:
determining the network address segment to which the network address to be tested belongs;
filtering the traffic device information according to the network address segment to obtain primarily selected traffic device information;
and screening the primarily selected traffic device information by using the network address to be tested to obtain the target traffic forwarding device information.
Optionally, screening the primarily selected traffic device information by using the network address to be tested to obtain the target traffic forwarding device information includes:
determining a detection direction according to the position of the network address to be tested within the network address segment;
performing matching detection on the primarily selected traffic device information in the detection direction, and judging whether the network address to be tested exists in the primarily selected traffic device information;
if so, determining the traffic forwarding device information corresponding to the network address to be tested as the target traffic forwarding device information;
and if not, extracting five-tuple information from the abnormal traffic and obtaining the abnormal device information by using the five-tuple information.
Optionally, the sender identifier is a sending device number, and the traffic device information is generated as follows:
acquiring and parsing an information generation instruction to obtain the correspondence between traffic forwarding device numbers and traffic forwarding device information;
and generating the traffic device information from that correspondence.
Optionally, the traffic device information is generated as follows:
acquiring the device traffic corresponding to each candidate device, and inputting the device traffic into a classification model to obtain a classification result;
determining, according to the classification result, the candidate device whose device traffic is classified as traffic forwarding device traffic to be a traffic forwarding device;
and acquiring the device identifier corresponding to the traffic forwarding device, and generating the traffic device information by using the device identifier and the traffic forwarding device information.
Optionally, after obtaining the classification result, the method further includes:
outputting the classification result and acquiring correction information entered in response to the classification result;
adjusting the classification result by using the correction information to obtain a final classification result;
correspondingly, determining the candidate device whose device traffic is classified as traffic forwarding device traffic to be a traffic forwarding device includes:
determining the candidate device whose device traffic has the final classification result of traffic forwarding device to be a traffic forwarding device.
Optionally, obtaining the abnormal device information from the traffic forwarding log includes:
extracting five-tuple information from the abnormal traffic;
and screening the traffic forwarding log by using the five-tuple information to obtain the abnormal device information.
The present application further provides an abnormal device detection apparatus, including:
a network address extraction module, configured to acquire abnormal traffic and extract a sender identifier corresponding to the abnormal traffic;
a target device determination module, configured to screen traffic device information by using the sender identifier to obtain target traffic forwarding device information and to determine the target traffic forwarding device according to the target traffic forwarding device information;
and an attack information acquisition module, configured to acquire a traffic forwarding log corresponding to the target traffic forwarding device and to obtain abnormal device information from the traffic forwarding log.
The present application further provides an electronic device comprising a memory and a processor, wherein:
the memory is configured to store a computer program;
and the processor is configured to execute the computer program to implement the abnormal device detection method described above.
The present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the abnormal device detection method described above.
The abnormal device detection method provided by the application acquires abnormal traffic and extracts the sender identifier corresponding to it; screens traffic device information by using the sender identifier to obtain target traffic forwarding device information, and determines the target traffic forwarding device according to that information; and acquires the traffic forwarding log corresponding to the target traffic forwarding device and obtains the abnormal device information from that log.
After the abnormal traffic is obtained, the corresponding sender identifier is therefore extracted. If the abnormal traffic was forwarded by a traffic forwarding device, the sender identifier in the abnormal traffic is the network address that device uses for forwarding. The sender identifier is then used to screen the traffic device information, which records the network addresses of all traffic forwarding devices in the network, so the target traffic forwarding device that forwarded the abnormal traffic can be determined by this screening. Because the target traffic forwarding device generates a log during operation that records how each traffic flow was forwarded, including the sender of that traffic, the sender information corresponding to the abnormal traffic, that is, the abnormal device information, can be extracted from the traffic forwarding log of the target traffic forwarding device. The method does not require the abnormal traffic to carry a valid Forwarded-For field and works whether or not the abnormal traffic uses the HTTP protocol, so the detection capability and detection effect for abnormal devices are improved and the problems of weak detection capability and poor effect in the related art are solved.
In addition, the application also provides an abnormal device detection apparatus, an electronic device and a computer-readable storage medium, which achieve the same beneficial effects.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. It is obvious that the drawings described below are only embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an abnormal device detection method according to an embodiment of the present disclosure;
Fig. 2 is a structural diagram of a network topology according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an abnormal device detection apparatus according to an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of a hardware composition framework to which an abnormal device detection method according to an embodiment of the present disclosure is applied;
Fig. 5 is a schematic diagram of a hardware composition framework applicable to another abnormal device detection method provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
X-Forwarded-For (XFF) is an HTTP request header field, also called the Forwarded-For field, used to record the original IP address (Internet Protocol address) of a client that connects to a web server through an HTTP (HyperText Transfer Protocol) proxy or load balancer. When a traffic forwarding device is configured to record the Forwarded-For field, it writes the IP address of the original sender of the traffic into that field so that the IP address can later be used for source tracing. When the related art detects abnormal traffic, it can therefore determine the IP address of the attacking host or compromised host from the Forwarded-For field in the abnormal traffic and thus complete abnormal device detection.
In practice, however, most traffic forwarding devices do not set the Forwarded-For field in the traffic they forward. Moreover, the Forwarded-For field exists only in HTTP traffic; in DNS traffic or plain TCP traffic, for example, the field does not exist, so the method cannot be used for abnormal device detection there. The related art therefore cannot effectively trace abnormal traffic to its source, and its abnormal device detection has weak capability and a poor effect.
To solve these problems, the present application records the network address of each traffic forwarding device in the network and, after determining that the abnormal traffic was forwarded by a traffic forwarding device, retrieves the corresponding traffic forwarding log. The traffic forwarding log records how the traffic forwarding device processed the network traffic it received, including the original sender of that traffic. The sender information of the original sender of the abnormal traffic, that is, the abnormal device information, can therefore be determined from the traffic forwarding log, completing abnormal device detection.
Specifically, refer to Fig. 1, which is a flowchart of an abnormal device detection method according to an embodiment of the present disclosure. The method comprises the following steps:
S101: acquiring abnormal traffic and extracting a sender identifier corresponding to the abnormal traffic.
Abnormal traffic is traffic that differs from normal traffic; its specific content, type and amount are not limited. This embodiment does not limit how the abnormal traffic is obtained. For example, an attack specification instruction may be obtained that specifies which traffic is abnormal; in another embodiment, several abnormality matching rules may be preset, each acquired network traffic flow is matched against each rule, and any flow that meets any rule is determined to be abnormal traffic; in another embodiment, network traffic may be identified by a network model, and traffic whose identification result is abnormal is determined to be abnormal traffic. It can be understood that abnormal traffic necessarily differs from normal traffic in order to achieve its attack purpose, so an initial network model can be trained iteratively using known abnormal traffic and known normal network traffic as training data, adjusting the parameters of the initial network model after each training pass, to obtain the network model.
Any network traffic carries information showing its sender, namely a sender identifier, and abnormal traffic is no exception. In this embodiment, the network address of the sender in the abnormal traffic may be taken as the sender identifier and is referred to as the network address to be tested. The network address to be tested may be the network address of an attacking host, a compromised host or a traffic forwarding device: the attacking host is the host used by the attacker, the compromised host is a host that the attacker controls as a result of a network attack, and the traffic forwarding device is a device that forwards traffic generated by other devices, such as a gateway, a proxy device or a DNS (Domain Name System) server. This embodiment does not limit how normal traffic is processed; since normal traffic is not used for network attacks and there is no value in tracing it, in one embodiment normal traffic may simply be released.
S102: and screening the flow equipment information by using the sender identifier to obtain target flow forwarding equipment information, and determining the target flow forwarding equipment according to the target flow forwarding equipment information.
The traffic device information is used for recording the corresponding relationship between each traffic forwarding device and the device identifier thereof, and is used for judging whether the sender identifier is the device identifier corresponding to the traffic forwarding device, and further judging whether the abnormal traffic is forwarded by the traffic forwarding device. The embodiment does not limit the specific obtaining manner of the flow device information, and for example, the flow device information may be input by a user or other electronic devices, or may be locally generated.
After screening the traffic device information by using the sender identifier, target traffic forwarding device information can be obtained, and the target traffic forwarding device information is the traffic forwarding device information corresponding to the sender identifier. The traffic forwarding device information is identification information of the traffic forwarding device, and a specific form of the traffic forwarding device information is not limited, and for example, the traffic forwarding device information may be a device number of the traffic forwarding device, or may be a physical address of the traffic forwarding device. By determining the target traffic forwarding device information, the target traffic forwarding device can be determined according to the target traffic forwarding device information, that is, by which traffic forwarding device the abnormal traffic is forwarded.
It should be noted that, this embodiment does not limit a specific processing manner of the abnormal traffic that is not forwarded by the traffic forwarding device, that is, does not limit the steps executed when the traffic forwarding device information cannot be obtained by screening the traffic device information with the sender identifier. It can be understood that, if the abnormal traffic is not forwarded by the traffic forwarding device, the abnormal traffic itself, namely with the abnormal device information, can be directly extracted. In a possible embodiment, the sender identification can therefore be determined directly as the abnormal device information in this case, or the abnormal device information can be generated using the sender identification.
S103: and acquiring a traffic forwarding log corresponding to the target traffic forwarding equipment, and acquiring abnormal equipment information from the traffic forwarding log.
The traffic forwarding log is used for recording the working process of the traffic forwarding device in the aspect of traffic forwarding, and since the abnormal traffic is sent to the target traffic forwarding device by other electronic devices for forwarding, the information of the most original sender of the abnormal traffic is inevitably recorded in the traffic forwarding log corresponding to the target traffic forwarding device, and the information is the abnormal device information. In one embodiment, the traffic forwarding logs may be stored locally, that is, logs sent by each traffic forwarding log in real time or according to a preset period are obtained, and the logs are directly read from the local when abnormal device information needs to be obtained; in another embodiment, the traffic forwarding log may be stored in the traffic forwarding device, and when the traffic forwarding log is obtained, the traffic forwarding log communicates with the traffic forwarding device to obtain a corresponding traffic forwarding log; in another embodiment, the traffic forwarding log may be stored in the cloud and communicated with the cloud when it needs to be obtained. It should be noted that, the specific execution time for acquiring the traffic forwarding log is not limited in this embodiment, and the execution time may be executed when the abnormal device information needs to be acquired, or may be executed at any other time.
It should be noted that the present embodiment does not limit the specific number of the traffic forwarding logs. In a possible implementation manner, the number of the traffic forwarding logs is one, and specifically, the number of the traffic forwarding logs is a log of the target traffic forwarding device, that is, the first traffic forwarding log, in this case, it indicates that the abnormal traffic is generated by the attacking host or the failing host and then is only forwarded by the target traffic forwarding device. In another possible implementation manner, the number of the traffic forwarding logs is multiple, and besides the first traffic forwarding log, a plurality of second traffic forwarding logs may be included. The second traffic forwarding log is a log corresponding to a plurality of superior traffic forwarding devices in front of the target traffic forwarding device. In this case, it is indicated that the abnormal traffic is forwarded at least twice after being generated by the attacking host or the failing host. Therefore, in order to perform overall and accurate abnormal device detection, the following steps may be performed to acquire abnormal device information:
acquiring a first traffic forwarding log of a target traffic forwarding device, and acquiring first sender information from the first traffic forwarding log;
matching the first sender information with the flow equipment information, and judging whether superior flow forwarding equipment information corresponding to the first sender information exists or not;
if the superior flow forwarding equipment information does not exist, determining the first sender information as abnormal equipment information;
if the information of the superior traffic forwarding equipment exists, determining the superior traffic forwarding equipment, and acquiring a second traffic forwarding log corresponding to the superior traffic forwarding equipment;
and screening the second traffic forwarding log by using the first sender information to obtain second sender information, and updating the first sender information by using the second sender information.
It can be understood that if there is the upper level traffic forwarding device information, it indicates that the first sender information corresponds to a certain traffic forwarding device, so that it may also be used to determine the upper level traffic forwarding device, obtain the second traffic forwarding log, and determine the second sender information. By updating the first sender information with the second sender information, the first sender information can be reused to match with the traffic device information, and whether the traffic forwarding device exists last time is judged again until the abnormal device information is obtained. After the abnormal equipment information is obtained, a security log can be generated by using the abnormal equipment information, or an attack alarm is carried out.
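As an added example that is not part of the patent, the following Python sketch implements the S102 screening with the network-segment filter and detection direction described in the disclosure above, and the S103 walk through first and second traffic forwarding logs until the sender is no longer a forwarding device. The registry, device names, addresses and log records are constructed sample data, and the log layout (one inbound and one outbound five-tuple per forwarded flow) is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed "traffic device information": network segment -> forwarding
# devices in that segment as (address, device id), sorted by address.
FORWARDER_SEGMENTS: Dict[ipaddress.IPv4Network, List[Tuple[str, str]]] = {
    ipaddress.ip_network("10.1.0.0/16"): [("10.1.0.1", "gw-branch"),
                                          ("10.1.200.5", "proxy-branch")],
    ipaddress.ip_network("10.2.0.0/16"): [("10.2.0.53", "dns-core"),
                                          ("10.2.250.1", "gw-core")],
}

# Constructed traffic forwarding logs keyed by device id. Each record pairs the
# five-tuple the device received (inbound) with the one it sent on (outbound);
# the inbound source is the sender the device saw. The layout is an assumption.
FORWARD_LOGS: Dict[str, List[Tuple[FiveTuple, FiveTuple]]] = {
    "proxy-branch": [
        (FiveTuple("10.1.0.1", 51000, "10.1.200.5", 8080, "tcp"),
         FiveTuple("10.1.200.5", 40001, "203.0.113.7", 443, "tcp")),
        (FiveTuple("10.1.77.12", 52222, "10.1.200.5", 8080, "tcp"),
         FiveTuple("10.1.200.5", 40002, "203.0.113.9", 443, "tcp")),
    ],
    "gw-branch": [
        (FiveTuple("10.1.33.4", 61000, "10.1.200.5", 8080, "tcp"),
         FiveTuple("10.1.0.1", 51000, "10.1.200.5", 8080, "tcp")),
    ],
    "dns-core": [
        (FiveTuple("10.2.9.9", 5353, "10.2.0.53", 53, "udp"),
         FiveTuple("10.2.0.53", 33000, "198.51.100.2", 53, "udp")),
    ],
}


def find_forwarder(addr: str) -> Optional[str]:
    """S102 screening: segment filter (primary selection), then a directional
    scan of the selected entries. Returns the device id or None."""
    ip = ipaddress.ip_address(addr)
    for segment, entries in FORWARDER_SEGMENTS.items():
        if ip not in segment:
            continue  # primary selection keeps only this segment's devices
        # detection direction: start from the end the address lies closer to
        offset = int(ip) - int(segment.network_address)
        scan = reversed(entries) if offset > segment.num_addresses // 2 else entries
        for dev_addr, dev_id in scan:
            if ipaddress.ip_address(dev_addr) == ip:
                return dev_id
        return None  # known segment, but the sender is not a forwarder
    return None  # sender lies outside every recorded segment


def trace_sender(abnormal: FiveTuple, max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """S101-S103 with the first/second log loop: while the current sender is a
    forwarding device, screen that device's log with the current five-tuple
    and replace the sender with the one the device received the flow from.
    Returns (abnormal device address, or None if unresolved; devices traversed)."""
    current = abnormal
    hops: List[str] = []
    for _ in range(max_hops):
        device = find_forwarder(current.src)
        if device is None:
            return current.src, hops  # not forwarded: the sender is the device
        if device in hops:
            raise RuntimeError(f"forwarding loop through {device}")
        hops.append(device)
        received = next((inb for inb, outb in FORWARD_LOGS.get(device, [])
                         if outb == current), None)
        if received is None:
            return None, hops  # forwarder known, but no matching log record
        current = received
    raise RuntimeError("forwarding chain exceeds max_hops")


if __name__ == "__main__":
    flow = FiveTuple("10.1.200.5", 40001, "203.0.113.7", 443, "tcp")
    print(trace_sender(flow))  # ('10.1.33.4', ['proxy-branch', 'gw-branch'])
```

The loop guard and the `None` result cover the two failure modes a registry-plus-log design has in practice: an inconsistent registry that points back at a device already visited, and a forwarder whose log holds no record for the flow.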
By applying the abnormal device detection method provided by this embodiment of the application, the corresponding sender identifier is extracted after the abnormal traffic is obtained. If the abnormal traffic was forwarded by a traffic forwarding device, the sender identifier in the abnormal traffic is the network address that device uses for forwarding. The sender identifier is then used to screen the traffic device information, which records the network addresses of all traffic forwarding devices in the network, so the target traffic forwarding device that forwarded the abnormal traffic can be determined by this screening. Because the target traffic forwarding device generates a log during operation that records how each traffic flow was forwarded, including the sender of that traffic, the sender information corresponding to the abnormal traffic, that is, the abnormal device information, can be extracted from the traffic forwarding log of the target traffic forwarding device. The method does not require the abnormal traffic to carry a valid Forwarded-For field and works whether or not the abnormal traffic uses the HTTP protocol, so the detection capability and detection effect for abnormal devices are improved and the problems of weak detection capability and poor effect in the related art are solved.
Based on the above embodiments, the present embodiment will specifically describe several steps in the above embodiments. It will be appreciated that traffic device information needs to be obtained before abnormal traffic is handled. In order to ensure the accuracy of the traffic device information and further ensure the accuracy of the supply tracing, the traffic device information may be generated according to the actually obtained traffic. Specifically, before obtaining the abnormal traffic, the method further includes:
step 11: and acquiring the equipment flow corresponding to each candidate equipment, and inputting the equipment flow into the classification model to obtain a classification result.
The device traffic is traffic directly sent by the candidate device, and the specific content is not limited. The candidate devices may be individual devices within security detection range in the network. The classification model is trained for classifying the device traffic, and it can be understood that the device traffic corresponding to the general host and the traffic forwarding device and the traffic forwarding devices are different in working content, for example, a DNS server generates a large amount of 53-port communication traffic corresponding to the DNS protocol, and the traffic corresponding to other TCP protocols is small, so that the device traffic is input into the classification model to obtain a corresponding classification result.
Further, before the classification model is used for classification, the initial classification model can be trained locally to obtain the classification model. Specifically, a first training flow corresponding to the common host and a second training flow corresponding to the traffic forwarding device may be obtained, and traffic behavior feature extraction may be performed on the first training flow and the second training flow. The flow behavior characteristics are not related to the specific content of the training flow, but related to the specific behavior of the flow, and may include a timing characteristic, an uplink and downlink proportion characteristic, a flow rate characteristic, a flow size characteristic, a connection number characteristic, a quintuple characteristic, and the like, so the flow behavior characteristics may be multidimensional characteristics. And after the first flow behavior characteristic corresponding to the first training flow and the second flow behavior characteristic corresponding to the second training flow are obtained, forming a training set by using the first flow behavior characteristic and the second flow behavior characteristic, performing multiple times of iterative training on the initial classification model by using the training set, and adjusting the parameters of the initial classification model after each training until the classification model is obtained.
Step 12: determining, according to the classification result, the candidate device whose device traffic is classified as traffic forwarding device traffic as a traffic forwarding device.
Step 13: acquiring the device identifier corresponding to the traffic forwarding device, and generating the traffic device information from the device identifier and the traffic forwarding device information.
In this embodiment, when the classification result is "traffic forwarding device", the candidate device corresponding to that result may be determined to be a traffic forwarding device, and the traffic device information is generated from the device identifier and the traffic forwarding device information. This embodiment does not limit the specific content of the device identifier; it may be, for example, a device number or a network address. By identifying the class of the candidate device from its device traffic, accurate traffic device information may be obtained.
Further, in order to further improve the accuracy of the traffic device information, after the classification result is obtained the method may further include:
Step 21: outputting the classification result and acquiring correction information entered in response to the classification result.
Step 22: adjusting the classification result using the correction information to obtain a final classification result.
To avoid insufficient accuracy of the classification network causing an erroneous classification result, and in turn inaccurate traffic device information, in this embodiment the classification result is output after it is obtained, and the correction information entered in response to it is then acquired. The correction information is used to adjust the classification result and correct errors in it. Adjusting the classification result yields a final classification result of higher accuracy, and steps 12 to 13 are executed with the final classification result in place of the classification result. Correspondingly, "device traffic whose classification result is the traffic forwarding device" becomes "device traffic whose final classification result is the traffic forwarding device". By acquiring correction information, the classification result produced directly by the classification network can be adjusted into a final classification result of higher accuracy, and the traffic device information generated from the final classification result has higher reliability and accuracy.
Based on the foregoing embodiment, in another possible implementation, the traffic device information may be generated from acquired information before the abnormal traffic is processed. Specifically, the method may further include:
Step 61: acquiring and parsing an information generation instruction to obtain the correspondence between traffic forwarding device numbers and traffic forwarding device information.
Step 62: generating the traffic device information from the correspondence.
The information generation instruction may be entered manually by a user or sent by another electronic device. It contains the traffic forwarding device information needed to generate the traffic device information together with the corresponding device identifier; in this embodiment the device identifier is specifically a traffic forwarding device number, so correspondingly the sender identifier is a sending device number. The information generation instruction records the correspondence between the two, and the corresponding traffic device information can be generated from that correspondence. This allows the traffic device information to be configured through the information generation instruction and improves the flexibility of generating it.
Based on the above embodiments, in a possible implementation the sender identifier may be the sender's network address, that is, a network address to be tested. In order to speed up acquisition of the target traffic forwarding device information, and so speed up abnormal device detection, the step of screening the traffic device information with the sender identifier to obtain the target traffic forwarding device information may include:
Step 31: determining the network address segment to which the network address to be tested belongs.
In order to determine the target traffic forwarding device faster, the network address range covered by all traffic forwarding devices may be divided into a plurality of network address segments; the lengths of the segments may be the same or different, and the number of traffic forwarding device addresses within each segment may also be the same or different. After the network address to be tested is obtained, the network address segment to which it belongs is determined, and the traffic device information is filtered by that segment.
Step 32: filtering the traffic device information by the network address segment to obtain primarily selected traffic device information.
Specifically, the traffic device information may be pre-divided by network address segment into a plurality of traffic device sub-information. After the network address segment to which the network address to be tested belongs is determined, the corresponding traffic device sub-information is selected by that segment; this completes the filtering of the traffic device information, and the sub-information is taken as the primarily selected traffic device information.
It should be noted that the above process is only one specific way of determining the primarily selected traffic device information; other methods may be chosen to filter the traffic device information.
Step 33: screening the primarily selected traffic device information with the network address to be tested to obtain the target traffic forwarding device information.
Screening for the target traffic forwarding device information within the primarily selected traffic device information narrows the screening range, speeds up determination of the target traffic forwarding device information, and thus speeds up attack tracing.
Further, in order to determine the target traffic forwarding device information even faster, the step of screening the primarily selected traffic device information with the network address to be tested to obtain the target traffic forwarding device information may include:
Step 41: determining a detection direction according to the position of the network address to be tested within the network address segment.
Since the network addresses of the traffic forwarding devices are, with high probability, evenly distributed within the network address segment, and since determining the target traffic forwarding device information requires matching the network address to be tested against each network address in the primarily selected traffic device information to see whether they are the same, the detection direction can be chosen from the position of the network address to be tested within the segment in order to reduce the number of matches. For example, when the network address to be tested lies in the first half of the segment, the detection direction may be set from small address to large address; when it lies in the second half, the detection direction may be set from large address to small address. With the detection direction set by position, if the network address to be tested exists in the primarily selected traffic device information, its detection can be completed with fewer matches, which speeds up acquisition of the target traffic forwarding device information.
Step 42: performing matching detection on the primarily selected traffic device information in the detection direction, and judging whether the network address to be tested exists in the primarily selected traffic device information.
Step 43: if so, determining the traffic forwarding device information corresponding to the network address to be tested as the target traffic forwarding device information.
During matching detection, each network address in the primarily selected traffic device information is taken in turn in the detection direction and compared with the network address to be tested; that is, it is judged whether the network address to be tested exists in the primarily selected traffic device information. If so, the corresponding traffic forwarding device information is determined as the target traffic forwarding device information.
It can be understood that if the network address to be tested does not exist in the primarily selected traffic device information, the attack traffic was not forwarded by a traffic forwarding device, and the attacker information can be determined directly from the attack traffic. Therefore, if the network address to be tested does not exist in the primarily selected traffic device information, the following step may be executed:
Step 44: extracting quintuple information from the attack traffic, and obtaining the attacker information from the quintuple information.
Quintuple information can be extracted directly from the attack traffic. It includes the sender information, and because the attack traffic was not forwarded, the sender information is the attacker information. In this way attack tracing can also be performed on attack traffic that was not forwarded.
It should be noted that steps 41 to 44 do not depend on steps 31 to 33; they may be performed independently, speeding up determination of the target traffic forwarding device information even without dividing the network address range into segments.
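The screening procedure of steps 31 to 44 (segment filtering, position-dependent detection direction, sequential matching, and the quintuple fallback when no forwarder matches), written out as an added example that is not code from the patent or from the applicant. The /24 segment size, the device names and all addresses are constructed assumptions.

```python
"""Added example: screening traffic device information by network address
segment and detection direction. All data below is constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed traffic device information: forwarder network address -> device info.
TRAFFIC_DEVICE_INFO: Dict[str, str] = {
    "10.0.1.5": "B-dns-intranet",
    "10.0.1.77": "proxy-1",
    "10.0.1.200": "nat-gw-1",
    "10.0.2.3": "proxy-2",
}

# One per-segment entry: (integer address for ordering, dotted address, device info).
Entry = Tuple[int, str, str]
Segments = Dict[ipaddress.IPv4Network, List[Entry]]


def address_segment(addr: str, prefix: int = 24) -> ipaddress.IPv4Network:
    """Step 31: the network address segment an address belongs to (assumed /24 split)."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def partition_by_segment(info: Dict[str, str], prefix: int = 24) -> Segments:
    """Pre-divide the traffic device information into per-segment sub-information,
    sorted by address so that a directional scan is meaningful."""
    parts: Segments = {}
    for addr, dev in info.items():
        seg = address_segment(addr, prefix)
        parts.setdefault(seg, []).append((int(ipaddress.ip_address(addr)), addr, dev))
    for entries in parts.values():
        entries.sort()
    return parts


def detection_direction(addr: str, seg: ipaddress.IPv4Network) -> str:
    """Step 41: scan ascending when the address is in the first half of the
    segment, descending when it is in the second half."""
    midpoint = int(seg.network_address) + seg.num_addresses // 2
    return "ascending" if int(ipaddress.ip_address(addr)) < midpoint else "descending"


def screen_target_device(addr: str, parts: Segments, prefix: int = 24) -> Tuple[Optional[str], int]:
    """Steps 32, 42 and 43: take the segment's sub-information as the primarily
    selected traffic device information, then match sequentially in the
    detection direction. Returns (device info or None, number of comparisons)."""
    seg = address_segment(addr, prefix)
    primary = parts.get(seg, [])
    order = primary if detection_direction(addr, seg) == "ascending" else list(reversed(primary))
    comparisons = 0
    for _, candidate, dev in order:
        comparisons += 1
        if candidate == addr:
            return dev, comparisons
    return None, comparisons


def trace(quintuple: Tuple[str, int, str, int, str], parts: Segments) -> Tuple[str, str]:
    """Whole procedure for one abnormal packet given as (src_ip, src_port,
    dst_ip, dst_port, proto). A matching forwarder means the traffic was
    forwarded; otherwise (step 44) the quintuple's sender is the attacker."""
    src_ip = quintuple[0]
    dev, _ = screen_target_device(src_ip, parts)
    if dev is not None:
        return ("forwarded", dev)
    return ("direct", src_ip)


if __name__ == "__main__":
    segments = partition_by_segment(TRAFFIC_DEVICE_INFO)
    print(trace(("10.0.1.200", 40000, "203.0.113.53", 53, "udp"), segments))
    print(trace(("10.0.3.9", 40000, "203.0.113.53", 53, "udp"), segments))
```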
Based on the foregoing embodiment, there are various ways to obtain the abnormal device information from the traffic forwarding log. For example, in one feasible implementation, since traffic forwarding does not modify the content of the traffic itself, if the traffic forwarding log records the specific content of each forwarded network traffic, the content of the abnormal traffic can be matched against the traffic forwarding log to obtain the abnormal device information. In another embodiment, the abnormal device information may be obtained using quintuple information. The step of obtaining the abnormal device information from the traffic forwarding log may include:
Step 51: extracting quintuple information from the abnormal traffic.
Step 52: screening the traffic forwarding log with the quintuple information to obtain the abnormal device information.
Traffic forwarding may change the quintuple information of the abnormal traffic, so the traffic forwarding log needs to record the quintuple information of the abnormal traffic both before and after forwarding. Quintuple information is small and does not repeat, which makes screening the traffic forwarding log fast and accurate; therefore, once the quintuple information is obtained, the traffic forwarding log can be screened with it to obtain the abnormal device information.
Referring to fig. 2, fig. 2 is a structural diagram of a network topology according to an embodiment of the present disclosure. A and E are virus hosts in the intranet, that is, compromised hosts controlled by an attacker to generate abnormal traffic. B is the intranet DNS server, which acts as the traffic forwarding device that forwards the abnormal traffic, and SEC is the security detection device, which may perform all or part of the steps of the abnormal device detection method provided by the present application. C is a public-network DNS server. Because the DNS protocol uses recursive queries, when host A or E initiates a DNS request for a C2 domain name, the intranet DNS server B first checks whether it has a cached DNS record for the domain name designated by A or E; if not, it must send a DNS request packet to the external DNS server C to request the IP address corresponding to the C2 domain name. As that DNS request packet passes through the security detection device SEC, it is detected and discovered by SEC, and abnormal traffic is determined to have been detected. When the related technology is used for tracing, because the source IP of the packet is the IP of server B, the security detection device SEC can only record that server B is infected with the virus and cannot locate hosts A and E, which are actually infected; the detection capability for abnormal devices is therefore weak and the effect poor.
When SEC executes the abnormal device detection method provided by the present application, after detecting the abnormal traffic it extracts the sender identifier from it and, using the traffic device information, determines that the target traffic forwarding device is B. It then acquires the traffic forwarding log of B and screens it with the quintuple information of the abnormal traffic, which determines that the abnormal traffic was sent by A and E; the information corresponding to A and E is therefore determined as the abnormal device information, and abnormal device detection is achieved.
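Steps 51 and 52 applied to the fig. 2 topology, as an added example that is not code from the patent or from the applicant: B's forwarding log records the quintuple before and after each recursive query, SEC screens it with the post-forwarding quintuple of each detected packet, and the pre-forwarding sender is the abnormal device. The content-based match mentioned above (the queried name is unchanged by forwarding) is shown alongside. The log layout, all addresses and the C2 name are constructed assumptions.

```python
"""Added example: screening a traffic forwarding log with quintuple information.
Log format, addresses and domain name are constructed."""
from typing import Dict, List, NamedTuple


class Quintuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


class ForwardRecord(NamedTuple):
    """One constructed forwarding-log entry: the quintuple before and after
    forwarding, plus the queried name, which forwarding leaves unchanged."""
    before: Quintuple
    after: Quintuple
    qname: str


# Constructed addresses for fig. 2: A and E intranet hosts, B intranet DNS, C public DNS.
A, E, B, C = "10.0.0.11", "10.0.0.15", "10.0.0.53", "203.0.113.53"

# Constructed forwarding log of B: recursive queries it sent on behalf of intranet hosts.
FORWARD_LOG: List[ForwardRecord] = [
    ForwardRecord(Quintuple(A, 51001, B, 53, "udp"), Quintuple(B, 40001, C, 53, "udp"), "c2-example.invalid"),
    ForwardRecord(Quintuple("10.0.0.20", 51002, B, 53, "udp"), Quintuple(B, 40002, C, 53, "udp"), "example.org"),
    ForwardRecord(Quintuple(E, 51003, B, 53, "udp"), Quintuple(B, 40003, C, 53, "udp"), "c2-example.invalid"),
]

# Constructed abnormal traffic as SEC sees it between B and C: the source is B.
DETECTED: List[Dict] = [
    {"src_ip": B, "src_port": 40001, "dst_ip": C, "dst_port": 53, "proto": "udp"},
    {"src_ip": B, "src_port": 40003, "dst_ip": C, "dst_port": 53, "proto": "udp"},
]


def extract_quintuple(packet: Dict) -> Quintuple:
    """Step 51: the quintuple of one abnormal packet."""
    return Quintuple(packet["src_ip"], packet["src_port"], packet["dst_ip"],
                     packet["dst_port"], packet["proto"])


def screen_forward_log(abnormal: Quintuple, log: List[ForwardRecord]) -> List[str]:
    """Step 52: entries whose post-forwarding quintuple equals the abnormal
    quintuple; their pre-forwarding sender is the abnormal device."""
    return [rec.before.src_ip for rec in log if rec.after == abnormal]


def screen_by_content(qname: str, log: List[ForwardRecord]) -> List[str]:
    """Alternative from the text: match on the unchanged content instead."""
    return [rec.before.src_ip for rec in log if rec.qname == qname]


def detect_abnormal_devices(packets: List[Dict], log: List[ForwardRecord]) -> List[str]:
    """Abnormal device information for all detected packets, in order of first hit."""
    found: List[str] = []
    for packet in packets:
        for sender in screen_forward_log(extract_quintuple(packet), log):
            if sender not in found:
                found.append(sender)
    return found


if __name__ == "__main__":
    print(detect_abnormal_devices(DETECTED, FORWARD_LOG))  # expected [A, E]
```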
In the following, the abnormal device detecting apparatus provided in the embodiment of the present application is introduced, and the abnormal device detecting apparatus described below and the abnormal device detecting method described above may be referred to correspondingly.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an abnormal device detecting apparatus according to an embodiment of the present application, including:
the network address extraction module 110 is configured to obtain an abnormal traffic and extract a sender identifier corresponding to the abnormal traffic;
a target device determining module 120, configured to filter traffic device information by using the sender identifier, obtain target traffic forwarding device information, and determine a target traffic forwarding device according to the target traffic forwarding device information;
the attack information obtaining module 130 is configured to obtain a traffic forwarding log corresponding to the target traffic forwarding device, and obtain abnormal device information from the traffic forwarding log.
By applying the abnormal device detecting apparatus provided by the embodiment of the application, after the abnormal traffic is obtained, the corresponding sender identifier is extracted. If the abnormal traffic was forwarded by a traffic forwarding device, the sender identifier in the abnormal traffic is the network address configured for traffic forwarding. After the sender identifier is obtained, it is used to screen the traffic device information, which records the network addresses of all traffic forwarding devices in the network, so the target traffic forwarding device that forwarded the abnormal traffic can be determined by screening. Because the target traffic forwarding device generates a corresponding log during operation, it records the forwarding of each traffic, including the information of the sender of that traffic. Therefore, by obtaining the traffic forwarding log corresponding to the target traffic forwarding device, the sender information corresponding to the abnormal traffic, that is, the abnormal device information, can be extracted from it. The apparatus does not require the abnormal traffic to carry a valid Forwarded-For field and can detect the abnormal traffic whether or not it uses the HTTP (hypertext transfer protocol) protocol, so the detection capability and detection effect for abnormal devices are improved, which solves the problems of weak detection capability and poor effect for abnormal devices in the related technology.
Optionally, the target device determining module 120 includes:
a network address field determining unit, configured to determine a network address field to which the sender identifier belongs;
the filtering unit is used for filtering the traffic equipment information according to the network address section to obtain primarily selected traffic equipment information;
the screening unit, configured to screen the primarily selected traffic device information by using the sender identifier to obtain the target traffic forwarding device information.
Optionally, the screening unit comprises:
a detection direction determining subunit, configured to determine a detection direction according to a location of the sender identifier in the network address segment;
the judging subunit, configured to perform matching detection on the primarily selected traffic device information according to the detection direction and judge whether the sender identifier exists in the primarily selected traffic device information;
the determining subunit, configured to determine, if the sender identifier exists, the traffic forwarding device information corresponding to the sender identifier as the target traffic forwarding device information;
the abnormal device information determining subunit, configured to extract quintuple information from the abnormal traffic if the sender identifier does not exist, and obtain the abnormal device information by using the quintuple information.
Optionally, the apparatus further comprises:
the correspondence acquisition module, configured to acquire and parse an information generation instruction to obtain the correspondence between traffic forwarding device numbers and traffic forwarding device information;
the information generation module, configured to generate the traffic device information by using the correspondence.
Optionally, the apparatus further comprises:
the classification module, configured to acquire the device traffic corresponding to each candidate device and input the device traffic into the classification model to obtain a classification result;
a traffic forwarding device determining module, configured to determine the candidate devices whose device traffic is classified as traffic forwarding device traffic as traffic forwarding devices;
the generating module, configured to acquire the device identifier corresponding to the traffic forwarding device and generate the traffic device information by using the device identifier and the traffic forwarding device information.
Optionally, the apparatus further comprises:
a correction information acquisition module, configured to output the classification result and acquire correction information entered in response to the classification result;
the classification result adjusting module, configured to adjust the classification result by using the correction information to obtain a final classification result;
correspondingly, the traffic forwarding device determining module is configured to determine, as the traffic forwarding device, the candidate device corresponding to the device traffic whose classification result is the traffic forwarding device, where the device traffic whose classification result is the traffic forwarding device is the device traffic whose final classification result is the traffic forwarding device.
Optionally, the attack information obtaining module 130 includes:
a quintuple information extraction unit for extracting quintuple information from the abnormal traffic;
the log screening unit, configured to screen the traffic forwarding log by using the quintuple information to obtain the abnormal device information.
In the following, the electronic device provided by the embodiment of the present application is introduced, and the electronic device described below and the abnormal device detection method described above may be referred to correspondingly.
Referring to fig. 4, fig. 4 is a schematic diagram of a hardware composition framework applicable to the abnormal device detection method according to the embodiment of the present disclosure. The electronic device 100 may include a processor 101 and a memory 102, and may further include one or more of a multimedia component 103, an input/output (I/O) interface 104, and a communication component 105.
The processor 101 is configured to control the overall operation of the electronic device 100 to complete all or part of the steps of the abnormal device detection method; the memory 102 is used to store various types of data to support operation of the electronic device 100, and such data may include, for example, instructions for any application or method operating on the electronic device 100, as well as application-related data. The memory 102 may be implemented by any type or combination of volatile and non-volatile memory devices, such as one or more of static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk. In the present embodiment, the memory 102 stores at least programs and/or data for realizing the following functions:
acquiring abnormal flow and extracting a sender identifier corresponding to the abnormal flow;
screening flow equipment information by using a sender identifier to obtain target flow forwarding equipment information, and determining target flow forwarding equipment according to the target flow forwarding equipment information;
and acquiring a traffic forwarding log corresponding to the target traffic forwarding equipment, and acquiring abnormal equipment information from the traffic forwarding log.
The multimedia component 103 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signal may further be stored in the memory 102 or transmitted through the communication component 105. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 104 provides an interface between the processor 101 and other interface modules, such as a keyboard, mouse, buttons and the like. These buttons may be virtual buttons or physical buttons. The communication component 105 is used for wired or wireless communication between the electronic device 100 and other devices. Wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 105 may include a Wi-Fi part, a Bluetooth part and an NFC part.
The electronic device 100 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components, and is configured to perform the abnormal device detection method according to the above embodiments.
Of course, the structure of the electronic device 100 shown in fig. 4 does not constitute a limitation of the electronic device in the embodiment of the present application, and in practical applications, the electronic device 100 may include more or less components than those shown in fig. 4, or some components may be combined.
It is to be understood that, in the embodiment of the present application, the number of electronic devices is not limited, and a plurality of electronic devices may cooperate to complete the abnormal device detection method. In a possible implementation, referring to fig. 5, fig. 5 is a schematic diagram of a hardware composition framework applicable to another abnormal device detection method provided in the embodiment of the present application. As can be seen from fig. 5, the hardware composition framework may include a first electronic device 11 and a second electronic device 12 connected to each other through a network 13.
In the embodiment of the present application, the hardware structures of the first electronic device 11 and the second electronic device 12 may refer to the electronic device 100 in fig. 4. That is, it can be understood that there are two electronic devices 100 in the present embodiment, and the two devices perform data interaction. Further, in this embodiment of the application, the form of the network 13 is not limited, that is, the network 13 may be a wireless network (e.g., WIFI, bluetooth, etc.), or may be a wired network.
The first electronic device 11 and the second electronic device 12 may be the same electronic device, for example, the first electronic device 11 and the second electronic device 12 are both servers; or may be different types of electronic devices, for example, the first electronic device 11 may be a gateway or a router, and the second electronic device 12 may be a server. In one possible embodiment, a server with high computing power may be utilized as the second electronic device 12 to improve data processing efficiency and reliability. Meanwhile, a gateway or a router with low cost and wide application range is used as the first electronic device 11 to obtain the abnormal traffic. The interaction behavior between the first electronic device 11 and the second electronic device 12 may be: the first electronic device 11 obtains the abnormal traffic and sends the abnormal traffic to the second electronic device through the network 13, and the second electronic device 12 extracts the sender identifier, determines the target traffic forwarding device, and obtains the abnormal device information of the abnormal traffic sent by the first electronic device 11, thereby completing the abnormal device detection.
In the following, a computer-readable storage medium provided by an embodiment of the present application is introduced, and the computer-readable storage medium described below and the abnormal device detection method described above may be referred to correspondingly.
The present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the abnormal device detecting method described above.
The computer-readable storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those skilled in the art would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second are intended only to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprise", "include" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that includes a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. An abnormal device detection method, comprising:
acquiring abnormal flow and extracting a sender identifier corresponding to the abnormal flow;
screening the flow equipment information by using the sender identification to obtain target flow forwarding equipment information, and determining target flow forwarding equipment according to the target flow forwarding equipment information;
and acquiring a traffic forwarding log corresponding to the target traffic forwarding device, and acquiring abnormal device information from the traffic forwarding log.
2. The abnormal device detection method according to claim 1, wherein the sender identification is a network address to be tested; the screening the traffic device information by using the sender identifier to obtain target traffic forwarding device information includes:
determining a network address segment to which the network address to be tested belongs;
filtering the traffic device information according to the network address segment to obtain primarily selected traffic device information;
and screening the primarily selected flow equipment information by using the network address to be tested to obtain the target flow forwarding equipment information.
3. The attack tracing method according to claim 2, wherein the screening the primarily selected traffic device information by using the network address to be tested to obtain the target traffic forwarding device information comprises:
determining a detection direction according to the position of the network address to be detected in the network address section;
matching detection is carried out on the primary selection flow equipment information according to the detection direction, and whether the network address to be detected exists in the primary selection flow equipment information is judged;
if the target traffic forwarding device information exists, determining the traffic device forwarding information corresponding to the network address to be tested as the target traffic forwarding device information;
and if the abnormal flow does not exist, extracting quintuple information from the abnormal flow, and obtaining the abnormal equipment information by using the quintuple information.
4. The abnormal device detection method according to claim 1, wherein the sender identification is a sending device number; the generating process of the flow device information comprises the following steps:
acquiring and analyzing an information generation instruction to obtain a corresponding relation between the number of the flow forwarding equipment and the information of the flow forwarding equipment;
and generating the flow equipment information by utilizing the corresponding relation.
5. The abnormal device detection method according to claim 1, wherein the generation process of the traffic device information includes:
acquiring device flow corresponding to each candidate device, and inputting the device flow into a classification model to obtain a classification result;
determining the candidate device corresponding to the device traffic of the traffic forwarding device as the traffic forwarding device according to the classification result;
and acquiring an equipment identifier corresponding to the flow forwarding equipment, and generating the flow equipment information by using the equipment identifier and the flow forwarding equipment information.
6. The abnormal apparatus detecting method according to claim 5, further comprising, after obtaining the classification result:
outputting the classification result and acquiring correction information responding to the classification result;
adjusting the classification result by using the correction information to obtain a final classification result;
correspondingly, the determining, as the traffic forwarding device, the candidate device corresponding to the device traffic whose classification result is the traffic forwarding device includes:
and determining the candidate equipment corresponding to the equipment flow of the flow forwarding equipment as the final classification result as the flow forwarding equipment.
7. The abnormal device detection method according to any one of claims 1 to 6, wherein the obtaining abnormal device information from the traffic forwarding log includes:
extracting quintuple information from the abnormal flow;
and screening the flow forwarding log by using the five-tuple information to obtain the abnormal equipment information.
8. An abnormal device detection apparatus, comprising:
the network address extraction module is used for acquiring abnormal flow and extracting a sender identifier corresponding to the abnormal flow;
the target equipment determining module is used for screening the flow equipment information by using the sender identifier to obtain target flow forwarding equipment information and determining target flow forwarding equipment according to the target flow forwarding equipment information;
and the attack information acquisition module is used for acquiring a traffic forwarding log corresponding to the target traffic forwarding device and acquiring abnormal device information from the traffic forwarding log.
9. An electronic device comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor for executing the computer program to implement the abnormal device detecting method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the abnormal apparatus detecting method according to any one of claims 1 to 7.
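The lookup chain of claims 1 to 3 and 7 in runnable form, as an added worked example that is not the patent's own code: a sender address is narrowed to its network segment, matched against a table of forwarding devices scanning from whichever end of the segment it is closer to, and the matched device's forwarding log is searched by five-tuple to recover the inside host that actually produced the abnormal traffic. The device table, the NAT-style forwarding log, all addresses, and the `device_id`/`inside` field names are constructed assumptions.

```python
import ipaddress

# Constructed traffic-device table (claim 2): forwarding devices such as NAT
# gateways, with the address each sends from and the segment it belongs to.
TRAFFIC_DEVICES = [
    {"device_id": "gw-01", "address": "203.0.113.5", "segment": "203.0.113.0/24"},
    {"device_id": "gw-02", "address": "203.0.113.200", "segment": "203.0.113.0/24"},
    {"device_id": "gw-03", "address": "198.51.100.9", "segment": "198.51.100.0/24"},
]

# Constructed forwarding logs per device: the translated (outside) five-tuple
# of each forwarded connection and the inside address that originated it.
FORWARDING_LOGS = {
    "gw-01": [
        {"src": "203.0.113.5", "sport": 40001, "dst": "192.0.2.10",
         "dport": 443, "proto": "tcp", "inside": "10.0.0.21"},
        {"src": "203.0.113.5", "sport": 40002, "dst": "192.0.2.10",
         "dport": 443, "proto": "tcp", "inside": "10.0.0.37"},
    ],
}


def primary_select(address, devices):
    """Claim 2: keep the entries whose network segment contains the address."""
    ip = ipaddress.ip_address(address)
    return [d for d in devices if ip in ipaddress.ip_network(d["segment"])]


def find_target_device(address, candidates):
    """Claim 3: scan front-to-back if the address lies in the lower half of
    its segment, back-to-front otherwise, and return the exact match."""
    if not candidates:
        return None
    ip = ipaddress.ip_address(address)
    net = ipaddress.ip_network(candidates[0]["segment"])
    ordered = sorted(candidates, key=lambda d: int(ipaddress.ip_address(d["address"])))
    if int(ip) >= int(net.network_address) + net.num_addresses // 2:
        ordered.reverse()
    return next((d for d in ordered if d["address"] == address), None)


def trace_abnormal_device(flow, devices=TRAFFIC_DEVICES, logs=FORWARDING_LOGS):
    """Claims 1 and 7: sender address -> forwarding device -> log entry with the
    same five-tuple -> inside device that actually produced the abnormal flow."""
    target = find_target_device(flow["src"], primary_select(flow["src"], devices))
    if target is None:  # claim 3 fallback: the sender itself is the device
        return {"device": flow["src"], "via": None}
    for entry in logs.get(target["device_id"], []):
        if all(entry[k] == flow[k] for k in ("src", "sport", "dst", "dport", "proto")):
            return {"device": entry["inside"], "via": target["device_id"]}
    return None  # forwarding device found, but its log has no such connection
```

The `None` result is the case a practitioner has to handle: the gateway is known but its log retention or clock skew hid the matching connection, so the trace stops at the gateway rather than at an inside host.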
CN202110229398.6A 2021-03-02 2021-03-02 Abnormal equipment detection method and device, electronic equipment and readable storage medium Pending CN112887333A (en)

Publications (1)

Publication Number Publication Date
CN112887333A true CN112887333A (en) 2021-06-01

Family

ID=76055162

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113992341A (en) * 2021-09-09 2022-01-28 新华三信息安全技术有限公司 Message processing method and device
CN114584490A (en) * 2022-03-25 2022-06-03 阿里巴巴(中国)有限公司 Data transmission detection method and device
CN115022155A (en) * 2022-05-24 2022-09-06 深信服科技股份有限公司 Information processing method, device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234480A (en) * 2017-12-29 2018-06-29 北京奇虎科技有限公司 Intrusion detection method and device
CN109962903A (en) * 2017-12-26 2019-07-02 中移(杭州)信息技术有限公司 A kind of home gateway method for safety monitoring, device, system and medium
CN110460593A (en) * 2019-07-29 2019-11-15 腾讯科技(深圳)有限公司 A kind of network address recognition methods, device and the medium of mobile flow gateway
CN110855629A (en) * 2019-10-21 2020-02-28 新华三信息安全技术有限公司 Matching method of IP address, generating method of matching table and related device
WO2021008028A1 (en) * 2019-07-18 2021-01-21 平安科技(深圳)有限公司 Network attack source tracing and protection method, electronic device and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210601