CN113037689A - Log-based virus discovery method and device, computing equipment and storage medium - Google Patents


Info

Publication number
CN113037689A
Authority
CN
China
Prior art keywords
virus
frequency
destination
address
log
Prior art date
Legal status
Pending
Application number
CN201911349533.XA
Other languages
Chinese (zh)
Inventor
李秀清
李佩瑞
王森
陈�峰
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hebei Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hebei Co Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention relates to the technical field of network security and discloses a log-based virus discovery method, a log-based virus discovery device, a computing device and a storage medium. The method comprises the following steps: acquiring access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; acquiring the frequency of the destination port and the frequency of the destination IP address from the access logs; calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determining whether a suspected virus exists according to the virus quantization weight index. In this way, the embodiment of the invention can discover computer viruses in the network in time, reduce the spread of virus infection, and ensure to the greatest extent the availability of the network environment and the integrity and confidentiality of user data.

Description

Log-based virus discovery method and device, computing equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a log-based virus discovery method and device, computing equipment and a storage medium.
Background
Personal PCs and office terminals need antivirus software installed to deal with computer viruses, and enterprises may purchase network antivirus gateways (antivirus walls), terminal antivirus software and the like to deal with everyday viruses. Both the network antivirus wall and the terminal antivirus software depend on a virus library, updates of the virus library depend on virus samples, and so there is a certain delay before a virus is discovered.
Most current virus detection methods are based on virus characteristics. Antivirus software divides viruses into families according to family characteristics and usually extracts the characteristic information of a family as the basis for judgment, so that one record in the virus library can hit all viruses of that family. The existing computer virus inspection method statically analyzes the binary data of the virus files to be classified, analyzes their Portable Executable (PE) structure data, compares the PE structure data of the files to be classified, and groups files whose PE structure data reach a specified similarity into the same category.
The existing computer virus inspection method needs a large number of virus samples as support, and the PE structure data of virus files must be extracted from those samples. For an enterprise, building its own library of virus sample PE structures consumes a great deal of manpower and funds for purchasing and studying virus samples. This is a process from 0 to 1, and the task may fail midway because the technicians' skills do not meet the demands of studying virus samples. Alternatively, the enterprise spends a certain amount each year purchasing a virus sample PE structure library from other security companies. Either approach requires a certain investment of manpower and funds. In addition, since virus discovery depends on the PE structure data of virus samples, discovering a virus in the live network requires obtaining the sample through other channels, or obtaining a new virus PE structure library from other security companies some time after the outbreak, so a certain delay exists.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a log-based virus discovery method, apparatus, computing device and storage medium, which overcome or at least partially solve the above problems.
According to an aspect of an embodiment of the present invention, a log-based virus discovery method is provided, including: acquiring access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; acquiring the frequency of the destination port and the frequency of the destination IP address from the access logs; calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determining whether a suspected virus exists according to the virus quantization weight index.
In an optional manner, acquiring the access logs generated by the network security device within the preset time includes: recording, through the transport layer device, the access logs generated by the personal terminal area devices and/or the server area devices; and collecting the access logs recorded by the transport layer device.
In an optional manner, acquiring the access logs generated by the network security device within the preset time further includes: generalizing the collected access logs to form access logs with a uniform format.
In an optional manner, acquiring the frequency of the destination port and the frequency of the destination IP address from the access logs includes: storing the generalized access logs and building an index; calculating the total number of access logs; counting the access logs by destination port and destination IP address; and calculating the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port, per-IP counts.
In an optional manner, the frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, satisfying the following relation:
$F_{pt_i} = \frac{\sum_{j} n_{ij}}{N}$
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses for the same destination port in the access logs, satisfying the following relation:
$F_{IP_i} = \log\left(\mathrm{count}\left(\mathrm{Distinct}(n_{i,j})\right)\right)$
where $F_{pt_i}$ is the frequency of destination port i, $F_{IP_i}$ is the frequency of the destination IP addresses for destination port i, $n_{ij}$ is the number of access logs whose destination port is i and destination IP address is j, and N is the total number of access logs.
In an optional manner, calculating the virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address includes: calculating the product of the frequency of the destination port and the frequency of the destination IP address to obtain the virus quantization weight index.
In an optional manner, determining whether a suspected virus exists according to the virus quantization weight index includes: comparing the virus quantization weight index with a preset value; and if the virus quantization weight index is larger than the preset value, raising a suspected virus alarm.
According to another aspect of the embodiments of the present invention, a log-based virus discovery apparatus is provided, including a log acquisition unit, a frequency calculation unit, an index calculation unit and a judging unit. The log acquisition unit is used for acquiring access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; the frequency calculation unit is used for acquiring the frequency of the destination port and the frequency of the destination IP address from the access logs; the index calculation unit is used for calculating the virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and the judging unit is used for determining whether a suspected virus exists according to the virus quantization weight index.
According to another aspect of the embodiments of the present invention, a computing device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the log-based virus discovery method described above.
According to yet another aspect of the embodiments of the present invention, a computer storage medium is provided in which at least one executable instruction is stored, the executable instruction causing the processor to perform the steps of the log-based virus discovery method described above.
The embodiment of the invention acquires access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; acquires the frequency of the destination port and the frequency of the destination IP address from the access logs; calculates a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determines whether a suspected virus exists according to the virus quantization weight index, so that computer viruses in the network can be found in time, the spread of virus infection is reduced, the availability of the network environment is ensured to the greatest extent, and the integrity and confidentiality of user data are ensured.
The foregoing is only an overview of the technical solutions of the embodiments of the present invention. In order that the technical means of the embodiments may be understood more clearly and implemented according to the content of this description, and in order that the foregoing and other objects, features and advantages of the embodiments may be more clearly understood, the detailed description of the present invention is provided below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a discovery diagram illustrating a log-based virus discovery method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a log-based virus discovery method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a log-based virus discovery apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 shows a discovery diagram of a log-based virus discovery method according to an embodiment of the present invention. As shown in fig. 1, the log area is the main area where logs are generated. Its local devices include Personal Computers (PCs) in the personal terminal area, application servers and database servers in the server area, and security devices such as transport layer devices. The transport layer devices include firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and other gateway devices.
The logs of the log area mainly refer to access logs, including logs of permitted and denied communications, such as firewall access logs. The access log is the basic data for virus discovery in the embodiment of the invention and provides the basis for subsequent virus discovery, in particular the logs of firewalls used for isolation between areas. A firewall, as a device that isolates different security domains, records the logs of mutual access between security domains. However, since virus propagation has a certain randomness and the network boundary is not clear to it, it generates a large number of tentative access requests at the firewall, and these tentative access requests can be counted to locate the source of the virus.
The access logs generated by different devices differ, and so do their formats; even the same kind of security device from different vendors produces different access logs. The log collection area collects the access logs through a platform and generalizes them according to their common and individual fields, so that all access logs take a uniform format.
The log storage area stores the generalized access logs and uses an ElasticSearch server to index them. ElasticSearch is a Lucene-based search server that provides a distributed, multi-user full-text search engine.
Each access log includes the five-tuple of source IP address, source port, destination IP address (IP Target), destination port (Port Target) and transport layer protocol. The log analysis area analyzes the access logs with a Kibana server: based on the five-tuples of the stored access logs, the behavior of hosts in the network is modeled and sliced to find abnormal hosts in the network environment. If a destination port appears in the access logs with high frequency while each destination IP address appears with low frequency, those access logs should be singled out, and the traffic may be virus propagation behavior.
Fig. 2 is a flowchart illustrating a log-based virus discovery method according to an embodiment of the present invention. As shown in fig. 2, the log-based virus discovery method includes:
Step S11: acquiring access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol.
In the embodiment of the present invention, a Personal Computer (PC) in the personal terminal area communicates with the application servers and database servers in the server area through a transport layer device, which records the resulting access logs. In step S11, the access logs generated by the personal terminal area devices and/or the server area devices within a preset time are recorded by the transport layer device, and the access logs recorded by the transport layer device are collected. The preset time may be 1 hour, one day and the like, and may be set as needed, which is not limited here. The embodiment of the invention also generalizes the collected access logs to form access logs with a uniform format.
The computer viruses targeted by the embodiment of the invention are those that depend on the network or harm the network environment. This class of viruses has a common trait: data exchange is performed in the network environment, and the data exchange involves the five-tuple of source IP address, source port, destination IP address, destination port and transport layer protocol.
Step S12: acquiring the frequency of the destination port and the frequency of the destination IP address from the access logs.
In the embodiment of the invention, based on the five-tuples of the stored access logs, the behavior of hosts in the network is modeled and sliced to discover abnormal hosts in the network environment. If a destination port appears in the access logs with high frequency while each destination IP address appears with low frequency, those access logs should be singled out, and the traffic may be virus propagation behavior.
In step S12, the generalized access logs are stored and indexed; the total number of access logs is calculated; the access logs are counted by destination port and destination IP address; and the frequency of the destination port and the frequency of the destination IP address are calculated from the total number and the per-port, per-IP counts.
The frequency of the destination port is the ratio of the number of logs with that destination port to the total number of logs, satisfying the following relation:
$F_{pt_i} = \frac{\sum_{j} n_{ij}}{N}$
where $F_{pt_i}$ is the frequency of destination port i, $n_{ij}$ is the number of access logs whose destination port is i and destination IP address is j, and N is the total number of access logs. The larger the value of $F_{pt_i}$, the more frequently destination port i occurs in the access logs.
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses for the same destination port in the access logs, satisfying the following relation:
$F_{IP_i} = \log\left(\mathrm{count}\left(\mathrm{Distinct}(n_{i,j})\right)\right)$
where $F_{IP_i}$ is the frequency of the destination IP addresses whose destination port is i. Distinct is a deduplication function over the pair of destination port and destination IP address, that is, each distinct pair of destination port and destination IP address is counted once. count then calculates the number of distinct destination IP addresses that share the same destination port. The larger the value of $F_{IP_i}$, i.e., the more destination IP addresses share the same destination port, the lower the frequency of each individual destination IP address and the more dispersed the destination IP addresses for that destination port are.
Step S13: calculating the virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address.
The product of the frequency of the destination port and the frequency of the destination IP address is calculated to obtain the virus quantization weight index. The virus quantization weight index w satisfies the following relation:
$w = F_{pt_i} \cdot F_{IP_i}$
where w is the virus quantization weight index, $F_{pt_i}$ is the frequency of destination port i, and $F_{IP_i}$ is the frequency of the destination IP addresses with destination port i. The higher the frequency of the destination port and/or the frequency of the destination IP address, the larger the value of the virus quantization weight index w.
Step S14: determining whether a suspected virus exists according to the virus quantization weight index.
In the embodiment of the invention, a preset value W is set as the virus judgment threshold, and the virus quantization weight index is compared with the preset value; if the virus quantization weight index is larger than the preset value, a suspected virus alarm is raised. An index above the preset value indicates that the destination port appears in the access logs with high frequency while each destination IP address appears with low frequency, so the access may be virus propagation behavior; a suspected virus alarm is generated, and the host at the source IP address of the alarmed accesses to that destination port is likely to be infected with the virus.
The embodiment of the invention adopts a behavior analysis method, overcomes the shortcomings of traditional computer virus detection based on a virus library and PE structures, and can detect computer viruses that have been processed to evade antivirus detection. Through behavior analysis, computer viruses in the network can be found in time, and isolation, response and early warning can be carried out quickly after a host is infected, so that the spread of infection is reduced as much as possible, the availability of the network environment is ensured to the greatest extent, and the integrity and confidentiality of user data are ensured.
In the embodiment of the invention, after a suspected virus alarm, manual investigation can further determine whether virus propagation exists: the suspected machine is isolated and examined, the cause of the anomaly is analyzed, and the virus type and its damage are analyzed. If virus propagation is confirmed, the computer virus is cleaned, the cause of infection is analyzed, and the threat model is optimized and improved.
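Steps S11 to S14 carried through over constructed firewall logs, as an added worked example in Python that is not part of the patent or of any China Mobile implementation. The key=value layout of the generalized log line, the natural logarithm for F_IP, the threshold W = 0.5 and the sample traffic are all assumptions made for this example; it also reports the source IP addresses behind an alarmed destination port, as step S14 describes.

```python
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Virus judgment threshold W from step S14. The page leaves the value to the
# operator; 0.5 is an assumed value chosen for this constructed sample.
W_THRESHOLD = 0.5

# The field layout of a generalized (uniform-format) access log line is an
# assumption made for this example; the five-tuple fields are those the page names.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class PortMetrics:
    port: int
    f_pt: float         # F_pt_i: share of all access logs whose destination port is i
    f_ip: float         # F_IP_i: log of the number of distinct destination IPs on port i
    w: float            # virus quantization weight index w = F_pt_i * F_IP_i
    sources: frozenset  # source IPs that accessed port i (candidate infected hosts)


def build_sample_log() -> str:
    """Constructed sample of 58 generalized firewall access logs (not real data)."""
    lines = []
    # Ordinary traffic: 30 clients reaching one HTTPS server, 5 reaching one database.
    for k in range(30):
        lines.append(f"src=10.0.0.{100 + k} sport={40000 + k} dst=10.0.1.10 dport=443 proto=tcp action=permit")
    for k in range(5):
        lines.append(f"src=10.0.0.{150 + k} sport={41000 + k} dst=10.0.1.11 dport=3306 proto=tcp action=permit")
    # An administrator opening SSH to two servers.
    for k, dst in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.10"]):
        lines.append(f"src=10.0.0.9 sport={42000 + k} dst={dst} dport=22 proto=tcp action=permit")
    # One host making tentative SMB connections to 20 distinct servers, all denied by the firewall.
    for k in range(20):
        lines.append(f"src=10.0.0.5 sport={50000 + k} dst=10.0.1.{20 + k} dport=445 proto=tcp action=deny")
    return "\n".join(lines)


def parse_logs(text: str) -> list[FiveTuple]:
    """Step S11: extract the five-tuple from each generalized log line; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        records.append(FiveTuple(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return records


def compute_metrics(records: list[FiveTuple]) -> dict[int, PortMetrics]:
    """Steps S12 and S13: per destination port i, compute F_pt_i, F_IP_i and w."""
    total = len(records)  # N
    if total == 0:
        return {}
    logs_per_port = Counter(r.dport for r in records)  # sum over j of n_ij
    dsts_per_port = defaultdict(set)  # Distinct(n_ij): unique (port, destination IP) pairs
    srcs_per_port = defaultdict(set)
    for r in records:
        dsts_per_port[r.dport].add(r.dst)
        srcs_per_port[r.dport].add(r.src)
    metrics = {}
    for port, n_i in logs_per_port.items():
        f_pt = n_i / total
        # Natural logarithm assumed; the page does not fix the base. log(1) = 0, so a port
        # reached on only one destination IP never scores, however busy it is.
        f_ip = math.log(len(dsts_per_port[port]))
        metrics[port] = PortMetrics(port, f_pt, f_ip, f_pt * f_ip, frozenset(srcs_per_port[port]))
    return metrics


def suspected_virus_ports(metrics: dict[int, PortMetrics], threshold: float = W_THRESHOLD) -> list[PortMetrics]:
    """Step S14: destination ports whose index w exceeds the preset value W, highest first."""
    return sorted((m for m in metrics.values() if m.w > threshold), key=lambda m: m.w, reverse=True)


if __name__ == "__main__":
    metrics = compute_metrics(parse_logs(build_sample_log()))
    for m in sorted(metrics.values(), key=lambda m: m.port):
        print(f"dport {m.port:>5}: F_pt={m.f_pt:.3f} F_IP={m.f_ip:.3f} w={m.w:.3f}")
    for a in suspected_virus_ports(metrics):
        print(f"suspected virus: dport {a.port}, w={a.w:.3f}, source hosts {sorted(a.sources)}")
```

In the sample, port 443 has the highest F_pt but a single destination IP, so its w is 0 and only port 445 (20 distinct destinations from one source) crosses the threshold.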
Fig. 3 is a schematic structural diagram of a log-based virus discovery apparatus according to an embodiment of the present invention. As shown in fig. 3, the log-based virus discovery apparatus includes: a log acquisition unit 301, a frequency calculation unit 302, an index calculation unit 303 and a judging unit 304. Wherein:
the log acquisition unit 301 is configured to acquire access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; the frequency calculation unit 302 is configured to acquire the frequency of the destination port and the frequency of the destination IP address from the access logs; the index calculation unit 303 is configured to calculate the virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and the judging unit 304 is configured to determine whether a suspected virus exists according to the virus quantization weight index.
In an optional manner, the log acquisition unit 301 is configured to: record, through the transport layer device, the access logs generated by the personal terminal area devices and/or the server area devices; and collect the access logs recorded by the transport layer device.
In an optional manner, the log acquisition unit 301 is further configured to: generalize the collected access logs to form access logs with a uniform format.
In an optional manner, the frequency calculation unit 302 is configured to: store the generalized access logs and build an index; calculate the total number of access logs; count the access logs by destination port and destination IP address; and calculate the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port, per-IP counts.
In an optional manner, the frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, satisfying the following relation:
$F_{pt_i} = \frac{\sum_{j} n_{ij}}{N}$
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses for the same destination port in the access logs, satisfying the following relation:
$F_{IP_i} = \log\left(\mathrm{count}\left(\mathrm{Distinct}(n_{i,j})\right)\right)$
where $F_{pt_i}$ is the frequency of destination port i, $F_{IP_i}$ is the frequency of the destination IP addresses for destination port i, $n_{ij}$ is the number of access logs whose destination port is i and destination IP address is j, and N is the total number of access logs.
In an optional manner, the index calculation unit 303 is configured to: calculate the product of the frequency of the destination port and the frequency of the destination IP address to obtain the virus quantization weight index.
In an optional manner, the judging unit 304 is configured to: compare the virus quantization weight index with a preset value; and if the virus quantization weight index is larger than the preset value, raise a suspected virus alarm.
An embodiment of the present invention provides a non-volatile computer storage medium, where at least one executable instruction is stored in the computer storage medium, and the computer executable instruction may execute the log-based virus discovery method in any of the above method embodiments.
The executable instructions may be specifically configured to cause the processor to:
acquiring access logs in preset time from a transmission layer device, wherein each access log records an active IP address, a source port, a destination IP address, a destination port and a transmission layer protocol;
acquiring the frequency of the target port and the frequency of the target IP address according to the access log;
calculating a virus quantization weight index according to the frequency of the target port and the frequency of the target IP address;
and determining whether the virus is suspected to be the virus according to the virus quantization weight index.
In an alternative, the executable instructions cause the processor to:
record, through the transport-layer device, the access logs generated by devices in the personal terminal zone and/or the server zone;
and collect the access logs recorded by the transport-layer device.
In an alternative, the executable instructions cause the processor to:
normalize the acquired access logs into a uniform format.
In an alternative, the executable instructions cause the processor to:
store the normalized access logs and build an index over them;
calculate the total number of access logs;
count the access logs by destination port and by destination IP address;
and calculate the frequency of the destination port and the frequency of the destination IP addresses from the total number and the per-port and per-IP counts.
In an optional manner, the frequency of a destination port is the ratio of the number of access logs to that destination port to the total number of access logs, satisfying the relation:
Fpt_i = count(n_{i,j}) / N
The frequency of the destination IP addresses is the logarithm of the number of distinct destination IP addresses seen for the same destination port in the access logs, satisfying the relation:
FIP_i = log(count(Distinct n_{i,j}))
where Fpt_i is the frequency of destination port i, FIP_i is the frequency of the destination IP addresses for destination port i, n_{i,j} denotes an access log whose destination port is i and whose destination IP address is j, and N is the total number of access logs.
In an alternative, the executable instructions cause the processor to:
multiply the frequency of the destination port by the frequency of the destination IP addresses to obtain the virus quantization weight index.
In an alternative, the executable instructions cause the processor to:
compare the virus quantization weight index with a preset value;
and raise a suspected-virus alarm if the virus quantization weight index is greater than the preset value.
In this embodiment of the invention, access logs within a preset time are acquired from a transport-layer device, each access log recording a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol; the frequency of each destination port and the frequency of the destination IP addresses are obtained from the access logs; a virus quantization weight index is calculated from the two frequencies; and whether a suspected virus is present is determined from the index. Computer viruses in the network can thus be discovered in time, the spread of infection is reduced, the availability of the network environment is preserved to the greatest extent, and the integrity and confidentiality of user data are protected.
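As an added worked example (not the patent's own code), the following Python script carries the method through on constructed access logs: it normalizes raw lines into a uniform format, counts logs per destination port and distinct destination IPs per port, computes Fpt_i = count(n_{i,j}) / N and FIP_i = log(count(Distinct n_{i,j})), multiplies them into the virus quantization weight index, and flags the ports whose index exceeds a preset value. The raw line format, the base-10 logarithm and the threshold value 0.3 are assumptions, since the page fixes none of them.

```python
import math
from collections import defaultdict

# Constructed sample access logs (not captured traffic). Assumed raw format:
# "src_ip src_port dst_ip dst_port proto", one record per line. One source
# reaches eight different hosts on port 445, the pattern a scanning worm
# leaves behind; the last line is deliberately malformed.
RAW_LOGS = """\
10.0.0.5 51000 10.0.1.10 445 tcp
10.0.0.5 51001 10.0.1.11 445 tcp
10.0.0.5 51002 10.0.1.12 445 tcp
10.0.0.5 51003 10.0.1.13 445 tcp
10.0.0.5 51004 10.0.1.14 445 tcp
10.0.0.5 51005 10.0.1.15 445 tcp
10.0.0.5 51006 10.0.1.16 445 tcp
10.0.0.5 51007 10.0.1.17 445 tcp
10.0.0.7 52000 10.0.2.20 443 tcp
10.0.0.7 52001 10.0.2.21 443 tcp
10.0.0.8 52002 10.0.2.20 443 tcp
10.0.0.8 52003 10.0.2.21 443 tcp
10.0.0.9 53000 10.0.3.53 53 udp
10.0.0.9 53001 10.0.3.53 53 udp
garbage line the normalizer must drop
"""
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")


def normalize(raw):
    """Generalization step: raw lines -> records of uniform format.
    Lines without all five fields or with non-numeric ports are dropped."""
    records = []
    for line in raw.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[1].isdigit() and parts[3].isdigit()):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["src_port"], rec["dst_port"] = int(parts[1]), int(parts[3])
        records.append(rec)
    return records


def count_by_port_and_ip(records):
    """Count logs per destination port i and collect the distinct
    destination IPs j seen for each port (n_{i,j} grouped by i)."""
    per_port, ips_per_port = defaultdict(int), defaultdict(set)
    for rec in records:
        per_port[rec["dst_port"]] += 1
        ips_per_port[rec["dst_port"]].add(rec["dst_ip"])
    return per_port, ips_per_port


def port_frequency(n_i, total):
    """Fpt_i = count(n_{i,j}) / N."""
    return n_i / total


def ip_frequency(distinct_ips):
    """FIP_i = log(count(Distinct n_{i,j})). Base 10 is an assumption; the
    page leaves the base open. Since log(1) = 0, a port that only ever
    reaches a single destination IP can never push the index above zero."""
    return math.log10(distinct_ips)


def weight_indices(records):
    """Return {dst_port: (Fpt_i, FIP_i, index)} with index = Fpt_i * FIP_i."""
    total = len(records)
    if total == 0:  # no logs in the window: nothing to score
        return {}
    per_port, ips_per_port = count_by_port_and_ip(records)
    result = {}
    for port, n_i in per_port.items():
        fpt = port_frequency(n_i, total)
        fip = ip_frequency(len(ips_per_port[port]))
        result[port] = (fpt, fip, fpt * fip)
    return result


def suspected_virus_ports(records, threshold):
    """Ports whose index exceeds the preset value, highest index first."""
    idx = weight_indices(records)
    hits = [p for p, (_, _, w) in idx.items() if w > threshold]
    return sorted(hits, key=lambda p: idx[p][2], reverse=True)
```

On the constructed logs `suspected_virus_ports(normalize(RAW_LOGS), 0.3)` returns `[445]` (index about 0.516), while port 443 scores about 0.086 and port 53, reached on a single IP, scores exactly 0.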
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the log-based virus discovery method of any of the method embodiments above.
The executable instructions may be specifically configured to cause the processor to:
acquire access logs within a preset time from a transport-layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol;
obtain the frequency of each destination port and the frequency of the destination IP addresses from the access logs;
calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP addresses;
and determine, from the virus quantization weight index, whether a suspected virus is present.
In an alternative, the executable instructions cause the processor to:
record, through the transport-layer device, the access logs generated by devices in the personal terminal zone and/or the server zone;
and collect the access logs recorded by the transport-layer device.
In an alternative, the executable instructions cause the processor to:
normalize the acquired access logs into a uniform format.
In an alternative, the executable instructions cause the processor to:
store the normalized access logs and build an index over them;
calculate the total number of access logs;
count the access logs by destination port and by destination IP address;
and calculate the frequency of the destination port and the frequency of the destination IP addresses from the total number and the per-port and per-IP counts.
In an optional manner, the frequency of a destination port is the ratio of the number of access logs to that destination port to the total number of access logs, satisfying the relation:
Fpt_i = count(n_{i,j}) / N
The frequency of the destination IP addresses is the logarithm of the number of distinct destination IP addresses seen for the same destination port in the access logs, satisfying the relation:
FIP_i = log(count(Distinct n_{i,j}))
where Fpt_i is the frequency of destination port i, FIP_i is the frequency of the destination IP addresses for destination port i, n_{i,j} denotes an access log whose destination port is i and whose destination IP address is j, and N is the total number of access logs.
In an alternative, the executable instructions cause the processor to:
multiply the frequency of the destination port by the frequency of the destination IP addresses to obtain the virus quantization weight index.
In an alternative, the executable instructions cause the processor to:
compare the virus quantization weight index with a preset value;
and raise a suspected-virus alarm if the virus quantization weight index is greater than the preset value.
In this embodiment of the invention, access logs within a preset time are acquired from a transport-layer device, each access log recording a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol; the frequency of each destination port and the frequency of the destination IP addresses are obtained from the access logs; a virus quantization weight index is calculated from the two frequencies; and whether a suspected virus is present is determined from the index. Computer viruses in the network can thus be discovered in time, the spread of infection is reduced, the availability of the network environment is preserved to the greatest extent, and the integrity and confidentiality of user data are protected.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention; the specific embodiment does not limit how the device is implemented.
As shown in Fig. 4, the computing device may include a processor 402, a communications interface 404, a memory 406 and a communications bus 408.
The processor 402, the communications interface 404 and the memory 406 communicate with each other via the communications bus 408. The communications interface 404 communicates with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410 and may specifically perform the relevant steps of the log-based virus discovery method embodiments described above.
In particular, the program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
The memory 406 stores the program 410. The memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to:
acquire access logs within a preset time from a transport-layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol;
obtain the frequency of each destination port and the frequency of the destination IP addresses from the access logs;
calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP addresses;
and determine, from the virus quantization weight index, whether a suspected virus is present.
In an alternative, the program 410 causes the processor to:
record, through the transport-layer device, the access logs generated by devices in the personal terminal zone and/or the server zone;
and collect the access logs recorded by the transport-layer device.
In an alternative, the program 410 causes the processor to:
normalize the acquired access logs into a uniform format.
In an alternative, the program 410 causes the processor to:
store the normalized access logs and build an index over them;
calculate the total number of access logs;
count the access logs by destination port and by destination IP address;
and calculate the frequency of the destination port and the frequency of the destination IP addresses from the total number and the per-port and per-IP counts.
In an optional manner, the frequency of a destination port is the ratio of the number of access logs to that destination port to the total number of access logs, satisfying the relation:
Fpt_i = count(n_{i,j}) / N
The frequency of the destination IP addresses is the logarithm of the number of distinct destination IP addresses seen for the same destination port in the access logs, satisfying the relation:
FIP_i = log(count(Distinct n_{i,j}))
where Fpt_i is the frequency of destination port i, FIP_i is the frequency of the destination IP addresses for destination port i, n_{i,j} denotes an access log whose destination port is i and whose destination IP address is j, and N is the total number of access logs.
In an alternative, the program 410 causes the processor to:
multiply the frequency of the destination port by the frequency of the destination IP addresses to obtain the virus quantization weight index.
In an alternative, the program 410 causes the processor to:
compare the virus quantization weight index with a preset value;
and raise a suspected-virus alarm if the virus quantization weight index is greater than the preset value.
In this embodiment of the invention, access logs within a preset time are acquired from a transport-layer device, each access log recording a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol; the frequency of each destination port and the frequency of the destination IP addresses are obtained from the access logs; a virus quantization weight index is calculated from the two frequencies; and whether a suspected virus is present is determined from the index. Computer viruses in the network can thus be discovered in time, the spread of infection is reduced, the availability of the network environment is preserved to the greatest extent, and the integrity and confidentiality of user data are protected.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The words first, second, third and so on do not indicate any ordering; they may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A log-based virus discovery method, the method comprising:
acquiring access logs within a preset time from a transport-layer device, wherein each access log records a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol;
obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs;
calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address;
and determining, from the virus quantization weight index, whether a suspected virus is present.
2. The method according to claim 1, wherein acquiring the access logs generated by the network security device within the preset time comprises:
recording, through the transport-layer device, the access logs generated by the personal terminal zone device and/or the server zone device;
and collecting the access logs recorded by the transport-layer device.
3. The method according to claim 2, wherein acquiring the access logs generated by the network security device within the preset time further comprises:
normalizing the acquired access logs into a uniform format.
4. The method of claim 1, wherein obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs comprises:
storing the normalized access logs and building an index over them;
calculating the total number of access logs;
counting the access logs by destination port and by destination IP address;
and calculating the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port and per-IP counts.
5. The method of claim 4, wherein the frequency of the destination port is the ratio of the number of access logs to that destination port to the total number of access logs, satisfying the relation:
Fpt_i = count(n_{i,j}) / N
the frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses seen for the same destination port in the access logs, satisfying the relation:
FIP_i = log(count(Distinct n_{i,j}))
where Fpt_i is the frequency of destination port i, FIP_i is the frequency of the destination IP addresses for destination port i, n_{i,j} denotes an access log whose destination port is i and whose destination IP address is j, and N is the total number of access logs.
6. The method of claim 1, wherein calculating the virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address comprises:
multiplying the frequency of the destination port by the frequency of the destination IP address to obtain the virus quantization weight index.
7. The method of claim 1, wherein determining, from the virus quantization weight index, whether a suspected virus is present comprises:
comparing the virus quantization weight index with a preset value;
and raising a suspected-virus alarm if the virus quantization weight index is greater than the preset value.
8. An apparatus for log-based virus discovery, the apparatus comprising:
a log acquisition unit for acquiring access logs within a preset time from a transport-layer device, wherein each access log records a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol;
a frequency calculation unit for obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs;
an index calculation unit for calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address;
and a judging unit for determining, from the virus quantization weight index, whether a suspected virus is present.
9. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the log-based virus discovery method of any of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the steps of the log-based virus discovery method of any one of claims 1-7.
CN201911349533.XA 2019-12-24 2019-12-24 Log-based virus discovery method and device, computing equipment and storage medium Pending CN113037689A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911349533.XA CN113037689A (en) 2019-12-24 2019-12-24 Log-based virus discovery method and device, computing equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911349533.XA CN113037689A (en) 2019-12-24 2019-12-24 Log-based virus discovery method and device, computing equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113037689A true CN113037689A (en) 2021-06-25

Family

ID=76451922

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911349533.XA Pending CN113037689A (en) 2019-12-24 2019-12-24 Log-based virus discovery method and device, computing equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113037689A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801305A (en) * 2022-09-08 2023-03-14 武汉思普崚技术有限公司 Network attack detection and identification method and related equipment
CN116089961A (en) * 2023-02-14 2023-05-09 哈尔滨晨亿科技有限公司 Big data-based computer intelligent image management system and method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107707545A (en) * 2017-09-29 2018-02-16 深信服科技股份有限公司 Abnormal web page access fragment detection method, device, equipment and storage medium
CN109688097A (en) * 2018-09-07 2019-04-26 平安科技(深圳)有限公司 Website protection method, website protective device, website safeguard and storage medium
CN110351280A (en) * 2019-07-15 2019-10-18 杭州安恒信息技术股份有限公司 Threat intelligence extraction method, system, device and readable storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801305A (en) * 2022-09-08 2023-03-14 武汉思普崚技术有限公司 Network attack detection and identification method and related equipment
CN115801305B (en) * 2022-09-08 2023-11-07 武汉思普崚技术有限公司 Network attack detection and identification method and related equipment
CN116089961A (en) * 2023-02-14 2023-05-09 哈尔滨晨亿科技有限公司 Big data-based computer intelligent image management system and method
CN116089961B (en) * 2023-02-14 2023-07-21 河南省中视新科文化产业有限公司 Big data-based computer intelligent image management system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210625