CN113037689A - Log-based virus discovery method and device, computing equipment and storage medium - Google Patents
- Publication number: CN113037689A
- Application number: CN201911349533.XA
- Authority: CN (China)
- Prior art keywords: virus, frequency, destination, address, log
- Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/14, network security arrangements for detecting or protecting against malicious traffic by monitoring network traffic)
- G06F21/566: Dynamic detection of computer malware, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F21/56, computer malware detection or handling, e.g. anti-virus arrangements)
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/1441, countermeasures against malicious traffic)
Abstract
The embodiment of the invention relates to the technical field of network security and discloses a log-based virus discovery method, a log-based virus discovery device, a computing device and a storage medium. The method comprises the following steps: acquiring access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs; calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determining from the virus quantization weight index whether a suspected virus is present. In this way, the embodiment of the invention can discover computer viruses in the network in time, reduce the spread of infection, and ensure as far as possible the availability of the network environment and the integrity and confidentiality of user data.
Description
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a log-based virus discovery method and device, computing equipment and a storage medium.
Background
Personal PCs and office terminals need antivirus software to deal with computer viruses, and enterprises may purchase network antivirus gateways (antivirus walls), terminal antivirus software and the like to handle everyday viruses. Both the network antivirus wall and the terminal antivirus software depend on a virus library, the update of the virus library depends on virus samples, and so there is a certain delay before a virus can be discovered.
Most current virus detection methods are based on virus characteristics. Antivirus software groups viruses into families according to shared family characteristics and usually extracts the characteristic information of a family as the basis for judging viruses, so that one record in the virus library can hit every virus of that family. The existing computer virus inspection method statically analyzes the binary data of the virus file to be classified, analyzes the Portable Executable (PE) structure data of the virus file, compares the PE structure data of the files to be classified, and places virus files whose PE structure data meets a specified similarity in the same category.
The existing computer virus inspection method needs a large number of virus samples as support, and PE structure data must be extracted from these samples. For an enterprise, building its own library of virus sample PE structures consumes a great deal of manpower and money for purchasing and researching virus samples. This is a process from 0 to 1, and the task may fail midway because the technical skill of the staff does not meet the needs of studying the samples. Alternatively, the enterprise can spend a certain amount of money each year to purchase a virus sample PE structure library from another security company. Either approach requires an investment of manpower and financial resources. In addition, because virus discovery depends on the PE structure data of virus samples, discovering a virus in a live network requires obtaining a sample through other channels, or obtaining a new virus PE structure library from another security company some time after the outbreak, so a certain delay exists.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a log-based virus discovery method, apparatus, computing device and storage medium, which overcome or at least partially solve the above problems.
According to an aspect of an embodiment of the present invention, there is provided a log-based virus discovery method, including: acquiring access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs; calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determining from the virus quantization weight index whether a suspected virus is present.
In an optional manner, the obtaining an access log generated by the network security device within a preset time includes: recording the access log generated by the personal terminal area device and/or the server area device through the transmission layer device; and collecting the access log recorded by the transmission layer equipment.
In an optional manner, the obtaining an access log generated by the network security device within a preset time further includes: and generalizing the acquired access log to form the access log with a uniform format.
In an optional manner, obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs includes: storing the generalized access logs and building an index; calculating the total number of access logs; counting the access logs by destination port and by destination IP address; and calculating the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port and per-address counts.
In an optional manner, the frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, and satisfies the following relation:
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses seen with the same destination port in the access logs, and satisfies the following relational expression:
$F_{IP_i} = \log\left(\mathrm{count}\left(\mathrm{Distinct}\, n_{i,j}\right)\right)$
where $F_{pt_i}$ is the frequency of destination port $i$, $F_{IP_i}$ is the frequency of the destination IP addresses for destination port $i$, $n_{i,j}$ is the number of access logs whose destination port is $i$ and whose destination IP address is $j$, and $N$ is the total number of access logs.
In an optional manner, calculating the virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address includes: multiplying the frequency of the destination port by the frequency of the destination IP address to obtain the virus quantization weight index.
In an optional manner, determining from the virus quantization weight index whether a suspected virus is present includes: comparing the virus quantization weight index with a preset value; and raising a suspected virus alarm if the virus quantization weight index is larger than the preset value.
According to another aspect of the embodiments of the present invention, there is provided a log-based virus discovery apparatus, including: a log obtaining unit, configured to obtain access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; a frequency calculation unit, configured to obtain the frequency of the destination port and the frequency of the destination IP address from the access logs; an index calculation unit, configured to calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and a judging unit, configured to determine from the virus quantization weight index whether a suspected virus is present.
According to another aspect of embodiments of the present invention, there is provided a computing device including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the log-based virus discovery method described above.
According to yet another aspect of the embodiments of the present invention, there is provided a computer storage medium having at least one executable instruction stored therein, the executable instruction causing the processor to perform the steps of the log-based virus discovery method described above.
The embodiment of the invention obtains access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; obtains the frequency of the destination port and the frequency of the destination IP address from the access logs; calculates a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determines from the virus quantization weight index whether a suspected virus is present. Computer viruses in the network can thus be found in time, the spread of infection is reduced, the availability of the network environment is ensured as far as possible, and the integrity and confidentiality of user data are ensured.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and the embodiments of the present invention can be implemented according to the content of the description in order to make the technical means of the embodiments of the present invention more clearly understood, and the detailed description of the present invention is provided below in order to make the foregoing and other objects, features, and advantages of the embodiments of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a discovery diagram illustrating a log-based virus discovery method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a log-based virus discovery method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a log-based virus discovery apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 shows a discovery diagram of a log-based virus discovery method according to an embodiment of the present invention. As shown in fig. 1, the log area is the main area where logs are generated. The local devices include Personal Computers (PCs) in the personal terminal area, application servers and database servers in the server area, and security devices such as transport layer devices. The transport layer devices comprise: a firewall, an Intrusion Prevention System (IPS), an Intrusion Detection System (IDS), a web application-level intrusion prevention system (WAF), and other gateway devices.
The logs of the log area mainly refer to access logs, including logs of allowed and denied communications, such as firewall access logs. The access log is the basic data for virus discovery in the embodiment of the invention and provides the basis for the subsequent discovery steps, in particular the logs of the firewall used for isolation between areas. The firewall, as the device isolating different security domains, records the logs of mutual access between those domains. Because virus propagation is somewhat random and the virus does not know where the network boundaries lie, it generates a large number of probing access requests against the firewall, and these probing requests can be counted to locate the sources of the virus.
Different devices generate different access logs, and the access log formats also differ. Even the same kind of security device from different vendors produces different access logs. The log collection area collects the access logs through a platform and generalizes them according to what the logs have in common and how they differ, so that all access logs take a uniform format.
The log storage area stores the generalized access logs, and an Elasticsearch server is used to index them. Elasticsearch is a Lucene-based search server providing a distributed, multi-tenant full-text search engine.
The access log contains the five-tuple of source IP address, source port, destination IP address (IP Target), destination port (Port Target) and transport layer protocol. The log analysis area analyzes the access logs with a Kibana server: according to the stored five-tuples, the behaviour of hosts in the network is modelled and sliced to find abnormal hosts in the network environment. If a destination port appears in the access logs with high frequency while each destination IP address appears with low frequency, those access logs should be singled out, since the traffic may be virus propagation behaviour.
Fig. 2 is a flowchart illustrating a log-based virus discovery method according to an embodiment of the present invention. As shown in fig. 2, the log-based virus discovery method includes:
Step S11: obtaining access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol.
In the embodiment of the present invention, a Personal Computer (PC) in the personal terminal area communicates with an application server or database server in the server area through a transport layer device, generating an access log, which the transport layer device records. In step S11, the access logs generated by the personal terminal area devices and/or the server area devices within the preset time are recorded by the transport layer device, and the access logs recorded by the transport layer device are collected. The preset time may be one hour, one day and so on, and can be set as needed; it is not limited here. The embodiment of the invention also generalizes the collected access logs into a uniform format.
The computer viruses addressed by the embodiment of the invention are those that depend on the network or harm the network environment. This class of viruses shares a common trait: it exchanges data in a network environment, and that data exchange involves the five-tuple of source IP address, source port, destination IP address, destination port and transport layer protocol.
Step S12: obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs.
In the embodiment of the invention, the behaviour of hosts in the network is modelled and sliced according to the five-tuples of the stored access logs, and abnormal hosts in the network environment are discovered. If a destination port appears in the access logs with high frequency while each destination IP address appears with low frequency, those access logs should be singled out, since the traffic may be virus propagation behaviour.
In step S12, the generalized access logs are stored and indexed; the total number of access logs is calculated; the access logs are counted by destination port and by destination IP address; and the frequency of the destination port and the frequency of the destination IP address are calculated from the total number and the per-port and per-address counts.
The frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, and satisfies the following relation:
where $F_{pt_i}$ is the frequency of destination port $i$, $n_{i,j}$ is the number of access logs whose destination port is $i$ and whose destination IP address is $j$, and $N$ is the total number of access logs. The larger the value of $F_{pt_i}$, the more often destination port $i$ appears in the access logs.
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses seen with the same destination port in the access logs, and satisfies the following relational expression:
$F_{IP_i} = \log\left(\mathrm{count}\left(\mathrm{Distinct}\, n_{i,j}\right)\right)$
where $F_{IP_i}$ is the frequency of the destination IP addresses whose destination port is $i$. Distinct is a deduplication function applied to the (destination port, destination IP address) pair, so that each distinct pair is counted once; count then gives the number of destination IP addresses sharing destination port $i$. The larger the value of $F_{IP_i}$, that is, the more destination IP addresses share the same destination port, the lower the frequency of any single destination IP address and the more dispersed the destination IP addresses are across that port.
Step S13: calculating the virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address.
The virus quantization weight index is obtained by multiplying the frequency of the destination port by the frequency of the destination IP address. The virus quantization weight index $w$ satisfies the following relational expression:
$w = F_{pt_i} \cdot F_{IP_i}$
where $w$ is the virus quantization weight index, $F_{pt_i}$ is the frequency of destination port $i$, and $F_{IP_i}$ is the frequency of the destination IP addresses whose destination port is $i$. The higher the frequency of the destination port and/or the frequency of the destination IP addresses, the larger the value of the virus quantization weight index $w$.
Step S14: determining from the virus quantization weight index whether a suspected virus is present.
In the embodiment of the invention, a preset value W is set as the virus judgment threshold, and the virus quantization weight index is compared with it; if the index is larger than the preset value, a suspected virus alarm is raised. An index above the preset value indicates that the destination port appears in the access logs with high frequency while each destination IP address appears with low frequency; such access may be virus propagation behaviour, so a suspected virus alarm is generated, and the host whose source IP address is associated with that destination port in the alarm is likely to be infected with the virus.
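Steps S12 to S14 carried out over one window of access logs, as an added Python example that is not part of the patent or of any product built on it. It also performs the generalization step of the log collection area for two constructed vendor formats; the two formats, the sample traffic, the threshold W = 0.5 and the base-10 logarithm (the patent does not fix the base) are assumptions.

```python
import math
import re
from collections import defaultdict

# Uniform five-tuple produced by the "generalization" step: every vendor
# format is mapped onto these field names before anything is counted.
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")

# Two constructed vendor formats (hypothetical, not any real product's):
#   format A: "src_ip,src_port,dst_ip,dst_port,proto"
#   format B: "src=... sport=... dst=... dport=... proto=..."
_KV_RE = re.compile(r"src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+) proto=(\S+)")


def normalize(line):
    """Map one raw access-log line onto the uniform five-tuple, or None if unparseable."""
    line = line.strip()
    if not line:
        return None
    m = _KV_RE.fullmatch(line)
    if m:
        values = m.groups()
    else:
        values = line.split(",")
        if len(values) != 5:
            return None
    rec = dict(zip(FIELDS, values))
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def port_scores(records):
    """Return {dst_port: (F_pt, F_IP, w, source IPs)} for one window of records.

    F_pt = logs to the port / total logs          (frequency of the destination port)
    F_IP = log10(distinct destination IPs seen on that port)
    w    = F_pt * F_IP                            (virus quantization weight index)
    Base 10 is an assumption; the patent only says "logarithmic value".
    """
    total = len(records)
    count = defaultdict(int)
    dst_ips = defaultdict(set)
    sources = defaultdict(set)
    for r in records:
        p = r["dst_port"]
        count[p] += 1
        dst_ips[p].add(r["dst_ip"])   # Distinct(n_ij): each (port, dst IP) pair once
        sources[p].add(r["src_ip"])   # hosts that would be named in an alarm
    scores = {}
    for p in count:
        f_pt = count[p] / total
        f_ip = math.log10(len(dst_ips[p]))   # a single destination gives 0, so w = 0
        scores[p] = (f_pt, f_ip, f_pt * f_ip, sources[p])
    return scores


def suspected_virus_ports(records, threshold):
    """Ports whose index w exceeds the preset value W, with the source IPs that drove them."""
    return {p: srcs for p, (_, _, w, srcs) in port_scores(records).items() if w > threshold}


def build_sample_logs():
    """Constructed window: ordinary HTTPS/DNS traffic plus one host probing port 445."""
    lines = []
    # 20 HTTPS connections from three PCs to two web servers (format A).
    for k in range(20):
        lines.append(f"10.0.1.{5 + k % 3},{50000 + k},10.0.2.{10 + k % 2},443,tcp")
    # 10 DNS lookups to the single resolver (format B).
    for k in range(10):
        lines.append(f"src=10.0.1.5 sport={40000 + k} dst=10.0.2.53 dport=53 proto=udp")
    # One host touching port 445 on 40 distinct addresses, once each (format B).
    for k in range(1, 41):
        lines.append(f"src=10.0.1.7 sport={60000 + k} dst=10.0.2.{k} dport=445 proto=tcp")
    return lines


SAMPLE_RECORDS = [r for r in (normalize(ln) for ln in build_sample_logs()) if r]
THRESHOLD_W = 0.5  # preset value W; assumed for the sample, tune per environment

if __name__ == "__main__":
    for port, (f_pt, f_ip, w, srcs) in sorted(port_scores(SAMPLE_RECORDS).items()):
        print(f"port {port:5d}  F_pt={f_pt:.3f}  F_IP={f_ip:.3f}  w={w:.3f}  sources={sorted(srcs)}")
    print("suspected virus ports:", suspected_virus_ports(SAMPLE_RECORDS, THRESHOLD_W))
```

Port 53 scores zero despite ten hits because every hit goes to the same address, which is the property the product $F_{pt_i} \cdot F_{IP_i}$ is designed to exploit.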
The embodiment of the invention uses a behaviour analysis method, overcoming the shortcomings of traditional computer virus detection based on a virus library and PE structures, and can detect computer viruses that have been processed to evade antivirus detection. Through behaviour analysis, computer viruses in the network can be found in time, and isolation, response and early warning can be carried out quickly once a host is infected, so that the spread of infection is reduced as much as possible, the availability of the network environment is ensured to the greatest extent, and the integrity and confidentiality of user data are ensured.
In the embodiment of the invention, after a suspected virus alarm, whether virus propagation is really occurring can be further determined by manual investigation: the suspected machine is isolated and examined, the cause of the abnormality is analyzed, and the virus type and the damage are assessed. If virus propagation is confirmed, the computer virus is removed, the causes of infection are analyzed, and the threat model is refined.
The embodiment of the invention obtains access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; obtains the frequency of the destination port and the frequency of the destination IP address from the access logs; calculates a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determines from the virus quantization weight index whether a suspected virus is present. Computer viruses in the network can thus be found in time, the spread of infection is reduced, the availability of the network environment is ensured as far as possible, and the integrity and confidentiality of user data are ensured.
Fig. 3 is a schematic structural diagram of a log-based virus discovery apparatus according to an embodiment of the present invention. As shown in fig. 3, the log-based virus discovery apparatus includes: a log acquisition unit 301, a frequency calculation unit 302, an index calculation unit 303, and a determination unit 304. Wherein:
The log obtaining unit 301 is configured to obtain access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; the frequency calculation unit 302 is configured to obtain the frequency of the destination port and the frequency of the destination IP address from the access logs; the index calculation unit 303 is configured to calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and the judging unit 304 is configured to determine from the virus quantization weight index whether a suspected virus is present.
In an alternative manner, the log obtaining unit 301 is configured to: recording the access log generated by the personal terminal area device and/or the server area device through the transmission layer device; and collecting the access log recorded by the transmission layer equipment.
In an optional manner, the log obtaining unit 301 is further configured to: and generalizing the acquired access log to form the access log with a uniform format.
In an alternative manner, the frequency calculation unit 302 is configured to: store the generalized access logs and build an index; calculate the total number of access logs; count the access logs by destination port and by destination IP address; and calculate the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port and per-address counts.
In an optional manner, the frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, and satisfies the following relation:
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses seen with the same destination port in the access logs, and satisfies the following relational expression:
$F_{IP_i} = \log\left(\mathrm{count}\left(\mathrm{Distinct}\, n_{i,j}\right)\right)$
where $F_{pt_i}$ is the frequency of destination port $i$, $F_{IP_i}$ is the frequency of the destination IP addresses for destination port $i$, $n_{i,j}$ is the number of access logs whose destination port is $i$ and whose destination IP address is $j$, and $N$ is the total number of access logs.
In an optional manner, the index calculation unit 303 is configured to: multiply the frequency of the destination port by the frequency of the destination IP address to obtain the virus quantization weight index.
In an alternative manner, the determining unit 304 is configured to: comparing the virus quantization weight index with a preset value; and if the virus quantization weight index is larger than the preset value, performing suspected virus alarm.
The embodiment of the invention obtains access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; obtains the frequency of the destination port and the frequency of the destination IP address from the access logs; calculates a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address; and determines from the virus quantization weight index whether a suspected virus is present. Computer viruses in the network can thus be found in time, the spread of infection is reduced, the availability of the network environment is ensured as far as possible, and the integrity and confidentiality of user data are ensured.
An embodiment of the present invention provides a non-volatile computer storage medium, where at least one executable instruction is stored in the computer storage medium, and the computer executable instruction may execute the log-based virus discovery method in any of the above method embodiments.
The executable instructions may be specifically configured to cause the processor to:
obtain access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
obtain the frequency of the destination port and the frequency of the destination IP address from the access logs;
calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address;
and determine from the virus quantization weight index whether a suspected virus is present.
In an alternative, the executable instructions cause the processor to:
recording the access log generated by the personal terminal area device and/or the server area device through the transmission layer device;
and collecting the access log recorded by the transmission layer equipment.
In an alternative, the executable instructions cause the processor to:
and generalizing the acquired access log to form the access log with a uniform format.
In an alternative, the executable instructions cause the processor to:
storing the access log after generalization processing, and establishing an index;
calculating a total number of the access logs;
counting the access log according to the destination port and the destination IP address;
and calculating the frequency of the target port and the frequency of the destination IP address according to the total number and the access log counted by the destination port and the destination IP address.
In an optional manner, the frequency of the target port is a ratio of the number of access logs of the destination port to the total number of access logs, and the following relation is satisfied:
the frequency of the destination IP address is a logarithmic value of the number of the destination IP addresses of the same destination port in the access log, and the following relational expression is satisfied:
FIPi=log(count(Distinctni,j))
wherein, FptiFor the frequency of i of the target port, FIPiFrequency, n, of the destination IP address for the destination port iijAnd if the destination port is i, the destination IP address is j, and N is the total number of the access logs.
In an alternative, the executable instructions cause the processor to:
and calculating the product of the frequency of the target port and the frequency of the target IP address to obtain the virus quantization weight index.
In an alternative, the executable instructions cause the processor to:
comparing the virus quantization weight index with a preset value;
and if the virus quantization weight index is larger than the preset value, performing suspected virus alarm.
The embodiment of the invention obtains access logs in preset time from a transmission layer device, wherein each access log records an active IP address, a source port, a destination IP address, a destination port and a transmission layer protocol; acquiring the frequency of the target port and the frequency of the target IP address according to the access log; calculating a virus quantization weight index according to the frequency of the target port and the frequency of the target IP address; and determining whether the virus is suspected according to the virus quantization weight index, so that computer viruses in the network can be found in time, the spread infection of the viruses is reduced, the usability of the network environment is ensured to the maximum extent, and the integrity and confidentiality of user data information are ensured.
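The procedure above (generalize the logs, count by destination port and destination IP, multiply the two frequencies, compare with a preset value) as an added worked example; this is not the applicant's code. It assumes a key=value access-log line format, the natural logarithm, a preset value of 0.5 and constructed sample logs, none of which the patent text fixes.

```python
"""Virus quantization weight index over transport-layer access logs.

Added example illustrating the embodiment described above; not the
applicant's code. Assumptions not fixed by the patent text: access logs
arrive as key=value lines, the logarithm is the natural log, and the
preset alarm value is 0.5.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample access logs (not from the patent): routine HTTPS and
# DNS traffic, plus one host (10.0.0.7) that contacts eight distinct
# internal addresses on port 445, the fan-out a spreading infection shows.
RAW_LOGS = (
    ["src=10.0.0.5 spt=51001 dst=10.0.1.10 dpt=443 proto=tcp"] * 4
    + ["src=10.0.0.6 spt=51002 dst=10.0.1.11 dpt=443 proto=tcp"] * 4
    + ["src=10.0.0.5 spt=40000 dst=10.0.1.53 dpt=53 proto=udp"] * 4
    + [f"src=10.0.0.7 spt={49000 + k} dst=10.0.1.{20 + k} dpt=445 proto=tcp"
       for k in range(8)]
)

PRESET_VALUE = 0.5  # assumed alarm threshold; the patent leaves it unspecified

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def generalize(line):
    """Generalization step: reduce one raw log line to the uniform five-tuple
    (source IP, source port, destination IP, destination port, protocol)."""
    kv = dict(FIELD_RE.findall(line))
    return (kv["src"], int(kv["spt"]), kv["dst"], int(kv["dpt"]), kv["proto"])


def port_frequency(records):
    """F_pt_i: number of access logs with destination port i divided by N."""
    total = len(records)
    if total == 0:
        return {}
    counts = Counter(rec[3] for rec in records)
    return {port: c / total for port, c in counts.items()}


def ip_frequency(records):
    """F_IP_i: log of the number of distinct destination IPs seen with port i.
    A port reached at a single address scores log(1) = 0, i.e. no fan-out."""
    ips_by_port = defaultdict(set)
    for _src, _spt, dst, dpt, _proto in records:
        ips_by_port[dpt].add(dst)
    return {port: math.log(len(ips)) for port, ips in ips_by_port.items()}


def virus_weight_index(records):
    """Virus quantization weight index per destination port: F_pt_i * F_IP_i."""
    f_pt = port_frequency(records)
    f_ip = ip_frequency(records)
    return {port: f_pt[port] * f_ip[port] for port in f_pt}


def suspected_ports(lines, preset_value=PRESET_VALUE):
    """Full pipeline: generalize, count, score, and return the destination
    ports whose index exceeds the preset value (the suspected-virus alarm)."""
    records = [generalize(line) for line in lines]
    index = virus_weight_index(records)
    return sorted(port for port, value in index.items() if value > preset_value)


if __name__ == "__main__":
    recs = [generalize(line) for line in RAW_LOGS]
    for port, value in sorted(virus_weight_index(recs).items()):
        print(f"dpt={port:<5} index={value:.4f}")
    print("suspected:", suspected_ports(RAW_LOGS))  # [445]
```

The preset value has to be calibrated against the network's own baseline: a port whose legitimate traffic already fans out to many destinations (outbound 443 on a busy user segment) scores high without any infection, so the threshold is a per-environment tuning decision rather than a fixed constant.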
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the log-based virus discovery method of any of the above method embodiments.
The executable instructions may be specifically configured to cause the processor to:
acquire access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
obtain the frequency of the destination port and the frequency of the destination IP address from the access logs;
calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address;
and determine whether a suspected virus is present according to the virus quantization weight index.
In an alternative, the executable instructions cause the processor to:
record, through the transport layer device, the access logs generated by devices in the personal terminal area and/or the server area;
and collect the access logs recorded by the transport layer device.
In an alternative, the executable instructions cause the processor to:
generalize the acquired access logs into a uniform format.
In an alternative, the executable instructions cause the processor to:
store the generalized access logs and build an index;
calculate the total number of access logs;
count the access logs by destination port and by destination IP address;
and calculate the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port and per-IP-address counts.
In an optional manner, the frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, and satisfies the following relation:
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses seen with the same destination port in the access logs, and satisfies the following relation:
$F_{IP_i} = \log\big(\mathrm{count}(\mathrm{Distinct}\; n_{i,j})\big)$
where $F_{pt_i}$ is the frequency of destination port $i$, $F_{IP_i}$ is the frequency of the destination IP address for destination port $i$, $n_{i,j}$ denotes an access log whose destination port is $i$ and whose destination IP address is $j$, and $N$ is the total number of access logs.
In an alternative, the executable instructions cause the processor to:
calculate the product of the destination port frequency and the destination IP address frequency to obtain the virus quantization weight index.
In an alternative, the executable instructions cause the processor to:
compare the virus quantization weight index with a preset value;
and, if the virus quantization weight index is larger than the preset value, raise a suspected-virus alarm.
The embodiment of the invention obtains access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; obtains the frequency of the destination port and the frequency of the destination IP address from the access logs; calculates a virus quantization weight index from those two frequencies; and determines from the index whether a suspected virus is present. Computer viruses in the network can thus be found in time, the spread of infection is reduced, the availability of the network environment is preserved to the greatest extent, and the integrity and confidentiality of user data are protected.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention; the specific embodiment of the present invention does not limit the specific implementation of the device.
As shown in Fig. 4, the computing device may include a processor 402, a communications interface 404, a memory 406, and a communications bus 408.
The processor 402, the communications interface 404 and the memory 406 communicate with each other via the communications bus 408. The communications interface 404 is used to communicate with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410, and may specifically perform the relevant steps of the log-based virus discovery method embodiment described above.
In particular, the program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 is used to store the program 410. The memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the following operations:
acquire access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
obtain the frequency of the destination port and the frequency of the destination IP address from the access logs;
calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address;
and determine whether a suspected virus is present according to the virus quantization weight index.
In an alternative, the program 410 causes the processor to:
record, through the transport layer device, the access logs generated by devices in the personal terminal area and/or the server area;
and collect the access logs recorded by the transport layer device.
In an alternative, the program 410 causes the processor to:
generalize the acquired access logs into a uniform format.
In an alternative, the program 410 causes the processor to:
store the generalized access logs and build an index;
calculate the total number of access logs;
count the access logs by destination port and by destination IP address;
and calculate the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port and per-IP-address counts.
In an optional manner, the frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, and satisfies the following relation:
The frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses seen with the same destination port in the access logs, and satisfies the following relation:
$F_{IP_i} = \log\big(\mathrm{count}(\mathrm{Distinct}\; n_{i,j})\big)$
where $F_{pt_i}$ is the frequency of destination port $i$, $F_{IP_i}$ is the frequency of the destination IP address for destination port $i$, $n_{i,j}$ denotes an access log whose destination port is $i$ and whose destination IP address is $j$, and $N$ is the total number of access logs.
In an alternative, the program 410 causes the processor to:
calculate the product of the destination port frequency and the destination IP address frequency to obtain the virus quantization weight index.
In an alternative, the program 410 causes the processor to:
compare the virus quantization weight index with a preset value;
and, if the virus quantization weight index is larger than the preset value, raise a suspected-virus alarm.
The embodiment of the invention obtains access logs within a preset time from a transport layer device, where each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; obtains the frequency of the destination port and the frequency of the destination IP address from the access logs; calculates a virus quantization weight index from those two frequencies; and determines from the index whether a suspected virus is present. Computer viruses in the network can thus be found in time, the spread of infection is reduced, the availability of the network environment is preserved to the greatest extent, and the integrity and confidentiality of user data are protected.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.
Claims (10)
1. A log-based virus discovery method, the method comprising:
acquiring access logs within a preset time from a transport layer device, wherein each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs;
calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address;
and determining whether a suspected virus is present according to the virus quantization weight index.
2. The method according to claim 1, wherein the obtaining of the access logs generated by the network security device within the preset time comprises:
recording, through the transport layer device, the access logs generated by devices in the personal terminal area and/or the server area;
and collecting the access logs recorded by the transport layer device.
3. The method according to claim 2, wherein the obtaining of the access logs generated by the network security device within the preset time further comprises:
generalizing the acquired access logs into a uniform format.
4. The method of claim 1, wherein the obtaining the frequency of the destination port and the frequency of the destination IP address from the access logs comprises:
storing the generalized access logs and building an index;
calculating the total number of access logs;
counting the access logs by destination port and by destination IP address;
and calculating the frequency of the destination port and the frequency of the destination IP address from the total number and the per-port and per-IP-address counts.
5. The method of claim 4, wherein the frequency of the destination port is the ratio of the number of access logs with that destination port to the total number of access logs, and satisfies the following relation:
the frequency of the destination IP address is the logarithm of the number of distinct destination IP addresses seen with the same destination port in the access logs, and satisfies the following relation:
$F_{IP_i} = \log\big(\mathrm{count}(\mathrm{Distinct}\; n_{i,j})\big)$
where $F_{pt_i}$ is the frequency of destination port $i$, $F_{IP_i}$ is the frequency of the destination IP address for destination port $i$, $n_{i,j}$ denotes an access log whose destination port is $i$ and whose destination IP address is $j$, and $N$ is the total number of access logs.
6. The method of claim 1, wherein the calculating a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address comprises:
calculating the product of the destination port frequency and the destination IP address frequency to obtain the virus quantization weight index.
7. The method of claim 1, wherein the determining whether a suspected virus is present according to the virus quantization weight index comprises:
comparing the virus quantization weight index with a preset value;
and, if the virus quantization weight index is larger than the preset value, raising a suspected-virus alarm.
8. An apparatus for log-based virus discovery, the apparatus comprising:
a log obtaining unit, configured to obtain access logs within a preset time from a transport layer device, wherein each access log records a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
a frequency calculation unit, configured to obtain the frequency of the destination port and the frequency of the destination IP address from the access logs;
an index calculation unit, configured to calculate a virus quantization weight index from the frequency of the destination port and the frequency of the destination IP address;
and a determining unit, configured to determine whether a suspected virus is present according to the virus quantization weight index.
9. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the log-based virus discovery method of any of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the steps of the log-based virus discovery method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911349533.XA CN113037689A (en) | 2019-12-24 | 2019-12-24 | Log-based virus discovery method and device, computing equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113037689A true CN113037689A (en) | 2021-06-25 |
Family
ID=76451922
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911349533.XA Pending CN113037689A (en) | 2019-12-24 | 2019-12-24 | Log-based virus discovery method and device, computing equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113037689A (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107707545A (en) * | 2017-09-29 | 2018-02-16 | 深信服科技股份有限公司 | A kind of abnormal web page access fragment detection method, device, equipment and storage medium |
CN109688097A (en) * | 2018-09-07 | 2019-04-26 | 平安科技(深圳)有限公司 | Website protection method, website protective device, website safeguard and storage medium |
CN110351280A (en) * | 2019-07-15 | 2019-10-18 | 杭州安恒信息技术股份有限公司 | A kind of method, system, equipment and readable storage medium storing program for executing for threatening information to extract |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115801305A (en) * | 2022-09-08 | 2023-03-14 | 武汉思普崚技术有限公司 | Network attack detection and identification method and related equipment |
CN115801305B (en) * | 2022-09-08 | 2023-11-07 | 武汉思普崚技术有限公司 | Network attack detection and identification method and related equipment |
CN116089961A (en) * | 2023-02-14 | 2023-05-09 | 哈尔滨晨亿科技有限公司 | Big data-based computer intelligent image management system and method |
CN116089961B (en) * | 2023-02-14 | 2023-07-21 | 河南省中视新科文化产业有限公司 | Big data-based computer intelligent image management system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20210625 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |