CN113542253A - Network flow detection method, device, equipment and medium - Google Patents

Info

Publication number
CN113542253A
Authority
CN
China
Prior art keywords
alarm data
data
target alarm
matching
preset
Legal status
Granted
Application number
CN202110783925.8A
Other languages
Chinese (zh)
Other versions
CN113542253B (en)
Inventor
赵贤哲
范渊
刘博�
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202110783925.8A
Publication of CN113542253A
Application granted
Publication of CN113542253B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application discloses a method, a device, equipment and a medium for detecting network traffic. The method comprises the following steps: matching the network traffic data to be detected against a first preset matching rule using a traffic detection engine, to obtain alarm data corresponding to that traffic data; screening the alarm data against a preset screening rule to obtain target alarm data; sending the target alarm data to a post-detection engine; matching the target alarm data against a second preset matching rule using the post-detection engine, so that different target alarm data are matched with their corresponding optimization processing logic; and optimizing the corresponding target alarm data using that optimization processing logic to obtain optimized alarm data. In this way the alarm data generated by the traffic detection engine is effectively optimized, improving the accuracy of network traffic detection.

Description

Network flow detection method, device, equipment and medium
Technical Field
The present application relates to the field of network traffic detection technologies, and in particular, to a method, an apparatus, a device, and a medium for network traffic detection.
Background
In the cloud internet era, attackers such as hackers usually attack enterprise websites and business systems at the traffic level using threat means such as vulnerability exploitation. The current network traffic threat detection scheme mainly uses a traffic detection engine to match mirrored traffic against common rules and sends the matched threat information to the platform side. Such a traffic detection engine outputs alarm information only after a single pass of matching on the traffic; the alarm information cannot be used effectively at the traffic engine level, false alarms and missed alarms are common, and the accuracy is low.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, a device, and a medium for detecting network traffic, which can effectively optimize alarm data generated by a traffic detection engine, so as to improve accuracy of network traffic detection. The specific scheme is as follows:
in a first aspect, the present application discloses a network traffic detection method, including:
matching network flow data to be detected by using a flow detection engine based on a first preset matching rule to obtain alarm data corresponding to the flow data to be detected;
screening the alarm data based on a preset screening rule to obtain target alarm data;
sending the target alarm data to a post-detection engine;
matching the target alarm data by using the post-detection engine based on a second preset matching rule to match corresponding optimization processing logics for different target alarm data;
and optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data.
Optionally, the screening the alarm data based on a preset screening rule to obtain target alarm data includes:
and matching specific fields in the alarm data based on a preset screening rule, and taking the matched alarm data as target alarm data.
Optionally, the screening the alarm data based on a preset screening rule to obtain target alarm data includes:
loading a configuration file in a yaml format by utilizing the flow detection engine;
and screening the alarm data by using a preset screening rule in the configuration file to obtain target alarm data.
Optionally, the optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data includes:
decrypting the encrypted flow data in the corresponding target alarm data to obtain decrypted data;
extracting the characteristics of the decrypted data, and judging whether the attack is successful or not based on the extraction result to obtain attack success and failure information;
and screening out the decrypted data whose attack success or failure information indicates a successful attack to obtain optimized alarm data.
Optionally, the decrypting the encrypted traffic data in the corresponding target alarm data to obtain decrypted data includes:
decrypting the encrypted flow data in the corresponding target alarm data by using the built-in key of the post-detection engine to obtain decrypted data;
or, the encrypted flow data in the corresponding target alarm data is decrypted by using the key extracted from the historical target alarm data to obtain decrypted data.
Optionally, the optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data includes:
and counting the number of corresponding target alarm data, and generating new alarm data based on the number to obtain optimized alarm data.
Optionally, the method further includes:
and placing the optimized alarm data in an outgoing queue, and sending the optimized alarm data to a preset server by using the outgoing queue so that the preset server can display the optimized alarm data.
In a second aspect, the present application discloses a network traffic detection apparatus, including:
the alarm data generation module is used for matching network flow data to be detected by using a flow detection engine based on a first preset matching rule to obtain alarm data corresponding to the flow data to be detected;
the target alarm data screening module is used for screening the alarm data based on a preset screening rule to obtain target alarm data;
the target alarm data sending module is used for sending the target alarm data to a post-detection engine;
the optimization processing logic matching module is used for matching the target alarm data based on a second preset matching rule by utilizing the post-detection engine so as to match corresponding optimization processing logic for different target alarm data;
and the alarm data optimization processing module is used for optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the network flow detection method.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program, which when executed by a processor implements the aforementioned network traffic detection method.
It can thus be seen that this application first uses the traffic detection engine to match the network traffic data to be detected against the first preset matching rule to obtain the alarm data corresponding to that traffic data, then screens the alarm data against the preset screening rule to obtain the target alarm data and sends the target alarm data to the post-detection engine, then uses the post-detection engine to match the target alarm data against the second preset matching rule so that different target alarm data are matched with their corresponding optimization logic, and finally uses that optimization logic to optimize the corresponding target alarm data to obtain the optimized alarm data. That is, the traffic detection engine is first used to match the network traffic data to obtain the corresponding alarm data, then the alarm data is screened to obtain the target alarm data, and the post-detection engine is used to match and optimize different target alarm data, so that the alarm data generated by the traffic detection engine can be effectively optimized and the accuracy of network traffic detection is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flow chart of a network traffic detection method disclosed in the present application;
fig. 2 is a flow chart of a specific network traffic detection method disclosed in the present application;
fig. 3 is a flow chart of a specific network traffic detection method disclosed in the present application;
FIG. 4 is a system framework diagram for a specific network traffic detection scheme disclosed herein;
fig. 5 is a schematic structural diagram of a network traffic detection apparatus disclosed in the present application;
fig. 6 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The current flow detection engine outputs the alarm information only by performing single matching on the flow, the alarm information cannot be effectively utilized on the flow engine level, and the accuracy is low. Therefore, the network flow detection scheme is provided, and the alarm data generated by the flow detection engine can be effectively optimized, so that the accuracy of network flow detection is improved.
Referring to fig. 1, an embodiment of the present application discloses a network traffic detection method, including:
step S11: and matching the network flow data to be detected by using a flow detection engine based on a first preset matching rule to obtain alarm data corresponding to the flow data to be detected.
It should be noted that alarm data is the data extracted, according to certain rules, by analyzing traffic data after it has been captured from the network and detected. The alarm data comprises the traffic data matched by the traffic detection engine together with the generated alarm information, such as the alarm name, type and rule ID.
Step S12: and screening the alarm data based on a preset screening rule to obtain target alarm data.
In a specific embodiment, a specific field in the alarm data may be matched based on a preset filtering rule, and the matched alarm data may be used as target alarm data.
In addition, the embodiment of the application can load a configuration file in a yaml format by using the flow detection engine; and screening the alarm data by using a preset screening rule in the configuration file to obtain target alarm data.
Step S13: and sending the target alarm data to a post detection engine.
In a specific embodiment, the target alarm data is sent to a post detection engine by using a traffic detection engine.
The traffic detection engine is a modified traffic engine (suricata) that can send out, in full, the original traffic information carried by the original alarm data.
Step S14: and matching the target alarm data by utilizing the rear detection engine based on a second preset matching rule to match corresponding optimization processing logics for different target alarm data.
That is, the post detection engine includes optimization processing logic for different target alarm data.
Step S15: and optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data.
In a specific implementation manner, the optimization processing logic may decrypt encrypted traffic data in the corresponding target alarm data to obtain decrypted data; extract the characteristics of the decrypted data and judge, based on the extraction result, whether the attack succeeded, to obtain attack success or failure information; and screen out the decrypted data whose attack success or failure information indicates a successful attack, to obtain optimized alarm data.
Further, the internal key of the post-detection engine can be used for decrypting the encrypted flow data in the corresponding target alarm data to obtain decrypted data; or, the encrypted flow data in the corresponding target alarm data is decrypted by using the key extracted from the historical target alarm data to obtain decrypted data.
Accordingly, the optimized alarm data may further include a key extracted from the historical target alarm data for decrypting the encrypted traffic data.
It should be noted that, in the embodiment of the present application, a commonly used key may be first stored in a configuration file corresponding to a post-detection engine, when decryption is performed, a corresponding key is matched from a plurality of keys of the configuration file, decryption is performed, if no key is matched, a corresponding decryption key is matched from keys extracted from historical target alarm data, and encrypted traffic data in corresponding target alarm data is decrypted by using the matched decryption key, so as to obtain decrypted data. Wherein the key extracted from the historical target alarm data is stored in a file or database.
It can be understood that encrypted traffic data exists in the alarm data; decrypting it, on the one hand, facilitates subsequent analysis and, on the other hand, allows non-specialist network security personnel to understand the alarm data, thereby improving the user experience.
In a specific embodiment, the optimization processing logic may count the number of corresponding target alarm data, and generate new alarm data based on the number to obtain optimized alarm data. In this way, potential threats may be detected.
That is, the embodiment of the present application may perform corresponding optimization processing, such as decryption and statistics, on different target alarm data, and effectively exploit the alarm information in multiple dimensions, including analyzing and then retaining the alarm content, the alarm frequency and the information carried by the alarm, which facilitates subsequent matching analysis.
It can thus be seen that this embodiment of the application first uses the traffic detection engine to match the network traffic data to be detected against the first preset matching rule to obtain the alarm data corresponding to that traffic data, then screens the alarm data against the preset screening rule to obtain the target alarm data and sends the target alarm data to the post-detection engine, then uses the post-detection engine to match the target alarm data against the second preset matching rule so that different target alarm data are matched with their corresponding optimization processing logic, and finally uses that optimization processing logic to optimize the corresponding target alarm data to obtain the optimized alarm data. That is, the traffic detection engine is first used to match the network traffic data to obtain the corresponding alarm data, then the alarm data is screened to obtain the target alarm data, and the post-detection engine is used to match and optimize different target alarm data, so that the alarm data generated by the traffic detection engine can be effectively optimized and the accuracy of network traffic detection is improved.
Referring to fig. 2, an embodiment of the present application discloses a specific network traffic detection method, which is characterized by including:
step S21: and matching the network flow data to be detected by using a flow detection engine based on a first preset matching rule to obtain alarm data corresponding to the flow data to be detected.
Step S22: and screening the alarm data based on a preset screening rule to obtain target alarm data.
Step S23: and sending the target alarm data to a post detection engine.
Step S24: matching the target alarm data by using the post-detection engine based on a second preset matching rule to match corresponding optimization processing logics for different target alarm data;
step S25: and optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data.
For the specific implementation of steps S21 to S25, reference may be made to the disclosure of the foregoing embodiments, which is not repeated here.
Step S26: and placing the optimized alarm data in an outgoing queue, and sending the optimized alarm data to a preset server by using the outgoing queue so that the preset server can display the optimized alarm data.
In a specific embodiment, ELK (namely Elasticsearch, Logstash and Kibana) may be installed in advance on the server for alarm display and analysis.
For example, referring to fig. 3, fig. 3 is a flowchart of a specific network traffic detection method disclosed in the embodiment of the present application. The method comprises: obtaining a mirror of the real network traffic by a traffic mirroring means; generating alarm data with the traffic detection engine; screening out the target alarm data and sending it to the post-matching engine; matching and optimizing it; placing the optimized alarm data in the outgoing queue and sending it; and placing the alarm data that was not screened out directly in the outgoing queue.
Referring to fig. 4, an embodiment of the present application discloses the system framework adopted by a specific network traffic detection scheme. First, the basic environment is prepared: the real network traffic, a server A, a post-matching engine and a server B, with the real network traffic mirrored to server A by a traffic mirroring means. A traffic detection engine (suricata), i.e. a traffic probe, is installed on server A and loaded with basic rules, namely the first preset matching rule and the screening rule; these include open-source detection rules and custom added rules (non-open-source rules written by security personnel for particular vulnerability characteristics). The post-matching engine is deployed on server A, and ELK is installed on server B for alarm display and analysis. In a specific embodiment, a specific screening rule can be prepared and placed in /etc/eng/match.yaml on server A. An example of a screening rule is as follows:
signature_id:        # matching based on rule SID
  - 1000001          # ice scorpion detection rule
  - 1000002          # file upload detection rule
category:            # matching based on rule classification
  - webAttack
In a specific embodiment, the /etc/eng/match.yaml configuration file is loaded by the traffic detection engine. The original, complete alarm data that hits a screening rule in the configuration file is sent to the post-matching engine, which comprises, without limitation, an alarm receiving module, an alarm matching module, an optimization processing module and an alarm sending module.
In a specific implementation manner, the target alarm data sent to the post-detection engine is forwarded, based on the post-matching engine configuration, to the matched optimization processing module for optimization processing. The post-matching engine configuration may be in yaml format, for example:
signature_id:                                          # matching based on rule SID
  1000001:                                             # rule SID
    Name: ice scorpion 3.0 matching detection module   # name of the module to invoke
    Redis: 1                                           # use Redis for data hosting
    Drop: 1                                            # discard the alarm if no logic matches
That is, in this embodiment, the second preset matching rule may match on the rule SID; the matched optimization processing module is the ice scorpion 3.0 matching detection module, and the optimization processing logic in that module processes the alarm data to implement measures such as alarm optimization and false alarm rejection.
For example, an alarm whose signature_id is 1000001 is matched to the optimization processing module named "ice scorpion 3.0 matching detection module". After this module performs secondary detection and optimization, it can provide functions including but not limited to: 1. decrypting and outputting the request packet and the response packet; 2. outputting the corresponding key used by the attacker; 3. judging whether the attack succeeded; 4. storing the information related to the alarm. It should be noted that ice scorpion 3.0 traffic does not perform dynamic key negotiation but uses a pre-shared key, so there is no plaintext interaction in the whole session and the communication traffic must be decrypted: first the encrypted traffic is decoded with the built-in key (according to the AES algorithm and the built-in key), then the AES-decrypted data is base64-decoded to obtain the attack statement used by the attacker and the specific information returned; if no built-in key matches, a key extracted from previous alarm data is tried. After decryption, the features of the attack statement are extracted; for example, when whoami is executed and the return value contains specific content such as www or root, the alarm can be marked directly as a successful attack. The key is output together with the result so that security personnel can perform in-depth analysis and judgment. Finally, based on specific judgment logic, the module either discards the alarm or places it in the outgoing queue.
For example, alarm data for failed attacks is discarded, and alarm data for successful attacks is sent to the outgoing queue. The alarm information in the outgoing queue of the post-matching engine is sent to server B, which receives it and provides it to network management personnel for operations such as analysis, judgment and handling.
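The secondary detection described above (steps S14 and S15: key fallback from the engine's built-in keys to keys extracted from historical alarms, AES decryption followed by base64 decoding, the whoami/root success check, and the Drop flag of the module configuration) as an added Go example; this is not the patent's or DBAPPSecurity's code. The AES-128-ECB layout, the record field names and every key value are assumptions of this example, and the match.yaml screening step is left out because it reduces to a SID or category lookup.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"strings"
)

// Alarm is the record handed from the traffic engine to the post engine; the field names
// are assumptions modelled on the SID field the patent's match.yaml filters on.
type Alarm struct {
	SignatureID int
	Category    string
	Request     []byte // encrypted request body carried with the alarm
	Response    []byte // encrypted response body carried with the alarm
}

// Optimized is the record the post engine places in the outgoing queue.
type Optimized struct {
	SignatureID            int
	Module                 string
	Request, Response, Key string // decrypted traffic plus the key that worked, for analysts
	Success                bool
}

// Module is one SID entry of the post engine configuration (module name plus Drop flag).
type Module struct {
	Name string
	Drop bool // discard the alarm when the logic does not judge the attack successful
}

// decryptWith undoes the assumed scheme (AES-128-ECB over PKCS#7-padded base64 text);
// a wrong key is rejected when the padding or the base64 layer fails to parse.
func decryptWith(ct, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or ciphertext length")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return base64.StdEncoding.DecodeString(string(pt[:len(pt)-pad]))
}

// Encrypt is the inverse of decryptWith and exists only to construct sample traffic.
func Encrypt(pt, key []byte) []byte {
	block, _ := aes.NewCipher(key)
	b := []byte(base64.StdEncoding.EncodeToString(pt))
	pad := aes.BlockSize - len(b)%aes.BlockSize
	b = append(b, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(b))
	for i := 0; i < len(b); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], b[i:i+aes.BlockSize])
	}
	return ct
}

// Decrypt applies the patent's key fallback: built-in keys first, then keys extracted
// from historical alarms (how those keys are extracted is outside this example).
func Decrypt(ct []byte, builtin, historical [][]byte) (pt, key []byte, err error) {
	for _, k := range append(append([][]byte{}, builtin...), historical...) {
		if pt, err = decryptWith(ct, k); err == nil {
			return pt, k, nil
		}
	}
	return nil, nil, errors.New("no built-in or historical key matched")
}

// Process runs the SID-matched module over one target alarm. A nil result with a nil
// error means the alarm was judged a failed attack and dropped, as the Drop flag requests.
func Process(a Alarm, modules map[int]Module, builtin, historical [][]byte) (*Optimized, error) {
	m, ok := modules[a.SignatureID]
	if !ok {
		return nil, errors.New("no module configured for this SID")
	}
	plain, key := [2][]byte{}, []byte(nil)
	for i, ct := range [][]byte{a.Request, a.Response} {
		var err error
		if plain[i], key, err = Decrypt(ct, builtin, historical); err != nil {
			return nil, err
		}
	}
	req, resp := string(plain[0]), string(plain[1])
	// Feature check from the page: a whoami request answered with www or root marks success.
	success := strings.Contains(req, "whoami") && (strings.Contains(resp, "root") || strings.Contains(resp, "www"))
	if !success && m.Drop {
		return nil, nil
	}
	return &Optimized{a.SignatureID, m.Name, req, resp, string(key), success}, nil
}
```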
Referring to fig. 5, an embodiment of the present application discloses a network traffic detection apparatus, including:
the alarm data generating module 11 is configured to match network traffic data to be detected by using a traffic detection engine based on a first preset matching rule to obtain alarm data corresponding to the traffic data to be detected;
the target alarm data screening module 12 is configured to screen the alarm data based on a preset screening rule to obtain target alarm data;
a target alarm data sending module 13, configured to send the target alarm data to a post-detection engine;
the optimization processing logic matching module 14 is configured to match the target alarm data based on a second preset matching rule by using the post-detection engine, so as to match corresponding optimization processing logic with different target alarm data;
and the alarm data optimization processing module 15 is configured to perform optimization processing on the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data.
It can thus be seen that this embodiment of the application first uses the traffic detection engine to match the network traffic data to be detected against the first preset matching rule to obtain the alarm data corresponding to that traffic data, then screens the alarm data against the preset screening rule to obtain the target alarm data and sends the target alarm data to the post-detection engine, then uses the post-detection engine to match the target alarm data against the second preset matching rule so that different target alarm data are matched with their corresponding optimization processing logic, and finally uses that optimization processing logic to optimize the corresponding target alarm data to obtain the optimized alarm data. That is, the traffic detection engine is first used to match the network traffic data to obtain the corresponding alarm data, then the alarm data is screened to obtain the target alarm data, and the post-detection engine is used to match and optimize different target alarm data, so that the alarm data generated by the traffic detection engine can be effectively optimized and the accuracy of network traffic detection is improved.
The target alarm data screening module 12 is specifically configured to match a specific field in the alarm data based on a preset screening rule, and use the matched alarm data as the target alarm data.
Further, the target alarm data screening module 12 is specifically configured to load a configuration file in a yaml format by using the flow detection engine; and screening the alarm data by using a preset screening rule in the configuration file to obtain target alarm data.
In a specific embodiment, the alarm data optimization processing module 15 is specifically configured to decrypt encrypted traffic data in the corresponding target alarm data to obtain decrypted data; extract the characteristics of the decrypted data and judge, based on the extraction result, whether the attack succeeded, to obtain attack success or failure information; and screen out the decrypted data whose attack success or failure information indicates a successful attack, to obtain optimized alarm data.
Further, the alarm data optimization processing module 15 is specifically configured to decrypt the encrypted traffic data in the corresponding target alarm data by using the internal key of the post-detection engine to obtain decrypted data; or, the encrypted flow data in the corresponding target alarm data is decrypted by using the key extracted from the historical target alarm data to obtain decrypted data.
In a specific embodiment, the alarm data optimization processing module 15 is specifically configured to count the number of corresponding target alarm data, generate new alarm data based on the number, and obtain optimized alarm data.
The device also comprises an alarm data sending module which is used for placing the optimized alarm data in an outgoing queue and sending the optimized alarm data to a preset server by using the outgoing queue so that the preset server can display the optimized alarm data.
Referring to fig. 6, an embodiment of the present application discloses an electronic device 20, which includes a processor 21 and a memory 22; the memory 22 is used for storing a computer program, and the processor 21 is configured to execute the computer program to implement the network traffic detection method disclosed in the foregoing embodiment.
For the specific process of the network traffic detection method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
The memory 22, as the carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk or an optical disk, and the storage may be transient or persistent.
In addition, the electronic device 20 further includes a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The power supply 23 provides the operating voltage for each hardware component of the electronic device 20. The communication interface 24 creates a data transmission channel between the electronic device 20 and an external device; the communication protocol it follows may be any protocol applicable to the technical solution of the present application and is not specifically limited here. The input/output interface 25 obtains input data from outside or outputs data to the outside; its specific interface type may be chosen according to the requirements of the particular application and is likewise not specifically limited here.
Further, an embodiment of the present application also discloses a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the network traffic detection method disclosed in the foregoing embodiments.
The embodiments are described in a progressive manner: each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments may be referred to one another. Since the device disclosed in an embodiment corresponds to the method disclosed in an embodiment, its description is kept brief, and the relevant points can be found in the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The network traffic detection method, device, equipment and medium provided by the present application have been introduced in detail above. A specific example has been used in the description to explain the principle and implementation of the application, and the description of the embodiments serves only to help understand the method and core idea of the application. At the same time, a person skilled in the art may, following the idea of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A network traffic detection method, characterized by comprising the following steps:
matching network traffic data to be detected by using a traffic detection engine based on a first preset matching rule, to obtain alarm data corresponding to the traffic data to be detected;
screening the alarm data based on a preset screening rule to obtain target alarm data;
sending the target alarm data to a post-detection engine;
matching the target alarm data by using the post-detection engine based on a second preset matching rule, so as to match corresponding optimization processing logic to different target alarm data;
and optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data.
2. The method according to claim 1, wherein the screening the alarm data based on a preset screening rule to obtain target alarm data includes:
matching specific fields in the alarm data based on the preset screening rule, and taking the matched alarm data as the target alarm data.
3. The method according to claim 1, wherein the screening the alarm data based on a preset screening rule to obtain target alarm data includes:
loading a configuration file in YAML format using the traffic detection engine;
and screening the alarm data by using a preset screening rule in the configuration file to obtain target alarm data.
4. The method according to claim 1, wherein the optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data includes:
decrypting the encrypted traffic data in the corresponding target alarm data to obtain decrypted data;
extracting features from the decrypted data, and judging whether the attack succeeded based on the extraction result, to obtain attack success or failure information;
and retaining the decrypted data whose attack success or failure information indicates a successful attack, to obtain optimized alarm data.
5. The method for detecting network traffic according to claim 4, wherein the decrypting the encrypted traffic data in the corresponding target alarm data to obtain decrypted data includes:
decrypting the encrypted traffic data in the corresponding target alarm data using the built-in key of the post-detection engine to obtain decrypted data;
or decrypting the encrypted traffic data in the corresponding target alarm data using a key extracted from historical target alarm data to obtain decrypted data.
6. The method according to claim 1, wherein the optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data includes:
counting the number of corresponding target alarm data items, and generating new alarm data based on that count to obtain optimized alarm data.
7. The network traffic detection method according to any one of claims 1 to 6, characterized by further comprising:
and placing the optimized alarm data in an outgoing queue, and sending the optimized alarm data to a preset server by using the outgoing queue so that the preset server can display the optimized alarm data.
8. A network traffic detection device, comprising:
an alarm data generation module, used for matching network traffic data to be detected by using a traffic detection engine based on a first preset matching rule, to obtain alarm data corresponding to the traffic data to be detected;
the target alarm data screening module is used for screening the alarm data based on a preset screening rule to obtain target alarm data;
the target alarm data sending module is used for sending the target alarm data to a post-detection engine;
an optimization processing logic matching module, used for matching the target alarm data by using the post-detection engine based on a second preset matching rule, so as to match corresponding optimization processing logic to different target alarm data;
and the alarm data optimization processing module is used for optimizing the corresponding target alarm data by using the optimization processing logic to obtain optimized alarm data.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the network traffic detection method according to any of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program which, when executed by a processor, implements the network traffic detection method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110783925.8A CN113542253B (en) 2021-07-12 2021-07-12 Network flow detection method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN113542253A true CN113542253A (en) 2021-10-22
CN113542253B CN113542253B (en) 2023-04-07

Family

ID=78127424

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant