CN113765846B - Intelligent detection and response method and device for network abnormal behaviors and electronic equipment - Google Patents

Intelligent detection and response method and device for network abnormal behaviors and electronic equipment

Info

Publication number
CN113765846B
Authority
CN (China)
Prior art keywords
network, request, host, data, response
Legal status
Active
Application number
CN202010486208.4A
Other languages
Chinese (zh)
Other versions
CN113765846A (en)
Inventor
Name withheld at the inventor's request
Current Assignee
Jike Xin'an Beijing Technology Co ltd
Original Assignee
Jike Xin'an Beijing Technology Co ltd
Events
Application filed by Jike Xin'an Beijing Technology Co ltd; priority to CN202010486208.4A; publication of CN113765846A; application granted; publication of CN113765846B; legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the disclosure provides a network abnormal behavior intelligent detection and response method, a device and electronic equipment, wherein the method comprises the following steps: collecting mirror image flow of a session layer through a switch, and extracting flow characteristics from the mirror image flow; training checking rules based on the flow characteristics, wherein the checking rules comprise an internal and external network checking rule, a survival host checking rule, an existing network service checking rule and an existing operating system network fingerprint generating rule; marking each network request according to the verification rule to form a request log; and making a basic response to each network request according to the request log. The embodiment of the disclosure realizes network spoofing defense by adopting a bypass network data detection method, realizes network application at a session layer and improves network defense efficiency.

Description

Intelligent detection and response method and device for network abnormal behaviors and electronic equipment
Technical Field
The disclosure relates to the technical field of computer networks, in particular to a network abnormal behavior intelligent detection and response method, a device and electronic equipment.
Background
Network spoofing defense technology is a new concept of recent years: by forging various false hosts, false services and even false users inside a protected network, an attacker is led to believe that a large number of existing hosts, services and active users are present there, so that the attacker cannot accurately locate an effective attack target. On the one hand, the technology delays the attack, increases the attacker's time cost and reduces the attack's accuracy; on the other hand, the attacker's behavior and traffic content can be captured effectively, providing important clues for subsequent investigation and evidence collection.
At present, network spoofing defending technology is often expanded based on a honeypot technology, and a typical honeypot technology adopts a plurality of honeypot nodes to simulate real network services.
On the basis of honeypot technology, further schemes have been developed, such as the traffic redirection method: a serial (inline) detection device is added at the access link of the subnet switch to detect scanning attack traffic, and traffic identified as an attack attempt is redirected to honeypot nodes for interactive simulation. This reduces the number of honeypots that must be deployed, since one honeypot can simulate the responses of all non-real hosts.
However, the existing solutions have technical problems. For a typical honeypot deployment, the number of honeypots and their management are highly inconvenient, and the network spoofing is easily recognized by attackers because of the limits of honeypot entities. The traffic redirection method can effectively reduce the number of honeypots, but its serial deployment easily introduces a single point of failure into the network, and because every access request is forwarded only after being analyzed by the serial device, the normal access latency of the network increases.
Disclosure of Invention
The disclosure aims to provide a network abnormal behavior intelligent detection and response method, a device and electronic equipment, which can interfere with malicious attacks at a session layer and improve network security.
In a first aspect, the present disclosure provides a method for intelligently detecting and responding to abnormal network behavior, including:
collecting mirror image flow of a session layer through a switch, and extracting flow characteristics from the mirror image flow;
training checking rules based on the flow characteristics, wherein the checking rules comprise an internal and external network checking rule, a survival host checking rule, an existing network service checking rule and an existing operating system network fingerprint generating rule;
Marking each network request according to the verification rule to form a request log;
and making a basic response to each network request according to the request log.
Optionally, the flow characteristics include:
IP/MAC address distribution of data packets, comprising at least one of: source/destination IP, source/destination MAC for all interaction data;
the port-IP correspondence includes at least one of: service port, service IP, upstream and downstream flow count of service port, head packet identification bit of each direction of TCP;
responsive to the data network layer and transport layer fingerprints, comprising at least one of: TTL value of IP data packet, IP service type value and TCP window size.
Optionally,
the internal and external network checking rule comprises: calculating, for each MAC address in the interaction data, the entropy of the distribution of source IP addresses associated with it; when the entropy value is larger than a preset threshold value, the IP and its corresponding MAC are judged to belong to the external network; when the entropy value is smaller than the preset threshold value, the IP and its corresponding host MAC are judged to belong to the internal network;
the surviving host checking rule comprises: when there is an external payload communication by the intranet IP, the IP is a surviving host IP.
The existing network service checking rule includes: when the IP is in a survival state and has uplink and downlink interactive traffic, the service port is judged to be valid; when only SYN/RST identification bits exist, judging that the service port is invalid;
The operating system network fingerprint generation rule includes: and acquiring an IP data packet header and a TCP data packet header of each host IP, and generating a data response aiming at the IP according to TTL, service type or window size in the IP data packet header and the TCP data packet header.
Optionally, the request log includes: source IP, destination IP, source port, destination port, protocol type, whether the destination host IP survives or not, and whether the destination port is open or not.
Optionally, said making a basic answer to each of said network requests according to said request log includes:
for TCP probes of a non-surviving host IP, randomly selecting an operating system network fingerprint generation rule to generate response data, and returning it through a communication interface; and/or
for PING probes of a non-surviving host IP, constructing response data according to the specific content of the PING request, and returning it through a communication interface; and/or
for TCP probes of a non-open port of a surviving host IP, generating response data according to the operating system network fingerprint generation rule of that host IP, and returning it through a communication interface; and/or
when the host IP survives and the target port is open, for probes from an unknown IP, simultaneously sending corresponding RST packets to the prober and to the real service host port; or
when the host IP survives and the target port is open, after observing that the real service has responded with a SYN+ACK packet, generating RST packets according to the operating system network fingerprint generation rule of that host IP and sending them at random to the prober.
Optionally, the method further comprises: sending an application data request to the honeypot; the honeypot returns corresponding application data according to the application data request; and sending the application data to each network request through the switch.
Optionally, the sending the application data request to the honeypot includes: and converting the source IP and the destination IP of the detector, converting the source IP into the honeypot communication IP, and converting the destination IP into the honeypot IP.
Optionally, the sending the application data request to the honeypot includes: analyzing the application data request through a network honeypot switch, and sending the application data request to at least one honeypot according to the type of the application data request.
In a second aspect, the present disclosure provides a network abnormal behavior intelligent detection and response device, including:
the extraction unit is used for collecting mirror image flow of the session layer through the switch and extracting flow characteristics from the mirror image flow;
The training unit is used for training checking rules based on the flow characteristics, wherein the checking rules comprise an internal and external network checking rule, a survival host checking rule, an existing network service checking rule and an existing operating system network fingerprint generating rule;
the forming unit is used for marking each network request according to the verification rule to form a request log;
and the response unit is used for making basic response to each network request according to the request log.
In a third aspect, the present disclosure provides an electronic device comprising a processor and a memory storing computer program instructions executable by the processor, the processor implementing the method steps of any of the first aspects when the computer program instructions are executed.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing computer program instructions which, when invoked and executed by a processor, implement the method steps of any one of the first aspects.
Compared with the prior art, the beneficial effects of the embodiment of the disclosure are as follows:
according to the embodiment of the disclosure, network spoofing defense is realized by adopting a bypass network data detection method, the single point failure problem possibly occurring in a serial method is avoided, even if a network spoofing defense system implemented based on the scheme malfunctions, normal network service is not influenced, and the deployment mode has little influence on actual network operation;
The self-learning rule generation method provided by the embodiment of the disclosure can effectively find the existing hosts of the internal and external networks and the local network segment and the services of the existing hosts, and also comprises rule features of IP and TCP layer data encapsulation in each host and service, so that self-adaptive configuration can be completed without or with less manual participation, and the convenience and accuracy of detection are improved;
the embodiment of the disclosure provides a session maintenance method for the bypass traffic detection scheme: on the premise that no deep response to the access content is needed, a response is first made to the network access, which raises the response speed and delays the attack process while confusing the attack access. By responding quickly with a SYN+ACK packet, the real host is prevented from tearing down the communication with an RST packet, and the returned packets take full account of their similarity to the real host's fingerprint. This effectively implements session maintenance and network spoofing against network scanning and probing. In addition, by means such as PING responses and fake responses from real, existing services, the differences in network behavior between real services and fake services can be effectively blurred.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, a brief description will be given below of the drawings required for the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a network abnormal behavior intelligent detection and response method provided by an embodiment of the disclosure;
fig. 2 is a schematic structural diagram of a network abnormal behavior intelligent detection and response system according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of an internal structure of a network abnormal behavior intelligent detection and response system according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a network abnormal behavior intelligent detection and response system according to another embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a network abnormal behavior intelligent detection and response system according to another embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of a network abnormal behavior intelligent detection and response system according to another embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of a network abnormal behavior intelligent detection and response device according to an embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
The terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure of embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, the "plurality" generally includes at least two, but does not exclude the case of at least one.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
It should be understood that although the terms first, second, third, etc. may be used in describing the technical names in the embodiments of the present disclosure, the technical names should not be limited to the terms. These terms are only used to distinguish technical names. For example, a first check signature may also be referred to as a second check signature, and similarly, a second check signature may also be referred to as a first check signature, without departing from the scope of embodiments of the present disclosure.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a product or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such product or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a commodity or system comprising such elements.
In addition, the sequence of steps in the method embodiments described below is only an example and is not strictly limited.
Example 1
Referring to fig. 1, the disclosure provides a method for intelligently detecting and responding abnormal network behaviors, which specifically includes the following steps:
step S102: and acquiring mirror image traffic of a session layer through the switch, and extracting traffic characteristics from the mirror image traffic.
As shown in fig. 2, the network abnormal behavior intelligent detection and response system is connected to the mirror image flow interface of the target network, the mirror image flow data of the key session layer in communication with the network is collected through the subnet switch, the mirror image flow data is identical to the data received by each server in the normal network service, and the mirror image flow data is used for generating a subsequent detection rule on one hand and is used for performing abnormal detection on the other hand.
Wherein the flow characteristics include, but are not limited to, the following:
(1) IP/MAC address distribution of data packets: source/destination IP including all interactive data and source/destination MAC;
(2) Port to IP correspondence: the service port and service IP of the interactive data and the up-down flow count of the port, if no flow exists, the first packet identification bit of each direction of TCP is recorded;
(3) The network-layer and transport-layer fingerprint of reply data: specifically, the fingerprint features of network data sent by the local network, keyed by IP + port, including the TTL value of the IP packet, the IP type of service value (TOS), the TCP window size, etc.;
The overall logic structure of the network anomaly detection and response system is shown in fig. 3. For the subnet to be protected, all the mirror image flow of the subnet is obtained through the bypass, and the IP/MAC address of the existing running host of the subnet, the network protocol fingerprint characteristics of the existing host and the existing service list of each running host are automatically learned based on the mirror image flow to form a white list detection rule.
And detecting subsequent traffic based on the rule, and generating rule fake response data based on the rule session to interact with an attacker to maintain the attack attempt session under the condition that the abnormal scanning attempt is found based on the detection rule.
Meanwhile, the response system can interact with the honey pot accessed by the background to obtain more real interaction flow, and the interaction flow is used for further carrying out subsequent interaction with an attacker, so that network spoofing of the attacker is realized.
Step S104: and training checking rules based on the flow characteristics, wherein the checking rules comprise an internal and external network checking rule, a survival host checking rule, an existing network service checking rule and an existing operating system network fingerprint generating rule.
Specifically, the checking rule includes:
(1) Intranet and extranet judgment rule: the IP/MAC of the internal and external networks are judged from the convergent association between MAC and IP data observed over a period of time. That is, an IP/MAC pair with an extremely high degree of aggregation is an intranet IP together with its corresponding host MAC, while data with obviously low aggregation is an extranet IP behind the switch MAC that forwarded it. On this basis, for data whose source MAC is identified as the switch MAC address, the corresponding destination IP address is an intranet IP. For example, the aggregation can be evaluated by calculating the entropy of the distribution of IP addresses corresponding to each MAC: the larger the entropy value of a MAC, the more likely its IPs are extranet IPs, otherwise they are intranet IPs. A threshold is then chosen on the entropy; because the entropy values of intranet MACs and extranet MACs differ markedly, the threshold is easy to obtain.
(2) Surviving host judgment rule: on the basis of the internal/external network judgment, the traffic data further confirms which IPs have a real, surviving host behind them. An IP address tightly bound to a MAC indicates a surviving host IP of the network; an IP not closely associated with a MAC is an extranet IP; an IP address that corresponds only to the broadcast MAC is an address at which no host survives. If a given intranet IP address corresponds to only one MAC address over a period of traffic, or to only one (non-broadcast) MAC address in most of the data, the IP may be considered the IP of a surviving host; that is, when the intranet IP has payload communication with the outside, it is a surviving host, otherwise it is a non-surviving host.
(3) Existing network service judgment rule: among the known surviving IPs, the port information in the traffic and the presence or absence of uplink and downlink interaction traffic determine which ports are open; an IP/port record that shows only flag bits such as SYN/RST indicates that the port is not open.
(4) Operating system network fingerprint generation rule: from the IP and TCP packet header characteristics collected for each IP over a long period, values such as the TTL, type of service (TOS) and window size are summarized (for example as a mean or median) into a packet generation rule used to produce data responses for that IP.
In addition, the rules generated by automatic learning can be continuously adjusted and updated based on the network condition, and various rules can be further adjusted in a manual labeling mode if necessary.
Step S106: and marking each network request according to the verification rule to form a request log.
The request log includes: source IP, destination IP, source port, destination port, protocol type, whether the destination host IP survives or not, and whether the destination port is open or not.
Each network request can be marked, so that not only an abnormal request but also a normal request can be marked, and a request log is formed as an information basis for the next operation, and specific information includes, for example:
< source IP, destination IP, source port, destination port, protocol type (TCP/UDP/ICMP), whether the target host IP survives, whether the destination port is open >
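As an added worked example (not code from the patent or its assignee), the following Python learns the four check rules of step S104 from a small set of constructed mirrored-traffic records and then marks requests into the log tuple of step S106. The record layout, the MAC addresses, the entropy threshold of 1.0, the choice of the median as the fingerprint statistic and the sample traffic are all assumptions made for the illustration.

```python
"""Learn whitelist check rules from mirrored traffic and mark requests (steps S104/S106).

Added illustration, not the patent's own code: record layout, MACs, threshold and
sample traffic are constructed assumptions."""
import math
from collections import Counter, defaultdict
from statistics import median

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
SWITCH_MAC = "00:11:22:33:44:01"   # constructed: MAC of the uplink switch that forwards extranet traffic
H5 = "aa:aa:aa:00:00:05"           # constructed: MAC of intranet host 10.0.0.5


def pkt(src_ip, src_mac, dst_ip, dst_mac, proto, sport, dport, flags, payload, ttl=64, tos=0, win=65535):
    """One mirrored packet as the bypass sees it (flags: TCP flag letters, payload: app bytes)."""
    return dict(src_ip=src_ip, src_mac=src_mac, dst_ip=dst_ip, dst_mac=dst_mac, proto=proto,
                sport=sport, dport=dport, flags=flags, payload=payload, ttl=ttl, tos=tos, win=win)


# Constructed sample: three extranet clients reach 10.0.0.5 through the switch; port 80 answers
# with data, port 22 answers RST, and 10.0.0.9 only ever appears behind the broadcast MAC.
FLOWS = [
    pkt("203.0.113.9", SWITCH_MAC, "10.0.0.5", H5, "TCP", 40001, 80, "S", 0, ttl=52, win=29200),
    pkt("10.0.0.5", H5, "203.0.113.9", SWITCH_MAC, "TCP", 80, 40001, "SA", 0, ttl=64, win=65535),
    pkt("203.0.113.9", SWITCH_MAC, "10.0.0.5", H5, "TCP", 40001, 80, "PA", 120, ttl=52, win=29200),
    pkt("10.0.0.5", H5, "203.0.113.9", SWITCH_MAC, "TCP", 80, 40001, "PA", 512, ttl=64, win=65535),
    pkt("198.51.100.7", SWITCH_MAC, "10.0.0.5", H5, "TCP", 40002, 22, "S", 0, ttl=48, win=14600),
    pkt("10.0.0.5", H5, "198.51.100.7", SWITCH_MAC, "TCP", 22, 40002, "RA", 0, ttl=64, win=0),
    pkt("192.0.2.30", SWITCH_MAC, "10.0.0.9", BROADCAST_MAC, "TCP", 40003, 443, "S", 0, ttl=55, win=8192),
]


def mac_ip_entropy(flows):
    """Rule (1): Shannon entropy of the source-IP distribution seen behind each source MAC."""
    ips_by_mac = defaultdict(Counter)
    for p in flows:
        ips_by_mac[p["src_mac"]][p["src_ip"]] += 1
    result = {}
    for mac, counter in ips_by_mac.items():
        total = sum(counter.values())
        result[mac] = -sum(c / total * math.log2(c / total) for c in counter.values())
    return result


def classify_macs(flows, threshold=1.0):
    """MACs above the threshold are switch MACs carrying extranet IPs; the rest are intranet host MACs."""
    ent = mac_ip_entropy(flows)
    extranet = {m for m, e in ent.items() if e > threshold}
    return set(ent) - extranet, extranet


def surviving_hosts(flows, intranet_macs, extranet_macs):
    """Rule (2): an IP bound to exactly one intranet host MAC that exchanged payload with an extranet peer."""
    macs_of_ip, ext_payload = defaultdict(set), set()
    for p in flows:
        macs_of_ip[p["src_ip"]].add(p["src_mac"])
        macs_of_ip[p["dst_ip"]].add(p["dst_mac"])
        if p["payload"] > 0:
            if p["src_mac"] in intranet_macs and p["dst_mac"] in extranet_macs:
                ext_payload.add(p["src_ip"])
            if p["dst_mac"] in intranet_macs and p["src_mac"] in extranet_macs:
                ext_payload.add(p["dst_ip"])
    alive = set()
    for ip, macs in macs_of_ip.items():
        host_macs = macs - {BROADCAST_MAC}   # an IP seen only behind the broadcast MAC has no host
        if len(host_macs) == 1 and host_macs <= intranet_macs and ip in ext_payload:
            alive.add(ip)
    return alive


def open_ports(flows, alive):
    """Rule (3): a port of a surviving host is open if the host answered with more than SYN/RST."""
    status = {}
    for p in flows:
        if p["proto"] != "TCP":
            continue
        if p["dst_ip"] in alive:
            status.setdefault((p["dst_ip"], p["dport"]), False)
        if p["src_ip"] in alive and "A" in p["flags"] and "R" not in p["flags"]:
            status[(p["src_ip"], p["sport"])] = True
    return status


def os_fingerprints(flows, alive):
    """Rule (4): median TTL / TOS / window of the packets each surviving host sent (reply template)."""
    samples = defaultdict(lambda: defaultdict(list))
    for p in flows:
        if p["src_ip"] in alive:
            for k in ("ttl", "tos", "win"):
                samples[p["src_ip"]][k].append(p[k])
    return {ip: {k: median(v) for k, v in d.items()} for ip, d in samples.items()}


def learn_rules(flows, threshold=1.0):
    intranet, extranet = classify_macs(flows, threshold)
    alive = surviving_hosts(flows, intranet, extranet)
    return {"intranet_macs": intranet, "extranet_macs": extranet, "alive": alive,
            "ports": open_ports(flows, alive), "fingerprints": os_fingerprints(flows, alive)}


def mark_request(rules, p):
    """Step S106: <src IP, dst IP, sport, dport, proto, host alive?, port open?>; unseen ports count as closed."""
    alive = p["dst_ip"] in rules["alive"]
    port_open = rules["ports"].get((p["dst_ip"], p["dport"]), False) if alive else False
    return (p["src_ip"], p["dst_ip"], p["sport"], p["dport"], p["proto"], alive, port_open)


if __name__ == "__main__":
    rules = learn_rules(FLOWS)
    for p in FLOWS:
        print(mark_request(rules, p))
```

With this sample the switch MAC carries three distinct source IPs and gets entropy 1.5, the host MAC gets 0, and the request log marks 10.0.0.5:80 as alive/open, 10.0.0.5:22 as alive/closed and 10.0.0.9:443 as a probe of a non-surviving host.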
Step S108: and making a basic response to each network request according to the request log.
The network abnormal behavior intelligent detection and response system responds differently, according to their characteristics, to IPs judged not to exist, to services judged not to exist, and to IPs and services that do exist. To simulate a real response, every TCP response must carry the request packet's sequence number + 1 (as its acknowledgment number). Specifically:
(1) For TCP probes of a non-existent IP, an operating system network fingerprint generation rule is selected at random to generate response data, which is returned through the communication interface;
(2) For PING (Packet Internet Groper) probes of a non-existent IP, a response packet is constructed according to the specific content of the PING request and returned;
(3) For TCP probes of an unopened port of an existing host, a packet is generated according to that host's operating system network fingerprint and returned through the communication interface;
(4) For the case where the host exists and a real service is present, bypass blocking may be applied to probes from unknown IPs, i.e. the connection is torn down by sending corresponding RST packets to both the prober and the real service host's port.
Alternatively, after the bypass observes that the real service has answered with a SYN+ACK packet, RST packets are generated according to the host's network fingerprint template and several of them are sent at random to the prober. This confuses the counterfeit data with the genuine service.
With this response mode, a network attack is answered quickly at the session layer, so it is confused effectively and in time: the attacker cannot determine which server is real, the time needed to recognize and judge the real server is lengthened, the efficiency of the attack drops, and network maintenance gains response time. At the same time, simulating the service content requested by the attack further increases the confusion.
As an alternative embodiment, the intelligent detection and response system for network abnormal behaviors can further add honeypots to strengthen the confusion of network attacks. Specifically, the external honeypot mode shown in fig. 4 and the internal honeypot mode shown in fig. 5 can be adopted; an external honeypot has the advantages that it can be replaced at any time, is convenient to operate, keeps the system's response fast and is convenient to maintain as hardware. For the case of multiple external honeypots, they can be managed by connecting an external network honeypot switch as shown in fig. 6, and the request response content is obtained from one or several honeypots according to the different network request contents.
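The four response cases of step S108, as an added Python example that is not the patent's own code: it maps one request-log entry to the list of packets the bypass would return, described as dicts rather than sent on the wire. The fingerprint templates, the `known_ips` whitelist that decides which sources count as "unknown", and the `block`/`confuse` policy switch that selects between the two alternatives of case (4) are constructed assumptions; for case (3) a SYN+ACK is assumed, since the text names only "a data packet".

```python
"""Choose the session-layer basic response (step S108) for one request-log entry.

Added illustration, not the patent's code: templates, the known_ips whitelist,
the policy switch and the packet dict layout are constructed assumptions."""
import random

# Constructed fingerprint templates in the shape rule (4) learns them: ip -> median ttl/tos/win.
FINGERPRINTS = {
    "10.0.0.5": {"ttl": 64, "tos": 0, "win": 65535},
    "10.0.0.7": {"ttl": 128, "tos": 0, "win": 8192},
}


def tcp_packet(src_ip, dst_ip, sport, dport, flags, seq, ack, template):
    """A TCP packet described as a dict; ttl/tos/win are copied from the fingerprint template."""
    return {"proto": "TCP", "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
            "flags": flags, "seq": seq & 0xFFFFFFFF, "ack": ack & 0xFFFFFFFF,
            "ttl": template["ttl"], "tos": template["tos"], "win": template["win"]}


def basic_response(entry, req, fingerprints, known_ips, policy="block", rng=None, real_synack_seen=False):
    """Return the packets the bypass sends for one request-log entry.

    entry: (src_ip, dst_ip, sport, dport, proto, host_alive, port_open) as produced by step S106
    req:   fields of the request the reply must mirror ("seq" for TCP; icmp_id/icmp_seq/payload for ICMP)
    policy: "block"   -> RST to both sides when the source is not in known_ips (case 4, first form)
            "confuse" -> a random burst of RSTs once the real SYN+ACK was observed (case 4, second form)
    """
    if rng is None:
        rng = random.Random()
    src, dst, sport, dport, proto, alive, port_open = entry

    def reply(flags, tmpl, seq):
        # every TCP reply acknowledges request seq + 1, as the text requires
        return tcp_packet(dst, src, dport, sport, flags, seq, req["seq"] + 1, tmpl)

    if not alive:
        if proto == "ICMP":   # case (2): echo reply built from the probe's own id, seq and payload
            return [{"proto": "ICMP", "type": 0, "code": 0, "src_ip": dst, "dst_ip": src,
                     "id": req["icmp_id"], "icmp_seq": req["icmp_seq"], "payload": req["payload"]}]
        if proto == "TCP":    # case (1): SYN+ACK shaped by a randomly chosen OS template
            tmpl = fingerprints[rng.choice(sorted(fingerprints))]
            return [reply("SA", tmpl, rng.getrandbits(32))]
        return []
    if proto != "TCP":
        return []
    host_tmpl = fingerprints[dst]
    if not port_open:         # case (3): closed port of a live host, answered with that host's own fingerprint
        return [reply("SA", host_tmpl, rng.getrandbits(32))]   # SYN+ACK is an assumption of this example
    if policy == "block" and src not in known_ips:
        # case (4a): bypass blocking, RST+ACK to the prober and RST toward the real service port;
        # the RST toward the host carries the prober's own TTL (assumed) so it looks like the prober sent it
        return [reply("RA", host_tmpl, 0),
                tcp_packet(src, dst, sport, dport, "R", req["seq"] + 1, 0,
                           {"ttl": req.get("ttl", 64), "tos": 0, "win": 0})]
    if policy == "confuse" and real_synack_seen:
        # case (4b): one to three RSTs shaped like the real host, sent after its SYN+ACK was seen
        return [reply("RA", host_tmpl, rng.getrandbits(32)) for _ in range(rng.randint(1, 3))]
    return []


if __name__ == "__main__":
    rng = random.Random(0)
    print(basic_response(("192.0.2.30", "10.0.0.9", 40003, 443, "TCP", False, False),
                         {"seq": 1000}, FINGERPRINTS, set(), "block", rng))
```

Nothing is transmitted: a deployment would serialize these dicts and hand them to the communication interface, and the `known_ips` set would normally be the set of source IPs already observed talking to the real service.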
Specifically, the intelligent detection and response method for network abnormal behaviors further comprises the following steps: sending an application data request to the honeypot; the honeypot returning corresponding application data according to the application data request; and sending the application data to each network request through the switch.
The application data request may be sent to the honeypot either before or after the basic response is made, depending on whether the response policy chooses to initiate an interactive request to the honeypot. If the honeypot does not support a given service, requests for that service need not be sent to the honeypot.
If the request is forwarded to the honeypot, its timing is consistent with the timing of the request the attacker sent to the switch; that is, the system only translates the attacker's source IP and destination IP: the source IP is translated into the honeypot communication IP of the detection and response system and the destination IP into the honeypot IP, then the checksums in the various data packets are recalculated, and the data is forwarded to the honeypot system to obtain the honeypot's response information.
If no honeypot is connected, for TCP probes the payload-free ACK response data can be returned continuously to the attacker on the basis of step S108, keeping the connection alive and so slowing down the attacker's probing efficiency.
After the honeypot response data is received, certain data processing is needed before the data is returned to the attacker; the specific method is as follows:
the source/destination IP of the honeypot response data is replaced by the target IP probed by the attacker and the attacker's IP, the various checksums are recalculated, and the modified data packet is sent to the attacker.
Optionally, sending the application data request to the honeypot includes: translating the source IP and destination IP of the prober, the source IP into the honeypot communication IP and the destination IP into the honeypot IP.
Optionally, sending the application data request to the honeypot includes: analyzing the application data request through a network honeypot switch and sending the application data request to at least one honeypot according to the type of the application data request.
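The two address rewrites described above (probe: source to the honeypot communication IP, destination to the honeypot IP; honeypot answer: the reverse, so it appears to come from the probed target) both require the IP header checksum and the TCP checksum to be recomputed, as the text notes. The following is an added example, not the patent's own code: it performs both rewrites on a constructed IPv4/TCP packet with the RFC 1071 Internet checksum; the addresses and packet contents are constructed and nothing is transmitted.

```python
import socket
import struct

def ones_complement_sum(data):
    """Internet checksum (RFC 1071): one's-complement of the 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, win, payload=b"",
                     ttl=64, tos=0):
    """IPv4 header + TCP header (no options) + payload, with both checksums filled in."""
    tcp_len = 20 + len(payload)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, 6, tcp_len)
    tcp_csum = ones_complement_sum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload

def rewrite_addresses(pkt, new_src_ip, new_dst_ip):
    """Replace the IPv4 source/destination and recompute the IP and TCP checksums.

    Ports, sequence numbers, flags and payload are left untouched, so the timing and
    content of the exchange are preserved exactly as the text requires.
    """
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("only TCP is handled in this example")
    ip_hdr = bytearray(pkt[:ihl])
    ip_hdr[12:16] = socket.inet_aton(new_src_ip)
    ip_hdr[16:20] = socket.inet_aton(new_dst_ip)
    ip_hdr[10:12] = b"\x00\x00"                # zero the field before summing
    ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
    tcp = bytearray(pkt[ihl:])
    tcp[16:18] = b"\x00\x00"
    pseudo = struct.pack("!4s4sBBH", bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20]),
                         0, 6, len(tcp))       # TCP checksum covers the new addresses
    tcp[16:18] = struct.pack("!H", ones_complement_sum(pseudo + bytes(tcp)))
    return bytes(ip_hdr) + bytes(tcp)

def checksums_valid(pkt):
    """True when both checksums verify (summing over a correct checksum yields zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return ones_complement_sum(pkt[:ihl]) == 0 and ones_complement_sum(pseudo + tcp) == 0

def to_honeypot(probe, comm_ip, honeypot_ip):
    """Attacker's probe as forwarded to the honeypot: src -> comm IP, dst -> honeypot IP."""
    return rewrite_addresses(probe, comm_ip, honeypot_ip)

def to_attacker(honeypot_reply, probed_target_ip, attacker_ip):
    """Honeypot answer relayed back: src -> the IP the attacker probed, dst -> attacker."""
    return rewrite_addresses(honeypot_reply, probed_target_ip, attacker_ip)

def addresses(pkt):
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

# Constructed addresses: a probe aimed at an address with no host, the system's
# honeypot-side communication IP, and the honeypot itself.
ATTACKER, TARGET = "203.0.113.77", "10.0.0.50"
COMM_IP, HONEYPOT = "10.0.0.250", "10.0.0.251"

if __name__ == "__main__":
    probe = build_tcp_packet(ATTACKER, TARGET, 55000, 22, 1000, 0, 0x02, 1024)   # SYN
    fwd = to_honeypot(probe, COMM_IP, HONEYPOT)
    reply = build_tcp_packet(HONEYPOT, COMM_IP, 22, 55000, 7000, 1001, 0x12, 29200)  # SYN+ACK
    back = to_attacker(reply, TARGET, ATTACKER)
    print(addresses(probe), "->", addresses(fwd), checksums_valid(fwd))
    print(addresses(reply), "->", addresses(back), checksums_valid(back))
```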
According to the embodiment of the disclosure, network spoofing defense is realized with a bypass network data detection method, which avoids the single-point-of-failure problem that can occur in a serial (inline) method: even if a network spoofing defense system implemented according to this scheme malfunctions, normal network service is not affected, and the deployment mode has little impact on actual network operation;
the self-learning rule generation method provided by the embodiment of the disclosure can effectively discover the existing hosts of the internal and external networks and the local network segment, together with the services of those hosts, and also covers rule features of the IP and TCP layer data encapsulation of each host and service, so that adaptive configuration can be completed with little or no manual participation, improving the convenience and accuracy of detection;
the embodiment of the disclosure provides a session maintaining method for the bypass traffic detection scheme, namely responding quickly with a SYN+ACK packet so that the real host does not interrupt the communication with an RST packet, while the returned packets fully take into account the similarity between the data packet and the real host's fingerprint. This effectively implements session maintenance and network spoofing against network scanning and probing. In addition, for methods such as ping probing and forged responses for a really existing service, the network behavior difference between the real service and the forged service can be effectively blurred.
Example two
Referring to fig. 7, the disclosure provides an intelligent detection and response system for network abnormal behaviors. The detection and response system is embedded in the overall network interaction system as hardware or as a software module: as shown in fig. 2, a network access device obtains network data from the public network, forwards it to the server through a subnet switch, and mirrors the data to the detection and response system. The system is implemented by its internal modules in software or hardware; each functional module has the same technical effect as in the first embodiment and is not described in detail again. The system specifically includes:
The extracting unit 702, used for collecting mirror traffic of the session layer through the switch and extracting traffic characteristics from the mirror traffic.
The traffic characteristics include, but are not limited to, the following:
(1) IP/MAC address distribution of data packets: the source/destination IP and source/destination MAC of all interactive data;
(2) Port-to-IP correspondence: the service port and service IP of the interactive data and the uplink/downlink traffic count of the port; if there is no traffic, the flag bits of the first TCP packet in each direction are recorded;
(3) Network-layer and transport-layer fingerprint of the reply data, i.e. the fingerprint features of the network data sent by the local network, distinguished by IP+port as identifier, including: the TTL value of the IP packet, the IP type-of-service (TOS) value, the TCP window size, etc.;
Verification unit 704: used for training checking rules based on the traffic characteristics, where the checking rules include an internal network checking rule, an external network checking rule, a surviving host checking rule, an existing network service checking rule and an existing operating system network fingerprint generation rule.
Specifically, the checking rule includes:
(1) Intranet/extranet judgment rule: the IP/MAC of the internal and external networks is judged from the converged association relation of the MAC/IP data over a period of time. That is, IP/MAC pairs with a very high aggregation degree are the in-network IPs and their corresponding host MACs, while data with a clearly low aggregation degree is the external network IP paired with the MAC of the switch that forwarded it. On this basis, for data whose source MAC is identified as the switch MAC address, the corresponding destination IP address is also an intranet IP.
(2) Surviving host decision rule: on the basis of the internal/external network determination, the traffic data further confirms which IPs actually have a corresponding surviving host: an IP with a tight binding relation to a MAC is a surviving host IP of the network; an IP that is not closely related to a MAC is an external network IP; and an IP address that corresponds only to the broadcast MAC is an address at which no host survives in the network.
(3) Existing network service decision rule: among the known surviving IPs, which ports are open can be determined from the port information in the traffic and from whether there is uplink and downlink interaction traffic; an IP/port record showing only flag bits such as SYN/RST indicates that the port is not open.
(4) Operating system network fingerprint generation rule: from the characteristics of the IP packet header and TCP packet header of each IP collected over a long period, the mean, median and similar statistics of values such as TTL, type of service (TOS) and window size in the data packets are summarized as the packet generation rule used for data responses on behalf of that IP.
In addition, the rules generated by automatic learning can be continuously adjusted and updated according to the network condition, and the various rules can be further adjusted by manual labeling if necessary.
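Rules (1) to (4) above can be derived from mirrored traffic alone. The following is an added example, not the patent's own code, giving one concrete reading of those rules: a MAC whose source-IP distribution has high entropy is taken as the switch/gateway MAC (the entropy criterion of claim 3), IPs behind it are external and the destinations it forwards to are internal; an IP seen only with the broadcast MAC has no host; a probed port that answers only with SYN/RST flags is closed; and each surviving host gets a median TTL/TOS/window template. The record layout, the entropy threshold, the helper names and the traffic sample are all constructed for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Pkt:
    """One mirrored packet reduced to the fields the rules need (constructed layout)."""
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str
    sport: int
    dport: int
    flags: str    # TCP flag letters: "S" SYN, "SA" SYN+ACK, "RA" RST+ACK, "PA" PSH+ACK
    payload: int  # payload bytes
    ttl: int
    tos: int
    win: int


def _entropy(counter):
    """Shannon entropy (bits) of a Counter's value distribution."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def learn_rules(pkts, mac_entropy_threshold=1.0):
    """Return intranet/extranet/dead IPs, surviving hosts, open/closed ports, fingerprints."""
    # (1) A MAC carrying many different source IPs is a switch/gateway MAC: every source IP
    #     behind it is external, and every destination it forwards to is internal.
    ips_per_mac = defaultdict(Counter)
    for p in pkts:
        ips_per_mac[p.src_mac][p.src_ip] += 1
    switch_macs = {m for m, c in ips_per_mac.items() if _entropy(c) > mac_entropy_threshold}

    macs_per_ip = defaultdict(set)
    intranet, extranet = set(), set()
    for p in pkts:
        macs_per_ip[p.src_ip].add(p.src_mac)
        macs_per_ip[p.dst_ip].add(p.dst_mac)
        if p.src_mac in switch_macs:
            extranet.add(p.src_ip)
            intranet.add(p.dst_ip)
    # (2) Only ever addressed via the broadcast MAC: no host there. Bound to a real host
    #     MAC and actually sending traffic: a surviving host.
    dead = {ip for ip, macs in macs_per_ip.items() if macs == {BROADCAST_MAC}}
    for ip, macs in macs_per_ip.items():
        if ip not in extranet and ip not in dead and macs - switch_macs - {BROADCAST_MAC}:
            intranet.add(ip)
    intranet -= dead
    alive = {p.src_ip for p in pkts if p.src_ip in intranet and p.src_mac not in switch_macs}

    # (3) A probed port on a surviving host that only ever replies with SYN/RST flags is
    #     closed; any other reply (SYN+ACK, data) means the service exists.
    probed = {(p.dst_ip, p.dport) for p in pkts if p.flags == "S" and p.dst_ip in alive}
    open_ports, closed_ports = set(), set()
    for ip, port in probed:
        replies = {p.flags for p in pkts if (p.src_ip, p.sport) == (ip, port)}
        (open_ports if replies - {"S", "R", "RA"} else closed_ports).add((ip, port))

    # (4) Per-host fingerprint template: median TTL/TOS/window of the packets it sent.
    fingerprints = {}
    for ip in alive:
        sent = [p for p in pkts if p.src_ip == ip]
        fingerprints[ip] = {"ttl": int(median(p.ttl for p in sent)),
                            "tos": int(median(p.tos for p in sent)),
                            "win": int(median(p.win for p in sent))}
    return {"intranet": intranet, "extranet": extranet, "dead": dead, "alive": alive,
            "open": open_ports, "closed": closed_ports, "fingerprints": fingerprints}


GW, H10, H11 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"
SAMPLE = [  # constructed traffic as mirrored from the access switch
    # internal client 10.0.0.11 talking to an external site through the gateway
    Pkt(H11, "10.0.0.11", GW, "203.0.113.5", 51000, 443, "S", 0, 64, 0, 64240),
    Pkt(GW, "203.0.113.5", H11, "10.0.0.11", 443, 51000, "SA", 0, 52, 0, 65535),
    Pkt(H11, "10.0.0.11", GW, "203.0.113.5", 51000, 443, "PA", 200, 64, 0, 64240),
    Pkt(GW, "203.0.113.5", H11, "10.0.0.11", 443, 51000, "PA", 1400, 52, 0, 65535),
    # legitimate external visitor reaching the web server 10.0.0.10
    Pkt(GW, "198.51.100.7", H10, "10.0.0.10", 40000, 80, "S", 0, 49, 0, 29200),
    Pkt(H10, "10.0.0.10", GW, "198.51.100.7", 80, 40000, "SA", 0, 64, 0, 29200),
    # external scanner 203.0.113.77 probing ports 22 and 80, then an address with no host
    Pkt(GW, "203.0.113.77", H10, "10.0.0.10", 55000, 22, "S", 0, 45, 0, 1024),
    Pkt(H10, "10.0.0.10", GW, "203.0.113.77", 22, 55000, "RA", 0, 64, 0, 0),
    Pkt(GW, "203.0.113.77", H10, "10.0.0.10", 55001, 80, "S", 0, 45, 0, 1024),
    Pkt(H10, "10.0.0.10", GW, "203.0.113.77", 80, 55001, "SA", 0, 64, 0, 29200),
    Pkt(GW, "203.0.113.77", BROADCAST_MAC, "10.0.0.50", 55002, 22, "S", 0, 45, 0, 1024),
]

if __name__ == "__main__":
    for key, value in learn_rules(SAMPLE).items():
        print(key, value)
```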
Forming unit 706: used for marking each network request according to the verification rule to form a request log.
The request log includes: source IP, destination IP, source port, destination port, protocol type, whether the destination host IP survives or not, and whether the destination port is open or not.
Response unit 708: used for making a basic response to each network request according to the request log.
The intelligent detection and response system for network abnormal behaviors responds differently, according to the different characteristics, to IPs judged not to exist, to services judged not to exist, and to IPs and services that do exist; to simulate a real response effect, every TCP response must acknowledge the request packet's sequence number + 1. Specifically:
(1) For TCP probes of a non-existent IP, randomly select an operating system network fingerprint generation rule to generate the response data and return it through the communication interface;
(2) For ping probes of a non-existent IP, construct a response packet according to the specific content of the ping command and respond;
(3) For TCP probes of an unopened port on an existing host, generate the data packet according to that host's operating system network fingerprint and return it through the communication interface;
(4) Where the host exists and the service really exists, bypass blocking may be applied to probes from unknown IPs, i.e. the connection is blocked by sending corresponding RST packets to both the attacker (prober) and the real service host port.
After the bypass observes that the real service has responded with a SYN+ACK packet, RST packets are generated according to the host's network fingerprint template and several RST packets are sent at random to the prober, so that the forged data is mixed with the genuine service.
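The four response cases above, plus the request-log fields listed earlier, fit in one decision function. The following is an added example, not the patent's own code: it maps a request-log entry and the learned fingerprint templates to a list of response specifications (what kind of packet, to whom, with which TTL/TOS/window and acknowledgment number) and builds no packets. The entry layout, the template layout, the `known_sources` set standing for IPs the learned rules already know, and the random choices are assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestLog:
    """One marked request: the request-log fields, plus the probe's TCP seq / ICMP data."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str          # "tcp" or "icmp"
    host_alive: bool       # destination host IP survives (surviving-host rule)
    port_open: bool        # destination port open (existing-service rule)
    seq: int = 0           # TCP sequence number of the SYN probe
    icmp_data: bytes = b""  # echo-request identifier/sequence/payload, treated as opaque


def plan_response(entry, fingerprints, known_sources, real_syn_ack_seen=False, rng=random):
    """Return the basic-response specs for one probe (an empty list means: stay silent)."""
    def fake(kind, to_ip, to_port, tpl, **extra):
        # A forged packet "from" the probed address, carrying the template's header values.
        spec = {"kind": kind, "to": (to_ip, to_port), "from": (entry.dst_ip, entry.dst_port),
                "ttl": tpl["ttl"], "tos": tpl["tos"], "win": tpl["win"]}
        spec.update(extra)
        return spec

    if entry.protocol == "icmp":
        if entry.host_alive:
            return []                      # a real host answers its own pings
        # (2) no host at this IP: echo reply mirroring the request's content
        tpl = rng.choice(list(fingerprints.values()))
        return [fake("icmp_echo_reply", entry.src_ip, 0, tpl, data=entry.icmp_data)]

    if entry.protocol != "tcp":
        return []

    if not entry.host_alive:
        # (1) no host: SYN+ACK in a randomly chosen OS template, acknowledging seq + 1
        tpl = rng.choice(list(fingerprints.values()))
        return [fake("syn_ack", entry.src_ip, entry.src_port, tpl, ack=entry.seq + 1)]

    tpl = fingerprints.get(entry.dst_ip) or rng.choice(list(fingerprints.values()))
    if not entry.port_open:
        # (3) host exists, port closed: SYN+ACK in that host's own fingerprint
        return [fake("syn_ack", entry.src_ip, entry.src_port, tpl, ack=entry.seq + 1)]

    if entry.src_ip not in known_sources:
        # (4) real service probed by an unknown IP: bypass blocking, RST to both ends.
        #     Toward the server the RST is sent on the prober's behalf, at seq + 1.
        return [fake("rst", entry.src_ip, entry.src_port, tpl, ack=entry.seq + 1),
                {"kind": "rst", "to": (entry.dst_ip, entry.dst_port),
                 "from": (entry.src_ip, entry.src_port), "seq": entry.seq + 1}]
    if real_syn_ack_seen:
        # the real SYN+ACK has gone out: several RSTs in the host's fingerprint, at random
        return [fake("rst", entry.src_ip, entry.src_port, tpl, ack=entry.seq + 1)
                for _ in range(rng.randint(2, 5))]
    return []                              # known source, real service: let it answer


FINGERPRINTS = {  # constructed templates of the kind the fingerprint rule produces
    "10.0.0.10": {"ttl": 64, "tos": 0, "win": 29200},
    "10.0.0.11": {"ttl": 128, "tos": 0, "win": 65535},
}
KNOWN_SOURCES = {"198.51.100.7"}

if __name__ == "__main__":
    probes = [
        RequestLog("203.0.113.77", "10.0.0.99", 55000, 22, "tcp", False, False, seq=1000),
        RequestLog("203.0.113.77", "10.0.0.10", 55001, 22, "tcp", True, False, seq=2000),
        RequestLog("203.0.113.77", "10.0.0.10", 55002, 80, "tcp", True, True, seq=3000),
        RequestLog("203.0.113.77", "10.0.0.99", 0, 0, "icmp", False, False, icmp_data=b"\x01"),
    ]
    for probe in probes:
        print(probe.dst_ip, probe.dst_port, "->", plan_response(probe, FINGERPRINTS, KNOWN_SOURCES))
```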
With this response mode, the network attack is answered rapidly at the session layer, so that the attack is confused effectively and in time: the attacker cannot tell whether a response comes from a real server, the time the attacker needs to identify the real server is lengthened, the efficiency of the attack drops, and network maintenance gains response time; meanwhile, simulating the service content requested by the attack strengthens the confusion further.
As an alternative embodiment, the intelligent detection and response system for network abnormal behaviors can additionally add honeypots, which further serves the aim of confusing network attacks. Specifically, an external honeypot mode as shown in fig. 4 or an internal honeypot mode as shown in fig. 5 can be adopted; the external honeypot has the advantages that the honeypot can be replaced at any time, operation is convenient, the system responds quickly and hardware maintenance is convenient. For the case of multiple external honeypots, they can be managed by connecting an external network honeypot switch in the manner shown in fig. 6, and the request response content is distributed so that it is acquired from one or more honeypots according to the different network request contents.
According to the embodiment of the disclosure, network spoofing defense is realized with a bypass network data detection method, which avoids the single-point-of-failure problem that can occur in a serial (inline) method: even if a network spoofing defense system implemented according to this scheme malfunctions, normal network service is not affected, and the deployment mode has little impact on actual network operation;
the self-learning rule generating unit provided by the embodiment of the disclosure can effectively discover the existing hosts of the internal and external networks and the local network segment, together with the services of those hosts, and also covers rule features of the IP and TCP layer data encapsulation of each host and service, so that adaptive configuration can be completed with little or no manual participation, improving the convenience and accuracy of detection;
the embodiment of the disclosure provides a session maintaining unit for the bypass traffic detection scheme, namely responding quickly with a SYN+ACK packet so that the real host does not interrupt the communication with an RST packet, while the returned packets fully take into account the similarity between the data packet and the real host's fingerprint. This effectively implements session maintenance and network spoofing against network scanning and probing. In addition, for methods such as ping probing and forged responses for a really existing service, the network behavior difference between the real service and the forged service can be effectively blurred.
Example three
The present disclosure provides an electronic device comprising a processor and a memory storing computer program instructions executable by the processor; when executing the computer program instructions, the processor implements the method steps of any of the first aspects.
Example four
The present disclosure provides a computer readable storage medium storing computer program instructions which, when invoked and executed by a processor, implement the method steps of any one of the first aspects.
Referring now to fig. 8, a schematic diagram of an electronic device suitable for use in implementing the present disclosure is shown. The terminal devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 8 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 8, the electronic device may include a processing means (e.g., a central processor, a graphics processor, etc.) 801 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage means 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the electronic device are also stored. The processing device 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
In general, the following devices may be connected to the I/O interface 805: input devices 806 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, and the like; an output device 807 including, for example, a Liquid Crystal Display (LCD), speakers, vibrators, etc.; storage 808 including, for example, magnetic tape, hard disk, etc.; communication means 809. The communication means 809 may allow the electronic device to communicate wirelessly or by wire with other devices to exchange data. While fig. 8 shows an electronic device having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via communication device 809, or installed from storage device 808, or installed from ROM 802. The above-described functions defined in the methods of the embodiments of the present disclosure are performed when the computer program is executed by the processing device 801.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
In some implementations, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed networks.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including, but not limited to, an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.
The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a Complex Programmable Logic Device (CPLD), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing description is only of the preferred embodiments of the present disclosure and a description of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to herein is not limited to the specific combinations of features described above, but also covers other embodiments which may be formed by any combination of the features described above or their equivalents without departing from the spirit of the disclosure, for example by mutually substituting the features described above with technical features having similar functions disclosed in the present disclosure (but not limited thereto).
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims.

Claims (10)

1. An intelligent detection and response method for network abnormal behaviors, characterized by comprising the following steps:
collecting mirror traffic of a session layer through a switch, and extracting traffic characteristics from the mirror traffic;
training a verification rule based on the traffic characteristics, wherein the verification rule comprises an internal and external network verification rule, a surviving host verification rule, an existing network service verification rule and an existing operating system network fingerprint generation rule;
marking each network request according to the verification rule to form a request log;
making a basic response to each network request according to the request log;
wherein making the basic response to each network request according to the request log comprises:
in the case that no honeypot is connected, continuously returning payload-free ACK response data to each network request for TCP probing according to the request log, so as to maintain the connection and slow down the attacker's probing efficiency.
2. The method of claim 1, wherein the traffic characteristics comprise:
IP/MAC address distribution of data packets, comprising at least one of: source/destination IP, source/destination MAC for all interaction data;
port-IP correspondence, comprising at least one of: service port, service IP, upstream and downstream traffic count of the service port, flag bits of the first TCP packet in each direction;
network-layer and transport-layer fingerprints of the response data, comprising at least one of: TTL value of the IP packet, IP type-of-service value and TCP window size.
3. The method of claim 2, wherein:
the internal and external network verification rule comprises: calculating, per IP address, the entropy of the MACs of all interactive source data; when the entropy is larger than a preset threshold, judging the IP and its corresponding host MAC to belong to the external network; when the entropy is smaller than the preset threshold, judging the IP and its corresponding host MAC to belong to the intranet;
the surviving host verification rule comprises: when an intranet IP has payload communication with the outside, the IP is a surviving host IP;
the existing network service check rule comprises: when the IP is in a surviving state and has uplink and downlink interactive traffic, the service port is judged to be valid; when only SYN/RST flag bits exist, the service port is judged to be invalid;
the operating system network fingerprint generation rule comprises: acquiring the IP packet header and TCP packet header of each host IP, and generating the data response for that IP according to the TTL, type of service or window size in the IP packet header and the TCP packet header.
4. The method of claim 1, wherein the request log comprises:
source IP, destination IP, source port, destination port, protocol type, whether the destination host IP survives or not, and whether the destination port is open or not.
5. The method of claim 4, wherein making the basic response to each network request according to the request log comprises:
for TCP probing of a non-surviving host IP, randomly selecting an operating system network fingerprint generation rule to generate response data, and returning it through a communication interface; and/or
for ping probing of a non-surviving host IP, constructing response data according to the specific content of the ping command, and returning it through a communication interface; and/or
for TCP probing of a non-open port of a surviving host IP, generating response data according to the operating system network fingerprint generation rule of that host IP, and returning it through a communication interface; and/or
when the host IP survives and the target port is open, for probing from an unknown IP, simultaneously sending corresponding RST packets to the prober and to the real service host port; or alternatively
when the host IP survives and the target port is open, after observing that the real service has responded with a SYN+ACK packet, generating RST packets according to the operating system network fingerprint generation rule of that host IP and transmitting the RST packets at random to the prober.
6. The method as recited in claim 5, further comprising:
sending an application data request to the honeypot;
the honeypot returns corresponding application data according to the application data request;
and sending the application data to each network request through the switch.
7. The method of claim 6, wherein the sending an application data request to the honeypot comprises:
and converting the source IP and the destination IP of the detector, converting the source IP into the honeypot communication IP, and converting the destination IP into the honeypot IP.
8. The method of claim 6, wherein the sending an application data request to the honeypot comprises:
analyzing the application data request through a network honeypot switch, and sending the application data request to at least one honeypot according to the type of the application data request.
9. An intelligent detection and response device for network abnormal behaviors, characterized by comprising:
an extraction unit, used for collecting mirror traffic of the session layer through the switch and extracting traffic characteristics from the mirror traffic;
a training unit, used for training a verification rule based on the traffic characteristics, wherein the verification rule comprises an internal and external network verification rule, a surviving host verification rule, an existing network service verification rule and an existing operating system network fingerprint generation rule;
a forming unit, used for marking each network request according to the verification rule to form a request log;
a response unit, used for making a basic response to each network request according to the request log;
wherein making the basic response to each network request according to the request log comprises:
in the case that no honeypot is connected, continuously returning payload-free ACK response data to each network request for TCP probing according to the request log, so as to maintain the connection and slow down the attacker's probing efficiency.
10. An electronic device comprising a processor and a memory, the memory storing computer program instructions executable by the processor, the processor implementing the method steps of any one of claims 1-8 when the computer program instructions are executed.
CN202010486208.4A 2020-06-01 2020-06-01 Intelligent detection and response method and device for network abnormal behaviors and electronic equipment Active CN113765846B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010486208.4A CN113765846B (en) 2020-06-01 2020-06-01 Intelligent detection and response method and device for network abnormal behaviors and electronic equipment


Publications (2)

Publication Number Publication Date
CN113765846A CN113765846A (en) 2021-12-07
CN113765846B true CN113765846B (en) 2023-08-04

Family

ID=78782670


Country Status (1)

Country Link
CN (1) CN113765846B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363041B (en) * 2021-12-31 2023-08-11 河南信大网御科技有限公司 Intranet protection method and system based on dynamic operating system fingerprint and protocol fingerprint
CN114363087B (en) * 2022-01-27 2024-05-14 杭州默安科技有限公司 Scanner countermeasure method and system based on bypass interference
CN114928638A (en) * 2022-06-16 2022-08-19 上海斗象信息科技有限公司 Network behavior analysis method and device and monitoring equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110351237A (en) * 2019-05-23 2019-10-18 中国科学院信息工程研究所 Honey jar method and device for numerically-controlled machine tool
EP3621265A1 (en) * 2018-09-04 2020-03-11 Nokia Technologies Oy Method and apparatus for detecting and mitigating information security threats in the internet

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2351296A4 (en) * 2008-10-31 2015-01-07 Hewlett Packard Development Co Method and apparatus for network intrusion detection
CN107623661B (en) * 2016-07-15 2020-12-08 阿里巴巴集团控股有限公司 System, method and device for blocking access request and server
CN110049022B (en) * 2019-03-27 2021-10-08 深圳市腾讯计算机系统有限公司 Domain name access control method and device and computer readable storage medium




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant