CN113839912A - Method, apparatus, medium, and device for performing abnormal host analysis by active and passive combination - Google Patents


Info

Publication number: CN113839912A
Authority: CN (China)
Prior art keywords: host, abnormal, suspicious, active, detection
Legal status: Granted
Application number: CN202010587801.8A
Other languages: Chinese (zh)
Other versions: CN113839912B (en)
Inventor: inventor not disclosed
Current Assignee: Jike Xin'an Beijing Technology Co ltd
Original Assignee: Jike Xin'an Beijing Technology Co ltd
Events: application filed by Jike Xin'an Beijing Technology Co ltd; priority to CN202010587801.8A; publication of CN113839912A; application granted; publication of CN113839912B; current legal status: Active

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/1408 ... by monitoring network traffic)
    • H04L63/1433 Vulnerability analysis (under H04L63/14)
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00 Reducing energy consumption in communication networks)

Abstract

The invention provides a method, a device, a medium and equipment for carrying out abnormal host analysis by active and passive combination, which comprises the following steps: continuously caching network flow logs in a first set time period, detecting data flow passing through a network boundary based on a passive rule detection method, and recording data flow characteristic information of a suspicious host IP (Internet protocol) with abnormal behavior; collecting data flow information related to the suspicious host IP through the data flow characteristic information of the suspicious host IP; collecting backtracking flow and constructing an active detection rule; carrying out active scanning analysis on the IP of the suspicious host, and judging whether the suspicious host is abnormal or not; and comparing and analyzing the active scanning result and the passive detection result to determine whether the suspicious host is an abnormal host. The passive detection is taken as a preliminary basis, so that the cost of active scanning is reduced; active scanning performed by a suspicious host based on passive detection is more purposeful, and the analysis efficiency and accuracy are improved.

Description

Method, apparatus, medium, and device for performing abnormal host analysis by active and passive combination
Technical Field
The invention relates to the technical field of computers, in particular to a method, a device, a medium and equipment for analyzing an abnormal host by active and passive combination.
Background
In the field of network security, the abnormal behavior of a host generally includes two situations, one is that the host actively implements malicious behavior, namely, the host controlled by an attacker; and the other is some abnormal response information generated by the attack of the host, such as information leakage, unnecessary port opening and the like. Discovering abnormal behavior (malicious behavior) of the host and analyzing and locating possible reasons are necessary steps that need to be implemented in the field of network security. At the network level, the conventional abnormal host discovery and analysis is usually implemented by adopting a passive traffic detection or active scanning method.
The passive traffic detection method obtains only a small amount of information in a short time and cannot quickly and comprehensively find the abnormality of the host;
the active scanning method is often effective for the intranet, because the number of intranet hosts is limited and targets are easy to determine, but scanning targets are difficult to determine for extranet hosts, so the method cannot be effectively implemented there.
Disclosure of Invention
The present invention is directed to a method, an apparatus, a medium, and a device for performing abnormal host analysis by active and passive combination, which can solve at least one of the above-mentioned problems. The specific scheme is as follows:
according to a specific embodiment of the present invention, in a first aspect, the present invention provides a method for performing abnormal host analysis by active and passive combination, including:
continuously caching network flow logs in a first set time period, detecting data flow passing through a network boundary based on a passive rule detection method, and recording data flow characteristic information of a suspicious host IP (Internet protocol) with abnormal behavior; wherein, the data flow characteristic information refers to all relevant protocol field characteristics of abnormal behavior data, including: a source IP address, a destination IP address, a source port, a destination port, a transport layer protocol type, an application layer protocol type, application layer protocol key protocol field content and application layer load data;
collecting data flow information related to the suspicious host IP through the data flow characteristic information of the suspicious host IP;
collecting backtracking flow and constructing an active detection rule, where the backtracking flow refers to the part of the cached flow before and after the alarm that is found on the basis of the basic content of the current alarm information;
carrying out active scanning analysis on the IP of the suspicious host, and judging whether the suspicious host is abnormal or not;
and comparing and analyzing the active scanning result and the passive detection result to determine whether the suspicious host is an abnormal host.
Optionally, the collecting, by using the suspicious host IP data flow feature, data flow information related to the suspicious host IP includes:
and collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior in the network flow log in the second set time period of the cache by finding the data flow characteristic of the suspicious host with the abnormal behavior.
Optionally, the collecting backtracking traffic includes:
and collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior before the alarm information occurs and after the alarm in the network flow log in the second set time period of the cache.
Optionally, the constructing an active probing rule includes: scanning detection, script detection and security detection;
the scanning detection means that when the alarm information can correspond to corresponding vulnerability information, various vulnerability scanning scripts pre-built in the scanner are used as scanning strategies;
the script detection means that the content of triggering the alarm in the alarm information is used as the script of active detection to be detected to form a series of detection scripts;
the security detection refers to security detection of an association protocol found by backtracking.
Optionally, the performing active scanning analysis on the IP of the suspicious host to determine whether the suspicious host is abnormal includes:
and actively scanning the suspicious host IP of the abnormal behavior through the active detection rules, and judging whether the suspicious host IP is abnormal or not according to the information obtained by the active scanning.
Optionally, the comparing and analyzing the active scanning and the passive detection result to determine whether the suspicious host is an abnormal host includes:
and comparing the suspicious abnormal behaviors discovered passively with the abnormal behaviors discovered by active scanning, and determining whether the suspicious host is an abnormal host or not according to the comparison result.
Optionally, the comparison result includes:
if the data flow characteristics of the suspicious abnormal behaviors discovered passively are the same as the data flow characteristics of the abnormal behaviors discovered by the active scanning, the suspicious host is judged to be an abnormal host, and otherwise, the suspicious host is judged to be a non-abnormal host.
According to a second aspect of the present invention, there is provided an apparatus for performing abnormal host analysis by active and passive combination, comprising: the device comprises a recording unit 201, a collecting unit 202, a backtracking unit 203, an analyzing unit 204 and a comparing unit 205;
the recording unit 201 is configured to continuously cache a network traffic log within a first set time period, detect a data stream passing through a network boundary based on a passive rule detection method, and record data stream feature information of a suspicious host IP in which an abnormal behavior is found;
the collecting unit 202 is configured to collect data flow information related to the suspicious host IP according to the data flow feature information of the suspicious host IP;
the backtracking unit 203 is configured to collect backtracking traffic and construct an active detection rule, where the backtracking traffic refers to a part of traffic before and after the alarm, which is found in cache traffic based on the basic content of the current alarm information;
the analysis unit 204 is configured to perform active scanning analysis on the suspicious host IP, and determine whether the suspicious host is abnormal;
the comparing unit 205 is configured to compare and analyze the active scanning result and the passive detection result, and determine whether the suspicious host is an abnormal host.
Optionally, the collecting, by using the suspicious host IP data flow feature, data flow information related to the suspicious host IP includes:
and collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior in the network flow log in the second set time period of the cache by finding the data flow characteristic of the suspicious host with the abnormal behavior.
Optionally, the collecting backtracking traffic includes:
and collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior before the alarm information occurs and after the alarm in the network flow log in the second set time period of the cache.
Optionally, the constructing an active probing rule includes: scanning detection, script detection and security detection;
the scanning detection means that when the alarm information can correspond to corresponding vulnerability information, various vulnerability scanning scripts pre-built in the scanner are used as scanning strategies;
the script detection means that the content of triggering the alarm in the alarm information is used as the script of active detection to be detected to form a series of detection scripts;
the security detection refers to security detection of an association protocol found by backtracking.
Optionally, the performing active scanning analysis on the IP of the suspicious host to determine whether the suspicious host is abnormal includes:
and actively scanning the suspicious host IP of the abnormal behavior through the active detection rules, and judging whether the suspicious host IP is abnormal or not according to the information obtained by the active scanning.
Optionally, the comparing and analyzing the active scanning and the passive detection result to determine whether the suspicious host is an abnormal host includes:
and comparing the suspicious abnormal behaviors discovered passively with the abnormal behaviors discovered by active scanning, and determining whether the suspicious host is an abnormal host or not according to the comparison result.
Optionally, the comparison result includes:
if the data flow characteristics of the suspicious abnormal behaviors discovered passively are the same as the data flow characteristics of the abnormal behaviors discovered by the active scanning, the suspicious host is judged to be an abnormal host, and otherwise, the suspicious host is judged to be a non-abnormal host.
According to a third aspect, the present invention provides an apparatus comprising: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of editing content in a document as claimed in any preceding claim.
According to a fourth aspect, the present invention provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements a method of editing content in a document as described in any one of the above.
Compared with the prior art, the scheme of the embodiment of the invention at least has the following beneficial effects:
the invention provides a method for analyzing an abnormal host by combining active and passive modes, which comprises the steps of carrying out active scanning on a suspicious host detected based on a passive rule, and comparing the results of the active and passive scanning to determine whether the suspicious host is the abnormal host; passive detection is taken as a preliminary basis, so that the cost of active scanning is reduced; the scanning task is more targeted, since passive detection has already revealed certain abnormal clues, and fewer rules are needed for scanning;
the active scanning adopted by the invention is more purposeful, and the suspicious host is found based on passive detection, so that the analysis efficiency is improved;
the invention carries out secondary analysis and confirmation on the abnormal behaviors discovered by passive detection in an active scanning mode, and can improve the accuracy of analysis.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 is a flow chart of a method for performing abnormal host analysis with active and passive integration according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an apparatus for performing abnormal host analysis with active and passive integration according to an embodiment of the present invention;
fig. 3 shows a schematic diagram of a device connection structure according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "a plurality" typically includes at least two.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that although the terms first, second, third, etc. may be used to describe … … in embodiments of the present invention, these … … should not be limited to these terms. These terms are used only to distinguish … …. For example, the first … … can also be referred to as the second … … and similarly the second … … can also be referred to as the first … … without departing from the scope of embodiments of the present invention.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that an article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in the article or device in which the element is included.
Alternative embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Example 1
As shown in fig. 1, according to a specific embodiment of the present invention, in a first aspect, the present invention provides a method for performing abnormal host analysis by active-passive combination, including:
step S101, continuously caching the network flow log in a first set time period, detecting the data flow passing through the network boundary based on a passive rule detection method, and recording the data flow characteristic information of the suspicious host IP of abnormal behavior;
for example, with one hour as the caching window and 10 minutes as the set time period, the first 10-minute network traffic log is collected and cached, then the second 10-minute network traffic log is collected and cached, and so on; when the hour is over, the sixth 10-minute network traffic log has been collected and cached.
The passive rule detection method is a detection method based on a rule or a model commonly used for passive detection, performs abnormal detection on data flow passing through a network boundary, and records all information of the data flow characteristics if the data flow characteristics of abnormal behaviors are found. Wherein, the data flow characteristics include: source IP address, destination IP address, source port, destination port, transport layer protocol type, application layer protocol key protocol field content, application layer load data, etc.
Step S102, collecting data flow information related to the suspicious host IP according to the data flow characteristics of the suspicious host IP;
and collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior in the network flow log in the second set time period of the cache by finding the data flow characteristic of the suspicious host with the abnormal behavior.
Both the first set time period and the second set time period are set in advance; the difference is that collection in the second set time period starts after the data flow characteristics of the suspicious host IP with abnormal behavior are found, whereas collection in the first set time period starts before the data flow characteristics of the suspicious host IP with abnormal behavior are found. Thus, collection in the first set time period is passive collection and collection in the second set time period is active collection.
S103, collecting backtracking flow and constructing an active detection rule;
Backtracking refers to collecting the part of the cached traffic before and after the alarm on the basis of the basic content of the current alarm information, and the specific backtracking rules are as follows:
a. the traffic should involve the same host IP address as the alarm traffic;
b. the application layer protocol should be associated with the alarm; for example, an HTTP protocol alarm requires the HTTP protocol traffic of the related IP and the DNS interaction traffic of the same IP address;
c. the backtracking time should cover a period of time, such as 5 minutes, before and after the alarm occurs.
The basic content of the current alarm information refers to the data related to the suspicious host IP with abnormal behavior found in step S102 and the alarm information.
Wherein, the two time periods before and after the alarm are the second set time period.
And collecting the backtracking flow refers to collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior before and after the alarm information appears in the network flow log in the second set time period of the cache.
The active detection rule is constructed based on the passive alarm information, and a strategy required by active detection is constructed.
Constructing an active probing rule, comprising: scanning detection, script detection and security detection;
the scanning detection means that when the alarm information can correspond to corresponding vulnerability information, various vulnerability scanning scripts pre-built in the scanner are used as scanning strategies;
The alarm information may include, for example, a CVE number, where CVE stands for "Common Vulnerabilities & Exposures".
The script detection means that the content of triggering the alarm in the alarm information is used as the script of active detection to be detected to form a series of detection scripts;
wherein, the alarm information triggers the content of the alarm, such as SQL injection, XSS attack, etc.
The security detection refers to security detection of an association protocol found by backtracking.
The security detection refers to performing security detection on the associated protocol found by the traffic information collected in step S103.
Step S104, the active scanning analysis is carried out on the IP of the suspicious host, and whether the suspicious host is abnormal or not is judged, which comprises the following steps:
and actively scanning the suspicious host IP of the abnormal behavior through the active detection rules, and judging whether the suspicious host IP is abnormal or not according to the information obtained by the active scanning.
The active scanning analysis is carried out on the host: according to the scanning detection, script detection and security detection rules, active scanning is carried out on the IP of the suspicious host to obtain more comprehensive and detailed host information for judging whether abnormal behaviors exist.
Step S105, comparing and analyzing the active scanning result and the passive detection result to determine whether the suspicious host is an abnormal host or not, wherein the step comprises the following steps:
and comparing the suspicious abnormal behaviors discovered passively with the abnormal behaviors discovered by active scanning, and determining whether the suspicious host is an abnormal host or not according to the comparison result.
And comparing the data flow characteristics according to the suspicious abnormal behavior passively found in the step S101 and the abnormal behavior actively detected and found in the step S105, and determining whether the suspicious host is an abnormal host according to the comparison result. The comparison result comprises: if the data flow characteristics of the suspicious abnormal behaviors discovered passively are the same as the data flow characteristics of the abnormal behaviors discovered by the active scanning, the suspicious host is judged to be an abnormal host, and otherwise, the suspicious host is judged to be a non-abnormal host.
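The backtracking rules (a to c), the construction of the active detection rule and the final passive/active comparison, worked through on constructed flow records. This is an added illustration, not the patent holder's code; the Flow fields follow the patent's list of data flow characteristics, while the protocol association table, the scanner script names, the sample flows and the host-side comparison key are assumptions.

```python
# Added example: backtracking (S103), probe-rule construction (S103) and the
# passive/active comparison (S105) over constructed flow records.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One cached data flow with the characteristic fields the patent lists."""
    ts: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    l4: str        # transport layer protocol type
    l7: str        # application layer protocol type
    fields: str    # key application layer protocol field content
    payload: str   # application layer load data


# Rule b: protocols associated with the alarm's protocol. Assumed table; the patent
# only gives the HTTP -> HTTP + DNS case as its example.
ASSOCIATED_PROTOCOLS: Dict[str, Set[str]] = {"HTTP": {"HTTP", "DNS"}}


def backtrack(cache: List[Flow], alarm: Flow, host_ip: str,
              window: timedelta = timedelta(minutes=5)) -> List[Flow]:
    """Select backtracking traffic: same host IP (a), associated protocol (b),
    within +/- window of the alarm (c; the patent's example is 5 minutes)."""
    wanted = ASSOCIATED_PROTOCOLS.get(alarm.l7, {alarm.l7})
    return [f for f in cache
            if host_ip in (f.src_ip, f.dst_ip)
            and f.l7 in wanted
            and abs(f.ts - alarm.ts) <= window]


# Assumed mapping from alarm CVE ids to pre-built scanner scripts (placeholder ids).
SCANNER_SCRIPTS = {"CVE-0000-0000": "scan_cve_0000_0000_placeholder"}


def build_probe_rule(alarm_info: dict, backtracked: List[Flow]) -> Dict[str, List[str]]:
    """Construct the active detection rule from the passive alarm: scanning detection
    (CVE -> pre-built scanner script), script detection (replay of the content that
    triggered the alarm) and security detection (one check per associated protocol
    found by backtracking)."""
    scan = [SCANNER_SCRIPTS[c] for c in alarm_info.get("cve", []) if c in SCANNER_SCRIPTS]
    script = [f"replay:{t}" for t in alarm_info.get("trigger", [])]
    security = [f"security_check:{p}" for p in sorted({f.l7 for f in backtracked})]
    return {"scan": scan, "script": script, "security": security}


def host_side_features(f: Flow, host_ip: str) -> Tuple:
    """Feature tuple as seen from the suspicious host's side. The scanner's own
    address replaces the original peer, so peer IP/port are left out (assumption:
    the patent only says the 'data flow characteristics' are compared)."""
    host_port = f.src_port if f.src_ip == host_ip else f.dst_port
    return (host_ip, host_port, f.l4, f.l7, f.fields, f.payload)


def is_abnormal_host(passive: List[Flow], active: List[Flow], host_ip: str) -> bool:
    """Step S105: abnormal host iff every passively found abnormal flow feature is
    reproduced by the active scan result; otherwise a non-abnormal host."""
    passive_keys = {host_side_features(f, host_ip) for f in passive}
    active_keys = {host_side_features(f, host_ip) for f in active}
    return bool(passive_keys) and passive_keys <= active_keys


# --- constructed sample data (not real traffic) ------------------------------
T0 = datetime(2020, 6, 1, 10, 0, 0)
HOST = "10.0.0.5"   # suspicious host flagged by passive rule detection
ALARM = Flow(T0, "203.0.113.7", HOST, 51000, 80, "TCP", "HTTP", "GET /login", "id=1 OR 1=1")
CACHE = [
    Flow(T0 - timedelta(minutes=2, seconds=30), HOST, "10.0.0.2", 40000, 53, "UDP", "DNS", "A example.test", ""),
    Flow(T0 - timedelta(minutes=2), HOST, "198.51.100.9", 40001, 25, "TCP", "SMTP", "EHLO", ""),  # not associated
    ALARM,
    Flow(T0 + timedelta(minutes=1), "203.0.113.7", "10.0.0.9", 51003, 80, "TCP", "HTTP", "GET /", ""),  # other host
    Flow(T0 + timedelta(minutes=2), "203.0.113.7", HOST, 51001, 80, "TCP", "HTTP", "GET /admin", ""),
    Flow(T0 + timedelta(minutes=9), "203.0.113.7", HOST, 51002, 80, "TCP", "HTTP", "GET /", ""),  # outside window
]
ALARM_INFO = {"cve": ["CVE-0000-0000"], "trigger": ["SQL injection"]}


def run_example():
    """Backtrack, build the probe rule, then compare a simulated active-scan result."""
    bt = backtrack(CACHE, ALARM, HOST)
    rule = build_probe_rule(ALARM_INFO, bt)
    # Simulated active scan result: the scanner (192.0.2.1) replays the trigger and
    # observes the same host-side characteristics that passive detection recorded.
    active = [Flow(T0 + timedelta(minutes=15), "192.0.2.1", HOST, 60000, 80,
                   "TCP", "HTTP", "GET /login", "id=1 OR 1=1")]
    return bt, rule, is_abnormal_host([ALARM], active, HOST)


if __name__ == "__main__":
    flows, rule, verdict = run_example()
    print(len(flows), "backtracked flows;", rule, "; abnormal host:", verdict)
```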
The passive detection is taken as a preliminary basis, so that the cost of active scanning is reduced; the scanning task is more targeted, since passive detection has already revealed certain abnormal clues, and fewer rules are needed for scanning;
the active scanning adopted by the invention is more purposeful: based on the host discovered by passive detection, the analysis task can be completed by scanning only one host, or even only one port of that host, so that the analysis efficiency is improved;
the invention carries out secondary analysis and confirmation on the abnormal behaviors discovered by passive detection in an active scanning mode, and can improve the accuracy of analysis.
Example 2
The invention provides a device for analyzing an abnormal host by active and passive combination, as shown in fig. 2, comprising: the device comprises a recording unit 201, a collecting unit 202, a backtracking unit 203, an analyzing unit 204 and a comparing unit 205;
the recording unit 201 is configured to continuously cache a network traffic log within a first set time period, detect a data stream passing through a network boundary based on a passive rule detection method, and record data stream feature information of a suspicious host IP in which an abnormal behavior is found;
the collecting unit 202 is configured to collect data flow information related to the suspicious host IP according to the data flow feature information of the suspicious host IP;
the backtracking unit 203 is configured to collect backtracking traffic and construct an active detection rule, where the backtracking traffic refers to a part of traffic before and after the alarm, which is found in cache traffic based on the basic content of the current alarm information;
the analysis unit 204 is configured to perform active scanning analysis on the suspicious host IP, and determine whether the suspicious host is abnormal;
the comparing unit 205 is configured to compare and analyze the active scanning result and the passive detection result, and determine whether the suspicious host is an abnormal host.
Optionally, the collecting, by using the suspicious host IP data flow feature, data flow information related to the suspicious host IP includes:
and collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior in the network flow log in the second set time period of the cache by finding the data flow characteristic of the suspicious host with the abnormal behavior.
Optionally, the collecting backtracking traffic includes:
and collecting data flow characteristic information related to the IP address of the suspicious host with the abnormal behavior before the alarm information occurs and after the alarm in the network flow log in the second set time period of the cache.
Optionally, the constructing an active probing rule includes: scanning detection, script detection and security detection;
the scanning detection means that when the alarm information can correspond to corresponding vulnerability information, various vulnerability scanning scripts pre-built in the scanner are used as scanning strategies;
the script detection means that the content of triggering the alarm in the alarm information is used as the script of active detection to be detected to form a series of detection scripts;
the security detection refers to security detection of an association protocol found by backtracking.
Optionally, the performing active scanning analysis on the IP of the suspicious host to determine whether the suspicious host is abnormal includes:
and actively scanning the suspicious host IP of the abnormal behavior through the active detection rules, and judging whether the suspicious host IP is abnormal or not according to the information obtained by the active scanning.
Optionally, the comparing and analyzing the active scanning and the passive detection result to determine whether the suspicious host is an abnormal host includes:
and comparing the suspicious abnormal behaviors discovered passively with the abnormal behaviors discovered by active scanning, and determining whether the suspicious host is an abnormal host or not according to the comparison result.
Optionally, the comparison result includes:
if the data flow characteristics of the suspicious abnormal behaviors discovered passively are the same as the data flow characteristics of the abnormal behaviors discovered by the active scanning, the suspicious host is judged to be an abnormal host, and otherwise, the suspicious host is judged to be a non-abnormal host.
The passive detection is taken as a preliminary basis, so that the cost of active scanning is reduced; the scanning task is more targeted, since passive detection has already revealed certain abnormal clues, and fewer rules are needed for scanning;
the active scanning adopted by the invention is more purposeful: based on the host discovered by passive detection, the analysis task can be completed by scanning only one host, or even only one port of that host, so that the analysis efficiency is improved;
the invention carries out secondary analysis and confirmation on the abnormal behaviors discovered by passive detection in an active scanning mode, and can improve the accuracy of analysis.
Example 3
As shown in fig. 3, the present embodiment provides an apparatus for performing abnormal host analysis by active-passive combination, the apparatus comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, enabling the at least one processor to perform the active-passive combined abnormal host analysis.
Referring now to FIG. 3, shown is a schematic block diagram of an apparatus suitable for implementing embodiments of the present disclosure. The terminal device in the embodiments of the present disclosure may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player) or a vehicle terminal (e.g., a car navigation terminal), and a stationary terminal such as a digital TV or a desktop computer. The device shown in fig. 3 is only an example and does not limit the functions or scope of use of the embodiments of the present disclosure.
As shown in fig. 3, the apparatus may include a processing device (e.g., central processing unit, graphics processor, etc.) 301 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)302 or a program loaded from a storage device 308 into a Random Access Memory (RAM) 303. In the RAM 303, various programs and data necessary for the operation of the apparatus are also stored. The processing device 301, the ROM 302, and the RAM 303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
Generally, the following devices may be connected to the I/O interface 305: input devices 306 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 307 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage devices 308 including, for example, magnetic tape, hard disk, etc.; and a communication device 309. The communication means 309 may allow the device to communicate wirelessly or by wire with other devices to exchange data. While fig. 3 illustrates an apparatus having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication means 309, or installed from the storage means 308, or installed from the ROM 302. The computer program, when executed by the processing device 301, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
Example 4
The embodiment of the present disclosure provides a non-volatile computer storage medium storing computer executable instructions, which can perform the active-passive combined abnormal host analysis of any of the above method embodiments.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the apparatus; or may be separate and not incorporated into the device.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Claims (10)

1. A method for performing abnormal host analysis by active and passive combination is characterized by comprising the following steps:
continuously caching network flow logs in a first set time period, detecting data flow passing through a network boundary based on a passive rule detection method, and recording data flow characteristic information of a suspicious host IP (Internet protocol) with abnormal behavior; wherein, the data flow characteristic information refers to all relevant protocol field characteristics of abnormal behavior data, including: a source IP address, a destination IP address, a source port, a destination port, a transport layer protocol type, an application layer protocol type, application layer protocol key protocol field content and application layer load data;
collecting data flow information related to the suspicious host IP through the data flow characteristic information of the suspicious host IP;
collecting backtracking traffic and constructing an active detection rule, wherein the backtracking traffic refers to the portion of the cached traffic before and after the alarm, located in the cache on the basis of the content of the current alarm information;
carrying out active scanning analysis on the suspicious host IP, and judging whether the suspicious host is abnormal;
comparing and analyzing the active scanning result and the passive detection result to determine whether the suspicious host is an abnormal host.
2. The method of claim 1, wherein collecting data flow information related to the suspicious host IP through the data flow characteristic information of the suspicious host IP comprises:
using the discovered data flow characteristics of the suspicious host with abnormal behavior to collect, from the network flow log cached over a second set time period, the data flow characteristic information related to the IP address of that suspicious host.
3. The method of claim 2, wherein collecting the backtracking traffic comprises:
collecting, from the network flow log cached over the second set time period, the data flow characteristic information related to the IP address of the suspicious host with abnormal behavior both before the alarm information occurred and after the alarm.
4. The method of claim 1, wherein constructing the active detection rules comprises scanning detection, script detection and security detection;
scanning detection means that, when the alarm information can be mapped to corresponding vulnerability information, the vulnerability scanning scripts pre-built into the scanner are used as the scanning strategy;
script detection means that the content which triggered the alarm is turned into a script for active probing, yielding a series of detection scripts;
security detection refers to security checks of the associated protocols found by backtracking.
5. The method according to claim 4, wherein performing active scanning analysis on the suspicious host IP to determine whether the suspicious host is abnormal comprises:
actively scanning the suspicious host IP that exhibited the abnormal behavior according to the active detection rules, and judging from the information obtained by the active scan whether the suspicious host IP is abnormal.
6. The method of claim 1, wherein comparing the active scanning result with the passive detection result to determine whether the suspicious host is an abnormal host comprises:
comparing the suspicious abnormal behavior discovered passively with the abnormal behavior discovered by active scanning, and determining from the comparison result whether the suspicious host is an abnormal host.
7. The method of claim 6, wherein the comparison result comprises:
if the data flow characteristics of the suspicious abnormal behavior discovered passively are the same as the data flow characteristics of the abnormal behavior discovered by active scanning, the suspicious host is judged to be an abnormal host; otherwise it is judged to be a non-abnormal host.
8. An apparatus for performing abnormal host analysis by active and passive combination, comprising: a recording unit, a collecting unit, a backtracking unit, an analyzing unit and a comparing unit;
the recording unit is used for continuously caching the network flow logs over a first set time period, detecting the data flow passing through the network boundary based on a passive rule detection method, and recording the data flow characteristic information of the suspicious host IP with abnormal behavior;
the collecting unit is used for collecting data flow information related to the suspicious host IP through the data flow characteristic information of the suspicious host IP;
the backtracking unit is used for collecting backtracking traffic and constructing an active detection rule, wherein the backtracking traffic refers to the portion of the cached traffic before and after the alarm, located in the cache on the basis of the content of the current alarm information;
the analysis unit is used for carrying out active scanning analysis on the suspicious host IP and judging whether the suspicious host is abnormal;
the comparison unit is used for comparing and analyzing the active scanning result and the passive detection result to determine whether the suspicious host is an abnormal host.
9. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method according to any one of claims 1 to 7.
10. An apparatus, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out the method of any one of claims 1 to 7.
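The following is an added worked example of the pipeline described above and fixed in claims 1 to 7 (cache flow logs, passive rule detection, collection of related flows, backtracking around the alarm, construction of scanning/script/security probe rules, active scan, and comparison of the two feature sets). It is illustrative code written for this page, not code from the patent or its applicant. The pipe-separated log format, the single webshell rule, the vulnerability-to-script table, the mock network target and all host addresses are assumptions constructed for the example.

```python
"""Active-passive combined abnormal host analysis (added example, not the patent's code).
Log format, rule content, vulnerability scripts and the mock target are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    """One cached flow record carrying the data flow characteristic fields of claim 1."""
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    l4: str         # transport layer protocol
    l7: str         # application layer protocol
    key: str        # key application-layer field (here: HTTP request line or banner)
    payload: bytes  # application layer load


@dataclass(frozen=True)
class Rule:
    name: str
    vuln_id: Optional[str]            # vulnerability the alarm maps to, if any
    passive: Callable[[Flow], bool]   # fires on the flow that raises the alarm
    confirm: Callable[[bytes], bool]  # recognises the same behaviour in a probe response


# Constructed rule: HTTP POST with a cmd= body to a .php resource, confirmed by command output.
RULES = [
    Rule("webshell_cmd", "WEBSHELL-001",
         lambda f: f.l7 == "http" and f.key.startswith("POST")
         and f.key.endswith(".php") and b"cmd=" in f.payload,
         lambda r: re.search(rb"uid=\d+\(", r) is not None),
]
# Pre-built scanner scripts keyed by vulnerability id (scanning detection); constructed.
VULN_SCRIPTS = {"WEBSHELL-001": [b"cmd=id", b"cmd=whoami"]}


def parse_log(lines):
    """Parse constructed 'ts|src|dst|sport|dport|l4|l7|key|payload' lines into the cache."""
    flows = []
    for line in lines:
        ts, s, d, sp, dp, l4, l7, key, payload = line.rstrip("\n").split("|", 8)
        flows.append(Flow(int(ts), s, d, int(sp), int(dp), l4, l7, key, payload.encode()))
    return flows


def passive_detect(cache):
    """Passive rule detection; the suspicious host is the destination of the matching flow."""
    return [(r, f) for f in cache for r in RULES if r.passive(f)]


def related_flows(cache, ip, t0, t1):
    """All cached flows touching the suspicious host IP inside [t0, t1]."""
    return [f for f in cache if ip in (f.src_ip, f.dst_ip) and t0 <= f.ts <= t1]


def build_probe_rules(rule, alarm, backtracked):
    """Scanning (pre-built vuln scripts), script (replay of the alarm content) and
    security (checks on other protocols the host spoke in the backtracked window)."""
    host, port = alarm.dst_ip, alarm.dst_port
    probes = [("scanning", host, port, alarm.l4, alarm.l7, rule, p)
              for p in VULN_SCRIPTS.get(rule.vuln_id, [])]
    probes.append(("script", host, port, alarm.l4, alarm.l7, rule, alarm.payload))
    for f in backtracked:
        if f.dst_ip == host and f.l7 != alarm.l7:
            probes.append(("security", host, f.dst_port, f.l4, f.l7, None, b""))
    return probes


def active_scan(probes, send):
    """send(ip, port, l4, l7, payload) -> response bytes, or None if filtered/timed out.
    Returns the feature keys whose abnormal behaviour was confirmed plus the filtered probes."""
    confirmed, filtered = set(), []
    for kind, ip, port, l4, l7, rule, payload in probes:
        resp = send(ip, port, l4, l7, payload)
        if resp is None:
            filtered.append((kind, ip, port))
        elif rule is not None and rule.confirm(resp):
            confirmed.add((ip, port, l4, l7, rule.name))
    return confirmed, filtered


def analyze(log_lines, send, window=300, before=60, after=60):
    """{suspicious_ip: verdict}. 'abnormal' when passive and active features agree (claim 7);
    'unconfirmed' when probes were filtered and nothing confirmed, because a blocked scan
    is not evidence that the host is clean; otherwise 'non-abnormal'."""
    cache = parse_log(log_lines)
    verdicts = {}
    for rule, f in passive_detect(cache):
        passive_key = (f.dst_ip, f.dst_port, f.l4, f.l7, rule.name)
        related = related_flows(cache, f.dst_ip, f.ts - window, f.ts + window)
        backtracked = [x for x in related if f.ts - before <= x.ts <= f.ts + after]
        confirmed, filtered = active_scan(build_probe_rules(rule, f, backtracked), send)
        if passive_key in confirmed:
            verdicts[f.dst_ip] = "abnormal"
        elif filtered and not confirmed:
            verdicts[f.dst_ip] = "unconfirmed"
        else:
            verdicts[f.dst_ip] = "non-abnormal"
    return verdicts


# Constructed flow log: an SSH session, a webshell command to 10.0.0.5, then 10.0.0.5 calling out.
SAMPLE_LOG = [
    "1000|198.51.100.7|10.0.0.5|51000|22|tcp|ssh|SSH-2.0-OpenSSH|",
    "1030|198.51.100.7|10.0.0.5|51002|80|tcp|http|POST /uploads/x.php|cmd=id",
    "1031|10.0.0.5|203.0.113.9|40001|80|tcp|http|GET /|",
]


def mock_send(ip, port, l4, l7, payload):
    """Stand-in for the network (assumption): 10.0.0.5:80 hosts a webshell, :22 answers a banner."""
    if ip == "10.0.0.5" and port == 80 and payload.startswith(b"cmd="):
        return b"uid=33(www-data) gid=33(www-data)\n"
    if ip == "10.0.0.5" and port == 22:
        return b"SSH-2.0-OpenSSH_8.9\r\n"
    return None


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, mock_send))  # {'10.0.0.5': 'abnormal'}
```

The comparison key is the tuple of host IP, port, transport protocol, application protocol and rule name, so the active scan confirms a host only when it reproduces the very behavior that raised the passive alarm on the same service. The `send` callable is the only place the example touches the network; swapping the mock for a real socket client does not change the analysis. The extra `unconfirmed` verdict is a design choice of this example, not part of the claims: when every probe is dropped by a firewall or times out, the active side has produced no evidence either way, and silently reporting the host as non-abnormal would turn a blocked scan into a false negative.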
CN202010587801.8A 2020-06-24 2020-06-24 Method, device, medium and equipment for analyzing abnormal host by active and passive combination Active CN113839912B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010587801.8A CN113839912B (en) 2020-06-24 2020-06-24 Method, device, medium and equipment for analyzing abnormal host by active and passive combination

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010587801.8A CN113839912B (en) 2020-06-24 2020-06-24 Method, device, medium and equipment for analyzing abnormal host by active and passive combination

Publications (2)

Publication Number Publication Date
CN113839912A true CN113839912A (en) 2021-12-24
CN113839912B CN113839912B (en) 2023-08-22

Family

ID=78964502

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010587801.8A Active CN113839912B (en) 2020-06-24 2020-06-24 Method, device, medium and equipment for analyzing abnormal host by active and passive combination

Country Status (1)

Country Link
CN (1) CN113839912B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115550068A (en) * 2022-11-28 2022-12-30 天津安华易科技发展有限公司 Host log information security audit method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2408116A1 (en) * 2002-03-29 2003-09-29 Nec Infrontia Corporation Wireless lan system, host apparatus and wireless lan base station
US20080080518A1 (en) * 2006-09-29 2008-04-03 Hoeflin David A Method and apparatus for detecting compromised host computers
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
US20120090027A1 (en) * 2010-10-12 2012-04-12 Electronics And Telecommunications Research Institute Apparatus and method for detecting abnormal host based on session monitoring
CN103595569A (en) * 2013-11-15 2014-02-19 南京云川信息技术有限公司 Method for handling database storage of alarm information of network management system
CN104363236A (en) * 2014-11-21 2015-02-18 西安邮电大学 Automatic vulnerability validation method
CN105933186A (en) * 2016-06-30 2016-09-07 北京奇虎科技有限公司 Security detection method, device and system
CN110138745A (en) * 2019-04-23 2019-08-16 极客信安(北京)科技有限公司 Abnormal host detection method, device, equipment and medium based on data stream sequences

Also Published As

Publication number Publication date
CN113839912B (en) 2023-08-22

Similar Documents

Publication Publication Date Title
US11687653B2 (en) Methods and apparatus for identifying and removing malicious applications
Schmidt et al. Monitoring smartphones for anomaly detection
US9953162B2 (en) Rapid malware inspection of mobile applications
US9832217B2 (en) Computer implemented techniques for detecting, investigating and remediating security violations to IT infrastructure
JP5852676B2 (en) Method, computer program, and system for determining vulnerability of a computer software application to an elevation of privilege attack
US20110307956A1 (en) System and method for analyzing malicious code using a static analyzer
US9584541B1 (en) Cyber threat identification and analytics apparatuses, methods and systems
US8474040B2 (en) Environmental imaging
RU2634177C1 (en) System and method for unwanted software detection
CN114124552A (en) Network attack threat level obtaining method, device and storage medium
JPWO2016121348A1 (en) Anti-malware device, anti-malware system, anti-malware method, and anti-malware program
CN109818972B (en) Information security management method and device for industrial control system and electronic equipment
Daghmehchi Firoozjaei et al. Memory forensics tools: a comparative analysis
CN113839912B (en) Method, device, medium and equipment for analyzing abnormal host by active and passive combination
CN112134870B (en) Network security threat blocking method, device, equipment and storage medium
CN110808997B (en) Method and device for remotely obtaining evidence of server, electronic equipment and storage medium
CN112685255A (en) Interface monitoring method and device, electronic equipment and storage medium
CN116595523A (en) Multi-engine file detection method, system, equipment and medium based on dynamic arrangement
CN117032894A (en) Container security state detection method and device, electronic equipment and storage medium
CN113596044B (en) Network protection method and device, electronic equipment and storage medium
CN109714371B (en) Industrial control network safety detection system
US10819730B2 (en) Automatic user session profiling system for detecting malicious intent
CN117786692A (en) Method, equipment and storage medium for detecting malicious program
CN115801447B (en) Industrial safety-based flow analysis method and device and electronic equipment
CN117240629B (en) Prediction method and prediction system based on network security intrusion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant