CN113839912B - Method, device, medium and equipment for analyzing abnormal host by active and passive combination - Google Patents
- Publication number: CN113839912B
- Application number: CN202010587801.8A
- Authority: CN (China)
- Prior art keywords: host, suspicious, detection, abnormal, active
- Legal status: Active (the legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention provides a method, a device, a medium and equipment for analyzing an abnormal host by combining active and passive detection. The method comprises the following steps: continuously caching network flow logs over a first set time period, detecting data flows passing through the network boundary with a passive rule detection method, and recording the data flow characteristic information of any suspicious host IP on which abnormal behavior is found; collecting the data flow information related to the suspicious host IP by means of its data flow characteristic information; collecting backtracking traffic and constructing an active detection rule; performing active scanning analysis on the suspicious host IP to judge whether the suspicious host is abnormal; and comparing the active scanning result with the passive detection result to determine whether the suspicious host is an abnormal host. The invention takes passive detection as the preliminary basis, so the cost of active scanning is reduced; active scanning directed at hosts already found suspicious is more purposeful, which improves analysis efficiency and accuracy.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method, a device, a medium and equipment for analyzing an abnormal host by combining active and passive detection.
Background
In the field of network security, abnormal host behavior generally covers two situations: first, the host actively carries out malicious behavior, i.e. it is controlled by an attacker; second, the host produces abnormal response information as a result of being attacked, such as information leakage or unnecessary open ports. Finding the abnormal (malicious) behavior of a host and locating and analyzing its possible cause is a necessary step in network security work. At the network level, conventional abnormal host discovery and analysis is usually implemented either by passive traffic detection or by active scanning.
The passive traffic detection method obtains only a small amount of information in a short time and cannot quickly and comprehensively discover host abnormalities;
the active scanning method is often effective on an intranet, where the number of hosts is limited and targets are easy to determine, but for extranet hosts the scanning targets are hard to determine, so it cannot be implemented effectively.
Disclosure of Invention
The invention aims to provide a method, a device, a medium and equipment for analyzing an abnormal host by combining active and passive detection, which can solve at least one technical problem. The specific scheme is as follows:
according to a first aspect of the present invention, there is provided a method for performing abnormal host analysis by active-passive combination, including:
continuously caching network flow logs over a first set time period, detecting data flows passing through the network boundary with a passive rule detection method, and recording the data flow characteristic information of any suspicious host IP on which abnormal behavior is found; the data flow characteristic information refers to all relevant protocol field characteristics of the abnormal behavior data and comprises: source IP address, destination IP address, source port, destination port, transport layer protocol type, key application layer protocol field content and application layer payload data;
collecting the data flow information related to the suspicious host IP by means of its data flow characteristic information;
collecting backtracking traffic and constructing an active detection rule, wherein the backtracking traffic is the portion of the cached traffic from before and after the alarm, looked up on the basis of the basic content of the current alarm information;
performing active scanning analysis on the suspicious host IP to judge whether the suspicious host is abnormal;
and comparing the active scanning result with the passive detection result to determine whether the suspicious host is an abnormal host.
Optionally, the collecting of data flow information related to the suspicious host IP by means of its data flow characteristics includes:
using the data flow characteristics of the suspicious host IP on which abnormal behavior was found, collecting from the network flow log cached during the second set time period all data flow characteristic information related to that suspicious host IP address.
Optionally, the collecting of backtracking traffic includes:
collecting, from the network flow log cached during the second set time period, the data flow characteristic information related to the suspicious host IP address of the abnormal behavior from before and after the occurrence of the alarm information.
Optionally, the constructing of an active detection rule includes: scanning detection, script detection and security detection;
the scanning detection means that, when the alarm information can be matched to corresponding vulnerability information, vulnerability scanning scripts built in advance on the basis of a scanner are used as the scanning strategy;
the script detection means that the content which triggered the alarm in the alarm information is turned into an active detection script, forming a series of detection scripts;
the security detection means performing security detection on the associated protocols discovered by backtracking.
Optionally, the performing of active scanning analysis on the suspicious host IP to determine whether the suspicious host is abnormal includes:
actively scanning the suspicious host IP of the abnormal behavior according to each active detection rule, and judging whether the suspicious host IP is abnormal according to the information obtained by the active scanning.
Optionally, the comparing of the active scanning result with the passive detection result to determine whether the suspicious host is an abnormal host includes:
comparing the suspicious abnormal behavior discovered by passive detection with the abnormal behavior discovered by active scanning, and confirming whether the suspicious host is an abnormal host according to the comparison result.
Optionally, the comparison result includes:
if the data flow characteristics of the suspicious abnormal behavior found passively are the same as those found by active scanning, the suspicious host is judged to be an abnormal host; otherwise it is judged to be a non-abnormal host.
According to a second aspect of the present invention, there is provided an apparatus for performing abnormal host analysis by combining active and passive detection, comprising: a recording unit 201, a collecting unit 202, a backtracking unit 203, an analyzing unit 204 and a comparing unit 205;
the recording unit 201 is configured to continuously cache the network traffic log over a first set time period, detect data flows passing through the network boundary with a passive rule detection method, and record the data flow characteristic information of any suspicious host IP on which abnormal behavior is found;
the collecting unit 202 is configured to collect, by means of the data flow characteristic information of the suspicious host IP, the data flow information related to the suspicious host IP;
the backtracking unit 203 is configured to collect backtracking traffic and construct an active detection rule, where the backtracking traffic is the portion of the cached traffic from before and after the alarm, looked up on the basis of the basic content of the current alarm information;
the analysis unit 204 is configured to perform active scanning analysis on the suspicious host IP and determine whether the suspicious host is abnormal;
the comparing unit 205 is configured to compare the active scanning result with the passive detection result and determine whether the suspicious host is an abnormal host.
Optionally, the collecting of data flow information related to the suspicious host IP by means of its data flow characteristics includes:
using the data flow characteristics of the suspicious host IP on which abnormal behavior was found, collecting from the network flow log cached during the second set time period all data flow characteristic information related to that suspicious host IP address.
Optionally, the collecting of backtracking traffic includes:
collecting, from the network flow log cached during the second set time period, the data flow characteristic information related to the suspicious host IP address of the abnormal behavior from before and after the occurrence of the alarm information.
Optionally, the constructing of an active detection rule includes: scanning detection, script detection and security detection;
the scanning detection means that, when the alarm information can be matched to corresponding vulnerability information, vulnerability scanning scripts built in advance on the basis of a scanner are used as the scanning strategy;
the script detection means that the content which triggered the alarm in the alarm information is turned into an active detection script, forming a series of detection scripts;
the security detection means performing security detection on the associated protocols discovered by backtracking.
Optionally, the performing of active scanning analysis on the suspicious host IP to determine whether the suspicious host is abnormal includes:
actively scanning the suspicious host IP of the abnormal behavior according to each active detection rule, and judging whether the suspicious host IP is abnormal according to the information obtained by the active scanning.
Optionally, the comparing of the active scanning result with the passive detection result to determine whether the suspicious host is an abnormal host includes:
comparing the suspicious abnormal behavior discovered by passive detection with the abnormal behavior discovered by active scanning, and confirming whether the suspicious host is an abnormal host according to the comparison result.
Optionally, the comparison result includes:
if the data flow characteristics of the suspicious abnormal behavior found passively are the same as those found by active scanning, the suspicious host is judged to be an abnormal host; otherwise it is judged to be a non-abnormal host.
According to a third aspect of the present invention, there is provided an apparatus comprising: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of editing content in a document as claimed in any of the preceding claims.
According to a fourth aspect of the present invention, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of editing content in a document as claimed in any of the preceding claims.
Compared with the prior art, the scheme provided by the embodiments of the invention has at least the following beneficial effects:
the invention provides a method for analyzing an abnormal host by combining active and passive detection, which actively scans a suspicious host detected on the basis of passive rules and compares the active and passive results to determine whether the suspicious host is an abnormal host; passive detection is taken as the preliminary basis, so the cost of active scanning is reduced; the scanning is more targeted, because the passive detection has already revealed a concrete abnormal clue, and fewer rules need to be used in the scan;
the active scanning adopted by the invention is more purposeful, since suspicious hosts are found by passive detection first, so analysis efficiency is improved;
the invention performs secondary analysis and confirmation of the abnormal behavior found by passive detection by means of active scanning, which improves analysis accuracy.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. It is evident that the drawings in the following description are only some embodiments of the present invention and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art. In the drawings:
FIG. 1 is a flow chart of a method for abnormal host analysis by active-passive combination according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an apparatus for abnormal host analysis by active-passive combination according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a device connection structure according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise; "plurality" generally means at least two.
It should be understood that the term "and/or" as used herein merely describes an association between the associated objects and covers three cases; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the character "/" herein generally indicates that the objects before and after it stand in an "or" relationship.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present invention to describe … …, these … … should not be limited by these terms. These terms are only used to distinguish … … from one another. For example, a first … … may also be referred to as a second … …, and similarly a second … … may also be referred to as a first … …, without departing from the scope of the embodiments of the present invention.
The word "if", as used herein, may be interpreted as "when … …" or "upon … …" or "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrase "if it is determined" or "if (a stated condition or event) is detected" may be interpreted as "when it is determined" or "in response to determining" or "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)", depending on the context.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a product or apparatus comprising a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such a product or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of other like elements in a commodity or device comprising that element.
Alternative embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
As shown in fig. 1, according to a specific embodiment of the present invention, in a first aspect, the present invention provides a method for performing abnormal host analysis by active-passive combination, including:
step S101, continuously caching the network flow log over a first set time period, detecting data flows passing through the network boundary with a passive rule detection method, and recording the data flow characteristic information of any suspicious host IP on which abnormal behavior is found;
here the network traffic log is cached for a set period. For example, with a one-hour cache divided into 10-minute segments, the first 10 minutes of the log are cached, then the second 10 minutes are cached after the first, and so on, until at the end of the hour the sixth 10-minute segment has been cached.
The passive rule detection method is a rule- or model-based detection method of the kind commonly used for passive detection; it detects abnormalities in the data flows passing through the network boundary and, when a data flow with abnormal behavior is found, records all of that flow's characteristic information. The data flow characteristics include: source IP address, destination IP address, source port, destination port, transport layer protocol type, key application layer protocol field content, application layer payload data, etc.
Step S102, collecting the data flow information related to the suspicious host IP by means of its data flow characteristics;
using the data flow characteristics of the suspicious host IP on which abnormal behavior was found, the data flow characteristic information related to that suspicious host IP address is collected from the network flow log cached during the second set time period.
The second set time period and the first set time period are both set in advance; the difference is that collection over the second set time period begins after the data flow characteristics of the suspicious host IP with abnormal behavior have been found, while collection over the first set time period begins before they are found. Thus collection over the first set time period is passive, and collection over the second set time period is active.
Step S103, collecting backtracking traffic and constructing an active detection rule;
backtracking refers to collecting, on the basis of the basic content of the current alarm information, the portion of the cached traffic from before and after the alarm. The specific backtracking rules are as follows:
a. the host IP address should be the same as the one associated with the alarm traffic;
b. the application layer protocol should be relevant; for example, an HTTP protocol alarm requires the HTTP protocol traffic of the related IP and the DNS interaction traffic of the same IP address;
c. the backtracking time should cover a period, such as 5 minutes, before and after the alarm occurs.
The basic content of the current alarm information refers to the data related to the suspicious host IP of the abnormal behavior found in step S1021, together with the alarm information.
The two periods before and after the alarm together make up the second set time period.
Collecting backtracking traffic thus means collecting, from the network traffic log cached during the second set time period, the data flow characteristic information related to the suspicious host IP address of the abnormal behavior from before and after the occurrence of the alarm information.
Constructing the active detection rule means constructing the strategy required for active detection on the basis of the passive alarm information.
Constructing an active detection rule comprises: scanning detection, script detection and security detection;
the scanning detection means that, when the alarm information can be matched to corresponding vulnerability information, vulnerability scanning scripts built in advance on the basis of a scanner are used as the scanning strategy;
an example of such vulnerability information in the alarm is a CVE number (CVE, "Common Vulnerabilities & Exposures", is the common vulnerability disclosure identifier).
The script detection means that the content which triggered the alarm in the alarm information is turned into an active detection script, forming a series of detection scripts;
examples of the alarm-triggering content in the alarm information are SQL injection, XSS attacks and the like.
The security detection means performing security detection on the associated protocols discovered by backtracking, i.e. the protocols discovered in the traffic information collected in step S103.
Step S104, performing active scanning analysis on the suspicious host IP to judge whether the suspicious host is abnormal, which comprises:
actively scanning the suspicious host IP of the abnormal behavior according to each active detection rule, and judging whether the suspicious host IP is abnormal according to the information obtained by the active scanning.
Active scanning analysis of the host means actively scanning the suspicious host IP according to the scanning detection, script detection and security detection rules so as to obtain more comprehensive and detailed host information, which is then used to judge whether abnormal behavior exists.
Step S105, comparing the active scanning result with the passive detection result to determine whether the suspicious host is an abnormal host, which comprises:
comparing the suspicious abnormal behavior discovered by passive detection with the abnormal behavior discovered by active scanning, and confirming whether the suspicious host is an abnormal host according to the comparison result.
The data flow characteristics of the suspicious abnormal behavior passively found in step S101 are compared with those of the suspicious abnormal behavior actively detected in step S105, and whether the suspicious host is an abnormal host is determined from the comparison result. The comparison result comprises: if the data flow characteristics of the suspicious abnormal behavior found passively are the same as those found by active scanning, the suspicious host is judged to be an abnormal host; otherwise it is judged to be a non-abnormal host.
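As an added example (not code from the patent, whose text describes no implementation), the following Python models steps S101 to S105 summarized in the first aspect and detailed above, run over constructed flow records: a rolling one-hour cache in 10-minute segments, a passive rule pass over each boundary-crossing flow, backtracking by rules a to c (shared IP with the alarm traffic, related application protocol, 5 minutes either side of the alarm), construction of the three kinds of active detection rule as data, and the step S105 comparison of data flow characteristics. The rule names, the record fields, the RELATED_APP table and the constructed active-scan outcome are all assumptions; step S104 itself is represented only by that constructed outcome.

```python
# Added example, not the patent's own code: a toy model of steps S101-S105 on
# constructed flow records. Rule names, field names and helpers are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re


@dataclass(frozen=True)
class Flow:
    """One flow log record carrying the data flow characteristics listed in step S101."""
    ts: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str      # transport layer protocol type
    app: str        # application layer protocol
    payload: str    # application layer payload (constructed text)


@dataclass(frozen=True)
class Alarm:
    """Passive alarm: the rule that fired, the flow it fired on, the suspicious host it points at."""
    rule: str
    flow: Flow
    host_ip: str
    vuln_id: Optional[str] = None   # a CVE number when the rule maps to one (placeholder)


# Passive rule set (constructed signatures): name -> (payload regex, vulnerability id or None).
PASSIVE_RULES = {
    "sqli": (re.compile(r"(?i)union\s+select|'\s*or\s+1=1"), None),
    "xss": (re.compile(r"(?i)<script"), None),
}
# Backtracking rule b: application protocols relevant to an alarm on a given protocol (assumed table).
RELATED_APP = {"http": {"http", "dns"}, "dns": {"dns"}}


class RollingCache:
    """Step S101 cache: retains `buckets` consecutive segments of `bucket_len` (default 6 x 10 min)."""

    def __init__(self, bucket_len=timedelta(minutes=10), buckets=6):
        self.retention = bucket_len * buckets
        self.flows = []

    def add(self, flow):
        self.flows.append(flow)
        oldest = flow.ts - self.retention
        self.flows = [f for f in self.flows if f.ts > oldest]   # evict expired segments

    def window(self, center, radius):
        return [f for f in self.flows if abs(f.ts - center) <= radius]


def passive_detect(flow):
    """Apply the passive rules to a boundary-crossing flow; the destination is taken as the suspicious host."""
    for name, (pattern, vuln_id) in PASSIVE_RULES.items():
        if pattern.search(flow.payload):
            return Alarm(rule=name, flow=flow, host_ip=flow.dst_ip, vuln_id=vuln_id)
    return None


def backtrack(cache, alarm, radius=timedelta(minutes=5)):
    """Step S103 rules a-c: shares an IP with the alarm traffic, related app protocol, +/- radius."""
    alarm_ips = {alarm.flow.src_ip, alarm.flow.dst_ip}
    related = RELATED_APP.get(alarm.flow.app, {alarm.flow.app})
    return [f for f in cache.window(alarm.flow.ts, radius)
            if alarm_ips & {f.src_ip, f.dst_ip} and f.app in related]


def build_active_rules(alarm, backtracked):
    """Scanning / script / security detection rules derived from the alarm, returned as data only."""
    rules = []
    if alarm.vuln_id:                      # scanning detection: only when a vulnerability id exists
        rules.append(("scan", alarm.vuln_id))
    rules.append(("script", alarm.rule))   # script detection: probe for the alarm-triggering content
    for app in sorted({f.app for f in backtracked}):
        rules.append(("security", app))    # security detection: each protocol seen in backtracking
    return rules


def confirm_abnormal(alarm, active_findings):
    """Step S105: abnormal host only if active scanning reproduced the passively seen characteristics."""
    passive = (alarm.host_ip, alarm.flow.dst_port, alarm.flow.proto, alarm.flow.app, alarm.rule)
    return passive in set(active_findings)


def run_demo():
    """Constructed traffic: a DNS lookup, an HTTP request carrying a SQLi pattern, and unrelated noise."""
    t0 = datetime(2020, 6, 1, 12, 0)
    cache = RollingCache()
    flows = [
        Flow(t0, "203.0.113.7", "198.51.100.53", 51000, 53, "udp", "dns", "A? web.example"),
        Flow(t0 + timedelta(minutes=1), "203.0.113.7", "198.51.100.10", 51001, 80, "tcp", "http",
             "GET /item?id=1 UNION SELECT password FROM users"),
        Flow(t0 + timedelta(minutes=2), "203.0.113.9", "198.51.100.22", 51002, 22, "tcp", "ssh", "SSH-2.0"),
        Flow(t0 + timedelta(minutes=3), "198.51.100.10", "203.0.113.8", 80, 51003, "tcp", "http", "HTTP/1.1 200 OK"),
    ]
    alarm = None
    for f in flows:                        # S101: cache every flow and run the passive rules as it passes
        cache.add(f)
        alarm = alarm or passive_detect(f)
    back = backtrack(cache, alarm)         # S102/S103: related traffic +/- 5 min around the alarm
    rules = build_active_rules(alarm, back)
    # S104 is not executed here; constructed outcome: the script probe reproduced the same characteristics.
    active = [("198.51.100.10", 80, "tcp", "http", "sqli")]
    return alarm, back, rules, confirm_abnormal(alarm, active)   # S105
```

Taking the destination of the alarm flow as the suspicious host mirrors the second situation described in the Background (a host that is attacked and produces abnormal responses); for the first situation the source would be recorded instead, and the comparison key in confirm_abnormal would change accordingly. The SSH flow in the demo is dropped by backtracking on both rule a and rule b, which is the mechanism by which the patent keeps the active stage narrow.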
The invention takes passive detection as the preliminary basis, so the cost of active scanning is reduced; the scanning is more targeted, because the passive detection has already revealed a concrete abnormal clue, and fewer rules need to be used in the scan;
the active scanning adopted by the invention is more purposeful: based on the host found by passive detection, the analysis task can be completed by scanning only one host, and even only the one port on that host, which improves analysis efficiency;
the invention performs secondary analysis and confirmation of the abnormal behavior found by passive detection by means of active scanning, which improves analysis accuracy.
Example 2
The invention provides a device for analyzing an abnormal host by combining active and passive detection, as shown in fig. 2, comprising: a recording unit 201, a collecting unit 202, a backtracking unit 203, an analyzing unit 204 and a comparing unit 205;
the recording unit 201 is configured to continuously cache the network traffic log over a first set time period, detect data flows passing through the network boundary with a passive rule detection method, and record the data flow characteristic information of any suspicious host IP on which abnormal behavior is found;
the collecting unit 202 is configured to collect, by means of the data flow characteristic information of the suspicious host IP, the data flow information related to the suspicious host IP;
the backtracking unit 203 is configured to collect backtracking traffic and construct an active detection rule, where the backtracking traffic is the portion of the cached traffic from before and after the alarm, looked up on the basis of the basic content of the current alarm information;
the analysis unit 204 is configured to perform active scanning analysis on the suspicious host IP and determine whether the suspicious host is abnormal;
the comparing unit 205 is configured to compare the active scanning result with the passive detection result and determine whether the suspicious host is an abnormal host.
Optionally, the collecting of data flow information related to the suspicious host IP by means of its data flow characteristics includes:
using the data flow characteristics of the suspicious host IP on which abnormal behavior was found, collecting from the network flow log cached during the second set time period all data flow characteristic information related to that suspicious host IP address.
Optionally, the collecting of backtracking traffic includes:
collecting, from the network flow log cached during the second set time period, the data flow characteristic information related to the suspicious host IP address of the abnormal behavior from before and after the occurrence of the alarm information.
Optionally, the constructing of an active detection rule includes: scanning detection, script detection and security detection;
the scanning detection means that, when the alarm information can be matched to corresponding vulnerability information, vulnerability scanning scripts built in advance on the basis of a scanner are used as the scanning strategy;
the script detection means that the content which triggered the alarm in the alarm information is turned into an active detection script, forming a series of detection scripts;
the security detection means performing security detection on the associated protocols discovered by backtracking.
Optionally, the performing of active scanning analysis on the suspicious host IP to determine whether the suspicious host is abnormal includes:
actively scanning the suspicious host IP of the abnormal behavior according to each active detection rule, and judging whether the suspicious host IP is abnormal according to the information obtained by the active scanning.
Optionally, the comparing of the active scanning result with the passive detection result to determine whether the suspicious host is an abnormal host includes:
comparing the suspicious abnormal behavior discovered by passive detection with the abnormal behavior discovered by active scanning, and confirming whether the suspicious host is an abnormal host according to the comparison result.
Optionally, the comparison result includes:
if the data flow characteristics of the suspicious abnormal behavior found passively are the same as those found by active scanning, the suspicious host is judged to be an abnormal host; otherwise it is judged to be a non-abnormal host.
The invention takes passive detection as the preliminary basis, so the cost of active scanning is reduced: the scan is aimed at the specific problem that needs scanning, the passive detection has already exposed a definite abnormal clue, and the set of rules used in the scan is reduced;
the active scanning adopted by the invention is more purposeful: based on the host found by passive detection, the analysis task can be completed by scanning only one host, or even only one port of that host, which improves analysis efficiency;
the invention performs secondary analysis and confirmation of the abnormal behavior found by passive detection by means of active scanning, which improves analysis accuracy.
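Worked example of the active stage described in the optional clauses above (the same steps are claimed in claims 2 to 4 below). This is added illustration, not code from the patent: it builds the three kinds of active detection rule from one passive alarm and its backtracked flows, runs them against the suspicious host only, and applies the comparison rule. The alarm, the backtracked flows, the prebuilt script table, the field and rule names and the simulated target are all constructed assumptions; a real deployment would drive its scanner against the live host instead of `make_target`.

```python
"""Active stage: build active detection rules from a passive alarm plus the
backtracked traffic, scan only the suspicious host on the ports the rules name,
then compare what the scan observed with what passive detection recorded.
Added example, not the patent's code. ALARM, BACKTRACKED, PREBUILT_SCRIPTS and
the simulated target are constructed; all identifiers are assumptions."""

# Passive alarm as recorded at the network boundary (constructed). The suspicious
# host is taken to be the internal destination, 10.0.0.5.
ALARM = {
    "rule": "http-ognl-injection", "vuln_id": "struts2-ognl",   # hypothetical ids
    "src_ip": "198.51.100.4", "dst_ip": "10.0.0.5", "src_port": 40001, "dst_port": 8080,
    "transport": "tcp", "app_proto": "http",
    "app_key_field": "GET /login.action", "payload": "%{(#_='multipart/form-data')",
}

# Flows found by backtracking the cached traffic around the alarm (constructed).
BACKTRACKED = [
    {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.5", "dst_port": 22, "transport": "tcp", "app_proto": "ssh"},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.4", "dst_port": 4444, "transport": "tcp", "app_proto": "unknown"},
]

# Scanner-side table: vulnerability id -> prebuilt scripts, each a (request, payload) pair.
PREBUILT_SCRIPTS = {"struts2-ognl": {"http-struts2-ognl-check": ("GET /login.action", "%{1+1}")}}

# Fields compared between the passive record and an active finding. The scanner's own
# source IP/port are deliberately excluded: they can never equal the attacker's.
COMPARE_FIELDS = ("dst_ip", "dst_port", "transport", "app_proto", "app_key_field")


def build_active_rules(alarm, backtracked):
    host = alarm["dst_ip"]
    base = {"dst_ip": host, "dst_port": alarm["dst_port"],
            "transport": alarm["transport"], "app_proto": alarm["app_proto"]}
    rules = []
    # Scanning detection: the alarm maps to known vulnerability info, reuse prebuilt scripts.
    if alarm.get("vuln_id") in PREBUILT_SCRIPTS:
        rules.append(dict(base, kind="scan", scripts=PREBUILT_SCRIPTS[alarm["vuln_id"]]))
    # Script detection: the content that triggered the alarm becomes a probe of its own.
    rules.append(dict(base, kind="script",
                      scripts={"replay-alarm": (alarm["app_key_field"], alarm["payload"])}))
    # Security detection: associated protocols found by backtracking. Only services the
    # suspicious host itself serves can be probed on it; its outbound peers are skipped.
    seen = {(base["app_proto"], base["dst_port"])}
    for f in backtracked:
        key = (f["app_proto"], f["dst_port"])
        if f["dst_ip"] == host and key not in seen:
            seen.add(key)
            rules.append({"kind": "security", "dst_ip": host, "dst_port": f["dst_port"],
                          "transport": f["transport"], "app_proto": f["app_proto"],
                          "scripts": {"banner": ("", "")}})
    return rules


def make_target(vulnerable=True):
    """Constructed stand-in for the suspicious host so the example runs offline:
    8080/http evaluates OGNL when `vulnerable`, 22/ssh returns a banner, rest closed."""
    def send(dst_ip, dst_port, app_proto, request, payload):
        if dst_ip != "10.0.0.5":
            return {"open": False}
        if (dst_port, app_proto) == (8080, "http"):
            evaluated = vulnerable and "%{" in payload
            return {"open": True, "body": "ognl-evaluated" if evaluated else "<html>login</html>"}
        if (dst_port, app_proto) == (22, "ssh"):
            return {"open": True, "body": "SSH-2.0-OpenSSH_7.4"}
        return {"open": False}
    return send


def active_scan(rules, send):
    """Run each rule against the suspicious host; return the characteristics observed."""
    findings = []
    for rule in rules:
        for name, (request, payload) in rule["scripts"].items():
            resp = send(rule["dst_ip"], rule["dst_port"], rule["app_proto"], request, payload)
            if not resp.get("open"):
                continue
            confirmed = rule["kind"] in ("scan", "script") and "ognl-evaluated" in resp["body"]
            finding = {k: rule[k] for k in ("dst_ip", "dst_port", "transport", "app_proto")}
            finding.update(app_key_field=request, script=name, abnormal=confirmed, evidence=resp["body"])
            findings.append(finding)
    return findings


def compare(alarm, findings):
    """Decision rule of the method: abnormal host iff the passively recorded flow
    characteristics equal those of an abnormal behaviour the active scan found."""
    passive = tuple(alarm[k] for k in COMPARE_FIELDS)
    return any(f["abnormal"] and tuple(f[k] for k in COMPARE_FIELDS) == passive for f in findings)


def analyze(alarm, backtracked, send):
    rules = build_active_rules(alarm, backtracked)
    findings = active_scan(rules, send)
    return {"rules": rules, "findings": findings, "abnormal_host": compare(alarm, findings)}


if __name__ == "__main__":
    result = analyze(ALARM, BACKTRACKED, make_target(vulnerable=True))
    for f in result["findings"]:
        print(f["script"], f["dst_port"], f["abnormal"], f["evidence"])
    print("abnormal host:", result["abnormal_host"])
```

The comparison matches only the fields that are stable between the two vantage points (the suspicious host's address, port, transport, application protocol and key field). A literal reading of "the same data flow characteristics" that included the attacker's source address and port would never match the scanner's own source, and every host would be classified as non-abnormal. The security-detection findings (here the SSH banner) are recorded for the analyst but do not by themselves make the host abnormal.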
Example 3
As shown in fig. 3, the present embodiment provides an apparatus for performing abnormal host analysis with active and passive detection combined, the apparatus including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the active-passive combined abnormal host analysis.
Referring now to fig. 3, a schematic diagram of a device suitable for use in implementing embodiments of the present disclosure is shown. The terminal devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The apparatus shown in fig. 3 is merely an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present disclosure.
As shown in fig. 3, the apparatus may include a processing device (e.g., a central processing unit, a graphics processor, etc.) 301 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 302 or a program loaded from a storage device 308 into a Random Access Memory (RAM) 303. In the RAM 303, various programs and data required for device operation are also stored. The processing device 301, the ROM 302, and the RAM 303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
In general, the following devices may be connected to the I/O interface 305: input devices 306 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 307 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 308 including, for example, magnetic tape, hard disk, etc.; and communication means 309. The communication means 309 may allow the device to communicate wirelessly or by wire with other devices to exchange data. While fig. 3 shows an apparatus having various devices, it is to be understood that not all illustrated devices are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device 309, or installed from a storage device 308, or installed from a ROM 302. The above-described functions defined in the methods of the embodiments of the present disclosure are performed when the computer program is executed by the processing means 301.
Example 4
The disclosed embodiments provide a non-volatile computer storage medium storing computer executable instructions that, when executed, perform the active-passive combined abnormal host analysis of any of the method embodiments described above.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be embodied in the apparatus; or may be present alone without being fitted into the device.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Claims (6)
1. A method for performing abnormal host analysis with active and passive detection combined, comprising:
continuously caching network traffic logs within a first set period of time, detecting, by a passive rule detection method, the data flow passing through the network boundary, and recording the data flow characteristic information of a suspicious host IP found to exhibit abnormal behavior; the data flow characteristic information refers to all relevant protocol field characteristics of the abnormal behavior data, and comprises: source IP address, destination IP address, source port, destination port, transport layer protocol type, key application layer protocol field content and application layer payload data;
collecting data flow information related to the suspicious host IP through the data flow characteristic information of the suspicious host IP;
collecting backtracking flow, and constructing an active detection rule, wherein the backtracking flow is the flow before and after searching the alarm in the cache flow based on the content of the current alarm information;
performing active scanning analysis on the suspicious host IP to judge whether the suspicious host is abnormal or not;
comparing and analyzing the active scanning and the passive detection result to determine whether the suspicious host is an abnormal host;
the collecting data flow information related to the suspicious host IP through the data flow characteristics of the suspicious host IP comprises the following steps:
collecting, from the network flow log within a second set time period, the data flow characteristic information related to the suspicious host IP address exhibiting the abnormal behavior, by means of the found data flow characteristics of that suspicious host IP;
the collecting backtracking traffic includes:
collecting data flow characteristic information related to the suspicious host IP address of the abnormal behavior before and after the occurrence of the alarm information in the network flow log in the second set time period;
the constructing the active detection rule comprises the following steps: scanning detection, script detection and security detection;
the scanning detection refers to that, when the alarm information can be matched to corresponding vulnerability information, the vulnerability scanning scripts built in advance on top of a scanner are used as the scanning strategy;
the script detection refers to detecting the content triggering the alarm in the alarm information as an active detection script to form a series of detection scripts;
the security detection refers to performing security detection on the association protocol discovered by backtracking;
the passive rule detection method refers to detecting abnormality of the data flow passing through the network boundary based on rules or models commonly used for passive detection;
the second set time period and the first set time period are set in advance, and differ in that the second set period of time begins to be collected after the data flow characteristics of the suspicious host IP exhibiting abnormal behavior are found, whereas the first set period of time begins to be collected before they are found; thus, the first set period of time is passive collection and the second set period of time is active collection.
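Worked example of the passive stage of claim 1: the traffic log cached over the first set period, passive rule detection restricted to flows crossing the network boundary, the recorded characteristic information, collection of the suspicious host's related flows over the second set period, and backtracking of the cached traffic before and after the alarm. This is added illustration, not the patent's code. The flow log, the internal address range, the field names and the single passive rule are constructed; taking the internal endpoint of the alarming flow as the suspicious host is an assumption.

```python
"""Passive stage of claim 1: cache the traffic log for a first set period, run
passive rules over flows crossing the network boundary, record the suspicious
host's data flow characteristics, then collect its related flows over a second
set period and backtrack the cache around the alarm. Added example, not the
patent's code; the log, address range and rule below are constructed."""
from collections import deque
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Field names of a data flow record, matching the characteristic information in claim 1.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port",
          "transport", "app_proto", "app_key_field", "payload")

# Constructed flow log (ts in seconds). Flow 102 is an inbound request carrying an OGNL
# expression; 103/105 are the same host calling back out; 130 never crosses the boundary.
FLOW_LOG = [
    (100, "10.0.0.5", "203.0.113.9", 51000, 80, "tcp", "http", "GET /index.html", ""),
    (101, "10.0.0.7", "203.0.113.9", 51001, 80, "tcp", "http", "GET /index.html", ""),
    (102, "198.51.100.4", "10.0.0.5", 40001, 8080, "tcp", "http", "GET /login.action",
     "%{(#_='multipart/form-data')"),
    (103, "10.0.0.5", "198.51.100.4", 51002, 4444, "tcp", "unknown", "", ""),
    (105, "10.0.0.5", "198.51.100.4", 51003, 4444, "tcp", "unknown", "", "id\n"),
    (110, "10.0.0.7", "203.0.113.9", 51004, 443, "tcp", "tls", "SNI=example.org", ""),
    (130, "10.0.0.9", "10.0.0.5", 51005, 8080, "tcp", "http", "GET /login.action", "%{1+1}"),
]

# Passive rules: name -> predicate over a record (constructed; a deployment would use
# the rule set or model its passive detector already runs).
PASSIVE_RULES = {
    "http-ognl-injection": lambda r: r["app_proto"] == "http" and "%{" in r["payload"],
}


def to_record(flow):
    return dict(zip(FIELDS, flow))


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def crosses_boundary(rec):
    return is_internal(rec["src_ip"]) != is_internal(rec["dst_ip"])


class TrafficCache:
    """Flow records kept for `first_period` seconds of log time (the passive collection)."""
    def __init__(self, first_period):
        self.first_period = first_period
        self.flows = deque()

    def add(self, rec):
        self.flows.append(rec)
        while rec["ts"] - self.flows[0]["ts"] > self.first_period:
            self.flows.popleft()

    def window(self, start, end, ip):
        return [r for r in self.flows
                if start <= r["ts"] <= end and ip in (r["src_ip"], r["dst_ip"])]


def passive_detect(rec):
    """Apply the passive rules only to flows that cross the network boundary."""
    if not crosses_boundary(rec):
        return None
    for name, pred in PASSIVE_RULES.items():
        if pred(rec):
            suspicious = rec["dst_ip"] if is_internal(rec["dst_ip"]) else rec["src_ip"]
            return {"rule": name, "suspicious_ip": suspicious, "characteristics": rec}
    return None


def finalize(cache, alarm, second_period, backtrack_window):
    """Second set period: related flows after the alarm; backtracking: flows around it."""
    ts, ip = alarm["characteristics"]["ts"], alarm["suspicious_ip"]
    alarm["related"] = cache.window(ts, ts + second_period, ip)
    alarm["backtracked"] = cache.window(ts - backtrack_window, ts + backtrack_window, ip)
    alarm["associated_protocols"] = sorted({(r["app_proto"], r["dst_port"])
                                            for r in alarm["backtracked"]
                                            if r is not alarm["characteristics"]})
    return alarm


def analyze_log(log, first_period=100, second_period=10, backtrack_window=5):
    cache = TrafficCache(first_period)
    pending, done = [], []
    for flow in log:
        rec = to_record(flow)
        cache.add(rec)
        alarm = passive_detect(rec)
        if alarm:
            pending.append(alarm)
        # An alarm is finalized once log time has advanced past its second set period.
        for alarm in [a for a in pending if rec["ts"] >= a["characteristics"]["ts"] + second_period]:
            pending.remove(alarm)
            done.append(finalize(cache, alarm, second_period, backtrack_window))
    for alarm in pending:   # end of log: finalize with whatever the cache still holds
        done.append(finalize(cache, alarm, second_period, backtrack_window))
    return done


if __name__ == "__main__":
    for a in analyze_log(FLOW_LOG):
        print(a["rule"], a["suspicious_ip"], a["characteristics"]["dst_port"],
              len(a["related"]), a["associated_protocols"])
```

The cache length is the first set period: a flow that fell out of it before the alarm cannot be backtracked, so the period must be chosen longer than the expected delay between an intrusion and the passive rule firing on it. The associated protocols extracted from the backtracked flows (here the outbound connection to port 4444 that follows the inbound request) are what the security-detection rules of the active stage are built from.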
2. The method of claim 1, wherein the performing active scan analysis on the suspicious host IP to determine whether an anomaly exists in the suspicious host comprises:
and actively scanning the suspicious host IP of the abnormal behavior according to each active detection rule, and judging whether the suspicious host IP is abnormal or not according to the information obtained by the active scanning.
3. The method of claim 1, wherein comparing and analyzing the active scanning and passive detection results to determine whether the suspicious host is an abnormal host comprises:
comparing the suspicious abnormal behavior discovered by passive detection with the abnormal behavior discovered by active scanning, and confirming whether the suspicious host is an abnormal host according to the comparison result.
4. The method according to claim 3, wherein the comparison result comprises:
if the data flow characteristics of the suspicious abnormal behavior found passively are the same as those of the abnormal behavior found by active scanning, judging that the suspicious host is an abnormal host; otherwise, judging that the suspicious host is a non-abnormal host.
5. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any one of claims 1 to 4.
6. An apparatus, comprising:
one or more processors;
storage means for storing one or more programs which when executed by the one or more processors cause the one or more processors to implement the method of any of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010587801.8A CN113839912B (en) | 2020-06-24 | 2020-06-24 | Method, device, medium and equipment for analyzing abnormal host by active and passive combination |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010587801.8A CN113839912B (en) | 2020-06-24 | 2020-06-24 | Method, device, medium and equipment for analyzing abnormal host by active and passive combination |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113839912A CN113839912A (en) | 2021-12-24 |
CN113839912B true CN113839912B (en) | 2023-08-22 |
Family
ID=78964502
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010587801.8A Active CN113839912B (en) | 2020-06-24 | 2020-06-24 | Method, device, medium and equipment for analyzing abnormal host by active and passive combination |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113839912B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115550068B (en) * | 2022-11-28 | 2023-03-10 | 天津安华易科技发展有限公司 | Safety auditing method for log information of host |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2408116A1 (en) * | 2002-03-29 | 2003-09-29 | Nec Infrontia Corporation | Wireless lan system, host apparatus and wireless lan base station |
CN101631026A (en) * | 2008-07-18 | 2010-01-20 | 北京启明星辰信息技术股份有限公司 | Method and device for defending against denial-of-service attacks |
CN103595569A (en) * | 2013-11-15 | 2014-02-19 | 南京云川信息技术有限公司 | Method for handling database storage of alarm information of network management system |
CN104363236A (en) * | 2014-11-21 | 2015-02-18 | 西安邮电大学 | Automatic vulnerability validation method |
CN105933186A (en) * | 2016-06-30 | 2016-09-07 | 北京奇虎科技有限公司 | Security detection method, device and system |
CN110138745A (en) * | 2019-04-23 | 2019-08-16 | 极客信安(北京)科技有限公司 | Abnormal host detection method, device, equipment and medium based on data stream sequences |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8533819B2 (en) * | 2006-09-29 | 2013-09-10 | At&T Intellectual Property Ii, L.P. | Method and apparatus for detecting compromised host computers |
US20120090027A1 (en) * | 2010-10-12 | 2012-04-12 | Electronics And Telecommunications Research Institute | Apparatus and method for detecting abnormal host based on session monitoring |
- 2020-06-24: CN application CN202010587801.8A, patent CN113839912B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN113839912A (en) | 2021-12-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |