CN113839925A - IPv6 network intrusion detection method and system based on data mining technology - Google Patents

IPv6 network intrusion detection method and system based on data mining technology

Info

Publication number
CN113839925A
Authority
CN
China
Prior art keywords
ipv6
data
network
intrusion detection
data packet
Prior art date
Legal status
Pending
Application number
CN202111017069.1A
Other languages
Chinese (zh)
Inventor
李明轩
李峰
杨慧婷
邹振婉
舒斐
王斌
Current Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Xinjiang Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Xinjiang Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC and Electric Power Research Institute of State Grid Xinjiang Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/164 Implementing security features at a particular protocol layer at the network layer

Abstract

The invention relates to the technical field of network intrusion detection, in particular to an IPv6 network intrusion detection method and system based on a data mining technology. The method comprises the steps of detecting known attacks of the data network and unencrypted IPv6 data streams in a plurality of target subsystems; detecting, with a multi-mode character string matching algorithm, IPv6 data streams that are transmitted among different host objects and encrypted by the IPSec protocol; and monitoring all intrusion detection processes, matching the host intrusion detection results with the network intrusion detection results, and judging the attack type. The invention reduces the complexity of the original data packet by using the information entropy protocol analysis algorithm, completes the intrusion detection of the IPv6 data packet header, simplifies the detection complexity and improves the detection efficiency; it detects the IPSec-encrypted IPv6 data streams transmitted among different host objects by using the multi-mode character string matching algorithm, and the advantages of multi-mode matching further improve the detection efficiency.

Description

IPv6 network intrusion detection method and system based on data mining technology
Technical Field
The invention relates to the technical field of network intrusion detection, in particular to an IPv6 network intrusion detection method and system based on a data mining technology.
Background
With the limited size of the IPv4 address space, the deployment requirements of power Internet of Things equipment can no longer be met, and replacing IPv4 addresses with IPv6 addresses has become the trend in network address deployment; the large IPv6 address space can accommodate the projected growth of Internet of Things equipment, and therefore IPv6 is selected as the main address deployment mode of the power Internet of Things. The introduction of IPv6 technology supports the addition of power Internet of Things equipment, and with the functions of that equipment, diversified and multi-channel service capabilities are developed for the power sector, such as video multimedia, sensor monitoring, WLAN wireless communication and other service networks. The development of these services necessarily brings an explosive growth of data sets, and a great deal of power data is exposed in an intricate and complex IP network, so that serious potential safety hazards exist; with the deep deployment of wireless communication networks such as 4G in power applications, wireless data transmission increases the attack risk even further, and therefore higher protection requirements are placed on the security performance of the IPv6 network. The IPv6 protocol is characterized by the IPSec protocol, which is specially designed for security, belongs to the category of encryption and authentication protocols, mainly aims to improve the data transmission security of the network and solve problems such as identity authentication, and adopts an active security prevention and control mode. However, with the diversification and uncertainty of network attack types, the IPSec protocol can only solve part of the network security problems and needs to be combined with other security protection means to raise the security level of the network.
The conventional detection techniques include the following. The statistical detection and analysis method sets a safety threshold from historical detection experience values; behavior that deviates from the safety threshold is regarded as dangerous, and the larger the deviation, the greater the risk. The rule-trend detection and analysis method sets a dynamic rule base with which intrusion behavior is judged; characteristic character strings consistent with those in the rule base are treated as safe data, and all other characteristic character strings are dangerous behavior. The detection and analysis method based on an artificial neural network algorithm uses the self-learning ability of the neural network on the rules of characteristic character strings to classify the rules of normal and abnormal events and to judge illegal data behavior characteristics. The detection and analysis method based on conditional probability expresses an intrusion as a sequence of events and reasons about intrusions and intrusion behavior according to Bayes' theorem. The detection and analysis method based on an immune algorithm detects risk events that may attack the network through an immune protection algorithm and can improve the immunity of the network. The detection method based on pattern recognition prediction assumes that the recorded data of the security audit conforms to a certain pattern, so that attack behavior is detected by utilizing the correlation of the event sequence.
Current intrusion detection systems also have the following problems: the detection speed is lower than the network transmission speed, which easily causes false alarms and missed alarms; the problem of combining the intrusion detection system with other network products; encrypted data packets in the network cannot be detected; the intrusion detection architecture has problems; and the accuracy of the specific intrusion detection algorithm is problematic.
Disclosure of Invention
The invention provides an IPv6 network intrusion detection method based on a data mining technology, which overcomes the defects of the prior art, can effectively solve the problem that existing network intrusion detection methods cannot detect a host and a network simultaneously, and further solves the problem that existing network intrusion detection methods cannot detect encrypted data packets in the network.
One of the technical schemes of the invention is realized by the following measures: an IPv6 network intrusion detection method based on data mining technology comprises the following steps:
detecting known attacks of a data network and unencrypted IPv6 data streams in a plurality of target subsystems to finish host intrusion detection;
presetting a variable characteristic database in which characteristic character strings are stored, calling the variable characteristic database, detecting IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by using a multi-mode character string matching algorithm, and completing network intrusion detection;
monitoring all intrusion detection processes, presetting a variable characteristic database storing intrusion behavior characteristics, calling the variable characteristic database, matching a host intrusion detection result with a network intrusion detection result, judging an attack type, and outputting alarm information;
and processing and displaying the alarm information.
The following are further optimizations and/or improvements of the technical scheme of the invention:
the detecting known attacks of the data network and the unencrypted IPv6 data flow in the target subsystems includes:
carrying out IPSec protocol analysis on the IPv6 data packet header in the target subsystem;
extracting an IPv6 data packet header, judging whether the IPv6 data packet header has intrusion behavior by using an information entropy protocol analysis algorithm, if not, continuing to analyze the IPv6 data packet, and if so, judging that abnormal intrusion behavior data exists;
requesting the key to analyze the IPv6 data packet, calling an application layer rule, matching the analysis result by using a pattern recognition algorithm, judging whether the matching is abnormal or not, and responding to the abnormal intrusion behavior data.
The above-mentioned presetting of a variable characteristic database in which characteristic character strings are stored, calling the variable characteristic database, and detecting IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by using a multi-mode character string matching algorithm includes:
capturing an IPv6 data packet in network data by using a data capturing function, wherein the data capturing function comprises a filtering rule of a data address format;
presetting a variable characteristic database in which characteristic character strings are stored, identifying the characteristic character strings of the IPv6 data packet by using a multi-mode character string matching algorithm, and matching the characteristic character strings with the stored characteristics in the variable characteristic database;
and judging whether the matching is abnormal or not, if not, conforming to the requirement of the security feature, and if so, having abnormal intrusion behavior data.
After all the characteristics in the IPv6 data packet are matched, content probability calculation is carried out on protocol information in a data header by using an information entropy protocol analysis algorithm, and useful fields are detected to find intrusion behaviors.
The capturing of the IPv6 data packet by using the data capture function in the network data includes: capturing an IPv6 data packet by using a data capture function in network data, acquiring network address and mask information from an IPv6 data packet, comparing the network address and mask information with a filtering rule of a data address format, extracting an IPv6 data packet with consistent comparison, and releasing an IPv6 data packet with inconsistent comparison into a network.
The second technical scheme of the invention is realized by the following measures: an IPv6 network intrusion detection system based on data mining technology, comprising:
the host intrusion detection unit is used for detecting known attacks of the data network and unencrypted IPv6 data streams in the target subsystems to finish host intrusion detection;
the network intrusion detection unit presets a variable characteristic database in which characteristic character strings are stored, calls the variable characteristic database, detects IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by using a multi-mode character string matching algorithm, and completes network intrusion detection;
the system monitoring unit is used for monitoring all intrusion detection processes, presetting a variable characteristic database in which intrusion behavior characteristics are stored, calling the variable characteristic database, matching a host intrusion detection result with a network intrusion detection result, judging an attack type and outputting alarm information;
and the response unit is used for processing and displaying the alarm information.
The following are further optimizations and/or improvements of the technical scheme of the invention:
the host intrusion detection unit comprises a plurality of host intrusion detection modules, and each host intrusion detection module comprises an IPSec decryption module, an application layer protection module, an application layer rule base and a system monitor;
the IPSec decryption module is used for carrying out IPSec protocol analysis on the IPv6 data packet header in the target subsystem, extracting the IPv6 data packet header, judging whether the IPv6 data packet header has intrusion behavior by using an information entropy protocol analysis algorithm, and if not, continuing to analyze the IPv6 data packet;
an application layer rule base for storing application layer rules; the application layer rule base is a dynamic database;
the application layer protection module requests the key to analyze the IPv6 data packet, calls an application layer rule, matches the analysis result by using a pattern recognition algorithm, judges whether the matching is abnormal or not, and responds to an abnormal match, which indicates that an intrusion behavior exists;
and the system monitor monitors the detection process.
The network intrusion detection unit comprises a network data packet acquisition module, a rule analysis module, a preprocessing module, a variable characteristic database, a protocol analysis module and an analysis module;
the network data packet acquisition module is used for capturing an IPv6 data packet in network data by using a data capture function;
the rule analysis module is used for setting a data capture function, and the data capture function comprises a filtering rule of a data address format;
the preprocessing module acquires network address and mask information from the IPv6 data packet, compares the network address and mask information with a filtering rule of a data address format, extracts an IPv6 data packet with consistent comparison, and releases an IPv6 data packet with inconsistent comparison to a network;
a variable characteristic database storing characteristic character strings;
and the protocol analysis module performs content probability calculation on the protocol information in the data header by using an information entropy protocol analysis algorithm after all the characteristics in the IPv6 data packet are matched, and detects out useful fields to find intrusion behaviors.
The system monitoring unit comprises an abnormality detection module, a monitoring management module, a self-learning module and a variable characteristic database;
the anomaly detection module calls a variable characteristic database, matches the host intrusion detection result with the network intrusion detection result, judges the attack type and outputs alarm information;
the monitoring management module monitors all intrusion detection processes;
the self-learning module is used for self-learning the abnormal detection result obtained by detection;
and the variable characteristic database stores the intrusion behavior characteristics.
The invention discloses an IPv6 network intrusion detection method and system based on a data mining technology, which have the following advantages:
1. The invention reduces the complexity of the original data packet by using the information entropy protocol analysis algorithm, completes the intrusion detection of the IPv6 data packet header, matches the remaining analysis contents of the IPv6 data packet by combining the pattern recognition algorithm, judges whether an abnormality exists, and, compared with the existing detection analysis method based on the artificial neural network algorithm, simplifies the detection complexity and improves the detection efficiency.
2. The method presets a variable characteristic database storing characteristic character strings, calls the variable characteristic database, and detects IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by using a multi-mode character string matching algorithm (AC-BC multi-mode character string matching algorithm).
3. The databases arranged in the invention are all dynamic databases which can be continuously updated, thus improving the intrusion detection capability and ensuring the intrusion detection accuracy.
Drawings
FIG. 1 is a process flow diagram of example 1 of the present invention.
FIG. 2 is a flowchart of the method of example 2 of the present invention.
FIG. 3 is a flowchart of the method of example 3 of the present invention.
Fig. 4 is a schematic diagram of a matching model of the multi-pattern string matching algorithm in embodiment 3 of the present invention.
Fig. 5 is a system configuration diagram of embodiment 4 and embodiment 5 of the present invention.
Detailed Description
The present invention is not limited by the following examples; specific embodiments may be determined according to the technical solutions and practical situations of the present invention.
The invention is further described with reference to the following examples and figures:
example 1: as shown in fig. 1, an embodiment of the present invention discloses an IPv6 network intrusion detection method based on a data mining technology, including:
Step S101, detecting known attacks of a data network and unencrypted IPv6 data streams in a plurality of target subsystems to finish host intrusion detection;
the host intrusion detection mainly carries out safety detection on log files, misoperation behaviors, redundant data and the like in the IPv6 network, and ensures the function of interconnection and intercommunication of data among hosts.
Step S102, presetting a variable characteristic database storing characteristic character strings, calling the variable characteristic database, detecting IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by utilizing a multi-mode character string matching algorithm, and completing network intrusion detection;
the IPv6 data stream encrypted by the IPSec protocol and transmitted among different host objects is captured from network data, meanwhile, in order to improve the intrusion behavior detection efficiency, a variable characteristic database is introduced as a matching comparison object, the characteristic matching is carried out on each characteristic of a data packet by utilizing a multi-mode character string matching algorithm, the network intrusion detection is completed, and meanwhile, if a new characteristic character string is found, the variable characteristic database can be recorded, the real-time performance of the variable characteristic database is kept, and the network intrusion detection accuracy is improved. Wherein, the variable characteristic database stores various characteristic character strings (namely character strings).
Step S103, monitoring all intrusion detection processes, presetting a variable characteristic database storing intrusion behavior characteristics, calling the variable characteristic database, matching a host intrusion detection result and a network intrusion detection result, judging an attack type, and outputting alarm information;
Monitoring all the intrusion detection processes is done by collecting and managing information among the hosts. The variable characteristic database stores various intrusion behavior characteristics; the intrusion behavior characteristics in the variable characteristic database are called, the host intrusion detection result is matched with the network intrusion detection result, and alarm information is sent if intrusion behavior is found, where the alarm information can comprise the alarm itself, intrusion behavior information and attack type information. Meanwhile, the variable characteristic database can be continuously updated, so that it is kept up to date and the intrusion detection accuracy is improved.
And step S104, processing and displaying the alarm information.
The embodiment of the invention discloses an IPv6 network intrusion detection method based on a data mining technology. Aiming at the vulnerability of the security protocol protection of the IPv6 network, a novel intrusion detection method is added on the basis of the IPSec security protocol, and an intrusion behavior detection method integrating network detection, host detection, system monitoring and response is constructed. The host detection can synchronously detect known attacks of the data network and unencrypted IPv6 data streams in a plurality of target subsystems, meeting the requirement of concurrent data access over the multiple service paths of the IPv6 network. The network detection can capture a large number of IPSec-encrypted IPv6 data streams transmitted among host objects for detection and performs matching detection on the characteristic character strings of the data packets with a multi-mode character string matching algorithm, so that the process is simple and efficient and the intrusion monitoring speed is ensured. The two variable characteristic databases can be dynamically updated, so that they are kept up to date and the accuracy of intrusion detection is improved. In conclusion, the embodiment of the invention is suitable for the mass deployment of future IPv6 networks and can effectively perform security detection on multi-path IPv6 encapsulated data.
Example 2: as shown in fig. 2, the embodiment of the present invention discloses an IPv6 network intrusion detection method based on a data mining technology, wherein detecting known attacks of a data network and unencrypted IPv6 data streams in a plurality of target subsystems further includes:
step S201, carrying out IPSec protocol analysis on the IPv6 data packet header in the target subsystem; the IPv6 data packet in the target subsystem is a host IPv6 data packet;
step S202, extracting an IPv6 data packet header, judging whether the IPv6 data packet header has intrusion behavior by using an information entropy protocol analysis algorithm, if not, continuing to analyze the IPv6 data packet, and if so, judging that abnormal intrusion behavior data exists;
here, step S202 specifically includes:
1. extracting an IPv6 data packet header;
2. calculating the corresponding information entropy by the following formula (the information entropy describes the probability distribution of the occurrence of each random data value);
[Formula image not extracted from the original: the information entropy expression in terms of x, p(x) and a defined below.]
wherein x represents a random data variable, p(x) represents the probability of outputting the data, and a represents the logarithmic base parameter;
3. comparing the obtained information entropy with the labelled data set, accumulating and formatting the entropy values with large correlation and discarding those with small correlation; the larger the uncertainty of the data, the larger the entropy value, and by extracting the information carried by the entropy within the information quantity, data compression and dimension reduction are achieved, so that the complexity of the original data is reduced;
4. comparing the dimension-reduced data with a threshold value, judging the data exceeding the threshold as abnormal intrusion behavior data and the remaining data as safe data; the threshold is not a value fixed over a long period and can be adjusted and updated in real time according to each calculation result, so that the accuracy of the threshold evaluation is continuously improved.
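As an added illustration of steps 2 to 4 of S202 (and of the entropy analysis the disclosure section calls the information entropy protocol analysis algorithm), the following Python is not the patent's code: it computes the information entropy of one IPv6 header field over a window of packets in the notation the text defines (x a field value, p(x) its probability, a the logarithm base) and compares it with a threshold that is updated after every result. The update rule (blend the threshold towards the latest normal entropy plus a margin, and leave it untouched after an abnormal window) and the sample windows are assumptions constructed for the example.

```python
import math
from collections import Counter


def make_window(sources):
    """Constructed minimal IPv6 header records (not real captures); only the
    source address varies between windows in this example."""
    return [{"src": s, "dst": "2001:db8::1", "next_header": 6, "hop_limit": 64}
            for s in sources]


# Three constructed windows of 16 packets each.
NORMAL_4_SOURCES = make_window([f"2001:db8:1::{i}" for i in range(4)] * 4)
NORMAL_8_SOURCES = make_window([f"2001:db8:1::{i}" for i in range(8)] * 2)
SCAN_16_SOURCES = make_window([f"2001:db8:fe::{i:x}" for i in range(16)])


def field_entropy(packets, field, a=2):
    """Information entropy H = -sum_x p(x) * log_a p(x) of one header field,
    where p(x) is the relative frequency of value x inside the window."""
    counts = Counter(p[field] for p in packets)
    n = len(packets)
    return -sum((c / n) * math.log(c / n, a) for c in counts.values())


class EntropyScreen:
    """Step 4 of S202: compare each window's entropy with a threshold that is
    re-estimated after every result (the update rule is an assumption)."""

    def __init__(self, threshold, alpha=0.5, margin=1.0, a=2):
        self.threshold = threshold   # initial value, e.g. taken from labelled data
        self.alpha = alpha           # weight of the newest normal result
        self.margin = margin         # headroom kept above normal entropy
        self.a = a

    def check(self, packets, field="src"):
        """Return (entropy, abnormal). Abnormal windows do not move the
        threshold, so a flood of random sources cannot raise it to hide behind."""
        h = field_entropy(packets, field, self.a)
        abnormal = h > self.threshold
        if not abnormal:
            self.threshold = (1 - self.alpha) * self.threshold + self.alpha * (h + self.margin)
        return h, abnormal


def screen_windows(windows, field="src", threshold=3.5):
    """Run the screen over consecutive windows; returns the per-window
    (rounded entropy, abnormal flag) list and the final threshold."""
    screen = EntropyScreen(threshold)
    results = []
    for window in windows:
        h, abnormal = screen.check(window, field)
        results.append((round(h, 3), abnormal))
    return results, screen.threshold


if __name__ == "__main__":
    out, final = screen_windows(
        [NORMAL_4_SOURCES, NORMAL_8_SOURCES, SCAN_16_SOURCES, NORMAL_4_SOURCES])
    for h, abnormal in out:
        print(f"entropy={h:.3f} abnormal={abnormal}")
    print(f"final threshold={final:.4f}")
```

The third window (16 distinct sources) is flagged because its entropy exceeds the threshold learned from the two normal windows before it, and the threshold is left unchanged by that window.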
Step S203, requesting the key to analyze the IPv6 data packet, calling an application layer rule, matching the analysis result by using a pattern recognition algorithm, judging whether the matching is abnormal or not, and responding to the abnormal intrusion behavior data. Here, the application layer rules are stored in advance in an application layer rule database, which may be a dynamic database.
Example 3: as shown in fig. 3 and 4, the embodiment of the present invention discloses an IPv6 network intrusion detection method based on a data mining technology, wherein a variable feature database storing feature strings is preset, the variable feature database is called, and a multi-mode string matching algorithm is used to detect IPv6 data streams encrypted by an IPSec protocol and transmitted between different host objects, further comprising:
step S301, capturing an IPv6 data packet in network data by using a data capture function, wherein the data capture function comprises a filtering rule of a data address format;
the method specifically comprises the following steps:
1. capturing an IPv6 data packet by using a data capture function in network data;
2. acquiring network address and mask information from the IPv6 data packet, comparing the network address and mask information with the filtering rule of the data address format, extracting the IPv6 data packet with consistent comparison, and releasing the IPv6 data packet with inconsistent comparison into the network.
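Added example, not the patent's code, of the capture step described here and in the disclosure section above: parse the fixed IPv6 header, apply a filtering rule of the data address format (prefix plus mask length), extract the packets that match and release the rest, and tag extracted packets whose next header is ESP or AH as IPSec-protected so the later matching stage knows which streams are encrypted. The monitored prefix, the constructed sample packets and the build_packet helper are assumptions made for the example.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
NEXT_HEADER_TCP = 6
NEXT_HEADER_ESP = 50   # IPSec Encapsulating Security Payload
NEXT_HEADER_AH = 51    # IPSec Authentication Header


def parse_ipv6_header(raw):
    """Parse the fixed 40-byte IPv6 header (RFC 8200) into a dict."""
    if len(raw) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", raw[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(raw[8:24]),
        "dst": ipaddress.IPv6Address(raw[24:40]),
        "payload": raw[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len],
    }


class AddressFilter:
    """Filtering rule of the data address format: IPv6 prefixes (address plus
    mask length). A packet is consistent with the rule when its source or
    destination falls inside any monitored prefix."""

    def __init__(self, prefixes):
        self.networks = [ipaddress.IPv6Network(p) for p in prefixes]

    def matches(self, hdr):
        return any(hdr["src"] in net or hdr["dst"] in net for net in self.networks)


def capture(raw_packets, rule):
    """Step S301: packets consistent with the rule are extracted for detection;
    all others (and anything that is not IPv6) are released back unchanged.
    Extracted headers are tagged 'ipsec' when the next header is ESP or AH."""
    extracted, released = [], []
    for raw in raw_packets:
        try:
            hdr = parse_ipv6_header(raw)
        except ValueError:
            released.append(raw)
            continue
        if rule.matches(hdr):
            hdr["ipsec"] = hdr["next_header"] in (NEXT_HEADER_ESP, NEXT_HEADER_AH)
            extracted.append(hdr)
        else:
            released.append(raw)
    return extracted, released


def build_packet(src, dst, next_header, payload, hop_limit=64, flow_label=0):
    """Constructed sample packet builder, used only to fabricate example input."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    fixed = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


# Constructed sample traffic; 2001:db8:10::/48 is the assumed monitored subsystem.
SAMPLE_PACKETS = [
    build_packet("2001:db8:10::5", "2001:db8:10::9", NEXT_HEADER_ESP, b"\x00" * 8),  # monitored, IPSec (placeholder ESP bytes)
    build_packet("2001:db8:10::5", "2001:db8:20::1", NEXT_HEADER_TCP, b"GET /"),      # monitored, unencrypted
    build_packet("2001:db8:99::1", "2001:db8:99::2", NEXT_HEADER_TCP, b"hello"),      # outside the rule: released
    b"\x45" + b"\x00" * 19,                                                          # not IPv6: released
]
MONITORED = AddressFilter(["2001:db8:10::/48"])

if __name__ == "__main__":
    kept, passed = capture(SAMPLE_PACKETS, MONITORED)
    for hdr in kept:
        print(hdr["src"], "->", hdr["dst"], "ipsec" if hdr["ipsec"] else "plain")
    print(f"{len(passed)} packet(s) released back to the network")
```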
Step S302, presetting a variable characteristic database in which characteristic character strings are stored, identifying the characteristic character strings of the IPv6 data packet by using a multi-mode character string matching algorithm, and matching the characteristic character strings with the stored characteristics in the variable characteristic database;
the variable characteristic database is a dynamic variable characteristic database, and characteristic character strings in the variable characteristic database can be continuously updated.
The characteristic character strings of the IPv6 data packet are identified by using a multi-mode character string matching algorithm and matched with the stored characteristics in the variable characteristic database. The multi-mode character string matching algorithm can be the AC-BC multi-mode character string matching algorithm, which combines the advantages of the BM algorithm (R. S. Boyer and J. S. Moore) and the AC algorithm (Aho and Corasick). The BM algorithm is a traditional single-pattern string search algorithm. Its advantage is that it does not compare the strings character by character: it uses the dimension-reduction advantage of a preprocessing technique and matches only the good characters; a certain pattern character length is set and the pattern is shifted along the string, so that the match can skip over several bad characters in the middle, and the content matching of the good characters is completed by locking onto the bad characters until the last character is matched. The BM algorithm is therefore more efficient when longer strings are required. The AC algorithm is a newer multi-pattern string search algorithm: by building a tree-shaped finite state machine, the state machine can mark different states, and when strings are fed into the state machine, multiple pattern features can be locked at the same time and character matching is completed in parallel; the output state identifier of a locked state character is 1, otherwise it is 0. The algorithm has the advantage of highly parallel matching but lacks the property of state shifting.
Therefore, the AC algorithm and the BM algorithm are combined so that the advantages of both are gathered and pattern matching is completed more efficiently. The specific matching and identification process comprises the following steps:
1. reading a characteristic character string of the IPv6 data packet;
2. constructing a characteristic storage structure of a mode character string according to the AC model, and forming finite-state machine models in a positive direction and a negative direction by utilizing a movement jumping idea of a BM algorithm;
3. setting a pattern character length and an initial matching position;
4. constructing a failure function;
5. taking the initial matching position as the starting point, calling the failure function to match and detect the content one by one while performing pattern matching from the positive and negative directions at the same time. The matching rules are defined as follows: the positive direction matches from right to left and moves to the right when the characteristic character strings do not match; similarly, the negative direction matches from left to right and moves to the left when the characteristic character strings do not match. After a bad character is located, the character contents are matched, until the detection of all the character strings is finished and the algorithm ends. The failure function constructed in the character matching and detection system is called to complete the content matching and detection of the characters one by one, and the matching judgment is made.
Step S303, judging whether the matching is abnormal or not, if not, conforming to the requirement of the security feature, and if so, having abnormal intrusion behavior data.
Step S304, after all the characteristics in the IPv6 data packet have been matched, performing content probability calculation on the protocol information in the data header by using an information entropy protocol analysis algorithm, and detecting useful fields to find intrusion behaviors; here, the same procedure as the intrusion behavior analysis using the entropy analysis algorithm in embodiment 2 is used.
Embodiment 2 of the invention fully exploits the advantage of data mining in processing large data volumes, makes full use of the multi-state parallel matching of the AC model and the multi-string shift matching of BM, and improves the efficiency and accuracy of detection.
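Step S304's entropy analysis of header protocol information, as an added example that is not code from the patent: it parses the fixed IPv6 header, computes the Shannon entropy of each field over a window of packets, and flags fields that depart from a baseline. The per-field baseline comparison, the 1-bit tolerance and the two traffic windows are assumptions constructed for the demonstration, since embodiment 2's exact procedure is not given on this page.

```python
import math
import struct
from collections import Counter

# Fixed 40-byte IPv6 header (RFC 8200): ver/tc/flow label, payload length,
# next header, hop limit, source address, destination address.
IPV6_HDR = struct.Struct("!IHBB16s16s")
FIELDS = ("next_header", "hop_limit", "flow_label", "src", "dst")


def parse_ipv6_header(pkt):
    """Extract the header fields the entropy analysis works on."""
    if len(pkt) < IPV6_HDR.size:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nxt, hlim, src, dst = IPV6_HDR.unpack_from(pkt)
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"flow_label": vtf & 0xFFFFF, "payload_len": plen, "next_header": nxt,
            "hop_limit": hlim, "src": src, "dst": dst}


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of a field's values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def header_entropies(packets):
    """Per-field entropy over a window of packets (the content probability step)."""
    hdrs = [parse_ipv6_header(p) for p in packets]
    return {f: entropy([h[f] for h in hdrs]) for f in FIELDS}


def analyse_window(packets, baseline, tolerance=1.0):
    """Flag fields whose entropy departs from the baseline by more than
    `tolerance` bits (the threshold is an assumption, not a patent value)."""
    observed = header_entropies(packets)
    deviating = {f: observed[f] for f in FIELDS
                 if abs(observed[f] - baseline[f]) > tolerance}
    return {"abnormal": bool(deviating), "fields": deviating, "observed": observed}


def make_packet(next_header, src, dst, hop_limit=64, payload=b""):
    """Constructed IPv6 packet for the demonstration."""
    return IPV6_HDR.pack(6 << 28, len(payload), next_header, hop_limit, src, dst) + payload


def addr(last):
    """Address in the 2001:db8::/32 documentation prefix, varying the last byte."""
    return bytes.fromhex("20010db8" + "00" * 11) + bytes([last])


# Constructed windows: ordinary traffic between two hosts (mostly TCP, some UDP)
# versus one host sending ICMPv6 to 32 distinct destinations (a sweep).
NORMAL = [make_packet(6, addr(1), addr(2)) for _ in range(8)] + \
         [make_packet(17, addr(1), addr(2)) for _ in range(2)]
SWEEP = [make_packet(58, addr(1), addr(i)) for i in range(10, 42)]
BASELINE = header_entropies(NORMAL)

if __name__ == "__main__":
    print(analyse_window(NORMAL, BASELINE)["abnormal"])   # False
    print(analyse_window(SWEEP, BASELINE)["fields"])      # {'dst': 5.0}
```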
Example 4: as shown in fig. 5, an embodiment of the present invention discloses an IPv6 network intrusion detection system based on a data mining technology, including:
the host intrusion detection unit is used for detecting known attacks of the data network and unencrypted IPv6 data streams in the target subsystems to finish host intrusion detection;
the network intrusion detection unit presets a variable characteristic database in which characteristic character strings are stored, calls the variable characteristic database, detects IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by using a multi-mode character string matching algorithm, and completes network intrusion detection;
the system monitoring unit is used for monitoring all intrusion detection processes, presetting a variable characteristic database in which intrusion behavior characteristics are stored, calling the variable characteristic database, matching a host intrusion detection result with a network intrusion detection result, judging an attack type and outputting alarm information;
and the response unit is used for processing and displaying the alarm information.
Example 5: as shown in fig. 5, an embodiment of the present invention discloses an IPv6 network intrusion detection system based on a data mining technology, including:
the host intrusion detection unit comprises a plurality of host intrusion detection modules, and each host intrusion detection module comprises an IPSec decryption module, an application layer protection module, an application layer rule base and a system monitor;
the IPSec decryption module is used for carrying out IPSec protocol analysis on the IPv6 data packet header in the target subsystem, extracting the IPv6 data packet header, judging whether the IPv6 data packet header has intrusion behavior by using an information entropy protocol analysis algorithm, and if not, continuing to analyze the IPv6 data packet;
an application layer rule base for storing application layer rules; the application layer rule base is a dynamic database;
the application layer protection module requests the secret key to analyze the IPv6 data packet, calls an application layer rule, matches the analysis result by using a pattern recognition algorithm, judges whether the matching is abnormal or not, and, if the matching is abnormal, responds to it, since an intrusion behavior exists;
and the system monitor monitors the detection process.
The network intrusion detection unit comprises a network data packet acquisition module, a rule analysis module, a preprocessing module, a variable characteristic database, a protocol analysis module and an analysis module;
the network data packet acquisition module is used for capturing an IPv6 data packet in network data by using a data capture function;
the rule analysis module is used for setting a data capture function, and the data capture function comprises a filtering rule of a data address format;
the preprocessing module acquires network address and mask information from the IPv6 data packet, compares the network address and mask information with a filtering rule of a data address format, extracts an IPv6 data packet with consistent comparison, and releases an IPv6 data packet with inconsistent comparison to a network;
a variable characteristic database storing characteristic character strings; the variable characteristic database is a dynamic database; the characteristic character string of a newly admitted IPv6 data packet is identified by using a multi-mode joint matching algorithm and matched against the characteristics stored in the variable characteristic database;
and the protocol analysis module performs content probability calculation on the protocol information in the data header by using an information entropy protocol analysis algorithm after all the characteristics in the IPv6 data packet are matched, and detects out useful fields to find intrusion behaviors.
The system monitoring unit comprises an abnormality detection module, a monitoring management module, a self-learning module and a variable characteristic database;
the anomaly detection module calls a variable characteristic database, matches the host intrusion detection result with the network intrusion detection result, judges the attack type and outputs alarm information;
the monitoring management module monitors all intrusion detection processes;
the self-learning module is used for self-learning the abnormal detection result obtained by detection;
and the variable characteristic database stores the intrusion behavior characteristics.
The response unit comprises an alarm response module and a data display module;
the alarm response module is used for responding to and processing the received alarm information and feeding the alarm information back to the IPv6 network management system, so as to prevent similar attacks from intruding again;
and the data display module is used for displaying the received alarm information.
Embodiment 6, the present invention discloses a storage medium, on which a computer program readable by a computer is stored, and the computer program is configured to execute an IPv6 network intrusion detection method based on a data mining technology when the computer program runs.
The storage medium may include, but is not limited to, a USB flash drive, a read-only memory, a removable hard disk, a magnetic or optical disk, and other media capable of storing computer programs.
Embodiment 7, the embodiment of the present invention discloses an electronic device, which includes a processor and a memory, where the memory stores a computer program, and the computer program is loaded and executed by the processor to implement an IPv6 network intrusion detection method based on a data mining technology.
The electronic equipment further comprises transmission equipment and input and output equipment, wherein the transmission equipment and the input and output equipment are both connected with the processor.
The above technical features constitute the best embodiment of the present invention, which has strong adaptability and the best implementation effect; non-essential technical features can be added or removed according to actual needs to meet the requirements of different situations.

Claims (10)

1. An IPv6 network intrusion detection method based on data mining technology is characterized by comprising the following steps:
detecting known attacks of a data network and unencrypted IPv6 data streams in a plurality of target subsystems to finish host intrusion detection;
presetting a variable characteristic database in which characteristic character strings are stored, calling the variable characteristic database, detecting IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by using a multi-mode character string matching algorithm, and completing network intrusion detection;
monitoring all intrusion detection processes, presetting a variable characteristic database storing intrusion behavior characteristics, calling the variable characteristic database, matching a host intrusion detection result with a network intrusion detection result, judging an attack type, and outputting alarm information;
and processing and displaying the alarm information.
2. The IPv6 network intrusion detection method based on data mining technology of claim 1, wherein the detecting known attacks of data network and unencrypted IPv6 data flows in multiple target subsystems comprises:
carrying out IPSec protocol analysis on the IPv6 data packet header in the target subsystem;
extracting an IPv6 data packet header, judging whether the IPv6 data packet header has intrusion behavior by using an information entropy protocol analysis algorithm, if not, continuing to analyze the IPv6 data packet, and if so, judging that abnormal intrusion behavior data exists;
requesting the key to analyze the IPv6 data packet, calling an application layer rule, matching the analysis result by using a pattern recognition algorithm, judging whether the matching is abnormal or not, and responding to the abnormal intrusion behavior data.
3. The IPv6 network intrusion detection method based on data mining technology as claimed in claim 1 or 2, wherein presetting the variable characteristic database storing the characteristic character strings, calling the variable characteristic database, and detecting the IPv6 data streams encrypted by the IPSec protocol and transmitted between different host objects by using a multi-mode character string matching algorithm comprises:
capturing an IPv6 data packet in network data by using a data capturing function, wherein the data capturing function comprises a filtering rule of a data address format;
presetting a variable characteristic database in which characteristic character strings are stored, identifying the characteristic character strings of the IPv6 data packet by using a multi-mode character string matching algorithm, and matching the characteristic character strings with the stored characteristics in the variable characteristic database;
and judging whether the matching is abnormal or not, if not, conforming to the requirement of the security feature, and if so, having abnormal intrusion behavior data.
4. The IPv6 network intrusion detection method based on data mining technology of claim 3, wherein, after matching of all features in the IPv6 data packets is completed, content probability calculation is performed on protocol information in the data headers by using an information entropy protocol analysis algorithm, and useful fields are detected to find intrusion behavior; and/or capturing the IPv6 data packet in the network data by using a data capture function comprises the following steps: capturing an IPv6 data packet in the network data by using the data capture function, acquiring network address and mask information from the IPv6 data packet, comparing the network address and mask information with a filtering rule of a data address format, extracting the IPv6 data packet when the comparison is consistent, and releasing the IPv6 data packet into the network when the comparison is inconsistent.
5. An IPv6 network intrusion detection system based on data mining technology, comprising:
the host intrusion detection unit is used for detecting known attacks of the data network and unencrypted IPv6 data streams in the target subsystems to finish host intrusion detection;
the network intrusion detection unit presets a variable characteristic database in which characteristic character strings are stored, calls the variable characteristic database, detects IPv6 data streams which are transmitted among different host objects and encrypted by an IPSec protocol by using a multi-mode character string matching algorithm, and completes network intrusion detection;
the system monitoring unit is used for monitoring all intrusion detection processes, presetting a variable characteristic database in which intrusion behavior characteristics are stored, calling the variable characteristic database, matching a host intrusion detection result with a network intrusion detection result, judging an attack type and outputting alarm information;
and the response unit is used for processing and displaying the alarm information.
6. The IPv6 network intrusion detection system based on data mining technology of claim 5, wherein the host intrusion detection unit includes a plurality of host intrusion detection modules, each of which includes an IPSec decryption module, an application layer protection module, an application layer rule base and a system monitor;
the IPSec decryption module is used for carrying out IPSec protocol analysis on the IPv6 data packet header in the target subsystem, extracting the IPv6 data packet header, judging whether the IPv6 data packet header has intrusion behavior by using an information entropy protocol analysis algorithm, and if not, continuing to analyze the IPv6 data packet;
an application layer rule base for storing application layer rules; the application layer rule base is a dynamic database;
the application layer protection module requests the secret key to analyze the IPv6 data packet, calls an application layer rule, matches the analysis result by using a pattern recognition algorithm, judges whether the matching is abnormal or not, and responds to the abnormal matching, so that an intrusion behavior exists;
and the system monitor monitors the detection process.
7. The IPv6 network intrusion detection system based on data mining technology of claim 5 or 6, wherein the network intrusion detection unit comprises a network data packet acquisition module, a rule analysis module, a preprocessing module, a variable characteristic database, a protocol analysis module, and an analysis module;
the network data packet acquisition module is used for capturing an IPv6 data packet in network data by using a data capture function;
the rule analysis module is used for setting a data capture function, and the data capture function comprises a filtering rule of a data address format;
the preprocessing module acquires network address and mask information from the IPv6 data packet, compares the network address and mask information with a filtering rule of a data address format, extracts an IPv6 data packet with consistent comparison, and releases an IPv6 data packet with inconsistent comparison to a network;
a variable characteristic database storing characteristic character strings;
and the protocol analysis module performs content probability calculation on the protocol information in the data header by using an information entropy protocol analysis algorithm after all the characteristics in the IPv6 data packet are matched, and detects out useful fields to find intrusion behaviors.
8. The IPv6 network intrusion detection system based on data mining technology of claim 5 or 6, wherein the system monitoring unit comprises an anomaly detection module, a monitoring management module, a self-learning module and a variable characteristic database;
the anomaly detection module calls a variable characteristic database, matches the host intrusion detection result with the network intrusion detection result, judges the attack type and outputs alarm information;
the monitoring management module monitors all intrusion detection processes;
the self-learning module is used for self-learning the abnormal detection result obtained by detection;
and the variable characteristic database stores the intrusion behavior characteristics.
9. A storage medium having stored thereon a computer program readable by a computer, the computer program being arranged to execute the IPv6 network intrusion detection method according to any one of claims 1 to 4 when running.
10. An electronic device, comprising a processor and a memory, wherein a computer program is stored in the memory, and the computer program is loaded by the processor and executed to implement the IPv6 network intrusion detection method according to any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111017069.1A CN113839925A (en) 2021-08-31 2021-08-31 IPv6 network intrusion detection method and system based on data mining technology


Publications (1)

Publication Number Publication Date
CN113839925A true CN113839925A (en) 2021-12-24


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208682A (en) * 2022-07-26 2022-10-18 上海欣诺通信技术股份有限公司 High-performance network attack feature detection method and device based on snort
CN117176469A (en) * 2023-09-28 2023-12-05 四川音乐学院 Abnormal data monitoring method, equipment and medium for IPv6 campus network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364981A (en) * 2008-06-27 2009-02-11 南京邮电大学 Hybrid intrusion detection method based on Internet protocol version 6
CN101656634A (en) * 2008-12-31 2010-02-24 暨南大学 Intrusion detection system and method based on IPv6 network environment
CN102938771A (en) * 2012-12-05 2013-02-20 山东中创软件商用中间件股份有限公司 Network application fire wall method and system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhang Ying et al.: "A protocol analysis algorithm based on information entropy", Computer Knowledge and Technology, pages 208-209 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination