CN113904853B - Intrusion detection method, device, electronic equipment and medium of network system - Google Patents


Info

Publication number
CN113904853B
Authority
CN
China
Prior art keywords
computer
port
address
source
destination
Prior art date
Legal status
Active
Application number
CN202111192319.5A
Other languages
Chinese (zh)
Other versions
CN113904853A (en)
Inventor
杜悦艺
王忠鹏
左振领
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202111192319.5A
Publication of CN113904853A
Application granted
Publication of CN113904853B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides an intrusion detection method, an intrusion detection device, an electronic device, a medium and a computer program product for a network system, relates to the technical field of the Internet, and in particular to the technical field of network security. The implementation scheme is as follows: in response to detecting that a message sent or received by at least one of the plurality of computers includes first response information, acquiring destination network configuration information of the computer performing port detection and a source IP address of the computer initiating the port detection, the first response information indicating that a port of the computer performing the port detection is unavailable; for each destination network configuration information, counting the number of times each source IP address is acquired within a preset time length; and determining, based on the comparison of the acquisition count with a preset threshold value, whether the computer initiating the port detection has initiated a network intrusion.

Description

Intrusion detection method, device, electronic equipment and medium of network system
Technical Field
The present disclosure relates to the field of internet technology, and in particular, to the field of network security technology, and in particular, to an intrusion detection method, an intrusion detection device, an electronic device, a computer readable storage medium, and a computer program product for a network system.
Background
Network intrusion is an attack on systems and resources that exploits vulnerabilities and security flaws present in network information systems. Various network intrusions pose a serious threat to network security. Intrusion detection technology refers to technology that collects information from several nodes in a computer network or computer system and analyzes it to discover whether behavior violating security policies, or an attack, is present in the network or system. A great deal of research and experimentation on intrusion detection has been carried out in recent years, and various detection methods have been proposed, each with a certain applicability to the detection of specific intrusion and attack behaviors. In general, however, intrusion detection methods still need further research and refinement in the face of increasingly complex high-speed networks and increasingly novel intrusion means.
The approaches described in this section are not necessarily approaches that have been previously conceived or pursued. Unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section. Similarly, the problems mentioned in this section should not be considered as having been recognized in any prior art unless otherwise indicated.
Disclosure of Invention
The present disclosure provides a method, apparatus, electronic device, computer readable storage medium and computer program product for intrusion detection of a network system.
According to an aspect of the present disclosure, there is provided an intrusion detection method of a network system including a plurality of computers communicating with each other using messages, the method including: in response to detecting that a message sent or received by at least one of the plurality of computers includes first response information, acquiring destination network configuration information of the computer performing port detection and a source IP address of the computer initiating the port detection, wherein the first response information indicates that a port of the computer performing the port detection is unavailable; for each destination network configuration information, counting the number of times each source IP address is acquired within a preset time length; and determining whether the computer initiating the port detection has initiated a network intrusion based on a comparison result of the acquisition count and a preset threshold value.
According to another aspect of the present disclosure, there is provided an intrusion detection apparatus of a network system including a plurality of computers communicating with each other using messages, the apparatus comprising: an obtaining unit configured to obtain destination network configuration information of a computer performing port detection and a source IP address of the computer initiating the port detection in response to detecting that first response information is included in a message sent or received by at least one of the plurality of computers, wherein the first response information indicates that a port of the computer performing the port detection is unavailable; a statistics unit configured to count, for each destination network configuration information, the number of times each source IP address is acquired within a preset time length; and a determining unit configured to determine whether the computer initiating the port detection has initiated a network intrusion based on a result of comparing the acquisition count with a preset threshold.
According to another aspect of the present disclosure, there is provided an electronic device including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the intrusion detection method of the network system described above.
According to another aspect of the present disclosure, there is also provided a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform an intrusion detection method according to the above-described network system.
According to another aspect of the present disclosure, there is also provided a computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the intrusion detection method of a network system as described above.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The accompanying drawings illustrate exemplary embodiments and, together with the description, serve to explain exemplary implementations of the embodiments. The illustrated embodiments are for exemplary purposes only and do not limit the scope of the claims. Throughout the drawings, identical reference numerals designate similar, but not necessarily identical, elements.
FIG. 1 illustrates a schematic diagram of an exemplary system in which various methods described herein may be implemented, in accordance with an embodiment of the present disclosure;
FIG. 2 illustrates a flow chart of an intrusion detection method of a network system according to an embodiment of the present disclosure;
FIG. 3 illustrates a schematic diagram of an exemplary system in which an intrusion detection method of a network system may be implemented, according to an embodiment of the present disclosure;
FIG. 4 illustrates a schematic diagram of an exemplary system in which an intrusion detection method of a network system may be implemented, according to an embodiment of the present disclosure;
FIG. 5 illustrates a schematic diagram of an exemplary system in which an intrusion detection method of a network system may be implemented, according to an embodiment of the present disclosure;
FIG. 6 shows a flowchart of a portion of an example process in the method of FIG. 2, according to an embodiment of the present disclosure;
Fig. 7 shows a block diagram of an intrusion detection device of a network system according to an embodiment of the present disclosure; and
Fig. 8 illustrates a block diagram of an exemplary electronic device that can be used to implement embodiments of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In the present disclosure, the use of the terms "first," "second," and the like to describe various elements is not intended to limit the positional relationship, timing relationship, or importance relationship of the elements, unless otherwise indicated, and such terms are merely used to distinguish one element from another. In some examples, a first element and a second element may refer to the same instance of the element, and in some cases, they may also refer to different instances based on the description of the context.
The terminology used in the description of the various illustrated examples in this disclosure is for the purpose of describing particular examples only and is not intended to be limiting. Unless the context clearly indicates otherwise, the elements may be one or more if the number of the elements is not specifically limited. Furthermore, the term "and/or" as used in this disclosure encompasses any and all possible combinations of the listed items.
As mentioned above, in the intrusion detection technology, there are a variety of detection methods.
In the related art, rule-based intrusion detection analyzes and extracts the features of various network intrusion behaviors, presets rules in an intrusion detection system, and finally performs rule matching on network traffic, thereby detecting network intrusion. This technology requires that the characteristics of the intrusion behavior be known in advance, before the network intrusion is encountered, so intrusion behavior with unknown characteristics cannot be handled, and the preset rules can be evaded. In addition, since the method must perform rule matching on all network traffic, matching against the normal rule set consumes a great deal of system performance, and the consumption of computing resources grows along with the exponential growth of network traffic.
In other related technologies, statistics-based intrusion detection has the intrusion detection system establish a profile of the system's normal behavior through traffic statistical analysis; when the behavior of the system exceeds a threshold value of the normal-behavior profile, the system is considered to have possibly been intruded upon. However, the rate of false negatives and false positives is high. In addition, the threshold value in the statistical method is difficult to determine effectively: if the threshold value is too small, a large number of false positives may be generated, and if the threshold value is too large, a large number of false negatives may be generated.
Furthermore, neither of the above techniques can process encrypted data, so if the data is encrypted during transmission, intrusion detection is difficult.
In view of this, the present disclosure provides an intrusion detection method, apparatus, electronic device, computer-readable storage medium, and computer program product for a network system.
Embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings.
Fig. 1 illustrates a schematic diagram of an exemplary system 100 in which various methods and apparatus described herein may be implemented, in accordance with an embodiment of the present disclosure. Referring to fig. 1, the system 100 includes one or more client devices 101, 102, 103, 104, 105, and 106, a server 120, and one or more communication networks 110 coupling the one or more client devices to the server 120. Client devices 101, 102, 103, 104, 105, and 106 may be configured to execute one or more applications.
In embodiments of the present disclosure, the server 120 may run one or more services or software applications that enable the intrusion detection methods of the network system to be performed.
In some embodiments, server 120 may also provide other services or software applications that may include non-virtual environments and virtual environments. In some embodiments, these services may be provided as web-based services or cloud services, for example, provided to users of client devices 101, 102, 103, 104, 105, and/or 106 under a software as a service (SaaS) model.
In the configuration shown in fig. 1, server 120 may include one or more components that implement the functions performed by server 120. These components may include software components, hardware components, or a combination thereof that are executable by one or more processors. A user operating client devices 101, 102, 103, 104, 105, and/or 106 may in turn utilize one or more client applications to interact with server 120 to utilize the services provided by these components. It should be appreciated that a variety of different system configurations are possible, which may differ from system 100. Accordingly, FIG. 1 is one example of a system for implementing the various methods described herein and is not intended to be limiting.
The client device may provide an interface that enables a user of the client device to interact with the client device. The client device may also output information to the user via the interface. Although fig. 1 depicts only six client devices, those skilled in the art will appreciate that the present disclosure may support any number of client devices.
Client devices 101, 102, 103, 104, 105, and/or 106 may include various types of computer devices, such as portable handheld devices, general purpose computers (such as personal computers and laptop computers), workstation computers, wearable devices, smart screen devices, self-service terminal devices, service robots, gaming systems, thin clients, various messaging devices, sensors or other sensing devices, and the like. These computer devices may run various types and versions of software applications and operating systems, such as MICROSOFT Windows, APPLE iOS, UNIX-like operating systems, Linux, or Linux-like operating systems (e.g., GOOGLE Chrome OS); or include various mobile operating systems such as MICROSOFT Windows Mobile OS, iOS, Windows Phone, Android. Portable handheld devices may include cellular telephones, smart phones, tablet computers, Personal Digital Assistants (PDAs), and the like. Wearable devices may include head mounted displays (such as smart glasses) and other devices. The gaming system may include various handheld gaming devices, Internet-enabled gaming devices, and the like. The client device is capable of executing a variety of different applications, such as various Internet-related applications, communication applications (e.g., email applications), Short Message Service (SMS) applications, and may use a variety of communication protocols.
Network 110 may be any type of network known to those skilled in the art that may support data communications using any of a number of available protocols, including but not limited to TCP/IP, SNA, IPX, etc. For example only, the one or more networks 110 may be a Local Area Network (LAN), an ethernet-based network, a token ring, a Wide Area Network (WAN), the internet, a virtual network, a Virtual Private Network (VPN), an intranet, an extranet, a Public Switched Telephone Network (PSTN), an infrared network, a wireless network (e.g., bluetooth, WIFI), and/or any combination of these and/or other networks.
The server 120 may include one or more general purpose computers, special purpose server computers (e.g., PC (personal computer) servers, UNIX servers, midrange servers), blade servers, mainframe computers, server clusters, or any other suitable arrangement and/or combination. The server 120 may include one or more virtual machines running a virtual operating system, or other computing architecture that involves virtualization (e.g., one or more flexible pools of logical storage devices that may be virtualized to maintain virtual storage devices of the server). In various embodiments, server 120 may run one or more services or software applications that provide the functionality described below.
The computing units in server 120 may run one or more operating systems including any of the operating systems described above as well as any commercially available server operating systems. Server 120 may also run any of a variety of additional server applications and/or middle tier applications, including HTTP servers, FTP servers, CGI servers, JAVA servers, database servers, etc.
In some implementations, server 120 may include one or more applications to analyze and consolidate data feeds and/or event updates received from users of client devices 101, 102, 103, 104, 105, and 106. Server 120 may also include one or more applications to display data feeds and/or real-time events via one or more display devices of client devices 101, 102, 103, 104, 105, and 106.
In some implementations, the server 120 may be a server of a distributed system or a server that incorporates a blockchain. The server 120 may also be a cloud server, or an intelligent cloud computing server or intelligent cloud host with artificial intelligence technology. A cloud server is a host product in a cloud computing service system, intended to overcome the drawbacks of difficult management and weak service scalability in traditional physical host and Virtual Private Server (VPS) services.
The system 100 may also include one or more databases 130. In some embodiments, these databases may be used to store data and other information. For example, one or more of databases 130 may be used to store information such as audio files and video files. Database 130 may reside in various locations. For example, the database used by the server 120 may be local to the server 120, or may be remote from the server 120 and may communicate with the server 120 via a network-based or dedicated connection. Database 130 may be of different types. In some embodiments, the database used by server 120 may be, for example, a relational database. One or more of these databases may store, update, and retrieve the databases and data from the databases in response to the commands.
In some embodiments, one or more of databases 130 may also be used by applications to store application data. The databases used by the application may be different types of databases, such as key value stores, object stores, or conventional stores supported by the file system.
The system 100 of fig. 1 may be configured and operated in various ways to enable application of the various methods and apparatus described in accordance with the present disclosure.
The applicant finds that in a network intrusion, the available ports of the computer are generally determined through port scanning, the service types on the ports are then identified according to the response information of the ports, and finally the network intrusion is completed by exploiting the vulnerabilities of those services. Port scanning is a method of determining the processes and services running on a target computer by connecting to its ports (e.g., Transmission Control Protocol (TCP) ports and User Datagram Protocol (UDP) ports); the purpose of scanning is to determine the services opened by the target computer and the specifics of its operating system, so that the scanner learns, directly or indirectly, the security holes present on the target computer through which an attack can be implemented. The principle of port scanning is to send information to all the ports of the target computer to be scanned, and to analyze whether the ports of the target computer are available according to the returned response information.
When a computer in a network system is compromised, the compromised computer may perform port scanning on other computers in the network system to further compromise them. For example, the compromised computer may send a message to a port of another computer via the TCP protocol to request that a connection be established. When the port of the other computer receiving the request message is in an available state, the port can return, for example, a SYN/ACK message; when that port is in an unavailable state, it may return, for example, an RST message. For another example, the compromised computer may send a message to the port of the other computer via the UDP protocol, and when the port of the other computer receiving the message is in an unavailable state, it may return a response message such as ICMP Port Unreachable.
In normal business operation of the network system, a computer typically does not scan the ports of other computers in large numbers, but rather connects directly to the available ports of other computers. Thus, by detecting reply information such as the RST message or the ICMP Port Unreachable message mentioned above, port scanning behavior in the network system can be identified to determine whether a network intrusion is present.
Fig. 2 shows a flowchart of an intrusion detection method 200 of a network system according to an embodiment of the present disclosure. The network system includes a plurality of computers that communicate with each other using messages.
The method 200 comprises the following steps: step S210, in response to detecting that a message sent or received by at least one computer of the plurality of computers comprises first response information, acquiring destination network configuration information of the computer executing the port detection and a source IP address of the computer initiating the port detection, wherein the first response information indicates that a port of the computer executing the port detection is unavailable; step S220, for each destination network configuration information, counting the number of times each source IP address is acquired within a preset time length; and step S230, determining whether the computer initiating the port detection has initiated a network intrusion based on the comparison result of the acquisition count and the preset threshold value.
Thus, by detecting first reply information in the network system (e.g., the RST message or ICMP Port Unreachable message mentioned above), identifying the computer in the network system that initiated the port detection, counting the number of occurrences of the IP address of that computer over a period of time, and comparing the count with a preset threshold, it can be determined whether the computer that initiated the port detection has initiated a network intrusion. On the one hand, therefore, whether a network intrusion has been initiated can be determined without performing rule matching on all network traffic and without knowing the behavioral characteristics of the network intrusion in advance, which saves computing resources and computing time and improves the speed and efficiency of intrusion detection; on the other hand, by setting a reasonable preset threshold value, the false alarms and missed alarms of intrusion detection can be reduced, improving the precision of intrusion detection.
The method 200 is further described below in conjunction with fig. 3-6.
Fig. 3-5 illustrate diagrams of exemplary network systems in which intrusion detection methods of the network systems may be implemented according to embodiments of the present disclosure.
As shown in fig. 3, the network system includes computers 310A to 310D and a server 320. The server 320 has the same features as the server 120 described above with respect to fig. 1 and will not be described in detail herein for the sake of brevity. Computers 310A-310D may communicate with each other using messages. Solid arrows in the figure represent communication of computer 310A with computer 310B, computer 310C, and computer 310D, respectively. Dashed arrows in the figure represent communication between computers 310A-310D and server 320. The steps of method 200 may be performed by, for example, server 320.
In step S210, in response to detecting that the first reply information (e.g., the RST message or ICMP Port Unreachable message mentioned above) is included in a message sent or received by at least one of the plurality of computers (e.g., any one or more of computers 310A-310D), the destination network configuration information of the computer that performed the port probe (e.g., one of computers 310B-310D) and the source IP address of the computer that initiated the port probe (e.g., computer 310A) may be obtained.
In some embodiments, the destination network configuration information may include a destination IP address or destination port.
In step S220, the number of times each source IP address is acquired within a preset length of time (for example, within 1 second) may be counted for each destination IP address. As shown in Table 1 below, for destination IP address IP310B, source IP address IP310A is acquired 6 times within 1 second; for destination IP address IP310C, source IP address IP310A is acquired 3 times within 1 second; for destination IP address IP310D, source IP address IP310A is acquired 1 time within 1 second.
Alternatively, in step S220, the number of times each source IP address is acquired within a preset length of time (for example, within 1 second) may be counted for each destination port. As shown in Table 1 below, for destination port 1, source IP address IP310A is acquired 6 times within 1 second; for destination port 2, source IP address IP310A is acquired 4 times within 1 second.
TABLE 1
Source IP address   Destination IP address   Destination port
IP310A              IP310B                   Port 1
IP310A              IP310B                   Port 1
IP310A              IP310B                   Port 1
IP310A              IP310B                   Port 1
IP310A              IP310B                   Port 1
IP310A              IP310B                   Port 2
IP310A              IP310C                   Port 1
IP310A              IP310C                   Port 2
IP310A              IP310C                   Port 2
IP310A              IP310D                   Port 2
In step S230, it may be determined whether the computer that initiated the port probe (e.g., computer 310A) has initiated a network intrusion against different ports of the same computer, based on the result of comparing the acquisition count (source IP address IP310A acquired 6 times within 1 second for destination IP address IP310B) with a preset threshold (e.g., 5).
Alternatively, in step S230, it may be determined whether the computer that initiated the port probe (e.g., computer 310A) has initiated a network intrusion against the same port of different computers, based on the result of comparing the acquisition count (source IP address IP310A acquired 6 times within 1 second for destination port 1) with the preset threshold (e.g., 5).
It should be understood that only 10 rows of data are schematically listed in Table 1; there may be more rows, which are not described in detail here.
In some embodiments, at step S230, determining whether the computer initiating the port probe has initiated a network intrusion may include: in response to determining that the value obtained by multiplying the acquisition count by a weighting coefficient is greater than the preset threshold, determining that the computer initiating the port probe has initiated a network intrusion. The weighting coefficient is related to the business properties of the computer on which the port probing is performed.
For example, the business nature of computer 310B may mean that a certain amount of port probing of it is expected during normal business operation. A smaller weighting coefficient (e.g., 0.5) may then be set: the acquisition count (e.g., source IP address IP310A acquired 6 times within 1 second for destination IP address IP310B) is multiplied by the weighting coefficient 0.5 to obtain the value 3; since 3 is less than the preset threshold of 5, it may be determined that computer 310A, which initiated the port probe, did not initiate a network intrusion against computer 310B but performed normal business operations.
Similarly, different weighting coefficients may be set for each of the plurality of computers, depending on the business nature of each computer.
Therefore, by setting different coefficients for different computers according to their business properties, and comparing the weighted counts with the corresponding preset thresholds, the accuracy of intrusion detection can be further improved, so that port scanning behavior that belongs to normal business operation is less likely to be, or is not, misidentified as a network intrusion.
In some embodiments, the plurality of computers comprises a honeypot computer, the destination network configuration information comprises a destination IP address, and the value of the weighting coefficient is greater than 1. At step S230, determining that the computer initiating the port probe initiated a network intrusion may include: for the destination IP address corresponding to the honeypot computer, determining that the computer initiating the port probe has initiated a network intrusion in response to determining that the value obtained by multiplying the acquisition times by the weighting coefficient is greater than the preset threshold.
For example, the computer 310D may be a honeypot computer. A honeypot is a technique for deceiving network intruders: a honeypot computer is deployed to lure a network intruder into attacking it, so that the intrusion behaviour can be captured and analysed and the tools and methods used by the intruder can be learned.
Normally, normal business operation will not port scan the honeypot computer; only a computer initiating a network intrusion will port scan the honeypot computer, since it does not distinguish between computers when scanning multiple computers. Thus, as shown in table 1, although the acquisition number of the source IP address IP 310A acquired within 1 second is only 1 for the destination IP address IP 310D, the weighting coefficient may be set to 10, and the value 10 obtained by multiplying the acquisition number 1 by the weighting coefficient 10 is greater than the preset threshold 5, so it may be determined that the computer 310A that initiated the port probe has initiated a network intrusion. Therefore, setting a coefficient greater than 1 for the honeypot computer can further improve the accuracy of intrusion detection.
As shown by the dashed lines in fig. 3, each of the computers 310A through 310D may send information to the server 320. In one example, when computer 310A sends a message request to computer 310B via the TCP protocol and the requested port of computer 310B is unavailable, computer 310B may send information such as the source IP address, the destination IP address and the destination port to the server 320; upon receiving the response message indicating that the port is unavailable, computer 310A also sends the source IP address, destination IP address and destination port to the server 320. The server 320 would then count the source IP address twice although there was only one corresponding scanning behaviour, which makes the statistics inaccurate and affects the accuracy of intrusion detection.
Thus, in some embodiments, the method 200 may further comprise: obtaining timestamp information parsed from messages sent or received by the at least one computer, the timestamp information being associated with the source IP address and indicating the time at which the first response information was sent. In step S220, counting the number of times each source IP address is acquired within the preset time period may include: deduplicating the acquisition times of source IP addresses associated with the same timestamp, and taking the deduplicated acquisition times as the acquisition times of each source IP address.
Since the timestamp information indicates the sending time of the first response information, when, for example, the timestamp associated with the source IP address IP 310A acquired from the computer 310B is the same as the timestamp associated with the source IP address IP 310A acquired from the computer 310A, the two acquisitions may be deduplicated and the deduplicated acquisition number taken as the acquisition number of that source IP address, thereby reducing statistical errors and further improving the accuracy of intrusion detection.
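The following is an added example, not code from the patent or its assignee, that puts the server-side logic described above (steps S220 and S230, the per-computer weighting coefficient, the honeypot coefficient greater than 1, and the timestamp deduplication) into one runnable Python module. The record layout `ProbeReport`, the IP addresses (10.0.0.1 standing for computer 310A, 10.0.0.2 for 310B, 10.0.0.4 for the honeypot 310D), the 1-second window and the threshold of 5 are constructed to mirror the table 1 example; the deduplication key is narrowed to (source IP, destination IP, destination port, timestamp) rather than the page's (source IP, timestamp) so that two distinct probes that happen to share a timestamp are not merged. Counting is done twice, once keyed by destination IP (many ports on one computer) and once by destination port (the same port on many computers), generalising the single-key example in the text.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List, Tuple


@dataclass(frozen=True)
class ProbeReport:
    """One 'port unavailable' reply reported to the server (constructed record layout)."""
    source_ip: str    # computer that initiated the port probe
    dest_ip: str      # computer whose port was probed
    dest_port: int    # port that was probed and found unavailable
    reply_ts: float   # time at which the 'port unavailable' reply was sent


def dedup_reports(reports: Iterable[ProbeReport]) -> List[ProbeReport]:
    """Collapse reports of the same probe seen by both endpoints.

    A probe that is reported by the probed computer and again by the prober
    carries the same source IP and the same reply timestamp; keep only one copy.
    """
    seen = set()
    unique: List[ProbeReport] = []
    for r in reports:
        key = (r.source_ip, r.dest_ip, r.dest_port, r.reply_ts)
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def count_sources(reports: Iterable[ProbeReport],
                  dest_key: Callable[[ProbeReport], Hashable],
                  window_start: float,
                  window_len: float = 1.0) -> Counter:
    """Step S220: per destination key (IP or port), count acquisitions of each source IP in the window."""
    counts: Counter = Counter()
    for r in reports:
        if window_start <= r.reply_ts < window_start + window_len:
            counts[(dest_key(r), r.source_ip)] += 1
    return counts


def flag_intrusions(counts: Counter,
                    weights: Dict[Hashable, float],
                    threshold: float = 5,
                    default_weight: float = 1.0) -> List[Tuple[str, Hashable, float]]:
    """Step S230: flag (source_ip, dest_key, weighted count) where count * coefficient > threshold.

    A coefficient below 1 tolerates computers whose business requires some probing;
    a coefficient above 1 (e.g. 10 for a honeypot) makes a single probe sufficient.
    """
    flagged = []
    for (dest_key, src), n in counts.items():
        weighted = n * weights.get(dest_key, default_weight)
        if weighted > threshold:
            flagged.append((src, dest_key, weighted))
    return sorted(flagged)


def detect(reports: Iterable[ProbeReport],
           weights_by_dest_ip: Dict[str, float],
           weights_by_dest_port: Dict[int, float],
           window_start: float,
           threshold: float = 5) -> Dict[str, list]:
    """Run deduplication, then both counting views, and return the flagged pairs of each view."""
    unique = dedup_reports(reports)
    by_ip = count_sources(unique, lambda r: r.dest_ip, window_start)
    by_port = count_sources(unique, lambda r: r.dest_port, window_start)
    return {
        "by_dest_ip": flag_intrusions(by_ip, weights_by_dest_ip, threshold),
        "by_dest_port": flag_intrusions(by_port, weights_by_dest_port, threshold),
    }


# Constructed sample modelled on table 1: 10.0.0.1 (310A) probes six ports of 10.0.0.2 (310B)
# within one second and touches the honeypot 10.0.0.4 (310D) once. The first probe is
# reported twice, once by 310B and once by 310A itself, with the same reply timestamp.
SAMPLE_REPORTS = [
    ProbeReport("10.0.0.1", "10.0.0.2", port, 100.0 + 0.1 * i)
    for i, port in enumerate([21, 22, 23, 25, 80, 443])
] + [
    ProbeReport("10.0.0.1", "10.0.0.2", 21, 100.0),   # duplicate report of the first probe
    ProbeReport("10.0.0.1", "10.0.0.4", 22, 100.5),   # single probe of the honeypot
]

# Assumed coefficients: 310B's business tolerates probing (0.5); the honeypot is weighted 10.
SAMPLE_WEIGHTS = {"10.0.0.2": 0.5, "10.0.0.4": 10.0}

if __name__ == "__main__":
    print("unweighted:", detect(SAMPLE_REPORTS, {}, {}, window_start=100.0))
    print("weighted:  ", detect(SAMPLE_REPORTS, SAMPLE_WEIGHTS, {}, window_start=100.0))
```

Without coefficients the six probes of 10.0.0.2 exceed the threshold and the single honeypot probe does not; with the coefficients the result inverts, which is exactly the behaviour the two worked examples above describe. Without `dedup_reports` the count for 10.0.0.2 would be 7 rather than 6.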
In some embodiments, a network proxy may be provided at each of the plurality of computers, and wherein, at step S210, obtaining destination network configuration information for the computer on which the port probing is performed and a source IP address of the computer on which the port probing is initiated may include: destination network configuration information of the computer on which the port probing is performed and a source IP address of the computer on which the port probing is initiated are obtained from the network proxy.
For example, as shown in fig. 4, the network system includes computers 410A to 410D and a server 420. The server 420 has the same features as the server 320 described above with respect to fig. 3 and will not be described in detail herein for brevity. Computers 410A-410D may communicate with each other using messages. Solid arrows in the figure represent communication between computer 410A and computers 410B, 410C, 410D, respectively. Dashed arrows in the figure represent communication between computer 410A and server 420.
Network proxies may be provided at each of the four computers 410A-410D. When a computer (e.g., computer 410A) initiates a port scan against another computer, the destination network configuration information (e.g., destination IP address or destination port) of the computer on which the port probe is performed (e.g., computer 410B, 410C, or 410D) and the source IP address of the computer that initiated the port probe (e.g., computer 410A) may be sent to the server 420 only by the network proxy provided at the computer 410A. This avoids counting the same port scanning behaviour two or more times, reduces statistical errors and further improves the accuracy of intrusion detection.
In some embodiments, multiple computers may be communicatively connected to each other through a switch.
As shown in fig. 5, the network system includes computers 510A to 510D and a server 520. The server 520 has the same characteristics as the server 320 described above with respect to fig. 3 and will not be described again here for brevity. Computers 510A-510D are communicatively coupled to each other via switch 530, and messages sent from each of computers 510A-510D are communicated via switch 530.
Fig. 6 shows a flowchart of a portion of an example process of the method 200 of fig. 2, according to an embodiment of the disclosure. As shown in fig. 6, in the method 200, obtaining destination network configuration information of the computer on which port probing is performed and the source IP address of the computer that initiated the port probing (step S210) may include: step S611, receiving a message sent by the switch; and step S612, parsing the destination network configuration information of the computer performing the port probing and the source IP address of the computer initiating the port probing from the message sent by the switch.
Referring again to fig. 5, in response to detecting that the first response information is included in a message sent or received by at least one of the plurality of computers, the server 520 may receive the message sent by the switch 530 and parse from it the destination network configuration information (e.g., destination IP address or destination port) of the computer on which the port probing is performed and the source IP address of the computer that initiated the port probing. Thus, information such as the source IP address can be fed back to the server without providing a network proxy at each of the plurality of computers, and the server can then detect whether a network intrusion has occurred based on that information.
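As an added example of step S612, not taken from the patent, the following Python code parses a raw IPv4/TCP message as a switch might forward it to the server 520. The page does not say which protocol message constitutes the "first response information"; this example assumes it is a TCP RST segment, the usual reply to a connection attempt on a closed port. The point a practitioner needs to get right is the direction of the reply: the RST travels from the probed computer back to the prober, so the prober's source IP address is the packet's destination IP, and the probed port is the packet's TCP source port. `build_tcp_packet` is a constructed helper for producing sample packets offline (checksums are left at zero), and the reply timestamp is taken from the capture rather than from the packet, since a plain TCP header carries none.

```python
import ipaddress
import struct
from typing import Optional

TCP_PROTO = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10


def parse_unavailable_reply(packet: bytes, reply_ts: float) -> Optional[dict]:
    """Return the probe record behind an IPv4/TCP RST reply, or None if the packet is not one.

    The returned record follows the patent's vocabulary: 'source_ip' is the computer
    that initiated the probe and 'dest_ip'/'dest_port' identify the probed port.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # not IPv4 or truncated
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        return None                                   # bad header length or no full TCP header
    if packet[9] != TCP_PROTO:
        return None                                   # only TCP replies are considered here
    reply_src_ip = str(ipaddress.IPv4Address(packet[12:16]))
    reply_dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    tcp_src_port, tcp_dst_port, _seq, _ack, off_flags = struct.unpack(
        "!HHIIH", packet[ihl:ihl + 14])
    flags = off_flags & 0x01FF
    if not flags & TCP_FLAG_RST:
        return None                                   # not a 'port unavailable' reply
    # The RST goes from the probed host to the prober, so swap roles relative to the packet.
    return {
        "source_ip": reply_dst_ip,   # computer that initiated the port probe
        "dest_ip": reply_src_ip,     # computer whose port was probed
        "dest_port": tcp_src_port,   # the unavailable port
        "reply_ts": reply_ts,
    }


def build_tcp_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed helper: minimal IPv4 + TCP headers (no options, zero checksums) for offline samples."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                            ipaddress.IPv4Address(src_ip).packed,
                            ipaddress.IPv4Address(dst_ip).packed)
    data_offset_and_flags = (5 << 12) | flags          # 5 x 32-bit words, no TCP options
    tcp_header = struct.pack("!HHIIHHHH",
                             src_port, dst_port, 0, 0, data_offset_and_flags, 0, 0, 0)
    return ip_header + tcp_header


if __name__ == "__main__":
    # Constructed sample: 10.0.0.1 probed port 22 of 10.0.0.2, which answered with RST/ACK.
    rst = build_tcp_packet("10.0.0.2", "10.0.0.1", 22, 40000, TCP_FLAG_RST | TCP_FLAG_ACK)
    print(parse_unavailable_reply(rst, reply_ts=100.0))
    # The probe itself (a SYN) is not a reply and yields no record.
    print(parse_unavailable_reply(build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 22, TCP_FLAG_SYN), 100.0))
```

Records produced this way carry exactly the fields step S220 needs (source IP, destination IP, destination port and reply timestamp), so the switch-fed path and the network-proxy path of the preceding section can share the same counting and thresholding logic on the server.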
In some embodiments, the method 200 may further comprise: in response to determining that the computer initiating the port probe initiated the network intrusion, issuing an alert signal. Thus, a warning can be sent to the user indicating which computer initiated the network intrusion, so that corresponding measures can be taken, such as isolating that computer or tracking the intrusion behaviour, to ensure the security of the network system.
Fig. 7 shows a block diagram of an intrusion detection device 700 of a network system according to an embodiment of the present disclosure.
According to fig. 7, the intrusion detection apparatus 700 includes: an obtaining unit 710, where the obtaining unit 710 is configured to obtain, in response to detecting that a message sent or received by at least one of the plurality of computers includes first response information, destination network configuration information of the computer performing the port detection and a source IP address of the computer initiating the port detection, where the first response information indicates that a port of the computer performing the port detection is unavailable; a statistics unit 720, wherein the statistics unit 720 is configured to count, for each destination network configuration information, the number of times of obtaining each source IP address obtained within a preset time length; and a determining unit 730, wherein the determining unit 730 is configured to determine whether the computer initiating the port detection initiates a network intrusion based on a comparison result of the acquisition times and a preset threshold.
In some embodiments, the determining unit 730 may be further configured to: in response to determining that the value obtained by multiplying the acquisition times by a weighting coefficient is greater than the preset threshold, determine that the computer initiating the port probe has initiated a network intrusion, wherein the weighting coefficient is related to the business nature of the computer on which the port probing is performed.
In some embodiments, the plurality of computers may comprise a honeypot computer, the destination network configuration information may comprise a destination IP address, and the weighting coefficient has a value greater than 1. The determining unit 730 may be further configured to: for the destination IP address corresponding to the honeypot computer, determine that the computer initiating the port probe has initiated a network intrusion in response to determining that the value obtained by multiplying the acquisition times by the weighting coefficient is greater than the preset threshold.
In some embodiments, the acquisition unit 710 may be further configured to: obtain timestamp information parsed from messages sent or received by the at least one computer, the timestamp information being associated with the source IP address and indicating the time at which the first response information was sent. Counting the number of times each source IP address is acquired within the preset time length may include: deduplicating the acquisition times of source IP addresses associated with the same timestamp, and taking the deduplicated acquisition times as the acquisition times of each source IP address.
In some embodiments, a network proxy may be provided at each of the plurality of computers. And wherein the acquisition unit 710 may be further configured to: destination network configuration information of the computer on which the port probing is performed and a source IP address of the computer on which the port probing is initiated are obtained from the network proxy.
In some embodiments, the plurality of computers may be communicatively connected to each other through a switch, and the acquisition unit 710 may be further configured to: receive a message sent by the switch; and parse the destination network configuration information of the computer performing the port probing and the source IP address of the computer initiating the port probing from the message sent by the switch.
In some embodiments, the apparatus 700 may further comprise: a warning unit (not shown) may be configured to issue a warning signal in response to determining that the computer initiating the port probe initiated the network intrusion.
In some embodiments, the destination network configuration information may include a destination IP address or destination port.
In the technical solution of the present disclosure, the collection, storage, use, processing, transmission, provision, disclosure and other processing of users' personal information comply with the relevant laws and regulations and do not violate public order and good customs.
According to embodiments of the present disclosure, there is also provided an electronic device, a readable storage medium and a computer program product.
Referring to fig. 8, a block diagram of an electronic device 800 that may be a server or a client of the present disclosure, which is an example of a hardware device that may be applied to aspects of the present disclosure, will now be described. Electronic devices are intended to represent various forms of digital electronic computer devices, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 8, the apparatus 800 includes a computing unit 801 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 802 or a computer program loaded from a storage unit 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the device 800 can also be stored. The computing unit 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
Various components in device 800 are connected to the I/O interface 805, including: an input unit 806, an output unit 807, a storage unit 808, and a communication unit 809. The input unit 806 may be any type of device capable of inputting information to the device 800; it may receive input numeric or character information and generate key signal inputs related to user settings and/or function control of the electronic device, and may include, but is not limited to, a mouse, a keyboard, a touch screen, a trackpad, a trackball, a joystick, a microphone, and/or a remote control. The output unit 807 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, video/audio output terminals, vibrators, and/or printers. The storage unit 808 may include, but is not limited to, magnetic disks and optical disks. The communication unit 809 allows the device 800 to exchange information/data with other devices over computer networks, such as the internet, and/or various telecommunications networks, and may include, but is not limited to, modems, network cards, infrared communication devices, wireless communication transceivers and/or chipsets, such as Bluetooth(TM) devices, 802.11 devices, WiFi devices, WiMax devices, cellular communication devices, and/or the like.
The computing unit 801 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 801 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 801 performs the various methods and processes described above, such as method 200. For example, in some embodiments, the method 200 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 808. In some embodiments, part or all of the computer program may be loaded and/or installed onto device 800 via ROM 802 and/or communication unit 809. When a computer program is loaded into RAM 803 and executed by computing unit 801, one or more steps of method 200 described above may be performed. Alternatively, in other embodiments, the computing unit 801 may be configured to perform the method 200 by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
Although embodiments or examples of the present disclosure have been described with reference to the accompanying drawings, it is to be understood that the foregoing methods, systems, and apparatus are merely exemplary embodiments or examples, and that the scope of the present invention is not limited by these embodiments or examples but only by the granted claims and their equivalents. Various elements of the embodiments or examples may be omitted or replaced with equivalent elements thereof. Furthermore, the steps may be performed in a different order than described in the present disclosure. Further, various elements of the embodiments or examples may be combined in various ways. It should be noted that, as technology evolves, many of the elements described herein may be replaced by equivalent elements that appear after the disclosure.

Claims (17)

1. An intrusion detection method of a network system including a plurality of computers that communicate with each other using messages, the method comprising:
in response to detecting that a message sent or received by at least one computer of the plurality of computers comprises first response information, acquiring destination network configuration information of the computer performing port detection and a source IP address of the computer initiating the port detection, wherein the first response information indicates that a port of the computer performing the port detection is unavailable;
obtaining timestamp information parsed from messages sent or received by the at least one computer, the timestamp information being associated with the source IP address and indicating a time of sending the first response information;
counting, for each destination network configuration information, the acquisition times of each source IP address acquired within a preset time length, wherein the counting comprises: performing deduplication on the acquisition times of the source IP addresses associated with the same timestamp to obtain the acquisition times after deduplication as the acquisition times of each source IP address; and
determining whether the computer initiating the port detection initiates a network intrusion based on a comparison result of the acquisition times and a preset threshold value.
2. The method of claim 1, wherein determining whether the computer initiating the port probe initiated a network intrusion comprises:
in response to determining that the value obtained by multiplying the acquisition times by a weighting coefficient is greater than the preset threshold, determining that the computer initiating the port detection initiates a network intrusion, wherein the weighting coefficient is related to the service property of the computer executing the port detection.
3. The method of claim 2, wherein the plurality of computers comprises a honeypot computer, the destination network configuration information comprises a destination IP address, and the weighting factor has a value greater than 1, and wherein determining that the computer initiating the port probe initiated a network intrusion comprises:
for the destination IP address corresponding to the honeypot computer, determining that the computer initiating the port detection initiates a network intrusion in response to determining that the value obtained by multiplying the acquisition times by the weighting coefficient is larger than the preset threshold.
4. A method according to any one of claims 1 to 3, wherein a network proxy is provided at each of the plurality of computers, and wherein obtaining destination network configuration information for the computer on which port probing is performed and the source IP address of the computer from which the port probing originated comprises:
destination network configuration information of the computer on which the port probing is performed and a source IP address of the computer on which the port probing is initiated are obtained from the network proxy.
5. A method according to any one of claims 1 to 3, wherein the plurality of computers are communicatively connected to each other through a switch, and wherein obtaining destination network configuration information of the computer on which the port probing is performed and a source IP address of the computer on which the port probing is initiated comprises:
receiving a message sent by the switch; and
parsing the destination network configuration information of the computer executing the port detection and the source IP address of the computer initiating the port detection from the message sent by the switch.
6. A method according to any one of claims 1 to 3, further comprising:
in response to determining that the computer initiating the port probe initiated the network intrusion, issuing an alert signal.
7. The method of claim 1 or 2, wherein the destination network configuration information comprises a destination IP address or a destination port.
8. An intrusion detection apparatus of a network system including a plurality of computers that communicate with each other using messages, the apparatus comprising:
an obtaining unit configured to obtain destination network configuration information of a computer performing port detection and a source IP address of the computer initiating the port detection in response to detecting that first response information is included in a message sent or received by at least one computer of the plurality of computers, wherein the first response information indicates that a port of the computer performing the port detection is not available, the obtaining unit being further configured to: obtain timestamp information parsed from messages sent or received by the at least one computer, the timestamp information being associated with the source IP address and indicating a time of sending the first response information;
a statistics unit configured to count, for each destination network configuration information, the number of times of acquiring each source IP address acquired within a preset time length, wherein the counting comprises: performing deduplication on the acquisition times of the source IP addresses associated with the same timestamp to obtain the acquisition times after deduplication as the acquisition times of each source IP address; and
a determining unit configured to determine whether the computer initiating the port detection initiates a network intrusion based on a comparison result of the acquisition times and a preset threshold value.
9. The apparatus of claim 8, wherein the determining unit is further configured to:
in response to determining that the value obtained by multiplying the acquisition times by a weighting coefficient is greater than the preset threshold, determine that the computer initiating the port detection initiates a network intrusion, wherein the weighting coefficient is related to the service property of the computer executing the port detection.
10. The apparatus of claim 9, wherein the plurality of computers comprises a honeypot computer, the destination network configuration information comprises a destination IP address, and the weighting coefficient has a value greater than 1, and wherein the determining unit is further configured to:
for the destination IP address corresponding to the honeypot computer, determine that the computer initiating the port detection initiates a network intrusion in response to determining that the value obtained by multiplying the acquisition times by the weighting coefficient is larger than the preset threshold.
11. The apparatus of any of claims 8-10, wherein a network proxy is provided at each of the plurality of computers, and wherein the acquisition unit is further configured to:
obtain, from the network proxy, the destination network configuration information of the computer on which the port probing is performed and the source IP address of the computer that initiated the port probing.
12. The apparatus of any of claims 8-10, wherein the plurality of computers are communicatively connected to each other through a switch, and wherein the acquisition unit is further configured to:
receive a message sent by the switch; and
parse the destination network configuration information of the computer executing the port detection and the source IP address of the computer initiating the port detection from the message sent by the switch.
13. The apparatus of any of claims 8 to 10, further comprising:
a warning unit configured to issue a warning signal in response to determining that the computer initiating the port probe initiated the network intrusion.
14. The apparatus of claim 8 or 9, wherein the destination network configuration information comprises a destination IP address or a destination port.
15. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 to 7.
16. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1 to 7.
17. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the method of any one of claims 1 to 7.
CN202111192319.5A 2021-10-13 2021-10-13 Intrusion detection method, device, electronic equipment and medium of network system Active CN113904853B (en)

Publications (2)

Publication Number Publication Date
CN113904853A CN113904853A (en) 2022-01-07
CN113904853B true CN113904853B (en) 2024-05-14

Family

ID=79191804

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118518A (en) * 2022-07-21 2022-09-27 Shenzhen Antiy Network Security Technology Co., Ltd. (深圳安天网络安全技术有限公司) Anti-detection method and device

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123492A (en) * 2007-09-06 2008-02-13 Hangzhou H3C Technologies Co., Ltd. (杭州华三通信技术有限公司) Method and device for detecting scanning attack
US7624447B1 (en) * 2005-09-08 2009-11-24 Cisco Technology, Inc. Using threshold lists for worm detection
US8578493B1 (en) * 2011-05-10 2013-11-05 Narus, Inc. Botnet beacon detection
US9148424B1 (en) * 2015-03-13 2015-09-29 Snapchat, Inc. Systems and methods for IP-based intrusion detection
CN105262712A (en) * 2014-05-27 2016-01-20 Tencent Technology (Shenzhen) Co., Ltd. (腾讯科技(深圳)有限公司) Network intrusion detection method and device
CN107404465A (en) * 2016-05-20 2017-11-28 Alibaba Group Holding Ltd. (阿里巴巴集团控股有限公司) Network data analysis method and server
CN109598128A (en) * 2018-12-11 2019-04-09 Zhengzhou Yunhai Information Technology Co., Ltd. (郑州云海信息技术有限公司) Method and device for scan detection
CN111225002A (en) * 2020-03-18 2020-06-02 Shenzhen Tencent Computer Systems Co., Ltd. (深圳市腾讯计算机系统有限公司) Network attack tracing method and device, electronic equipment and storage medium
CN112153044A (en) * 2020-09-23 2020-12-29 Tencent Technology (Shenzhen) Co., Ltd. (腾讯科技(深圳)有限公司) Flow data detection method and related equipment
CN112769595A (en) * 2020-12-22 2021-05-07 Beijing Baidu Netcom Science and Technology Co., Ltd. (北京百度网讯科技有限公司) Abnormality detection method, abnormality detection device, electronic device, and readable storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7768911B2 (en) * 2006-03-29 2010-08-03 Intel Corporation Platform-based method and apparatus for containing worms using multi-timescale heuristics
US20180159894A1 (en) * 2016-12-01 2018-06-07 Cisco Technology, Inc. Automatic threshold limit configuration for internet of things devices

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A probability-based real-time scan detection method; 丁剑 (Ding Jian) et al.; Application Research of Computers (计算机应用研究); full text *
Intrusion detection system based on an improved weighted association rule algorithm; 李艳霞 (Li Yanxia); 李彩玲 (Li Cailing); Journal of Hebei North University (Natural Science Edition) (河北北方学院学报(自然科学版)), No. 6; full text *

Also Published As

Publication number Publication date
CN113904853A (en) 2022-01-07

Similar Documents

Publication Publication Date Title
EP3552363B1 (en) Near real-time detection of suspicious outbound traffic
CN112911013B (en) Cloud application processing method and device, computer equipment and storage medium
CN112953938B (en) Network attack defense method, device, electronic equipment and readable storage medium
US11595418B2 (en) Graphical connection viewer for discovery of suspect network traffic
US20180183819A1 (en) System to detect machine-initiated events in time series data
CN113904853B (en) Intrusion detection method, device, electronic equipment and medium of network system
US10671708B2 (en) Periodicity detection of network traffic
CN112769595B (en) Abnormality detection method, abnormality detection device, electronic device, and readable storage medium
US11005797B2 (en) Method, system and server for removing alerts
EP3685296B1 (en) Configurable cyber-attack trackers
CN115811421A (en) Network security event monitoring method and device, electronic equipment and storage medium
CN115314322A (en) Vulnerability detection confirmation method, device, equipment and storage medium based on flow
CN116015860A (en) Network asset simulation method, device, equipment and medium based on honeypot technology
CN111258845A (en) Detection of event storms
US10491615B2 (en) User classification by local to global sequence alignment techniques for anomaly-based intrusion detection
CN114205164B (en) Traffic classification method and device, training method and device, equipment and medium
CN115378746B (en) Network intrusion detection rule generation method, device, equipment and storage medium
CN115859349B (en) Data desensitization method and device, electronic equipment and storage medium
CN114928482B (en) Method and device for testing network communication function of software, electronic equipment and storage medium
CN117251769B (en) Abnormal data identification method, device, equipment and medium based on monitoring component
CN114090073A (en) Interface information extraction method and device, electronic equipment and storage medium
CN117729005A (en) Network asset mapping method
WO2024137138A1 (en) Detecting a spoofed entity based on complexity of a distribution of events initiated by the spoofed entity
CN116248340A (en) Interface attack detection method and device, electronic equipment and storage medium
CN116846744A (en) Log collection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant