CN113949571A - Software behavior identification method and system based on behavior feature knowledge base - Google Patents
Software behavior identification method and system based on behavior feature knowledge base
- Publication number: CN113949571A (application CN202111211216.9A)
- Authority: CN (China)
- Prior art keywords: software; behavior; data; terminal side; network protocol
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/18—Protocol analysers
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
          - H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
        - G06F16/90—Details of database functions independent of the retrieved data types
          - G06F16/95—Retrieval from the web
            - G06F16/955—Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
Abstract
The invention relates to a software behavior identification method and a system based on a behavior feature knowledge base, comprising the following steps: determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, and aligning the timelines of the collected data by using an end-flow timeline data alignment technique; performing statistical analysis on the data of the aligned timeline, combining the URL access information and the network protocol contained in that data, to obtain the standard behaviors of the terminal side software; and arranging the obtained standard behaviors of the terminal side software into behavior rules to form a software behavior feature knowledge base. The software behavior feature library is then used to identify the credibility of specific behaviors of the software actually running at the terminal side. The method and the system can provide a network behavior baseline of the terminal software, assist the user in judging which software behaviors are trusted and which are untrusted, assist operation and maintenance personnel in mastering the network behavior condition of the equipment, and find and dispose of abnormal behaviors in time.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a software behavior identification method and system based on a behavior characteristic knowledge base.
Background
Mainstream network security traffic detection equipment mainly has the basic capabilities of detecting malicious attacks and restoring and analyzing network traffic. However, some suspicious network behaviors cannot be judged accurately. In an actual user environment, operation and maintenance personnel have limited knowledge of the specific functions and network behaviors of the network devices under their management, and information about how devices are used is updated only belatedly. Therefore, it is impossible to determine in actual operation and maintenance work whether the network behavior of a device is normal.
Disclosure of Invention
In view of the above, the present invention provides a software behavior identification method and system based on a behavior feature knowledge base, which judges the standard behavior of terminal software by collecting data at a terminal side and a traffic side and combining with a behavior information boundary of the terminal software, and forms a software behavior feature knowledge base to provide a network behavior baseline of the terminal software, so as to judge which behaviors of the terminal software are credible and which behaviors are incredible, thereby at least partially solving the problems existing in the prior art.
The specific invention content is as follows:
a method for constructing a software behavior feature knowledge base comprises the following steps:
determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, and aligning the timelines of the collected data by using an end-flow timeline data alignment technique; after the timelines are aligned, the behavior information boundary of the terminal side software can be identified;
performing statistical analysis on the data of the aligned time line by combining URL access information and a network protocol in the data of the aligned time line to obtain standard behaviors of the terminal side software;
and the obtained standard behaviors of the terminal side software are arranged into behavior rules to form a software behavior characteristic knowledge base.
The software behavior feature library is used for providing a terminal side software behavior baseline and comprises a plurality of standard behavior rules of software, and each software comprises a plurality of standard behaviors.
Further, the performing statistical analysis on the data of the aligned timeline by combining the URL access information and the network protocol in the data of the aligned timeline specifically includes:
according to a specific related network protocol, splitting the data of the aligned time lines according to a common network protocol and a special network protocol, and filtering out interference data; the common network protocols comprise HTTP, DNS, TCP/IP and the like;
for data in a common network protocol, extracting URL access information in the data, analyzing the function of a domain name requested by the URL, and judging specific software behavior by combining specific parameter information of the URL; the process can be combined with modes such as a search engine, direct access and the like to analyze the function of the domain name;
and analyzing the original flow packet of the corresponding flow side of the data in the special network protocol to obtain specific network protocol information, and judging specific software behaviors according to the specified character information of the specified position.
A software behavior credibility identification method comprises the following steps:
monitoring the terminal side software process and the flow side data flow in real time to obtain the specific behavior of the terminal side software;
and comparing the specific behavior of the terminal side software with the standard behavior rule of the corresponding software in the software behavior characteristic knowledge base, and judging that the corresponding software behavior belongs to an unreliable behavior when the software behavior which does not conform to the standard rule of the corresponding software exists in the comparison, so as to give an early warning. The software behavior characteristic knowledge base defines boundaries for terminal side software behaviors, daily running conditions of the software are recorded by log files, and unreliable behavior conditions can be accurately positioned in the log records by combining early warning information, so that abnormal behavior data can be better provided for service personnel to investigate and obtain evidence.
A software behavior feature knowledge base building system, comprising:
the data acquisition module is used for determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, aligning the timelines of the collected data by using an end-flow timeline data alignment technique, and sending the data of the aligned timeline to the statistical analysis module; after the timelines are aligned, the behavior information boundary of the terminal side software can be identified;
the statistical analysis module is used for receiving the data of the aligned time line sent by the data acquisition module, performing statistical analysis on the data of the aligned time line by combining URL (uniform resource locator) access information and a network protocol in the data of the aligned time line to obtain the standard behavior of the terminal side software, and sending the obtained standard behavior information of the terminal side software to the characteristic knowledge base construction module; the URL access information and the network protocol form a behavior information boundary of terminal side software;
and the characteristic knowledge base construction module is used for receiving the standard behavior information of the terminal side software sent by the statistical analysis module, and arranging the standard behavior information into behavior rules to form a software behavior characteristic knowledge base.
The software behavior feature library is used for providing a terminal side software behavior baseline and comprises a plurality of standard behavior rules of software, and each software comprises a plurality of standard behaviors.
Further, the performing statistical analysis on the data of the aligned timeline by combining the URL access information and the network protocol in the data of the aligned timeline specifically includes:
according to a specific related network protocol, splitting the data of the aligned time lines according to a common network protocol and a special network protocol, and filtering out interference data; the common network protocols comprise HTTP, DNS, TCP/IP and the like;
for data in a common network protocol, extracting URL access information in the data, analyzing the function of a domain name requested by the URL, and judging specific software behavior by combining specific parameter information of the URL; the process can be combined with modes such as a search engine, direct access and the like to analyze the function of the domain name;
and analyzing the original flow packet of the corresponding flow side of the data in the special network protocol to obtain specific network protocol information, and judging specific software behaviors according to the specified character information of the specified position.
A software behavior trustworthiness identification system, comprising:
the software behavior acquisition module is used for monitoring the terminal side software process and the flow side data flow in real time to obtain the specific behavior of the terminal side software and sending the specific behavior of the terminal side software to the software behavior judgment module;
and the software behavior judging module is used for receiving the specific behavior of the terminal side software sent by the software behavior acquiring module, comparing the specific behavior of the terminal side software with the standard behavior rule of the corresponding software in the software behavior characteristic knowledge base, and judging that the corresponding software behavior belongs to the unreliable behavior when the software behavior which does not conform to the standard rule of the corresponding software exists, so as to give an early warning. The software behavior characteristic knowledge base defines boundaries for terminal side software behaviors, daily running conditions of the software are recorded by log files, and unreliable behavior conditions can be accurately positioned in the log records by combining early warning information, so that abnormal behavior data can be better provided for service personnel to investigate and obtain evidence.
A software behavior recognition system based on a behavioral characteristic knowledge base, comprising:
the software behavior characteristic knowledge base construction system is used for constructing a software behavior characteristic knowledge base according to the standard behavior of the terminal side software;
the software behavior credibility identification system is used for judging the credibility of the software behavior at the terminal side according to the software behavior characteristic knowledge base and giving an early warning when an incredible software behavior is found.
An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for executing the aforementioned method.
A computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the aforementioned method.
The invention has the beneficial effects that:
the invention judges the standard behavior of the terminal software by the data collection of the terminal side and the flow side and combining the behavior information boundary of the terminal software to form a software behavior characteristic knowledge base. The software behavior characteristic knowledge base can provide a network behavior baseline of the terminal software and assist a user in judging the behaviors of the trusted software and the untrusted software. The invention can enrich the behavior portrayal of the terminal equipment and support the data for asset identification and asset function conjecture. Meanwhile, the invention can define the boundary for the network behavior of the terminal equipment, assist operation and maintenance personnel to master the network behavior condition of the equipment, and find and dispose abnormal behaviors in time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flow chart of a software behavior feature knowledge base construction method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating network protocol information content according to an embodiment of the present invention;
FIG. 3 is a flow chart of a software behavior feature knowledge base construction method according to another embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for identifying trustworthiness of software behavior according to an embodiment of the present invention;
FIG. 5 is a diagram of a system for constructing a knowledge base of behavior characteristics of software according to an embodiment of the present invention;
FIG. 6 is a block diagram of a software behavior credibility identification system according to an embodiment of the present invention;
FIG. 7 is a block diagram of a software behavior recognition system based on a knowledge base of behavior features according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, all other embodiments that can be derived by one of ordinary skill in the art from the embodiments disclosed herein without making any creative effort fall within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
The invention provides an embodiment of a method for constructing a software behavior characteristic knowledge base, which comprises the following steps of:
S11: determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, and aligning the timelines of the collected data by using an end-flow timeline data alignment technique; after the timelines are aligned, the behavior information boundary of the terminal side software can be identified;
S12: performing statistical analysis on the data of the aligned timeline by combining URL access information and the network protocol in the data of the aligned timeline to obtain standard behaviors of the terminal side software;
S13: arranging the obtained standard behaviors of the terminal side software into behavior rules to form a software behavior feature knowledge base.
The software behavior feature library is used for providing a terminal side software behavior baseline and comprises a plurality of standard behavior rules of software, and each software comprises a plurality of standard behaviors.
Preferably, the performing statistical analysis on the data of the aligned timeline by combining the URL access information and the network protocol in the data of the aligned timeline specifically includes:
according to a specific related network protocol, splitting the data of the aligned time lines according to a common network protocol and a special network protocol, and filtering out interference data; the common network protocols comprise HTTP, DNS, TCP/IP and the like;
for data in a common network protocol, extracting URL access information in the data, analyzing the function of a domain name requested by the URL, and obtaining specific software behaviors by combining specific parameter information of the URL; the process can be combined with modes such as a search engine, direct access and the like to analyze the function of the domain name;
and analyzing the original flow packet of the corresponding flow side of the data in the special network protocol to obtain specific network protocol information, and then obtaining specific software behaviors according to the specified character information of the specified position.
For example, as shown in FIG. 2, it can be determined from the hostname, url, and http_user_agent fields that the network behavior is a system update.
In order to further explain the above method, in combination with the above preferred solution, another embodiment of the method for constructing a knowledge base of behavior characteristics of software is provided, as shown in fig. 3, including:
S31: determining terminal side software to be identified, collecting the process of the terminal side software and the data traffic of the corresponding traffic side, and aligning the timelines of the collected data by using an end-flow timeline data alignment technique;
S32: according to the specific related network protocol, splitting the data of the aligned timelines into common network protocols and special network protocols, and filtering out interference data; for data in a common network protocol, go to S33; for data in a special network protocol, go to S34;
S33: for data in a common network protocol, extracting the URL access information in the data, analyzing the function of the domain name requested by the URL, and obtaining specific software behaviors by combining the specific parameter information of the URL;
S34: analyzing the original traffic packet on the corresponding traffic side for data in a special network protocol to obtain specific network protocol information, and then obtaining specific software behaviors from the specified character information at the specified position;
S35: arranging the obtained standard behaviors of the terminal side software into behavior rules to form a software behavior feature knowledge base.
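The construction procedure S31 to S35 above, worked through as an added example in Python; this is not the patent's own code. It assumes that "end-flow timeline alignment" means attributing each traffic-side flow to the terminal-side process that held the flow's local port at the flow's timestamp, that the function of a domain is looked up in a hand-built table standing in for the manual search-engine or direct-access analysis, and that the layout of the "special" protocol is invented for the example. All process and flow records are constructed sample data.

```python
"""Added example (not the patent's own code): build a software behavior
feature knowledge base from terminal-side process records and traffic-side
flow records, following steps S31 to S35. Alignment rule, domain-function
table and the special-protocol layout are assumptions for this example.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Terminal-side process records (constructed): which software held which
# local port during which interval (integer-second timestamps).
PROCESS_RECORDS = [
    {"software": "vendor-updater", "pid": 1201, "local_port": 50001, "start": 100, "end": 160},
    {"software": "chat-client", "pid": 1340, "local_port": 50002, "start": 100, "end": 200},
]

# Traffic-side flow records (constructed) captured on the same host.
FLOW_RECORDS = [
    {"ts": 110, "local_port": 50001, "proto": "HTTP", "hostname": "update.vendor.invalid",
     "url": "http://update.vendor.invalid/check?channel=stable",
     "http_user_agent": "VendorUpdater/3.1"},
    {"ts": 112, "local_port": 50001, "proto": "DNS", "qname": "update.vendor.invalid"},
    {"ts": 130, "local_port": 50002, "proto": "CUSTOM", "raw": b"CHAT\x01\x00\x00login"},
    {"ts": 150, "local_port": 50002, "proto": "CUSTOM", "raw": b"CHAT\x01\x00\x01msg"},
    # No monitored process held port 60000: interference, filtered out in S32.
    {"ts": 170, "local_port": 60000, "proto": "HTTP", "hostname": "ads.tracker.invalid",
     "url": "http://ads.tracker.invalid/pixel", "http_user_agent": "Mozilla/5.0"},
]

COMMON_PROTOCOLS = {"HTTP", "DNS", "TCP/IP"}

# Stand-in for the manual "what does this domain do" analysis (constructed).
DOMAIN_FUNCTION = {"update.vendor.invalid": "system update"}

# Constructed special-protocol layout: bytes 0-3 magic, byte 4 version,
# bytes 5-6 big-endian opcode, remainder payload.
CUSTOM_MAGIC = b"CHAT"
CUSTOM_OPCODES = {0: "login", 1: "send message"}


def align_timelines(processes, flows):
    """S31: attach each flow to the process holding its local port at flow time."""
    aligned = []
    for flow in flows:
        owner = next((p for p in processes
                      if p["local_port"] == flow["local_port"]
                      and p["start"] <= flow["ts"] <= p["end"]), None)
        aligned.append({**flow, "software": owner["software"] if owner else None})
    return aligned


def split_and_filter(aligned):
    """S32: drop unattributed flows (interference) and split by protocol class."""
    common, special = [], []
    for flow in aligned:
        if flow["software"] is None:
            continue
        (common if flow["proto"] in COMMON_PROTOCOLS else special).append(flow)
    return common, special


def behavior_from_common(flow):
    """S33: derive a behavior from hostname, URL parameters and user agent.
    Rule shape: (protocol, endpoint, user-agent product, behavior label)."""
    if flow["proto"] == "DNS":
        return ("DNS", flow["qname"], "", "name resolution")
    parts = urlsplit(flow["url"])
    label = DOMAIN_FUNCTION.get(parts.hostname, "unknown")
    params = parse_qs(parts.query)
    if "channel" in params:
        label = f"{label} ({params['channel'][0]} channel)"
    product = flow["http_user_agent"].split("/")[0]
    return (flow["proto"], parts.hostname, product, label)


def behavior_from_special(flow):
    """S34: read fixed positions of the raw packet to recover protocol info."""
    raw = flow["raw"]
    if raw[:4] != CUSTOM_MAGIC or len(raw) < 7:
        return None  # unknown framing: treated as interference
    opcode = int.from_bytes(raw[5:7], "big")
    return (flow["proto"], f"magic=CHAT opcode={opcode}", "",
            CUSTOM_OPCODES.get(opcode, "unknown"))


def build_knowledge_base(processes, flows):
    """S35: arrange the observed standard behaviors into per-software rules."""
    common, special = split_and_filter(align_timelines(processes, flows))
    kb = defaultdict(set)
    for flow in common:
        kb[flow["software"]].add(behavior_from_common(flow))
    for flow in special:
        rule = behavior_from_special(flow)
        if rule is not None:
            kb[flow["software"]].add(rule)
    return {software: sorted(rules) for software, rules in kb.items()}


if __name__ == "__main__":
    for software, rules in build_knowledge_base(PROCESS_RECORDS, FLOW_RECORDS).items():
        print(software)
        for rule in rules:
            print("   ", rule)
```

The rule tuple keeps the three fields the page names for the FIG. 2 example (hostname, url-derived label, http_user_agent product) so a later credibility check can compare observed behaviors field by field; the flow on port 60000 shows why alignment has to precede the protocol split, since traffic with no owning process would otherwise pollute the baseline.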
In order to obtain the data for the software behavior feature knowledge base more accurately, the following work can be done during implementation. First, a number of virtual machines or virtual devices with different operating systems are prepared, mainstream operating systems and software are installed, and a database and the related tool scripts are prepared. Second, terminal process monitoring software and a network traffic monitoring tool are installed in the virtual machines or virtual devices to collect the terminal side software processes and the traffic side data flows.
The invention provides an embodiment of a software behavior credibility identification method, as shown in fig. 4, comprising:
S41: monitoring the terminal side software process and the traffic side data flow in real time to obtain the specific behavior of the terminal side software;
S42: comparing the specific behavior of the terminal side software with the standard behavior rule of the corresponding software in the software behavior feature knowledge base;
S43: judging whether software behaviors that do not conform to the standard rule of the corresponding software exist; if so, judging that the corresponding software behaviors are untrusted and giving an early warning; otherwise, returning to S42.
The software behavior feature knowledge base can provide a network behavior baseline of the terminal software, assist a user in distinguishing trusted network behaviors from untrusted ones, assist operation and maintenance personnel in mastering the network behavior condition of the equipment, and find and dispose of abnormal behaviors in time. Daily running conditions of the software are recorded in log files, and by combining the early warning information with those records, the untrusted behavior can be located precisely in the log, so that abnormal behavior data can be better provided to service personnel for investigation and evidence collection.
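The identification procedure S41 to S43, worked through as an added example in Python; this is not the patent's own code. The knowledge base is constructed inline in the rule shape (protocol, endpoint, user-agent product, behavior label); each observation carries a constructed "file:line" log reference so that an early warning can be located in the daily running log, as the paragraph above describes; and software with no entry in the knowledge base is reported as untrusted because it has no baseline, which is a design choice made here rather than something the page states.

```python
"""Added example (not the patent's own code): real-time credibility check of
observed terminal-side software behaviors against a behavior feature
knowledge base, following steps S41 to S43. Knowledge base, observations and
log references are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed knowledge base: per software, the set of standard behavior rules.
KNOWLEDGE_BASE = {
    "vendor-updater": {
        ("HTTP", "update.vendor.invalid", "VendorUpdater", "system update"),
        ("DNS", "update.vendor.invalid", "", "name resolution"),
    },
    "chat-client": {
        ("CUSTOM", "magic=CHAT opcode=0", "", "login"),
        ("CUSTOM", "magic=CHAT opcode=1", "", "send message"),
    },
}


@dataclass(frozen=True)
class Observation:
    ts: int            # constructed timestamp
    software: str      # process identity reported by the terminal-side monitor
    behavior: tuple    # same shape as a knowledge-base rule
    log_ref: str       # constructed "file:line" of the matching log record


@dataclass(frozen=True)
class EarlyWarning:
    ts: int
    software: str
    behavior: tuple
    log_ref: str
    reason: str


def check_observation(kb, obs: Observation) -> Optional[EarlyWarning]:
    """S42/S43: compare one observation with the standard rules of its software."""
    rules = kb.get(obs.software)
    if rules is None:
        # Assumption of this example: no baseline means we cannot vouch for it.
        return EarlyWarning(obs.ts, obs.software, obs.behavior, obs.log_ref,
                            "software has no baseline in the knowledge base")
    if obs.behavior in rules:
        return None  # conforms to a standard behavior: trusted, keep monitoring
    return EarlyWarning(obs.ts, obs.software, obs.behavior, obs.log_ref,
                        "behavior outside the software's standard rules")


def monitor(kb, stream: Iterable[Observation]):
    """S41: consume the observation stream; return early warnings in order."""
    warnings = []
    for obs in stream:
        warning = check_observation(kb, obs)
        if warning is not None:
            warnings.append(warning)
    return warnings


def summarize(kb, observations):
    """Per-software (trusted, untrusted) counts, the overview an operator wants."""
    summary = {}
    for obs in observations:
        trusted, untrusted = summary.get(obs.software, (0, 0))
        if check_observation(kb, obs) is None:
            summary[obs.software] = (trusted + 1, untrusted)
        else:
            summary[obs.software] = (trusted, untrusted + 1)
    return summary


# Constructed real-time observations from the terminal-side and traffic-side monitors.
OBSERVED = [
    Observation(1000, "vendor-updater",
                ("HTTP", "update.vendor.invalid", "VendorUpdater", "system update"), "updater.log:412"),
    Observation(1003, "vendor-updater",
                ("HTTP", "files.unknown-cdn.invalid", "VendorUpdater", "unknown"), "updater.log:415"),
    Observation(1010, "chat-client",
                ("CUSTOM", "magic=CHAT opcode=1", "", "send message"), "chat.log:88"),
    Observation(1012, "chat-client",
                ("HTTP", "files.unknown-cdn.invalid", "curl", "unknown"), "chat.log:91"),
    Observation(1020, "unknown-tool",
                ("DNS", "c.example.invalid", "", "name resolution"), "system.log:2040"),
]

if __name__ == "__main__":
    for w in monitor(KNOWLEDGE_BASE, OBSERVED):
        print(f"[{w.ts}] EARLY WARNING {w.software}: {w.reason}; "
              f"behavior={w.behavior}; see {w.log_ref}")
    print(summarize(KNOWLEDGE_BASE, OBSERVED))
```

Each warning carries the log reference of the observation that triggered it, which is the link between the early warning information and the daily log records that the paragraph above relies on for locating untrusted behavior; the comparison is exact membership in the rule set, so the fidelity of the check is bounded by how completely the construction phase captured the software's standard behaviors.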
The invention provides an embodiment of a software behavior feature knowledge base construction system, as shown in fig. 5, comprising:
the data acquisition module 51 is configured to determine terminal side software to be identified, collect the process of the terminal side software and the data traffic of the corresponding traffic side, align the timelines of the collected data by using an end-flow timeline data alignment technique, and send the data of the aligned timelines to the statistical analysis module 52; after the timelines are aligned, the behavior information boundary of the terminal side software can be identified;
the statistical analysis module 52 is configured to receive the data of the aligned timeline sent by the data acquisition module 51, perform statistical analysis on the data of the aligned timeline in combination with URL access information and a network protocol in the data of the aligned timeline to obtain a standard behavior of the terminal-side software, and send the obtained standard behavior information of the terminal-side software to the feature knowledge base construction module 53; the URL access information and the network protocol form a behavior information boundary of terminal side software;
and the feature knowledge base construction module 53 is configured to receive the standard behavior information of the terminal-side software sent by the statistical analysis module, and arrange the standard behavior information into behavior rules to form a software behavior feature knowledge base.
Preferably, the performing statistical analysis on the data of the aligned timeline by combining the URL access information and the network protocol in the data of the aligned timeline specifically includes:
according to a specific related network protocol, splitting the data of the aligned time lines according to a common network protocol and a special network protocol, and filtering out interference data; the common network protocols comprise HTTP, DNS, TCP/IP and the like;
for data in a common network protocol, extracting URL access information in the data, analyzing the function of a domain name requested by the URL, and obtaining specific software behaviors by combining specific parameter information of the URL; the process can be combined with modes such as a search engine, direct access and the like to analyze the function of the domain name;
and analyzing the original flow packet of the corresponding flow side of the data in the special network protocol to obtain specific network protocol information, and then obtaining specific software behaviors according to the specified character information of the specified position.
The present invention provides an embodiment of a software behavior credibility identification system, as shown in fig. 6, including:
the software behavior acquisition module 61 is configured to monitor a terminal side software process and a traffic side data traffic in real time to obtain a specific behavior of the terminal side software, and send the specific behavior of the terminal side software to the software behavior determination module 62;
a software behavior determination module 62, configured to receive the specific behavior of the terminal-side software sent by the software behavior acquisition module 61, compare the specific behavior of the terminal-side software with the standard behavior rule of the corresponding software in the software behavior feature knowledge base, and, when the comparison finds a software behavior that does not meet the standard rule of the corresponding software, determine that the corresponding software behavior is untrusted and give an early warning. The software behavior feature knowledge base defines boundaries for terminal side software behaviors; daily running conditions of the software are recorded in log files, and by combining the early warning information with those records the untrusted behavior can be located precisely in the log, so that abnormal behavior data can be better provided to service personnel for investigation and evidence collection.
The invention provides an embodiment of a software behavior recognition system based on a behavior feature knowledge base, as shown in fig. 7, comprising:
the software behavior characteristic knowledge base construction system specifically comprises a data acquisition module 51, a statistical analysis module 52 and a characteristic knowledge base construction module 53, and is used for constructing a software behavior characteristic knowledge base according to the standard behavior of terminal-side software;
the software behavior credibility identification system specifically comprises a software behavior acquisition module 61 and a software behavior judgment module 62, and is used for judging the credibility of the software behavior at the terminal side according to the software behavior feature knowledge base and giving an early warning when an untrusted software behavior is found.
The processing in the system embodiment of the invention is similar to that in the method embodiment; the system embodiment is therefore described more briefly, and the method embodiment may be referred to for the corresponding details.
An embodiment of the present invention further provides an electronic device, as shown in fig. 8, which can implement the processes in the embodiments shown in fig. 1, 3, and 4 of the present invention. The electronic device includes a housing 81, a processor 82, a memory 83, a circuit board 84 and a power supply circuit 85, wherein the circuit board 84 is arranged inside the space enclosed by the housing 81, and the processor 82 and the memory 83 are arranged on the circuit board 84; the power supply circuit 85 supplies power to each circuit or device of the electronic device; the memory 83 stores executable program code; and the processor 82 runs the program corresponding to the executable program code by reading that code from the memory 83, so as to perform the method described in the foregoing embodiments.
For the specific way in which the processor 82 executes the above steps, and for the further steps the processor 82 executes by running the executable program code, reference may be made to the description of the embodiments shown in fig. 1, 3, and 4 of the present invention, which is not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) A server: a device that provides computing services. A server includes a processor, a hard disk, memory, a system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services it has higher requirements for processing capacity, stability, reliability, security, scalability and manageability.
(2) Other electronic equipment with a data interaction function.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the method described in the foregoing embodiments.
The invention determines the standard behavior of terminal software by collecting data on the terminal side and the traffic side and combining it with the behavior information boundary of the terminal software, forming a software behavior feature knowledge base. The knowledge base provides a network behavior baseline for the terminal software and assists the user in distinguishing trusted from untrusted software behavior. The invention enriches the behavior profile of terminal devices and provides data support for asset identification and inference of asset function. At the same time, it defines boundaries for the network behavior of terminal devices, helps operation and maintenance personnel understand the network behavior of their devices, and lets them find and handle abnormal behavior in time.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (9)
1. A method for constructing a software behavior feature knowledge base, characterized by comprising the following steps:
determining the terminal-side software to be identified, collecting the processes of the terminal-side software and the data traffic of the corresponding traffic side, and aligning the timelines of the collected data using a terminal-traffic timeline data alignment technique;
performing statistical analysis on the timeline-aligned data in combination with the URL access information and network protocols it contains, to obtain the standard behaviors of the terminal-side software;
and arranging the obtained standard behaviors of the terminal-side software into behavior rules to form the software behavior feature knowledge base.
2. The method according to claim 1, wherein performing statistical analysis on the timeline-aligned data in combination with the URL access information and network protocols it contains specifically includes:
according to the specific network protocols involved, splitting the timeline-aligned data into common network protocols and special network protocols, and filtering out interference data;
for data in a common network protocol, extracting the URL access information, analyzing the function of the domain name requested by the URL, and obtaining the specific software behavior in combination with the specific parameter information of the URL;
and for data in a special network protocol, parsing the original traffic packet on the corresponding traffic side to obtain the specific network protocol information, and then obtaining the specific software behavior from the specified character information at the specified position.
3. A software behavior credibility identification method, characterized by comprising the following steps:
monitoring the terminal-side software processes and the traffic-side data flows in real time to obtain the specific behavior of the terminal-side software;
and comparing the specific behavior of the terminal-side software with the standard behavior rules of the corresponding software in the software behavior feature knowledge base, and, when the comparison finds a software behavior that does not conform to the standard rules of the corresponding software, determining that the behavior is untrusted and issuing an early warning.
4. A software behavior feature knowledge base construction system, characterized by comprising:
a data acquisition module, configured to determine the terminal-side software to be identified, collect the processes of the terminal-side software and the data traffic of the corresponding traffic side, align the timelines of the collected data using a terminal-traffic timeline data alignment technique, and send the timeline-aligned data to the statistical analysis module;
a statistical analysis module, configured to receive the timeline-aligned data sent by the data acquisition module, perform statistical analysis on it in combination with the URL (uniform resource locator) access information and network protocols it contains to obtain the standard behaviors of the terminal-side software, and send the obtained standard behavior information of the terminal-side software to the feature knowledge base construction module;
and a feature knowledge base construction module, configured to receive the standard behavior information of the terminal-side software sent by the statistical analysis module and arrange it into behavior rules to form the software behavior feature knowledge base.
5. The system according to claim 4, wherein performing statistical analysis on the timeline-aligned data in combination with the URL access information and network protocols it contains specifically includes:
according to the specific network protocols involved, splitting the timeline-aligned data into common network protocols and special network protocols, and filtering out interference data;
for data in a common network protocol, extracting the URL access information, analyzing the function of the domain name requested by the URL, and obtaining the specific software behavior in combination with the specific parameter information of the URL;
and for data in a special network protocol, parsing the original traffic packet on the corresponding traffic side to obtain the specific network protocol information, and then obtaining the specific software behavior from the specified character information at the specified position.
6. A software behavior credibility identification system, comprising:
a software behavior acquisition module, configured to monitor the terminal-side software processes and the traffic-side data flows in real time to obtain the specific behavior of the terminal-side software, and to send that specific behavior to the software behavior determination module;
and a software behavior determination module, configured to receive the specific behavior of the terminal-side software sent by the software behavior acquisition module, compare it with the standard behavior rules of the corresponding software in the software behavior feature knowledge base, and, when a software behavior that does not conform to the standard rules of the corresponding software is found, determine that the behavior is untrusted and issue an early warning.
7. A software behavior recognition system based on a behavior feature knowledge base, comprising:
a software behavior feature knowledge base construction system, configured to construct a software behavior feature knowledge base from the standard behavior of the terminal-side software;
and a software behavior credibility identification system, configured to judge the credibility of terminal-side software behavior against the software behavior feature knowledge base and to issue an early warning when untrusted software behavior is found.
8. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the method of any one of claims 1 to 3.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the method of any one of claims 1-3.
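As an added example that is not the patent's own code, the following Python sketch carries the procedure of claims 1 to 7 through on constructed data: it aligns terminal-side process records with traffic-side flows by source port and timestamp, turns HTTP URLs (domain plus parameter names) and a special protocol's command byte at a fixed offset into behavior tuples, arranges them per software into a knowledge base, and returns an early-warning record when a live flow falls outside that baseline. The clock tolerance, the opcode offset, the record fields and all host names are assumptions.

```python
"""Baseline knowledge base and behavior check in the style of claims 1 to 7
(added example, not the patent's own code; every record below is constructed)."""
from urllib.parse import urlsplit, parse_qs

TOLERANCE = 2.0     # seconds of clock skew tolerated between terminal and traffic side (assumed)
OPCODE_OFFSET = 4   # byte position of the command code in the special protocol (assumed)

def align(proc_events, flows, tol=TOLERANCE):
    """Claim 1, step 1: attach each flow to the terminal-side process that owned
    its source port at that time (terminal-traffic timeline alignment)."""
    pairs = []
    for f in flows:
        owner = [p for p in proc_events
                 if p["port"] == f["sport"] and abs(p["ts"] - f["ts"]) <= tol]
        if owner:
            pairs.append((owner[0]["software"], f))
    return pairs

def to_behavior(flow):
    """Claims 2/5: HTTP(S) is the common protocol (domain + parameter names);
    anything else is a special protocol read from the raw packet at a fixed offset."""
    if flow["proto"] in ("http", "https"):
        u = urlsplit(flow["url"])
        return ("url", u.hostname, tuple(sorted(parse_qs(u.query))))
    raw = flow["raw"]
    if len(raw) <= OPCODE_OFFSET:
        return None                     # too short to carry an opcode: interference data
    return ("proto", flow["dport"], raw[OPCODE_OFFSET])

def build_kb(proc_events, flows):
    """Claim 1, steps 2-3: the standard behaviors of each software, kept as rules."""
    kb = {}
    for software, flow in align(proc_events, flows):
        b = to_behavior(flow)
        if b is not None:
            kb.setdefault(software, set()).add(b)
    return kb

def judge(kb, software, flow):
    """Claim 3: compare a live behavior with the rules; return an early-warning
    record for untrusted behavior, or None when the behavior conforms."""
    b = to_behavior(flow)
    if b is None:
        return None
    if software not in kb:
        return {"software": software, "reason": "no baseline", "behavior": b}
    if b not in kb[software]:
        return {"software": software, "reason": "outside baseline", "behavior": b}
    return None

# Constructed baseline: a document tool talks to its update domain over HTTPS and
# to a license server with a special protocol whose command code sits at byte 4.
PROCS = [{"software": "doctool", "port": 50001, "ts": 100.0},
         {"software": "doctool", "port": 50002, "ts": 101.0}]
FLOWS = [{"ts": 100.5, "sport": 50001, "dport": 443, "proto": "https",
          "url": "https://update.example.com/check?ver=1.2&os=win"},
         {"ts": 101.2, "sport": 50002, "dport": 7001, "proto": "tcp",
          "raw": b"\x01\x00\x00\x08\x10lic"}]
KB = build_kb(PROCS, FLOWS)
```

A later upload to an unknown domain, or an unseen command code on the license port, comes back as an "outside baseline" record that can be matched against the software's log files for investigation.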
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111211216.9A CN113949571B (en) | 2021-10-18 | 2021-10-18 | Software behavior recognition method and system based on behavior feature knowledge base |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113949571A true CN113949571A (en) | 2022-01-18 |
CN113949571B CN113949571B (en) | 2023-12-22 |
Family
ID=79331244
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111211216.9A Active CN113949571B (en) | 2021-10-18 | 2021-10-18 | Software behavior recognition method and system based on behavior feature knowledge base |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113949571B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110231519A1 (en) * | 2006-06-09 | 2011-09-22 | Qualcomm Incorporated | Enhanced block-request streaming using url templates and construction rules |
CN103699489A (en) * | 2014-01-03 | 2014-04-02 | 中国人民解放军装甲兵工程学院 | Software remote fault diagnosis and repair method based on knowledge base |
CN106664254A (en) * | 2014-08-21 | 2017-05-10 | 七网络有限责任公司 | Optimizing network traffic management in a mobile network |
CN108573308A (en) * | 2018-04-11 | 2018-09-25 | 湖南女子学院 | The automated construction method and system of soft project knowledge base based on big data |
Non-Patent Citations (2)
Title |
---|
DAVID SINGER, WILLIAM BELKNAP, GUIDO FRANCESCHINI: "ISO Media File format specification MP4 Technology under consideration for ISO/IEC 14496-1:2001/Amd 3", INTERNATIONAL ORGANISATION FOR STANDARDISATION ORGANISATION INTERNATIONALE DE NORMALISATION * |
张凤斌, 杨永田: "Research on an algorithm for network performance anomaly detection", Journal of Harbin University of Science and Technology, no. 03 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |