CN114006750A - Abnormal operation detection method and device and electronic equipment - Google Patents


Info

Publication number: CN114006750A
Application number: CN202111269519.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王锐畅, 董阳, 史博
Current and original assignee: Beijing Dingxiang Technology Co ltd
Prior art keywords: protocol, network data, data stream, detected, function code

Classifications

All four classifications fall under H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/1425 Traffic logging, e.g. anomaly detection (within H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP] (within H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (within H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L69/22 Parsing or analysis of headers (within H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)

Abstract

The invention provides a method and a device for detecting abnormal operation, and an electronic device. The method comprises the following steps: acquiring a network data stream and a protocol rule signature; acquiring, from the network data stream, the network data stream to be detected that matches the protocol to be detected; calling a target protocol analyzer to analyze the network data stream to be detected, and matching the analysis result against the abnormal function code; and, if the analysis result matches the abnormal function code, determining that the operation corresponding to the network data stream to be detected is an abnormal operation. Because detection of the network data stream to be detected is based on the abnormal function code, the method can cope with complex and varied industrial control system networks, and the detected abnormal operations are more accurate and of higher precision.

Description

Abnormal operation detection method and device and electronic equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting abnormal operation, and an electronic device.
Background
New infrastructure is a further accelerator of deep digitalization: more and more government and enterprise business runs on digital platforms, and with the gradual fusion of informatization and industrialization the degree of informatization of industrial control systems keeps rising. The wide use of general-purpose software, hardware and network facilities breaks the isolation that originally protected traditional industrial control systems, so the security problems of the traditional IT network gradually spread into the industrial internet while the industrial internet continues to develop. Compared with the conventional IT network, however, the industrial internet is more complex: there are more kinds of it, more common protocols and proprietary protocols are used, and the requirements on the stability and real-time performance of the whole industrial production environment are higher, so more factors pose a security threat to the industrial internet.
In the prior art, the common approach is hard-coded matching of special character strings in the data stream. Such an abnormal operation detection mode suits IT protocols, which have fewer service protocols and complicated protocol structure designs; when it is applied to the industrial internet, a data packet that contains the corresponding special character string but belongs to a normal function is easily flagged, causing false alarms.
In conclusion, the existing method for detecting abnormal operation has the technical problem of poor accuracy.
Disclosure of Invention
In view of the above, the present invention provides a method, an apparatus and an electronic device for detecting an abnormal operation, so as to alleviate the technical problem of poor accuracy of the existing method for detecting an abnormal operation.
In a first aspect, an embodiment of the present invention provides a method for detecting an abnormal operation, including:
acquiring a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected;
acquiring a to-be-detected network data stream matched with the to-be-detected protocol from the network data stream;
calling a target protocol analyzer to analyze the network data stream to be detected, and matching an analysis result with the abnormal function code, wherein the target protocol analyzer is a protocol analyzer with the same protocol as the network data stream to be detected;
and if the analysis result is matched with the abnormal function code, determining the operation corresponding to the network data stream to be detected as abnormal operation.
Further, before obtaining the network data flow and the protocol rule signature, the method further includes:
acquiring a self-defined rule file;
analyzing the rule file to obtain the information of the protocol to be detected and the information of the abnormal function code corresponding to the protocol to be detected, which are contained in the rule file;
and registering the information of the abnormal function code into a protocol rule signature corresponding to the information of the protocol to be detected to obtain the protocol rule signature.
Further, acquiring the network data stream includes:
calling a kernel module to obtain an initial network data stream of the network card;
decoding the initial network data stream to obtain a decoded network data stream;
and performing data packet recombination on the decoded network data stream to obtain the network data stream.
Further, after acquiring the to-be-detected network data stream matched with the to-be-detected protocol in the network data stream, before invoking a target protocol parser to parse the to-be-detected network data stream, the method further includes:
judging whether the port corresponding to the network data stream to be detected is the same as the port registered by the target protocol analyzer;
and if the ports are the same, calling the target protocol analyzer to analyze the network data stream to be detected.
Further, acquiring the to-be-detected network data stream matched with the to-be-detected protocol from the network data stream includes:
analyzing the network data stream to obtain a protocol corresponding to the network data stream;
and acquiring the network data stream to be detected matched with the protocol to be detected in the network data stream according to the protocol corresponding to the network data stream.
Further, invoking a target protocol analyzer to analyze the network data stream to be detected, and matching an analysis result with the abnormal function code, including:
calling the target protocol analyzer to analyze the protocol program packet in the network data stream to be detected to obtain a function code in the network data stream to be detected;
and matching the function code with the abnormal function code.
Further, the target protocol parser is a custom registered protocol parser, which includes a function for performing protocol parsing.
In a second aspect, an embodiment of the present invention further provides an apparatus for detecting an abnormal operation, including:
a first acquisition unit, configured to acquire a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected;
a second obtaining unit, configured to obtain, in the network data stream, a to-be-detected network data stream matched with the to-be-detected protocol;
the analysis and matching unit is used for calling a target protocol analyzer to analyze the network data stream to be detected and matching an analysis result with the abnormal function code, wherein the target protocol analyzer is a protocol analyzer with the same protocol as the network data stream to be detected;
and the determining unit is used for determining the operation corresponding to the network data stream to be detected as abnormal operation if the analysis result is matched with the abnormal function code.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method according to any one of the above first aspects when executing the computer program.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing machine executable instructions, which when invoked and executed by a processor, cause the processor to perform the method of any of the first aspect.
In an embodiment of the present invention, a method for detecting an abnormal operation is provided, including: acquiring a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected; acquiring, from the network data stream, the network data stream to be detected that matches the protocol to be detected; calling a target protocol analyzer to analyze the network data stream to be detected and matching the analysis result against the abnormal function code, wherein the target protocol analyzer is the protocol analyzer for the same protocol as the network data stream to be detected; and, if the analysis result matches the abnormal function code, determining that the operation corresponding to the network data stream to be detected is an abnormal operation. As this description shows, the abnormal operation detection method detects the network data stream to be detected on the basis of the abnormal function code; it can cope with complicated and varied industrial control system networks, the detected abnormal operation is more accurate and of higher precision, and the technical problem of poor accuracy in the existing abnormal operation detection method is solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for detecting abnormal operation according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for obtaining a protocol rule signature according to an embodiment of the present invention;
fig. 3 is a flowchart of a method for acquiring a network data stream according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an apparatus for detecting abnormal operation according to an embodiment of the present invention;
fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, abnormal operation detection usually adopts hard-coded matching of special character strings in the data stream. This mode suits IT protocols, which have fewer service protocols and complicated protocol structure designs; when it is applied to the industrial internet, a data packet that contains the corresponding special character string but belongs to a normal function is easily flagged, causing false alarms.
On this basis, the method of the invention detects the network data stream to be detected on the basis of the abnormal function code; it can be applied to complex and varied industrial control system networks, and the detected abnormal operations are more accurate and of higher precision.
Embodiments of the present invention are further described below with reference to the accompanying drawings.
The first embodiment is as follows:
According to an embodiment of the present invention, an embodiment of a method for detecting abnormal operation is provided. It should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that given here.
Fig. 1 is a flowchart of a method for detecting an abnormal operation according to an embodiment of the present invention, as shown in fig. 1, the method including the steps of:
step S102, acquiring a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected;
in the embodiment of the present invention, the protocol rule signature is self-defined, and carries self-defined information of the protocol to be detected and an abnormal function code corresponding to the protocol to be detected, so as to characterize which function code of which protocol is to be subjected to abnormal operation detection.
In order to clearly understand the technical solution of the present invention, the following describes a method for detecting abnormal operation according to the present invention with a specific example:
For example, to detect an illegal function code (Modbus.invalid_function_code) in a network data stream of the Modbus protocol, the protocol rule signature obtained is the Modbus protocol rule signature: the information of the protocol to be detected that it carries is the Modbus protocol, and it also carries the abnormal function code of the Modbus protocol. The abnormal function code of the Modbus protocol can be customized; specifically, detection of abnormal operations developed for the Modbus protocol itself can be performed.
It should be noted that the number of the protocol rule signatures may be multiple, and each protocol rule signature corresponds to one protocol to be detected. For example, the protocol rule signature may also be a TCP protocol rule signature, which includes an abnormal function code of the TCP protocol.
Step S104, acquiring a to-be-detected network data stream matched with a to-be-detected protocol from the network data stream;
generally, the network data stream includes network data streams of various protocols, and the network data stream to be detected, which is the same as the protocol to be detected, needs to be obtained according to the information of the protocol to be detected carried by the signature of the protocol rule.
For example, if the protocol rule signatures include a Modbus protocol rule signature and a TCP protocol rule signature, then the network data stream to be detected of the Modbus protocol and the network data stream to be detected of the TCP protocol both need to be obtained from the network data stream.
Step S106, a target protocol analyzer is called to analyze the network data stream to be detected, and the analysis result is matched with the abnormal function code, wherein the target protocol analyzer is a protocol analyzer with the same protocol as the network data stream to be detected;
after the network data stream to be detected is obtained, a target protocol parser (binding parser) is further called to parse the network data stream to be detected, and a parsing result is matched with the abnormal function code.
For example, if the acquired network data stream to be detected is a network data stream to be detected of a Modbus protocol, a target protocol analyzer of the Modbus protocol is called to analyze the network data stream to be detected of the Modbus protocol, and then an analysis result is matched with an abnormal function code of the Modbus protocol; and if the acquired network data stream to be detected also comprises the network data stream to be detected of the TCP protocol, calling a target protocol analyzer of the TCP protocol to analyze the network data stream to be detected of the TCP protocol, and matching an analysis result with the abnormal function code of the TCP protocol.
The target protocol analyzer is a self-defined registered protocol analyzer and comprises a function for protocol analysis.
And step S108, if the analysis result is matched with the abnormal function code, determining the operation corresponding to the network data stream to be detected as abnormal operation.
In an embodiment of the present invention, a method for detecting an abnormal operation is provided, including: acquiring a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected; acquiring, from the network data stream, the network data stream to be detected that matches the protocol to be detected; calling a target protocol analyzer to analyze the network data stream to be detected and matching the analysis result against the abnormal function code, wherein the target protocol analyzer is the protocol analyzer for the same protocol as the network data stream to be detected; and, if the analysis result matches the abnormal function code, determining that the operation corresponding to the network data stream to be detected is an abnormal operation. As this description shows, the abnormal operation detection method detects the network data stream to be detected on the basis of the abnormal function code; it can cope with complicated and varied industrial control system networks, the detected abnormal operation is more accurate and of higher precision, and the technical problem of poor accuracy in the existing abnormal operation detection method is solved.
The foregoing has briefly described the method for detecting abnormal operation of the present invention, and the details thereof will be described in detail.
In an alternative embodiment of the present invention, referring to fig. 2, before acquiring the network data flow and the protocol rule signature, the method further includes:
step S201, obtaining a self-defined rule file;
the rule file includes: the protocol to be detected can be various, and each protocol to be detected can correspond to various abnormal function codes.
It should be noted that: the protocol to be detected can be a private protocol, and after a specific private protocol and an abnormal function code corresponding to the private protocol are defined in the rule file, the subsequent abnormal operation cannot generate false alarm, namely, the detected abnormal operation is more accurate and has high precision.
Step S202, analyzing the rule file to obtain the information of the protocol to be detected and the information of the abnormal function code corresponding to the protocol to be detected, wherein the information of the protocol to be detected is contained in the rule file;
the information in the rule file is typically in a string format.
Step S203, registering the information of the abnormal function code into the protocol rule signature corresponding to the information of the protocol to be detected to obtain the protocol rule signature.
For example, if the information of the protocol to be detected contained in the rule file is the Modbus protocol and the abnormal function code of the Modbus protocol, the abnormal function code of the Modbus protocol is registered in the Modbus protocol rule signature.
Specifically, the rule input engine registers an abnormal function code of the Modbus protocol into a Modbus protocol rule signature (Modbus signature).
The protocol rule signature is obtained by registering the information of the abnormal function code into the corresponding protocol rule signature once, when the abnormal operation detection system starts.
In an optional embodiment of the present invention, referring to fig. 3, the step S102 of acquiring a network data stream specifically includes:
step S301, calling a kernel module to acquire an initial network data stream of the network card;
specifically, the initial network data stream of the network card may be copied by calling the bottom kernel module to obtain the initial network data stream of the network card.
Step S302, decoding the initial network data stream to obtain a decoded network data stream;
the initial network data stream is a coded network data stream, and after the initial network data stream is obtained, the initial network data stream needs to be decoded, so that the decoded network data stream is obtained.
Step S303, performing packet reassembly on the decoded network data stream to obtain a network data stream.
Specifically, some protocols are sent in segments, so after the decoded network data stream is obtained, the data packets in it need to be spliced and reassembled to obtain the network data stream.
For example, the TCP protocol sends its data in segments, so after a decoded network data stream containing a plurality of data packets is obtained, those packets need to be spliced and reassembled to obtain the network data stream of the TCP protocol.
In an optional embodiment of the present invention, after acquiring the network data stream to be detected that matches the protocol to be detected in the network data stream, and before invoking the target protocol parser to parse the network data stream to be detected, the method further includes: judging whether the port corresponding to the network data stream to be detected is the same as the port registered by the target protocol analyzer; and, if the ports are the same, calling the target protocol analyzer to analyze the network data stream to be detected.
Specifically, each protocol has a specific port, so it is first necessary to determine whether the port corresponding to the network data stream to be detected is the same as the port registered by the target protocol parser; if the ports are the same, the target protocol analyzer is called to analyze the network data stream to be detected.
In an optional embodiment of the present invention, in step S104, acquiring, from the network data stream, the to-be-detected network data stream matched with the to-be-detected protocol specifically includes: analyzing the network data stream to obtain a protocol corresponding to the network data stream; and acquiring the network data stream to be detected matched with the protocol to be detected in the network data stream according to the protocol corresponding to the network data stream.
For example: analyzing the network data stream to obtain specific codes (each protocol has a specific code) in the network data stream, determining a corresponding protocol according to the specific codes, and if the corresponding protocol is a Modbus protocol and a TCP protocol and the protocol to be detected is the Modbus protocol, acquiring the network data stream corresponding to the Modbus protocol from the network data stream to obtain the network data stream to be detected.
In an optional embodiment of the present invention, in step S106, invoking the target protocol parser to parse the network data stream to be detected, and matching the parsing result with the abnormal function code, specifically includes: calling a target protocol analyzer to analyze a protocol program packet in the network data stream to be detected to obtain a function code in the network data stream; and matching the function code with the abnormal function code.
Taking the Modbus protocol as an example: first, a Modbus protocol analyzer, including a function for the specific protocol analysis, is registered in a self-defined manner. If the registered port of the Modbus protocol analyzer is port 502, abnormal function code detection is performed on the network data stream to be detected on port 502. When a network data stream to be detected is found, the Modbus protocol analyzer is called back to analyze it, and the analysis result is matched against the abnormal function code registered in the Modbus protocol rule signature; if the analysis result matches an abnormal function code in the Modbus protocol rule signature, the detection result is recorded to the detection engine.
Through the design of a systematic encapsulation interface (namely the target protocol analyzer), the method for detecting abnormal operation provides a way to flexibly customize both the protocol to be detected and the analysis method for the protocol's abnormal function codes, together with a customizable technical method for realizing the protocol detection function, so that the overall technical framework can cope with complicated and varied OT network protocols and supports customized detection of proprietary protocols.
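As an added example, not code from the patent or from Beijing Dingxiang Technology, the following Python sketch implements the Modbus walkthrough above together with the rule-file registration of steps S201 to S203. The rule-file syntax, the function names, the abnormal code values and the two Modbus/TCP frames are assumptions constructed for this illustration; the sketch also contrasts the parsed match with the raw byte-string matching that the Background criticises.

```python
"""Minimal rule-driven abnormal function code detector (illustrative, not the
patent's code). Rule-file syntax, names and sample frames are assumptions."""
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Steps S201-S203: a self-defined rule file. Assumed line format:
#   <protocol> <port> <function code>[,<function code>...]
# The codes listed are constructed values the operator treats as abnormal.
RULE_FILE = """\
# protocol port abnormal_function_codes
modbus 502 0x09,0x0a,0x0d,0x0e,0x19
"""


@dataclass
class ProtocolRuleSignature:
    """Carries the protocol to be detected and its abnormal function codes."""
    protocol: str
    port: int
    abnormal_codes: Set[int] = field(default_factory=set)


def load_rule_file(text: str) -> Dict[str, ProtocolRuleSignature]:
    """Parse the rule file and register every abnormal function code into the
    signature of its protocol (done once, when the engine starts)."""
    sigs: Dict[str, ProtocolRuleSignature] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        proto, port, codes = line.split()
        sig = sigs.setdefault(proto, ProtocolRuleSignature(proto, int(port)))
        sig.abnormal_codes.update(int(c, 0) for c in codes.split(","))
    return sigs


# A target protocol parser returns the function code of a well-formed frame,
# or None when the payload is not a frame of this protocol.
Parser = Callable[[bytes], Optional[int]]


def parse_modbus_tcp(payload: bytes) -> Optional[int]:
    """Parse the 7-byte MBAP header and return the PDU function code."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, _unit = struct.unpack("!HHHB", payload[:7])
    # Modbus/TCP uses protocol identifier 0; length counts unit id plus PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]


# Custom parser registration keyed by the port the parser is registered on.
PARSERS: Dict[int, Tuple[str, Parser]] = {502: ("modbus", parse_modbus_tcp)}


def detect(dst_port: int, payload: bytes,
           sigs: Dict[str, ProtocolRuleSignature]) -> Optional[str]:
    """Steps S104-S108: select the parser registered for the flow's port,
    parse the frame and match the function code against the signature.
    Returns a detection string, or None for normal or unparsed traffic."""
    entry = PARSERS.get(dst_port)
    if entry is None:
        return None                      # no parser registered for this port
    proto, parser = entry
    sig = sigs.get(proto)
    if sig is None:
        return None                      # protocol not under detection
    code = parser(payload)
    if code is None or code not in sig.abnormal_codes:
        return None
    return f"{proto}.invalid_function_code fc=0x{code:02x}"


def naive_byte_match(payload: bytes, sig: ProtocolRuleSignature) -> bool:
    """The prior-art approach: look for the abnormal code byte anywhere in
    the raw stream without parsing the protocol structure."""
    return any(bytes([c]) in payload for c in sig.abnormal_codes)


# Constructed frames: transaction id, protocol id 0, length, unit id, PDU.
# Normal: Write Multiple Registers (fc 0x10) whose register value 0x0009
# puts the byte 0x09 into the data field, not the function code field.
NORMAL = bytes.fromhex("0001 0000 0009 01 10 0000 0001 02 0009".replace(" ", ""))
# Abnormal: a frame whose function code field really is 0x09.
ABNORMAL = bytes.fromhex("0002 0000 0002 01 09".replace(" ", ""))

if __name__ == "__main__":
    sigs = load_rule_file(RULE_FILE)
    for name, frame in (("normal", NORMAL), ("abnormal", ABNORMAL)):
        print(name, "| parsed:", detect(502, frame, sigs),
              "| naive byte match:", naive_byte_match(frame, sigs["modbus"]))
```

Running the script shows the normal write frame flagged only by the naive byte match, while the parsed check flags just the frame whose function code field is abnormal.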
Example two:
An embodiment of the present invention further provides a device for detecting abnormal operation, which is mainly used for executing the method for detecting abnormal operation provided in the first embodiment of the present invention. The device for detecting abnormal operation provided in the embodiment of the present invention is described in detail below.
Fig. 4 is a schematic diagram of an abnormal operation detection apparatus according to an embodiment of the present invention. As shown in fig. 4, the apparatus mainly includes a first acquisition unit 10, a second acquisition unit 20, a parsing and matching unit 30 and a determination unit 40, wherein:
the first acquisition unit is used for acquiring a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected;
the second acquisition unit is used for acquiring the network data stream to be detected matched with the protocol to be detected from the network data stream;
the analysis and matching unit is used for calling a target protocol analyzer to analyze the network data stream to be detected and matching an analysis result with the abnormal function code, wherein the target protocol analyzer is a protocol analyzer with the same protocol as the network data stream to be detected;
and the determining unit is used for determining the operation corresponding to the network data stream to be detected as the abnormal operation if the analysis result is matched with the abnormal function code.
In an embodiment of the present invention, there is provided an abnormal operation detection apparatus whose operation includes: acquiring a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected; acquiring, from the network data stream, the network data stream to be detected that matches the protocol to be detected; calling a target protocol analyzer to analyze the network data stream to be detected and matching the analysis result against the abnormal function code, wherein the target protocol analyzer is the protocol analyzer for the same protocol as the network data stream to be detected; and, if the analysis result matches the abnormal function code, determining that the operation corresponding to the network data stream to be detected is an abnormal operation. As the above description shows, the abnormal operation detection device provided by the invention detects the network data stream to be detected on the basis of the abnormal function code; it can cope with complex and varied industrial control system networks, the detected abnormal operation is more accurate and of higher precision, and the technical problem of poor accuracy in the existing abnormal operation detection method is solved.
Optionally, the apparatus is further configured to: acquiring a self-defined rule file; analyzing the rule file to obtain the information of the protocol to be detected and the information of the abnormal function code corresponding to the protocol to be detected, which are contained in the rule file; and registering the information of the abnormal function code into a protocol rule signature corresponding to the information of the protocol to be detected to obtain the protocol rule signature.
Optionally, the first obtaining unit is further configured to: calling a kernel module to obtain an initial network data stream of the network card; decoding the initial network data stream to obtain a decoded network data stream; and performing data packet recombination on the decoded network data stream to obtain the network data stream.
Optionally, the apparatus is further configured to: judge whether the port corresponding to the network data stream to be detected is the same as the port registered by the target protocol parser; and, if the ports are the same, call the target protocol parser to parse the network data stream to be detected.
Optionally, the second obtaining unit is further configured to: analyzing the network data stream to obtain a protocol corresponding to the network data stream; and acquiring the network data stream to be detected matched with the protocol to be detected in the network data stream according to the protocol corresponding to the network data stream.
Optionally, the parsing and matching unit is further configured to: call the target protocol parser to parse the protocol packet in the network data stream to be detected to obtain the function code carried in that network data stream; and match the function code with the abnormal function code.
Optionally, the target protocol parser is a custom registered protocol parser, which includes a function for performing protocol parsing.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for the sake of brevity, for matters not mentioned in the device embodiments reference may be made to the corresponding content of the method embodiments.
As shown in fig. 5, an electronic device 600 provided in an embodiment of the present application includes a processor 601, a memory 602 and a bus. The memory 602 stores machine-readable instructions executable by the processor 601; when the electronic device runs, the processor 601 and the memory 602 communicate with each other through the bus, and the processor 601 executes the machine-readable instructions to perform the steps of the abnormal operation detection method.
Specifically, the memory 602 and the processor 601 can be general-purpose memories and processors, which are not specifically limited herein, and the detection method of the abnormal operation can be performed when the processor 601 runs a computer program stored in the memory 602.
The processor 601 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 601. The processor 601 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM or registers. The storage medium is located in the memory 602, and the processor 601 reads the information in the memory 602 and completes the steps of the method in combination with its hardware.
Corresponding to the above abnormal operation detection method, an embodiment of the present application further provides a computer-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to execute the steps of the above abnormal operation detection method.
The abnormal operation detection device provided by the embodiment of the application may be specific hardware on the device, or software or firmware installed on the device, and the like. The device provided by the embodiment of the present application has the same implementation principle and technical effect as the foregoing method embodiments; for the sake of brevity, for matters not mentioned in the device embodiments reference may be made to the corresponding content of the foregoing method embodiments. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the foregoing systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described here again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
For another example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided in the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing an electronic device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present application, used for illustrating the technical solutions of the present application and not for limiting them, and the scope of the present application is not limited thereto. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can modify, or easily conceive changes to, the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features, within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the scope of the embodiments of the present application and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of detecting abnormal operation, comprising:
acquiring a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected;
acquiring a to-be-detected network data stream matched with the to-be-detected protocol from the network data stream;
calling a target protocol analyzer to analyze the network data stream to be detected, and matching an analysis result with the abnormal function code, wherein the target protocol analyzer is a protocol analyzer with the same protocol as the network data stream to be detected;
and if the analysis result is matched with the abnormal function code, determining the operation corresponding to the network data stream to be detected as abnormal operation.
2. The method of claim 1, wherein prior to obtaining the network data flow and protocol rule signature, the method further comprises:
acquiring a self-defined rule file;
analyzing the rule file to obtain the information of the protocol to be detected and the information of the abnormal function code corresponding to the protocol to be detected, which are contained in the rule file;
and registering the information of the abnormal function code into a protocol rule signature corresponding to the information of the protocol to be detected to obtain the protocol rule signature.
3. The method of claim 1, wherein obtaining a network data stream comprises:
calling a kernel module to obtain an initial network data stream of the network card;
decoding the initial network data stream to obtain a decoded network data stream;
and performing data packet recombination on the decoded network data stream to obtain the network data stream.
4. The method according to claim 1, wherein after acquiring the network data stream to be detected matching the protocol to be detected in the network data stream, before invoking a target protocol parser to parse the network data stream to be detected, the method further comprises:
judging whether the port corresponding to the network data stream to be detected is the same as the port registered by the target protocol analyzer or not;
and if the ports are the same, calling the target protocol analyzer to analyze the network data stream to be detected.
5. The method according to claim 1, wherein obtaining the network data stream to be detected matching the protocol to be detected from the network data stream comprises:
analyzing the network data stream to obtain a protocol corresponding to the network data stream;
and acquiring the network data stream to be detected matched with the protocol to be detected in the network data stream according to the protocol corresponding to the network data stream.
6. The method of claim 1, wherein invoking a target protocol parser to parse the network data stream to be detected and match a parsing result with the abnormal function code comprises:
calling the target protocol analyzer to analyze the protocol program packet in the network data stream to be detected to obtain a function code in the network data stream to be detected;
and matching the function code with the abnormal function code.
7. The method of claim 1, wherein the target protocol parser is a custom registered protocol parser containing a function for performing protocol parsing.
8. An abnormal operation detection apparatus, comprising:
a first acquisition unit, configured to acquire a network data stream and a protocol rule signature, wherein the protocol rule signature carries information of a protocol to be detected and an abnormal function code corresponding to the protocol to be detected;
a second obtaining unit, configured to obtain, in the network data stream, a to-be-detected network data stream matched with the to-be-detected protocol;
the analysis and matching unit is used for calling a target protocol analyzer to analyze the network data stream to be detected and matching an analysis result with the abnormal function code, wherein the target protocol analyzer is a protocol analyzer with the same protocol as the network data stream to be detected;
and the determining unit is used for determining the operation corresponding to the network data stream to be detected as abnormal operation if the analysis result is matched with the abnormal function code.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method of any of the preceding claims 1 to 7 are implemented when the computer program is executed by the processor.
10. A computer readable storage medium having stored thereon machine executable instructions which, when invoked and executed by a processor, cause the processor to perform the method of any of claims 1 to 7.
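The following Python sketch is an added illustration of the apparatus described in the device embodiment above and in claims 1 to 7; it is not part of the patent and is not the applicant's implementation. The rule-file format, the function names, the parser registry and the sample Modbus/TCP frames are all assumptions constructed for the example; Modbus/TCP is used only because its function code byte makes the "function code matching" step concrete. Decoding and packet reassembly (claim 3) are taken as given, so the example starts from reassembled flows.

```python
import json
import struct
from dataclasses import dataclass, field

# Constructed rule file (the format is an assumption): for each protocol to be
# detected, the function codes the operator wants reported as abnormal
# operations. The codes listed are Modbus write functions; any policy would do.
RULE_FILE = json.dumps({
    "rules": [
        {"protocol": "modbus", "abnormal_function_codes": [5, 6, 15, 16]},
    ]
})


@dataclass
class ProtocolRuleSignature:
    """Information of a protocol to be detected plus its abnormal function codes."""
    protocol: str
    abnormal_function_codes: set = field(default_factory=set)


def load_rule_signatures(rule_text: str) -> dict:
    """Parse the custom rule file and register every abnormal function code into
    the rule signature of its protocol (the step of claim 2)."""
    sigs = {}
    for entry in json.loads(rule_text)["rules"]:
        sig = sigs.setdefault(entry["protocol"], ProtocolRuleSignature(entry["protocol"]))
        sig.abnormal_function_codes.update(int(c) for c in entry["abnormal_function_codes"])
    return sigs


def parse_modbus_tcp(payload: bytes) -> int:
    """Custom protocol parser (claim 7): returns the function code of a
    Modbus/TCP frame, or raises ValueError when the MBAP header is inconsistent.
    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1)."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto_id, length, _unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        raise ValueError("MBAP protocol id or length field is invalid")
    return payload[7]


# Parser registry (claims 4 and 7): protocol name -> (registered port, parser).
PARSERS = {}


def register_parser(protocol: str, port: int, func) -> None:
    PARSERS[protocol] = (port, func)


register_parser("modbus", 502, parse_modbus_tcp)


@dataclass
class Flow:
    """A reassembled application-layer flow, i.e. the output of the decoding
    and packet reassembly steps that this example takes as given."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


def identify_protocol(flow: Flow) -> str:
    """Protocol identification (claim 5) by header shape only, so that the port
    check of claim 4 below is a separate, visible step. Returns 'unknown' when
    the payload does not look like a Modbus/TCP frame."""
    p = flow.payload
    if len(p) >= 8 and p[2:4] == b"\x00\x00" and struct.unpack("!H", p[4:6])[0] == len(p) - 6:
        return "modbus"
    return "unknown"


def is_abnormal_operation(flow: Flow, sigs: dict) -> bool:
    """The detection steps of claims 1, 4 and 6 applied to one flow."""
    protocol = identify_protocol(flow)
    sig = sigs.get(protocol)
    if sig is None:
        return False                  # protocol is not under detection
    registered = PARSERS.get(protocol)
    if registered is None or registered[0] != flow.dst_port:
        return False                  # claim 4: port must match the registered parser
    try:
        function_code = registered[1](flow.payload)
    except ValueError:
        return False                  # malformed frame: no function code to match
    return function_code in sig.abnormal_function_codes


def build_modbus_frame(function_code: int, body: bytes, unit: int = 1) -> bytes:
    """Helper that constructs sample Modbus/TCP frames for the demonstration."""
    pdu = bytes([unit, function_code]) + body
    return struct.pack("!HHH", 1, 0, len(pdu)) + pdu


def scan(flows: list, sigs: dict) -> list:
    """Return the indexes of the flows whose operation is abnormal."""
    return [i for i, f in enumerate(flows) if is_abnormal_operation(f, sigs)]


if __name__ == "__main__":
    sigs = load_rule_signatures(RULE_FILE)
    flows = [  # constructed sample traffic
        Flow("10.0.0.5", "10.0.0.9", 502, build_modbus_frame(3, b"\x00\x00\x00\x0a")),   # read 10 registers
        Flow("10.0.0.5", "10.0.0.9", 502, build_modbus_frame(5, b"\x00\x01\xff\x00")),   # write single coil
        Flow("10.0.0.5", "10.0.0.9", 5020, build_modbus_frame(5, b"\x00\x01\xff\x00")),  # write, unregistered port
    ]
    print(scan(flows, sigs))  # [1]
```

Only the second flow is reported: the read request carries a function code that is not in the signature, and the third flow, although it parses as Modbus, arrives on a port that does not match the registered parser and therefore never reaches function-code matching, which is the ordering claims 4 and 6 describe. A frame that fails the parser's header checks is likewise not reported, since there is no function code to match.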

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111269519.6A CN114006750A (en) 2021-10-29 2021-10-29 Abnormal operation detection method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN114006750A true CN114006750A (en) 2022-02-01

Family

ID=79925003



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination