CN114039772B - Detection method for network attack and electronic equipment - Google Patents


Info

Publication number
CN114039772B
Authority
CN
China
Prior art keywords
network
data
attack
log
determining
Prior art date
Legal status
Active
Application number
CN202111314793.0A
Other languages
Chinese (zh)
Other versions
CN114039772A (en)
Inventor
李岩
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks

Abstract

The application discloses a method for detecting a network attack, and an electronic device. The method comprises: acquiring log data of a first network, the log data comprising a plurality of log units that each correspond to a different data characteristic of the data traffic in the first network; analyzing the log units with at least one analysis model to generate integral data (a per-device score; the translation renders the Chinese term for "score" as "integral" throughout) that characterizes the behaviour of the network devices in the first network; determining the network devices whose integral data exceed a first threshold as target nodes; and determining, from the node information of the target nodes, a target network in the first network that exhibits attack behaviour. Because several analysis models with different analysis emphases are applied to the same log data, the method can accurately extract botnet-related information from many different aspects of the data in a high-traffic core network with a massive number of links, and detection efficiency is improved.

Description

Detection method for network attack and electronic equipment
Technical Field
The present application relates to the field of network information processing, and in particular, to a method for detecting a network attack and an electronic device.
Background
With the rapid development of the Internet and the mobile Internet, governments and enterprises increasingly provide services to the public and to users through Internet information systems. While these systems bring convenience to governments, enterprises, the public and users, they have also become targets for attacks by hacking organizations around the world, and botnets are a particularly prominent attack vehicle. By controlling a large number of bot hosts, a botnet can carry out DDoS attacks, send malicious mail, serve as a pivot (springboard) for further attacks, and so on. Because the harm is great, botnet detection techniques are valued. However, most current botnet detection techniques either use a detection engine to match network data against botnet signatures, or apply statistical analysis to historically accumulated data. For a network with heavy traffic and a large number of links (such as a core-network scenario), there is currently no detection approach that guarantees both detection accuracy and high processing efficiency.
Disclosure of Invention
The embodiments of the application aim to provide a network attack detection method and an electronic device that can accurately and efficiently detect a botnet carrying out attacks in a network (especially a core network), so that the botnet can then be dealt with.
In order to achieve the above object, an embodiment of the present application provides a method for detecting a network attack, including:
acquiring log data of a first network; the log data is provided with a plurality of log units, and the log units respectively correspond to different data characteristics of the data traffic in the first network;
analyzing the log units in the log data by using at least one analysis model to generate integral data representing the behavior of network devices in the first network;
determining network equipment corresponding to data higher than a first threshold value in the integrated data as a target node;
and determining a target network with network attack behaviors in the first network based on the node information of the target node.
Optionally, the analyzing the log units in the log data with at least one analysis model generates integral data characterizing the behavior of network devices in the first network, including:
determining flow characteristics in the log data, which characterize session communication between different network devices, by using a first analysis model;
based on the traffic characteristics, a first integral value of the corresponding network device is generated.
Optionally, the determining the traffic characteristics of session communication between different network devices in the log data includes:
determining the communication quantity of each network device for communicating with other network devices;
correspondingly, the generating a first integral value of the corresponding network device based on the traffic characteristics includes:
determining network equipment of which the communication quantity meets the quantity requirement in all network equipment;
and generating the corresponding first integral value based on the flow characteristics of the network equipment meeting the quantity requirements.
Optionally, the analyzing the log units in the log data with at least one analysis model generates integral data characterizing the behavior of network devices in the first network, including:
determining network attack information representing the network equipment to implement network attack in the log data by using a second analysis model;
based on the network attack information, a second integral value is generated that characterizes a degree to which the network device is conducting a network attack.
Optionally, the determining, by using the second analysis model, network attack information characterizing network device to conduct network attack in the log data includes:
Respectively analyzing attack source information and attack destination information in the process of implementing network attack for the network equipment;
correspondingly, the generating, based on the network attack information, a second integral value capable of characterizing the degree of the network attack conducted by the network device includes:
determining a plurality of different attack phases in the attack source information;
and generating the second integral value at least based on the stage parameters corresponding to the second analysis model in each attack stage.
Optionally, the analyzing the log units in the log data with at least one analysis model generates integral data characterizing the behavior of network devices in the first network, including:
analyzing short sessions, of which the session time is lower than a second threshold value, of the log data, by using a third analysis model, and determining a first type session, of which the session time accords with a first condition, of the short sessions;
a third integral value is generated based on the number and/or the number ratio of the first type of sessions.
Optionally, analyzing with the third analysis model the short sessions in the log data whose session time (for the network device they characterize) is lower than the second threshold, and determining the first type sessions among them that meet the first condition, includes:
Determining the message type of the short session;
and determining a first type session meeting a first condition in the short sessions according to the proportion information of the short sessions of each message type in all the short sessions.
Optionally, the analyzing the log units in the log data with at least one analysis model generates integral data characterizing the behavior of network devices in the first network, including:
accumulating sub-integration data corresponding to each analysis model;
the integration data is generated based on the accumulation result.
Optionally, the determining, based on the node information of the target node, the target network having network attack behavior in the first network includes:
determining associated IP information associated with an IP address of the target node;
and determining an association node associated with the target node in the first network based on the association IP information, wherein the target node and the association node form the target network.
The embodiment of the application also provides electronic equipment, which comprises:
an acquisition module configured to acquire log data of a first network; the log data is provided with a plurality of log units, and the log units respectively correspond to different data characteristics of the data traffic in the first network;
an analysis module configured to analyze the log units in the log data using at least one analysis model, generating integral data characterizing the behaviour of network devices in the first network;
a processing module configured to determine a network device corresponding to data higher than a first threshold value in the integrated data as a target node; and determining a target network with network attack behaviors in the first network based on the node information of the target node.
According to the method, a plurality of different analysis models with respective analysis characteristics can be utilized to analyze the first network (such as a core network), so that in the first network (such as the core network) with large flow and massive links, relevant information of the botnet in the first network is accurately obtained from data in a plurality of different aspects, and the detection efficiency is effectively improved.
Drawings
FIG. 1 is a flow chart of a method for detecting network attacks according to an embodiment of the present application;
FIG. 2 is a flow chart of one embodiment of step S200 of FIG. 1 according to an embodiment of the present application;
FIG. 3 is a flow chart of one embodiment of step S220 of FIG. 2 according to an embodiment of the present application;
FIG. 4 is a flowchart of another embodiment of step S200 of FIG. 1 according to an embodiment of the present application;
FIG. 5 is a flowchart of a further embodiment of step S200 of FIG. 1 according to an embodiment of the present application;
FIG. 6 is a flow chart of one embodiment of step S250 of FIG. 5 according to an embodiment of the present application;
FIG. 7 is a flow chart of one embodiment of step S400 of FIG. 1 according to an embodiment of the present application;
FIG. 8 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the accompanying drawings.
It should be understood that various modifications may be made to the embodiments of the application herein. Therefore, the above description should not be taken as limiting, but merely as exemplification of the embodiments. Other modifications within the scope and spirit of the application will occur to persons of ordinary skill in the art.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the application and, together with a general description of the application given above, and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the application will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It is also to be understood that, although the application has been described with reference to some specific examples, a person skilled in the art will certainly be able to achieve many other equivalent forms of the application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in light of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application will be described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail to avoid obscuring the application in unnecessary or unnecessary detail. Therefore, specific structural and functional details disclosed herein are not intended to be limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the word "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
The embodiment of the application provides a network attack detection method that can be applied to a network, in particular to a core network carrying heavy traffic. The network devices in the network are scored by combining all of the analysis results; from the scores, the network devices whose integral is above a threshold are determined and designated as target nodes, i.e. key nodes of the botnet within the core network, so that the whole botnet can be detected from the related information of the target nodes.
The detection method is described in detail below with reference to the accompanying drawings, and fig. 1 is a flowchart of a detection method for network attack according to an embodiment of the present application, and as shown in fig. 1, the detection method includes the following steps:
S100, acquiring log data of a first network; the log data is provided with a plurality of log units, and the log units respectively correspond to different data characteristics of the data traffic in the first network.
The first network may be a different type of network, such as a core network, in which large data traffic and a large number of links are involved. The first network may include a botnet, which needs to be detected.
The log data of the first network is data generated while the first network operates and may be recorded as logs. It includes information on the interactions and other behaviour between network devices in the first network, such as the IP communication of a first network device with other network devices in the first network.
In this embodiment the log data has a plurality of log units, each corresponding to a different data characteristic of the data traffic in the first network. For example, the log units may include at least one of: IP session logs, bot feature logs, malicious file propagation logs, DNS logs, HTTP logs, and the like.
The specific contents of the log units have different emphases, and the analysis of the log data can follow the emphasis of each log unit, so that different types of information are accurately obtained from the log data.
In one embodiment, processing the log data into a plurality of log units may include normalizing the log data, so that the resulting log units are readable and are provided in a standard format for reading and analysis.
S200, analyzing the log units in the log data by utilizing at least one analysis model to generate integral data representing the behavior of network equipment in the first network.
When the log data is analyzed, one or more analysis models can be used for analyzing the log data, and particularly, a plurality of different analysis models are used for analyzing the log data, each analysis model has respective analysis tendency, and the emphasis of the analysis is different.
When each analysis model in this embodiment analyzes the log units in the log data, it may generate integral data that characterizes the behaviour of the network devices in the first network. In one embodiment the behaviour is network attack behaviour, such as botnet-based attack behaviour. The integral data characterizes how pronounced a network device's attack behaviour is: a higher integral value in the integral data indicates more pronounced attack behaviour by the network device, and a lower integral value indicates less pronounced attack behaviour.
And S300, determining the network equipment corresponding to the data higher than the first threshold value in the integral data as a target node.
The integral data may include a specific integral value, or may consist directly of the integral value; it is formed by the analysis model's analysis of the network device. In this embodiment, the network device whose integral data is above the first threshold is determined as a target node. If the integral data consists directly of an integral value and that value is above the first threshold (which may be a value range or a preset value), the network device corresponding to it may be determined as a target node; if the integral value is below the first threshold, the corresponding network device may be determined to be one of the other nodes in the first network.
In addition, the target node may be an important node of the target network with network attack behavior in the first network, for example, the target network is a botnet, where the botnet includes a plurality of different nodes, and the target node in this embodiment may be an important node or a core node in the botnet, where the target node cooperates with other auxiliary nodes in the botnet, so as to implement network attack.
S400, determining a target network with network attack behaviors in the first network based on the node information of the target node.
The node information of the target node includes information related to communication between the target node and other devices in the first network, and further includes characteristic information of the target node itself. Since the target node needs to interact with other nodes in the first network, other nodes associated with the target node can be determined from the node information of the target node.
And then, based on the target node and other nodes associated with the target node, the target network with network attack behaviors can be determined, such as the botnet in the first network. So that the detected botnet can be processed.
According to the method, a plurality of different analysis models with respective analysis characteristics can be utilized to analyze the first network (such as a core network), so that in the first network (such as the core network) with large flow and massive links, relevant information of the botnet in the first network is accurately obtained from data in a plurality of different aspects, and the detection efficiency is effectively improved.
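The flow of steps S300 and S400 above, together with the accumulation of each model's sub-integral into the integral data (described in the summary), as an added example that is not the patent's own code. The per-device sub-scores and the IP session edges are constructed inputs standing in for the outputs of the analysis models and the IP session log; the page does not give the first threshold, so the value 1500 is an assumption, as is taking the "associated IP information" of a target node to be the set of addresses it exchanged sessions with in either direction.

```python
"""Added example (not the patent's code): steps S300 and S400 of the method,
plus the accumulation of per-model sub-integrals into the integral data,
run over constructed inputs."""
from collections import defaultdict

FIRST_THRESHOLD = 1500  # assumption; the page says only "a value range or a preset value"

# Constructed sub-integral values per device from three analysis models. In a real
# run these come from the analysis models; the numbers here are invented.
SAMPLE_SUB_SCORES = {
    "first_model": {"10.0.0.5": 964, "10.0.0.9": 462, "10.0.0.7": 900},
    "second_model": {"10.0.0.5": 1200, "10.0.0.7": 100},
    "third_model": {"10.0.0.5": 300, "10.0.0.9": 50, "10.0.0.7": 200},
}

# Constructed (src, dst) pairs from the IP session log of the same period.
SAMPLE_SESSIONS = [
    ("10.0.0.5", "192.168.1.10"),
    ("10.0.0.5", "192.168.1.11"),
    ("192.168.1.12", "10.0.0.5"),   # inbound session: the peer still counts as associated
    ("10.0.0.9", "192.168.1.40"),
    ("10.0.0.7", "192.168.1.50"),
]


def accumulate_scores(sub_scores):
    """Integral data: per-device sum of every model's sub-integral (page: accumulation)."""
    integral = defaultdict(int)
    for per_model in sub_scores.values():
        for device, value in per_model.items():
            integral[device] += value
    return dict(integral)


def select_target_nodes(integral, threshold=FIRST_THRESHOLD):
    """S300: devices whose integral value is above the first threshold."""
    return {device for device, value in integral.items() if value > threshold}


def associated_ips(sessions):
    """Associated IP information: every address a node exchanged sessions with
    in either direction (assumed definition)."""
    assoc = defaultdict(set)
    for src, dst in sessions:
        assoc[src].add(dst)
        assoc[dst].add(src)
    return assoc


def build_target_networks(targets, sessions):
    """S400: each target node with its associated nodes forms one target network."""
    assoc = associated_ips(sessions)
    return {t: {t} | assoc[t] for t in targets}


def detect(sub_scores, sessions, threshold=FIRST_THRESHOLD):
    """Full S300/S400 flow: integral data -> target nodes -> target networks."""
    integral = accumulate_scores(sub_scores)
    targets = select_target_nodes(integral, threshold)
    return integral, build_target_networks(targets, sessions)


if __name__ == "__main__":
    integral, networks = detect(SAMPLE_SUB_SCORES, SAMPLE_SESSIONS)
    for target, members in networks.items():
        print(target, integral[target], sorted(members))
```

With the constructed numbers only 10.0.0.5 (integral 2464) clears the threshold; lowering the threshold to 1000 also pulls in 10.0.0.7, which shows why the page leaves the first threshold as a configurable value range rather than a constant.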
In one embodiment of the present application, the analyzing the log units in the log data using at least one analysis model generates integral data characterizing the behavior of network devices in the first network, as shown in fig. 2, including:
S210, determining flow characteristics of session communication among different network devices in the log data by using a first analysis model;
s220, generating a first integral value of the corresponding network equipment based on the flow characteristics.
Specifically, the first analysis model may be pre-constructed to characterize the traffic characteristics of session communication between different network devices in the log data. Network devices communicate with each other in sessions; for example, a first network device holds sessions with several other network devices, and each session has its own traffic characteristics. Some sessions are small-flow, for example carrying less than 20 KB; others, such as a network device's large-flow communication with other devices, carry more than 20 KB.
A target node in a botnet typically has small-flow sessions with the other nodes (other network devices). In this embodiment, the first analysis model may generate the first integral value of a network device from the number of other network devices that hold sessions with it, combined with the traffic characteristics of those sessions. The first integral value characterizes the network device, specifically the extent to which it can be taken to be a target node: the higher the first integral value, the more likely the network device is a target node in a botnet.
In one embodiment of the present application, the determining the traffic characteristics in the log data characterizing session communications between different network devices includes:
determining the communication quantity of each network device for communicating with other network devices;
in particular, each network device in the first network may be in session communication with other network devices, and the different network devices may have different amounts of communication, e.g., the first network device is in communication with N other network devices, and the second network device is in communication with M other network devices.
Accordingly, the generating, based on the traffic characteristics, a first integral value of the corresponding network device, as shown in fig. 3, includes:
s2210, determining network equipment with the communication quantity meeting the quantity requirement in all network equipment;
s2220, based on the flow characteristics of the network devices meeting the quantity requirements, generating the corresponding first integral value.
Specifically, a target node in a botnet communicates with a high number of other network devices, typically more than an empirical value, and the quantity requirement can be built on that empirical value: network devices whose communication count exceeds the empirical value are determined to meet the quantity requirement.
However, a normal network device in the first network may also meet the quantity requirement, so the first analysis model in this embodiment may also combine the traffic characteristics of the network device into a comprehensive analysis when generating the first integral value.
In one specific embodiment, a target node of a botnet controls a number of bot hosts (other network devices). From the IP session logs, the number a of distinct other network devices that a single network device communicates with is counted per unit time (a duration of 10 minutes is recommended); the count is reset to 0 at the end of each unit time. From observation in a core-network (first network) environment, a session between a single network device and another device has statistical value only if it carries little traffic, so an empirical threshold of 20 KB is used: only sessions below that threshold, and only IP session log entries of non-DNS protocols, are counted towards the score. In an implementation the threshold size and the protocol whitelist support secondary (on-site) configuration.
Let $c_1$ be the number of other network devices that one network device communicates with. The relationship between $c_1$ and the probability that the device is the central node (target node) of a botnet was compared against a probability relationship graph and found to match a hyperbolic tangent function. $c_1$ is first processed by the function $a = f_1(c_1) = c_1 / 4$; this is an approximate function, and $f_1$ is to be optimized further. The first integral value $z_1$ produced by the first analysis model is then computed from $a$ by a formula that the source gives only as an image (not reproduced here), in which $M$ is a base score, e.g. $M = 1000$, $n$ is a positive integer, and $e$ is a constant that may be taken as 2.72. For statistical convenience and calculation efficiency, floating-point calculation can be removed from the first integral data and the value treated as an integer.
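The first analysis model as described in the two preceding paragraphs, as an added example that is not the patent's own code. It uses the values the page gives (10-minute unit time, 20 KB small-flow threshold, non-DNS sessions only, $a = f_1(c_1) = c_1/4$, base score $M = 1000$, $e \approx 2.72$). Everything else is assumed: the log line format, that a device's $c_1$ is taken from its busiest window, and that the hyperbolic tangent the page mentions is applied as $z_1 = M \cdot \tanh(a)$, since the page's own formula is an image that is not reproduced.

```python
"""Added example (not the patent's code): first analysis model, scoring each device
by the number of distinct peers it reaches with small-flow, non-DNS sessions in a
10-minute window. Page values are marked; everything else is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # page: recommended unit time
SMALL_FLOW_BYTES = 20 * 1024     # page: sessions below 20 KB have statistical value
EXCLUDED_PROTOCOLS = {"dns"}     # page: only non-DNS IP session logs are counted
BASE_SCORE_M = 1000              # page: base score M
E_CONST = 2.72                   # page: e taken as 2.72
EPOCH = datetime(1970, 1, 1)     # windows aligned to a fixed origin (assumption)

# Constructed sample IP session log, one session per line: time,src,dst,proto,bytes.
# The format is this example's own; the page does not specify one.
SAMPLE_IP_SESSION_LOG = """\
2021-11-08T10:00:05,10.0.0.5,192.168.1.10,tcp,512
2021-11-08T10:00:07,10.0.0.5,192.168.1.11,tcp,640
2021-11-08T10:00:09,10.0.0.5,192.168.1.12,tcp,700
2021-11-08T10:00:12,10.0.0.5,192.168.1.13,tcp,300
2021-11-08T10:00:15,10.0.0.5,192.168.1.14,udp,256
2021-11-08T10:00:20,10.0.0.5,192.168.1.15,tcp,900
2021-11-08T10:00:22,10.0.0.5,192.168.1.16,tcp,444
2021-11-08T10:00:30,10.0.0.5,192.168.1.17,tcp,800
2021-11-08T10:00:31,10.0.0.5,192.168.1.10,tcp,333
2021-11-08T10:00:40,10.0.0.5,10.0.0.53,dns,120
2021-11-08T10:01:00,10.0.0.5,192.168.1.20,tcp,51200
2021-11-08T10:12:00,10.0.0.5,192.168.1.30,tcp,600
2021-11-08T10:12:05,10.0.0.5,192.168.1.31,tcp,600
2021-11-08T10:03:00,10.0.0.9,192.168.1.40,tcp,500
2021-11-08T10:03:10,10.0.0.9,192.168.1.41,tcp,500
"""


def parse_ip_session_log(text):
    """Parse the constructed log into dicts; one dict per session."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, size = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "proto": proto.lower(), "bytes": int(size)})
    return records


def peer_counts(records, window=WINDOW, small_flow=SMALL_FLOW_BYTES,
                excluded=frozenset(EXCLUDED_PROTOCOLS)):
    """c1 per source device: distinct peers of small-flow, non-excluded sessions.

    The count restarts at 0 in every window (page: count refreshed to 0 after
    the unit time); the device's c1 is its busiest window (assumption).
    Threshold and protocol list are parameters so they can be reconfigured."""
    peers = defaultdict(set)  # (src, window index) -> set of distinct peers
    for r in records:
        if r["proto"] in excluded or r["bytes"] >= small_flow:
            continue
        peers[(r["src"], (r["time"] - EPOCH) // window)].add(r["dst"])
    c1 = defaultdict(int)
    for (src, _), dsts in peers.items():
        c1[src] = max(c1[src], len(dsts))
    return dict(c1)


def f1(c1):
    """Page's approximate mapping a = f1(c1) = c1 / 4."""
    return c1 / 4


def tanh_e(x, e=E_CONST):
    """tanh(x) written with exponentials so the page's constant e = 2.72 is used."""
    p = e ** (2 * x)
    return (p - 1) / (p + 1)


def first_score(c1, m=BASE_SCORE_M):
    """z1 = M * tanh(f1(c1)), rounded to an integer (assumed combination)."""
    return int(round(m * tanh_e(f1(c1))))


def run_first_model(log_text):
    """Return {device: z1} for every source device in the log."""
    counts = peer_counts(parse_ip_session_log(log_text))
    return {src: first_score(c) for src, c in counts.items()}


if __name__ == "__main__":
    for device, z1 in sorted(run_first_model(SAMPLE_IP_SESSION_LOG).items()):
        print(device, z1)
```

In the sample, 10.0.0.5 reaches eight distinct peers with small non-DNS sessions inside one window (the repeated peer, the DNS lookup and the 50 KB transfer are all dropped), giving $a = 2$ and a score of 964 out of 1000, while 10.0.0.9 with two peers scores 462; the saturating tanh is what keeps a device with hundreds of peers from dominating the later accumulated integral.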
In one embodiment of the present application, the analyzing the log units in the log data using at least one analysis model generates integral data characterizing the behavior of network devices in the first network, as shown in fig. 4, including:
s230, determining network attack information representing network equipment to implement network attack in the log data by using a second analysis model;
s240, based on the network attack information, generating a second integral value capable of characterizing the degree to which the network device performs the network attack.
Specifically, when a target node (master device) in the botnet carries out a network attack, the attack action has corresponding network attack information, including attack source information, attack destination information and so on. Moreover, the degree to which different nodes in the botnet, the target node and the other nodes, carry out attacks is not the same: the target node's attack degree is heavier and that of the other nodes lighter.
In this implementation, the second analysis model may analyze the network attack action of the network device, and analyze the network attack action by using the second analysis model to determine the network attack information corresponding to the network device. The network attack information is not the same for different network devices. The target node and other nodes in the botnet have network attack actions but the corresponding network attack information is not the same. In addition, other network devices in the first network may not have the network attack action, but may also have corresponding network attack information, where the network attack information indicates that the network device does not have the network attack action.
Further, the second analysis model may generate a second integral value capable of characterizing a degree to which the network device is conducting a network attack based on the network attack information. The second integral value characterizes the degree of implementing the network attack, and if the second integral value is higher, the degree of the network attack is more serious, and if the second integral value is lower, the degree of the network attack is lighter or can be ignored.
In one embodiment of the present application, the determining, using a second analysis model, network attack information characterizing a network device performing a network attack in the log data includes:
Respectively analyzing attack source information and attack destination information in the process of implementing network attack for the network equipment;
Specifically, the attack source information includes information about the attack source (initiator) of the network attack, such as the initiator's network address and attack timing (e.g. the attack time interval); the attack destination information includes information about the attack destination (the attacked object), such as the attacked object's network address and refresh time information. The second analysis model analyzes the attack source information and the attack destination information separately, which improves the logical analysis and yields a more accurate result.
Correspondingly, the generating, based on the network attack information, a second integral value capable of characterizing the degree of the network attack conducted by the network device includes:
determining a plurality of different attack phases in the attack source information;
and generating the second integral value at least based on the stage parameters corresponding to the second analysis model in each attack stage.
Specifically, a network attack has several attack stages, including a detection (reconnaissance) stage, an attack stage proper, a delivery stage and a dormancy (latency) stage; a network device with attack behaviour performs different actions in each stage, and the second analysis model has a corresponding stage parameter for each attack stage that represents the situation of that stage. The second integral value can be generated with the second analysis model based at least on the stage parameters, characterizing the extent to which the corresponding network device is carrying out the attack.
In one specific embodiment, the second analysis model scores the bot-feature actions in a botnet and differentiates between them. Bot command messages such as going online, transferring information and launching an attack are normally detected by a matching engine that has the bot features deployed for online botnet detection; in a real core-network environment, however, the volume of simple feature matches is so large that detecting a specific botnet directly from them is impractical, so the log data is instead converted into scores.
For the calculation of the integral, the attack source and the attack destination can each be scored separately. The integral can be calculated per unit of time, with the network attack treated as triggering at fixed time intervals; the time unit in which the IP statistics of the network devices involved in the attack are refreshed is shorter than the time unit of an attack stage, e.g. the statistics period for the IPs of the attack targets during an attack may be set to 10 minutes and the attack stage to 24 hours. After deduplication, the counted number of attack targets is $c_2$.
Integral $z_2$ of an attack source: the main calculation parameters influencing the attack-source integral include the counted number of attack targets $c_2$ and the stage parameters of each attack stage, the attack stages being the detection stage ($S_1$), the attack stage ($S_2$), the delivery stage ($S_3$) and the incubation stage ($S_4$). The integral formula may be a function of these quantities, wherein $f_2(x) = x/3$ and, in an implementation, $f_6(S) = (S_1 + S_2 + S_3 + S_4) \times 1500$; in practice $S_1 = 0.1$, $S_2 = 0.2$, $S_3 = 0.4$ and $S_4 = 0.3$ may be set; $n$ is a positive integer and $e$ is a constant, which may specifically be 2.72.
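The attack-source scoring above can be run over constructed log lines. The following Python is an added example, not code from the patent or from the assignee: it reproduces the quantities the description does give (a 10-minute refresh window for target statistics, a 24-hour stage window, the deduplicated target count $c_2$, $f_2(x) = x/3$ and $f_6(S) = (S_1+S_2+S_3+S_4) \times 1500$ with $S_1..S_4 = 0.1, 0.2, 0.4, 0.3$). Because the page does not reproduce the combining formula, the example combines them as $z_2 = f_2(c_2) \cdot f_6(S)$ over the stages observed in the window, which is an assumption; the log format, the `now` parameter and the choice of $c_2$ as the peak distinct-target count over any refresh window inside the stage window are assumptions too.

```python
"""Second analysis model, attack-source side: stage parameters and the
deduplicated target count c_2 computed from constructed log lines.
Added example; the combining formula and the log format are assumptions."""
from collections import defaultdict

STAGE_ORDER = ["detection", "attack", "delivery", "incubation"]
# Stage parameters S1..S4 as given in the description.
STAGE_PARAMS = {"detection": 0.1, "attack": 0.2, "delivery": 0.4, "incubation": 0.3}
TARGET_REFRESH_SECONDS = 10 * 60      # per-IP target statistics refreshed every 10 minutes
STAGE_WINDOW_SECONDS = 24 * 60 * 60   # an attack stage is judged over 24 hours

T0 = 1636329600  # 2021-11-08 00:00:00 UTC, start of the constructed sample

# Constructed log units, one event per line: "epoch,src_ip,dst_ip,stage".
SAMPLE_LOG = f"""\
{T0},10.0.0.5,192.0.2.10,detection
{T0 + 60},10.0.0.5,192.0.2.11,detection
{T0 + 100},10.0.0.5,192.0.2.10,detection
{T0 + 3600},10.0.0.5,192.0.2.10,attack
{T0 + 7200},10.0.0.5,192.0.2.10,delivery
{T0 + 10800},10.0.0.5,192.0.2.12,incubation
{T0 - 90000},10.0.0.9,192.0.2.21,delivery
{T0},10.0.0.9,192.0.2.20,detection
{T0 + 100},10.0.0.9,192.0.2.20,detection
"""


def parse_log(text):
    """Yield (epoch, src_ip, dst_ip, stage) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, stage = line.split(",")
        if stage not in STAGE_PARAMS:
            raise ValueError(f"unknown attack stage {stage!r}")
        yield int(ts), src, dst, stage


def f2(x):
    """f_2(x) = x/3 from the description."""
    return x / 3.0


def f6(stages):
    """f_6(S) = (S1 + S2 + S3 + S4) x 1500, summed over the observed stages."""
    return round(sum(STAGE_PARAMS[s] for s in stages) * 1500, 6)


def attack_source_scores(log_text, now=None):
    """Return {src_ip: (c2, observed_stages, z2)} for every attack source.

    c2 is the peak number of distinct attack targets within any 10-minute
    refresh window inside the 24-hour stage window ending at `now` (the latest
    event of that source when `now` is None). z2 = f2(c2) * f6(stages) is the
    ASSUMED combination, since the page does not reproduce its formula.
    """
    events = defaultdict(list)
    for ts, src, dst, stage in parse_log(log_text):
        events[src].append((ts, dst, stage))
    scores = {}
    for src, evs in events.items():
        end = now if now is not None else max(ts for ts, _, _ in evs)
        in_window = [e for e in evs if end - STAGE_WINDOW_SECONDS < e[0] <= end]
        if not in_window:
            continue  # nothing from this source inside the stage window
        per_refresh = defaultdict(set)  # refresh window -> deduplicated targets
        for ts, dst, _ in in_window:
            per_refresh[ts // TARGET_REFRESH_SECONDS].add(dst)
        c2 = max(len(targets) for targets in per_refresh.values())
        stages = [s for s in STAGE_ORDER if any(st == s for _, _, st in in_window)]
        scores[src] = (c2, stages, round(f2(c2) * f6(stages), 6))
    return scores


if __name__ == "__main__":
    for src, (c2, stages, z2) in attack_source_scores(SAMPLE_LOG).items():
        print(f"{src}: c2={c2} stages={stages} z2={z2}")
```

In the sample, 10.0.0.5 repeats a target inside one refresh window (deduplicated to two targets) and shows all four stages, while 10.0.0.9 has a delivery event older than 24 hours that falls outside the stage window and therefore does not count; passing `now` re-evaluates an earlier window.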
In one embodiment of the present application, the analyzing the log units in the log data using at least one analysis model generates integral data characterizing the behavior of network devices in the first network, as shown in fig. 5, including:
S250, analyzing, using a third analysis model, the short sessions in the log data whose session time is below a second threshold, and determining a first type session meeting a first condition among the short sessions;
S260, generating a third integral value based on the number and/or the number ratio of the first type sessions.
Specifically, the third analysis model analyzes the short sessions of a network device, a short session being a session or connection whose communication time is short. A botnet produces a large number of short sessions, so the third analysis model targets this feature of the botnet. A short session whose session time is below the second threshold can be determined to be a first type session meeting the first condition, i.e. a session with a higher probability of belonging to a target node in the botnet. The third analysis model then calculates the third integral value based on the number of first type sessions and/or the ratio of that number to all sessions of the respective network device.
In one embodiment of the present application, the analyzing, by using a third analysis model, the short session in the log data, where the session time of the network device is characterized as being lower than a second threshold, determines a first type of session that meets a first condition, as shown in fig. 6, includes:
S2510, determining the message type of the short session;
S2520, determining the first type session meeting the first condition among the short sessions according to the proportion of the short sessions of each message type in all short sessions.
Specifically, short sessions have different message types, such as syn, fin, ack and rst. The ack type is associated with attack behaviour: a target node in a botnet may have a relatively large number and/or a large proportion of ack-type short sessions. In this embodiment, therefore, the third analysis model analyzes the short-session information of a network device and determines the first type session meeting the first condition according to the proportion of the device's short sessions of each message type in all its short sessions; the first type sessions are treated as the short sessions of a target node, so that the target node of the botnet can be determined.
In a specific embodiment, for the main botnet feature of a large number of short links, the third analysis model can calculate, per unit of time, the proportions of the message types (syn, fin, ack, rst) in the IP communication of a network device (identified by its IP address); the unit of time is configurable, e.g. 10 minutes. The proportion formula is set as ack : (syn + ack + rst), with an upper limit of 10:1 and a lower limit of 1:1. When the ratio is above the upper limit, the attack types involved match the botnet and do not take part in the integration; when the ratio is below the lower limit, the share of normal access is very high and it does not take part in the integration either. For ratios within the interval, the probability that the behaviour belongs to the botnet is taken into account by adding a function $f_5(t)$; the observations follow a normal distribution, and for convenience of calculation nine fixed values (0.326, 0.363, 0.401, 0.44, 0.49, 0.44, 0.401, 0.363, 0.326) are set directly, corresponding respectively to the ratio intervals [1,2), [2,3), [3,4), [4,5), [5,6), [6,7), [7,8), [8,9) and [9,10]. At the same time, the specific number $c_3$ of short sessions of the network device can be counted in real time and brought into the calculation, where a session is only counted if its flow is less than 10K. The integral formula brings in a hyperbolic function and is calculated to obtain the third integral value.
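The short-session scoring above, run over constructed session records, as an added example that is not code from the patent or the assignee. It keeps what the page specifies: a configurable 10-minute unit, the 1:1 and 10:1 bounds outside of which no integration takes place, the nine fixed $f_5$ weights per ratio interval, and a count $c_3$ restricted to sessions carrying less than 10K. The rest is assumed: the page prints the ratio as ack : (syn + ack + rst), which can never exceed 1:1, so the example uses the non-ack types (syn + fin + rst) as the denominator; the value of the second threshold (2 s here), the record format, and the combination $z_3 = f_5(t) \cdot \tanh(c_3/100)$ are assumptions, the page saying only that a hyperbolic function is brought in.

```python
"""Third analysis model: ack-ratio of short sessions per 10-minute unit with the
fixed f_5 weights, the small-flow short-session count c_3 and a hyperbolic
combination. Added example; the session format, the short-session threshold,
the ratio denominator and the combining formula are assumptions."""
import math
from collections import Counter, defaultdict

SHORT_SESSION_SECONDS = 2.0      # ASSUMPTION: the page gives no value for the second threshold
UNIT_SECONDS = 10 * 60           # configurable statistics unit, 10 minutes in the description
SMALL_FLOW_BYTES = 10_000        # sessions counted into c_3 must carry less than 10K
LOWER, UPPER = 1.0, 10.0         # ratio bounds 1:1 and 10:1 from the description
# f_5 weights for the ratio intervals [1,2), [2,3), ..., [8,9), [9,10].
F5_TABLE = [0.326, 0.363, 0.401, 0.44, 0.49, 0.44, 0.401, 0.363, 0.326]


def f5(ratio):
    """Fixed normal-distribution-shaped weight for a ratio inside [1, 10]."""
    if not LOWER <= ratio <= UPPER:
        raise ValueError("f5 is only defined inside the integration interval")
    return F5_TABLE[min(int(ratio) - 1, len(F5_TABLE) - 1)]  # [9,10] is closed at 10


def third_integral(sessions):
    """sessions: iterable of (epoch, ip, flag, duration_s, bytes).

    Returns {(ip, unit): (ratio, c3, z3)}. ratio = ack : (syn + fin + rst) over
    the short sessions of the unit (ASSUMPTION: the denominator is the non-ack
    types, so that the 1:1 and 10:1 bounds are meaningful). Ratios outside
    [1, 10] do not take part in integration (z3 = 0). z3 = f5(ratio) * tanh(c3/100)
    is the ASSUMED hyperbolic combination.
    """
    by_unit = defaultdict(list)
    for ts, ip, flag, duration, nbytes in sessions:
        if duration < SHORT_SESSION_SECONDS:  # only short sessions are analyzed
            by_unit[(ip, ts // UNIT_SECONDS)].append((flag, nbytes))
    scores = {}
    for key, shorts in by_unit.items():
        kinds = Counter(flag for flag, _ in shorts)
        others = kinds["syn"] + kinds["fin"] + kinds["rst"]
        if others:
            ratio = kinds["ack"] / others
        else:
            ratio = math.inf if kinds["ack"] else 0.0
        c3 = sum(1 for _, nbytes in shorts if nbytes < SMALL_FLOW_BYTES)
        if LOWER <= ratio <= UPPER:
            z3 = round(f5(ratio) * math.tanh(c3 / 100), 6)
        else:
            z3 = 0.0  # above 10:1 or below 1:1: not integrated
        scores[key] = (ratio, c3, z3)
    return scores


T0 = 1636329600  # 2021-11-08 00:00:00 UTC, start of the constructed sample
# Constructed sessions: (epoch, ip, flag, duration_s, bytes).
SAMPLE_SESSIONS = (
    [(T0 + i, "10.0.0.5", "ack", 0.4, 800) for i in range(9)]          # nine ack short sessions
    + [(T0 + 20, "10.0.0.5", "syn", 0.3, 120),
       (T0 + 21, "10.0.0.5", "rst", 0.2, 20_000)]                      # two non-ack; one above 10K
    + [(T0 + 30, "10.0.0.5", "ack", 30.0, 50_000)]                      # long session, ignored
    + [(T0 + i, "10.0.0.9", "ack", 0.5, 700) for i in range(3)]
    + [(T0 + 10 + i, "10.0.0.9", "syn", 0.5, 100) for i in range(10)]  # normal access: ratio 0.3
)

if __name__ == "__main__":
    for (ip, unit), (ratio, c3, z3) in sorted(third_integral(SAMPLE_SESSIONS).items()):
        print(f"{ip} unit {unit}: ratio={ratio:.2f} c3={c3} z3={z3}")
```

For 10.0.0.5 the unit holds nine ack and two non-ack short sessions, a ratio of 4.5 that falls in [4,5) and takes the weight 0.44, with the 20K rst session excluded from $c_3$; 10.0.0.9 sits below the 1:1 lower bound and receives no integral.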
In one embodiment of the present application, the analyzing the log units in the log data using at least one analysis model generates integral data characterizing the behavior of network devices in the first network, including:
accumulating sub-integration data corresponding to each analysis model;
the integration data is generated based on the accumulation result.
Specifically, the different analysis models calculate their sub-integral data from different aspects: the sub-integral data of the first analysis model is the first integral value described above, that of the second analysis model is the second integral value, and that of the third analysis model is the third integral value.
The sub-integral data obtained in this way, i.e. the specific values, are accumulated to obtain the integral data of the network device, such as its specific integral value.
In one embodiment, given the integral values of the respective network devices in the first network, a network device with a higher integral value may be determined directly as a target node, or the network devices may be analyzed further to determine target nodes more accurately. For example, the 100 network devices with the highest integral values are analyzed further; an aging time N is set for the integral, and when the interval since the integral was last updated exceeds N the integral is cleared and accumulated afresh, which avoids errors caused by stale scores.
In one embodiment of the present application, the determining, based on node information of the target node, a target network having network attack behavior in the first network, as shown in fig. 7, includes:
s410, determining associated IP information associated with the IP address of the target node;
s420, determining an association node associated with the target node in the first network based on the association IP information, wherein the target node and the association node form the target network.
In particular, the target network may be a botnet with network attack behaviour, the target node being its primary core device; the target node may be associated with other network devices in the first network, so those other devices (association nodes) can be determined from the information about the target node.
In this embodiment, the associated IP information is determined from the IP address of the target node; it may be the IP information of other network devices (association nodes) associated with the target node, such as their IP addresses, from which the association nodes are determined.
The target node and the association nodes form the target network; once both are determined, the target network, e.g. a botnet, is determined and can be dealt with, e.g. blocked or neutralised.
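The accumulation, aging, target-node selection and association steps described in the preceding embodiments, as one added Python example that is not code from the patent or the assignee. It sums the sub-integral values of the three models per device, clears a device's integral when more than N elapses between updates, selects target nodes above the first threshold among the top 100, and expands them into the target network using the IP session log as the source of associated IP information. The value of N (24 hours), the first threshold (100), the feed and session-log formats, and the rule that every IP session peer of a target node is an association node are assumptions.

```python
"""Accumulating sub-integral values per network device with an aging time N,
selecting target nodes above the first threshold among the top 100, and
expanding them into the target network through the IP session log.
Added example; N, the threshold and both record formats are assumptions."""
from collections import defaultdict

AGING_SECONDS = 24 * 60 * 60   # ASSUMPTION for the aging time N
FIRST_THRESHOLD = 100.0        # ASSUMPTION for the first threshold
TOP_K = 100                    # the description analyzes the top 100 devices further


class IntegralLedger:
    """Per-device accumulation of sub-integral values with aging."""

    def __init__(self, aging=AGING_SECONDS):
        self.aging = aging
        self.total = defaultdict(float)
        self.last_update = {}

    def add(self, ts, ip, value):
        last = self.last_update.get(ip)
        if last is not None and ts - last > self.aging:
            self.total[ip] = 0.0  # interval exceeded N: clear and accumulate again
        self.total[ip] += value
        self.last_update[ip] = ts

    def target_nodes(self, threshold=FIRST_THRESHOLD, top_k=TOP_K):
        """Devices among the top_k integral values that exceed the threshold."""
        ranked = sorted(self.total.items(), key=lambda kv: kv[1], reverse=True)[:top_k]
        return [ip for ip, value in ranked if value > threshold]


def build_ledger(feed, aging=AGING_SECONDS):
    """feed: iterable of (epoch, ip, model_name, sub_integral), processed in time order."""
    ledger = IntegralLedger(aging)
    for ts, ip, _model, value in sorted(feed):
        ledger.add(ts, ip, value)
    return ledger


def associated_nodes(targets, session_log):
    """Peers of any target node in the IP session log ("src_ip,dst_ip" per line)."""
    targets = set(targets)
    peers = set()
    for line in session_log.splitlines():
        if not line.strip():
            continue
        src, dst = line.split(",")
        if src in targets and dst not in targets:
            peers.add(dst)
        elif dst in targets and src not in targets:
            peers.add(src)
    return peers


def target_network(targets, session_log):
    """Target nodes plus their association nodes."""
    return set(targets) | associated_nodes(targets, session_log)


T0 = 1636329600  # 2021-11-08 00:00:00 UTC, start of the constructed sample
# Constructed sub-integral feed: (epoch, ip, model, value).
SAMPLE_FEED = [
    (T0,           "10.0.0.5", "first",  40.0),
    (T0 + 600,     "10.0.0.5", "second", 1000.0),
    (T0 + 1200,    "10.0.0.5", "third",  0.04),
    (T0 - 200_000, "10.0.0.7", "second", 500.0),   # older than N: cleared before the next value
    (T0,           "10.0.0.7", "first",  30.0),
    (T0,           "10.0.0.9", "first",  20.0),
]
# Constructed IP session log: "src_ip,dst_ip" per line.
SAMPLE_SESSION_LOG = """\
10.0.0.5,10.0.0.21
10.0.0.5,10.0.0.22
10.0.0.22,10.0.0.5
10.0.0.9,10.0.0.23
"""

if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_FEED)
    targets = ledger.target_nodes()
    print("integrals:", dict(ledger.total))
    print("target nodes:", targets)
    print("target network:", sorted(target_network(targets, SAMPLE_SESSION_LOG)))
```

The feed is sorted by time so that the aging check sees updates in order; 10.0.0.7 loses its stale 500 points, only 10.0.0.5 crosses the threshold, and its two session peers become the association nodes of the target network.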
The embodiment of the application also provides an electronic device, as shown in fig. 8, including:
an acquisition module configured to acquire log data of a first network; the log data is provided with a plurality of log units, and the log units respectively correspond to different data characteristics of the data traffic in the first network.
In particular, the first network may be a network of a different type, such as a core network, which carries large data traffic and a large number of links. The first network may contain a botnet that needs to be detected.
The log data of the first network is data generated while the first network operates, which the acquisition module records in the form of logs. It includes information about interactions and other behaviour between the network devices in the first network, such as information about the IP communication of a network device with other network devices in the first network.
In this embodiment, the log data has a plurality of log units, and the log units respectively correspond to different data features of the data traffic in the first network. For example, the log unit may include at least one of: IP session logs, zombie feature logs, malicious file propagation logs, DNS logs, HTTP logs, and the like.
The specific content of the log unit is different in emphasis point, and when the log data is analyzed, the analysis can be performed according to the emphasis point of the log unit, so that different types of information in the log data can be accurately obtained.
In one embodiment, processing the log data into a plurality of log units may include normalizing the log data, which improves the readability of the resulting log units and provides them in a standard format for reading and analysis.
An analysis module configured to analyze the log elements in the log data using at least one analysis model to generate integral data characterizing the behavior of network devices in the first network.
Specifically, the analysis module may analyze the log data with one or more analysis models, in particular with a plurality of different analysis models, each of which has its own analytical focus.
When analyzing the log units in the log data, the analysis module in this embodiment may generate, with each analysis model, integral data characterizing the behaviour of the network devices in the first network. In one embodiment, the behaviour is network attack behaviour, such as botnet-based network attack behaviour. The integral data characterizes the extent of a network device's attack behaviour: a higher integral value indicates more pronounced network attack behaviour and a lower integral value less pronounced behaviour.
A processing module configured to determine a network device corresponding to data higher than a first threshold value in the integrated data as a target node; and determining a target network with network attack behaviors in the first network based on the node information of the target node.
Specifically, the integral data may contain a specific integral value or may itself be an integral value; it is formed by the analysis of the network device with the analysis models. In this embodiment, the processing module determines, as the target node, the network device corresponding to data higher than the first threshold in the integral data. If the integral data is itself an integral value and that value is above the first threshold (which may be a value range or a preset value), the corresponding network device is determined as a target node; if the value is below the first threshold, the corresponding network device is determined to be another node in the first network.
In addition, the target node may be an important node of the target network with network attack behavior in the first network, for example, the target network is a botnet, where the botnet includes a plurality of different nodes, and the target node in this embodiment may be an important node or a core node in the botnet, where the target node cooperates with other auxiliary nodes in the botnet, so as to implement network attack.
The node information of the target node includes information related to communication between the target node and other devices in the first network, and further includes characteristic information of the target node itself. Since the target node needs to interact with other nodes in the first network, other nodes associated with the target node can be determined from the node information of the target node.
Further, the processing module may determine, based on the target node and other nodes associated therewith, a target network having network attack behavior, such as determining a botnet network present in the first network. So that the detected botnet can be processed.
In one embodiment of the application, the analysis module is further configured to:
Determining flow characteristics in the log data, which characterize session communication between different network devices, by using a first analysis model;
based on the traffic characteristics, a first integral value of the corresponding network device is generated.
In one embodiment of the application, the analysis module is further configured to:
determining the communication quantity of each network device for communicating with other network devices;
accordingly, the analysis module is further configured to:
determining network equipment of which the communication quantity meets the quantity requirement in all network equipment;
and generating the corresponding first integral value based on the flow characteristics of the network equipment meeting the quantity requirements.
In one embodiment of the application, the analysis module is further configured to:
determining network attack information representing the network equipment to implement network attack in the log data by using a second analysis model;
based on the network attack information, a second integral value is generated that characterizes a degree to which the network device is conducting a network attack.
In one embodiment of the application, the analysis module is further configured to:
respectively analyzing attack source information and attack destination information in the process of implementing network attack for the network equipment;
Accordingly, the analysis module is further configured to:
determining a plurality of different attack phases in the attack source information;
and generating the second integral value at least based on the stage parameters corresponding to the second analysis model in each attack stage.
In one embodiment of the application, the analysis module is further configured to:
analyzing short sessions, of which the session time is lower than a second threshold value, of the log data, by using a third analysis model, and determining a first type session, of which the session time accords with a first condition, of the short sessions;
a third integral value is generated based on the number and/or the number ratio of the first type of sessions.
In one embodiment of the application, the analysis module is further configured to:
determining the message type of the short session;
and determining a first type session meeting a first condition in the short sessions according to the proportion information of the short sessions of each message type in all the short sessions.
In one embodiment of the application, the analysis module is further configured to:
accumulating sub-integration data corresponding to each analysis model;
the integration data is generated based on the accumulation result.
In one embodiment of the application, the processing module is further configured to:
determining associated IP information associated with an IP address of the target node;
and determining an association node associated with the target node in the first network based on the association IP information, wherein the target node and the association node form the target network.
The above embodiments are only exemplary embodiments of the present application and are not intended to limit the present application, the scope of which is defined by the claims. Various modifications and equivalent arrangements of this application will occur to those skilled in the art, and are intended to be within the spirit and scope of the application.

Claims (9)

1. A method for detecting a network attack, comprising:
acquiring log data of a first network; the log data is provided with a plurality of log units, and the log units respectively correspond to different data characteristics of the data traffic in the first network;
analyzing the log units in the log data by utilizing various analysis models to generate integral data representing the behaviors of network equipment in the first network;
Determining network equipment corresponding to data higher than a first threshold value in the integrated data as a target node;
determining a target network with network attack behaviors in the first network based on node information of the target node; wherein,
the analyzing the log units in the log data using a plurality of analysis models to generate integral data characterizing the behavior of network devices in the first network, including:
analyzing short sessions in the log data, wherein the short sessions are characterized in that the session time of the network equipment is lower than a second threshold value, by using a third analysis model, and determining a first type of session which accords with a first condition in the short sessions, wherein the first condition comprises a condition that the session time of the short session is compared with the second threshold value;
a third integral value is generated based on the number and/or the number ratio of the first type of sessions.
2. The method of claim 1, wherein analyzing the log elements in the log data using a plurality of analysis models to generate integral data characterizing the behavior of network devices in the first network comprises:
determining flow characteristics in the log data, which characterize session communication between different network devices, by using a first analysis model;
Based on the traffic characteristics, a first integral value of the corresponding network device is generated.
3. The method of claim 2, wherein said determining traffic characteristics in the log data characterizing session communications between different network devices comprises:
determining the communication quantity of each network device for communicating with other network devices;
correspondingly, the generating a first integral value of the corresponding network device based on the traffic characteristics includes:
determining network equipment of which the communication quantity meets the quantity requirement in all network equipment;
and generating the corresponding first integral value based on the flow characteristics of the network equipment meeting the quantity requirements.
4. The method of claim 1, wherein analyzing the log elements in the log data using a plurality of analysis models to generate integral data characterizing the behavior of network devices in the first network comprises:
determining network attack information representing the network equipment to implement network attack in the log data by using a second analysis model;
based on the network attack information, a second integral value is generated that characterizes a degree to which the network device is conducting a network attack.
5. The method of claim 4, wherein determining network attack information in the log data characterizing a network device conducting a network attack using a second analysis model comprises:
respectively analyzing attack source information and attack destination information in the process of implementing network attack for the network equipment;
correspondingly, the generating, based on the network attack information, a second integral value capable of characterizing the degree of the network attack conducted by the network device includes:
determining a plurality of different attack phases in the attack source information;
and generating the second integral value at least based on the stage parameters corresponding to the second analysis model in each attack stage.
6. The method of claim 1, wherein analyzing short sessions in the log data that characterize the network device as having a session time below a second threshold using a third analysis model, determining a first type of session in the short sessions that meets a first condition, comprises:
determining the message type of the short session;
and determining a first type of session which accords with a first condition in the short sessions according to the proportion information of the short sessions of each message type in all the short sessions, wherein the first condition also comprises the condition of the proportion information of the short session corresponding to each message type in all the short sessions.
7. The method of claim 1, wherein analyzing the log elements in the log data using a plurality of analysis models to generate integral data characterizing the behavior of network devices in the first network comprises:
accumulating sub-integration data corresponding to each analysis model;
the integration data is generated based on the accumulation result.
8. The method according to claim 1, wherein the determining a target network having network attack behavior in the first network based on node information of the target node includes:
determining associated IP information associated with an IP address of the target node;
and determining an association node associated with the target node in the first network based on the association IP information, wherein the target node and the association node form the target network.
9. An electronic device, comprising:
an acquisition module configured to acquire log data of a first network; the log data is provided with a plurality of log units, and the log units respectively correspond to different data characteristics of the data traffic in the first network;
An analysis module configured to analyze the log elements in the log data using a plurality of analysis models, generating integral data characterizing the behavior of network devices in the first network;
a processing module configured to determine a network device corresponding to data higher than a first threshold value in the integrated data as a target node; determining a target network with network attack behaviors in the first network based on node information of the target node; wherein,
the analysis module is further configured to:
analyzing short sessions in the log data, wherein the short sessions are characterized in that the session time of the network equipment is lower than a second threshold value, by using a third analysis model, and determining a first type of session which accords with a first condition in the short sessions, wherein the first condition comprises a condition that the session time of the short session is compared with the second threshold value;
a third integral value is generated based on the number and/or the number ratio of the first type of sessions.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111314793.0A CN114039772B (en) 2021-11-08 2021-11-08 Detection method for network attack and electronic equipment

Publications (2)

Publication Number Publication Date
CN114039772A CN114039772A (en) 2022-02-11
CN114039772B true CN114039772B (en) 2023-11-28

Family

ID=80143396

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111314793.0A Active CN114039772B (en) 2021-11-08 2021-11-08 Detection method for network attack and electronic equipment

Country Status (1)

Country Link
CN (1) CN114039772B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282340A (en) * 2008-05-09 2008-10-08 Huawei Technologies Co Ltd (华为技术有限公司) Method and apparatus for processing network attack
KR101156011B1 (en) * 2010-12-24 2012-06-18 Korea University Research and Business Foundation (고려대학교 산학협력단) System and method for botnet risk analysis to network traffic analysis
CN104539626A (en) * 2015-01-14 2015-04-22 PLA Information Engineering University (中国人民解放军信息工程大学) Network attack scene generating method based on multi-source alarm logs
CN104980402A (en) * 2014-04-09 2015-10-14 Tencent Technology (Beijing) Co Ltd (腾讯科技(北京)有限公司) Method and device for recognizing malicious operation
US9430646B1 (en) * 2013-03-14 2016-08-30 Fireeye, Inc. Distributed systems and methods for automatically detecting unknown bots and botnets
CN111355697A (en) * 2018-12-24 2020-06-30 Sangfor Technologies Inc (深信服科技股份有限公司) Detection method, device, equipment and storage medium for botnet domain name family
CN113037785A (en) * 2021-05-26 2021-06-25 Hangzhou Hikvision Digital Technology Co Ltd (杭州海康威视数字技术股份有限公司) Botnet defense method, device and equipment for multi-layer full-period Internet of things equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9083741B2 (en) * 2011-12-29 2015-07-14 Architecture Technology Corporation Network defense system and framework for detecting and geolocating botnet cyber attacks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Network anomalous traffic detection based on the cloud model (基于云模型的网络异常流量检测); 费金龙, 王禹, 王天鹏, 祝跃飞; Computer Engineering (计算机工程), No. 01; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant