CN114254309A - A Malicious Payload Labeling Method for Intrusion Detection System Separating Recording and Picking Processes - Google Patents

Info

Publication number
CN114254309A
Authority
CN
China
Prior art keywords
malicious
payload
detection
load
module
Prior art date
Legal status
Granted
Application number
CN202111586943.3A
Other languages
Chinese (zh)
Other versions
CN114254309B (en)
Inventor
张广兴
姜海洋
廖志元
涂楚
谭航
Current Assignee
Jiangsu Future Networks Innovation Institute
Original Assignee
Jiangsu Future Networks Innovation Institute
Priority date
Filing date
Publication date
Application filed by Jiangsu Future Networks Innovation Institute
Priority to CN202111586943.3A
Publication of CN114254309A
Application granted
Publication of CN114254309B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a malicious payload labeling method for an intrusion detection system in which the recording and picking processes are separated, characterized in that it comprises the following steps: a network packet enters the intrusion detection system, which completes decoding and reassembly; after the packet reassembly module has received the unidirectional packets in full, it triggers detection; the attack detection module obtains the complete reassembled payload containing the malicious payload and selects a pre-match rule sequence from the rule set; the offset, length and type of each matched feature within the reassembled payload are recorded; and the offset and length of the malicious payload are output. The invention provides, for the first time, a method for labeling malicious payloads in an intrusion detection system; by separating the recording and picking processes for the malicious payload, it effectively reduces the number of times the payload is copied during attack detection and lowers the load on the intrusion detection system.

Description

Malicious payload labeling method for an intrusion detection system with separated recording and picking processes
Technical Field
The invention relates to the field of network security, in particular to a malicious payload labeling method for an intrusion detection system in which the recording and picking processes are separated.
Background
A malicious payload is the component of a network attack that inflicts the harm on the victim. Analysis of the malicious payloads in network attacks has become an integral part of intrusion behavior analysis. In a signature-based network intrusion detection system, a large number of predefined malicious payloads are recorded in the signatures; an attack payload is described by fixed character strings or by regular expressions that match character strings satisfying specific constraints.
The intrusion detection system detects attack behavior by comparing incoming traffic against the rule set one rule at a time, and outputs an alarm log when an attack is detected. The alarm contains the time of the intrusion, the five-tuple (source and destination address and port, and protocol), the alarm action, the alarm ID and other information. From this, the network security administrator learns that an attack occurred but cannot locate or extract the malicious payload contained in the original traffic. On this basis, a malicious payload labeling scheme for an intrusion detection system is provided, in which the labeling function is implemented by separating recording from picking.
Disclosure of Invention
The invention aims to provide a malicious payload labeling method for an intrusion detection system in which the recording process is separated from the picking process, and which can output, for the alarm, the position offset, the length and the specific content of the malicious payload within the reassembled payload. Separating recording from picking effectively reduces the number of times the payload is copied during attack detection and lowers the load on the intrusion detection system.
To achieve this, the invention adopts the following technical scheme:
a malicious payload labeling method for an intrusion detection system in which the recording and picking processes are separated, characterized in that it comprises the following steps:
S1: a network packet enters the intrusion detection system, which completes decoding and reassembly;
S2: after the packet reassembly module has received the unidirectional packets in full, it triggers detection;
S3: the attack detection module obtains the complete reassembled payload containing the malicious payload and selects the pre-match rule sequence signature0 to signaturei from the rule set, where signaturek contains the two malicious payload features "ABC" and "DEF";
S4: when signaturek successfully matches the payload features "ABC" and "DEF" in the reassembled payload, the detection recorder records the offset, length and type of each feature within the reassembled payload;
S5: after detection is complete, the payload picker obtains the reassembled payload and the detection recorder data structure according to the detection result, extracts the malicious payload contents "ABC" and "DEF" from the reassembled payload, and outputs the offset and length of the malicious payload.
In step S4, the specific process of the detection recorder is as follows:
S4.1: the attack detection module traverses signature0 to signaturei and takes out signaturex, where x ∈ [0, i];
S4.2: the attack detection module compares the attack features in signaturex with the reassembled payload; on failure it returns to the previous step;
S4.3: on a successful comparison, the detection recorder records the offset position and length of the first malicious payload feature within the reassembled payload, then compares the next malicious payload feature in the rule in a loop; if a comparison fails, it returns to the first step;
S4.4: after the rule comparison is complete, the recorder holds the offset, length and type data of all malicious payload features; the picker module is entered;
S4.5: the picker module obtains the reassembled payload and the detection recorder data structure, traverses the malicious payload positions held in the detection recorder, and picks the content, offset and length of each malicious payload into a log file.
The system implementing the malicious payload labeling comprises a detection recorder module and a payload picker module. The detection recorder module records, during the detection process of the attack detection module, the offset and length of each malicious payload that matches a pattern in a rule. When detection ends, if the packet matched a rule, the result of the detection recorder is sent to the payload picker module; if the packet did not match a rule, the malicious payload information stored in the detection recorder is released. The payload picker then picks up the malicious payload according to the recorded detection data.
The detection recorder is implemented as follows:
the detection recorder module is embedded by extending the intrusion detection module, and records the detection results in a linked-list data structure.
The payload picker is implemented as follows:
the payload picker is implemented as an independent picking module that accesses the detection recorder module; it picks up the malicious payloads collectively after the detection recorder has finished recording.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides, for the first time, a method for labeling malicious payloads in an intrusion detection system. By separating the recording and picking processes for the malicious payload, it effectively reduces the number of times the payload is copied during attack detection and lowers the load on the intrusion detection system.
Drawings
FIG. 1 is a flow chart of intrusion detection system detection in the prior art;
FIG. 2 is a system block diagram of malicious payload labeling according to the present invention;
FIG. 3 is a schematic diagram illustrating the malicious payload labeling steps according to the present invention;
FIG. 4 is a schematic diagram of an exemplary deployment of an intrusion detection system of the present invention;
FIG. 5 is a flow chart of the intrusion detection system detection recorder;
FIG. 6 is a flow chart of the intrusion detection system payload picker.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it is to be understood that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments, and all other embodiments obtained by those skilled in the art without any inventive work based on the embodiments of the present invention belong to the scope of the present invention.
Examples
A malicious payload labeling method for an intrusion detection system in which the recording and picking processes are separated, characterized in that it comprises the following steps:
S1: a network packet enters the intrusion detection system, which completes decoding and reassembly;
S2: after the packet reassembly module has received the unidirectional packets in full, it triggers detection;
S3: the attack detection module obtains the complete reassembled payload containing the malicious payload and selects the pre-match rule sequence signature0 to signaturei from the rule set, where signaturek contains the two malicious payload features "ABC" and "DEF";
S4: when signaturek successfully matches the payload features "ABC" and "DEF" in the reassembled payload, the detection recorder records the offset, length and type of each feature within the reassembled payload;
S5: after detection is complete, the payload picker obtains the reassembled payload and the detection recorder data structure according to the detection result, extracts the malicious payload contents "ABC" and "DEF" from the reassembled payload, and outputs the offset and length of the malicious payload.
As shown in fig. 5, in step S4 the specific process of the detection recorder is as follows:
S4.1: the attack detection module traverses signature0 to signaturei and takes out signaturex, where x ∈ [0, i];
S4.2: the attack detection module compares the attack features in signaturex with the reassembled payload; on failure it returns to the previous step;
S4.3: on a successful comparison, the detection recorder records the offset position and length of the first malicious payload feature within the reassembled payload, then compares the next malicious payload feature in the rule in a loop; if a comparison fails, it returns to the first step;
S4.4: after the rule comparison is complete, the recorder holds the offset, length and type data of all malicious payload features; the picker module is entered;
S4.5: the picker module obtains the reassembled payload and the detection recorder data structure, traverses the malicious payload positions held in the detection recorder, and picks the content, offset and length of each malicious payload into a log file.
The system implementing the malicious payload labeling comprises a detection recorder module and a payload picker module. The detection recorder module records, during the detection process of the attack detection module, the offset and length of each malicious payload that matches a pattern in a rule. When detection ends, if the packet matched a rule, the result of the detection recorder is sent to the payload picker module; if the packet did not match a rule, the malicious payload information stored in the detection recorder is released. The payload picker then picks up the malicious payload according to the recorded detection data.
The detection recorder is implemented as follows:
the detection recorder module is embedded by extending the intrusion detection module, and records the detection results in a linked-list data structure.
As shown in fig. 6, the payload picker is implemented as follows:
the payload picker is implemented as an independent picking module that accesses the detection recorder module; it picks up the malicious payloads collectively after the detection recorder has finished recording.
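The recording-then-picking procedure of steps S1-S5 and S4.1-S4.5 (given in both the Disclosure of Invention and the Examples above), as an added illustrative example that is not code from the patent or its assignee. It assumes a rule set whose features are either fixed byte strings ("content") or regular expressions ("pcre"), placeholder rule ids, and a constructed HTTP request standing in for the reassembled payload. The recorder keeps only (rule id, offset, length, type) during matching, so the payload is sliced exactly once per record, by the picker, after detection has finished; a rule whose later feature fails has its partial records released, as claim 3 describes for unmatched rules.

```python
"""Recording/picking separation for an IDS malicious-payload labeler (illustrative)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Feature:
    """One malicious-payload characteristic within a signature.
    kind is "content" (fixed byte string) or "pcre" (regular expression)."""
    kind: str
    pattern: str


@dataclass(frozen=True)
class Signature:
    sid: int
    features: Tuple[Feature, ...]


@dataclass(frozen=True)
class Record:
    """Detection-recorder entry: position and type of a match, never its bytes."""
    sid: int
    offset: int
    length: int
    kind: str


# Constructed sample: one reassembled HTTP request carrying the patent's "ABC"/"DEF" features.
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example\r\n"
                  b"User-Agent: ABCxyzDEF\r\n\r\n")

# Constructed rule set (sids are placeholders, not real rule identifiers).
RULESET: List[Signature] = [
    Signature(1001, (Feature("content", "ABC"), Feature("content", "DEF"))),
    Signature(1002, (Feature("content", "ABC"), Feature("pcre", r"XYZ[0-9]+"))),  # second feature fails
    Signature(1003, (Feature("pcre", r"DEF\r\n"),)),
]


def match_feature(payload: bytes, feature: Feature) -> Optional[Tuple[int, int]]:
    """Locate one feature in the payload; return (offset, length) or None.
    Assumption: no relative-position constraint between a rule's features."""
    if feature.kind == "content":
        needle = feature.pattern.encode()
        pos = payload.find(needle)
        return None if pos < 0 else (pos, len(needle))
    if feature.kind == "pcre":
        m = re.search(feature.pattern.encode(), payload)
        return None if m is None else (m.start(), m.end() - m.start())
    raise ValueError(f"unknown feature kind {feature.kind!r}")


def detect_and_record(payload: bytes, ruleset: List[Signature]) -> List[Record]:
    """Steps S4.1-S4.4: walk signature0..signaturei and match each rule's features in turn.
    Only (sid, offset, length, kind) is stored, so no payload bytes are copied here."""
    recorder: List[Record] = []
    for sig in ruleset:                          # S4.1: take out signaturex
        pending: List[Record] = []
        for feat in sig.features:                # S4.2 / S4.3: compare feature by feature
            hit = match_feature(payload, feat)
            if hit is None:
                pending = []                     # rule not matched: release partial records
                break
            offset, length = hit
            pending.append(Record(sig.sid, offset, length, feat.kind))
        recorder.extend(pending)                 # S4.4: rule fully matched, keep its records
    return recorder


def pick_payloads(payload: bytes, recorder: List[Record]) -> List[dict]:
    """Step S4.5 / S5: one pass over the recorder, slicing the reassembled payload per record."""
    return [
        {"sid": r.sid, "type": r.kind, "offset": r.offset, "length": r.length,
         "content": payload[r.offset:r.offset + r.length]}
        for r in recorder
    ]


def label_payload(payload: bytes, ruleset: List[Signature]) -> List[str]:
    """Full pipeline: record during detection, pick afterwards, emit one log line per feature."""
    recorder = detect_and_record(payload, ruleset)
    return [f"sid={e['sid']} type={e['type']} offset={e['offset']} "
            f"length={e['length']} content={e['content']!r}"
            for e in pick_payloads(payload, recorder)]


if __name__ == "__main__":
    for line in label_payload(SAMPLE_PAYLOAD, RULESET):
        print(line)
```

With the constructed request, rule 1001 yields records at offsets 53 and 59 (length 3 each), rule 1003 yields offset 59 with length 5 (the CRLF is part of the regex match), and rule 1002 contributes nothing because its second feature is absent, so the "ABC" record it had accumulated is dropped rather than logged.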
The deployment mode is as follows: in a typical deployment diagram (fig. 1) of an intrusion detection system there are local area network computers, servers, switches, firewalls, routers and the intrusion detection system server. The intrusion detection system operates as a bypass (out-of-band) device: mirrored switch traffic is collected and used as the input source for analyzing the network requests and interactive traffic of all computers and servers in the network environment.
As shown in fig. 4, when the intrusion detection system is deployed for the first time, the specific implementation method is as follows:
a. configure a mirror port on the switch;
b. connect the switch mirror port to the traffic acquisition network port of the intrusion detection system;
c. configure the IP address of the management port of the intrusion detection system;
d. log in to the web client of the intrusion detection system and check its alarm log.
The foregoing shows and describes the general principles, essential features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above; the embodiments described in the specification are only preferred embodiments and are not intended to limit the invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, all of which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and their equivalents.

Claims (3)

1. A malicious payload labeling method for an intrusion detection system in which the recording and picking processes are separated, characterized in that it comprises the following steps:
S1: a network packet enters the intrusion detection system, which completes decoding and reassembly;
S2: after the packet reassembly module has received the unidirectional packets in full, it triggers detection;
S3: the attack detection module obtains the complete reassembled payload containing the malicious payload and selects the pre-match rule sequence signature0 to signaturei from the rule set, where signaturek contains the two malicious payload features "ABC" and "DEF";
S4: when signaturek successfully matches the payload features "ABC" and "DEF" in the reassembled payload, the detection recorder records the offset, length and type of each feature within the reassembled payload;
S5: after detection is complete, the payload picker obtains the reassembled payload and the detection recorder data structure according to the detection result, extracts the malicious payload contents "ABC" and "DEF" from the reassembled payload, and outputs the offset and length of the malicious payload.
2. The malicious payload labeling method for an intrusion detection system with separated recording and picking processes according to claim 1, characterized in that in step S4 the specific process of the detection recorder is:
S4.1: the attack detection module traverses signature0 to signaturei and takes out signaturex, where x ∈ [0, i];
S4.2: the attack detection module compares the attack features in signaturex with the reassembled payload; on failure it returns to the previous step;
S4.3: on a successful comparison, the detection recorder records the offset position and length of the first malicious payload feature within the reassembled payload, then compares the next malicious payload feature in the rule in a loop; if a comparison fails, it returns to the first step;
S4.4: after the rule comparison is complete, the recorder holds the offset, length and type data of all malicious payload features; the picker module is entered;
S4.5: the picker module obtains the reassembled payload and the detection recorder data structure, traverses the malicious payload positions held in the detection recorder, and picks the content, offset and length of each malicious payload into a log file.
3. The malicious payload labeling method for an intrusion detection system with separated recording and picking processes according to claim 1, characterized in that the system implementing the malicious payload labeling comprises a detection recorder module and a payload picker module; the detection recorder module records, during the detection process of the attack detection module, the offset and length of each malicious payload that matches a pattern in a rule; when detection ends, if the packet matched a rule, the result of the detection recorder is sent to the payload picker module, and if the packet did not match a rule, the malicious payload information stored in the detection recorder is released; the payload picker picks up the malicious payload according to the recorded detection data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111586943.3A CN114254309B (en) 2021-12-23 2021-12-23 A malicious payload labeling method for intrusion detection system with separated recording and picking processes

Publications (2)

Publication Number Publication Date
CN114254309A true CN114254309A (en) 2022-03-29
CN114254309B CN114254309B (en) 2025-09-12

Family

ID=80797027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111586943.3A Active CN114254309B (en) 2021-12-23 2021-12-23 A malicious payload labeling method for intrusion detection system with separated recording and picking processes

Country Status (1)

Country Link
CN (1) CN114254309B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116389088A (en) * 2023-03-22 2023-07-04 北京威努特技术有限公司 Attack detection rule matching method and device based on coordinate system
CN118631521A (en) * 2024-06-07 2024-09-10 奇安信科技集团股份有限公司 Intrusion detection method, device, electronic device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190245866A1 (en) * 2018-02-06 2019-08-08 Cisco Technology, Inc. Leveraging point inferences on http transactions for https malware detection
CN112054992A (en) * 2020-07-28 2020-12-08 北京邮电大学 Malicious traffic identification method and device, electronic equipment and storage medium
CN112333128A (en) * 2019-08-05 2021-02-05 四川大学 A Web Attack Behavior Detection System Based on Autoencoder
CN112615877A (en) * 2020-12-25 2021-04-06 江苏省未来网络创新研究院 Intrusion detection system rule matching optimization method based on machine learning
CN113360902A (en) * 2020-03-05 2021-09-07 奇安信科技集团股份有限公司 Detection method and device of shellcode, computer equipment and computer storage medium

Also Published As

Publication number Publication date
CN114254309B (en) 2025-09-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant