CN114338593A - Behavior detection method and device for network scanning by using address resolution protocol - Google Patents
- Publication number
- CN114338593A (application CN202111594056.0A)
- Authority
- CN
- China
- Prior art keywords
- request
- address
- source address
- determining
- source
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The application discloses a behavior detection method and device for network scanning by using an address resolution protocol, a storage medium and computer equipment. The method comprises the following steps: acquiring communication information, wherein the communication information comprises a source address, a destination address, request time and a request result; determining a request rule corresponding to a source address according to a destination address and request time; determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address; and according to the request rule score, the request result score and the request breadth score, determining a target source address corresponding to network scanning in source addresses corresponding to the plurality of communication information, and determining that a target request corresponding to the target source address is a network scanning behavior. The method improves the accuracy of ARP network scanning behavior detection.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for detecting network scanning behavior by using an address resolution protocol, a storage medium, and a computer device.
Background
ARP (address resolution protocol) is a protocol used to map an IP address to a MAC address, i.e., to query the MAC address corresponding to a target IP. The ARP protocol is of great importance in IPv4. ARP scanning is a process used to identify other active hosts on a local network. During penetration, once an attacker has compromised one server to use as a springboard for further intranet penetration, information about the live hosts on the same link can be quickly collected through ARP network scanning.
For the behavior of network scanning by using the address resolution protocol (ARP), the existing detection method can only determine whether a host has network scanning behavior according to the total number of ARP requests sent by the host in the network, and the accuracy of the determination result is low.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for detecting network scanning behavior by using an address resolution protocol, a storage medium, and a computer device, which can improve the accuracy of detecting ARP network scanning behavior.
According to an aspect of the present application, there is provided a network scanning behavior detection method, including:
acquiring communication information, wherein the communication information comprises a source address, a destination address, request time and a request result;
determining a request rule corresponding to the source address according to a destination address corresponding to the source address and request time corresponding to the source address;
determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and according to the request rule score, the request result score and the request breadth score, determining a target source address corresponding to network scanning in source addresses corresponding to the communication information, and determining that a target request corresponding to the target source address is a network scanning behavior.
Optionally, the request rule includes a character rule;
the determining, according to the destination address corresponding to the source address and the request time corresponding to the source address, a request rule corresponding to the source address specifically includes:
determining at least one first destination address corresponding to the source address according to the communication information;
dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
in each address segment set, sorting the address segments in ascending order (from small to large) of the first destination addresses they belong to, and taking each address segment as an element of a first-layer address segment sequence to obtain the first-layer address segment sequence corresponding to the address segment set;
subtracting adjacent elements in the i-th layer address segment sequence to obtain the (i+1)-th layer address segment sequence, wherein i = 1 or i = 2;
and determining the character rule according to the elements in the third-layer address segment sequence.
Optionally, the request rule includes an access rule;
the determining, according to the destination address corresponding to the source address and the request time corresponding to the source address, a request rule corresponding to the source address specifically includes:
in the communication information, respectively determining the target request times of the source address that fall in each preset time window and the second destination addresses corresponding to those target request times;
deduplicating the second destination addresses to obtain the number of distinct second destination addresses for each time window;
sorting the address numbers corresponding to the plurality of time windows in the order of the time windows from first to last, and taking each address number as an element of a first-layer address number sequence to obtain the first-layer address number sequence;
for the elements in the j-th layer address number sequence, obtaining the (j+1)-th layer address number sequence by taking the difference of adjacent elements, wherein j = 1 or j = 2;
and determining the access rule according to the elements in the third-layer address number sequence.
Optionally, the request rule includes a fluctuation rule;
the determining, according to the destination address corresponding to the source address and the request time corresponding to the source address, a request rule corresponding to the source address specifically includes:
respectively determining, in the communication information, the third destination addresses corresponding to the source address and the access count of each third destination address;
sorting the access counts of the third destination addresses in ascending order (from small to large) of the third destination addresses, and taking each access count as an element of a first-layer access count sequence to obtain the first-layer access count sequence;
for the elements in the k-th layer access count sequence, obtaining the (k+1)-th layer access count sequence by subtracting adjacent elements, wherein k = 1 or k = 2;
and determining the fluctuation rule according to the elements in the third-layer access count sequence.
Optionally, the determining a request result score according to the request result corresponding to the source address specifically includes:
according to at least one request result corresponding to the source address, identifying, among the communication information corresponding to the source address, the failed communication information whose request result is an access failure, and determining the number of failed communication information items and their proportion of all communication information corresponding to the source address;
and determining the request result score from the number and proportion of failed communication information by using an isolation forest model.
Optionally, the determining a request breadth score according to the destination address corresponding to the source address specifically includes:
determining, according to the plurality of communication information, the number of communication information items corresponding to the source address and the number of fourth destination addresses corresponding to the source address;
and determining the request breadth score from the number of communication information items corresponding to the source address and the number of fourth destination addresses by using the isolation forest model.
Optionally, the determining, according to the request rule score, the request result score and the request breadth score, a target source address corresponding to network scanning among the source addresses corresponding to the plurality of pieces of communication information specifically includes:
sorting the request rule scores corresponding to the source addresses in descending order, taking the request rule scores in the top N% of the sorted positions as target request rule scores, and forming a first source address set from the first source addresses corresponding to the target request rule scores, wherein 0 < N < 5;
sorting the request result scores corresponding to the source addresses in descending order, taking the request result scores in the top N% of the sorted positions as target request result scores, and forming a second source address set from the second source addresses corresponding to the target request result scores;
sorting the request breadth scores corresponding to the source addresses in descending order, taking the request breadth scores in the top N% of the sorted positions as target request breadth scores, and forming a third source address set from the third source addresses corresponding to the target request breadth scores;
if the first source address set, the second source address set and the third source address set contain the same source address, determining that this source address is the target source address.
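The scoring and decision stage of the method (request result score, request breadth score, top-N% sorting and intersection of the three source address sets), as an added example that is not the patent's own code. The patent computes the request result score and the request breadth score with an isolation forest model; this example substitutes a simple min-max feature average so that it runs without a machine-learning library, and a practitioner would replace that function with a trained isolation forest. The communication records, the request rule scores, N = 4, and the use of ceil() so that a small population keeps at least one source per set are constructed assumptions.

```python
import math

def request_result_features(info, source):
    """Number of failed requests and the failure proportion for one source."""
    mine = [e for e in info if e["source"] == source]
    failed = sum(1 for e in mine if e["result"] == "failure")
    return failed, (failed / len(mine) if mine else 0.0)

def request_breadth_features(info, source):
    """Request count and number of distinct destinations for one source."""
    mine = [e for e in info if e["source"] == source]
    return len(mine), len({e["destination"] for e in mine})

def anomaly_score(feature_rows):
    """Stand-in scorer (assumption): each feature is min-max scaled to [0, 1] and
    the scaled features are averaged, so a larger value is more scanner-like.
    The patent uses an isolation forest here; this function only replaces it so
    the example runs offline."""
    cols = list(zip(*feature_rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    scores = []
    for row in feature_rows:
        scaled = [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]
        scores.append(sum(scaled) / len(scaled))
    return scores

def top_percent(scores_by_source, n_percent):
    """Sources whose score lies in the top n_percent after a descending sort.
    ceil() keeps at least one source when the population is small (assumption)."""
    ranked = sorted(scores_by_source.items(), key=lambda kv: kv[1], reverse=True)
    keep = max(1, math.ceil(len(ranked) * n_percent / 100))
    return {src for src, _ in ranked[:keep]}

def detect_scanners(info, rule_scores, n_percent=4):
    """Intersect the three top-N% source sets; rule_scores maps source -> request rule score."""
    sources = sorted({e["source"] for e in info})
    result_scores = dict(zip(sources, anomaly_score([request_result_features(info, s) for s in sources])))
    breadth_scores = dict(zip(sources, anomaly_score([request_breadth_features(info, s) for s in sources])))
    return (top_percent(rule_scores, n_percent)
            & top_percent(result_scores, n_percent)
            & top_percent(breadth_scores, n_percent))

def sample_info():
    """Constructed communication information: one host sweeping .1 to .20 (only four
    targets answer) and two hosts that only talk to their gateway and each other."""
    info = []
    for i in range(1, 21):
        info.append({"source": "192.168.10.5", "destination": f"192.168.10.{i}",
                     "time": 100 + i * 0.01,
                     "result": "success" if i in (1, 7, 12, 18) else "failure"})
    for src, dsts in (("192.168.10.7", ["192.168.10.1", "192.168.10.12"]),
                      ("192.168.10.12", ["192.168.10.1", "192.168.10.1", "192.168.10.7"])):
        for k, d in enumerate(dsts):
            info.append({"source": src, "destination": d, "time": 200 + k, "result": "success"})
    return info

# Constructed request rule scores (e.g. count of zero elements in the third-layer sequences).
RULE_SCORES = {"192.168.10.5": 4, "192.168.10.7": 1, "192.168.10.12": 0}

if __name__ == "__main__":
    print("target source addresses:", detect_scanners(sample_info(), RULE_SCORES))
```

Because the decision requires a source to rank in the top N% on all three scores, a host that merely sends many ARP requests to a handful of live neighbours (high count, low failure rate, low breadth) is not flagged; that intersection is what reduces false alarms compared with the request-count threshold described in the background section.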
According to another aspect of the present application, there is provided a network scanning behavior detection apparatus, including:
an acquisition module, configured to acquire communication information, wherein the communication information includes a source address, a destination address, a request time and a request result;
the calculation module is used for determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
the analysis module is used for determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and the judging module is used for determining a target source address corresponding to network scanning in the source addresses corresponding to the communication information according to the request rule score, the request result score and the request breadth score, and determining that a target request corresponding to the target source address is a network scanning behavior.
Optionally, the calculation module includes a character rule calculation unit, and the character rule calculation unit is specifically configured to:
determine at least one first destination address corresponding to the source address according to the communication information;
divide each first destination address into a plurality of address segments, determine the position of each address segment in the first destination address, and take the address segments with the same position as an address segment set;
in each address segment set, sort the address segments in ascending order (from small to large) of the first destination addresses they belong to, and take each address segment as an element of a first-layer address segment sequence to obtain the first-layer address segment sequence corresponding to the address segment set;
subtract adjacent elements in the i-th layer address segment sequence to obtain the (i+1)-th layer address segment sequence, wherein i = 1 or i = 2;
and determine the character rule according to the elements in the third-layer address segment sequence.
Optionally, the calculation module includes an access rule calculation unit, and the access rule calculation unit is specifically configured to:
in the communication information, respectively determine the target request times of the source address that fall in each preset time window and the second destination addresses corresponding to those target request times;
deduplicate the second destination addresses to obtain the number of distinct second destination addresses for each time window;
sort the address numbers corresponding to the plurality of time windows in the order of the time windows from first to last, and take each address number as an element of a first-layer address number sequence to obtain the first-layer address number sequence;
for the elements in the j-th layer address number sequence, obtain the (j+1)-th layer address number sequence by taking the difference of adjacent elements, wherein j = 1 or j = 2;
and determine the access rule according to the elements in the third-layer address number sequence.
Optionally, the calculation module includes a fluctuation rule calculation unit, and the fluctuation rule calculation unit is specifically configured to:
respectively determine, in the communication information, the third destination addresses corresponding to the source address and the access count of each third destination address;
sort the access counts of the third destination addresses in ascending order (from small to large) of the third destination addresses, and take each access count as an element of a first-layer access count sequence to obtain the first-layer access count sequence;
for the elements in the k-th layer access count sequence, obtain the (k+1)-th layer access count sequence by subtracting adjacent elements, wherein k = 1 or k = 2;
and determine the fluctuation rule according to the elements in the third-layer access count sequence.
Optionally, the analysis module is specifically configured to:
according to at least one request result corresponding to the source address, identify, among the communication information corresponding to the source address, the failed communication information whose request result is an access failure, and determine the number of failed communication information items and their proportion of all communication information corresponding to the source address;
and determine the request result score from the number and proportion of failed communication information by using an isolation forest model.
Optionally, the analysis module is further specifically configured to:
determine, according to the plurality of communication information, the number of communication information items corresponding to the source address and the number of fourth destination addresses corresponding to the source address;
and determine the request breadth score from the number of communication information items corresponding to the source address and the number of fourth destination addresses by using the isolation forest model.
Optionally, the judging module is specifically configured to:
sort the request rule scores corresponding to the source addresses in descending order, take the request rule scores in the top N% of the sorted positions as target request rule scores, and form a first source address set from the first source addresses corresponding to the target request rule scores, wherein 0 < N < 5;
sort the request result scores corresponding to the source addresses in descending order, take the request result scores in the top N% of the sorted positions as target request result scores, and form a second source address set from the second source addresses corresponding to the target request result scores;
sort the request breadth scores corresponding to the source addresses in descending order, take the request breadth scores in the top N% of the sorted positions as target request breadth scores, and form a third source address set from the third source addresses corresponding to the target request breadth scores;
if the first source address set, the second source address set and the third source address set contain the same source address, determine that this source address is the target source address.
According to yet another aspect of the application, a storage medium is provided, on which a computer program is stored, which program, when being executed by a processor, carries out the above-mentioned detection method.
According to yet another aspect of the present application, there is provided a computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the detection method when executing the program.
By means of the above technical solution, the communication information sent by a source address is comprehensively analyzed from the three aspects of request rule, request result and request breadth in order to judge whether the source address exhibits network scanning behavior, which reduces false alarms and missed detections and improves the accuracy of the judgment result.
The foregoing is only an overview of the technical solution of the present application. In order that the technical means of the present application may be more clearly understood and implemented according to the content of the description, and in order that the above and other objects, features and advantages of the present application may be more clearly understandable, the detailed description of the present application is given below.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a behavior detection method for network scanning using an address resolution protocol according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another behavior detection method for network scanning using an address resolution protocol according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating a request rule score calculation of another behavior detection method for network scanning using an address resolution protocol according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating a request result score calculation of another behavior detection method for network scanning using an address resolution protocol according to an embodiment of the present application;
fig. 5 is a schematic diagram illustrating a request breadth score of another behavior detection method for network scanning using an address resolution protocol according to an embodiment of the present application;
fig. 6 is a second schematic flowchart illustrating another behavior detection method for network scanning using an address resolution protocol according to an embodiment of the present application;
fig. 7 is a third schematic flowchart illustrating another behavior detection method for network scanning using an address resolution protocol according to an embodiment of the present application;
fig. 8 is a block diagram illustrating a configuration of a behavior detection apparatus for network scanning using an address resolution protocol according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a behavior detection method for network scanning using an address resolution protocol is provided, as shown in fig. 1, the method includes:
step 101, obtaining communication information, wherein the communication information comprises a source address, a destination address, request time and a request result;
the network scanning behavior detection method provided by the embodiment of the application is used for judging whether a host has a network scanning behavior. Since the host implements the network scanning behavior based on the address resolution protocol by sending the communication information, the embodiment first obtains the communication information sent by the host, and then analyzes the communication information to obtain the detection result.
The communication information may be based on the Address Resolution Protocol (ARP): a host uses ARP to determine which IP addresses on the local network are in use, and thereby implements network scanning. Specifically, the source host sends request information containing an IP address, the destination host that owns that IP address receives the request, resolves the IP address to its MAC address, and sends a reply message containing the MAC address back to the source host.
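Acquiring the communication information described above from raw traffic, as an added example that is not part of the patent: it parses Ethernet/ARP frames (RFC 826 layout), pairs each ARP request with a matching reply received within a timeout to derive the request result, and emits one record per request with source address, destination address, request time and result. The frame bytes, MAC and IP values, the one-second reply timeout and the "success"/"failure" labels are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Ethernet header: dst MAC (6), src MAC (6), EtherType (2); 0x0806 = ARP.
# ARP packet (RFC 826, IPv4 over Ethernet): htype(2) ptype(2) hlen(1) plen(1)
#   oper(2) sha(6) spa(4) tha(6) tpa(4); oper 1 = request, 2 = reply.
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpRecord:
    ts: float
    oper: int
    sender_ip: str
    target_ip: str

def parse_arp_frame(ts, frame):
    """Return an ArpRecord for an Ethernet/IPv4-ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpRecord(ts, oper, ".".join(map(str, spa)), ".".join(map(str, tpa)))

def build_communication_info(frames, reply_timeout=1.0):
    """Turn (timestamp, frame) pairs into the patent's communication information:
    one entry per ARP request carrying source, destination, request time and result.
    A request succeeds if a reply with the reversed IP pair arrives within
    reply_timeout seconds of it; otherwise it is recorded as failed (assumption)."""
    records = [r for r in (parse_arp_frame(ts, f) for ts, f in frames) if r]
    replies = [r for r in records if r.oper == ARP_REPLY]
    info = []
    for req in (r for r in records if r.oper == ARP_REQUEST):
        answered = any(rep.sender_ip == req.target_ip and rep.target_ip == req.sender_ip
                       and req.ts <= rep.ts <= req.ts + reply_timeout for rep in replies)
        info.append({"source": req.sender_ip, "destination": req.target_ip,
                     "time": req.ts, "result": "success" if answered else "failure"})
    return info

def make_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed test frame (sample data, not captured traffic)."""
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    dst_mac = b"\xff" * 6 if oper == ARP_REQUEST else target_mac   # requests are broadcast
    eth = ETH_HDR.pack(dst_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, sender_mac, spa, target_mac, tpa)
    return eth + arp

# Constructed capture: one host asks for .106, .107 and .108; only .107 answers.
SCANNER_MAC = b"\x02\x00\x00\x00\x00\x05"
HOST107_MAC = b"\x02\x00\x00\x00\x00\x07"
ZERO_MAC = b"\x00" * 6
SAMPLE_FRAMES = [
    (10.00, make_frame(ARP_REQUEST, SCANNER_MAC, "192.168.10.5", ZERO_MAC, "192.168.10.106")),
    (10.01, make_frame(ARP_REQUEST, SCANNER_MAC, "192.168.10.5", ZERO_MAC, "192.168.10.107")),
    (10.02, make_frame(ARP_REPLY, HOST107_MAC, "192.168.10.107", SCANNER_MAC, "192.168.10.5")),
    (10.02, make_frame(ARP_REQUEST, SCANNER_MAC, "192.168.10.5", ZERO_MAC, "192.168.10.108")),
]

if __name__ == "__main__":
    for entry in build_communication_info(SAMPLE_FRAMES):
        print(entry)
```

On a real sensor the frames would come from a capture library rather than the constructed list; the record layout is what the later scoring steps consume, so the request result is decided at collection time by observing whether a reply came back, not by the requester's own view.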
Step 102, determining a request rule corresponding to a source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
in this embodiment, the communication information sent during normal communication and the communication information sent during scanning have different characteristics. Based on this, the request rule corresponding to each source address is determined from the destination addresses and request times corresponding to that source address in the communication information, so that communication information from normal communication and communication information from scanning can be distinguished by the request rule.
Step 103, determining a request rule score according to the request rule, determining a request result score according to the request result corresponding to the source address, and determining a request breadth score according to the destination address corresponding to the source address;
in this embodiment, because communication information sent during scanning follows a certain regularity, a request rule score is determined from the request rule, so that the request rule score represents whether a specific regularity exists among all communication information sent by the source host; because the access failure rate of communication information during scanning is far higher than during normal communication, the request result score is determined from the request results, so that the request result score represents the results of all communication information sent by the source host; and because communication information is sent to a large number of different destination addresses during scanning, whereas during normal communication it is sent only to the destination addresses that actually need to be reached, the request breadth score is determined from the destination addresses, so that the request breadth score represents the range of destination addresses covered by all communication information sent by the source host.
And step 104, determining a target source address corresponding to network scanning in the source addresses corresponding to the plurality of communication information according to the request rule score, the request result score and the request breadth score, and determining that the target request corresponding to the target source address is a network scanning behavior.
In the embodiment, the communication information sent by each source address is comprehensively analyzed from three aspects of the request rule, the request result and the request breadth, and whether the source address has a network scanning behavior is judged, so that the source address with the network scanning behavior is determined to be the target source address, and the request sent by the target source address is the network scanning behavior.
By applying the technical solution of this embodiment, the communication information sent by a source address is comprehensively analyzed from the three aspects of request rule, request result and request breadth in order to judge whether the source address exhibits network scanning behavior, which reduces false alarms and missed detections and improves the accuracy of the judgment result.
Further, as a refinement and extension of the specific implementation of the foregoing embodiment, and in order to fully describe the specific implementation process of this embodiment, another network scanning behavior detection method is provided in which the request rule includes a character rule. As shown in fig. 2, in this method, determining the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
Step 201, determining at least one first destination address corresponding to the source address according to the communication information;
in this embodiment, a source address may send communication information to multiple destination addresses; based on this, the first destination addresses corresponding to the source address are determined first when judging whether the source address exhibits network scanning behavior.
Step 202, dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and using the address segments with the same position as an address segment set;
in this embodiment, each first destination address is divided into a plurality of address segments, and the number of address segments into which each first destination address is divided is the same.
Specifically, each first destination address may be divided into four address segments according to dotted-decimal notation, with the dots of the IP address as separators. For example, as shown in fig. 3, with dots as separators, 192.168.10.106 is divided into the following four address segments: 192, 168, 10 and 106.
In this embodiment, the address segments having the same position in the first destination addresses are taken as one address segment set, and since each first destination address is divided into four address segments, four address segment sets are obtained. For example, for three destination addresses (192.168.10.106, 192.168.10.107 and 192.168.10.108) corresponding to the same source address, the following four address segment sets are obtained: {192, 192, 192}, {168, 168, 168}, {10, 10, 10} and {106, 107, 108}.
Step 203, in each address segment set, sorting the address segments in ascending order (from small to large) of the first destination addresses they belong to, and taking each address segment as an element of a first-layer address segment sequence to obtain the first-layer address segment sequence corresponding to the address segment set;
in this embodiment, the address segments in each address segment set are sorted in ascending order of the first destination address. In this example, [192, 192, 192], [168, 168, 168], [10, 10, 10] and [106, 107, 108] are obtained.
In addition, the address segments may be sorted in other orders.
Step 204, subtracting adjacent elements in the i-th layer address segment sequence to obtain the (i+1)-th layer address segment sequence, wherein i = 1 or i = 2;
in this embodiment, in each layer of address segment sequence, for every two adjacent elements the preceding element is subtracted from the following element, and the resulting difference is used as an element of the next layer of address segment sequence.
For example, for the first-layer address segment sequence [192, 192, 192], the second-layer address segment sequence [192-192, 192-192] = [0, 0] is obtained, and the third-layer address segment sequence [0-0] = [0]; similarly, the third-layer address segment sequences corresponding to [168, 168, 168] and [10, 10, 10] are both [0]; for the first-layer address segment sequence [106, 107, 108], the second-layer address segment sequence [107-106, 108-107] = [1, 1] is obtained, and the third-layer address segment sequence [1-1] = [0].
In this embodiment, it can be understood that the closer together the first destination addresses of the plurality of communication information items sent by a source address are, the stronger the regularity of the communication information sent by that source address is, and the elements of the third-layer address segment sequence in this embodiment represent how close together the first destination addresses are. Based on this, the character rule can be determined from the elements of the third-layer address segment sequence; specifically, the more elements with the value 0 there are in the third-layer address segment sequences, the closer together the first destination addresses are and the stronger the character rule is.
For example, in this embodiment, the third-layer address segment sequences corresponding to the four first-layer address segment sequences [192, 192, 192], [168, 168, 168], [10, 10, 10] and [106, 107, 108] are all [0], that is, the four third-layer address segment sequences contain 4 elements with the value 0 in total.
Further, in another network scanning behavior detection method, the request rule comprises an access rule; determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address, specifically comprising:
step 301, respectively determining a target request time of a source address in each preset time window and a second destination address corresponding to the target request time in communication information;
in this embodiment, the plurality of communication information items corresponding to the source address are sorted by request time from first to last, and a plurality of consecutive time windows of equal length are preset; for example, three time windows [t_1, t_n], [t_(n+1), t_(2n)] and [t_(2n+1), t_(3n)] are preset, each of length n.
And determining target request time falling in each preset time window, and further determining a second destination address corresponding to each target request time.
Step 302, removing duplication of a plurality of second destination addresses to obtain the address number of the second destination addresses;
in this embodiment, when counting the number of the second destination addresses corresponding to each preset time window, the repeated second destination addresses are counted only once.
Step 303, sorting the number of addresses corresponding to the plurality of time windows according to the sequence of the time windows from first to last, and taking each address number as an element in the first layer address number sequence to obtain a first layer address number sequence;
in this embodiment, as shown in FIG. 4, for example, the number of second destination addresses (the number of access targets in FIG. 4) in the time window [t_1, t_n] is determined to be m1, in [t_(n+1), t_(2n)] to be m2 and in [t_(2n+1), t_(3n)] to be m3. Sorting these address numbers in the order of the preset time windows from first to last gives the first-layer address number sequence [m1, m2, m3].
In addition, the numbers of second destination addresses may be sorted in other orders.
Step 304, for elements in the j-th layer address number sequence, obtaining a j + 1-th layer address number sequence by subtracting two adjacent elements to obtain a difference, wherein j is 1 or j is 2;
in this embodiment, in each layer of the address number sequence, for every two adjacent elements the earlier element is subtracted from the later one (later minus earlier), and the difference is used as an element of the next layer's address number sequence.
For example, the first-layer address number sequence [m1, m2, m3] gives the second-layer address number sequence [m2-m1, m3-m2] and the third-layer address number sequence [(m3-m2)-(m2-m1)].
Step 305, determining an access rule according to the elements in the third-layer address quantity sequence.
In this embodiment, it can be understood that the closer the numbers of second destination addresses contacted by one source address in the successive preset time windows are to one another, the more regular the communication information sent by that source address is, and the elements of the third-layer address number sequence in this embodiment represent how close those numbers are. Based on this, the access rule may be determined from the elements of the third-layer address number sequence; specifically, the more elements with the value 0 there are in the third-layer address number sequence, the closer the numbers of second destination addresses are and the stronger the access rule is.
Further, in another network scanning behavior detection method, the request rule includes a fluctuation rule, and the determining of the request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address specifically includes:
step 401, respectively determining a third destination address corresponding to the source address and the number of times of access of each third destination address in the communication information;
in this embodiment, according to the plurality of pieces of communication information corresponding to the source address, each third destination address corresponding to the source address is determined, and the number of times the source address accessed each third destination address is determined. For example, as shown in FIG. 5, if the source address sends communication information to destination IP1, destination IP2, destination IP3, destination IP4 and destination IP5, then destination IP1 to IP5 are the third destination addresses corresponding to the source address, and the number of pieces of communication information the source address sent to each third destination address is that third destination address's number of accesses.
Step 402, according to the sequence from the small to the large of the third destination addresses, sorting the access times corresponding to the plurality of third destination addresses, and using each access time as an element in the first-layer access time sequence to obtain a first-layer access time sequence;
in this embodiment, the number of accesses to the plurality of third destination addresses is sorted in the order of the third destination addresses from small to large. For example, the number of accesses corresponding to the five third destination addresses in this embodiment is sorted, and the first-layer access number sequence [25, 24, 23, 22, 23] is obtained.
In addition, the number of accesses may be sorted in other orders.
Step 403, obtaining a k + 1-th layer access frequency sequence by subtracting two adjacent elements from each other for the elements in the k-th layer access frequency sequence, where k is 1 or k is 2;
in this embodiment, in each layer of the access number sequence, for every two adjacent elements the earlier element is subtracted from the later one (later minus earlier), and the difference is used as an element of the next layer's access number sequence.
For example, the first-layer access number sequence [25, 24, 23, 22, 23] gives the second-layer access number sequence [24-25, 23-24, 22-23, 23-22] = [-1, -1, -1, 1] and the third-layer access number sequence [(-1)-(-1), (-1)-(-1), 1-(-1)] = [0, 0, 2].
And step 404, determining a fluctuation rule according to the elements in the third-layer access time sequence.
In this embodiment, it can be understood that the closer the numbers of accesses by one source address to its respective third destination addresses are to one another, the more regular the communication information sent by that source address is, and the elements of the third-layer access number sequence in this embodiment represent how similar the access numbers of the plurality of third destination addresses are. Based on this, the fluctuation rule may be determined from the elements of the third-layer access number sequence; specifically, the more elements of the third-layer access number sequence have values within [-5, 5], the closer the access numbers of the third destination addresses are and the stronger the fluctuation rule is. In this embodiment, all three elements of the third-layer access number sequence [0, 0, 2] lie within [-5, 5].
In addition, the fluctuation rule may also be judged by the number of elements with the value 0 in the third-layer access number sequence; for example, in this embodiment the third-layer access number sequence [0, 0, 2] has two elements with the value 0.
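As an added worked example, and not code from the patent itself, the following Python computes all three request rule features described above from a set of constructed ARP request records: the character rule from the per-octet address segment sequences, the access rule from steps 301 to 305 and the fluctuation rule from steps 401 to 404. The record layout, the four-second window length, the use of the source's distinct destination addresses for the character rule, the [-5, 5] band and the sample addresses are assumptions of this example; the layered subtraction (later element minus earlier element, applied twice) follows the description.

```python
"""Added example (not code from the patent): extract the three request-rule
features (character rule, access rule, fluctuation rule) from ARP request
records using the layered-difference construction described in the text."""
from collections import Counter, defaultdict
from ipaddress import IPv4Address

# Constructed sample records: (source, destination, request_time_s, success).
# 10.0.0.9 sweeps 192.168.10.1-16 one address per second (all unanswered);
# 10.0.0.5 is an ordinary host that mostly talks to its gateway.
RECORDS = [("10.0.0.9", f"192.168.10.{i}", float(i - 1), False)
           for i in range(1, 17)] + [
    ("10.0.0.5", "192.168.10.1", 0.5, True),
    ("10.0.0.5", "192.168.10.1", 2.2, True),
    ("10.0.0.5", "192.168.10.50", 3.3, True),
    ("10.0.0.5", "192.168.10.1", 6.1, True),
    ("10.0.0.5", "192.168.10.1", 8.6, True),
    ("10.0.0.5", "192.168.10.7", 9.8, True),
    ("10.0.0.5", "192.168.10.50", 10.5, True),
]

WINDOW_SECONDS = 4.0  # assumed length n of each preset time window


def by_source(records):
    """Group records by source address; each group sorted by request time."""
    groups = defaultdict(list)
    for src, dst, t, ok in records:
        groups[src].append((dst, t, ok))
    return {src: sorted(items, key=lambda r: r[1]) for src, items in groups.items()}


def third_layer(seq):
    """Layer 1 -> layer 3: twice replace the sequence by (later - earlier)."""
    layer = list(seq)
    for _ in range(2):
        layer = [b - a for a, b in zip(layer, layer[1:])]
    return layer


def character_rule(items):
    """Count of zeros over the four third-layer address segment sequences,
    built from the source's distinct destinations sorted numerically."""
    dsts = sorted({IPv4Address(dst) for dst, _, _ in items})
    zeros = 0
    for pos in range(4):
        segments = [dst.packed[pos] for dst in dsts]  # octet at this position
        zeros += third_layer(segments).count(0)
    return zeros


def access_rule(items, window=WINDOW_SECONDS):
    """Zeros in the third-layer address number sequence: distinct destinations
    per consecutive time window, windows counted from the first request."""
    t0 = items[0][1]
    per_window = defaultdict(set)
    for dst, t, _ in items:
        per_window[int((t - t0) // window)].add(dst)
    counts = [len(per_window[i]) for i in range(max(per_window) + 1)]
    return third_layer(counts).count(0)


def fluctuation_rule(items, band=5):
    """Third-layer access number sequence over access counts per destination,
    sorted by destination address. Returns (elements in [-band, band], zeros)."""
    hits = Counter(IPv4Address(dst) for dst, _, _ in items)
    counts = [hits[dst] for dst in sorted(hits)]  # numeric, not lexical, order
    layer3 = third_layer(counts)
    return sum(-band <= v <= band for v in layer3), layer3.count(0)


def request_rule_features(records):
    """Per source: (character zeros, access zeros, fluctuation in-band, fluctuation zeros)."""
    out = {}
    for src, items in by_source(records).items():
        in_band, zeros = fluctuation_rule(items)
        out[src] = (character_rule(items), access_rule(items), in_band, zeros)
    return out


if __name__ == "__main__":
    for src, feats in request_rule_features(RECORDS).items():
        print(src, feats)
```

With these records the sweeping source yields far more zero elements in every third-layer sequence than the ordinary host, which is the regularity the three rules are meant to expose; the raw counts would be fed to the scoring stage rather than thresholded directly.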
Further, in another network scanning behavior detection method, determining a score of a request result according to a request result corresponding to a source address specifically includes:
step 501, according to at least one request result corresponding to a source address, identifying, among the communication information corresponding to the source address, the failed communication information whose request result is access failure, and determining the quantity of failed communication information and its proportion of all communication information of the source address;
step 502, determining a request result score according to the quantity and proportion of failed communication information by using an isolation forest model.
In this embodiment, the total number of pieces of communication information sent by the source address and the number whose request result is access failure are determined, so that the proportion of failed pieces to the total can be determined. The quantity and proportion of failed communication information are fed into a preset isolation forest model, and the request result score of each source address is calculated using the isolation forest algorithm.
Specifically, in the isolation forest model, each source address is taken as a sample point, and the data set is recursively and randomly partitioned until every sample point is isolated. Under this random partitioning strategy, outliers typically have shorter paths. In this algorithm, for a data set containing n samples, the average path length of the tree is (the standard isolation forest definition):
c(n) = 2H(n - 1) - 2(n - 1)/n
where H(i) is the harmonic number, which may be estimated as ln(i) + 0.5772156649, and c(n), the average path length for a given number of samples n, is used to normalize the path length h(x) of sample x.
The anomaly score of sample x is defined as:
s(x, n) = 2^(-E(h(x)) / c(n))
where E(h(x)) is the expected path length of sample x over the collection of isolation trees, and s(x, n) is the request result score of the source address x.
In addition, other models of machine learning methods may be utilized to determine the request result score.
Further, in another network scanning behavior detection method, determining a request breadth score according to a destination address corresponding to a source address specifically includes:
step 601, determining the number of communication information corresponding to a source address and the number of fourth destination addresses corresponding to the source address according to a plurality of communication information;
step 602, determining a request breadth score according to the number of the communication information corresponding to the source address and the number of the fourth destination address by using the solitary forest model.
In this embodiment, the total quantity of communication information sent by the source address and the number of all destination addresses corresponding to the source address (the fourth destination addresses) are determined and fed into a preset isolation forest model, and the request breadth score is calculated using the isolation forest algorithm.
In addition, other machine learning models may be used to determine the request breadth score.
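As an added example, and not the patent's own implementation, the following Python builds a small isolation forest from scratch and applies it to the two feature pairs used above: the quantity and proportion of failed requests for the request result score (steps 501 and 502) and the request count and number of destination addresses for the request breadth score (steps 601 and 602). It uses the normalization c(n) and the score s(x, n) = 2^(-E(h(x))/c(n)) from the description, with H(i) estimated as ln(i) + 0.5772156649. The feature tables, the forest parameters (100 trees, a sub-sample of at most 256 points, depth limit ceil(log2 n)) and the treatment of destination counts as distinct addresses are assumptions of this example.

```python
"""Added example (not code from the patent): a small isolation forest in pure
Python that turns per-source feature pairs into request result scores
(failed count, failed proportion) and request breadth scores (request count,
destination count), using c(n) and s(x, n) = 2^(-E(h(x)) / c(n))."""
import math
import random

# Constructed per-source feature rows (not real traffic). 10.0.0.9 is a sweeping
# scanner: nearly every ARP request it sends goes unanswered.
FAILURE_FEATURES = {  # source -> (failed requests, failed / total requests)
    "10.0.0.5": (1, 0.05), "10.0.0.6": (0, 0.00), "10.0.0.7": (2, 0.08),
    "10.0.0.8": (1, 0.03), "10.0.0.11": (3, 0.10), "10.0.0.12": (0, 0.00),
    "10.0.0.13": (2, 0.06), "10.0.0.9": (250, 0.98),
}
BREADTH_FEATURES = {  # source -> (total requests, distinct destinations)
    "10.0.0.5": (7, 3), "10.0.0.6": (12, 2), "10.0.0.7": (30, 4),
    "10.0.0.8": (9, 3), "10.0.0.11": (15, 5), "10.0.0.12": (4, 1),
    "10.0.0.13": (22, 3), "10.0.0.9": (255, 254),
}


def harmonic(i):
    """H(i), estimated as ln(i) + Euler's constant, as in the description."""
    return math.log(i) + 0.5772156649


def c(n):
    """Average path length of an unsuccessful search in a tree of n samples,
    used to normalize h(x); c(1) = 0 and c(2) = 1 by convention."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * harmonic(n - 1) - 2.0 * (n - 1) / n


def anomaly_score(expected_path, n):
    """s(x, n) = 2^(-E(h(x)) / c(n)); values near 1 mark an outlier."""
    return 2.0 ** (-expected_path / c(n))


def build_tree(points, rng, depth=0, max_depth=8):
    """Split on a random feature at a random cut until every point is isolated
    or the depth limit is reached. Leaf: ("leaf", size); node: ("node", f, cut, l, r)."""
    if len(points) <= 1 or depth >= max_depth:
        return ("leaf", len(points))
    f = rng.randrange(len(points[0]))
    lo, hi = min(p[f] for p in points), max(p[f] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    cut = rng.uniform(lo, hi)
    left = [p for p in points if p[f] < cut]
    right = [p for p in points if p[f] >= cut]
    return ("node", f, cut,
            build_tree(left, rng, depth + 1, max_depth),
            build_tree(right, rng, depth + 1, max_depth))


def path_length(tree, x, depth=0):
    """h(x): depth of the leaf x falls into, plus c(size) when that leaf still
    holds several points (its subtree was cut off by the depth limit)."""
    if tree[0] == "leaf":
        return depth + c(tree[1])
    _, f, cut, left, right = tree
    return path_length(left if x[f] < cut else right, x, depth + 1)


def fit_forest(points, n_trees=100, sample_size=256, seed=0):
    """Grow n_trees isolation trees on random sub-samples; returns (trees, n)."""
    rng = random.Random(seed)
    n = min(sample_size, len(points))
    max_depth = max(1, math.ceil(math.log2(n)))
    trees = [build_tree(rng.sample(points, n), rng, max_depth=max_depth)
             for _ in range(n_trees)]
    return trees, n


def forest_score(forest, x):
    """E(h(x)) averaged over the forest, normalized to s(x, n)."""
    trees, n = forest
    expected = sum(path_length(t, x) for t in trees) / len(trees)
    return anomaly_score(expected, n)


def score_sources(features, seed=0):
    """Fit on every source's feature pair and score each source (higher = more anomalous)."""
    forest = fit_forest(list(features.values()), seed=seed)
    return {src: forest_score(forest, x) for src, x in features.items()}


if __name__ == "__main__":
    for name, feats in (("request result", FAILURE_FEATURES),
                        ("request breadth", BREADTH_FEATURES)):
        ranked = sorted(score_sources(feats).items(), key=lambda kv: -kv[1])
        print(name, ranked[:3])
```

Because the scanner sits far from the cluster of ordinary hosts on both features, almost every random cut isolates it at depth 1, so its expected path length is close to 1 and its score approaches 1, while the ordinary hosts need two or more splits and score below it.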
Further, as shown in fig. 6, in another network scanning behavior detection method, according to the request rule score, the request result score, and the request breadth score, a target source address corresponding to network scanning is determined from source addresses corresponding to a plurality of communication information, which specifically includes:
In this embodiment, first source addresses are determined according to the request rule scores of the plurality of source addresses, and together they form the first source address set.
Specifically, a high request rule score for a source address indicates that the request rule of that source address is abnormal. Based on this, the request rule scores of all source addresses are sorted in descending order; the higher a request rule score ranks, the more likely the request rule of the corresponding source address is abnormal. The request rule scores in the top N% of the ranking, that is, the N% highest scores, are taken as the target request rule scores; the source addresses corresponding to the target request rule scores are the first source addresses, and the set of all first source addresses is the first source address set.
Furthermore, the detection precision of the method can be adjusted through the value of N. Specifically, the larger N is, the fewer false negatives there are; the smaller N is, the fewer false positives there are. Balancing false positives against false negatives, N may be set in the interval (0, 5).
Further, N may be 5.
Furthermore, each request rule score may be rounded to one decimal place before the probability distribution of the request rule scores is determined, which makes repeated (tied) request rule scores more likely and avoids the situation in which no two request rule scores coincide.
Step 702, sorting the request result scores corresponding to the source addresses in a descending order, determining the request result score of the top N% of the sorting positions as a target request result score, and forming a second source address set by using second source addresses corresponding to the target request result score;
In this embodiment, the third source address set is formed in the same way from the source addresses whose request breadth scores rank in the top N%. If the first source address set, the second source address set and the third source address set contain the same source address, that is, the same source address is present in all three sets at once, that source address may be determined to be a target source address, and network scanning behavior is considered to exist.
Further, if a source address is present in only two of the first, second and third source address sets at the same time, it may be determined to be a suspected target source address, and network scanning behavior is considered possible.
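As an added example, and not code from the patent, the following Python implements the selection and judgment described above: each of the three scores is rounded to one decimal place, the sources in the top N% of each ranking form the first, second and third source address sets, a source in all three sets is a target source address and a source in exactly two is a suspected one. The score tables are constructed, and the tie handling (at least one source is always kept, and sources tied with the last kept score are kept too, which rounding makes common) is an assumption of this example.

```python
"""Added example (not code from the patent): top-N% selection on each of the
three scores, then the three-set intersection for target source addresses and
the two-of-three rule for suspected ones. All scores are constructed."""
import math

SOURCES = [f"10.0.0.{i}" for i in range(1, 41)]  # 40 sources: N = 5 keeps the top 2


def _baseline(offset):
    """Unremarkable scores in [0.30, 0.40] for every source (constructed)."""
    return {src: 0.30 + ((i * 7 + offset) % 11) * 0.01
            for i, src in enumerate(SOURCES, 1)}


# 10.0.0.9 ranks high on all three scores, 10.0.0.21 on two, 10.0.0.33 on one.
RULE_SCORES = {**_baseline(0), "10.0.0.9": 0.91, "10.0.0.21": 0.82}
RESULT_SCORES = {**_baseline(3), "10.0.0.9": 0.93, "10.0.0.21": 0.79}
BREADTH_SCORES = {**_baseline(5), "10.0.0.9": 0.90, "10.0.0.33": 0.88}


def top_fraction(scores, n_percent, decimals=1):
    """Sources whose score, rounded to `decimals` places as the description
    suggests, lies in the top N%. At least one source is kept, and sources
    tied with the last kept score are kept as well."""
    rounded = {src: round(s, decimals) for src, s in scores.items()}
    k = max(1, math.ceil(len(rounded) * n_percent / 100.0))
    cutoff = sorted(rounded.values(), reverse=True)[k - 1]
    return {src for src, s in rounded.items() if s >= cutoff}


def classify(rule_scores, result_scores, breadth_scores, n_percent=5.0):
    """Return (target sources present in all three top sets,
               suspected sources present in exactly two)."""
    top_sets = [top_fraction(s, n_percent)
                for s in (rule_scores, result_scores, breadth_scores)]
    targets, suspects = set(), set()
    for src in set(rule_scores) | set(result_scores) | set(breadth_scores):
        hits = sum(src in top for top in top_sets)
        if hits == 3:
            targets.add(src)
        elif hits == 2:
            suspects.add(src)
    return targets, suspects


if __name__ == "__main__":
    targets, suspects = classify(RULE_SCORES, RESULT_SCORES, BREADTH_SCORES)
    print("targets:", sorted(targets), "suspects:", sorted(suspects))
```

Requiring all three sets to agree is what keeps a host that merely fails many requests (a misconfigured client) or merely talks to many hosts (a monitoring server) from being flagged outright; it lands in the suspected list at most.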
Further, as shown in fig. 7, in another network scanning behavior detection method, ARP communication data (i.e., communication information) sent by a source address is first received, and feature data corresponding to the source address is extracted from the plurality of ARP communication data it sent. The feature data includes a failure condition class feature, an access rule class feature and an access breadth class feature, and the access rule class feature includes the regularity of the accessed target IP characters (i.e., the character rule), the variation of the accessed target IPs over time (i.e., the access rule) and the fluctuation in the number of accesses per target (i.e., the fluctuation rule). After the three feature classes are determined, a preset anomaly detection algorithm (namely, the isolation forest algorithm) is used to calculate the request result score, the request rule score and the request breadth score corresponding to the three feature classes. Finally, whether each score satisfies the judgment condition is determined according to the probability distribution of the three scores, and thereby whether the ARP communication requests sent by the source address constitute an ARP attack (network scanning behavior).
Further, as a specific implementation of the network scanning behavior detection method, an embodiment of the present application provides a network scanning behavior detection apparatus, and as shown in fig. 8, the network scanning behavior detection apparatus includes: the device comprises an acquisition module, a calculation module, an analysis module and a judgment module.
The acquisition module is used for acquiring communication information, the communication information comprising a source address, a destination address, a request time and a request result;
the computing module is used for determining a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
the analysis module is used for determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and the judging module is used for determining a target source address corresponding to the network scanning in the source addresses corresponding to the plurality of communication information according to the request rule score, the request result score and the request breadth score, and determining that the target request corresponding to the target source address is a network scanning behavior.
In a specific application scenario, optionally, the calculation module includes a character rule calculation unit, and the character rule calculation unit is specifically configured to:
determining at least one first destination address corresponding to the source address according to the communication information;
dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
in each address segment set, sequencing a plurality of address segments according to the sequence of the first destination addresses corresponding to the address segments from small to large, and taking each address segment as an element in a first-layer address segment sequence to obtain a first-layer address segment sequence corresponding to the address segment set;
subtracting two adjacent elements in the ith layer address segment sequence to obtain an ith +1 layer address segment sequence, wherein i is 1 or i is 2;
and determining the character rule according to the elements in the third-layer address field sequence.
In a specific application scenario, optionally, the calculation module includes an access rule calculation unit, and the access rule calculation unit is specifically configured to:
determining a request rule corresponding to the source address according to the destination address and the request time, specifically comprising:
in the communication information, respectively determining target request time of a source address in each preset time window and a second destination address corresponding to the target request time;
removing the duplication of the plurality of second destination addresses to obtain the address number of the second destination addresses;
sequencing the number of addresses corresponding to a plurality of time windows according to the sequence of the time windows from first to last, and taking each address number as an element in a first layer address number sequence to obtain a first layer address number sequence;
for elements in the j-th layer address number sequence, obtaining a j + 1-th layer address number sequence by subtracting two adjacent elements to obtain a difference, wherein j is 1 or j is 2;
and determining an access rule according to the elements in the third-layer address number sequence.
In a specific application scenario, optionally, the calculation module includes a fluctuation rule calculation unit, and the fluctuation rule calculation unit is specifically configured to:
determining a request rule corresponding to the source address according to the destination address and the request time, specifically comprising:
respectively determining a third destination address corresponding to the source address and the access times of each third destination address in the communication information;
sequencing the access times corresponding to the plurality of third destination addresses according to the sequence of the third destination addresses from small to large, and taking each access time as an element in the first-layer access time sequence to obtain a first-layer access time sequence;
obtaining a k + 1-th layer access frequency sequence by subtracting two adjacent elements from each other for the elements in the k-th layer access frequency sequence, wherein k is 1 or k is 2;
and determining a fluctuation rule according to the elements in the third-layer access time sequence.
In a specific application scenario, optionally, the analysis module is specifically configured to:
according to at least one request result corresponding to the source address, determining that the request result is failed communication information with access failure in the communication information corresponding to the source address, and determining the quantity of the failed communication information and the proportion of the failed communication information in the communication information;
and determining the request result score by using the isolation forest model according to the quantity and proportion of the failed communication information.
In a specific application scenario, optionally, the analysis module is specifically configured to:
determining the number of communication information corresponding to the source address and the number of fourth destination addresses corresponding to the source address according to the plurality of communication information;
and determining the request breadth score according to the quantity of communication information corresponding to the source address and the number of the fourth destination addresses by using the isolation forest model.
In a specific application scenario, optionally, the determining module is specifically configured to:
sequencing the request rule scores corresponding to the source addresses in a descending order, determining the request rule score of the top N% of the sequencing positions as a target request rule score, and forming a first source address set by using the first source addresses corresponding to the target request rule score, wherein 0< N < 5;
sorting the request result scores corresponding to the source addresses in a descending order, determining the request result scores with the top N% of the sorting positions as target request result scores, and forming a second source address set by using second source addresses corresponding to the target request result scores;
sequencing the request breadth scores corresponding to the source addresses in a descending order, determining the request breadth score of the top N% of the sequencing positions as a target request breadth score, and forming a third source address set by using a third source address corresponding to the target request breadth score;
if the first source address set, the second source address set and the third source address set contain the same source address, determining that the same source address is the target source address.
It should be noted that other corresponding descriptions of the functional modules related to the network scanning behavior detection apparatus provided in the embodiment of the present application may refer to the corresponding descriptions in fig. 1 to fig. 7, and are not described herein again.
Based on the methods shown in fig. 1 to 7, correspondingly, the present application further provides a storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the detection method shown in fig. 1 to 7.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 to fig. 7 and the embodiment of the network scanning behavior detection apparatus shown in fig. 8, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the computer device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the detection method as described above with reference to fig. 1 to 7.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
It will be appreciated by those skilled in the art that the present embodiment provides a computer device architecture that is not limiting of the computer device, and that may include more or fewer components, or some components in combination, or a different arrangement of components.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages and maintains the hardware and software resources of the computer device and supports the operation of the information processing program and of other software and/or programs. The network communication module is used for communication among the components in the storage medium and for communication with other hardware and software in the physical device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware.
Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred implementation scenario and that the elements or processes in the drawings are not necessarily required to practice the present application. Those skilled in the art will appreciate that elements of a device in an implementation scenario may be distributed in the device in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The units of the implementation scenario may be combined into one unit, or may be further split into a plurality of sub-units.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.
Claims (10)
1. A method for behavior detection for network scanning using an address resolution protocol, the method comprising:
acquiring communication information, wherein the communication information comprises a source address, a destination address, request time and a request result;
determining a request rule corresponding to the source address according to a destination address corresponding to the source address and request time corresponding to the source address;
determining a request rule score according to the request rule, determining a request result score according to a request result corresponding to the source address, and determining a request breadth score according to a destination address corresponding to the source address;
and according to the request rule score, the request result score and the request breadth score, determining a target source address corresponding to network scanning in source addresses corresponding to the communication information, and determining that a target request corresponding to the target source address is a network scanning behavior.
2. The detection method according to claim 1, wherein the request rule comprises a character rule;
the determining, according to the destination address corresponding to the source address and the request time corresponding to the source address, a request rule corresponding to the source address specifically includes:
determining at least one first destination address corresponding to the source address according to the communication information;
dividing each first destination address into a plurality of address segments, determining the position of each address segment in the first destination address, and taking the address segments with the same position as an address segment set;
in each address segment set, sequencing a plurality of address segments according to the sequence from small to large of first destination addresses corresponding to the address segments, and taking each address segment as an element in a first-layer address segment sequence to obtain the first-layer address segment sequence corresponding to the address segment set;
subtracting two adjacent elements in the ith layer address segment sequence to obtain an ith +1 layer address segment sequence, wherein i is 1 or i is 2;
and determining the character rule according to the elements in the third-layer address field sequence.
3. The detection method according to claim 1, wherein the request rule comprises an access rule;
the determining, according to the destination address corresponding to the source address and the request time corresponding to the source address, a request rule corresponding to the source address specifically includes:
in the communication information, respectively determining target request time of the source address in each preset time window and a second destination address corresponding to the target request time;
de-duplicating the plurality of second destination addresses to obtain the address number of the second destination addresses;
sequencing the number of addresses corresponding to a plurality of time windows according to the sequence of the time windows from first to last, and taking each address number as an element in a first layer address number sequence to obtain the first layer address number sequence;
for elements in the j-th layer address number sequence, obtaining a j + 1-th layer address number sequence by subtracting two adjacent elements to obtain a difference, wherein j is 1 or j is 2;
and determining the access rule according to the elements in the third-layer address number sequence.
4. The detection method according to claim 1, wherein the request rule includes a fluctuation rule,
the determining, according to the destination address corresponding to the source address and the request time corresponding to the source address, a request rule corresponding to the source address specifically includes:
respectively determining a third destination address corresponding to the source address and the access times of each third destination address in the communication information;
sequencing the access times corresponding to the third destination addresses according to the sequence of the third destination addresses from small to large, and taking each access time as an element in a first-layer access time sequence to obtain the first-layer access time sequence;
obtaining a k + 1-th layer access frequency sequence by subtracting two adjacent elements from each other for the elements in the k-th layer access frequency sequence, wherein k is 1 or k is 2;
and determining the fluctuation rule according to elements in the third-layer access time sequence.
5. The detection method according to claim 1, wherein determining the request result score according to the request result corresponding to the source address specifically includes:
determining, from the at least one request result corresponding to the source address, the failed communication information, that is, the communication information corresponding to the source address whose request result is an access failure, and determining the number of failed communication information and the proportion of failed communication information within the communication information corresponding to the source address;
and determining the request result score from the number and the proportion of failed communication information by using an isolation forest model.
6. The detection method according to claim 5, wherein determining the request breadth score according to the destination address corresponding to the source address specifically includes:
determining, from the plurality of communication information, the number of communication information corresponding to the source address and the number of fourth destination addresses corresponding to the source address;
and determining the request breadth score from the number of communication information corresponding to the source address and the number of fourth destination addresses by using the isolation forest model.
7. The method according to claim 1, wherein determining the target source address corresponding to network scanning among the source addresses corresponding to the plurality of communication information according to the request rule score, the request result score and the request breadth score includes:
sorting the request rule scores corresponding to the source addresses in descending order, determining the request rule scores in the top N% of the sorted positions as target request rule scores, and forming a first source address set from the first source addresses corresponding to the target request rule scores, where 0 < N < 5;
sorting the request result scores corresponding to the source addresses in descending order, determining the request result scores in the top N% of the sorted positions as target request result scores, and forming a second source address set from the second source addresses corresponding to the target request result scores;
sorting the request breadth scores corresponding to the source addresses in descending order, determining the request breadth scores in the top N% of the sorted positions as target request breadth scores, and forming a third source address set from the third source addresses corresponding to the target request breadth scores;
and if the first source address set, the second source address set and the third source address set contain the same source address, determining that the same source address is the target source address.
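The scoring pipeline of claims 3 to 7 end to end, as an added Python example that is not part of the patent: it extracts the per-source features the claims name from a constructed ARP request log and applies the top-N% intersection of claim 7. Assumptions, not taken from the patent: the time-window width, the use of distinct destinations as the per-window address count, the rounding of the N% cut-off, and the stand-in scoring functions (the patent scores the rules per claim 2 and the result and breadth features with an isolation forest model).

```python
from collections import Counter, defaultdict
from math import ceil
# Constructed ARP request log, one tuple per request: (source, destination, time_s, got_reply).
# 10.0.0.9 sweeps 10.0.0.1-10.0.0.12 one host per second and mostly gets no reply; the others are normal.
RECORDS = [("10.0.0.9", f"10.0.0.{i}", float(i), i in (2, 5, 7)) for i in range(1, 13)] + [
    ("10.0.0.2", "10.0.0.1", 1.0, True), ("10.0.0.2", "10.0.0.5", 7.0, True),
    ("10.0.0.5", "10.0.0.1", 3.0, True), ("10.0.0.5", "10.0.0.1", 9.0, True),
    ("10.0.0.7", "10.0.0.2", 4.0, True), ("10.0.0.7", "10.0.0.3", 5.0, False)]
WINDOW_S = 4.0  # assumed width of the time windows in claim 3

def difference_layers(seq, depth=2):
    """Claims 3/4: subtract adjacent elements `depth` times (first layer -> third layer)."""
    for _ in range(depth):
        seq = [b - a for a, b in zip(seq, seq[1:])]
    return seq

def features(records):
    """Per-source features named in claims 3-6 (window width and bucketing are assumptions)."""
    by_src = defaultdict(list)
    for src, dst, t, ok in records:
        by_src[src].append((dst, t, ok))
    out = {}
    for src, rows in by_src.items():
        win = defaultdict(set)  # claim 3: distinct destinations per time window, in time order
        for dst, t, _ in rows:
            win[int(t // WINDOW_S)].add(dst)
        per_dst = Counter(dst for dst, _, _ in rows)  # claim 4: accesses per destination
        ordered = sorted(per_dst, key=lambda ip: tuple(int(o) for o in ip.split(".")))
        failed = sum(1 for _, _, ok in rows if not ok)  # claim 5: failed requests
        out[src] = {"access_rule": difference_layers([len(win[w]) for w in sorted(win)]),
                    "fluctuation_rule": difference_layers([per_dst[d] for d in ordered]),
                    "failed": failed, "failed_ratio": failed / len(rows),
                    "requests": len(rows), "breadth": len(per_dst)}  # claim 6
    return out

def scores(f):
    """Stand-in scores (assumption): a flat third-layer sequence scores high; the rest are products."""
    flat = lambda s: 1.0 / (1.0 + sum(abs(x) for x in s)) if s else 0.0
    return {"rule": (flat(f["access_rule"]) + flat(f["fluctuation_rule"])) / 2,
            "result": f["failed"] * f["failed_ratio"],
            "breadth": f["requests"] * f["breadth"]}

def detect(records, top_pct=4):
    """Claim 7: flag a source only if it is in the top N% (0 < N < 5) of all three rankings."""
    per_src = {src: scores(f) for src, f in features(records).items()}
    keep = ceil(len(per_src) * top_pct / 100)  # assumption: round up so the cut is never empty
    tops = [set(sorted(per_src, key=lambda s: per_src[s][k], reverse=True)[:keep])
            for k in ("rule", "result", "breadth")]
    return set.intersection(*tops)
```

On the constructed log `detect(RECORDS)` flags only the sweeping host: its access counts per destination are all 1, so its third-layer fluctuation sequence is flat, while its failure count and breadth dominate the other two rankings.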
8. A behavior detection system for network scanning using the address resolution protocol, the system comprising:
an acquisition module, configured to acquire communication information, the communication information comprising a source address, a destination address, a request time and a request result;
a calculation module, configured to determine a request rule corresponding to the source address according to the destination address corresponding to the source address and the request time corresponding to the source address;
an analysis module, configured to determine a request rule score according to the request rule, a request result score according to the request result corresponding to the source address, and a request breadth score according to the destination address corresponding to the source address;
and a judging module, configured to determine, according to the request rule score, the request result score and the request breadth score, a target source address corresponding to network scanning among the source addresses corresponding to the communication information, and to determine that the target request corresponding to the target source address is a network scanning behavior.
9. A readable storage medium on which a program or instructions are stored, wherein the program or instructions, when executed by a processor, implement the steps of the detection method according to any one of claims 1 to 7.
10. A computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the detection method according to any one of claims 1 to 7 when executing the program.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111594056.0A (CN114338593B) | 2021-12-23 | 2021-12-23 | Behavior detection method and device for network scanning by using address resolution protocol |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN114338593A (en) | 2022-04-12 |
| CN114338593B (en) | 2023-07-04 |
Family ID: 81013944
Family Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111594056.0A (CN114338593B, Active) | 2021-12-23 | 2021-12-23 | Behavior detection method and device for network scanning by using address resolution protocol |
Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN114338593B (en) |
Also Published As

| Publication Number | Publication Date |
|---|---|
| CN114338593B (en) | 2023-07-04 |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |