CN114500123B - Network information analysis method and device - Google Patents

Network information analysis method and device

Publication number
CN114500123B
Authority
CN
China
Legal status
Active
Application number
CN202210401625.3A
Other languages
Chinese (zh)
Other versions
CN114500123A (en)
Inventor
王照旗
权晓文
王晶
王明鑫
王忠新
Current Assignee
Webray Tech Beijing Co ltd
Original Assignee
Webray Tech Beijing Co ltd
Application filed by Webray Tech Beijing Co ltd
Priority to CN202210401625.3A
Publication of CN114500123A
Application granted
Publication of CN114500123B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention provides a network intelligence analysis method and device. The method comprises: determining a target IP address and target Payload information corresponding to a target packet; querying the target IP address and the target Payload information in an intelligence feature library; and, when at least one of the target IP address and the target Payload information is found, determining the target risk level of the target packet based on the risk level corresponding to the target IP address and/or the risk level corresponding to the target Payload information. By matching the IP address and Payload information of the target packet against the IP addresses and Payload information of known packets in the intelligence feature library, risk analysis can be performed on packets of unknown risk observed during protocol interaction, so that potential unknown risks are discovered in time.

Description

Network information analysis method and device
Technical Field
The invention relates to the field of network security, and in particular to a network intelligence analysis method and device.
Background
With the development of network technology, the security of terrestrial network systems and satellite network systems is becoming more and more important. In the related art, a crawler collects CVE (Common Vulnerabilities and Exposures) entries, public network asset information and IP (Internet Protocol) reputation information published on the Internet, so as to obtain publicly disclosed network security intelligence.
In the related art, the network system is protected in a targeted manner by acquiring published intelligence on potential threats and captured intelligence on dangerous sources on the Internet, but no intelligence analysis can be performed on unknown risks.
Disclosure of Invention
The invention provides a network intelligence analysis method and a network intelligence analysis device, to overcome the defect in the prior art that only known vulnerabilities and threats can be analyzed, and to achieve intelligence analysis of unknown potential risks.
The invention provides a network intelligence analysis method, comprising:
determining a target IP address corresponding to a target packet and target Payload information corresponding to the target packet, wherein the target packet is a protocol interaction packet of a target network system in a target time period;
querying the target IP address and the target Payload information in an intelligence feature library, wherein the intelligence feature library comprises a risk level corresponding to the IP address of a known packet and a risk level corresponding to the Payload information of the known packet;
and, when at least one of the target IP address and the target Payload information is found, determining a target risk level of the target packet based on the risk level corresponding to the target IP address and/or the risk level corresponding to the target Payload information.
According to the network intelligence analysis method provided by the invention, after querying the target IP address and the target Payload information in the intelligence feature library, the method further comprises:
when neither the target IP address nor the target Payload information is found, determining an IP risk index corresponding to the target IP address and a Payload risk index corresponding to the target Payload information;
determining the target risk level based on the higher of the IP risk index and the Payload risk index.
According to the network intelligence analysis method provided by the invention, determining the IP risk index corresponding to the target IP address comprises:
determining the number and type of the Payload information associated with the target IP address in the target time period;
and determining the IP risk index corresponding to the target IP address based on the number of the associated Payload information, the type of the associated Payload information and the historical statistical IP risk index of the target IP address.
According to the network intelligence analysis method provided by the invention, determining the IP risk index corresponding to the target IP address based on the number of the associated Payload information, the type of the associated Payload information and the historical statistical IP risk index of the target IP address comprises:
determining a statistical IP risk index of the target IP address based on the historical statistical IP risk index of the target IP address and the number of the associated Payload information;
determining an IP association risk index of the target IP address based on the number and type of the associated Payload information;
and taking the sum of the statistical IP risk index and the IP association risk index as the IP risk index corresponding to the target IP address.
According to the network intelligence analysis method provided by the invention, determining the Payload risk index corresponding to the target Payload information comprises:
determining the type and number of the IP addresses associated with the target Payload information in the target time period;
and determining the Payload risk index corresponding to the target Payload information based on the type of the associated IP addresses, the number of the associated IP addresses and the historical statistical Payload risk index of the target Payload information.
According to the network intelligence analysis method provided by the invention, determining the Payload risk index corresponding to the target Payload information based on the type of the associated IP addresses, the number of the associated IP addresses and the historical statistical Payload risk index of the target Payload information comprises:
determining a statistical Payload risk index of the target Payload information based on the historical statistical Payload risk index of the target Payload information and the number of the associated IP addresses;
determining a Payload association risk index of the target Payload information based on the type and number of the associated IP addresses;
and taking the sum of the statistical Payload risk index and the Payload association risk index as the Payload risk index corresponding to the target Payload information.
According to the network intelligence analysis method provided by the invention, determining the target Payload information corresponding to the target packet comprises:
removing invalid data and duplicate data from the target packet to obtain valid packet information;
extracting initial Payload information from the valid packet information;
and normalizing the initial Payload information to obtain the target Payload information.
The invention also provides a network intelligence analysis device, comprising:
a first processing module, configured to determine a target IP address corresponding to a target packet and target Payload information corresponding to the target packet, wherein the target packet is a protocol interaction packet of a target network system in a target time period;
a second processing module, configured to query the target IP address and the target Payload information in an intelligence feature library, wherein the intelligence feature library comprises a risk level corresponding to the IP address of a known packet and a risk level corresponding to the Payload information of the known packet;
and a third processing module, configured to determine a target risk level of the target packet based on the risk level corresponding to the target IP address and/or the risk level corresponding to the target Payload information when at least one of the target IP address and the target Payload information is found.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the network intelligence analysis method described above.
The invention also provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the network intelligence analysis method described in any of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the network intelligence analysis method described in any of the above.
According to the network intelligence analysis method and device provided by the invention, the IP address and Payload information of the target packet are matched against the IP addresses and Payload information of known packets in the intelligence feature library, so that risk analysis can be performed on packets of unknown risk observed during protocol interaction, potential unknown risks in the network system can be discovered in time, a risk level can be assigned to the target packet, and corresponding security measures can be taken for the network system promptly.
Drawings
To illustrate the technical solutions of the invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of a network intelligence analysis method provided by the present invention;
FIG. 2 is a second schematic flow chart of the network intelligence analysis method provided by the present invention;
FIG. 3 is a third schematic flow chart of the network intelligence analysis method provided by the present invention;
FIG. 4 is a schematic structural diagram of a network information analysis apparatus provided in the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, embodiments of the invention. All other embodiments obtained by a person skilled in the art from the embodiments given herein without creative effort fall within the scope of protection of the invention.
The network intelligence analysis method and device of the invention are described below with reference to FIG. 1 to FIG. 5.
The network intelligence analysis method provided by the embodiments of the invention can be applied to a satellite network system. By processing captured target packets, it analyzes the unknown risk of high-emulation protocol interactions, so as to respond to unknown emergencies.
The execution subject of the network intelligence analysis method in the embodiments may be a processor; in some embodiments it may also be a server, and the execution subject is not limited here. The method is described below with a server as the execution subject.
Referring to FIG. 1, the network intelligence analysis method of the embodiment comprises steps 110, 120 and 130.
Step 110: determine the target IP address and target Payload information corresponding to the target packet.
It should be noted that the target packet is an abnormal protocol interaction packet of the target network system in the target time period.
It can be understood that the target network may be configured by building deep-interaction services, for example in a manner similar to building a honeypot system.
In that case, risk-free normal access behavior does not involve protocol interaction with the target network, whereas abnormal access behavior, such as that of attackers, network asset scanning companies, topology mapping companies and asset fingerprinting companies, does involve protocol interaction with the target network.
The target network system is the network system whose intelligence is to be collected and analyzed in the embodiment. It may be based on a satellite network system, a terrestrial computer communication network or a mobile communication network system, or it may be another type of network system; its specific form is not limited here.
It can be understood that a protocol interaction packet is a packet generated during deep network protocol interaction in the target network system. The protocol in the embodiment is a high-emulation protocol, i.e. a high-fidelity simulation of a real service, and is mainly based on common transport and application protocols.
The common transport and application protocols may be HTTP (Hypertext Transfer Protocol), Redis, SNMP, RDP (Remote Desktop Protocol), SSH and RTSP (Real Time Streaming Protocol), among others; the protocol of the embodiment may also be another network protocol, and the protocol type is not limited here.
It should be noted that the Redis protocol is the Redis serialization protocol (RESP), the interaction protocol used by Redis clients. SNMP is the Simple Network Management Protocol, a standard protocol designed for managing network nodes such as servers, workstations, routers, switches and hubs in an IP network. SSH is the main remote connection management protocol for Linux servers; it uses public-key cryptography for key exchange and authentication and then encrypts the session with symmetric keys, so that remote management data is protected in transit.
The protocol interaction of the target network system may include request/response interaction between different terminals of the target network system over the above protocols, and may also include protocol interaction for data transmission inside a client or server; the form of the protocol interaction is not limited here.
For example, to collect and analyze intelligence on the target network system from a network security perspective, the protocol interaction may specifically include network probing interaction, PoC (Proof of Concept) vulnerability verification interaction, vulnerability exploitation interaction, and the like.
Network probing behavior may include probing of cyberspace assets, asset fingerprints and ports of network devices. For example, the server may send a fingerprint probe packet to an asset device and receive the fingerprint response packet returned by the device, from which fingerprint information is collected.
PoC vulnerability verification interaction is interactive behavior that verifies a vulnerability in the network system. For example, the server may send a device in the network system a verification packet corresponding to vulnerability information disclosed in a vulnerability database, and receive the vulnerability feedback packet returned by the device.
Vulnerability exploitation interaction is a simulated attack test against a vulnerability in the network system. For example, the server may carry out a simulated attack on a network device according to the vulnerability information confirmed during verification, and receive the exploitation feedback packet returned by the device.
After protocol interaction takes place in the target network system within the target time period, target packets such as the fingerprint probe packet, fingerprint response packet, vulnerability verification packet, vulnerability feedback packet and exploitation feedback packet are generated. In the embodiment, the target packets generated during protocol interaction can be captured by a service deployed in the target network system in advance.
The target packet comprises information such as packet type, packet version, packet length, packet header, source IP address, destination IP address and key content.
As shown in FIG. 2, taking a satellite network system as an example, a network intelligence analysis system service may be deployed in the satellite network system in advance. The network intelligence analysis system may include a high-emulation protocol interaction unit, a packet processing unit, a packet analysis unit, a feature library unit and an intelligence output unit.
The high-emulation protocol interaction unit is used to acquire the target packets. High-emulation protocol interaction packets such as asset and fingerprint probe protocol packets, PoC vulnerability verification interaction packets and vulnerability exploitation interaction packets can thereby be captured from the abnormal access behavior of attackers, network asset scanning companies, topology mapping companies, asset fingerprinting companies and the like.
After capturing the target packets in the target time period, the high-emulation protocol interaction unit may first process them, after which the target IP address and target Payload information corresponding to each target packet can be determined. As shown in FIG. 2, the packet processing unit may process the target packet to obtain the target IP address and the target Payload information.
In some embodiments, the target IP address is the IP address of one of the network device nodes taking part in the protocol interaction; for example, it may be the source IP address or the destination IP address. In this embodiment, the target IP address is the source IP address of the protocol interaction.
Payload information is the basic payload data carried in a data packet. The target Payload information is the key content of the target packet, i.e. the basic valid data carried in the data packet of the target packet.
In some embodiments, the target Payload information may be determined as follows.
Because the target packet contains duplicate and invalid data, the invalid data and duplicate data in the target packet are first removed to obtain valid packet information.
After the valid packet information is obtained, the initial Payload information is extracted from it. In this process, irrelevant characters, sequence numbers, IP addresses and the like in the valid packet information can be eliminated, yielding the initial Payload information.
After the initial Payload information is obtained, it is normalized to obtain the target Payload information.
Normalizing the initial Payload information makes matching more convenient, which increases matching speed and reduces the amount of computation.
According to the network intelligence analysis method provided by the embodiment, filtering invalid and duplicate data out of the target packet and normalizing the Payload information effectively reduces matching difficulty and improves matching accuracy and speed.
Step 120: query the target IP address and the target Payload information in the intelligence feature library.
It can be understood that, during the query, the target IP address and the target Payload information are matched against the IP addresses of known packets and the Payload information of known packets in the intelligence feature library, respectively, and the matching result for the target packet is then determined.
As shown in FIG. 2, the packet analysis unit is configured to determine the intelligence feature library in the feature library unit, and to match the target IP address and the target Payload information against the IP addresses and the Payload information of known packets in the intelligence feature library, respectively. The feature library unit is used to store the various intelligence features.
It should be noted that the intelligence feature library comprises a risk level corresponding to the IP address of each known packet and a risk level corresponding to the Payload information of each known packet; the risk level of a known packet may be the higher of these two.
The intelligence feature library comprises acquired historical intelligence. For example, the historical intelligence may include packets from protocol interactions through known vulnerabilities together with their risk levels, and packets from historical high-risk protocol interactions together with their risk levels.
The risk levels of known packets in the intelligence feature library are graded according to the harm caused by the known vulnerability or high-risk protocol interaction. For example, the risk level of a known packet's IP address and of its Payload information may be graded as no risk, low risk, medium risk or high risk.
The IP address of a known packet may include the IP address of each node of the protocol interaction recorded in the known packet, for example the source IP address and the destination IP address.
When the target IP address is the source IP address, it may be matched textually against the source IP addresses of known packets. When the target IP address is identical to the source IP address of a known packet, the target IP address is determined to match the IP address of that known packet, i.e. the target IP address is found in the intelligence feature library.
When the target Payload information is queried and matched against the Payload information of known packets, text keyword matching may be used. For example, keywords may be extracted from the text of the target Payload information and from the text of the known packet's Payload information, and the extracted keywords are then matched textually.
When the Payload information of a known packet comprises several keywords, the target Payload information is determined to match it only if the target Payload information matches all of those keywords; the target Payload information is then found in the intelligence feature library.
Conversely, if the target Payload information matches only some of the keywords of the known packet's Payload information, or none of them, it is determined not to match that Payload information, i.e. the target Payload information is not found in the intelligence feature library.
Step 130: when at least one of the target IP address and the target Payload information is found, determine the target risk level of the target packet based on the risk level corresponding to the target IP address and/or the risk level corresponding to the target Payload information.
It can be understood that, according to the query result, the target risk level of the target packet can be determined whenever at least one of the target IP address and the target Payload information matches the IP address or the Payload information of a known packet.
If the target IP address matches the IP address of a known packet but the target Payload information matches no known Payload information, the risk level of the successfully matched known IP address is used as the target risk level of the target packet.
If the target IP address matches the IP address of a known packet and the target Payload information also matches the Payload information of a known packet, it is first determined whether the matched IP address and the matched Payload information in the intelligence feature library belong to the same known packet.
If they belong to the same known packet, the risk level of that known packet is used directly as the target risk level of the target packet; if they belong to different known packets, the higher of the two risk levels corresponding to the IP address and to the Payload information respectively is used as the target risk level.
If the target Payload information matches the Payload information of a known packet but the target IP address matches no known IP address, the risk level corresponding to the successfully matched Payload information is used as the target risk level of the target packet.
In this embodiment, because the packets generated during deep protocol interaction in the network system carry IP addresses and the key interaction content, i.e. Payload information, the target IP address and target Payload information are obtained from the captured target packet, and the potential risk in the target packet can be analyzed from them.
As shown in FIG. 2, the intelligence output unit may classify and output the target risk level of the target packet according to its target IP address and target Payload information, and then feed the result back to the respective engines for application.
The intelligence output unit can determine the intelligence type of the target packet from its target IP address and target Payload information; for example, the intelligence type may be a probing behavior feature, a PoC vulnerability verification interaction feature, a vulnerability exploitation interaction feature, or another unknown high-risk interaction feature.
The relevant intelligence may then be fed back, according to its type, to the fingerprint probing engine, the PoC verification engine, the vulnerability exploitation engine and other engines.
Because the intelligence feature library contains acquired historical intelligence, including the risk levels of known packets from protocol interactions through known vulnerabilities and from high-risk protocol interactions, directly querying and matching the target IP address and target Payload information against the IP addresses and Payload information of known packets makes it possible to identify the known intelligence associated with the target packet's risk and to use that intelligence's risk level as the risk level of the target packet, thereby achieving intelligence analysis of packets of unknown risk.
According to the network intelligence analysis method provided by the embodiment, matching the IP address and target Payload information of the target packet against the IP addresses and Payload information of known packets in the intelligence feature library allows risk analysis of packets of unknown risk observed during protocol interaction, so that potential unknown risks in the network system are discovered in time, a target risk level is assigned to the target packet, and corresponding security measures can be taken promptly.
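Steps 110 to 130 as described above, written out as an added example in Python. This code is not part of the patent or of any Webray product: the feature-library entries, the keyword sets, the normalization regular expressions, and the rule that the highest level wins when several library entries match the same IP are assumptions made for the example.

```python
"""Added example (not the patent's code): feature-library lookup for steps 110-130.

Assumed, because the page does not fix them: the library entries, the keyword
sets, the normalization regexes, and the handling of several matching entries
(the highest level wins).
"""
import re
from dataclasses import dataclass

# The four levels the page names, in increasing order of risk.
LEVELS = ["none", "low", "medium", "high"]


@dataclass(frozen=True)
class KnownPacket:
    """One historical entry: source IP, Payload keywords, and the two risk levels."""
    src_ip: str
    keywords: frozenset
    ip_level: str
    payload_level: str

    def level(self) -> str:
        """Risk level of the known packet itself: the higher of its two levels."""
        return max(self.ip_level, self.payload_level, key=LEVELS.index)


# Constructed feature library using documentation-range addresses (hypothetical data).
FEATURE_LIBRARY = [
    KnownPacket("203.0.113.7", frozenset({"get", "/.env"}), "high", "medium"),
    KnownPacket("198.51.100.9", frozenset({"post", "/cgi-bin/", "/bin/bash"}), "medium", "high"),
    KnownPacket("203.0.113.7", frozenset({"info", "redis"}), "high", "low"),
]


def normalize_payload(raw: bytes) -> str:
    """Step 110: drop empty and duplicate lines (invalid/repeated data), strip IP
    addresses and sequence numbers, remove non-printable characters, then lower-case
    and collapse whitespace so keyword matching is cheap and case-insensitive."""
    seen, lines = set(), []
    for line in raw.decode("utf-8", errors="ignore").splitlines():
        line = line.strip()
        if line and line not in seen:
            seen.add(line)
            lines.append(line)
    text = " ".join(lines)
    text = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "", text)  # IP addresses
    text = re.sub(r"\b(?:seq|id)=\d+\b", "", text)          # sequence numbers (assumed form)
    text = re.sub(r"[^\x20-\x7e]", "", text)                  # non-printable characters
    return re.sub(r"\s+", " ", text).strip().lower()


def payload_matches(target_payload: str, keywords) -> bool:
    """Page rule: every keyword of the known Payload must appear; a partial match fails."""
    return all(k in target_payload for k in keywords)


def lookup(target_ip: str, target_payload: str):
    """Step 120: match the IP textually and the Payload by keywords, separately."""
    ip_hits = [k for k in FEATURE_LIBRARY if k.src_ip == target_ip]
    payload_hits = [k for k in FEATURE_LIBRARY if payload_matches(target_payload, k.keywords)]
    return ip_hits, payload_hits


def target_risk_level(target_ip: str, target_payload: str):
    """Step 130. Returns None when nothing is found, i.e. steps 310/320 must run."""
    ip_hits, payload_hits = lookup(target_ip, target_payload)
    if not ip_hits and not payload_hits:
        return None
    if not payload_hits:                       # IP matched only
        return max((k.ip_level for k in ip_hits), key=LEVELS.index)
    if not ip_hits:                            # Payload matched only
        return max((k.payload_level for k in payload_hits), key=LEVELS.index)
    same = [k for k in ip_hits if k in payload_hits]
    if same:                                   # both point at the same known packet
        return max((k.level() for k in same), key=LEVELS.index)
    ip_level = max((k.ip_level for k in ip_hits), key=LEVELS.index)
    payload_level = max((k.payload_level for k in payload_hits), key=LEVELS.index)
    return max(ip_level, payload_level, key=LEVELS.index)   # different packets: higher wins


if __name__ == "__main__":
    # Constructed capture: a probe for a leaked .env file from a known source IP.
    captured = (b"GET /.env HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                b"Host: 203.0.113.7\r\nX-Seq: seq=1234\r\n\r\n")
    payload = normalize_payload(captured)
    print(payload, "->", target_risk_level("203.0.113.7", payload))
```

The keyword rule is deliberately all-or-nothing, as the page requires: a Payload that carries only some of a known entry's keywords is not a hit, which keeps a generic `GET /` from inheriting the level of a known `GET /.env` probe. The `None` return is the hand-off to the index computation of steps 310 and 320.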
As shown in fig. 3, in some embodiments, at step 130: after querying the target IP address and the target Payload information in the intelligence feature library, the network intelligence analysis method of the embodiment of the present invention further includes step 310 and step 320.
Step 310: when the target IP address or the target Payload information is not found by the query, determine an IP risk index corresponding to the target IP address and a Payload risk index corresponding to the target Payload information.
It can be understood that, according to the query result, when neither the target IP address nor the target Payload information matches the IP address or Payload information of a known packet, the IP risk index corresponding to the target IP address and the Payload risk index corresponding to the target Payload information are determined.
In that case, because neither the target IP address nor the target Payload information can be matched with the IP address or Payload information of a known packet, the target risk level of the target packet cannot be determined from the risk level of known intelligence.
In order to analyze the risk level of the target packet, an IP risk index corresponding to the target IP address and a Payload risk index corresponding to the target Payload information may be determined separately.
It should be noted that the IP risk index is determined by performing risk analysis on the IP address in the target packet, and is used to evaluate the risk degree of that IP address.
The Payload risk index is determined by performing risk analysis on the target Payload information in the target packet, and is used to evaluate the risk degree of that target Payload information.
In some embodiments, the IP risk index corresponding to the target IP address can be determined by comprehensively analyzing the type, attribution and public IP reputation information of the IP address.
It should be noted that the type of the IP address may be determined from the corresponding target packet, for example by classifying according to the protocol interaction type of the target packet. In that case the type of IP address may correspond respectively to protocol interactions such as network probing behaviour, PoC vulnerability verification interaction and vulnerability exploitation interaction.
In other embodiments, the IP risk index may instead be determined from the Payload information associated with the target IP address.
In that case, determining the IP risk index corresponding to the target IP address first involves determining the number and type of the associated Payload information of the target IP address in the target time period.
It can be understood that N target packets may be obtained within a target time period, where N is a positive integer. The N target packets comprise at least N target IP addresses and N pieces of target Payload information.
The same target IP address may appear more than once among the N target IP addresses, that is, the same target IP address may correspond to different Payload information. The several different pieces of target Payload information corresponding to the same target IP address are all associated Payload information of that target IP address.
In that case, the number and type of the associated Payload information of the target IP address in the target time period can be determined.
It should be noted that the type of the associated Payload information may be determined from the corresponding target packet, and may correspond to protocol interactions such as network probing behaviour, PoC vulnerability verification interaction and vulnerability exploitation interaction.
In this embodiment, the IP risk index corresponding to the target IP address may be determined based on the number of associated Payload information, the type of associated Payload information and the IP historical statistical risk index of the target IP address. The IP historical statistical risk index of the target IP address reflects the protocol interaction risk in the IP address dimension during the previous time period.
The IP historical statistical risk index of the target IP address may be determined from the number of associated Payload information corresponding to the target IP address acquired in the previous time period.
For example, the IP historical statistical risk index of the target IP address may be the product of the number of associated Payload information corresponding to the target IP address in the previous time period and a first weight value.
In this embodiment, when determining the IP historical statistical risk index of the target IP address, the first weight value may be a constant between 1 and 10; in this embodiment it may be 1. The first weight value determines the relation between the number of associated Payload information in the historical time period and the IP historical statistical risk index.
In this embodiment, the statistical IP risk index of the target IP address can be determined from the IP historical statistical risk index of the target IP address and the number of associated Payload information, so that the influence of historical protocol interaction in the network system is taken into account, different analysis periods are linked together, and the risk analysis covers more dimensions.
In other embodiments, the step of determining the IP risk index corresponding to the target IP address based on the number of associated Payload information, the type of associated Payload information and the IP historical statistical risk index may include determining a statistical IP risk index of the target IP address based on the IP historical statistical risk index of the target IP address and the number of associated Payload information.
The statistical IP risk index reflects the associated risk between the target IP address and the target Payload information in the current time period in which the target packet is acquired.
In this embodiment, the average of the number of associated Payload information of the target IP address in the current target time period and the number of associated Payload information corresponding to the target IP address in the previous time period may be determined, and the product of that average and a second weight value used as the statistical IP risk index.
In other embodiments, when the number of associated Payload information corresponding to the target IP address acquired in the previous time period is zero, the product of that number and the second weight value is zero, that is, the IP historical statistical risk index of the target IP address is zero.
In this embodiment, the IP historical statistical risk index of the target IP address is zero because the target IP address had no protocol interaction request behaviour in the historical time period; the target IP address first performs protocol interaction requests in the current target time period.
In that case, the product of the number of target Payload information associated with the target IP address in the current target time period and the second weight value may be used directly as the statistical IP risk index.
In this embodiment, when determining the statistical IP risk index of the target IP address, the second weight value may be a constant between 1 and 10; in this embodiment it may be 1. The second weight value determines the relation between the number of associated Payload information in the current target time period and the statistical IP risk index.
In this embodiment, both the IP historical statistical risk index and the statistical IP risk index of the target IP address are determined from the number of associated Payload information and the corresponding weight value, so both can be measured as the product of a count and a weight value.
In this embodiment, the IP association risk index of the target IP address may be determined based on the number of associated Payload information and the type of associated Payload information.
The IP association risk index reflects the risk of the degree of association of protocol interaction behaviour in the source IP dimension. The Payload characteristic risk index corresponding to each piece of associated Payload information is determined according to the type of that associated Payload information.
The Payload characteristic risk index corresponding to a type of Payload information can be obtained from a Payload mapping table, which stores the Payload characteristic risk index for each type of Payload information. It should be noted that the Payload characteristic risk indexes for the different types of Payload information are set manually according to the risk situation.
In some embodiments, the number of Payload information of a given type in the previous time period or the current target time period may be determined, and the product of that number and a third weight value used as the Payload characteristic risk index for that type of Payload information. It will be appreciated that the Payload characteristic risk indexes of the different types are then updated dynamically over time.
When determining the Payload characteristic risk indexes of the different types, the third weight value may be a constant between 1 and 10; it determines the relation between the amount of Payload information and the Payload characteristic risk index.
In this embodiment, the estimated risk level of Payload information may be determined according to its type and maintenance degree. The higher the estimated risk level of the Payload information, the higher the third weight value.
In this embodiment, the Payload characteristic risk indexes of the several pieces of associated Payload information are added to obtain the IP association risk index of the target IP address.
In that case, the sum of the statistical IP risk index, the IP association risk index and the Payload characteristic risk index of the target IP address is determined as the IP risk index corresponding to the target IP address.
Of course, in other embodiments the sum of the statistical IP risk index and the IP association risk index of the target IP address may also be determined directly as the IP risk index corresponding to the target IP address; the way the IP risk index corresponding to the target IP address is determined is not limited here.
It can be understood that the IP characteristic risk index corresponding to the target IP address can likewise be obtained from a mapping table that stores the characteristic risk indexes corresponding to the various types of target IP address.
In this embodiment, by comprehensively considering the protocol interaction behaviour associated with the target IP address, association analysis between the IP address and the Payload information can be performed to analyze unknown risks in the target packet, so that potential risks can be comprehensively identified and discovered.
In some embodiments, the Payload risk index corresponding to the target Payload information may be determined by comprehensively analyzing the type of the target Payload information and its keywords.
It can be understood that the type of the target Payload information may be determined from the corresponding target packet, for example by classifying according to the protocol interaction type of the target packet. In that case the type of the target Payload information may correspond respectively to protocol interactions such as network probing behaviour, PoC vulnerability verification interaction and vulnerability exploitation interaction.
In other embodiments, determining the Payload risk index corresponding to the target Payload information includes determining the number and type of the associated IP addresses of the target Payload information in the target time period.
It is understood that the same target Payload information may correspond to different target packets, and those different target packets may carry multiple target IP addresses. The different target IP addresses in the different target packets corresponding to the same target Payload information are the associated IP addresses of that target Payload information.
In that case, the number of associated IP addresses of the target Payload information in the target time period may be determined, and the Payload risk index corresponding to the target Payload information then determined from the number of associated IP addresses and the Payload historical statistical risk index of the target Payload information.
The Payload historical statistical risk index of the target Payload information may be determined from the number of associated IP addresses corresponding to the target Payload information acquired in the previous time period.
For example, the Payload historical statistical risk index of the target Payload information may be the product of the number of associated IP addresses corresponding to the target Payload information in the previous time period and a fourth weight value.
In the present embodiment, the fourth weight value is a constant between 1 and 10; for example, it may be 1. The fourth weight value determines the relation between the number of associated IP addresses in the historical time period and the Payload historical statistical risk index.
In this embodiment, the Payload risk index corresponding to the target Payload information may be determined based on the type of the associated IP addresses, the number of the associated IP addresses and the Payload historical statistical risk index of the target Payload information. The Payload historical statistical risk index reflects the protocol interaction risk in the Payload information dimension during the previous time period.
Because the Payload risk index corresponding to the target Payload information is determined from the number of associated IP addresses and the Payload historical statistical risk index of the target Payload information, the influence of historical protocol interaction in the network system is taken into account, different analysis periods are linked together, and the risk analysis covers more dimensions.
In some embodiments, the step of determining the Payload risk index corresponding to the target Payload information based on the number of associated IP addresses and the Payload historical statistical risk index may further include determining a statistical Payload risk index of the target Payload information based on the Payload historical statistical risk index of the target Payload information and the number of associated IP addresses.
The statistical Payload risk index reflects the associated risk between the target Payload information and the target IP address in the time period in which the target packet is currently acquired.
In this embodiment, the number of associated IP addresses of the target Payload information in the current target time period may be determined, that number averaged with the number of associated IP addresses of the target Payload information in the previous time period, and the product of the average and a fifth weight value used as the statistical Payload risk index.
In other embodiments, when the number of associated IP addresses corresponding to the target Payload information acquired in the previous time period is zero, the product of that number and the fifth weight value is zero, that is, the Payload historical statistical risk index of the target Payload information is zero.
In this embodiment, the Payload historical statistical risk index of the target Payload information is zero because no target packet carrying the target Payload information was acquired in the historical time period; a target packet carrying the target Payload information is acquired for the first time in the current target time period.
In that case, the product of the number of target IP addresses currently associated with the target Payload information and the fifth weight value may be used directly as the statistical Payload risk index.
In the present embodiment, the fifth weight value is a constant between 1 and 10; for example, it may be 1. The fifth weight value determines the relation between the number of associated IP addresses in the current target time period and the statistical Payload risk index.
In this embodiment, both the Payload historical statistical risk index and the statistical Payload risk index of the target Payload information are determined from the number of associated IP addresses and the corresponding weight values, so both can be measured as the product of a count and a weight value.
In this embodiment, the Payload association risk index and the Payload characteristic risk index of the target Payload information may be determined based on the type and number of the associated IP addresses.
The IP characteristic risk index corresponding to a type of IP address can be obtained from an IP mapping table, which stores the IP characteristic risk index for each type of IP address. It should be noted that the IP characteristic risk indexes for the different types of IP address are set manually according to the risk situation.
In some embodiments, the number of IP addresses of a given type in the previous time period or the current target time period may be determined, and the product of that number and a sixth weight value used as the IP characteristic risk index for that type of IP address. It will be appreciated that the IP characteristic risk indexes of the different types are then updated dynamically over time.
When determining the IP characteristic risk indexes of the different types, the sixth weight value may be a constant between 1 and 10; it determines the relation between the number of IP addresses and the IP characteristic risk index.
In this embodiment, the estimated risk level of an IP address may be determined according to its type and reputation value. The higher the estimated risk level of the IP address, the higher the sixth weight value.
In this embodiment, the Payload association risk index of the target Payload information is obtained by adding the IP characteristic risk indexes of the several associated IP addresses, according to the number and types of the associated IP addresses of the target Payload information.
In that case, the sum of the statistical Payload risk index, the Payload association risk index and the Payload characteristic risk index of the target Payload information may be determined as the Payload risk index corresponding to the target Payload information.
Of course, in other embodiments the sum of the statistical Payload risk index and the Payload association risk index of the target Payload information may also be determined as the Payload risk index corresponding to the target Payload information; the way the Payload risk index corresponding to the target Payload information is determined is not limited here.
In this embodiment, by comprehensively considering the protocol interaction behaviour associated with the target Payload information, association analysis between the IP address and the Payload information can be performed to analyze unknown risks in the target packet, so that potential risks are fully identified and discovered.
Step 320: determine the target risk level based on the higher of the IP risk index and the Payload risk index.
It can be understood that, in order to respond to the potential risk at the highest applicable level, the higher of the IP risk index corresponding to the target IP address and the Payload risk index corresponding to the target Payload information is taken as the actual risk index of the target packet, and the target risk level of the target packet is then assigned according to that actual risk index.
In this embodiment, thresholds of different levels may be set to map the IP risk index and the Payload risk index to the corresponding target risk levels; the sizes of the thresholds and the risk level corresponding to each threshold interval may be determined according to the actual situation and are not limited here.
According to the network intelligence analysis method provided by the embodiment of the invention, when no known packet in the intelligence feature library matches the target packet, the target risk level of the target packet is determined by separately determining risk indexes in the IP address dimension and in the Payload information dimension, so that the potential risks in both the IP address and the Payload information of the target packet are comprehensively considered and the unknown-risk analysis covers more dimensions.
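As an added worked example (not code from the patent or its applicant), the following Python implements the library lookup of steps 130 and 140 and the step 310 and 320 scoring described above on constructed sample packets. The weight values, the per-type characteristic indexes standing in for the Payload and IP mapping tables, the level thresholds and the "higher level wins" rule when both dimensions match the library are assumptions; the IP and Payload risk indexes use the two-term variant (statistical index plus association index) of the description.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Optional

# Weight values: the text allows a constant between 1 and 10 and uses 1 in its embodiment.
W_HISTORICAL = 1   # first / fourth weight value (historical statistical index)
W_STATISTICAL = 1  # second / fifth weight value (statistical index)

# Characteristic risk indexes per protocol-interaction type (the "Payload mapping table"
# and "IP mapping table"); the text says these are set manually, so the values are constructed.
PAYLOAD_FEATURE_INDEX = {"probe": 1, "poc": 3, "exploit": 5}
IP_FEATURE_INDEX = {"probe": 1, "poc": 3, "exploit": 5}

# Step 320 thresholds (constructed), checked from the highest level down.
LEVEL_THRESHOLDS = (("high", 10), ("medium", 5), ("low", 0))
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Packet:
    ip: str       # source IP address of the protocol interaction
    payload: str  # normalized target Payload information
    ptype: str    # interaction type: "probe", "poc" or "exploit"


def library_lookup(pkt: Packet, ip_levels: Dict[str, str],
                   payload_levels: Dict[str, str]) -> Optional[str]:
    """Steps 130/140: if either dimension matches a known packet, reuse its risk level.
    The text says 'and/or'; when both match, this example keeps the higher level (assumption)."""
    hits = [lvl for lvl in (ip_levels.get(pkt.ip), payload_levels.get(pkt.payload)) if lvl]
    return max(hits, key=LEVEL_RANK.__getitem__) if hits else None


def associations(packets):
    """Build the two 'associated' views of one time period:
    ip -> {associated payload: type} and payload -> {associated IP: type}."""
    by_ip, by_payload = defaultdict(dict), defaultdict(dict)
    for p in packets:
        by_ip[p.ip][p.payload] = p.ptype
        by_payload[p.payload][p.ip] = p.ptype
    return by_ip, by_payload


def statistical_index(n_current: int, n_previous: int) -> float:
    """Statistical risk index of one dimension. The historical index is the previous-period
    count times W_HISTORICAL; if it is zero (first appearance) only the current count is
    weighted, otherwise the average of the current and previous counts is weighted."""
    if n_previous * W_HISTORICAL == 0:
        return n_current * W_STATISTICAL
    return mean([n_current, n_previous]) * W_STATISTICAL


def dimension_index(key, current_view, previous_view, feature_table) -> float:
    """Risk index of one dimension = statistical index + association index, the latter being
    the sum of the characteristic index of each associated item looked up by its type."""
    current = current_view.get(key, {})
    previous = previous_view.get(key, {})
    stat = statistical_index(len(current), len(previous))
    assoc = sum(feature_table[t] for t in current.values())
    return stat + assoc


def risk_level(index: float) -> str:
    """Step 320: map an index to a level through the threshold intervals."""
    for label, threshold in LEVEL_THRESHOLDS:
        if index >= threshold:
            return label
    return "low"


def analyze(pkt, ip_levels, payload_levels, current_period, previous_period) -> dict:
    """Full flow: library match first; otherwise step 310 in both dimensions and
    step 320 on the higher of the two indexes."""
    known = library_lookup(pkt, ip_levels, payload_levels)
    if known is not None:
        return {"source": "library", "level": known}
    cur_ip, cur_pl = associations(current_period)
    prev_ip, prev_pl = associations(previous_period)
    ip_index = dimension_index(pkt.ip, cur_ip, prev_ip, PAYLOAD_FEATURE_INDEX)
    payload_index = dimension_index(pkt.payload, cur_pl, prev_pl, IP_FEATURE_INDEX)
    return {"source": "computed", "ip_index": ip_index, "payload_index": payload_index,
            "level": risk_level(max(ip_index, payload_index))}


# Constructed sample data: a small intelligence feature library and two periods of packets.
KNOWN_IP_LEVELS = {"198.51.100.23": "high"}
KNOWN_PAYLOAD_LEVELS = {"K1": "medium"}
PREVIOUS_PERIOD = [Packet("203.0.113.7", "P1", "probe"), Packet("203.0.113.7", "P2", "poc")]
CURRENT_PERIOD = [
    Packet("203.0.113.7", "P1", "probe"), Packet("203.0.113.7", "P3", "poc"),
    Packet("203.0.113.7", "P4", "exploit"), Packet("198.51.100.9", "P4", "exploit"),
    Packet("192.0.2.5", "P5", "probe"),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "P4", "exploit"),   # unknown, heavy association -> high
                Packet("192.0.2.5", "P5", "probe"),       # unknown, first seen -> low
                Packet("198.51.100.23", "P9", "probe")):  # IP known in the library -> high
        print(pkt, analyze(pkt, KNOWN_IP_LEVELS, KNOWN_PAYLOAD_LEVELS, CURRENT_PERIOD, PREVIOUS_PERIOD))
```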
The network intelligence analysis apparatus provided by the invention is described below; the apparatus described below and the network intelligence analysis method described above correspond to each other and may be referred to together.
Referring to fig. 4, the network intelligence analysis apparatus according to the embodiment of the present invention includes a first processing module 410, a second processing module 420 and a third processing module 430.
The first processing module 410 is configured to determine a target IP address corresponding to a target packet, and determine target Payload information corresponding to the target packet, where the target packet is a protocol interaction packet of a target network system in a target time period;
the second processing module 420 is configured to query a target IP address and target Payload information in an intelligence feature library, where the intelligence feature library includes a risk level of the IP address corresponding to a known packet and a risk level of the Payload information corresponding to the known packet;
the third processing module 430 is configured to, when at least one of the target IP address and the target Payload information is queried, determine a target risk level of the target packet based on a risk level corresponding to the target IP address and/or a risk level corresponding to the target Payload information.
According to the network intelligence analysis apparatus provided by the embodiment of the invention, risk analysis can be carried out on a packet of unknown risk in the protocol interaction process by matching the IP address and target Payload information of the target packet respectively against the IP addresses and Payload information of the known packets in the intelligence feature library. Potential unknown risks in the network system can therefore be found in time, the risk level of the target packet can be matched, and corresponding security measures can be taken for the network system conveniently and promptly.
In some embodiments, the network intelligence analysis apparatus according to the embodiments of the present invention further includes a fourth processing module, where the fourth processing module is configured to, when the target IP address or the target Payload information is not queried, determine an IP risk index corresponding to the target IP address, determine a Payload risk index corresponding to the target Payload information, and determine the target risk level based on a higher one of the IP risk index and the Payload risk index.
In some embodiments, the fourth processing module is further configured to determine the number and type of associated Payload information of the target IP address within the target time period; and determining the IP risk index corresponding to the target IP address based on the quantity of the associated Payload information, the type of the associated Payload information and the IP historical statistical risk index of the target IP address.
In some embodiments, the fourth processing module is further configured to determine a statistical IP risk index for the target IP address based on the historical statistical risk index for the target IP address and the amount of associated Payload information; determining an IP association risk index of the target IP address based on the quantity of the associated Payload information and the type of the associated Payload information; and determining the sum of the statistical IP risk index and the IP associated risk index of the target IP address as the IP risk index corresponding to the target IP address.
In some embodiments, the fourth processing module is further configured to determine a type and a number of associated IP addresses of the target Payload information in a target time period; and determining the Payload risk index corresponding to the target Payload information based on the type of the associated IP addresses, the number of the associated IP addresses and the Payload historical statistical risk index of the target Payload information.
In some embodiments, the fourth processing module is further configured to determine a statistical Payload risk index for the target Payload information based on the Payload historical statistical risk index for the target Payload information and the number of associated IP addresses; determining a Payload association risk index of the target Payload information based on the type and the number of the associated IP addresses; and determining the sum of the statistical Payload risk index of the target Payload information and the Payload associated risk index as the Payload risk index corresponding to the target Payload information.
In some embodiments, the first processing module 410 is further configured to clear invalid data and duplicate data in the target message, and obtain valid message information; extracting initial Payload information from the effective message information; and normalizing the initial Payload information to obtain target Payload information.
Fig. 5 illustrates the physical structure of an electronic device, which, as shown in fig. 5, may include a processor 510, a communications interface 520, a memory 530 and a communication bus 540, where the processor 510, the communications interface 520 and the memory 530 communicate with each other via the communication bus 540. The processor 510 may invoke logic instructions in the memory 530 to perform a network intelligence analysis method comprising: determining a target IP address corresponding to a target packet, and determining target Payload information corresponding to the target packet, where the target packet is a protocol interaction packet of a target network system in a target time period; querying the target IP address and the target Payload information in an intelligence feature library, where the intelligence feature library comprises a risk level corresponding to the IP address of a known packet and a risk level corresponding to the Payload information of the known packet; and, when at least one of the target IP address and the target Payload information is found, determining the target risk level of the target packet based on the risk level corresponding to the target IP address and/or the risk level corresponding to the target Payload information.
Furthermore, the logic instructions in the memory 530 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as an independent product. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium, comprising instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or some of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program that can be stored on a non-transitory computer-readable storage medium; when the computer program is executed by a processor, the computer is able to execute the network intelligence analysis method provided by the methods above, the method comprising: determining a target IP address corresponding to a target packet, and determining target Payload information corresponding to the target packet, where the target packet is a protocol interaction packet of a target network system in a target time period; querying the target IP address and the target Payload information in an intelligence feature library, where the intelligence feature library comprises a risk level corresponding to the IP address of a known packet and a risk level corresponding to the Payload information of the known packet; and, when at least one of the target IP address and the target Payload information is found, determining the target risk level of the target packet based on the risk level corresponding to the target IP address and/or the risk level corresponding to the target Payload information.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the network intelligence analysis method provided by the methods above, the method comprising: determining a target IP address corresponding to a target packet, and determining target Payload information corresponding to the target packet, where the target packet is a protocol interaction packet of a target network system in a target time period; querying the target IP address and the target Payload information in an intelligence feature library, where the intelligence feature library comprises a risk level corresponding to the IP address of a known packet and a risk level corresponding to the Payload information of the known packet; and, when at least one of the target IP address and the target Payload information is found, determining the target risk level of the target packet based on the risk level corresponding to the target IP address and/or the risk level corresponding to the target Payload information.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (7)

1. A network intelligence analysis method, comprising:
determining a target IP address corresponding to a target message, and determining target Payload information corresponding to the target message, wherein the target message is a protocol interaction message of a target network system in a target time period; the protocol interaction message is a message generated when deep network protocol interaction is carried out in the target network system; and the protocol interaction comprises network detection behavior interaction, PoC vulnerability verification interaction and vulnerability exploitation interaction;
querying the target IP address and the target Payload information in an intelligence feature library, wherein the intelligence feature library comprises a risk level corresponding to the IP address of a known message and a risk level corresponding to the Payload information of the known message;
in the case that at least one of the target IP address and the target Payload information is found, determining a target risk level of the target message based on a risk level corresponding to the target IP address and/or a risk level corresponding to the target Payload information;
after querying the target IP address and the target Payload information in an intelligence feature library, the method further comprises:
in the case that the target IP address or the target Payload information is not found, determining an IP risk index corresponding to the target IP address, and determining a Payload risk index corresponding to the target Payload information;
determining the target risk level based on a higher one of the IP risk index and the Payload risk index;
the determining the IP risk index corresponding to the target IP address includes:
determining the quantity and type of the associated Payload information of the target IP address in the target time period;
determining an IP risk index corresponding to the target IP address based on the quantity of the associated Payload information, the type of the associated Payload information and the IP historical statistical risk index of the target IP address; the associated Payload information is the different target Payload information corresponding to the same target IP address in different target messages; the IP historical statistical risk index is used to reflect the protocol interaction risk condition of the IP address dimension in the previous time period;
the determining the Payload risk index corresponding to the target Payload information includes:
determining the type and the number of the associated IP addresses of the target Payload information in the target time period; determining a Payload risk index corresponding to the target Payload information based on the type of the associated IP addresses, the number of the associated IP addresses and the Payload historical statistical risk index of the target Payload information; the associated IP addresses are the different target IP addresses corresponding to the same target Payload information in different target messages; the Payload historical statistical risk index is used to reflect the protocol interaction risk condition of the Payload information dimension in the previous time period.
2. The method of analyzing network intelligence according to claim 1, wherein the determining an IP risk index corresponding to the target IP address based on the quantity of the associated Payload information, the type of the associated Payload information, and the IP historical statistical risk index of the target IP address comprises:
determining a statistical IP risk index of the target IP address based on the historical statistical risk index of the target IP address and the quantity of the associated Payload information;
determining an IP associated risk index of the target IP address based on the quantity of the associated Payload information and the type of the associated Payload information;
and determining the sum of the statistical IP risk index and the IP associated risk index of the target IP address as the IP risk index corresponding to the target IP address.
3. The method for analyzing network intelligence according to claim 1, wherein the determining a Payload risk index corresponding to the target Payload information based on the type of the associated IP addresses, the number of the associated IP addresses, and the Payload historical statistical risk index of the target Payload information comprises:
determining a statistical Payload risk index of the target Payload information based on the Payload historical statistical risk index of the target Payload information and the number of the associated IP addresses;
determining a Payload association risk index of the target Payload information based on the type and number of the associated IP addresses;
and determining the sum of the statistical Payload risk index and the Payload associated risk index of the target Payload information as the Payload risk index corresponding to the target Payload information.
4. The method according to any of claims 1-3, wherein the determining the target Payload information corresponding to the target message comprises:
removing invalid data and repeated data in the target message to obtain effective message information;
extracting initial Payload information from the effective message information;
and normalizing the initial Payload information to obtain target Payload information.
5. A network intelligence analysis apparatus, comprising:
a first processing module, configured to determine a target IP address corresponding to a target message and to determine target Payload information corresponding to the target message, wherein the target message is a protocol interaction message of a target network system in a target time period; the protocol interaction message is a message generated when deep network protocol interaction is carried out in the target network system; and the protocol interaction comprises network detection behavior interaction, PoC vulnerability verification interaction and vulnerability exploitation interaction;
a second processing module, configured to query the target IP address and the target Payload information in an intelligence feature library, wherein the intelligence feature library comprises a risk level corresponding to the IP address of a known message and a risk level corresponding to the Payload information of the known message;
a third processing module, configured to determine a target risk level of the target message based on a risk level corresponding to the target IP address and/or a risk level corresponding to the target Payload information when at least one of the target IP address and the target Payload information is found;
a fourth processing module, configured to determine, when the target IP address or the target Payload information is not found, an IP risk index corresponding to the target IP address, and to determine a Payload risk index corresponding to the target Payload information; and to determine the target risk level based on the higher one of the IP risk index and the Payload risk index;
the fourth processing module is further configured to determine the number and type of associated Payload information of the target IP address in the target time period; determining an IP risk index corresponding to the target IP address based on the quantity of the associated Payload information, the type of the associated Payload information and the IP historical statistical risk index of the target IP address; the associated Payload information is different target Payload information corresponding to the same target IP address in different target messages; the IP historical statistical risk index is used for reflecting the protocol interaction risk condition of the IP address dimension in the previous time period;
the fourth processing module is further configured to determine the type and number of the associated IP addresses of the target Payload information in the target time period; to determine a Payload risk index corresponding to the target Payload information based on the type of the associated IP addresses, the number of the associated IP addresses and the Payload historical statistical risk index of the target Payload information; the associated IP addresses are the different target IP addresses corresponding to the same target Payload information in different target messages; the Payload historical statistical risk index is used to reflect the protocol interaction risk condition of the Payload information dimension in the previous time period.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the network intelligence analysis method of any of claims 1 to 4 when executing the program.
7. A non-transitory computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the network intelligence analysis method of any of claims 1-4.
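The decision flow of claim 1 together with the sub-steps of claims 2, 3 and 4, as an added Python example that is not the patent's own code: the feature library, the message sample, the per-type weights, the 0.5 history decay and the level thresholds are all constructed or assumed here, because the claims name the inputs (associated Payload quantity and type, associated IP number and type, historical statistical indices) but specify no formulas.

```python
import ipaddress
# Constructed intelligence feature library (claim 1): risk level per known IP / Payload
LIBRARY_IP = {"203.0.113.9": "high"}
LIBRARY_PAYLOAD = {"exploit:deserialization": "high"}
# Assumed weights and thresholds: the claims name the types but give no numbers (illustrative only)
PAYLOAD_TYPE_WEIGHT = {"probe": 1, "poc": 2, "exploit": 4}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed: the target network's own range
IP_TYPE_WEIGHT = {True: 1, False: 2}  # keyed by "is internal": internal 1, external 2

def extract_messages(raw_messages):
    """Claim 4: drop invalid (empty) and duplicate messages and normalize the Payload string."""
    seen, out = set(), []
    for ip, raw in raw_messages:
        payload = raw.strip().lower() if raw and raw.strip() else None
        if payload is not None and (ip, payload) not in seen:
            seen.add((ip, payload))
            out.append((ip, payload))
    return out

def risk_index(history, count, type_weights):
    """Claims 2/3: statistical index (decayed history + count) plus association index (count * heaviest type)."""
    return (0.5 * history + count) + count * max(type_weights, default=1)

def ip_risk_index(ip, messages, ip_history):
    payloads = {p for i, p in messages if i == ip}  # associated Payloads of this IP
    weights = [PAYLOAD_TYPE_WEIGHT.get(p.split(":", 1)[0], 1) for p in payloads]
    return risk_index(ip_history.get(ip, 0), len(payloads), weights)

def payload_risk_index(payload, messages, payload_history):
    ips = {i for i, p in messages if p == payload}  # associated IPs of this Payload
    weights = [IP_TYPE_WEIGHT[ipaddress.ip_address(i) in INTERNAL_NET] for i in ips]
    return risk_index(payload_history.get(payload, 0), len(ips), weights)

def to_level(index):
    return "high" if index >= 8 else "medium" if index >= 4 else "low"

def analyze(ip, payload, messages, ip_history=None, payload_history=None):
    """Claim 1: library hit -> the library level; otherwise the higher of the two indices."""
    hits = [lvl for lvl in (LIBRARY_IP.get(ip), LIBRARY_PAYLOAD.get(payload)) if lvl]
    if hits:
        return max(hits, key=["low", "medium", "high"].index)
    idx = max(ip_risk_index(ip, messages, ip_history or {}),
              payload_risk_index(payload, messages, payload_history or {}))
    return to_level(idx)

# Constructed protocol-interaction messages (ip, raw payload) for one target time period
RAW_MESSAGES = [("198.51.100.23", "probe:http-options"), ("198.51.100.23", "poc:path-traversal"),
                ("198.51.100.23", "exploit:command-injection"), ("198.51.100.23", " Exploit:Command-Injection "),
                ("10.0.0.5", ""), ("10.0.0.5", "probe:http-options"), ("203.0.113.9", "probe:tcp-syn")]
MESSAGES = extract_messages(RAW_MESSAGES)
```

With the sample above, the library hit on 203.0.113.9 short-circuits to "high", the external address that sent probe, PoC and exploit payloads scores 15 on the IP dimension, and the shared probe payload is rated "medium" because two addresses of different types used it.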

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210401625.3A CN114500123B (en) 2022-04-18 2022-04-18 Network information analysis method and device

Publications (2)

Publication Number Publication Date
CN114500123A CN114500123A (en) 2022-05-13
CN114500123B true CN114500123B (en) 2022-08-02

Family

ID=81489449

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210401625.3A Active CN114500123B (en) 2022-04-18 2022-04-18 Network information analysis method and device

Country Status (1)

Country Link
CN (1) CN114500123B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108287823A (en) * 2018-02-07 2018-07-17 平安科技(深圳)有限公司 Message data processing method, device, computer equipment and storage medium
CN113765772A (en) * 2020-06-29 2021-12-07 北京沃东天骏信息技术有限公司 Risk control method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104660481B (en) * 2013-11-18 2018-11-06 深圳市腾讯计算机系统有限公司 Instant communication information processing method and processing device

Also Published As

Publication number Publication date
CN114500123A (en) 2022-05-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant