CN114697136B - Network attack detection method and system based on switching network - Google Patents

Network attack detection method and system based on switching network

Info

Publication number: CN114697136B
Application number: CN202210500154.1A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114697136A
Inventors: 钟济, 邓瑀峰
Current and original assignee: SUZHOU XIONGLI TECHNOLOGY CO LTD
Prior art keywords: tcp, message, session, network attack, network

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 and H04L63/1408: network architectures or protocols for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L67/141 Setup of application sessions (under H04L67/14 Session management)
    • H04L69/22 Parsing or analysis of headers
Abstract

The embodiments of this application provide a network attack detection method and system based on a switching network. A message generated by a session that a host in the switching network initiates is parsed to obtain message information for several domain segments. Analysis units are then established according to that message information, and each analysis unit detects network attack behavior from its corresponding message information. For the detection itself, a session feature statistics unit and a session feature statistics array are also provided. The session feature statistics unit calls one or more analysis units to detect a network attack according to the attack's features; each session feature statistics unit corresponds to one analysis unit, and the session feature statistics units together form the session feature statistics array. The scanning precision of each session feature statistics unit is controlled by setting a sliding window for it. The method addresses the missed detection of network attacks that results from the lack of whole-traffic analysis capability in existing network attack detection.

Description

Network attack detection method and system based on switching network
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and a system for detecting a network attack based on a switched network.
Background
With the rapid development of the Internet, network attacks of every kind have become commonplace. Before carrying out an attack, an attacker scans the target network to obtain its topology and host information. Real-time detection of the attacker's scanning behavior and attack methods is therefore required.
To discover and prevent network attacks in time, the related art generally uses trap IPs, firewalls and deployed scan detection tools. With trap IPs, several trap IP addresses are placed in the network adjacent to the IP addresses of the hosts to be protected, and a scan detection tool is deployed on each trap IP to detect and block attacks. However, a trap IP only catches an attacker who happens to attack the trap IP, so the detection tool sees only those attacks and overall protection is lacking. Firewalls are typically deployed at the network control node between the intranet and the extranet and inspect traffic entering and leaving the extranet to discover an attacker's scanning, but they cannot detect an attacker scanning from within the intranet.
Deploying scan detection tools means deploying port detection tools on all network hosts to find an attacker's scanning behavior and attack methods against those hosts, but each port detection tool watches only a single host, so this approach lacks whole-traffic analysis capability and has a high probability of missing attacks.
Disclosure of Invention
This application provides a network attack detection method and system based on a switching network, to address the missed detection of network attacks caused by the lack of whole-traffic analysis capability in the related art.
In a first aspect, an embodiment of this application provides a method for detecting a network attack based on a switching network, which discovers attack behavior by analyzing the messages generated when a host in the switching network initiates a session. The method includes:
Inputting the message to be detected into a message analysis unit.
Decomposing the message content according to the network protocol to obtain the message information of each domain segment, used to analyze the session the host initiated; the message information comprises IP messages, TCP messages and UDP messages.
Establishing analysis units according to the message information, where each analysis unit corresponds to one kind of message information; the analysis units comprise a host security detection unit, a TCP processing unit and a UDP processing unit.
Calling one or more analysis units, according to the features of the network attack, to analyze the attack's scanning behavior and obtain the analysis result.
In a second aspect, an embodiment of this application provides a network attack detection system based on a switching network, comprising a control module, a message analysis module and a session feature statistics module. The message analysis module comprises a message analysis unit, a host security detection unit, a TCP processing unit and a UDP processing unit; the session feature statistics module comprises a session feature statistics unit and a session feature statistics array.
The control module inputs the message to be detected into the message analysis unit.
The message analysis module decomposes the message content according to the network protocol to obtain the message information of each domain segment, used to analyze the session the host initiated; the message information comprises IP messages, TCP messages and UDP messages.
The message analysis module also establishes analysis units according to the message information, each corresponding to one kind of message information; the analysis units comprise a host security detection unit, a TCP processing unit and a UDP processing unit.
The session feature statistics module calls one or more analysis units, according to the features of the network attack, to analyze the attack's scanning behavior and obtain the analysis result.
In summary, the embodiments of this application provide a network attack detection method and system based on a switching network: the message generated by a session initiated by a host is parsed into message information for several domain segments, analysis units are established for that message information, and each analysis unit detects attack behavior from its corresponding message information. A session feature statistics unit and a session feature statistics array are also provided; each session feature statistics unit corresponds to one analysis unit, calls one or more analysis units according to the features of the attack, and has its scanning precision controlled by a sliding window, and the units together form the array. This addresses the missed detection of attacks caused by the lack of whole-traffic analysis capability in network attack detection.
Drawings
To illustrate the technical solution of this application more clearly, the drawings needed in the embodiments are briefly described below; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of a network attack detection method based on a switching network according to an embodiment of the present application;
Fig. 2 is a schematic diagram of the host security detection unit of this embodiment detecting network attack behavior from an IP message;
Fig. 3 is a flowchart of the TCP processing unit of this embodiment detecting network attack behavior through TCP state identification;
Fig. 4 is a flow configuration diagram of TCP session ID identification in this embodiment;
Fig. 5 is a flowchart of a TCP processing unit according to an embodiment of the present application for detecting a network attack according to TCP connection identification.
Detailed Description
Reference will now be made in detail to the embodiments, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described below do not represent all embodiments consistent with this application; they are merely examples of systems and methods consistent with aspects of the application as set forth in the claims.
When carrying out an attack, an attacker must first scan the switching network from a host to obtain topology and host information. Against such scanning, the related art mostly uses trap IPs, firewalls and scan detection tools. The trap IP approach deploys a honeypot whose IP address resembles the addresses of hosts in the switching network, so that the honeypot deceives the attacker's scan and thereby protects the hosts' information. However, it is passive: protection is provided only when the attacker happens to scan the trap IP. A firewall is limited to inspecting traffic entering and leaving the external network and cannot see internal traffic, so scanning conducted inside the internal network is missed.
Deploying scan detection tools means placing a tool at every host interface of the switching network to inspect that host's traffic, but each tool sees only a single host's traffic and has no overall analysis capability, so protection is costly.
To address the missed detection of attack behavior caused by the lack of a means of analyzing the whole traffic of the switching network in the related art, an embodiment of this application provides a network attack detection method based on a switching network.
Fig. 1 is a flow chart of a network attack detection method based on a switching network according to an embodiment of this application. The method discovers attack behavior by analyzing the messages generated when a host in the switching network initiates a session. As shown in Fig. 1, the method comprises the following steps:
S101: inputting the message to be detected into a message analysis unit;
Hosts in the switching network communicate by establishing sessions; both session establishment and the subsequent data exchange are carried out by sending request and response messages. A message is the unit of data exchange and transmission in the switched network and carries the complete data of one transmission. Messages are classified by physical interface, sub-interface, MAC address, IP five-tuple and similar information, and one message can be divided in order into the message information of several domain segments. Parsing and decomposing a message therefore yields the message information of each domain segment; inspecting that information against the features of network attacks makes it possible to analyze the session the current host established and identify attack behavior in the switching network.
In one embodiment, an attacker scans hosts in the switching network to obtain host information and mount targeted attacks. While scanning, the attacker establishes sessions with a host to obtain information on each of its interfaces and the related network topology, and then exploits existing vulnerabilities to steal information. To verify whether a session is secure, this embodiment feeds the messages generated while establishing the session and afterwards into a message analysis unit, which decomposes each message into an IP message, a TCP message and a UDP message. Abnormal states in the IP, TCP or UDP message are then used to judge whether the session was initiated by an attacker, and hence whether attack behavior exists in the current switching network.
S102: decomposing the message content according to the network protocol to obtain the message information of each domain segment, used to analyze the session the host initiated; the message information comprises IP messages, TCP messages and UDP messages;
The IP message contains the message's source IP binding record, which comprises the source MAC address, VLAN and input port corresponding to the source IP. The source MAC address is the MAC address of the host with the message's source IP; the VLAN is the VLAN to which the source IP belongs; the input port is the port through which the message entered the switching network from the host. A security source IP binding record can therefore be introduced: the source MAC address, VLAN and input port of the message are compared with those in the security source IP binding record, and any message in which any item does not match the security record is treated as suspicious and subjected to further detection.
The TCP message contains feature information used to identify the TCP session state and the TCP connection state, for example the TCP session four-tuple, the TCP Flags, the list of target hosts of TCP connections and the list of target port numbers of TCP connections. The TCP session state is whether the TCP traffic behavior is normal; the TCP connection state is whether connection information such as the number of connected hosts and host ports is normal when the TCP session is established. By extracting this feature information, the current state of the TCP session, the state after the next TCP transition, and the ports and hosts of the TCP connection can be identified and compared with the corresponding security feature information in the TCP security record, to judge whether the TCP traffic or the TCP connection is abnormal and hence whether the TCP message carries attack behavior. The features of the UDP message are similar to those of the TCP message, except that UDP is connectionless, so the UDP message is analyzed together with the ICMP message.
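As an added example of the decomposition S102 describes (my code, not the patent's), the following Python builds an 802.1Q-tagged Ethernet frame carrying IPv4 with a TCP or UDP header, then parses it back into the domain segments the text names: source MAC, VLAN and ingress port for the IP message, and the four-tuple plus flag bits for the TCP message or the ports for the UDP message. The frame builder, the field names in the returned dict and the ingress port label are assumptions made for the example; ICMP is reported only by type and code.

```python
"""Added example, not the patent's code: decompose a constructed Ethernet/IPv4
frame into the per-domain-segment message information described in S102."""
import struct
import ipaddress

# TCP flag bits in the order they occupy the flags octet
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, vlan, src_ip, dst_ip, l4_proto, l4_bytes):
    """Constructed test input: 802.1Q-tagged Ethernet + IPv4 header + L4 bytes."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800))  # TPID, TCI, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0, 0, 64,
                     l4_proto, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4_bytes


def tcp_header(sport, dport, flags, seq=1):
    bits = sum(bit for name, bit in TCP_FLAGS if name in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, bits, 65535, 0, 0)


def udp_header(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def parse_frame(frame, ingress_port):
    """Return the message information of each domain segment as a dict."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if ethertype == 0x8100:                          # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    (ver_ihl, _, _, _, _, ttl, proto, _, sip, dip) = struct.unpack(
        "!BBHHHBBH4s4s", frame[off:off + 20])
    ihl = (ver_ihl & 0x0F) * 4                        # header length incl. options
    src_ip = str(ipaddress.IPv4Address(sip))
    dst_ip = str(ipaddress.IPv4Address(dip))
    # IP message: the source IP binding record fields plus addresses and protocol
    info = {"ip": {"src_mac": _mac(src_mac), "vlan": vlan, "port": ingress_port,
                   "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl, "proto": proto}}
    l4 = frame[off + ihl:]
    if proto == 6:                                   # TCP message
        sport, dport, _, _, _, bits = struct.unpack("!HHIIBB", l4[:14])
        info["tcp"] = {"four_tuple": (src_ip, sport, dst_ip, dport),
                       "flags": frozenset(n for n, b in TCP_FLAGS if bits & b)}
    elif proto == 17:                                # UDP message
        sport, dport, _ = struct.unpack("!HHH", l4[:6])
        info["udp"] = {"four_tuple": (src_ip, sport, dst_ip, dport)}
    elif proto == 1:                                 # ICMP, analysed alongside UDP
        info["icmp"] = {"type": l4[0], "code": l4[1]}
    return info


if __name__ == "__main__":
    syn = build_frame("aa:bb:cc:00:00:05", "aa:bb:cc:00:00:10", 100,
                      "10.0.0.5", "10.0.0.10", 6, tcp_header(40000, 22, {"SYN"}))
    print(parse_frame(syn, "Gi1/0/5"))
```

The returned `ip` dict is exactly the (source MAC, VLAN, input port) triple that the host security detection unit compares against its security binding record, and the `tcp` dict is the four-tuple and flag set that the TCP processing unit uses as keywords.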
S103: establishing analysis units according to the message information, where each analysis unit corresponds to one kind of message information; the analysis units comprise a host security detection unit, a TCP processing unit and a UDP processing unit;
A host security detection unit, a TCP processing unit and a UDP processing unit are established for the IP message, the TCP message and the UDP message respectively. The IP message is input to the host security detection unit, which first obtains the source IP binding record from the IP message and then retrieves the security source IP binding record for comparison. If the source MAC address, VLAN and input port carried by the IP message match the security source IP binding record, the IP message is judged secure.
The security source IP binding record in this embodiment is self-learning, as follows:
First, a security source IP whitelist containing security source IP binding records is obtained from the network security management system through the network device hardware. The source IP binding record obtained by the host security detection unit is then matched against the security source IP binding records in the whitelist; if it matches, the record is recognized as within the whitelist's authentication range, the security rating of that source IP is raised, and the record is recognized as a security source IP binding record. At the same time, the source IP binding records obtained by the host security detection unit are monitored periodically: if a security source IP binding record shows no data-exchange activity within a preset period, it is treated as aged, and aged records are deleted to save cache space and keep the network device running well.
The TCP message is input to the TCP processing unit, which recognizes attack behavior through TCP behavior feature recognition; in this embodiment that means recognizing both the TCP session state and the TCP connection state. Identifying the TCP session state requires the TCP session ID and the TCP Flags as the keywords of the state analysis. This embodiment therefore provides a method in which a hardware self-learning mechanism obtains the TCP session ID: it processes the TCP session four-tuple, matches the resulting value against the existing relation between such values and TCP session IDs, and generates a new TCP session ID for the value where necessary, so as to cope with rapidly changing and varied TCP-based network scanning.
To identify the TCP connection state, IDs are assigned to the target host and target port of the TCP connection, derived in the same way as the TCP session ID. Through these IDs the TCP traffic of the target host and port is measured and compared with the history of TCP traffic recorded under the same ID, so that abnormal TCP traffic, and hence attack behavior, can be found.
The UDP message is input to the UDP processing unit, which works like the TCP processing unit, except that because UDP is connectionless the UDP message is analyzed together with the ICMP message, which is also connectionless.
S104: calling one or more analysis units, according to the features of the network attack, to analyze the attack's scanning behavior and obtain the analysis result.
The analysis units comprise the host security detection unit, the TCP processing unit and the UDP processing unit. Different kinds of network attack exist in a switching network, each with its own attack features, such as forging the source IP or emitting TCP or UDP messages in arbitrary states. To improve scanning efficiency, once the switching network's vulnerabilities are known, the messages associated with each vulnerability can be analyzed in advance, and one or more analysis units can be called for targeted analysis of the vulnerability and its associated message types. When the switching network is unfamiliar, all analysis units can be called for whole-traffic analysis to ensure its security.
Fig. 2 is a flowchart of the host security detection unit of this embodiment detecting a network attack from an IP message.
In one embodiment, an attacker abuses the three-way handshake required when TCP establishes a connection to attack a host or server. During the handshake, the requesting host sets the SYN (synchronize) flag used to confirm connection establishment to 1 and sends a randomly generated packet to the server. On receiving the packet with SYN=1, the server must return a packet with SYN=1 to the sending host to confirm the connection request, and meanwhile enters a state of waiting for confirmation. Once the requesting host confirms, the server returns to its normal state and responds to connection requests from other hosts in the switching network. An attacker sends the server a large number of SYN=1 packets with forged source IPs; the server replies to each with a SYN confirmation packet and enters the waiting state, and because the attacker never completes the confirmation, the server remains waiting and does not respond to normal requests, severely affecting legitimate users of the switching network.
In this embodiment the message analysis unit decomposes the message generated by the session in which the attacker sends the request, and the host security detection unit analyzes the IP message to obtain its binding record, i.e. the MAC address, VLAN and input port of the host from which the attacker sent it. The security source IP binding record is then retrieved and matched against this binding record; if the match fails, the host that sent the connection request is forging its source IP, and the IP message is discarded.
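The self-learning security source IP binding record described under S103 and the forged-source-IP check of Fig. 2 can be modelled together. The Python below is an added example, not the patent's implementation: a binding table learns (MAC, VLAN, input port) records only from a whitelist supplied by the management system, reports which fields of an incoming message disagree with the learned record, refreshes a record's timestamp only on matching traffic, and ages out records that have seen no matching traffic within a preset period. The whitelist contents, the port naming and the 300-second aging period are assumptions.

```python
"""Added example, not the patent's code: a self-learning source IP binding table
of the kind the host security detection unit consults, with aging."""
from dataclasses import dataclass

AGE_PERIOD = 300.0   # hypothetical: seconds without matching traffic before aging


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    port: str


class BindingTable:
    def __init__(self, whitelist):
        self.whitelist = dict(whitelist)   # src_ip -> Binding, from the management system
        self.learned = {}                  # src_ip -> Binding (security source IP records)
        self.last_seen = {}                # src_ip -> time of last matching message

    def check(self, src_ip, mac, vlan, port, now):
        """Return ('secure', []) or ('suspicious', [mismatched field names])."""
        observed = Binding(mac, vlan, port)
        record = self.learned.get(src_ip)
        if record is None:
            # Not learned yet: only a whitelist match may be promoted to a record
            record = self.whitelist.get(src_ip)
            if record is None:
                return "suspicious", ["no security binding record for source IP"]
            if record == observed:
                self.learned[src_ip] = observed
        mismatches = [name for name in ("mac", "vlan", "port")
                      if getattr(record, name) != getattr(observed, name)]
        if mismatches:
            return "suspicious", mismatches     # e.g. forged source IP: MAC/port differ
        self.last_seen[src_ip] = now            # only matching traffic keeps a record alive
        return "secure", []

    def age(self, now):
        """Delete records idle for longer than AGE_PERIOD; return the aged IPs."""
        expired = [ip for ip, t in self.last_seen.items() if now - t > AGE_PERIOD]
        for ip in expired:
            del self.learned[ip]
            del self.last_seen[ip]
        return expired


if __name__ == "__main__":
    # Constructed whitelist and messages: one legitimate host, one spoofing its IP
    table = BindingTable({"10.0.0.5": Binding("aa:bb:cc:00:00:05", 10, "Gi1/0/5")})
    messages = [
        ("10.0.0.5", "aa:bb:cc:00:00:05", 10, "Gi1/0/5", 0.0),
        ("10.0.0.5", "de:ad:be:ef:00:01", 10, "Gi1/0/9", 1.0),
    ]
    for src_ip, mac, vlan, port, ts in messages:
        print(src_ip, port, table.check(src_ip, mac, vlan, port, ts))
    print("aged:", table.age(400.0))
```

The second constructed message carries the legitimate host's IP but arrives from a different MAC and port, so `check` returns the mismatched fields rather than a bare verdict; that list is what a switch would log alongside the discard decision.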
The TCP message and UDP message are likewise detected by the TCP processing unit and the UDP processing unit; since their workflows are similar, the TCP processing unit is taken as the example. The TCP processing unit performs TCP behavior feature recognition on the TCP message to detect attack behavior, comprising TCP state identification and TCP connection identification. Fig. 3 is a flowchart of the TCP processing unit of this embodiment detecting attack behavior through TCP state identification.
In one embodiment, a host receives a large number of abnormal TCP messages. This embodiment detects the abnormal host state and so identifies the TCP state. The TCP processing unit parses the TCP message to obtain the keywords for real-time TCP session state analysis: the TCP session ID and the TCP Flags. The four-tuple is source address, source port, destination address and destination port; the TCP session ID is obtained by matching the hash value produced by hash compression of the session's four-tuple against a session ID library, so the session ID also carries the four-tuple's information. The TCP Flags are the states of the flag bits in the TCP message: SYN, FIN, RST, PSH, URG and ACK. An addressing tool is then called to search on these keywords and analyze the real-time TCP session state, which amounts to detecting attack behavior in the source address, source port, destination address, destination port and flag bits of the TCP message. If the large number of abnormal TCP messages a host receives comes from one or a few fixed hosts on fixed ports, and the messages' flag bits are abnormal, the TCP messages are determined to carry attack behavior.
The addressing tool may be a linear table, a hash table or a TCAM. When searching on the TCP session ID, the tool obtains the hash value corresponding to the session ID; reversing that hash value yields the several four-tuples that map to it, so the real-time state of the TCP session can be identified by tracing those four-tuples, and the state of the current session is judged by checking the security of the four-tuple, that is, the source, destination and traffic of the TCP message. When searching on the TCP Flags, the tool obtains the states of the six flag bits of the TCP message, which correspond to the message's state, and compares the current message's flag bits with those of a normal TCP message to judge whether the current message is normal.
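As an added example of the flag-bit comparison and the attribution to fixed hosts described above (my code, not the patent's), the following Python classifies the six flag bits of each message against combinations a normal TCP stack produces and counts abnormal messages per (source host, source port), so that a burst from one fixed source stands out. The abnormal-combination rules, the constructed sample lines and the threshold of five are assumptions; the flag names are those the text lists.

```python
"""Added example, not the patent's code: TCP flag-bit checks over constructed
sample lines, attributing abnormal messages to fixed (host, port) sources."""
from collections import Counter

ABNORMAL_THRESHOLD = 5   # hypothetical: abnormal messages from one source before alerting


def is_abnormal(flags):
    """Heuristic: flag sets that a conforming TCP stack does not emit."""
    f = set(flags)
    if not f:
        return True                        # no flag at all (NULL-style message)
    if "SYN" in f and f & {"FIN", "RST"}:
        return True                        # SYN never travels with FIN or RST
    if "FIN" in f and "ACK" not in f:
        return True                        # FIN (incl. FIN/PSH/URG) without ACK
    if f & {"PSH", "URG"} and "ACK" not in f:
        return True                        # push / urgent only make sense with ACK
    return False


# Constructed sample: "src:port > dst:port flags=A,B"; one source sends six bad sets
SAMPLE = """\
10.0.0.5:40000 > 10.0.0.10:21 flags=
10.0.0.5:40000 > 10.0.0.10:22 flags=SYN,FIN
10.0.0.5:40000 > 10.0.0.10:23 flags=FIN
10.0.0.5:40000 > 10.0.0.10:25 flags=FIN,PSH,URG
10.0.0.5:40000 > 10.0.0.10:80 flags=SYN,RST
10.0.0.5:40000 > 10.0.0.10:443 flags=PSH
10.0.0.7:51234 > 10.0.0.10:443 flags=SYN
10.0.0.10:443 > 10.0.0.7:51234 flags=SYN,ACK
10.0.0.7:51234 > 10.0.0.10:443 flags=ACK
10.0.0.7:51234 > 10.0.0.10:443 flags=PSH,ACK
10.0.0.7:51234 > 10.0.0.10:443 flags=FIN,ACK
10.0.0.7:51234 > 10.0.0.10:443 flags=FIN
"""


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) from one sample line."""
    left, right = line.split(" > ")
    src_ip, src_port = left.split(":")
    dst, flag_part = right.split(" flags=")
    dst_ip, dst_port = dst.split(":")
    flags = frozenset(x for x in flag_part.split(",") if x)
    return src_ip, int(src_port), dst_ip, int(dst_port), flags


def analyze(lines):
    """Map each fixed (src_ip, src_port) that exceeded the threshold to its count."""
    counts = Counter()
    for line in lines:
        src_ip, src_port, _, _, flags = parse_line(line)
        if is_abnormal(flags):
            counts[(src_ip, src_port)] += 1
    return {src: n for src, n in counts.items() if n >= ABNORMAL_THRESHOLD}


if __name__ == "__main__":
    print(analyze(SAMPLE.splitlines()))
```

Keying the counter by source host and source port mirrors the text's "fixed hosts, fixed ports" criterion: the single stray FIN from 10.0.0.7 stays below the threshold, while the six abnormal sets from 10.0.0.5:40000 are reported together.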
TCP session ID identification is a key step in TCP state identification. Fig. 4 is a flow configuration diagram of TCP session ID identification in this embodiment, which obtains the session ID through a self-learning mechanism as shown in Fig. 4. The TCP processing unit first obtains the TCP session four-tuple from the TCP message, hash-compresses it to obtain a hash value, and then matches the hash value against a library of hash-value-to-session-ID relations. If the match succeeds, the session ID matched by the hash value is assigned and read out for keyword searching in subsequent TCP state identification; if it fails, a new session ID is allocated for the hash value, stored in the relation library, and likewise read out for subsequent keyword searching. Giving an unmatched hash value a new session ID and storing the correspondence in the relation library keeps the library of TCP session IDs up to date with the various behaviors present in the switching network and the data they generate.
The four-tuple has many combinations, but several combinations may hash-compress to the same value, so one hash value may correspond to one four-tuple or to several; a TCP session ID can therefore be regarded as a set of four-tuples. Searching on one TCP session ID is equivalent to detecting the states of several four-tuples without calling them one by one, which improves detection efficiency.
In an embodiment, a TCP session ID in the relation library may correspond to normal or to abnormal TCP messages. The session ID of normal TCP messages can serve as a security ID in subsequent detection, and the session ID of abnormal TCP messages can serve as an attack ID; messages carrying attack behavior are filtered directly by their attack ID. The relation library is thus self-learning and also improves the efficiency of attack detection.
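To make the self-learning session ID library of Fig. 4 concrete, here is an added Python model (mine, not the patent's implementation): four-tuples are hash-compressed to a deliberately narrow value so that collisions are visible, each hash value is mapped to an existing or newly allocated session ID, every four-tuple seen under an ID is kept as the set the text describes, and an ID can be labelled a security ID or an attack ID so that later messages are filtered by ID alone. The SHA-256-based compression, the 4-bit width and the label names are assumptions.

```python
"""Added example, not the patent's code: self-learning TCP session ID library
keyed by a hash-compressed four-tuple, with security/attack labels."""
import hashlib
from collections import defaultdict

HASH_BITS = 4   # hypothetical, deliberately tiny so that collisions appear in a demo


def compress(four_tuple):
    """Hash-compress (src_ip, src_port, dst_ip, dst_port) to HASH_BITS bits."""
    src, sport, dst, dport = four_tuple
    digest = hashlib.sha256(f"{src}:{sport}>{dst}:{dport}".encode()).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


class SessionIdLibrary:
    def __init__(self):
        self.by_hash = {}                 # hash value -> session ID (the relation library)
        self.tuples = defaultdict(set)    # session ID -> set of four-tuples seen under it
        self.labels = {}                  # session ID -> "security" or "attack"
        self._next_id = 1

    def lookup(self, four_tuple):
        """Return (session_id, newly_allocated) for a four-tuple, learning as needed."""
        h = compress(four_tuple)
        new = h not in self.by_hash
        if new:                           # match failed: allocate and store a new ID
            self.by_hash[h] = self._next_id
            self._next_id += 1
        sid = self.by_hash[h]
        self.tuples[sid].add(four_tuple)  # one ID may gather several four-tuples
        return sid, new

    def label(self, sid, verdict):
        if verdict not in ("security", "attack"):
            raise ValueError(verdict)
        self.labels[sid] = verdict

    def should_filter(self, four_tuple):
        """True when the tuple's session ID has been marked as an attack ID."""
        sid, _ = self.lookup(four_tuple)
        return self.labels.get(sid) == "attack"


if __name__ == "__main__":
    lib = SessionIdLibrary()
    scan = ("10.0.0.5", 40000, "10.0.0.10", 22)       # constructed sample tuples
    sid, _ = lib.lookup(scan)
    lib.label(sid, "attack")
    for p in range(32):
        lib.lookup(("10.0.0.6", 50000 + p, "10.0.0.10", 80))
    print("filter scan tuple:", lib.should_filter(scan))
    print("IDs allocated:", len(lib.by_hash), "largest tuple set:",
          max(len(s) for s in lib.tuples.values()))
```

With a 4-bit hash, 33 distinct four-tuples can occupy at most 16 IDs, so at least one ID necessarily holds several tuples; this is the "session ID as a set of four-tuples" property the text relies on, and also the reason an attack label on an ID must be applied with the collision rate of the real hash width in mind.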
Fig. 5 is a flowchart of the TCP processing unit detecting network attacks by TCP connection identification according to an embodiment of the present application. In an embodiment, an attacker initiates a large number of TCP connections to a server; after doing so, the attacker can on the one hand occupy the server's traffic resources by sending it a large number of messages, and on the other hand merely hold the connections open so as to exhaust the server's TCP connection resources. For such attack modes, the application allocates a host ID and a target port ID to the target host and target port that the TCP message connects to, according to the TCP message. It then counts the traffic on the connection ports by obtaining the connection ports of the hosts that send and receive messages in the current switching network, and compares the count with a set TCP traffic threshold. If the traffic statistic for a connection port exceeds the set TCP traffic threshold, the current TCP message is judged to exhibit network attack behavior.
The traffic threshold includes not only an upper limit but also a lower limit, which detects, for the case of occupying connection resources, an attack situation in which a connection relation is established but no data is transmitted. The lower limit applies to: an attacker host establishing a large number of TCP connection relations with a target host/server within a period of time without performing any data send or receive operation; or frequently disconnecting and re-requesting connection establishment after a connection is established. In an environment with higher security requirements, the threshold range can be narrowed further to the new-connection rate and the connection count. Setting a connection threshold limits an attacker's ability to attack a host/server over TCP connections.
Network attack means are not limited to a single type, and one or more vulnerabilities may exist in the switching network, so an attacker can carry out a combined attack on a host/server within a single message-sending process. To address such combined attacks, this embodiment provides a session feature statistics unit that invokes one or more analysis units to analyze the scanning behavior of the network attack according to its characteristics. Each session feature statistics unit corresponds to one analysis unit, and several session feature statistics units can also be combined into a session feature statistics array.
The analysis units are not limited to the host security detection unit, the TCP processing unit and the UDP processing unit mentioned above; the system also comprises an application layer processing unit and a non-IP/TCP/UDP processing unit. Non-IP/TCP/UDP messages include, but are not limited to, ICMP messages/ARP messages and application layer protocol messages, which correspond one-to-one with the non-IP/TCP/UDP processing unit and the application layer processing unit. This embodiment obtains the non-IP/TCP/UDP message in a manner based on a multi-layer ACL (Access Control List, rule set). The process is as follows: first, the non-IP/TCP/UDP message data to be detected is obtained through a processing unit; then the offset of the valid message data is configured according to the message type; finally, invalid message data (the message segment identification) is added to the valid message data according to the offset, yielding the non-IP/TCP/UDP message data of each domain segment. The corresponding processing unit is then invoked to analyze, decompose and detect the non-IP/TCP/UDP message data of each domain segment in order to discover network attack behavior.
In addition, when the session feature statistics units and the session feature statistics array are used, a sliding statistics window is also set to control the scanning detection precision of each session feature statistics unit. Specifically: in one network attack detection, several session feature statistics units are invoked and a sliding statistics window is set for each of them. The sliding window has a sliding speed, and in the embodiment of the application the scanning detection precision of a session feature statistics unit can be controlled by adjusting that sliding speed. In one embodiment, a host receives a large amount of abnormal TCP data at random moments, and when network attack detection is performed at the normal sliding speed of the window, missed reports often occur.
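The connection identification and sliding-window statistics described above, as an added example that is not the patent's implementation: per (target host ID, target port ID) traffic is compared with an upper traffic limit, a lower limit for connections that carry no data, and a new-connection rate, and the window's sliding speed decides whether a burst that straddles two windows is caught or missed. The thresholds, the event records and the reading of "sliding speed" as the step between windows are my assumptions.

```python
# Added example, not the patent's implementation: TCP connection identification
# with a sliding statistics window. Traffic per (target host ID, target port ID)
# is compared with an upper traffic limit, a lower limit for connections that
# carry no data, and a new-connection rate for stricter environments. The
# thresholds, event records and sliding-speed semantics are my assumptions.
from collections import defaultdict

# Constructed events: (time_s, target_ip, target_port, bytes_transferred).
# 30 connections hit port 22 between t=3.5s and t=4.4s and move no data.
EVENTS = [(3.5 + 0.03 * i, "10.0.0.2", 22, 0) for i in range(30)]
EVENTS += [(1.0, "10.0.0.2", 443, 1200), (2.5, "10.0.0.2", 443, 900),
           (4.2, "10.0.0.2", 443, 3000), (5.8, "10.0.0.2", 443, 400)]

THRESHOLDS = {
    "max_bytes": 50_000,        # upper limit on traffic per port in one window
    "max_idle_conns": 20,       # lower limit: connections established but no data
    "max_new_conn_rate": 10.0,  # new connections per second (stricter environments)
}


def window_stats(events, t_start, width):
    """Aggregate the events whose timestamp falls in [t_start, t_start + width)."""
    stats = defaultdict(lambda: {"bytes": 0, "conns": 0, "idle": 0})
    for t, dip, dport, nbytes in events:
        if t_start <= t < t_start + width:
            s = stats[(dip, dport)]       # key = (target host ID, target port ID)
            s["bytes"] += nbytes
            s["conns"] += 1
            s["idle"] += nbytes == 0
    return stats


def judge(stats, width, th):
    """Return {port key: [reasons]} for every key that crosses a threshold."""
    alerts = {}
    for key, s in stats.items():
        reasons = []
        if s["bytes"] > th["max_bytes"]:
            reasons.append("traffic above upper limit")
        if s["idle"] > th["max_idle_conns"]:
            reasons.append("idle connections above lower-limit threshold")
        if s["conns"] / width > th["max_new_conn_rate"]:
            reasons.append("new-connection rate above threshold")
        if reasons:
            alerts[key] = reasons
    return alerts


def detect(events, width, step, th):
    """Slide a `width`-second window forward by `step` seconds each time.

    A larger step is a faster sliding speed: fewer windows, so a burst that
    straddles two windows can be split and missed. Returns the union of alerts.
    """
    found = defaultdict(set)
    t_start, t_end = 0.0, max(t for t, *_ in events)
    while t_start <= t_end:
        for key, reasons in judge(window_stats(events, t_start, width), width, th).items():
            found[key].update(reasons)
        t_start += step
    return dict(found)
```

With a 2 s window, `detect(EVENTS, 2.0, 2.0, THRESHOLDS)` splits the port 22 burst across two windows and reports nothing, while `detect(EVENTS, 2.0, 0.5, THRESHOLDS)` catches it; this is the missed-report effect the description attributes to the sliding speed.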
The embodiment also provides a network attack detection system based on the switching network, comprising: a control module, a message analysis module and a session feature statistics module; the message analysis module comprises: a message analysis unit, a host security detection unit, a TCP processing unit and a UDP processing unit; the session feature statistics module comprises: a session feature statistics unit and a session feature statistics array;
the control module is used for inputting the message to be detected to the message analysis unit;
the message analysis module is used for decomposing the message content according to a network protocol to obtain message information of each domain segment for analyzing the session initiated by the host, the message information comprising: IP messages, TCP messages and UDP messages;
the message analysis module is also used for establishing analysis units according to the message information, each analysis unit corresponding to one type of message information; the analysis units include: a host security detection unit, a TCP processing unit and a UDP processing unit;
the session feature statistics module is used for invoking one or more analysis units to analyze network attack scanning behavior according to the features of the network attack, and obtaining the analysis result of the network attack scanning behavior.
The embodiment of the application provides a network scanning detection method and system based on a switching network, which analyze a message generated by a session initiated by a host in the switching network to obtain message information of a plurality of domain segments. Analysis units are then established according to the message information, and each analysis unit detects network attack behavior according to its corresponding message information. A session feature statistics unit and a session feature statistics array are also provided for the detection of network attack behavior. The session feature statistics unit invokes one or more analysis units to detect the network attack according to the features of the network attack; each session feature statistics unit corresponds to one analysis unit, and the session feature statistics units form a session feature statistics array. The scanning precision of each session feature statistics unit is controlled by setting a sliding window for it. The method solves the problem of missed reports of network attacks caused by the lack of total traffic analysis capability in network attack detection.
The detailed description above gives only a few examples under the general inventive concept and does not limit the scope of the present application. Any other embodiment that a person skilled in the art extends from the solution of the application without inventive effort falls within the scope of protection of the application.

Claims (9)

1. A network attack detection method based on a switching network is characterized in that a message generated when a host in the switching network initiates a session is analyzed to find out network attack behaviors; characterized by comprising the following steps:
inputting a message to be detected into a message analysis unit;
Decomposing the message content according to a network protocol to obtain message information of each domain segment for analyzing the session initiated by the host, wherein the message information comprises: IP message, TCP message and UDP message;
Establishing analysis units according to the message information, wherein each analysis unit corresponds to one type of message information; the analysis unit includes: the device comprises a host security detection unit, a TCP processing unit and a UDP processing unit;
According to the characteristics of the network attack, one or more analysis units are invoked to analyze the network attack behavior, so as to obtain the analysis result of the network attack behavior; the TCP processing unit is used for identifying and detecting network attack behavior according to the TCP state, comprising the following steps:
acquiring a TCP session security state record and a TCP session security jump record;
analyzing the TCP message to obtain a keyword for analyzing the real-time TCP session state; the keyword comprises a TCP session ID and a TCP Flag;
calling an addressing tool to search the keyword for real-time TCP session state analysis to obtain the real-time TCP session state of the TCP message; the addressing tool comprises: linear tables, hash tables, and TCAMs;
acquiring the TCP session state and the TCP session jump record at the next moment according to the real-time TCP session state and the TCP Flag;
matching the TCP session state with the TCP session security state record; matching the TCP session jump record with the TCP session security jump record; if either match fails, judging that the TCP message exhibits network attack behavior.
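The TCP state identification steps of claim 1 (and, identically, claim 9), as an added example that is not the patent's implementation: the keyword (session ID, TCP Flag) is searched in a hash table, the next state is taken from the jump record, and the message is judged an attack if either the jump or the resulting state is absent from the security records. The state names, both records, the flag encoding and the decision to accept RST from any state are my own constructions; the claim lists linear tables and TCAMs as alternative addressing tools.

```python
# Added example, not the patent's implementation: TCP state identification
# with a security state record and a security jump record. The keyword search
# for the real-time session state uses a hash table (a dict); the claim also
# lists linear tables and TCAM. State names, records and flag bytes are my
# own constructions.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(flags_byte):
    """Turn the TCP flag byte into the set of flag names that are set."""
    return frozenset(name for name, bit in FLAG_BITS.items() if flags_byte & bit)


def F(*names):
    return frozenset(names)


# Security state record: the session states a well-behaved session may be in.
SECURITY_STATES = {"CLOSED", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "FIN_WAIT", "LAST_ACK"}

# Security jump record: (current state, TCP Flag) -> next state, as seen by a
# switch that observes both directions of the session.
SECURITY_JUMPS = {
    ("CLOSED", F("SYN")): "SYN_SENT",
    ("SYN_SENT", F("SYN", "ACK")): "SYN_RECEIVED",
    ("SYN_RECEIVED", F("ACK")): "ESTABLISHED",
    ("ESTABLISHED", F("ACK")): "ESTABLISHED",
    ("ESTABLISHED", F("PSH", "ACK")): "ESTABLISHED",
    ("ESTABLISHED", F("FIN", "ACK")): "FIN_WAIT",
    ("FIN_WAIT", F("FIN", "ACK")): "LAST_ACK",
    ("LAST_ACK", F("ACK")): "CLOSED",
    # Constructed: a jump whose target is absent from the security state record,
    # so the state match (not the jump match) is what rejects it.
    ("SYN_SENT", F("SYN")): "SIMULTANEOUS_OPEN",
}


class TcpStateDetector:
    def __init__(self, states=SECURITY_STATES, jumps=SECURITY_JUMPS):
        self.states, self.jumps = states, jumps
        self.table = {}   # addressing tool: session ID -> real-time session state

    def process(self, session_id, flags_byte):
        """Check one TCP message; returns ("ok" | "attack", state, flags)."""
        flags = decode_flags(flags_byte)
        state = self.table.get(session_id, "CLOSED")     # keyword search
        if "RST" in flags:
            next_state = "CLOSED"        # a reset is accepted from any state
        else:
            next_state = self.jumps.get((state, flags))  # jump record match
        if next_state is None or next_state not in self.states:
            return ("attack", state, flags)  # either match failed; state unchanged
        self.table[session_id] = next_state
        return ("ok", next_state, flags)
```

A message whose flags do not form a recorded jump from the session's current state (for example an ACK or SYN-ACK with no preceding handshake, or an illegal flag combination) is reported without altering the stored state, so a later legitimate handshake on the same session ID still starts from CLOSED.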
2. The method according to claim 1, wherein the host security detection unit sets an access port of a host, and the host security detection unit detects the act of forging the source IP of an IP message in a network attack according to a source IP binding record of the IP message, comprising the steps of:
acquiring a security source IP binding record, wherein the binding record comprises the source MAC address, VLAN and input port of the host corresponding to the source IP;
analyzing the binding record of the IP message to be detected to obtain the MAC address, VLAN and input port of the host corresponding to the source IP of the IP message to be detected;
matching the binding record of the IP message to be detected with the security source IP binding record, and judging that the IP message to be detected exhibits the network attack behavior of a forged source IP if the binding records do not match successfully.
3. The method according to claim 1, wherein the TCP processing unit performs TCP behavior feature recognition according to the TCP packet to detect network attack behavior, the TCP behavior feature recognition including: TCP state identification and TCP connection identification.
4. The method according to claim 1, wherein the step of obtaining the TCP session ID comprises:
acquiring the corresponding TCP session four-tuple according to the TCP message, wherein the TCP session four-tuple comprises (DIP, SIP, dport, sport);
carrying out hash compression on the session four-tuple to obtain a hash calculated value;
matching the TCP session ID according to the hash calculated value.
5. The method of claim 4, wherein the step of matching the TCP session ID based on the hash calculation comprises:
invoking a matching relation library of TCP session IDs;
searching a TCP session ID matched with the hash calculation value in the matching relation library, and setting a TCP session ID for the current TCP message if the matching is successful;
and if the matching fails, a new TCP session ID is allocated to the hash calculated value, and the hash calculated value and the new TCP session ID are stored in the matching relation library in a corresponding relation.
6. The method according to claim 3, wherein the TCP processing unit identifies TCP connections to detect the scanning behavior of network attacks, the steps comprising:
allocating a target host ID and a target port ID to the target host and target port connected by the TCP message according to the TCP message; the target host ID and the target port ID are used for TCP traffic statistics;
Setting a TCP flow threshold;
Comparing the TCP flow statistics in the same time period with the TCP flow threshold, and judging that the current TCP message has network attack behavior if the TCP flow statistics is larger than the TCP flow threshold.
7. The method according to claim 1, wherein a session feature statistics unit is configured to invoke one or more analysis units to perform network attack scanning behavior analysis according to the features of the network attack;
The analysis unit further includes: an application layer processing unit, a non-IP/TCP/UDP processing unit;
Each session feature statistics unit corresponds to one analysis unit;
And a plurality of session feature statistical units form a session feature statistical array.
8. The method of claim 7, wherein a sliding statistics window is set for each of the session feature statistics units; and controlling the scanning precision of each session feature statistical unit by adjusting the sliding speed of the sliding statistical window.
9. A network scan detection system based on a switched network, comprising: the system comprises a control module, a message analysis module and a session feature statistics module; the message analysis module comprises: the system comprises a message analysis unit, a host security detection unit, a TCP processing unit and a UDP processing unit; the session feature statistics module comprises: a session feature statistics unit and a session feature statistics array;
the control module is used for inputting the message to be detected to the message analysis unit;
The message analysis module is used for decomposing the message content according to a network protocol to obtain message information of each domain segment for analyzing the session initiated by the host, and the message information comprises: IP message, TCP message and UDP message;
The message analysis module is also used for establishing analysis units according to the message information, and each analysis unit corresponds to one type of message information; the analysis unit includes: the device comprises a host security detection unit, a TCP processing unit and a UDP processing unit;
The session feature statistics module is used for calling one or more analysis units to analyze network attack behaviors according to the features of the network attack, so as to obtain analysis results of the network attack behaviors; the session feature statistics module is used for enabling the TCP processing unit to identify and detect network attack behaviors according to the TCP state, and the method comprises the following steps:
acquiring a TCP session security state record and a TCP session security skip record;
analyzing the TCP message to obtain a keyword for analyzing the real-time TCP session state; the keywords comprise a TCP session ID and a TCP Flag;
calling an addressing tool to search keywords for real-time TCP session state analysis to obtain the real-time TCP session state of the TCP message; the addressing tool comprises: linear tables, hash tables, and TCAMs;
acquiring a TCP session state and a TCP session jump record at the next moment according to the real-time TCP session state and the TCP Flag;
Matching the TCP session state with the TCP session security state record; matching the TCP session jump record with the TCP session security jump record; if any one of the matching fails, judging that the TCP message has network attack behavior.
CN202210500154.1A 2022-05-07 2022-05-07 Network attack detection method and system based on switching network Active CN114697136B (en)
Publications (2)

Publication Number Publication Date
CN114697136A CN114697136A (en) 2022-07-01
CN114697136B true CN114697136B (en) 2024-05-14
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant