CN114884715A - Flow detection method, detection model training method, device and related equipment - Google Patents


Info

Publication number: CN114884715A
Authority: CN (China)
Prior art keywords: flow, data, traffic, detection, detection model
Legal status: Pending
Application number: CN202210452457.0A
Other languages: Chinese (zh)
Inventors: 周运金, 陈晨, 庄镇州
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210452457.0A
Publication of CN114884715A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation

Abstract

The application discloses a traffic detection method comprising: acquiring traffic data within a preset time, the traffic data comprising a plurality of packets; extracting features from the traffic data according to the distribution characteristics of the packets to obtain traffic distribution features; and detecting the traffic distribution features with a feature detection model to determine whether abnormal traffic exists in the traffic data. By applying the technical scheme of the application, accurate detection of traffic data can be achieved and the network security of the user host ensured. The application also discloses a detection model training method, a traffic detection apparatus, a device and a computer-readable storage medium, which have the same beneficial effects.

Description

Flow detection method, detection model training method, device and related equipment
Technical Field
The application relates to the technical field of computer security, and in particular to a traffic detection method, a detection model training method, a traffic detection apparatus, a device and a computer-readable storage medium.
Background
A reverse shell is a setup in which a control end listens on a TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port, the controlled end initiates a connection to that port, and the input and output of the command line are redirected to the control end. It is the counterpart of standard shells such as telnet and ssh; in essence it reverses the client and server roles of the network connection.
Reverse shells are divided into plaintext reverse shells and encrypted reverse shells. A plaintext reverse shell exchanges its commands in the clear within a TCP stream, and such plaintext command interaction is readily detected by many security products; for this reason real targeted attacks, and APTs (Advanced Persistent Threats) in particular, avoid plaintext reverse shells, because the attack is easy to discover, and detection products for plaintext reverse shells have tended to become homogeneous. An encrypted reverse shell transmits the interactive commands over an encrypted data protocol such as TLS (Transport Layer Security); in that case no plaintext command can be intercepted on the network, and rule-based detection fails.
Therefore, how to detect such network traffic and ensure the network security of the user host is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The purpose of the present application is to provide a traffic detection method that can accurately detect traffic data and ensure the network security of the user host; another object of the present application is to provide a detection model training method, a traffic detection apparatus, a device and a computer-readable storage medium, all of which have the above advantages.
In a first aspect, the present application provides a traffic detection method, including:
acquiring traffic data within a preset time, the traffic data comprising a plurality of packets;
extracting features from the traffic data according to the distribution characteristics of the plurality of packets to obtain traffic distribution features;
and detecting the traffic distribution features with a feature detection model to determine whether abnormal traffic exists in the traffic data.
Optionally, the feature detection model is constructed by:
acquiring positive sample packets exhibiting encrypted reverse shell behavior and negative sample packets without encrypted reverse shell behavior;
extracting features from the positive sample packets to obtain positive sample features;
extracting features from the negative sample packets to obtain negative sample features;
and training a model on the positive sample features and the negative sample features to obtain the feature detection model.
Optionally, after the traffic data within the preset time is acquired, the method further includes:
extracting protocol-related features of the traffic data according to the packet transmission protocol;
correspondingly, detecting the traffic distribution features with the feature detection model includes:
detecting the traffic distribution features and the protocol-related features with the feature detection model.
Optionally, the protocol-related features include certificate features and/or domain name features and/or handshake features.
Optionally, the certificate features include certificate signature information and/or the certificate validity period and/or the interval between the certificate validity period and the session creation time.
Optionally, the traffic distribution features include packet access time distribution information and/or packet size distribution information.
Optionally, the packet access time distribution information includes packet access delay information.
Optionally, the packet size distribution information includes the memory occupied by the packets.
In a second aspect, the present application further discloses a detection model training method, including:
acquiring traffic data within a preset time, the traffic data comprising abnormal traffic and normal traffic;
extracting features from the abnormal traffic to obtain negative sample features;
extracting features from the normal traffic to obtain positive sample features;
and training a feature detection model on the positive sample features and the negative sample features to obtain the trained feature detection model.
In a third aspect, the present application further discloses a traffic detection apparatus, including:
a packet acquisition module for acquiring traffic data within a preset time, the traffic data comprising a plurality of packets;
a feature extraction module for extracting features from the traffic data according to the distribution characteristics of the packets to obtain traffic distribution features;
and a feature detection module for detecting the traffic distribution features with a feature detection model and determining whether abnormal traffic exists in the traffic data.
In a fourth aspect, the present application further discloses a traffic detection device, including:
a memory for storing a computer program;
and a processor that, when executing the computer program, implements the steps of the traffic detection method and/or the steps of the detection model training method described above.
In a fifth aspect, the present application further discloses a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the traffic detection method and/or the steps of the detection model training method.
The application provides a traffic detection method comprising: acquiring traffic data within a preset time, the traffic data comprising a plurality of packets; extracting features from the traffic data according to the distribution characteristics of the plurality of packets to obtain traffic distribution features; and detecting the traffic distribution features with a feature detection model to determine whether abnormal traffic exists in the traffic data.
Therefore, the traffic detection method provided by the application first obtains the traffic data, then extracts the preset features of the traffic data to obtain the traffic distribution features, and finally detects the extracted traffic distribution features with the feature detection model to determine whether abnormal traffic exists in the traffic packets, thereby realizing detection of the traffic data. Because the detection is performed by the feature detection model, the network security of the user host can be effectively ensured.
The detection model training method, the traffic detection apparatus, the device and the computer-readable storage medium provided by the application all have the same beneficial effects, which are not repeated here.
Drawings
In order to illustrate the technical solutions of the prior art and of the embodiments of the present application more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below relate only to some embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort, and such drawings also fall within the scope of protection of the present application.
Fig. 1 is a schematic flowchart of a traffic detection method provided by the present application;
Fig. 2 is a schematic flowchart of another traffic detection method provided by the present application;
Fig. 3 is a schematic structural diagram of a traffic detection apparatus provided by the present application;
Fig. 4 is a schematic structural diagram of a traffic detection device provided by the present application;
Fig. 5 is a flowchart of a detection model training method provided by the present application.
Detailed Description
The core of the application is to provide a traffic detection method that can accurately detect traffic data and ensure the network security of the user host; another object of the present application is to provide a detection model training method, a traffic detection apparatus, a device and a computer-readable storage medium.
To describe the technical solutions of the embodiments of the present application clearly and completely, they are described below with reference to the drawings of the embodiments. The embodiments described are only some of the embodiments of the present application, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the present application.
In the related art, an encrypted reverse shell transmits its interactive commands over an encrypted data protocol such as TLS; in that case no plaintext command can be intercepted on the network, and rule-based detection fails.
To solve this technical problem, the present application provides a traffic detection method in which traffic data is first acquired, preset features are then extracted from it to obtain traffic distribution features, and the extracted traffic distribution features are finally detected with a feature detection model to determine whether abnormal traffic exists in the traffic packets, thereby realizing detection of the traffic data. Because the detection is performed by the feature detection model, the network security of the user host can be effectively ensured.
An embodiment of the application provides a traffic detection method.
Referring to Fig. 1, which is a schematic flowchart of a traffic detection method provided by the present application, the traffic detection method may include:
S101: acquiring traffic data within a preset time, the traffic data comprising a plurality of packets;
This step aims to obtain traffic data within a preset time, the traffic data comprising a plurality of packets. Further, the traffic packets may be packets to be detected, i.e. packets that need to undergo encrypted reverse shell behavior detection.
It should be noted that, in this embodiment of the application, the execution body that implements traffic detection may be a detection device placed between the user host and the server, configured to perform traffic detection on the packets exchanged between the user host and the server; the traffic data may therefore be communication packets sent by the user host to the server, or communication packets sent by the server to the user host.
In an actual detection scenario, the detection device can intercept the data transmitted between the user host and the server in real time, at scheduled times, or on receipt of a detection instruction, so as to acquire the traffic data.
Of course, the way of obtaining the traffic data is not unique; obtaining it by intercepting packets is only one implementation mentioned in this embodiment, and other methods may be used. For example, the user host and the server may log the traffic they receive and send, and the detection device may obtain the traffic data by inspecting the log files on the user host or the server.
S102: extracting features from the traffic data according to the distribution characteristics of the plurality of packets to obtain traffic distribution features;
This step extracts features from the traffic data according to the distribution characteristics of the plurality of packets to obtain traffic distribution features. Once the traffic data has been obtained, features can be extracted from it, for example by a corresponding feature extraction algorithm or feature matching algorithm, to obtain the traffic distribution features. It can be understood that, since the present application can detect encrypted reverse shell behavior, the traffic distribution features may be feature information related to encrypted reverse shell behavior.
The extracted features may further include protocol-related features, i.e. features related to the data protocol used by the traffic packets, which can be obtained by analyzing that protocol. The traffic distribution features, by contrast, are feature information about the traffic data itself and are obtained by analyzing the traffic data itself. Of course, the specific content of the extracted features may be set by a technician according to actual requirements, and is not limited by the present application.
S103: detecting the traffic distribution features with the feature detection model and determining whether abnormal traffic exists in the traffic data.
This step detects the traffic distribution features with a feature detection model and determines whether abnormal traffic exists in the traffic data. After the traffic distribution features of the traffic packets have been extracted, the step further detects them with the feature detection model to determine whether abnormal traffic exists in the traffic packets, and further whether encrypted reverse shell behavior exists in the traffic data.
The feature detection model is a detection model pre-trained on sample data; it can be stored in advance in a corresponding storage space so that it can be called directly. Its specific type is also not unique: it may be, for example, a decision tree, a random forest, a support vector machine, a gradient boosting tree or a neural network. It should be noted that, as those skilled in the art will know, in other embodiments the feature detection model may also be a judgment model in which a pass threshold is set for each feature in the traffic distribution features; each feature is compared with its corresponding threshold to obtain a judgment result for that feature, and whether encrypted reverse shell behavior exists in the traffic packets is then determined from all the judgment results.
Furthermore, when abnormal traffic (such as encrypted reverse shell behavior) exists in the traffic packets, an alarm prompt can be output to remind technicians that the current traffic packets contain an abnormal attack, so that they can take protective measures in time. The alarm prompt may specifically be an indicator light, a buzzer, a page pop-up or the like, which the application does not limit.
Therefore, the traffic detection method provided by the application first obtains the traffic data, then extracts its preset features to obtain the traffic distribution features, and finally detects the extracted traffic distribution features with the feature detection model to determine whether abnormal traffic exists in the traffic packets, thereby realizing detection of the traffic data. Because the detection is performed by the feature detection model, the network security of the user host can be effectively ensured.
In an embodiment of the present application, the feature detection model may be constructed as follows: acquiring positive sample packets exhibiting encrypted reverse shell behavior and negative sample packets without encrypted reverse shell behavior; extracting features from the positive sample packets to obtain positive sample features; extracting features from the negative sample packets to obtain negative sample features; and training a model on the positive sample features and the negative sample features to obtain the feature detection model.
This embodiment provides a method for constructing the feature detection model. Specifically, when the feature detection model is generated by training, sample data is first collected, comprising positive samples and negative samples, i.e. the positive sample packets and negative sample packets above; features are then extracted from the positive and negative sample packets respectively to obtain the corresponding positive and negative sample features; and finally a model is trained with the positive and negative sample features as training data to obtain the final feature detection model.
It should be noted that, in the embodiments of the present application, positive samples are samples belonging to a certain category and negative samples are samples not belonging to that category.
In addition, while the model is applied, i.e. while the feature detection model is used for traffic detection or encrypted reverse shell behavior detection, it can be continuously optimized according to the detection results, so as to keep improving the model's precision and thus the accuracy of the detection results.
In an embodiment of the present application, after acquiring the traffic data within the preset time, the method further includes:
extracting protocol-related features of the traffic data according to the packet transmission protocol;
correspondingly, detecting the traffic distribution features with the feature detection model includes:
detecting the traffic distribution features and the protocol-related features with the feature detection model.
As can be seen, in this embodiment, after the traffic data is obtained, its protocol-related features are extracted according to the packet transmission protocol; that is, the protocol-related features are obtained in addition to the traffic distribution features. Correspondingly, the detection process detects both the traffic distribution features and the protocol-related features with the feature detection model.
It should be noted that, since the encrypted traffic is protected by a certificate-based protocol, there are often anomalies in the certificate, such as the use of a self-signed certificate, or a certificate validity period that begins close to the session creation time. Extracting such data protocol features therefore allows abnormal traffic to be detected and improves the accuracy of that detection.
In one embodiment of the present application, the protocol-related features described above may include certificate features and/or domain name features and/or handshake features.
This embodiment provides specific types of protocol-related feature, namely the certificate, domain name and handshake features above. The certificate features may in turn include certificate signature information and/or the certificate validity period and/or the interval between the certificate validity period and the session creation time. The certificate signature information is the signature information of the certificate in the data protocol used by the corresponding traffic packets; the certificate validity period is the validity period of that certificate.
It can be understood that, since most encrypted reverse shells are encrypted with OpenSSL (a Secure Sockets Layer cryptographic library), there are many anomalies in the certificate, such as the use of a self-signed certificate or a certificate validity period close to the session creation time, so these data protocol features can be extracted to detect encrypted reverse shell behavior. The session creation time is the time information of the session created between the user host and the server, such as the time point at which it was created and its duration.
In an embodiment of the application, the traffic distribution features include packet access time distribution information and/or packet size distribution information.
This embodiment provides specific types of traffic distribution feature, namely packet access time distribution information and/or packet size distribution information. The packet access time distribution information refers to the access time points of the corresponding traffic packets; the packet size distribution information refers to the sizes of the corresponding traffic packets.
It can be understood that the two dimensions of packet access time and packet size capture specific behaviors of a large number of encrypted reverse shells, including delay characteristics and a malformed uplink/downlink packet size ratio, which are strongly correlated with encrypted reverse shell behavior. The delay characteristic reflects a pronounced manual-operation pattern that is specific to the encrypted reverse shell: its command interaction is a command-issuing operation in which the controlled host waits for commands issued by the control host, so more delay features appear in the application data packet exchange, and most of the delay observed is on downlink packets, the downlink packets being the issued command packets and the uplink packets the content echoed back after the command is executed. The uplink/downlink packet size ratio is the ratio of the uplink packet size to the downlink packet size; when the traffic packets carry encrypted reverse shell behavior, the downlink packets are small and the uplink packets large, so the ratio is abnormal.
It should be noted that the data protocol features and traffic behavior features above are only one implementation provided by these two embodiments and are not the only possibility; other types of data protocol feature and traffic behavior feature may be added according to actual detection requirements, which the application does not limit.
Further, the packet access time distribution information includes packet access delay information, and the packet size distribution information includes the proportion of memory occupied by the packets.
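The following is an added example, not code from the patent or from Sangfor, that extracts the two feature families the preceding passages describe: the certificate features (self-signature, validity period, gap between validity start and session creation) and the traffic distribution features (downlink packet delay peak, uplink/downlink size ratio). The packet records, certificate metadata and field names are constructed for illustration and are assumptions, not the patent's data format.

```python
"""Feature extraction for an encrypted reverse-shell detector.

Added example, not code from the patent or from Sangfor. A session is
represented as TLS-level packet records (timestamp, direction, size) plus a
small dict of certificate metadata; all field names are assumptions and the
sample sessions below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Packet:
    ts: float        # seconds since session start
    direction: str   # "down" = server -> user host, "up" = user host -> server
    size: int        # application-data bytes carried by the record


def traffic_distribution_features(packets):
    """Packet access-time and packet-size distribution features (step S102).

    The delay of a downlink packet is measured from the packet that preceded
    it; an interactive reverse shell shows long pauses before each (small)
    command packet and large uplink packets carrying the command output.
    """
    pk = sorted(packets, key=lambda p: p.ts)
    down_delays = [b.ts - a.ts for a, b in zip(pk, pk[1:]) if b.direction == "down"]
    up_bytes = sum(p.size for p in pk if p.direction == "up")
    down_bytes = sum(p.size for p in pk if p.direction == "down")
    return {
        "down_delay_peak": max(down_delays, default=0.0),
        "down_delay_mean": mean(down_delays) if down_delays else 0.0,
        "up_down_size_ratio": (up_bytes / down_bytes) if down_bytes else 0.0,
        "down_pkt_count": sum(1 for p in pk if p.direction == "down"),
    }


def certificate_features(cert, session_created):
    """Protocol-related certificate features: self-signature, validity period
    length, and the gap between the validity start and the session creation
    time (a certificate minted just before the session is a listed anomaly)."""
    validity_days = (cert["not_after"] - cert["not_before"]).days
    gap_hours = abs((session_created - cert["not_before"]).total_seconds()) / 3600.0
    return {
        "self_signed": int(cert["issuer"] == cert["subject"]),
        "validity_days": validity_days,
        "issue_to_session_hours": gap_hours,
    }


def extract_features(packets, cert, session_created):
    """Combined feature vector handed to the feature detection model."""
    feats = traffic_distribution_features(packets)
    feats.update(certificate_features(cert, session_created))
    return feats


# --- constructed sample sessions (not captured traffic) -------------------
# Interactive reverse shell: short command packets downlink after long pauses,
# large output packets uplink, self-signed certificate created minutes before
# the session.
SHELL_PACKETS = [
    Packet(0.0, "down", 45), Packet(0.2, "up", 1200),
    Packet(8.5, "down", 60), Packet(8.7, "up", 4300),
    Packet(21.0, "down", 52), Packet(21.3, "up", 900),
]
SHELL_SESSION = datetime(2022, 4, 20, 9, 12)
SHELL_CERT = {
    "issuer": "CN=localhost", "subject": "CN=localhost",
    "not_before": datetime(2022, 4, 20, 9, 0),
    "not_after": datetime(2022, 4, 20, 9, 0) + timedelta(days=365),
}

# Ordinary HTTPS page load: small requests uplink, bulk data downlink with
# negligible gaps, CA-issued certificate months old.
NORMAL_PACKETS = [
    Packet(0.0, "up", 300), Packet(0.05, "down", 1400), Packet(0.06, "down", 1400),
    Packet(0.07, "down", 800), Packet(0.3, "up", 250), Packet(0.35, "down", 1400),
]
NORMAL_SESSION = datetime(2022, 4, 20, 9, 12)
NORMAL_CERT = {
    "issuer": "CN=Example CA", "subject": "CN=example.com",
    "not_before": datetime(2021, 11, 1), "not_after": datetime(2022, 11, 1),
}

if __name__ == "__main__":
    for name, pk, cert, created in [
        ("shell", SHELL_PACKETS, SHELL_CERT, SHELL_SESSION),
        ("normal", NORMAL_PACKETS, NORMAL_CERT, NORMAL_SESSION),
    ]:
        print(name, extract_features(pk, cert, created))
```

On the constructed sessions the shell-like one yields a downlink delay peak of 12.3 s, an uplink/downlink byte ratio above 40 and a self-signed certificate issued 0.2 h before the session, while the HTTPS-like one stays below 0.1 s, below 0.2 and months old respectively.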
In an embodiment of the application, acquiring the traffic data may include: acquiring traffic data encrypted with the TLS protocol and/or traffic data encrypted with the SSL (Secure Sockets Layer) protocol.
This embodiment provides specific types of traffic data, namely traffic data encrypted with TLS and/or with SSL. It can be understood that traffic carrying encrypted reverse shell behavior is generally encrypted with TLS or SSL, so the TLS- and/or SSL-encrypted traffic can be selected from all traffic currently flowing between the user host and the server, which effectively improves the efficiency of encrypted reverse shell behavior detection.
In an embodiment of the application, acquiring the traffic data may include: when the preset detection period is reached, acquiring all traffic data within the preset detection period.
In this embodiment, periodic detection can be performed according to a detection period: when the preset detection period is reached, all traffic data between the user host and the server within that period is acquired. The preset detection period can be set by a technician according to actual detection requirements and is not limited by the application; for example, 20:00 to 24:00 each day may be set as the period in which traffic data is acquired for encrypted reverse shell behavior detection, this being a peak usage period for the network.
In an embodiment of the present application, detecting the traffic distribution features with the feature detection model to determine whether encrypted reverse shell behavior exists in the traffic data may include: detecting the traffic distribution features with a random forest model and determining whether encrypted reverse shell behavior exists in the traffic data.
This embodiment provides a specific type of feature detection model, namely a random forest model. Specifically, a random forest is a classifier that trains on and predicts samples using a plurality of trees; it is composed of a plurality of decision trees, each of which is a tree structure in which each internal node represents a test on an attribute, each branch represents an outcome of the test, and each leaf node represents a category, so a decision tree can determine, from a series of features possessed by the traffic data, whether encrypted reverse shell behavior exists in it. When detection is performed with the random forest, the category of the full set of traffic distribution features of the traffic data is judged separately by each decision tree, and the statistical results of all the decision trees are accumulated to give the final result.
Of course, the random forest model is only a preferred implementation provided in this embodiment and is not the only possibility; other models such as a decision tree, a support vector machine, a gradient boosting tree or a neural network may also be used, as set by a technician according to the actual situation, which the present application does not limit.
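As an added example, not code from the patent or from Sangfor, the following trains the random forest described above from positive and negative sample features, as in the model construction embodiment, and then votes across the trees to classify a session. It implements bootstrap resampling, a random feature subset at each node, Gini-based threshold splits and majority voting from scratch so it runs without a machine-learning library; the feature order and the training rows are constructed assumptions.

```python
"""Minimal random forest for the encrypted reverse-shell detector.

Added example, not code from the patent or from Sangfor. Feature vectors are
[down_delay_peak_s, up_down_size_ratio, self_signed, cert_validity_days];
the training rows below are constructed, not measured.
"""
import random

FEATURE_NAMES = ["down_delay_peak_s", "up_down_size_ratio", "self_signed", "validity_days"]


def gini(labels):
    """Gini impurity of a list of 0/1 labels (0.0 for a pure set)."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(rows, labels, feat_idx):
    """Best (gain, feature, threshold) over the given feature subset, trying
    the midpoint between each pair of adjacent distinct values."""
    parent, best = gini(labels), None
    for f in feat_idx:
        values = sorted({r[f] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0
            left = [l for r, l in zip(rows, labels) if r[f] <= thr]
            right = [l for r, l in zip(rows, labels) if r[f] > thr]
            child = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
            if best is None or parent - child > best[0]:
                best = (parent - child, f, thr)
    return best


def build_tree(rows, labels, rng, max_depth, n_feat):
    """Grow one decision tree: each internal node tests one feature against a
    threshold chosen from a random feature subset; each leaf is a category."""
    majority = int(2 * sum(labels) >= len(labels))
    if max_depth == 0 or len(set(labels)) == 1:
        return ("leaf", majority)
    split = best_split(rows, labels, rng.sample(range(len(rows[0])), n_feat))
    if split is None or split[0] <= 0.0:
        return ("leaf", majority)
    _, f, thr = split
    li = [i for i, r in enumerate(rows) if r[f] <= thr]
    ri = [i for i, r in enumerate(rows) if r[f] > thr]
    return ("node", f, thr,
            build_tree([rows[i] for i in li], [labels[i] for i in li], rng, max_depth - 1, n_feat),
            build_tree([rows[i] for i in ri], [labels[i] for i in ri], rng, max_depth - 1, n_feat))


def predict_tree(tree, row):
    while tree[0] == "node":
        _, f, thr, left, right = tree
        tree = left if row[f] <= thr else right
    return tree[1]


def train_forest(rows, labels, n_trees=25, max_depth=3, seed=7):
    """Each tree sees a bootstrap resample and sqrt(n_features) features per node."""
    rng = random.Random(seed)
    n_feat = max(1, int(len(rows[0]) ** 0.5))
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(rows)) for _ in rows]
        forest.append(build_tree([rows[i] for i in idx], [labels[i] for i in idx],
                                 rng, max_depth, n_feat))
    return forest


def predict_forest(forest, row):
    """Majority vote of all trees: 1 = encrypted reverse shell, 0 = normal."""
    votes = sum(predict_tree(t, row) for t in forest)
    return int(2 * votes > len(forest))


def accuracy(forest, rows, labels):
    return sum(predict_forest(forest, r) == l for r, l in zip(rows, labels)) / len(rows)


# Constructed sample features: positives (label 1) are interactive encrypted
# reverse-shell sessions, negatives (label 0) are ordinary TLS sessions. One
# positive uses a CA-signed certificate, since self-signing is common but not
# universal.
TRAIN_ROWS = [
    [12.3, 40.8, 1, 365], [6.0, 9.5, 1, 365], [30.0, 22.0, 1, 30],
    [18.5, 55.0, 1, 365], [9.2, 15.0, 0, 90], [25.0, 7.5, 1, 365],
    [0.05, 0.11, 0, 365], [0.02, 0.08, 0, 398], [0.4, 0.3, 0, 90],
    [0.1, 0.05, 0, 730], [0.3, 0.5, 0, 365], [0.01, 0.2, 0, 180],
]
TRAIN_LABELS = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    model = train_forest(TRAIN_ROWS, TRAIN_LABELS)
    print("training accuracy:", accuracy(model, TRAIN_ROWS, TRAIN_LABELS))
    print("unseen shell-like session ->", predict_forest(model, [15.0, 30.0, 1, 365]))
    print("unseen normal session     ->", predict_forest(model, [0.1, 0.2, 0, 398]))
```

The delay and size-ratio features separate the two constructed classes cleanly, so the vote is dominated by trees that split on them; the page's "accumulate the statistical results of all decision trees" step is the majority vote in predict_forest.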
On the basis of the foregoing embodiments, please refer to fig. 2, which is a schematic flowchart of another encrypted reverse shell behavior detection method provided in the present application. The method is implemented as follows:
(1) acquiring traffic data within a preset time, the traffic data comprising a plurality of data packets;
(2) performing feature extraction on the traffic data packets, the extraction process comprising certificate analysis and spatio-temporal feature processing, to obtain the corresponding protocol-related features and traffic distribution features; the protocol-related features include whether the certificate is self-signed, the certificate validity period and the like, and the traffic distribution features include the packet delay peak value, the packet size ratio and the like;
(3) inputting the extracted feature information into a random forest model for processing, and determining from the processing result whether encrypted reverse shell behavior exists in the traffic data packets.
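The feature extraction of step (2), as an added example that is not code from the patent or its applicant: the certificate analysis yields the protocol-related features named above (whether the certificate is self-signed, its validity period, and the interval between the start of the validity period and session creation), and the spatio-temporal processing yields the packet delay peak and the packet size ratio from the per-packet timestamps and sizes. The `Packet` and `Certificate` records, the field names, the 128-byte "small packet" threshold and the sample session are all constructed assumptions, not taken from the patent; a capture tool would populate the records from real traffic.

```python
"""Added example: protocol-related and traffic-distribution features for one
session. Data shapes, thresholds and sample values are hypothetical."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class Packet:
    ts: float        # capture time in seconds since the session started
    size: int        # bytes on the wire
    outbound: bool   # True: user host -> server, False: server -> user host


@dataclass
class Certificate:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def protocol_features(cert: Certificate, session_start: datetime) -> Dict[str, float]:
    """Certificate analysis: self-signed flag, validity period, and the gap
    between the start of validity and the creation of this session."""
    validity_days = (cert.not_after - cert.not_before).total_seconds() / 86400
    gap_hours = (session_start - cert.not_before).total_seconds() / 3600
    return {
        # a self-signed certificate has identical subject and issuer names
        "self_signed": 1.0 if cert.subject == cert.issuer else 0.0,
        "validity_days": validity_days,
        "not_before_to_session_hours": gap_hours,
    }


def distribution_features(packets: List[Packet]) -> Dict[str, float]:
    """Spatio-temporal processing: inter-packet delay peak and mean, the share
    of bytes sent by the host, and the share of small packets."""
    if len(packets) < 2:
        raise ValueError("at least two packets are needed for delay features")
    ordered = sorted(packets, key=lambda p: p.ts)
    delays = [b.ts - a.ts for a, b in zip(ordered, ordered[1:])]
    out_bytes = sum(p.size for p in ordered if p.outbound)
    in_bytes = sum(p.size for p in ordered if not p.outbound)
    total = out_bytes + in_bytes
    return {
        "delay_peak_s": max(delays),
        "delay_mean_s": sum(delays) / len(delays),
        "outbound_size_ratio": out_bytes / total if total else 0.0,
        "small_packet_ratio": sum(1 for p in ordered if p.size <= 128) / len(ordered),
    }


def session_features(packets: List[Packet], cert: Certificate,
                     session_start: datetime) -> Dict[str, float]:
    """Merge both feature families into one dictionary for the detector."""
    feats = dict(protocol_features(cert, session_start))
    feats.update(distribution_features(packets))
    return feats


def feature_vector(feats: Dict[str, float]) -> List[float]:
    """Fixed column order, as a classifier expects numeric vectors."""
    return [feats["self_signed"], feats["validity_days"],
            feats["delay_peak_s"], feats["outbound_size_ratio"]]


# Constructed sample session (hypothetical values, not captured traffic).
SAMPLE_START = datetime(2022, 4, 27, 20, 15, 0)
SAMPLE_CERT = Certificate(subject="CN=example-host", issuer="CN=example-host",
                          not_before=datetime(2022, 4, 27, 19, 0, 0),
                          not_after=datetime(2023, 4, 27, 19, 0, 0))
SAMPLE_PACKETS = [
    Packet(0.0, 517, True), Packet(0.05, 1300, False), Packet(0.1, 93, True),
    Packet(12.4, 120, True), Packet(12.5, 640, False), Packet(30.0, 80, True),
]

if __name__ == "__main__":
    for name, value in session_features(SAMPLE_PACKETS, SAMPLE_CERT, SAMPLE_START).items():
        print(f"{name:30s} {value:.4f}")
```

The returned dictionary is what step (3) consumes after conversion to a numeric vector; the `feature_vector` ordering is an assumption of this example and must match whatever order the model was trained with.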
It can be seen that the encrypted reverse shell behavior detection method of this embodiment first obtains traffic data packets, then performs traffic distribution feature extraction on them to obtain data protocol features and traffic behavior features, and finally detects the extracted traffic distribution features with a feature detection model to determine whether encrypted reverse shell behavior exists in the traffic data packets. Because detection is carried out by the feature detection model, the network security of the user host can be effectively ensured.
Furthermore, to improve the training of the feature detection model, and thereby the accuracy of feature recognition based on it, the following embodiment describes a detection model training method provided by the present application.
Referring to fig. 5, fig. 5 is a flowchart of a detection model training method provided in the present application.
In this embodiment, the method may include:
S201, acquiring traffic data within a preset time, the traffic data comprising abnormal traffic and normal traffic;
S202, performing feature extraction on the abnormal traffic to obtain negative sample features;
S203, performing feature extraction on the normal traffic to obtain positive sample features;
S204, training the feature detection model with the positive sample features and the negative sample features to obtain the trained feature detection model.
As can be seen, in this embodiment the feature detection model is trained through the above steps on the acquired abnormal traffic and normal traffic, yielding a trained feature detection model. Further, traffic data under different conditions may be acquired so that traffic in different environments can be detected: the traffic data may be non-encrypted traffic data, or a mixture of non-encrypted and encrypted traffic data. Correspondingly, the feature detection model trained in this embodiment can be used to detect traffic data in a non-encrypted environment, an encrypted environment, or a mixed environment.
Further, in this embodiment, the acquired traffic data includes abnormal traffic and normal traffic. Normal traffic is the traffic sent in the network when it is not under attack, that is, traffic data in the absence of any abnormal condition. Abnormal traffic is the traffic data generated when an attack occurs, and it contains abnormal or attack content.
Further, in this embodiment, the execution order of S202 and S203 is not limited: S202 may be executed before S203, S203 before S202, or both may be executed simultaneously.
The training process based on the positive sample features and the negative sample features may adopt an existing training approach and is not specifically limited here.
Therefore, in this embodiment, the abnormal traffic and normal traffic obtained from the traffic data are subjected to feature extraction to obtain the negative sample features and positive sample features, and model training is then performed to obtain a trained feature detection model. This improves the training of the model, so that traffic data can be detected accurately with the feature detection model and network security is improved.
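A worked version of the training procedure S201 to S204, which also shows the decision-tree test/branch/leaf structure and the accumulated vote described for the random forest model above. This is an added example, not code from the patent or its applicant: the training data is constructed and hypothetical (feature vectors `[self_signed, certificate_validity_days, packet_delay_peak_s, outbound_size_ratio]`, with the value ranges chosen only to make the two classes separable), and the forest is a minimal bootstrap-plus-random-attribute-subset implementation rather than any particular library. Following the text, abnormal traffic yields the negative samples and normal traffic the positive samples; the labels are spelled out as strings so the polarity cannot be confused.

```python
"""Added example: training and using a small random forest on labelled
traffic feature vectors. Data and feature layout are hypothetical."""
import random
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Row = Tuple[Sequence[float], str]   # (feature vector, label)


def label_samples(abnormal_features: List[Sequence[float]],
                  normal_features: List[Sequence[float]]) -> List[Row]:
    """S202/S203: abnormal traffic gives the negative samples, normal traffic
    the positive samples; the order of extraction does not matter."""
    return ([(x, "abnormal") for x in abnormal_features]
            + [(x, "normal") for x in normal_features])


def gini(labels: Sequence[str]) -> float:
    """Gini impurity of a label multiset; 0.0 means the node is pure."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows: List[Row], feature_ids: Sequence[int]):
    """Lowest-impurity (score, feature, threshold) over candidate features."""
    best = None
    for f in feature_ids:
        values = sorted({r[0][f] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [r[1] for r in rows if r[0][f] <= thr]
            right = [r[1] for r in rows if r[0][f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best


def build_tree(rows: List[Row], feature_ids: List[int], rng: random.Random,
               max_depth: int, depth: int = 0) -> Dict:
    """Each internal node tests one attribute against a threshold, each branch
    is one outcome of that test, and each leaf is a category."""
    labels = [r[1] for r in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if depth >= max_depth or gini(labels) == 0.0:
        return {"leaf": majority}
    k = max(1, int(len(feature_ids) ** 0.5))   # random attribute subset per node
    split = best_split(rows, rng.sample(feature_ids, k))
    if split is None:                           # no distinct values to split on
        return {"leaf": majority}
    _, f, thr = split
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return {"feature": f, "threshold": thr,
            "left": build_tree(left, feature_ids, rng, max_depth, depth + 1),
            "right": build_tree(right, feature_ids, rng, max_depth, depth + 1)}


def predict_tree(tree: Dict, x: Sequence[float]) -> str:
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def train_forest(rows: List[Row], n_trees: int = 25, max_depth: int = 3,
                 seed: int = 7) -> List[Dict]:
    """S204: every tree is grown on its own bootstrap resample of the rows."""
    rng = random.Random(seed)
    feature_ids = list(range(len(rows[0][0])))
    return [build_tree([rng.choice(rows) for _ in rows], feature_ids, rng, max_depth)
            for _ in range(n_trees)]


def predict_forest(forest: List[Dict], x: Sequence[float]) -> str:
    """Every tree votes; the accumulated vote is the final result."""
    return Counter(predict_tree(t, x) for t in forest).most_common(1)[0][0]


def accuracy(forest: List[Dict], rows: List[Row]) -> float:
    return sum(predict_forest(forest, x) == y for x, y in rows) / len(rows)


def make_training_set(n_per_class: int = 40, seed: int = 1) -> List[Row]:
    """Constructed, hypothetical samples; real rows come from feature
    extraction over captured abnormal and normal traffic (S201)."""
    rng = random.Random(seed)
    normal = [[0.0, rng.uniform(90, 825), rng.uniform(0.05, 3.0), rng.uniform(0.05, 0.3)]
              for _ in range(n_per_class)]
    abnormal = [[1.0 if rng.random() < 0.8 else 0.0, rng.uniform(30, 3650),
                 rng.uniform(15, 120), rng.uniform(0.4, 0.9)]
                for _ in range(n_per_class)]
    return label_samples(abnormal, normal)


if __name__ == "__main__":
    rows = make_training_set()
    forest = train_forest(rows)
    print("training accuracy:", accuracy(forest, rows))
    print(predict_forest(forest, [1.0, 365.0, 45.0, 0.7]))
```

In practice the training rows would be held out in part for evaluation, and the feature column order used here must be the same one the detector's feature extraction produces.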
Referring to fig. 3, fig. 3 is a schematic structural diagram of a traffic detection apparatus provided in the present application. The traffic detection apparatus may include:
a data packet acquisition module 1 for acquiring traffic data within a preset time, the traffic data comprising a plurality of data packets;
a feature extraction module 2 for performing feature extraction on the traffic data according to the distribution characteristics of the plurality of data packets to obtain traffic distribution features; and
a feature detection module 3 for detecting the traffic distribution features with a feature detection model and determining whether abnormal traffic exists in the traffic data.
It can be seen that the traffic detection apparatus of this embodiment first obtains traffic data, then performs the preset feature extraction on it to obtain traffic distribution features, and finally detects the extracted traffic distribution features with a feature detection model to determine whether abnormal traffic exists in the traffic data packets, thereby realizing detection of the traffic data. Because detection is carried out by the feature detection model, the network security of the user host can be effectively ensured.
In an embodiment of the present application, the traffic detection apparatus may further include a model building module, configured to obtain positive sample data packets exhibiting encrypted reverse shell behavior and negative sample data packets without encrypted reverse shell behavior; perform feature extraction on the positive sample data packets to obtain positive sample features; perform feature extraction on the negative sample data packets to obtain negative sample features; and perform model training with the positive sample features and the negative sample features to obtain the feature detection model.
In an embodiment of the present application, the traffic detection apparatus may further include a protocol feature extraction module, configured to extract protocol-related features of the traffic data according to the packet transmission protocol. Correspondingly, the feature detection module 3 is specifically configured to detect the traffic distribution features and the protocol-related features with the feature detection model.
In one embodiment of the application, the protocol-related features described above comprise certificate features and/or domain name features and/or handshake features.
In one embodiment of the present application, the certificate features comprise certificate signature information and/or the certificate validity period and/or the interval between the certificate validity period and the session creation time.
In an embodiment of the application, the traffic distribution features comprise packet access time distribution information and/or packet size distribution information.
In an embodiment of the application, the packet access time distribution information comprises packet access time delay information.
In an embodiment of the application, the packet size distribution information comprises information on the proportion of memory occupied by the packets.
For the introduction of the apparatus provided in the present application, please refer to the above method embodiments, which are not described herein again.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a traffic detection device provided in the present application. The traffic detection device may include:
a memory for storing a computer program; and
a processor configured to execute the computer program, thereby implementing the steps of any of the above traffic detection methods and/or detection model training methods.
As shown in fig. 4, which is a schematic view of the composition of the traffic detection device, the traffic detection device may include a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 communicate with each other through the communication bus 13.
In the embodiment of the present application, the processor 10 may be a Central Processing Unit (CPU), an application specific integrated circuit, a digital signal processor, a field programmable gate array or other programmable logic device, etc.
The processor 10 may invoke a program stored in the memory 11, and in particular, the processor 10 may perform operations in embodiments of the traffic detection method and/or the detection model training method.
The memory 11 is used for storing one or more programs; a program may include program code, and the program code includes computer operation instructions. In this embodiment, the memory 11 stores at least a program implementing the following functions:
acquiring traffic data within a preset time, the traffic data comprising a plurality of data packets;
performing feature extraction on the traffic data according to the distribution characteristics of the plurality of data packets to obtain traffic distribution features; and
detecting the traffic distribution features with a feature detection model to determine whether abnormal traffic exists in the traffic data;
and/or acquiring traffic data within a preset time, the traffic data comprising abnormal traffic and normal traffic;
performing feature extraction on the abnormal traffic to obtain negative sample features;
performing feature extraction on the normal traffic to obtain positive sample features; and
training a feature detection model with the positive sample features and the negative sample features to obtain the trained feature detection model.
In one possible implementation, the memory 11 may include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created during use.
Further, the memory 11 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device or other non-volatile solid-state storage device.
The communication interface 12 may be an interface of a communication module for connecting with other devices or systems.
It should be noted, of course, that the structure shown in fig. 4 does not limit the traffic detection device of this embodiment; in practical applications, the traffic detection device may include more or fewer components than those shown in fig. 4, or some components may be combined.
The present application further provides a computer-readable storage medium having a computer program stored thereon which, when executed by a processor, is capable of implementing the steps of any one of the above traffic detection methods and/or the steps of the detection model training method.
The computer-readable storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
For the introduction of the computer-readable storage medium provided in the present application, please refer to the above method embodiments, which are not described herein again.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (10)

1. A traffic detection method, comprising:
acquiring traffic data within a preset time, the traffic data comprising a plurality of data packets;
performing feature extraction on the traffic data according to the distribution characteristics of the plurality of data packets to obtain traffic distribution features; and
detecting the traffic distribution features with a feature detection model to determine whether abnormal traffic exists in the traffic data.
2. The traffic detection method according to claim 1, further comprising, after acquiring the traffic data within the preset time:
extracting protocol-related features of the traffic data according to the packet transmission protocol;
correspondingly, detecting the traffic distribution features with the feature detection model comprises:
detecting the traffic distribution features and the protocol-related features with the feature detection model.
3. The traffic detection method according to claim 1, wherein the traffic distribution features comprise packet access time distribution information and/or packet size distribution information.
4. The traffic detection method according to claim 3, wherein the packet access time distribution information comprises packet access time delay information.
5. The traffic detection method according to claim 3, wherein the packet size distribution information comprises packet memory usage ratio information.
6. The traffic detection method according to claim 1, wherein the traffic data is encrypted traffic data.
7. A detection model training method, characterized by comprising the following steps:
acquiring traffic data within a preset time, the traffic data comprising abnormal traffic and normal traffic;
performing feature extraction on the abnormal traffic to obtain negative sample features;
performing feature extraction on the normal traffic to obtain positive sample features; and
training a feature detection model with the positive sample features and the negative sample features to obtain the trained feature detection model.
8. A traffic detection apparatus, comprising:
a data packet acquisition module for acquiring traffic data within a preset time, the traffic data comprising a plurality of data packets;
a feature extraction module for performing feature extraction on the traffic data according to the distribution characteristics of the data packets to obtain traffic distribution features; and
a feature detection module for detecting the traffic distribution features with a feature detection model and determining whether abnormal traffic exists in the traffic data.
9. A traffic detection device, comprising:
a memory for storing a computer program; and
a processor for implementing, when executing the computer program, the steps of the traffic detection method according to any one of claims 1 to 6 and/or the steps of the detection model training method according to claim 7.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon which, when executed by a processor, carries out the steps of the traffic detection method according to any one of claims 1 to 6 and/or the steps of the detection model training method according to claim 7.
CN202210452457.0A 2022-04-27 2022-04-27 Flow detection method, detection model training method, device and related equipment Pending CN114884715A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210452457.0A CN114884715A (en) 2022-04-27 2022-04-27 Flow detection method, detection model training method, device and related equipment

Publications (1)

Publication Number Publication Date
CN114884715A true CN114884715A (en) 2022-08-09

Family

ID=82671472

Country Status (1)

Country Link
CN (1) CN114884715A (en)

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150009038A1 (en) * 2013-07-02 2015-01-08 Icf International Method and apparatus for visualizing network security alerts
WO2016070538A1 (en) * 2014-11-05 2016-05-12 中国科学院声学研究所 Secure shell (ssh2) protocol data collection method and device
CN105791236A (en) * 2014-12-23 2016-07-20 北京网御星云信息技术有限公司 Trojan communication channel detection method and system
US20160219067A1 (en) * 2015-01-28 2016-07-28 Korea Internet & Security Agency Method of detecting anomalies suspected of attack, based on time series statistics
CN106254321A (en) * 2016-07-26 2016-12-21 中国人民解放军防空兵学院 A kind of whole network abnormal data stream sorting technique
CN108833360A (en) * 2018-05-23 2018-11-16 四川大学 A kind of malice encryption flow identification technology based on machine learning
CN109379377A (en) * 2018-11-30 2019-02-22 极客信安(北京)科技有限公司 Encrypt malicious traffic stream detection method, device, electronic equipment and storage medium
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN111431887A (en) * 2020-03-19 2020-07-17 深信服科技股份有限公司 Reverse Shell monitoring method and device, terminal equipment and medium
CN111478921A (en) * 2020-04-27 2020-07-31 深信服科技股份有限公司 Method, device and equipment for detecting communication of hidden channel
CN111478920A (en) * 2020-04-27 2020-07-31 深信服科技股份有限公司 Method, device and equipment for detecting communication of hidden channel
CN112637908A (en) * 2021-03-08 2021-04-09 中国人民解放军国防科技大学 Fine-grained layered edge caching method based on content popularity
CN112822167A (en) * 2020-12-31 2021-05-18 杭州立思辰安科科技有限公司 Abnormal TLS encrypted traffic detection method and system
US20210185072A1 (en) * 2018-09-27 2021-06-17 Bayshore Networks, Inc. System and methods for automated computer security policy generation and anomaly detection
US20210203683A1 (en) * 2019-12-30 2021-07-01 Hangzhou Dptech Technologies Co., Ltd. Abnormality detection
CN113329023A (en) * 2021-05-31 2021-08-31 西北大学 Encrypted flow malice detection model establishing and detecting method and system
CN113364792A (en) * 2021-06-11 2021-09-07 奇安信科技集团股份有限公司 Training method of flow detection model, flow detection method, device and equipment
US20210367885A1 (en) * 2020-05-22 2021-11-25 National Taiwan University Anomaly flow detection device and anomaly flow detection method
CN113965390A (en) * 2021-10-26 2022-01-21 杭州安恒信息技术股份有限公司 Malicious encrypted traffic detection method, system and related device
CN114091602A (en) * 2021-11-18 2022-02-25 西安电子科技大学 SSR flow identification system and method based on machine learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈骋等: "基于HTTP协议组合的隐蔽信道构建方法研究", 信息网络安全, no. 6, pages 57 - 64 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination