CN115022060A - Real-time filtering method and device for network attacks - Google Patents

Info

Publication number: CN115022060A
Authority: CN (China)
Prior art keywords: log, filtering, processed, network attack, behavior
Legal status: Granted (active)
Application number: CN202210664477.4A
Other languages: Chinese (zh)
Other versions: CN115022060B (en)
Inventor: 张洋
Current Assignee: Anbotong Junshi Digital Technology Hubei Co ltd
Original Assignee: Wuhan Sipuling Technology Co Ltd
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202210664477.4A
Publication of CN115022060A
Application granted; publication of CN115022060B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application provides a real-time filtering method and device for network attacks. The method determines log filtering conditions in advance according to the key steps of a pre-constructed network attack event to be detected, pre-constructs a filtering analysis detection model according to the log filtering process corresponding to those conditions, and then uses the model to filter, analyse and detect each structured behavior log to be processed in real time, obtaining a detection result for that log. Because detection depends mainly on the key steps of the network attack event to be detected, it is not limited by whether the threat event is known in advance: variants of a threat event and abnormal traffic can be detected effectively, the abnormal behavior logs generated by the first attacked asset host can be found in real time, the attack is prevented from continuing to spread among asset devices over the local area network, and the loss caused by the attack is greatly reduced.

Description

Real-time filtering method and device for network attacks
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a real-time filtering method and device for network attacks.
Background
With the widespread adoption of new-generation IT technologies such as cloud computing and big data across industries, the IT scale and complexity of government and enterprise organizations keep growing, and so does the volume of data such as network traffic and logs. At the same time, network attack and defence are increasingly intense and attack techniques have diversified, for example cross-site scripting (XSS), cross-site request forgery (CSRF), injection attacks, file upload vulnerabilities and Web framework vulnerabilities. Such attacks are usually hidden inside normal usage: the behavior logs generated by the attack are scattered across different kinds of hosts and buried among other, normal behavior logs. To protect the network better, the attack must be detected in time.
Existing network security protection mainly relies on traditional security software and hardware such as firewalls, Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS), which detect network attacks with the security-feature and signature detection techniques of the security field. Such detection can only recognise known threat events; variants of a threat event or abnormal traffic may be missed, so the attack can spread rapidly among many asset devices over the local area network and cause great loss.
Disclosure of Invention
The application provides a real-time filtering method and device for network attacks, which address the technical problem that the existing detection mode can only detect known threat events and may miss attacks such as threat event variants or abnormal traffic.
In a first aspect, an embodiment of the present application provides a method for filtering a network attack in real time, where the method includes:
acquiring a behavior log generated by each asset in real time in the whole network;
generalizing the behavior log into a structured behavior log to be processed;
inputting the behavior log to be processed into a pre-constructed filtering analysis detection model to perform log filtering analysis detection, so as to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering process corresponding to a log filtering condition, and the log filtering condition is determined according to key steps of a pre-constructed network attack event to be detected.
With reference to the first aspect, in an implementation manner of the first aspect, the key steps of the network attack event to be detected are pre-constructed in the following manner:
determining an intrusion scene of the network attack event to be detected by using a reverse engineering method according to the protection characteristics and the quantification of the characteristic structure in the security field and the data characteristics of each behavior log caused by the network attack event to be detected;
and extracting the network attack event to be detected according to the intrusion scene of the network attack event to be detected.
With reference to the first aspect, in an implementation manner of the first aspect, the filtering analysis detection model is established by:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring an EPL filtering statement from a log filtering condition of the DSL mode;
splitting key conditions in the EPL filtering statement into a plurality of key characters by using a word segmentation algorithm;
generating an abstract syntax tree corresponding to the key condition according to a plurality of key characters;
generating a log filtering process corresponding to the log filtering condition according to the abstract syntax tree;
and obtaining a filtering analysis detection model according to the log filtering process.
With reference to the first aspect, in an implementation manner of the first aspect, the inputting the to-be-processed behavior log into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the to-be-processed behavior log includes:
converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data;
acquiring a condition to be processed from the converted data;
splitting the condition to be processed into a plurality of characters to be processed by using the word segmentation algorithm;
and executing the log filtering process on a plurality of characters to be processed to generate a detection result of the behavior log to be processed.
With reference to the first aspect, in an implementation manner of the first aspect, the executing the log filtering process on the multiple characters to be processed to generate the detection result of the to-be-processed behavior log includes:
comparing each character to be processed with each key character in sequence;
and if all the characters to be processed are completely consistent with all the key characters, generating the to-be-processed behavior log as a result of the abnormal log caused by the to-be-detected network attack event.
With reference to the first aspect, in an implementation manner of the first aspect, the method further includes:
if all the characters to be processed are not completely consistent with all the key characters, generating a result that the behavior log to be processed is a normal log;
and discarding the to-be-processed behavior logs of which the detection results are normal logs.
With reference to the first aspect, in an implementation manner of the first aspect, the obtaining a behavior log generated by each asset in real time in a whole network includes:
and acquiring a behavior log generated by each asset in real time in the whole network by using the monitoring network card.
In a second aspect, an embodiment of the present application provides a real-time filtering apparatus for network attacks, where the apparatus includes:
the behavior log real-time acquisition module is used for acquiring behavior logs generated by all assets in the whole network in real time;
the structured processing module is used for generalizing the behavior log into a structured behavior log to be processed;
the filtering analysis detection module is used for inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering process corresponding to a log filtering condition, and the log filtering condition is determined according to key steps of a pre-constructed network attack event to be detected.
With reference to the second aspect, in an implementation manner of the second aspect, the key steps of the network attack event to be detected are pre-constructed in the following manner:
determining an intrusion scene of the network attack event to be detected by using a reverse engineering method according to the protection characteristics and the quantification of the characteristic structure in the security field and the data characteristics of each behavior log caused by the network attack event to be detected;
and extracting the network attack event to be detected according to the intrusion scene of the network attack event to be detected.
With reference to the second aspect, in an implementable manner of the second aspect, the filtering analysis detection model is built by:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring an EPL filtering statement from a log filtering condition of the DSL mode;
splitting key conditions in the EPL filter statement into a plurality of key characters by using a word segmenter algorithm;
generating an abstract syntax tree corresponding to the key condition according to a plurality of key characters;
generating a log filtering process corresponding to the log filtering condition according to the abstract syntax tree;
and obtaining a filtering analysis detection model according to the log filtering process.
With reference to the second aspect, in an implementable manner of the second aspect, the filtering analysis detection module includes:
the conversion submodule is used for converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data;
the condition acquisition submodule is used for acquiring the condition to be processed from the converted data;
the word segmentation submodule is used for splitting the condition to be processed into a plurality of characters to be processed by using the word segmentation algorithm;
and the log filtering submodule is used for executing the log filtering process on a plurality of characters to be processed and generating a detection result of the behavior log to be processed.
With reference to the second aspect, in an implementation manner of the second aspect, the log filtering submodule is specifically configured to:
comparing each character to be processed with each key character in sequence;
and if all the characters to be processed are completely consistent with all the key characters, generating the to-be-processed behavior log as a result of the abnormal log caused by the to-be-detected network attack event.
With reference to the second aspect, in an implementation manner of the second aspect, the log filtering submodule is further specifically configured to:
if all the characters to be processed are not completely consistent with all the key characters, generating a result that the behavior log to be processed is a normal log;
and discarding the to-be-processed behavior logs of which the detection results are normal logs.
With reference to the second aspect, in an implementation manner of the second aspect, the behavior log real-time obtaining module is specifically configured to:
and acquiring a behavior log generated by each asset in real time in the whole network by using the monitoring network card.
The embodiment of the application provides a real-time filtering method and device for network attacks. In the method, log filtering conditions are determined according to the key steps of a pre-constructed network attack event to be detected, a filtering analysis detection model is then constructed according to the log filtering process corresponding to those conditions, and finally each structured behavior log to be processed is filtered, analysed and detected by the model to obtain its detection result. Because the whole method detects attacks by relying on the key steps of the network attack event to be detected, detection is not limited by whether the threat event is known in advance: variants of a threat event and abnormal traffic can be detected effectively, the abnormal behavior logs generated by the first attacked asset host can be found in real time, the vulnerability can then be patched in time, the attack can be prevented from continuing to spread among asset devices over the local area network, and the loss caused by the attack is greatly reduced.
Drawings
Fig. 1 is a schematic diagram illustrating an example of a network attack detectable by a real-time network attack filtering method according to an embodiment of the present application;
fig. 2 is a schematic overall workflow diagram of a real-time network attack filtering method according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating a specific implementation of a log filtering process executed by a filtering analysis detection model according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a real-time filtering apparatus for network attacks according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
In order to solve the problem that the existing detection mode can only detect known threat events and may miss attacks such as threat event variants or abnormal traffic, so that a network attack can spread rapidly among many asset devices over the local area network and cause large loss, the embodiment of the application provides a real-time filtering method for network attacks. The scheme provided by the application is described below through several embodiments with reference to the drawings.
The real-time filtering method for network attacks can be used to detect network attacks that give an asset host abnormal behavior characteristics. Such attacks are usually hidden inside normal usage, and the abnormal behavior logs the asset host generates because of the attack are usually buried among a large number of other, normal behavior logs. Fig. 1 is an exemplary schematic diagram of a network attack detectable by the real-time network attack filtering method according to an embodiment of the present application. As shown in fig. 1, in one example the network attack is an EternalBlue variant carrying Satan ransomware. After the asset host is attacked, it executes the virus parent file st.exe, which then downloads the files ms.exe and client.exe. The file ms.exe is a self-extracting archive, and the files blue.exe and star.exe it contains carry out the EternalBlue vulnerability attack. Once the attack succeeds, star.exe loads the payload down64.dll, and down64.dll is responsible for executing the payload, i.e. downloading and running st.exe. st.exe is the Satan ransomware: it encrypts files and displays a ransom note. Every host infected through IP scanning repeats the steps of downloading and executing st.exe, so the attack spreads rapidly through the local area network.
In addition, the real-time network attack filtering method provided by the embodiment of the application can also be used for detecting other network attacks which can cause the asset host to generate abnormal behavior logs, and the embodiment of the application does not specifically limit the detected network attack events.
Fig. 2 is a schematic overall workflow diagram of a real-time network attack filtering method according to an embodiment of the present application. As shown in fig. 2, the real-time filtering method for network attacks provided in the embodiment of the present application specifically includes the following steps:
S201: acquiring a behavior log generated by each asset in real time in the whole network.
Specifically, a monitoring network card may be used to obtain a behavior log generated in real time by each asset in the whole network. In addition, a local area network bypass probe mode can also be adopted for collection, which is not limited in the embodiment of the present application.
S202: and generalizing the behavior log into a structured to-be-processed behavior log.
Specifically, unstructured behavior logs collected by the asset devices of the whole network are generalized into structured behavior log data by using regular expressions, and then the structured behavior log data are sent to a message queue in real time. Wherein the structured behavior log data is determined to be a pending behavior log.
Therefore, the behavior log is generalized into a structured behavior log to be processed, the data structure is more regular and uniform, and the subsequent further analysis is facilitated.
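As an added illustration of the generalisation step S202 (example code written for this page, not the patent's own implementation), the following Python turns constructed raw log lines of two log families into structured KEY-VALUE records using named-group regular expressions. The log formats, field names and the in-memory list standing in for the real-time message queue are all assumptions; a line that matches no pattern is reported rather than silently dropped.

```python
import re
from typing import Optional

# Constructed sample lines shaped like a Windows process-creation log and a TCP
# flow log (illustrative only; not taken from the patent). The third line is
# deliberately unparseable to show the failure path.
RAW_LOGS = [
    '2022-06-13 10:21:05 host=WS-17 type=process_create app_name="mssecvc2" pid=4120 parent="st.exe"',
    '2022-06-13 10:21:06 host=WS-17 type=tcp_flow src=10.0.0.17 dst=10.0.0.42 dport=445 proto=tcp',
    'garbage line that matches no pattern',
]

# One regular expression per log family (assumed formats); each named group
# becomes a KEY in the structured record.
PATTERNS = {
    "windows_host": re.compile(
        r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) type=process_create '
        r'app_name="(?P<app_name>[^"]*)" pid=(?P<pid>\d+) parent="(?P<parent>[^"]*)"$'),
    "tcp_flow": re.compile(
        r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) type=tcp_flow '
        r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$'),
}


def generalize(line: str) -> Optional[dict]:
    """Generalise one unstructured line into a structured KEY-VALUE record.

    Returns None when no pattern fits, so the caller can count or quarantine
    lines whose format is unknown instead of feeding them to the detector.
    """
    for source, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            record = {"data_source": source}  # the log family acts as the data source
            record.update(m.groupdict())
            return record
    return None


def generalize_all(lines):
    """Generalise a batch and push the structured records onto the queue.

    Returns (queue, unparsed) where `queue` stands in for the real-time
    message queue and `unparsed` holds lines that matched no pattern.
    """
    queue, unparsed = [], []
    for line in lines:
        rec = generalize(line)
        if rec is None:
            unparsed.append(line)
        else:
            queue.append(rec)
    return queue, unparsed


if __name__ == "__main__":
    q, bad = generalize_all(RAW_LOGS)
    for rec in q:
        print(rec)
    print("unparsed:", bad)
```

Keeping the unparseable lines separate matters operationally: a new log format from a freshly added asset should surface as a parsing gap, not vanish from the detector's input.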
S203: and inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed.
The filtering analysis detection model is used for executing a log filtering process corresponding to a log filtering condition, and the log filtering condition is determined according to key steps of a pre-constructed network attack event to be detected.
The following describes a filtering analysis detection model provided in the embodiments of the present application.
Specifically, the key steps of the network attack event to be detected can be pre-constructed in the following manner:
firstly, determining an intrusion scene of a network attack event to be detected by using a reverse engineering method according to protection characteristics and quantification of characteristic structures in the security field and data characteristics of each behavior log caused by the network attack event to be detected.
And then, extracting the key step of the network attack event to be detected according to the intrusion scene of the network attack event to be detected.
Specifically, different network attack events are different for different network vulnerabilities, and thus different network attack events correspond to different intrusion scenarios.
Illustratively, the security department needs to protect against network attack events such as the "EternalBlue carrying Satan ransomware variant" shown in Fig. 1. From the data characteristics of each behavior log caused by this attack event, together with the protection characteristics and quantified feature structures of the security field, reverse engineering determines that the intrusion scenario of the event is to attack an internal network host through vulnerability MS17-010 and then keep releasing the virus parent file to infect further hosts. From this intrusion scenario, the key steps extracted for the network attack event to be detected include downloading the virus parent file st.exe, executing st.exe, and downloading the files ms.exe and client.exe.
Therefore, the key steps of constructing the network attack event to be detected by adopting the method can be matched with the network attack event of the same type, namely whether the network attack event is a known threat event or not, the network attack event can be detected as long as the asset host is triggered to generate the same behavior characteristics, so that the network attack event can be accurately detected in time when the attack such as threat event variation or abnormal flow is confronted.
After the key step of constructing the network attack event to be detected, a filtering analysis detection model can be established through the following steps:
step one, generating log filtering conditions of a DSL mode according to key steps of a network attack event to be detected and a preset detection rule.
Illustratively, the log filtering conditions may include three filtering conditions. The data source of the first is the DNS resolution log, and its condition is "references threat intelligence"; a log may be set when this condition is implemented. The data source of the second is the Windows host log, and its condition is "creates a scheduled task", implemented specifically as the application name containing mssecsvc2. The data source of the third is the TCP flow log, and its condition is "destination port is 445, 135, 137, 138 or 139".
A DSL (Domain Specific Language) is a computer programming language of restricted expressiveness that focuses on a particular domain or problem. Generating log filtering conditions in DSL mode means generating an XML file according to the DSL.
And step two, acquiring an EPL filtering statement from the log filtering condition of the DSL mode.
EPL (Event Processing Language) statements use a filtering expression syntax that conforms to the SQL-92 standard. The EPL filtering statement is the value of the key labelled method in the XML file, i.e. that value is the EPL statement. This meets the detection system's need for efficient real-time recognition, and lets security service staff flexibly arrange similar security problems on a rule page.
Illustratively, take the log filtering condition that the application name contains mssecvc2. After conversion into an XML file, the tag <object><type>filter</type><method>select from where (app_name = "mssecvc2")</method></object> among the XML attributes indicates that the object is a filtering semantic object, and the executable part is the content of the method tag, namely the EPL filtering statement select from where (app_name = "mssecvc2"), which the system can recognise.
The other attributes in the XML file, apart from method, undergo conventional entity object initialisation.
Because the EPL statement in the method tag is highly recognisable by the system, it can be translated directly into Java bytecode instead of first being converted into a Java language object and then into an executable bytecode file, as the other XML objects are. Skipping the step of compiling a Java file into executable bytecode speeds up construction of the abstract syntax tree, and many virtual calls, forced conversions and branches involved in compiling, analysing and executing Java program code are eliminated, so run-time efficiency improves when the bytecode is compiled to native code in the Java runtime environment.
And step three, splitting the key conditions in the EPL filtering statement into a plurality of key characters by using a word segmentation algorithm.
The key condition is the content of the query object in the log filtering condition. For example, if the EPL filtering statement of the log filtering condition is select from where (app_name = "mssecvc2"), the key condition is "mssecvc2", the value of the query object app_name. Using the word segmentation algorithm, mssecvc2 is split in order into the key characters m, s, s, e, c, v, c and 2.
And step four, generating an abstract syntax tree corresponding to the key condition according to the plurality of key characters.
An Abstract Syntax Tree (AST) is an abstract representation of the syntactic structure of source code. It represents the syntax of a programming language as a tree in which each node stands for a construct in the source code. The tree does not reproduce every detail of the concrete syntax: nested brackets, for instance, are implicit in the tree's structure rather than appearing as nodes, while a conditional jump such as if-condition-then can be represented by a node with two branches.
In the embodiment of the present application, each key character may be distributed on each node of the abstract syntax tree, or multiple key characters may be distributed on the same node, and a binary search tree is established to quickly find data of a matching condition, which is not limited in the embodiment of the present application.
And step five, generating a log filtering process corresponding to the log filtering condition according to the abstract syntax tree.
Specifically, the log filtering process is a process of sequentially comparing key conditions in the behavior log to be processed with each key character.
And step six, obtaining a filtering analysis detection model according to the log filtering process.
After the filtering analysis detection model is established by adopting the steps, the behavior log to be processed is input into the pre-established filtering analysis detection model for log filtering analysis detection, and the detection result of the behavior log to be processed is obtained, and the method specifically comprises the following steps:
firstly, converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data. Therefore, the generalized structured log is consumed from the message queue, the whole network log is converted into a Key-Value data structure, the condition that the known object attribute has a serialized object error due to the unknown or newly added attribute when the real-time structured log data of each device of the whole network is consumed can be avoided, and the code structure is not required to be modified due to the fact that the object attribute needs to be redefined in attribute change, so that the method has the principle of highly decoupling design from specific services. Illustratively, in the whole blog of the KEY-VALUE data structure in the message queue, the VALUE corresponding to the KEY labeled method may be represented by an EPL statement select from Map < KEY, VALUE > where (app _ name: "mssecvc 2").
And secondly, acquiring the conditions to be processed from the converted data.
Specifically, the converted data is the behavior log to be processed in KEY-VALUE form, and the condition to be processed is the value of the query object in that log. Illustratively, if the EPL filtering statement is select from where (app_name = "mssecvc2") and the KEY-VALUE behavior log contains app_name = a, then a is the condition to be processed.
Third, the condition to be processed is split into a plurality of characters to be processed by using a word segmentation (tokenizer) algorithm.
Fourth, the log filtering process is executed on the plurality of characters to be processed to generate the detection result of the behavior log to be processed.
Specifically, the fourth step may be implemented as follows:
First, each character to be processed is compared in sequence with each key character.
Then it is judged whether all the characters to be processed are completely consistent with all the key characters.
If all the characters to be processed are completely consistent with all the key characters, the result that the behavior log to be processed is an abnormal log caused by the network attack event to be detected is generated. If they are not completely consistent, the result that the behavior log to be processed is a normal log is generated.
Finally, the behavior logs to be processed whose detection result is a normal log are discarded.
Fig. 3 is a schematic diagram illustrating a specific implementation of the log filtering process performed by the filtering analysis detection model according to an embodiment of the present application. As shown in Fig. 3, matching is performed sequentially with a pattern algorithm from the first node of the statement sequence until the last node is matched, in which case the data satisfies the condition; if any character in the middle fails to meet the condition, a return terminates the query, and the data that does not meet the condition is discarded and filtered out. The log filtering process is thus executed in the manner of an if-condition-then conditional jump statement. For example, if the element formats of the EPL statement select from Map<KEY, VALUE> where (app_name = "mssecvc2") all meet the preset requirements, the while branch is entered; otherwise, one of the return branches is entered according to the situation. If the element format is incorrect and return is entered, the result returned is that the EPL statement definition is incorrect or that the format of the checked field type is incorrect; if content that does not conform to the Key-Value data format exists in the Map<KEY, VALUE> in memory, the result returned is that the data cannot be parsed. After the while branch is entered, the EPL statement is first decomposed into a body part and a condition part, for example the body part select from Map<KEY, VALUE> and the condition part where (app_name = "mssecvc2"), and then the Map data in memory is tokenized. In the condition, the question is judged as true or false, and a judgment may fail to meet the equality or inequality condition (compare op: ≠).
For data meeting the condition requirement, a valid variable (variable name: b) is obtained; for data not meeting the condition requirement, a constant value (0) is obtained as a flag marking that this match failed. In the body, a branch (Branch) must be taken to obtain a valid variable, or a constant, that already satisfies the condition requirement. condition, if-body and else-body are expressions acquired from a plurality of conditional structures for the condition of a complex scenario, and they behave consistently with the condition. After the result of the tokenized (Assign) matching is known through the judgment of the various conditional structures or conditions, n variables are obtained; meanwhile, a token may have suspected (ambiguous) matches, and the common method is Bin op: the best matching character is taken to ensure accuracy. Finally, the memory data in the current Map<key, value> is matched, all the token matching results are obtained and assembled into the fields to be displayed in the body, and the filtering process is complete.
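The following is an added example, not code from the patent or its applicant, that puts the model-construction steps (statement decomposition, word segmentation, abstract syntax tree, log filtering process) and the detection steps one to four above into one runnable pipeline. The EPL statement grammar it accepts (select from ... where (field = "value" [and ...])), the JSON log format, the field names and the sample log lines are all constructed assumptions for illustration.

```python
# Added example (not the patent's code): a minimal EPL-style log filter built
# on the pipeline described above. The statement grammar, field names and log
# lines are constructed assumptions for illustration.
import json
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Word-segmentation step: quoted strings, identifiers, "!=", or any single
# non-blank character, so "=", "(" and ")" become separate key characters.
_TOKEN_RE = re.compile(r'"[^"]*"|[A-Za-z_]\w*|!=|\S')
_IDENT_RE = re.compile(r"[A-Za-z_]\w*")


@dataclass(frozen=True)
class Compare:
    """AST node for one comparison: field op value, op in {"=", "!="}."""
    field: str
    op: str
    value: str


@dataclass(frozen=True)
class FilterModel:
    """Filtering analysis detection model: body part plus condition AST."""
    body: str
    ast: Tuple[Compare, ...]


def split_statement(epl: str) -> Tuple[str, str]:
    """Decompose an EPL statement into body part and condition part; a
    statement without 'select from ... where' is an incorrect definition."""
    head, sep, cond = epl.partition(" where ")
    if not sep or not head.startswith("select from "):
        raise ValueError("EPL statement definition is incorrect")
    return head.strip(), cond.strip()


def tokenize(condition: str) -> List[str]:
    """Split the condition into key characters."""
    return _TOKEN_RE.findall(condition)


def build_ast(tokens: List[str]) -> List[Compare]:
    """Build the AST: field-op-value nodes joined by 'and' inside parentheses;
    a malformed element is the 'checked field type format' error of Fig. 3."""
    if len(tokens) < 5 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("condition must be a parenthesised comparison")
    inner, nodes = tokens[1:-1], []
    for i in range(0, len(inner), 4):            # field op value ["and" ...]
        field, op, value = (inner[i:i + 3] + ["", "", ""])[:3]
        joiner = inner[i + 3:i + 4]              # [] at the end, else ["and"]
        if (not _IDENT_RE.fullmatch(field) or op not in ("=", "!=")
                or len(value) < 2 or value[0] != '"' or value[-1] != '"'
                or joiner not in ([], ["and"])
                or (joiner == ["and"] and i + 4 == len(inner))):
            raise ValueError("format of the checked field type is incorrect")
        nodes.append(Compare(field, op, value[1:-1]))
    return nodes


def build_filter_model(epl: str) -> FilterModel:
    """Model construction: statement -> tokens -> AST -> filtering model."""
    body, cond = split_statement(epl)
    return FilterModel(body, tuple(build_ast(tokenize(cond))))


def to_key_value(raw_log: str) -> Dict[str, Any]:
    """Detection step 1: a structured (JSON) log line becomes a plain dict,
    so unknown or newly added attributes never break deserialisation."""
    try:
        data = json.loads(raw_log)
    except json.JSONDecodeError as exc:
        raise ValueError("data cannot be parsed as Key-Value") from exc
    if not isinstance(data, dict):
        raise ValueError("data cannot be parsed as Key-Value")
    return data


def evaluate(model: FilterModel, log: Dict[str, Any]) -> str:
    """Detection steps 2-4: fetch each query object's value and compare it
    with the key characters node by node, returning at the first failure."""
    for node in model.ast:
        if node.field not in log:
            return "normal"  # query object absent: condition not satisfied
        matched = str(log[node.field]) == node.value
        if (node.op == "=") != matched:
            return "normal"  # early termination, data is discarded
    return "abnormal"


def filter_logs(model: FilterModel, raw_logs: List[str]) -> List[Dict[str, Any]]:
    """Keep only logs detected as abnormal; normal or unparsable logs are dropped."""
    kept = []
    for raw in raw_logs:
        try:
            log = to_key_value(raw)
        except ValueError:
            continue
        if evaluate(model, log) == "abnormal":
            kept.append(log)
    return kept


# Constructed sample input: one EPL statement and four whole-network log lines.
SAMPLE_EPL = 'select from Map<KEY, VALUE> where (app_name = "mssecvc2")'
SAMPLE_LOGS = [
    '{"app_name": "mssecvc2", "host": "asset-01", "pid": 4321}',
    '{"app_name": "explorer", "host": "asset-02"}',
    '{"app_name": "mssecvc2", "host": "asset-03", "new_attr": true}',
    'not a structured log line',
]
```

Running filter_logs(build_filter_model(SAMPLE_EPL), SAMPLE_LOGS) keeps the logs from asset-01 and asset-03 and discards the other two: the explorer log fails the condition at its first node, and the unparsable line is the "data cannot be parsed" return branch. The third log carries an attribute the model has never seen (new_attr), which is harmless because the log is held as a plain dict rather than deserialised into a fixed object type.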
Therefore, in the real-time network attack filtering method provided by the embodiment of the application, log filtering conditions are determined according to the key steps of a pre-constructed network attack event to be detected; a filtering analysis detection model is then constructed according to the log filtering process corresponding to the log filtering conditions; and finally each structured behavior log to be processed is subjected to filtering analysis detection by the filtering analysis detection model, so that the detection result of the behavior log to be processed is obtained. Because the whole method performs network attack detection on the basis of the key steps of the network attack event to be detected, the detection is not limited by whether the threat event is known in advance: attacks such as variants of a threat event or abnormal traffic can be detected effectively, the abnormal behavior logs generated by the first attacked asset host can be found in real time, vulnerabilities can then be repaired in time, and the network attack can be prevented from continuing to spread among multiple asset devices through the local area network, so that the loss caused by the network attack is greatly reduced.
The following are embodiments of the apparatus of the present application, which may be used to perform the embodiments of the method of the present application. For details not disclosed in the apparatus embodiments, reference is made to the method embodiments of the present application.
Fig. 4 schematically shows a structural diagram of a real-time network attack filtering apparatus provided by an embodiment of the present application. As shown in Fig. 4, the apparatus provided in this embodiment has the function of implementing the real-time filtering method for network attacks, and this function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include a behavior log real-time obtaining module 401, a structured processing module 402 and a filtering analysis detection module 403, wherein:
the behavior log real-time obtaining module 401 is configured to obtain the behavior log generated in real time by each asset in the whole network;
the structured processing module 402 is configured to generalize the behavior log into a structured behavior log to be processed;
the filtering analysis detection module 403 is configured to input the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection, so as to obtain the detection result of the behavior log to be processed. The filtering analysis detection model is used for executing a log filtering process corresponding to a log filtering condition, and the log filtering condition is determined according to the key steps of a pre-constructed network attack event to be detected.
In one implementation, the key steps of the network attack event to be detected are pre-constructed in the following way:
determining the intrusion scene of the network attack event to be detected by using a reverse engineering method, according to the protection characteristics and the quantification of the characteristic structure in the security field and the data characteristics of each behavior log caused by the network attack event to be detected; and
extracting the key steps of the network attack event to be detected according to its intrusion scene.
In one implementation, the filtering analysis detection model is built by:
generating log filtering conditions in DSL form according to the key steps of the network attack event to be detected and a preset detection rule;
obtaining the EPL filter statement from the log filtering conditions in DSL form;
splitting the key condition in the EPL filter statement into a plurality of key characters using a word segmentation (tokenizer) algorithm;
generating an abstract syntax tree corresponding to the key condition from the plurality of key characters;
generating the log filtering process corresponding to the log filtering condition from the abstract syntax tree; and
obtaining the filtering analysis detection model from the log filtering process.
In one implementation, the filtering analysis detection module 403 includes:
a conversion submodule, configured to convert the behavior log to be processed into a KEY-VALUE data structure to obtain converted data;
a condition acquisition submodule, configured to acquire the condition to be processed from the converted data;
a word segmentation submodule, configured to split the condition to be processed into a plurality of characters to be processed using a word segmentation (tokenizer) algorithm; and
a log filtering submodule, configured to execute the log filtering process on the plurality of characters to be processed and generate the detection result of the behavior log to be processed.
In one implementation, the log filtering submodule is specifically configured to:
compare each character to be processed with each key character in sequence; and
if all the characters to be processed are completely consistent with all the key characters, generate the result that the behavior log to be processed is an abnormal log caused by the network attack event to be detected.
In one implementation, the log filtering submodule is further configured to:
if all the characters to be processed are not completely consistent with all the key characters, generate the result that the behavior log to be processed is a normal log; and
discard the behavior logs to be processed whose detection result is a normal log.
In one implementation, the behavior log real-time obtaining module 401 is specifically configured to:
acquire the behavior log generated in real time by each asset in the whole network by using a monitoring network card.
In the real-time filtering apparatus for network attacks provided by the embodiment of the application, log filtering conditions are determined according to the key steps of a pre-constructed network attack event to be detected; a filtering analysis detection model is then constructed according to the log filtering process corresponding to the log filtering conditions; and finally each structured behavior log to be processed is subjected to filtering analysis detection by the filtering analysis detection model, so that the detection result of the behavior log to be processed is obtained. Because the whole apparatus performs network attack detection on the basis of the key steps of the network attack event to be detected, the detection is not limited by whether the threat event is known in advance: attacks such as variants of a threat event or abnormal traffic can be detected effectively, the abnormal behavior logs generated by the first attacked asset host can be found in real time, vulnerabilities can then be repaired in time, and the network attack can be prevented from continuing to spread among multiple asset devices through the local area network, so that the loss caused by the network attack is greatly reduced.
The present application has been described in detail with reference to specific embodiments and illustrative examples, but the description is not intended to limit the application. Those skilled in the art will appreciate that various equivalent substitutions, modifications or improvements may be made to the disclosed embodiments and their implementations without departing from the spirit and scope of the present disclosure, and these fall within the scope of the present disclosure. The protection scope of this application is subject to the appended claims.

Claims (10)

1. A method for real-time filtering of cyber attacks, the method comprising:
acquiring a behavior log generated by each asset in real time in the whole network;
generalizing the behavior log into a structured to-be-processed behavior log;
inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering process corresponding to a log filtering condition, and the log filtering condition is determined according to key steps of a pre-constructed network attack event to be detected.
2. The method according to claim 1, characterized in that the key steps of the network attack events to be detected are pre-constructed by:
determining an intrusion scene of the network attack event to be detected by using a reverse engineering method according to the protection characteristics and the quantification of the characteristic structure in the security field and the data characteristics of each behavior log caused by the network attack event to be detected;
and extracting the network attack event to be detected according to the intrusion scene of the network attack event to be detected.
3. The method of claim 2, wherein the filter analysis detection model is established by:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring an EPL filtering statement from a log filtering condition of the DSL mode;
splitting key conditions in the EPL filtering statement into a plurality of key characters by using a word segmentation algorithm;
generating an abstract syntax tree corresponding to the key condition according to a plurality of key characters;
generating a log filtering process corresponding to the log filtering condition according to the abstract syntax tree;
and obtaining a filtering analysis detection model according to the log filtering process.
4. The method according to claim 3, wherein the inputting the to-be-processed behavior log into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the to-be-processed behavior log comprises:
converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data;
acquiring a condition to be processed from the converted data;
splitting the condition to be processed into a plurality of characters to be processed by using the word segmentation algorithm;
and executing the log filtering process on a plurality of characters to be processed to generate a detection result of the behavior log to be processed.
6. The method according to claim 4, wherein the executing the log filtering process on the plurality of characters to be processed to generate the detection result of the behavior log to be processed comprises:
comparing each character to be processed with each key character in sequence;
and if all the characters to be processed are completely consistent with all the key characters, generating the to-be-processed behavior log as a result of the abnormal log caused by the to-be-detected network attack event.
6. The method of claim 5, further comprising:
if all the characters to be processed are not completely consistent with all the key characters, generating a result that the behavior log to be processed is a normal log;
and discarding the to-be-processed behavior logs of which the detection results are normal logs.
7. The method according to claim 1, wherein the acquiring a behavior log generated by each asset in real time in the whole network comprises:
acquiring the behavior log generated by each asset in real time in the whole network by using a monitoring network card.
8. An apparatus for real-time filtering of cyber attacks, the apparatus comprising:
the behavior log real-time acquisition module is used for acquiring behavior logs generated by all assets in the whole network in real time;
the structured processing module is used for generalizing the behavior log into a structured behavior log to be processed;
the filtering analysis detection module is used for inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering process corresponding to a log filtering condition, and the log filtering condition is determined according to key steps of a pre-constructed network attack event to be detected.
9. The apparatus according to claim 8, wherein the key steps of the network attack event to be detected are pre-constructed by:
determining an intrusion scene of the network attack event to be detected by using a reverse engineering method according to the protection characteristics and the quantification of the characteristic structure in the security field and the data characteristics of each behavior log caused by the network attack event to be detected;
and extracting the network attack event to be detected according to the intrusion scene of the network attack event to be detected.
10. The apparatus of claim 9, wherein the filter analysis detection model is established by:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring an EPL filtering statement from a log filtering condition of the DSL mode;
splitting key conditions in the EPL filtering statement into a plurality of key characters by using a word segmentation algorithm;
generating an abstract syntax tree corresponding to the key condition according to a plurality of key characters;
generating a log filtering process corresponding to the log filtering condition according to the abstract syntax tree;
and obtaining a filtering analysis detection model according to the log filtering process.
CN202210664477.4A 2022-06-13 2022-06-13 Real-time filtering method and device for network attack Active CN115022060B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210664477.4A CN115022060B (en) 2022-06-13 2022-06-13 Real-time filtering method and device for network attack

Publications (2)

Publication Number Publication Date
CN115022060A true CN115022060A (en) 2022-09-06
CN115022060B CN115022060B (en) 2024-02-27

Family

ID=83075197

Country Status (1)

Country Link
CN (1) CN115022060B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110185425A1 (en) * 2010-01-22 2011-07-28 National Taiwan University Of Science & Technology Network attack detection devices and methods
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
US20130152197A1 (en) * 2011-12-12 2013-06-13 Neusoft Corporation Event detection method and apparatus in a distributed environment
US20160226894A1 (en) * 2015-02-04 2016-08-04 Electronics And Telecommunications Research Institute System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type model
CN110808968A (en) * 2019-10-25 2020-02-18 新华三信息安全技术有限公司 Network attack detection method and device, electronic equipment and readable storage medium
US20210051162A1 (en) * 2019-08-12 2021-02-18 Bank Of America Corporation Network threat detection and information security using machine learning
US20210099483A1 (en) * 2019-07-17 2021-04-01 Jayant Shukla Runtime detection of injection attacks on web applications via static and dynamic analysis
CN114172701A (en) * 2021-11-25 2022-03-11 北京天融信网络安全技术有限公司 Knowledge graph-based APT attack detection method and device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
CONG MENG: "Recursive Filtering for Complex Networks Against Random Deception Attacks", 《2018 IEEE INTERNATIONAL CONFERENCE ON BIG DATA AND SMART COMPUTING (BIGCOMP)》, 28 May 2018 (2018-05-28) *
ZHENGPENG LIU: "DDos attack detection scheme based on entry and PSO-BP neural network in SDN", 《CHINA COMMUNICATION》 *
周颖;方勇;黄诚;刘亮;: "面向PHP应用程序的SQL注入行为检测", 计算机应用, no. 01 *
姜典宾: "基于流量的工控网络攻击行为检测系统的设计与实现", 《中国优秀硕士论文全文库》, 15 April 2021 (2021-04-15) *

Also Published As

Publication number Publication date
CN115022060B (en) 2024-02-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240709

Address after: Room 01, 1st Floor, Building 11, Phase I, Guanggu Power Energy saving and Environmental Protection Technology Enterprise Incubator (Accelerator), No. 308 Guanggu Avenue, Donghu New Technology Development Zone, Wuhan City, Hubei Province 430200

Patentee after: Anbotong Junshi Digital Technology (Hubei) Co.,Ltd.

Country or region after: China

Address before: 430070 room 01, 3rd floor, building 11, phase I, Guanggu power energy saving and environmental protection technology business incubator (accelerator), No. 308, Guanggu Avenue, Donghu New Technology Development Zone, Wuhan City, Hubei Province

Patentee before: WUHAN SIPULING TECHNOLOGY Co.,Ltd.

Country or region before: China