CN115086068B - Network intrusion detection method and device - Google Patents


Info

Publication number: CN115086068B
Authority: CN (China)
Prior art keywords: file, target file, intrusion detection, current, target
Legal status: Active
Application number: CN202210845301.9A
Other languages: Chinese (zh)
Other versions: CN115086068A
Inventors: 李慧萍, 殷光强, 王治国, 王春雨, 李振慧, 何国峰, 李超
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China

Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/14 and H04L 63/1408: network security architectures or protocols for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet (under H04L 67/00 and H04L 67/01: network arrangements or protocols for supporting network services or applications)

Abstract

The embodiment of the invention relates to the technical field of computer security, and provides a network intrusion detection method and a network intrusion detection device.

Description

Network intrusion detection method and device
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method and an apparatus for detecting network intrusion.
Background
In recent years, the global network security situation is becoming more severe, and security events such as network attacks and data leakage are frequent. The network intrusion detection technology monitors network communication data packets through a certain technical means, and analyzes the data packets to find whether malicious behaviors which may influence the network security of subsequent equipment exist in the network.
An Intrusion Detection System ("IDS") is a network security device that monitors network traffic in real-time, and alerts or takes proactive action when suspicious traffic is discovered. It differs from other network security devices in that: IDS is an active security technology.
Therefore, how to effectively increase the detection rate of network intrusion detection is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The invention provides a network intrusion detection method and a device for realizing the method, aiming at improving the detection rate of network intrusion detection.
In a first aspect, a method for network intrusion detection includes:
analyzing the network traffic captured from the network equipment to be detected to obtain analysis data;
carrying out intrusion detection on the analyzed data to obtain a target file; the target files comprise a first target file and a second target file, the first target file is a file based on a remote desktop protocol, and the second target file is a file of which the format cannot be identified;
when the first target file is obtained, the following operations are executed: analyzing the current first target file to obtain a configuration item of the current first target file; carrying out intrusion detection on the current first target file based on a preset first intrusion detection strategy and a configuration item of the current first target file; wherein the first intrusion detection policy is determined based on all configuration items of a known remote desktop protocol-based file;
when the second target file is obtained, the following operations are executed: connecting the first binary data corresponding to the current second target file to the tail of the second binary data corresponding to a preset security file to obtain target binary data; carrying out intrusion detection on the target binary data based on a preset second intrusion detection strategy; the security file comprises a Portable Executable (PE) file and an Executable and Linkable Format (ELF) file, and the second intrusion detection strategy corresponds to the type of the security file.
In one possible design, the first intrusion detection policy is specifically determined based on:
acquiring a score value given to each configuration item of a known file based on a remote desktop protocol;
obtaining classification results of threat level classification for all configuration items of known files based on a remote desktop protocol;
determining a threat threshold corresponding to each threat level based on the score value and the classification result;
and determining a first intrusion detection strategy based on the threat threshold corresponding to each threat level.
In one possible design, the determining a threat threshold corresponding to each threat level based on the score value and the classification result includes:
the threat thresholds corresponding to each threat level are determined using the following formula:
$$V_i = \frac{1}{n}\sum_{j=1}^{n} C_{ij}$$
where $V_i$ is the threat threshold of the $i$-th threat level, $C_{ij}$ is the score value of the $j$-th configuration item in the $i$-th threat level, and $n$ is the total number of configuration items in the $i$-th threat level.
In one possible design, after the obtaining the score value assigned to each configuration item of the known remote desktop protocol-based file, the method further includes: obtaining a configuration item score value library based on all configuration items of a known file based on a remote desktop protocol and a score value corresponding to each configuration item;
the intrusion detection is carried out on the current first target file based on the preset first intrusion detection strategy and the configuration item of the current first target file, and the intrusion detection method comprises the following steps:
obtaining a security reference value of the current first target file based on the configuration item point value library and the configuration item of the current first target file;
and carrying out intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy.
In a possible design, the obtaining a security reference value of the current first target file based on the configuration item score value library and the configuration item of the current first target file includes:
obtaining a security reference value of the current first target file by adopting the following formula:
$$S = \sum_{j=1}^{k} D_j$$
where $S$ is the security reference value of the current first target file, $D_j$ is the score value of the $j$-th configuration item in the current first target file, and $k$ is the total number of configuration items in the current first target file.
In one possible design, the performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy includes:
and comparing the security reference value with threat threshold values corresponding to each threat level and included in the first intrusion detection strategy to obtain the threat level of the current first target file so as to complete intrusion detection on the current first target file.
In one possible design, after the performing the intrusion detection on the target binary data, the method further includes:
and in response to the detection result that the second target file is a dangerous file, releasing the network traffic corresponding to the second target file, so that the terminal device receiving the network traffic monitors a process calling the second target file, and the process calling the second target file can be determined as a malicious process.
In a second aspect, a network intrusion detection apparatus includes:
the analysis module is used for analyzing the network flow captured from the network equipment to be detected to obtain analysis data;
the detection module is used for carrying out intrusion detection on the analyzed data to obtain a target file; the target files comprise a first target file and a second target file, the first target file is a file based on a remote desktop protocol, and the second target file is a file of which the format cannot be identified;
a first executing module, configured to, when the first target file is obtained, execute the following operations: analyzing the current first target file to obtain a configuration item of the current first target file; carrying out intrusion detection on the current first target file based on a preset first intrusion detection strategy and the configuration item of the current first target file; wherein the first intrusion detection policy is determined based on all configuration items of a known remote desktop protocol-based file;
a second executing module, configured to, when the second target file is obtained, execute the following operations: connecting the first binary data corresponding to the current second target file to the tail of the second binary data corresponding to the preset safety file to obtain target binary data; carrying out intrusion detection on the target binary data based on a preset second intrusion detection strategy; the security file comprises a PE file and an ELF file, and the second intrusion detection strategy corresponds to the type of the security file.
The method has the advantages that the analysis data is obtained by analyzing the network flow captured from the network equipment to be detected, then the target files comprising the first target file and the second target file are obtained by carrying out intrusion detection on the analysis data, and finally the first target file and the second target file are subjected to intrusion detection by respectively utilizing the preset first intrusion detection strategy and the preset second intrusion detection strategy, so that the detection rate of network intrusion detection can be effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a network intrusion detection method according to an embodiment of the present invention;
fig. 2 is a hardware architecture diagram of an electronic device according to an embodiment of the present invention;
fig. 3 is a block diagram of a network intrusion detection device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, it is obvious that the described embodiments are some, but not all embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.
Referring to fig. 1, an embodiment of the present invention provides a network intrusion detection method, which is applied to an intrusion detection system, and the method includes:
analyzing the network traffic captured from the network equipment to be detected to obtain analysis data;
carrying out intrusion detection on the analyzed data to obtain a target file; the target files comprise a first target file and a second target file, the first target file is a file based on a remote desktop protocol, and the second target file is a file of which the format cannot be identified;
when the first target file is obtained, the following operations are executed: analyzing the current first target file to obtain a configuration item of the current first target file; carrying out intrusion detection on the current first target file based on a preset first intrusion detection strategy and a configuration item of the current first target file; wherein the first intrusion detection policy is determined based on all configuration items of a known remote desktop protocol-based file;
when the second target file is obtained, the following operations are executed: connecting the first binary data corresponding to the current second target file to the tail of the second binary data corresponding to the preset safety file to obtain target binary data; carrying out intrusion detection on the target binary data based on a preset second intrusion detection strategy; the security file comprises a PE file and an ELF file, and the second intrusion detection strategy corresponds to the type of the security file.
In the embodiment of the invention, the network flow captured from the network equipment to be detected is analyzed to obtain the analysis data, then the analysis data is subjected to intrusion detection to obtain the target file comprising the first target file and the second target file, and finally the first target file and the second target file are subjected to intrusion detection by respectively utilizing the preset first intrusion detection strategy and the preset second intrusion detection strategy, so that the detection rate of network intrusion detection can be effectively improved.
The manner in which the various steps shown in fig. 1 are performed is described below.
The intrusion detection system is deployed in a form of software in a network device to be detected (such as a firewall) to monitor all network traffic data packets transmitted through the network device to be detected. Network traffic packets include, but are not limited to, IP packets, TCP packets, UDP packets, and ICMP packets.
The parsing process performs decoding, protocol preprocessing, protocol identification and application identification of the network traffic; these functions are well known to those skilled in the art and are not described again here. The identified protocols include, but are not limited to, IP (Internet Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol); the identified application layer protocols include, but are not limited to, HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), TLS (Transport Layer Security), SMB (Server Message Block), DNS (Domain Name System), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol) and DHCP (Dynamic Host Configuration Protocol).
Intrusion detection refers to detecting whether analyzed data is malicious data, and specific detection means include, but are not limited to, streaming estimation detection, file extraction, and the like, which are well known to those skilled in the art and are not described herein again.
In some related technologies, a hacker may induce a user to click a link by e-mail, chat or the like, so that a malicious Remote Desktop Protocol (RDP) based file is loaded; this may cause the user's computer to establish a connection with a remote server controlled by the hacker, through which the hacker can control the user's computer to perform malicious operations.
Specifically, a hacker may preset configuration items such as a driver map, a USB device map, a printer map, and a clipboard map in a loaded malicious remote desktop protocol-based file in advance, so that the hacker can perform relevant malicious operations on the user computer by manipulating the remote server, for example, stealing important file contents in the user computer. Therefore, intrusion detection of files based on remote desktop protocols is necessary.
In other related technologies, in order to improve the detection efficiency, the intrusion detection system may classify files according to file formats, and implement different detection strategies for different file formats. For file formats that are not recognizable to the intrusion detection system, the intrusion detection system typically does not process (e.g., delete) files in that format. Therefore, hackers often modify the format of the threat file to prevent detection of the threat file by the intrusion detection system.
Specifically, the hacker may extract the malicious code from the dangerous file to generate a file in a format that cannot be recognized by the intrusion detection system, and then open the generated new file on the user's computer using a file that carries no malicious code, so as to acquire and execute the malicious code, which is harmful to the security of the user's computer. Therefore, intrusion detection of files whose format cannot be recognized by the intrusion detection system is also necessary.
In summary, in order to effectively increase the detection rate of network intrusion detection, intrusion detection may be performed on the two types of object files (i.e., a first object file based on a remote desktop protocol and a second object file whose format cannot be recognized by an intrusion detection system).
The following description focuses on how to efficiently detect the first object file and the second object file.
After a first target file is obtained through intrusion detection, firstly, the first target file is analyzed to obtain a configuration item of the first target file, and then, intrusion detection is performed on the current first target file based on a preset first intrusion detection strategy and the obtained configuration item of the first target file, so that whether the first target file is a dangerous file or not can be determined (for example, the first target file with a threat level determined below as a medium security threat or a high security threat is determined as a dangerous file), and thus, the detection rate of network intrusion detection can be effectively improved.
In some embodiments, the first intrusion detection policy is specifically determined based on:
a1, acquiring a score value assigned to each configuration item of a known file based on a remote desktop protocol;
a2, obtaining classification results of threat level classification for all configuration items of known files based on a remote desktop protocol;
step A3, determining a threat threshold corresponding to each threat level based on the score value and the classification result;
and A4, determining a first intrusion detection strategy based on the threat threshold corresponding to each threat level.
In this embodiment, a score value is assigned to each configuration item of a known file based on a remote desktop protocol, and a threat level classification manner is performed to calculate a threat threshold corresponding to each threat level, so as to formulate a first intrusion detection policy by using the threat threshold. Therefore, when the intrusion detection is subsequently performed on the first target file, the intrusion detection result of the first target file can be obtained according to the score value of the configuration item in the first target file and the first intrusion detection strategy.
In step A1, the staff member may list all configuration items in the known remote desktop protocol-based file in advance, and then score the security of each configuration item according to a priori knowledge (e.g., an expert security knowledge base) (i.e., assign a score value), so that the user computer may obtain the score value assigned to each configuration item of the known remote desktop protocol-based file.
In some embodiments, the score value assigned to each configuration item of the known RDP file acquired by the user computer may be referred to in table 1. It should be noted that only some configuration items and their score values of the known RDP files are listed in table 1.
TABLE 1 (image not reproduced on this page)
In step A2, the threat levels may be classified into three categories, i.e., high security threat, medium security threat, and low security threat, for example. Of course, a greater or lesser number of threat levels may be assigned, and the number of threat levels is not limited herein.
In some embodiments, high security threats may include configuration items such as driver maps, clipboard maps, USB device maps, and printer maps, for example, medium security threats may include configuration items such as smart card maps, for example, and low security threats may include configuration items such as remote application icons and screen display modes, for example.
In some embodiments, the classification results of threat level classifications made by the user computer for all configuration items of a known remote desktop protocol-based file may be found in table 2. It should be noted that only some configuration items of the same known remote desktop protocol-based file as that in table 1 and their threat levels are listed in table 2.
TABLE 2 (image not reproduced on this page)
In addition, the sequence of steps A1 and A2 is not specifically limited, that is, step A1 may be performed first and then step A2 may be performed, or step A2 may be performed first and then step A1 may be performed.
After steps A1 and A2, the configuration items in each threat level are given score values, so that the threat threshold value of each threat level can be determined to facilitate the subsequent intrusion detection on the first target file.
In some embodiments, step A3 may specifically include:
the threat thresholds corresponding to each threat level are determined using the following formula:
$$V_i = \frac{1}{n}\sum_{j=1}^{n} C_{ij}$$
where $V_i$ is the threat threshold of the $i$-th threat level, $C_{ij}$ is the score value of the $j$-th configuration item in the $i$-th threat level, and $n$ is the total number of configuration items in the $i$-th threat level.
For example, as shown in tables 1 and 2, the threat thresholds corresponding to the threat levels of the high security threat, the medium security threat, and the low security threat can be calculated by using the above formulas, so that the threat thresholds of the high security threat, the medium security threat, and the low security threat can be calculated to be 85, 10, and 1, respectively.
It should be noted that using the mean value of the configuration item score values in each threat level as the threat threshold ensures that, even when the threat levels are few and the score values of different configuration items within a level differ greatly, an objective and accurate threat threshold for each threat level can still be obtained, which improves the accuracy of intrusion detection on the first target file.
In step A3, the threat threshold of each threat level may also be determined in other manners, for example, the lowest score value of the configuration item in each threat level may be used as the threat threshold of the threat level. Of course, the median of the configuration items in each threat level may also be used as the threat threshold of the threat level, so the mode of determining the threat threshold is not specifically limited here.
It should be noted that, when the first object file is detected, the intrusion detection system may firstly perform parsing on the first object file to obtain a configuration item in the first object file, and then perform intrusion detection on the first object file by using a preset first intrusion detection policy and the parsed configuration item of the first object file. Here, the analysis processing manner of the first target file in the embodiment of the present invention is not particularly limited, and may be, for example, regular matching.
In some embodiments, after step A1, the method further includes: obtaining a configuration item score value library based on all configuration items of a known remote desktop protocol-based file and the score value corresponding to each configuration item;
and carrying out intrusion detection on the current first target file based on the preset first intrusion detection strategy and the configuration items of the current first target file includes the following steps:
B1, obtaining a security reference value of the current first target file based on the configuration item score value library and the configuration items of the current first target file;
and B2, carrying out intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy.
In this embodiment, the score value of the configuration item of the first target file is obtained by using the configuration item score value library, the security reference value of the first target file is determined according to the score value of the configuration item of the first target file, and the threat levels of the first target file are obtained by comparing the security reference value with the threat threshold values corresponding to each threat level included in the first intrusion detection policy, so as to complete intrusion detection on the first target file.
In step B1, the configuration item score value library may be used to perform score value matching on the configuration item of the first target file obtained through analysis, and then the score value of the configuration item of the first target file is used to calculate the security reference value, so as to facilitate subsequent intrusion detection on the first target file.
In some embodiments, step B1 may specifically include:
obtaining a security reference value of the current first target file by adopting the following formula:
$$S = \sum_{j=1}^{k} D_j$$
where $S$ is the security reference value of the current first target file, $D_j$ is the score value of the $j$-th configuration item in the current first target file, and $k$ is the total number of configuration items in the current first target file.
In this embodiment, the sum of the score values of all configuration items in the first target file is used as its security reference value. Compared with using the average, highest or lowest score value of the configuration items, this ensures that, even when the first target file has few configuration items and their score values differ greatly, an objective and accurate security reference value representing the threat level of the first target file can still be obtained, which improves the accuracy of intrusion detection on the first target file.
Of course, the security reference value of the first target file may also be determined in other manners, for example, an average value of all configuration items in the first target file or a highest score value of the configuration items may be used as the security reference value, and the determination manner of the security reference value is not particularly limited herein.
In some embodiments, step B2 may specifically include:
and comparing the security reference value with threat threshold values corresponding to each threat level and included in the first intrusion detection strategy to obtain the threat level of the current first target file so as to complete intrusion detection on the current first target file.
For example, the obtained security reference value S is compared with the threat thresholds of the determined threat levels, where V3, V2 and V1 denote the thresholds of the high, medium and low security threats respectively:
if S ≥ V3, the threat level of the first target file is the high security threat level;
if V2 ≤ S < V3, the threat level of the first target file is the medium security threat level;
if V1 ≤ S < V2, the threat level of the first target file is the low security threat level.
In this way the intrusion detection result of the first target file (i.e., its threat level) is obtained, and a corresponding operation can then be executed according to that threat level, for example prohibiting running, prompting the user with a pop-up to choose whether to run, or allowing running.
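As an added worked example (not part of the patent), the Python below carries steps A1 to A4 and B1 to B2 through on a constructed .rdp file: the threshold of each level is the mean of its items' score values, the security reference value is the sum of the score values of the items present in the file, and the comparison follows the V3/V2/V1 rules above. Table 1 and Table 2 are not reproduced on this page, so the score values and the mapping from .rdp keys to the configuration items named in the text are assumptions, chosen so that the level means equal the 85, 10 and 1 the text reports.

```python
import re
from statistics import mean

# Constructed score library (step A1). Table 1 of the patent is an image not reproduced
# here, so these values are assumptions chosen so that each level's mean equals the
# 85 / 10 / 1 thresholds the text reports.
SCORE_LIBRARY = {
    "drive map": 90,
    "clipboard map": 80,
    "usb device map": 90,
    "printer map": 80,
    "smart card map": 10,
    "remote application icon": 1,
    "screen display mode": 1,
}

# Threat level classification (step A2), as listed in the text.
THREAT_LEVELS = {
    "high": ["drive map", "clipboard map", "usb device map", "printer map"],
    "medium": ["smart card map"],
    "low": ["remote application icon", "screen display mode"],
}

# Assumed mapping from .rdp file keys to the configuration items named in the text.
RDP_KEY_TO_ITEM = {
    "drivestoredirect": "drive map",
    "redirectclipboard": "clipboard map",
    "usbdevicestoredirect": "usb device map",
    "redirectprinters": "printer map",
    "redirectsmartcards": "smart card map",
    "remoteapplicationicon": "remote application icon",
    "screen mode id": "screen display mode",
}

# .rdp lines have the form  key:type:value  with type s (string), i (integer) or b (binary).
RDP_LINE = re.compile(r"^\s*([^:]+?)\s*:([sib]):(.*)$")


def threat_thresholds(levels=THREAT_LEVELS, library=SCORE_LIBRARY):
    """Step A3: V_i = (1/n) * sum_j C_ij, the mean score of the items in level i."""
    return {level: mean(library[item] for item in items)
            for level, items in levels.items()}


def parse_rdp(text):
    """Regular-expression parsing of the first target file: return the enabled
    configuration items (in library vocabulary) found in the .rdp text."""
    items = []
    for line in text.splitlines():
        m = RDP_LINE.match(line)
        if not m:
            continue
        key, typ, value = m.group(1).lower(), m.group(2), m.group(3).strip()
        item = RDP_KEY_TO_ITEM.get(key)
        if item is None:
            continue  # key not in the library: no score contribution
        # An integer flag of 0, or an empty string value, means the redirection is off.
        enabled = value != "0" if typ == "i" else value != ""
        if enabled:
            items.append(item)
    return items


def security_reference(items, library=SCORE_LIBRARY):
    """Step B1: S = sum_j D_j over the configuration items present in the file."""
    return sum(library[item] for item in items)


def threat_level(s, thresholds):
    """Step B2: compare S with V3 (high), V2 (medium) and V1 (low)."""
    if s >= thresholds["high"]:
        return "high security threat"
    if s >= thresholds["medium"]:
        return "medium security threat"
    if s >= thresholds["low"]:
        return "low security threat"
    return "below all thresholds"


def detect_rdp_file(text):
    """Full first-target-file pipeline; returns the items, the score and the threat level."""
    items = parse_rdp(text)
    s = security_reference(items)
    return {"items": items, "score": s, "level": threat_level(s, threat_thresholds())}


# Constructed sample .rdp content (198.51.100.7 is a documentation-range address).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:198.51.100.7
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:0
redirectsmartcards:i:1
remoteapplicationicon:s:
"""

if __name__ == "__main__":
    print(threat_thresholds())        # {'high': 85, 'medium': 10, 'low': 1}
    print(detect_rdp_file(SAMPLE_RDP))  # score 181 -> high security threat
```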
After the second target file is obtained through intrusion detection, the first binary data corresponding to the current second target file is connected to the tail of the second binary data corresponding to a preset security file to obtain target binary data. In other words, a file whose format cannot be identified by the intrusion detection system is converted into a file whose format can be identified by it (namely, a PE file or an ELF file), so that intrusion detection can be performed on the second target file. This solves the problem that files of a format the intrusion detection system cannot identify are not effectively detected, and thereby improves the detection rate of network intrusion detection.
It should be noted that a "format that cannot be recognized by the intrusion detection system" may be understood as a file format that is neither known to those skilled in the art nor preset as recognizable in the intrusion detection system. In contrast, a "format recognizable by the intrusion detection system" may be understood as a file format that is either known to those skilled in the art or preset as recognizable in the intrusion detection system.
The PE file and the ELF file are selected as security files because both types of files can be executed by a computer, which facilitates the subsequent intrusion detection of the target binary data.
It should be noted that Portable Executable (PE) is a file format for executable files, object files and dynamic link libraries, used mainly on 32-bit and 64-bit Windows operating systems. "Portable" refers to the format's versatility across many different operating systems and architectures. The PE file format encapsulates the information the Windows operating system needs to load executable program code, including dynamic link libraries, API import and export tables, resource management data and thread local storage data. On Windows NT operating systems, the PE file format is used mainly for EXE files, DLL files, SYS files (drivers) and other file types. The Extensible Firmware Interface (EFI) specification states that the PE format is the standard executable file format in an EFI environment; a PE file begins with a DOS header.
Executable and Linkable Format (ELF), often referred to as the ELF format, is a standard file format in computer science for executable files, object files, shared libraries and core dumps.
In order to ensure the comprehensiveness and accuracy of the detection of the second target file, the number of target binary data may be set equal to the number of security files. That is, the first binary data corresponding to the second target file is copied several times, and each copy is connected to the tail of the second binary data of a different type of security file, so that several target binary data are obtained.
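One way to realise the conversion described above (format check, one target binary per security file, appended data kept at the tail), as an added example that is not the patent's code. The header-only ELF64 and PE carriers, the byte signatures and the sample payload are all constructed here; a real deployment would use its own preset security files and the scanner's own second intrusion detection strategy.

```python
"""Turning an unrecognised-format file into scannable target binary data.

Added example, not code from the patent. The minimal ELF and PE images
below are constructed header-only carriers (not runnable programs) with
just enough structure to pass a format check; they stand in for the
patent's preset 'security files'. SIGNATURES is a constructed stand-in
for the second intrusion detection strategy.
"""
import struct
from typing import Dict, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def minimal_elf64() -> bytes:
    """64-byte ELF64 header: ET_EXEC, x86-64, no program/section headers."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1
    return e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,       # e_type=EXEC, e_machine=x86-64, e_version
        0, 0, 0,          # e_entry, e_phoff, e_shoff
        0, 64, 0, 0,      # e_flags, e_ehsize, e_phentsize, e_phnum
        0, 0, 0,          # e_shentsize, e_shnum, e_shstrndx
    )


def minimal_pe() -> bytes:
    """64-byte DOS header (e_lfanew=64) + 'PE\\0\\0' + 20-byte COFF header."""
    dos = DOS_MAGIC + bytes(58) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x0002)
    return dos + PE_SIGNATURE + coff


def recognised_format(data: bytes) -> Optional[str]:
    """Return 'ELF', 'PE' or None; None marks a 'second target file'."""
    if data[:4] == ELF_MAGIC:
        return "ELF"
    if data[:2] == DOS_MAGIC and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "PE"
    return None


def build_target_binaries(first_binary: bytes) -> List[Tuple[str, bytes, int]]:
    """Append first_binary to the tail of each security file.

    Returns (carrier type, target binary data, payload offset) per
    security file, so the number of target binaries equals the number
    of security files. The carrier header must still parse afterwards.
    """
    carriers = {"ELF": minimal_elf64(), "PE": minimal_pe()}
    out = []
    for kind, carrier in carriers.items():
        target = carrier + first_binary      # one copy per carrier
        if recognised_format(target) != kind:
            raise ValueError(f"{kind} carrier no longer recognised")
        out.append((kind, target, len(carrier)))
    return out


# Constructed signatures standing in for the second intrusion detection
# strategy; the patent itself relies on existing, mature detection rules.
SIGNATURES: Dict[str, bytes] = {"constructed-marker-A": b"EVIL_MARKER_A"}


def scan_target(target: bytes, payload_offset: int) -> List[Tuple[str, int]]:
    """Match signatures in the appended region; report payload-relative offsets."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = target.find(sig, payload_offset)
        if pos != -1:
            hits.append((name, pos - payload_offset))
    return hits


def detect_second_target_file(data: bytes) -> str:
    """'dangerous' if any carrier-wrapped copy matches, else 'clean'."""
    if recognised_format(data) is not None:
        raise ValueError("recognised format; handle as a normal target file")
    for _kind, target, offset in build_target_binaries(data):
        if scan_target(target, offset):
            return "dangerous"
    return "clean"


if __name__ == "__main__":
    # Constructed payload in an unrecognised format (not a real sample).
    print(detect_second_target_file(b"\x00\x01hdr EVIL_MARKER_A tail"))
```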
It should be noted that the second intrusion detection policy preset in the intrusion detection system may be obtained based on existing mature detection policies, which are well known to those skilled in the art, and the detailed description of the detection policy is omitted here.
If the detection result of the intrusion detection system is that the second target file is a dangerous file, it indicates that malicious codes exist in the second target file, and the malicious codes are likely to be called by a relevant malicious process in the user computer subsequently, so as to complete the infection of the user computer.
In order to solve the technical problem, in some embodiments, the method further includes:
in response to the detection result that the second target file is a dangerous file, releasing the network traffic corresponding to the second target file, so that the terminal device receiving the network traffic monitors the process that calls the second target file, and that process can be determined to be a malicious process.
In this embodiment, when the second target file is determined to be a dangerous file, the intrusion detection system may still release the network traffic corresponding to it, so that, with the file already known to be dangerous, the downstream terminal device can monitor and analyze the processes associated with it. That is, the terminal device (e.g., the user computer) receiving the network traffic monitors the process that calls the second target file (e.g., using hook technology), determines that process to be a malicious process, and may further handle it (e.g., delete it or perform further correlation analysis). This both keeps the user computer from being infected by the virus and allows correlation analysis of the virus, which helps analysts understand its attack habits.
As shown in fig. 2 and fig. 3, an embodiment of the present invention provides a network intrusion detection apparatus. The apparatus embodiments may be implemented by software, by hardware, or by a combination of the two. At the hardware level, fig. 2 is a hardware architecture diagram of the electronic device in which the network intrusion detection apparatus according to an embodiment of the present invention is located; in addition to the processor, memory, network interface and nonvolatile memory shown in fig. 2, the electronic device may also include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 3, the apparatus, as a logical device, is formed by the CPU of the electronic device reading the corresponding computer program from nonvolatile memory into memory and running it.
As shown in fig. 3, the network intrusion detection apparatus provided in this embodiment includes:
the analysis module is used for analyzing and processing the network traffic captured from the network equipment to be detected to obtain analysis data;
the detection module is used for carrying out intrusion detection on the analyzed data to obtain a target file; the target files comprise a first target file and a second target file, the first target file is a file based on a remote desktop protocol, and the second target file is a file of which the format cannot be identified;
a first executing module, configured to, when the first target file is obtained, execute the following operations: analyzing the current first target file to obtain a configuration item of the current first target file; carrying out intrusion detection on the current first target file based on a preset first intrusion detection strategy and the configuration item of the current first target file; wherein the first intrusion detection policy is determined based on all configuration items of a known remote desktop protocol-based file;
a second executing module, configured to, when the second target file is obtained, execute the following operations: connecting the first binary data corresponding to the current second target file to the tail of the second binary data corresponding to the preset security file to obtain target binary data; carrying out intrusion detection on the target binary data based on a preset second intrusion detection strategy; the security file comprises a PE file and an ELF file, and the second intrusion detection strategy corresponds to the type of the security file.
In an embodiment of the present invention, the first intrusion detection policy is specifically determined based on the following manner:
acquiring a score value assigned to each configuration item of a known remote desktop protocol-based file;
obtaining classification results of threat level classification for all configuration items of known files based on a remote desktop protocol;
determining a threat threshold corresponding to each threat level based on the score value and the classification result;
and determining a first intrusion detection strategy based on the threat threshold corresponding to each threat level.
In one embodiment of the present invention, the determining a threat threshold corresponding to each threat level based on the score value and the classification result comprises:
determining a threat threshold corresponding to each threat level using the following equation:
[equation image: not reproduced on this page]
wherein V_i is the threat threshold of the i-th threat level, C_ij is the score value of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
In an embodiment of the present invention, the first executing module is further configured to perform the following operations: obtaining a configuration item score value library based on all configuration items of a known file based on a remote desktop protocol and a score value corresponding to each configuration item;
the first execution module is used for executing the following operations when executing the intrusion detection on the current first target file based on the preset first intrusion detection strategy and the configuration item of the current first target file:
obtaining a security reference value of the current first target file based on the configuration item score value library and the configuration item of the current first target file;
and carrying out intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy.
In an embodiment of the present invention, when obtaining the security reference value of the current first target file based on the configuration item score value library and the configuration item of the current first target file, the first execution module is configured to perform the following operations:
obtaining a security reference value of the current first target file by adopting the following formula:
[equation image: not reproduced on this page]
wherein S is the security reference value of the current first target file, D_j is the score value of the j-th configuration item in the current first target file, and k is the total number of configuration items in the current first target file.
In an embodiment of the present invention, when performing the intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy, the first execution module is configured to perform the following operations:
and comparing the security reference value with threat threshold values corresponding to each threat level and included in the first intrusion detection strategy to obtain the threat level of the current first target file so as to complete intrusion detection on the current first target file.
In an embodiment of the present invention, the second execution module is further configured to perform the following operations: and in response to the detection result that the second target file is a dangerous file, releasing the network traffic corresponding to the second target file, so that the terminal device receiving the network traffic monitors a process calling the second target file, and the process calling the second target file can be determined as a malicious process.
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to a network intrusion detection apparatus. In other embodiments of the present invention, a network intrusion detection apparatus may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides electronic equipment which comprises a memory and a processor, wherein the memory is stored with a computer program, and when the processor executes the computer program, the network intrusion detection method in any embodiment of the invention is realized.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute a network intrusion detection method according to any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the embodiments described above are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for network intrusion detection, comprising:
analyzing the network traffic captured from the network equipment to be detected to obtain analysis data;
carrying out intrusion detection on the analyzed data to obtain a target file; the target files comprise a first target file and a second target file, the first target file is a file based on a remote desktop protocol, and the second target file is a file of which the format cannot be identified by an intrusion detection system;
when the first target file is obtained, the following operations are executed: analyzing the current first target file to obtain a configuration item of the current first target file; carrying out intrusion detection on the current first target file based on a preset first intrusion detection strategy and the configuration item of the current first target file; wherein the first intrusion detection policy is determined based on all configuration items of a known remote desktop protocol-based file;
when the second target file is obtained, the following operations are executed: connecting the first binary data corresponding to the current second target file to the tail of the second binary data corresponding to the preset security file to obtain target binary data; carrying out intrusion detection on the target binary data based on a preset second intrusion detection strategy; the security file comprises a Portable Executable (PE) file and an Executable and Linkable Format (ELF) file, and the second intrusion detection strategy corresponds to the type of the security file.
2. The method of claim 1, wherein the first intrusion detection policy is determined based on, in particular:
acquiring a score value assigned to each configuration item of a known remote desktop protocol-based file;
obtaining classification results of threat level classification for all configuration items of known files based on a remote desktop protocol;
determining a threat threshold corresponding to each threat level based on the score value and the classification result;
and determining a first intrusion detection strategy based on the threat threshold corresponding to each threat level.
3. The method of claim 2, wherein determining a threat threshold corresponding to each threat level based on the score value and the classification result comprises:
determining a threat threshold corresponding to each threat level as follows:
[equation image: not reproduced on this page]
wherein V_i is the threat threshold of the i-th threat level, C_ij is the score value of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
4. The method of claim 2, further comprising, after the obtaining the score value assigned to each configuration item of the known remote desktop protocol-based file: obtaining a configuration item score value library based on all configuration items of a known remote desktop protocol-based file and the score value corresponding to each configuration item;
the intrusion detection of the current first target file based on the preset first intrusion detection strategy and the configuration item of the current first target file comprises the following steps:
obtaining a security reference value of the current first target file based on the configuration item score value library and the configuration item of the current first target file;
and carrying out intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy.
5. The method of claim 4, wherein obtaining the security reference value of the current first target file based on the configuration item score value library and the configuration item of the current first target file comprises:
obtaining a security reference value of the current first target file by adopting the following method:
[equation image: not reproduced on this page]
wherein S is the security reference value of the current first target file, D_j is the score value of the j-th configuration item of the current first target file, obtained from the configuration item score value library, and k is the total number of configuration items in the current first target file.
6. The method of claim 4, wherein the performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy comprises:
and comparing the security reference value with threat threshold values corresponding to each threat level and included in the first intrusion detection strategy to obtain the threat level of the current first target file so as to complete intrusion detection on the current first target file.
7. The method of any of claims 1-6, further comprising, after said performing intrusion detection on said target binary data:
and in response to the detection result that the second target file is a dangerous file, releasing the network traffic corresponding to the second target file, so that the terminal device receiving the network traffic monitors a process calling the second target file, and the process calling the second target file can be determined as a malicious process.
8. A network intrusion detection device, comprising:
the analysis module is used for analyzing and processing the network traffic captured from the network equipment to be detected to obtain analysis data;
the detection module is used for carrying out intrusion detection on the analyzed data to obtain a target file; the target files comprise a first target file and a second target file, the first target file is a file based on a remote desktop protocol, and the second target file is a file of which the format cannot be identified;
a first executing module, configured to, when the first target file is obtained, execute the following operations: analyzing the current first target file to obtain a configuration item of the current first target file; carrying out intrusion detection on the current first target file based on a preset first intrusion detection strategy and the configuration item of the current first target file; wherein the first intrusion detection policy is determined based on all configuration items of a known remote desktop protocol-based file;
a second executing module, configured to, when the second target file is obtained, execute the following operations: connecting the first binary data corresponding to the current second target file to the tail of the second binary data corresponding to the preset security file to obtain target binary data; carrying out intrusion detection on the target binary data based on a preset second intrusion detection strategy; the security file comprises a PE file and an ELF file, and the second intrusion detection strategy corresponds to the type of the security file.
CN202210845301.9A 2022-07-19 2022-07-19 Network intrusion detection method and device Active CN115086068B (en)

Publications (2)

Publication Number Publication Date
CN115086068A CN115086068A (en) 2022-09-20
CN115086068B true CN115086068B (en) 2022-11-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant