CN115396163B - Malicious periodic behavior detection method - Google Patents

Malicious periodic behavior detection method

Info

Publication number: CN115396163B
Authority: CN (China)
Prior art keywords: malicious, behavior, detection, data, window
Prior art date:
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN202210959300.7A
Other languages: Chinese (zh)
Other versions: CN115396163A (en)
Inventors: 邹凯 (Zou Kai), 陈凯枫 (Chen Kaifeng)
Current assignee: Guangzhou Trustmo Information System Co., Ltd. (as listed; not verified by legal analysis)
Original assignee: Guangzhou Trustmo Information System Co., Ltd.
Priority date:
Filing date:
Publication date:
Events: application filed by Guangzhou Trustmo Information System Co., Ltd.; priority to CN202210959300.7A; publication of CN115396163A; application granted; publication of CN115396163B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a malicious periodic behavior detection method comprising the following steps. Step one, acquire traffic data: obtain network communication traffic data from a network traffic capture device or a traffic data storage server. Step two, process traffic data: apply whitelist filtering to the traffic data acquired in step one; screen the traffic that does not match the whitelist according to a behavior screening mode to obtain the occurrence times of behaviors of the same type; sort these times in ascending order; compute the behavior interval sequence; and window the interval sequence to obtain multi-window interval sequence data for each detection object. Step three: run malicious periodic behavior detection on each window of the multi-window interval sequence using a high-adaptability optimal interval unit algorithm, so that each detection object obtains detection results for several detection windows. Step four: take the two indices of the detection object from step three, the total maliciousness and the total malicious rate, as the final detection result and output it to a malicious behavior alerting and response system.

Description

Malicious periodic behavior detection method
Technical Field
The invention relates to the technical field of information security, in particular to a malicious periodic behavior detection method.
Background
In information security, periodic behavior (beaconing) is communication between network devices that recurs with a fixed period or with a regular, dynamically varying period. Benign periodic behavior poses no threat to information systems or network security; examples are an operating system's automatic calibration behavior, antivirus software periodically requesting updates from its server, and time synchronization services. Malicious periodic behavior, by contrast, is a serious threat. Its most typical form appears in command and control (C&C) attack scenarios: infected machines under C&C control regularly initiate communication to the controlling machine, so that the attacker can tell which infected machines are alive and still under control. Some low-frequency attacks, such as low-rate denial of service and low-frequency password brute forcing, also exhibit the characteristics of malicious periodic behavior.
In a complex, high-volume network environment, malicious periodic behavior is easier to hide; at the same time, newer attacks commonly apply evasion techniques that seriously weaken the effectiveness of traditional methods for detecting malicious periodic behavior. A more effective detection method for malicious periodic behavior is therefore needed to improve the ability to discover network threats and safeguard information security.
In a real network environment, when a device goes offline and its request cycle is interrupted, when a malicious program deliberately pauses or sleeps, or when the controlling server deliberately adds random jitter to the period of the malicious behavior, the miss (false negative) rate of existing methods rises significantly. For example:
The patent with publication number CN106850647B discloses a malicious domain name detection algorithm based on the periodicity of DNS requests. The method first processes DNS request records into histogram data, computes similarity with the Jeffrey divergence, and, when the similarity is below a threshold, judges the behavior periodic and the domain name malicious. The method has low robustness and a high miss rate.
The patent with publication number CN108347447B discloses a P2P botnet detection method based on analysis of periodic communication behavior. Its main steps are: sort the access timestamp sequence in ascending order, take its first-order difference, and compute the coefficient of variation of the difference sequence; when the coefficient of variation is below a threshold, the data stream is judged periodic and the host generating it is judged to be a bot. This method likewise has low robustness and a high miss rate.
A further class of detection methods, based on machine learning, depends heavily on collected samples of malicious behavior, and most of their key algorithms are "black box" models. When such a method faces a novel attack, the old samples no longer apply and the detection result is unsatisfactory; these methods have high cost, poor interpretability, and unstable accuracy and miss rates.
Disclosure of Invention
The invention aims to provide a malicious periodic behavior detection method with broad and flexible application scenarios that can detect novel advanced attacks. The method suits a variety of complex attack detection scenarios, such as command and control attack detection, low-rate denial of service attack detection, DNS malicious domain name detection, malicious attack detection over large-scale traffic data, and detection of attacks carried over encrypted protocols, and it reduces detection cost, improves accuracy, lowers the miss rate and improves interpretability.
The purpose of the invention can be realized by the following technical scheme:
A malicious periodic behavior detection method comprises the following steps:
Step one, acquire traffic data: obtain network communication traffic data from a network traffic capture device or a traffic data storage server;
Step two, process traffic data: apply whitelist filtering to the traffic data acquired in step one; screen the traffic that does not match the whitelist according to a behavior screening mode to obtain the occurrence times of behaviors of the same type; sort them in ascending order; compute the behavior interval sequence; and window the interval sequence to obtain multi-window interval sequence data for each detection object;
Step three: run malicious periodic behavior detection on each window of the multi-window interval sequence using a high-adaptability optimal interval unit algorithm, so that each detection object obtains detection results for several detection windows; the detection results comprise the total maliciousness, the total malicious rate and the period;
Step four: take the two indices of the detection object from step three, the total maliciousness and the total malicious rate, as the final detection result and output it to the malicious behavior alerting and response system.
As a further aspect of the invention: in step one, the main fields of the traffic data include the client IP, the server IP and the behavior occurrence time.
As a further aspect of the invention: in step two, the behavior screening mode depends on the application scenario and includes several screening modes, such as:
client IP + server IP + application layer protocol;
client IP + server IP + application layer protocol + application layer session duration less than X seconds;
client IP + application layer protocol + application layer session total traffic less than or equal to Y bits;
application layer protocol + application layer login user name + application layer login failure;
client IP + other protocol layer behavior;
where X and Y are empirical thresholds computed from historical data of the protocol under detection.
As a further aspect of the invention: in step two, the behavior interval sequence is computed by taking the time difference between each behavior time point and the preceding one as the behavior interval.
As a further aspect of the invention: in step two, the multi-window interval sequence data of a detection object is obtained by setting two windowing parameters, window_size and window_step: a window is cut every window_size interval elements, the window is then slid forward by window_step interval elements and cut again, and the process stops when the remaining interval elements are fewer than window_size;
where window_size and window_step are positive integers.
As a further aspect of the invention: in step three, the total maliciousness is the average of the maliciousness values of the several windows;
the total malicious rate is the proportion of windows judged malicious.
As a further aspect of the invention: in step three, the steps of the high-adaptability optimal interval unit algorithm are as follows:
K1: input: a single interval sequence series to be detected, a lower bound coefficient L, an upper bound coefficient U, a number of search steps step_size, and a normalization coefficient N;
K2: compute several parameters: the search lower bound lower, the search upper bound upper, the search step length step, and the discrete search range search_scope;
where lower = min(series) × L, with min denoting the minimum of series;
upper = mean(series) × U, with mean denoting the median of series;
step = (upper - lower) / step_size;
search_scope = range(lower, upper, step);
where range takes one search point every step starting from lower and continuing up to upper, giving step_size search points in total;
K3: compute the loss value at each search point in the discrete search range to obtain the loss value sequence Cost;
K4: compute the period UNIT and the maliciousness anomaly;
where the period is:
Figure BDA0003791672680000043
and the maliciousness is:
Figure BDA0003791672680000041
here imin is the index i at which Cost attains its minimum, N is the input normalization coefficient, and RL1 is the loss function;
K5: determine the maliciousness threshold T by an empirical threshold method, a statistical method or a machine learning method;
K6: judge whether the detected object is malicious, anomaly_binary, as follows:
Figure BDA0003791672680000042
where T is the maliciousness threshold; 1 denotes "malicious" and 0 denotes "non-malicious";
K7: output the detection result for the single interval sequence: the maliciousness anomaly, the malicious flag anomaly_binary, and the period UNIT;
where the lower bound coefficient L is a positive number between 0.5 and 1, the upper bound coefficient U = 1, the number of search steps step_size = 1000, the normalization coefficient N = 4, and the maliciousness threshold T = 0.45.
As a further aspect of the invention: in K3, the loss value sequence Cost is obtained as follows:
K31: let u_i be the i-th element of the discrete search range search_scope;
K32:
Figure BDA0003791672680000051
where Cost_Function denotes the loss function;
the loss function Cost_Function is computed by one of the following formulas:
K321: the RL1 loss function:
Figure BDA0003791672680000052
K322: the RLk loss function:
Figure BDA0003791672680000053
where C is the number of elements of the sequence x,
Figure BDA0003791672680000054
is the rounding operator, "| |" is the absolute value operator, and k is a positive integer.
The invention has the following beneficial effects: its application scenarios are broad and flexible and it can detect novel advanced attacks. The method suits a variety of complex attack detection scenarios, such as command and control attack detection, low-rate denial of service attack detection, DNS malicious domain name detection, malicious attack detection over large-scale traffic data and detection of attacks carried over encrypted protocols, and it offers low cost, high accuracy, a low miss rate and high interpretability.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a flow chart of the present invention for processing traffic data;
FIG. 3 is a flow chart of the high-adaptability optimal interval unit algorithm of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
Referring to FIG. 1 to FIG. 3, the present invention is a method for detecting malicious periodic behavior, comprising the following steps:
Step one, acquire traffic data: obtain network communication traffic data (traffic data for short) from a network traffic capture device or a traffic data storage server;
Step two, process traffic data: apply whitelist filtering to the traffic data acquired in step one; screen the traffic that does not match the whitelist according to a behavior screening mode to obtain the occurrence times of behaviors of the same type; sort them in ascending order; compute the behavior interval sequence; and window the interval sequence to obtain multi-window interval sequence data for each detection object;
Step three: run malicious periodic behavior detection on each window of the multi-window interval sequence with a high-adaptability optimal interval unit algorithm, so that each detection object obtains detection results for several detection windows; the detection results comprise the total maliciousness, the total malicious rate and the period;
Step four: output the detection result to the malicious behavior alerting and response system.
In step one, the main fields of the traffic data comprise the client IP, the server IP and the behavior occurrence time;
in some embodiments, the traffic data further comprises some or all of: the transport layer protocol, source port number, destination port number, application layer protocol, application layer login user name, whether the application layer login succeeded, application layer behavior identified by deep packet inspection, application layer session duration, application layer session traffic (total, upstream and downstream), application layer session packet count (total, upstream and downstream), and other protocol layer behavior (such as "issue a request for a domain name to a DNS server", "issue a PING request", "issue a TCP SYN request");
where the upstream direction is traffic from the client to the server;
and the downstream direction is traffic from the server to the client.
In step two, the processing of the traffic data comprises the following steps:
S1: apply whitelist filtering to the traffic data to obtain the traffic data that does not satisfy the whitelist condition (the blacklist traffic data);
S2: process the blacklist traffic data according to a behavior screening mode, select the traffic data of the same type of behavior, and take its behavior occurrence time column to obtain the occurrence time data of that behavior type;
S3: sort the occurrence time data of the same type of behavior in ascending order and compute the behavior interval sequence;
S4: window the behavior interval sequence data to obtain the multi-window detection sequence data of the detection object.
The whitelist is a collected list of features of legitimate software or services; software or services that satisfy the whitelist condition are considered harmless, and their traffic data is not detected.
In S2, the behavior screening modes differ by application scenario and embodiment; according to the types of traffic data available from step one they include the following:
S21: in some embodiments the screening condition is "client IP + server IP + application layer protocol", that is, all traffic of a given application layer protocol between a given client and a given server is selected as the detection object; this is applied to malicious periodic behavior detection in the conventional scenario;
S22: in some embodiments the screening condition is "client IP + server IP + application layer protocol + application layer session duration less than X seconds", that is, all traffic of a given application layer protocol between a given client and a given server that also has a given duration characteristic is selected as the detection object; this is applied to malicious periodic behavior detection in the conventional scenario; X is an empirical threshold computed from historical data of the protocol under detection;
S23: in some embodiments the screening condition is "client IP + application layer protocol + application layer session total traffic less than or equal to Y bits", that is, all traffic of a given client that uses a given application layer protocol and has a given traffic-volume characteristic is selected as the detection object; this is applied to malicious periodic behavior detection when a client is controlled by one or more C&C servers, and can also be applied to detection in an encrypted protocol attack scenario; Y is an empirical threshold computed from historical data of the protocol under detection;
S24: in some embodiments the screening condition is "application layer protocol + application layer login user name + application layer login failure", that is, the failed-login traffic of a given user name over a given application layer protocol is selected as the detection object; this is applied to malicious periodic behavior detection in a low-rate password cracking scenario aimed at a specific user name of an application;
S25: in some embodiments the screening condition is "client IP + other protocol layer behavior", that is, the traffic of a given protocol behavior of a given client is selected as the detection object; this is applied to malicious periodic behavior detection aimed at one specific class of behavior; the "other protocol layer behavior" may be "issue a request for a domain name to a DNS server", "issue a PING request", "issue a TCP SYN request", and so on.
In S3, the behavior interval sequence is computed as follows:
the time difference between each behavior time point and the previous one gives the behavior interval.
In S4, the multi-window interval sequence data W of the detection object is obtained as follows:
set two windowing parameters, the window size (window_size) and the window step (window_step); cut a window every window_size interval elements, slide forward by window_step interval elements and cut again, and stop when the remaining interval elements are fewer than window_size;
the parameters window_size and window_step are positive integers and can be set flexibly according to the application scenario and the computing capacity of the deployment server.
S41: in some embodiments, when server performance is insufficient, consider increasing window_size and window_step appropriately;
preferably, window_size = 30 and window_step = 1.
Specifically, after S1 and S2 the following occurrence time data of one behavior type is obtained: [1600326765.5388, 1600327125.4243, 1600327245.8115, 1600327488.2358, 1600327609.2651, 1600327727.1547], shown as sample Data 1:
Data 1
Occurrence time data of the same type of behavior
1600326765.5388
1600327125.4243
1600327245.8115
1600327488.2358
1600327609.2651
1600327727.1547
Sorting Data 1 in ascending order and taking the time difference between each occurrence time and its predecessor gives the behavior interval sequence, Data 2 (the first entry has no predecessor and therefore no interval):
Data 2
Behavior interval sequence data
-
359.8855
120.3872
242.4243
121.0293
117.8896
Windowing Data 2 gives three windowed interval sequences, Data 3:
Figure BDA0003791672680000091
Figure BDA0003791672680000101
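The processing of step two (S1 to S4), the screening modes S21 to S25 and the Data 1 to Data 3 walk-through above, as an added example in Python that is not part of the patent or the assignee's code. The whitelist entries, the IP addresses, the screening helpers and the window parameters window_size = 3, window_step = 1 are assumptions (the page does not state the parameters used to produce Data 3; 3 and 1 are the values that turn the five intervals of Data 2 into three windows, and the page's preferred window_size = 30 would produce none). The six timestamps are the page's Data 1; intervals are rounded to four decimals to match the page's precision.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One traffic record carrying a subset of the fields listed for step one."""
    client_ip: str
    server_ip: str
    app_proto: str
    ts: float                        # behaviour occurrence time, epoch seconds
    duration: float = 0.0            # application-layer session duration, seconds
    total_bytes: int = 0             # application-layer session traffic, bytes
    user: str = ""                   # application-layer login user name
    login_ok: Optional[bool] = None  # None when the record carries no login attempt


# S1 whitelist: (server IP, application protocol) pairs of known-legitimate
# services. Constructed for this example; a real list comes from inventory.
WHITELIST = {("10.0.0.53", "DNS"), ("10.0.0.20", "HTTP")}


def whitelist_filter(flows: List[Flow]) -> List[Flow]:
    """S1: keep only the records that do not match the whitelist."""
    return [f for f in flows if (f.server_ip, f.app_proto) not in WHITELIST]


# S2 screening modes (assumed encodings of S21-S24). Each maps a record to the
# key of its detection object, or to None when the record is not selected.
Key = Tuple[str, ...]


def mode_s21(f: Flow) -> Optional[Key]:
    return (f.client_ip, f.server_ip, f.app_proto)


def mode_s22(x_seconds: float) -> Callable[[Flow], Optional[Key]]:
    return lambda f: (f.client_ip, f.server_ip, f.app_proto) if f.duration < x_seconds else None


def mode_s23(y_bytes: int) -> Callable[[Flow], Optional[Key]]:
    return lambda f: (f.client_ip, f.app_proto) if f.total_bytes <= y_bytes else None


def mode_s24(f: Flow) -> Optional[Key]:
    return (f.app_proto, f.user) if f.login_ok is False else None


def screen(flows: List[Flow], mode: Callable[[Flow], Optional[Key]]) -> Dict[Key, List[float]]:
    """S2: group the occurrence times of same-type behaviour by detection object."""
    groups: Dict[Key, List[float]] = {}
    for f in flows:
        key = mode(f)
        if key is not None:
            groups.setdefault(key, []).append(f.ts)
    return groups


def interval_sequence(times: List[float]) -> List[float]:
    """S3: sort ascending, then difference each time from its predecessor."""
    ts = sorted(times)
    return [round(b - a, 4) for a, b in zip(ts, ts[1:])]


def windows(seq: List[float], window_size: int, window_step: int) -> List[List[float]]:
    """S4: cut a window every window_size elements, slide by window_step,
    and stop once fewer than window_size elements remain."""
    out, i = [], 0
    while i + window_size <= len(seq):
        out.append(seq[i:i + window_size])
        i += window_step
    return out


def build_detection_objects(flows: List[Flow], mode, window_size: int = 3,
                            window_step: int = 1) -> Dict[Key, List[List[float]]]:
    """Step two end to end: detection object -> list of interval windows."""
    return {key: windows(interval_sequence(ts), window_size, window_step)
            for key, ts in screen(whitelist_filter(flows), mode).items()}


# Data 1 from the page (six occurrence times of one behaviour type) attached to
# a constructed client/server pair, plus constructed DNS records that S1 drops.
DATA_1 = [1600326765.5388, 1600327125.4243, 1600327245.8115,
          1600327488.2358, 1600327609.2651, 1600327727.1547]
SAMPLE = ([Flow("192.168.1.10", "203.0.113.7", "HTTPS", t, duration=0.4, total_bytes=900)
           for t in DATA_1]
          + [Flow("192.168.1.10", "10.0.0.53", "DNS", t + 1.0) for t in DATA_1[:3]])

if __name__ == "__main__":
    for key, wins in build_detection_objects(SAMPLE, mode_s21).items():
        print(key, wins)
```

Running the block prints one detection object, `('192.168.1.10', '203.0.113.7', 'HTTPS')`, with the three windows of Data 3: the intervals of Data 2 cut at offsets 0, 1 and 2. Note that the screening happens after the whitelist, so the DNS records never form a detection object, and that S24 yields nothing here because no record carries a failed login.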
In step three, the steps of the high-adaptability optimal interval unit algorithm are as follows:
W1: input: a single interval sequence to be detected (denoted series), a lower bound coefficient (denoted L), an upper bound coefficient (denoted U), a number of search steps (denoted step_size) and a normalization coefficient N;
W2: compute several parameters: the search lower bound (denoted lower), the search upper bound (denoted upper), the search step length (denoted step) and the discrete search range (denoted search_scope), by the following formulas:
lower = min(series) × L, where min() is the minimum of the sequence series;
upper = mean(series) × U, where mean() denotes the median of series;
step = (upper - lower) / step_size
search_scope = range(lower, upper, step)
where range() takes one search point every step starting from lower and continuing up to upper, giving step_size search points in total;
W3: compute the loss value at each search point of the discrete search range to obtain the loss value sequence Cost, as follows:
W31: let u_i be the i-th element of the discrete search range search_scope;
W32:
Figure BDA0003791672680000102
where Cost_Function denotes the loss function;
the loss function Cost_Function is one of the following two formulas:
the RL1 loss function:
Figure BDA0003791672680000111
the RLk loss function:
Figure BDA0003791672680000112
where C is the number of elements of the sequence x,
Figure BDA0003791672680000116
is the rounding-up operator, "| |" is the absolute value operator, and k is a positive integer;
W4: compute the period (denoted UNIT) and the maliciousness (denoted anomaly), as follows:
W41: find the index i at which Cost attains its minimum, denoted imin;
W42: the period:
Figure BDA0003791672680000113
W43: the maliciousness:
Figure BDA0003791672680000114
where N is the input normalization coefficient and RL1 is the loss function;
W5: determine the maliciousness threshold (denoted T) by one of the following three methods:
W51: empirical threshold method: the value of T is set from the experience of a professional;
W52: statistical method: T is determined from historical attack data or simulated penetration test attack data using the "small probability event" idea of the normal distribution;
W53: machine learning method: a highly interpretable supervised learning model is trained on historical attack data or simulated penetration test attack data and used to determine T; the preferred machine learning method is the decision tree;
W6: judge whether the detected object is malicious (denoted anomaly_binary) by the following formula:
Figure BDA0003791672680000115
where T is the maliciousness threshold; 1 denotes "malicious" and 0 denotes "non-malicious";
W7: output the detection result for the single interval sequence: the maliciousness (anomaly), the malicious flag (anomaly_binary) and the period (UNIT).
Preferably, the lower bound coefficient L is a positive number between 0.5 and 1, the upper bound coefficient U = 1, the number of search steps step_size = 1000, the normalization coefficient N = 4 and the maliciousness threshold T = 0.45.
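The search of W1 to W7, the threshold method W52, and the aggregation of step three (total maliciousness as the average over windows, total malicious rate as the share of windows flagged), as an added example in Python that is not the patent's or the assignee's code. The formulas the page reproduces only as images are replaced by assumed forms, marked as such in the comments: RL1 is taken as the mean distance of each interval, expressed in units of the candidate period u, from its nearest integer multiple; RLk raises that distance to the power k; the maliciousness is taken as 1 - N x Cost[imin], clamped at 0; the period is the search point with the smallest cost; W6 flags anomaly >= T; and W52 is rendered as mean plus z standard deviations of benign scores. The preferred parameters (U = 1, step_size = 1000, N = 4, T = 0.45, L in [0.5, 1], here 0.8) and the Data 2 intervals are the page's; the three windows assume window_size = 3 and window_step = 1, and the aperiodic sequence is constructed.

```python
import statistics
from typing import Callable, Dict, List


def rl1(x: List[float], u: float) -> float:
    """ASSUMED RL1: mean over the C elements of x of |x_j/u - round(x_j/u)|.
    It is 0 when every interval is an integer multiple of u, so a beacon whose
    interval sometimes doubles or triples (device offline, implant asleep)
    still scores as periodic; random jitter of d seconds costs about d/u."""
    return sum(abs(v / u - round(v / u)) for v in x) / len(x)


def rlk(x: List[float], u: float, k: int = 2) -> float:
    """ASSUMED RLk: the same deviation raised to the positive integer k."""
    return sum(abs(v / u - round(v / u)) ** k for v in x) / len(x)


def search_scope(series: List[float], L: float, U: float, step_size: int) -> List[float]:
    """W2: lower = min(series)*L, upper = mean(series)*U with mean() the median
    as the text defines it; range(lower, upper, step) yields step_size points
    from lower up to, but not including, upper."""
    lower = min(series) * L
    upper = statistics.median(series) * U
    step = (upper - lower) / step_size
    return [lower + i * step for i in range(step_size)]


def detect_window(series: List[float], L: float = 0.8, U: float = 1.0, step_size: int = 1000,
                  N: float = 4.0, T: float = 0.45,
                  cost: Callable[[List[float], float], float] = rl1) -> Dict[str, float]:
    """W3 to W7 for one interval sequence."""
    scope = search_scope(series, L, U, step_size)
    costs = [cost(series, u) for u in scope]               # W3: Cost[i] = cost(series, u_i)
    imin = min(range(len(costs)), key=costs.__getitem__)   # W41: first index of the minimum
    unit = scope[imin]                                     # W42 (ASSUMED): UNIT = u_imin
    # W43 (ASSUMED): N = 4 maps the RL1 of an aperiodic sequence (about 0.25,
    # the mean of a deviation uniform on [0, 0.5]) to 0 and an exact period to 1.
    anomaly = max(0.0, 1.0 - N * costs[imin])
    return {"unit": unit, "anomaly": anomaly, "anomaly_binary": int(anomaly >= T)}  # W6 (ASSUMED >=)


def detect_object(windows: List[List[float]], **params) -> Dict[str, object]:
    """Step three aggregation over the windows of one detection object."""
    results = [detect_window(w, **params) for w in windows]
    return {
        "total_maliciousness": sum(r["anomaly"] for r in results) / len(results),
        "total_malicious_rate": sum(r["anomaly_binary"] for r in results) / len(results),
        "periods": [r["unit"] for r in results],
        "windows": results,
    }


def statistical_threshold(benign_scores: List[float], z: float = 3.0) -> float:
    """W52 in one ASSUMED form: fit benign maliciousness scores with a normal
    distribution and treat anything above mean + z*sigma as a small-probability event."""
    return statistics.mean(benign_scores) + z * statistics.pstdev(benign_scores)


# Page data: Data 2 and its three windows (window_size = 3, window_step = 1 assumed).
DATA_2 = [359.8855, 120.3872, 242.4243, 121.0293, 117.8896]
DATA_3 = [DATA_2[i:i + 3] for i in range(3)]
# Constructed intervals (seconds) with no common unit, for contrast.
APERIODIC = [41.3, 287.9, 96.7, 503.2, 63.5, 174.1, 338.6, 22.8,
             149.9, 259.3, 78.4, 412.7, 117.2, 226.5, 55.9]

if __name__ == "__main__":
    print(detect_window(DATA_2))
    print(detect_object(DATA_3))
    print(detect_window(APERIODIC))
```

On Data 2 the search settles on a unit of about 120 seconds even though two of the five intervals are roughly two and three times that long, which is the "missed beacon" case the background section says defeats coefficient-of-variation methods; the aperiodic sequence scores far lower. One caveat that follows from this RL1 form: on an exactly periodic sequence, a candidate at half the true period also reaches cost 0, and because W41 takes the first minimum the search would report the smaller tied candidate. Keeping L near 1 (0.8 here) keeps min(series)/2 outside the search range, whereas L = 0.5, the bottom of the preferred range, lets that harmonic in.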
One core point of the invention: the fields of the traffic data comprise the client IP, server IP, behavior occurrence time, transport layer protocol, source port number, destination port number, application layer protocol, application layer login user name, whether the application layer login succeeded, application layer behavior identified by deep packet inspection, application layer session traffic, application layer session packet count and other protocol layer behavior.
A second core point of the invention: the behavior screening modes can be combined flexibly according to the traffic data of different application scenarios to obtain several combined screening schemes, such as:
(1) client IP + server IP + application layer protocol
(2) client IP + server IP + application layer protocol + application layer session duration less than X seconds
(3) client IP + application layer protocol + application layer session total traffic less than or equal to Y bits
(4) application layer protocol + application layer login user name + application layer login failure
(5) client IP + other protocol layer behavior
where X and Y are empirical thresholds computed from historical data of the protocol under detection.
A third core point of the invention: the application scenarios are broad and flexible, and novel advanced attacks can be detected. The method suits a variety of complex attack detection scenarios, such as command and control attack detection, low-rate denial of service attack detection, DNS malicious domain name detection, malicious attack detection over large-scale traffic data, detection of attacks carried over encrypted protocols, and the like.
While one embodiment of the present invention has been described in detail, the description is only of a preferred embodiment and should not be taken as limiting the scope of the invention. All equivalent changes and modifications made within the scope of the present invention fall within the scope of the present invention.

Claims (7)

1. A malicious periodic behavior detection method is characterized by comprising the following steps:
the method comprises the following steps: acquiring flow data: acquiring network communication traffic data from network traffic acquisition equipment or a traffic data storage server;
step two: processing flow data: carrying out white list filtering processing on the flow data acquired in the step one, screening the flow data which do not meet the white list according to a behavior screening mode to obtain the occurrence time data of the same type of behaviors and carrying out ascending arrangement, then calculating a behavior interval sequence, and carrying out windowing processing on the behavior interval sequence to obtain multi-window interval sequence data of a detection object;
step three: respectively carrying out malicious periodic behavior detection on the multi-window interval sequence based on a high-adaptability optimal interval unit algorithm, wherein each detection object obtains detection results of a plurality of detection windows, and the detection results comprise total malicious degree, total malicious rate and period;
step four: taking the two indexes of the total maliciousness and the total maliciousness rate of the detection object in the step three as a final detection result, and outputting the final detection result to a malicious behavior warning and responding system;
in step three, the steps of the high-adaptability optimal interval unit algorithm are as follows:
k1: inputting: a single interval sequence series to be detected, a lower bound coefficient L, an upper bound coefficient U, a number of search steps step_size and a standardization coefficient N;
k2: calculating a number of parameters: the search lower bound lower, the search upper bound upper and the search step length step; calculating the discrete search range search_scope;
wherein lower = min(series) × L, where min represents the minimum of series;
upper = mean(series) × U, where mean represents the median of series;
step = (upper - lower) / step_size;
search_scope = range(lower, upper, step);
wherein range represents taking 1 search point every step length from lower until upper, giving step_size search points in total;
k3: calculating the loss value of each search point in the discrete search range to obtain a loss value sequence Cost;
k4: calculating the period UNIT and the maliciousness anomaly;
wherein, the cycle:
Figure FDA0004089256730000023
degree of maliciousness:
Figure FDA0004089256730000021
wherein imin is the value of the subscript i at which Cost attains its minimum, N is the input standardization coefficient, and RL1 is the loss function;
k5: determining a maliciousness threshold value T by an empirical threshold value method, a statistical method or a machine learning method;
k6: judging whether the detection object is malicious, anomaly_binary, as follows:
Figure FDA0004089256730000022
wherein T is a maliciousness threshold; 1 represents "malicious", 0 represents "non-malicious";
k7: outputting the detection result of a single interval sequence: maliciousness anomaly, whether malicious anomaly_binary, and period UNIT;
wherein the lower bound coefficient L is a positive number between 0.5 and 1, the upper bound coefficient U = 1, the number of search steps step_size = 1000, the normalization factor N = 4, and the maliciousness threshold T = 0.45.
2. The method according to claim 1, wherein in step one, the traffic data includes main fields including a client IP, a server IP, and a behavior occurrence time.
3. The malicious periodic behavior detection method according to claim 1, wherein in the second step, the behavior screening modes include a plurality of screening modes for different application scenes, such as:
client IP + server IP + application layer protocol;
client IP + server IP + application layer protocol + application layer session duration less than X seconds;
client IP + application layer protocol + total application layer session traffic less than or equal to Y bits;
application layer protocol + application layer login user name + application layer login failure;
client IP + other protocol layer behavior;
wherein X and Y are empirical thresholds calculated from historical data of the protocol to be detected.
4. The method for detecting the malicious periodic behaviors as claimed in claim 1, wherein in the second step, the behavior interval sequence is calculated by calculating a time difference between a subsequent behavior time point and a previous behavior time point, so as to obtain the behavior interval time.
5. The malicious periodic behavior detection method according to claim 1, wherein in the second step, the multi-window interval sequence data of the detection object is obtained by setting 2 windowing parameters: a window is formed from every window_size interval elements, the window then slides forward by window_step interval elements to form the next window, and this stops when the remaining interval elements are fewer than the window size;
wherein window_size and window_step are positive integers.
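The preprocessing of step two and claims 3 to 5 (whitelist filtering, behavior screening, ascending sort, interval sequence, windowing), as an added example that is not the patent's own code. The record layout, the field names and the flow data are constructed for the example; the patent lists the fields but fixes no format. Screening modes (1) and (2) from the description are implemented; the X threshold is a parameter.

```python
"""Added example (not the patent's own code): step two of claim 1 and
claims 3-5, run over constructed flow records."""
from collections import defaultdict

# Constructed flow records, one dict per observed session (not real traffic).
# Field names are assumptions; the patent lists the fields but not a format.
FLOWS = [
    {"client_ip": "10.0.0.5", "server_ip": "203.0.113.7", "app_proto": "HTTPS",
     "time": 1000 + 60 * i, "session_seconds": 1.5} for i in range(11)
] + [
    {"client_ip": "10.0.0.5", "server_ip": "192.0.2.10", "app_proto": "HTTPS",
     "time": 1000 + 60 * i, "session_seconds": 1.5} for i in range(11)
] + [
    {"client_ip": "10.0.0.9", "server_ip": "203.0.113.7", "app_proto": "DNS",
     "time": t, "session_seconds": 0.2} for t in (1003, 1500, 1504)
]

# Whitelist (step two): server IPs whose traffic is never examined.
WHITELIST = {"192.0.2.10"}


def screening_key_mode1(flow):
    """Screening mode (1): client IP + server IP + application layer protocol."""
    return (flow["client_ip"], flow["server_ip"], flow["app_proto"])


def screening_key_mode2(flow, x_seconds):
    """Screening mode (2): mode (1) restricted to sessions shorter than X seconds.
    Returns None when the flow does not satisfy the mode (it is then dropped)."""
    if flow["session_seconds"] >= x_seconds:
        return None
    return screening_key_mode1(flow)


def interval_sequences(flows, key_fn, whitelist):
    """Group non-whitelisted flows by screening key, sort the occurrence times
    ascending and return the behaviour interval sequence per key (claim 4)."""
    times = defaultdict(list)
    for flow in flows:
        if flow["server_ip"] in whitelist:
            continue
        key = key_fn(flow)
        if key is None:
            continue
        times[key].append(flow["time"])
    sequences = {}
    for key, ts in times.items():
        ts.sort()
        sequences[key] = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return sequences


def windows(intervals, window_size, window_step):
    """Claim 5: take window_size elements, slide forward by window_step, and
    stop when fewer than window_size elements remain."""
    if window_size <= 0 or window_step <= 0:
        raise ValueError("window_size and window_step must be positive integers")
    return [intervals[i:i + window_size]
            for i in range(0, len(intervals) - window_size + 1, window_step)]


def detection_objects(flows, key_fn, whitelist, window_size, window_step):
    """Multi-window interval sequence data per detection object (screening key)."""
    return {key: windows(seq, window_size, window_step)
            for key, seq in interval_sequences(flows, key_fn, whitelist).items()}


if __name__ == "__main__":
    objs = detection_objects(FLOWS, screening_key_mode1, WHITELIST, 4, 2)
    for key, wins in objs.items():
        print(key, len(wins), "windows", wins[:1])
```

With window_size = 4 and window_step = 2, the eleven HTTPS sessions to 203.0.113.7 give ten intervals of 60 s and four windows; the whitelisted server never appears; the three DNS events give only two intervals, fewer than one window, so that object has no windows to detect on.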
6. The method according to claim 1, wherein in step three, the total maliciousness is calculated as the average of the "maliciousness" of a plurality of windows;
the total malicious rate is the proportion of windows judged malicious.
7. The malicious periodic behavior detection method according to claim 1, wherein in K3, the loss value sequence Cost is obtained by the following steps:
k31: ui is the ith element in the discrete search range search_scope;
K32:
Figure FDA0004089256730000031
wherein Cost_Function represents a loss function;
the calculation formulas of the Cost_Function loss function include the following:
k321: RL1 loss function:
Figure FDA0004089256730000032
k322: RLk loss function:
Figure FDA0004089256730000033
where "C" represents the number of all elements of sequence x,
Figure FDA0004089256730000034
represents the rounding operator, "| |" represents the absolute value operator, and k is a positive integer.
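Steps K1 to K7 of claim 1 applied to one window, followed by the claim 6 aggregation over windows, as an added example that is not the patent's own code. The RL1/RLk loss formulas and the maliciousness formula of K4 survive on this page only as image placeholders, so the cost function and the normalisation with N used below are assumed stand-ins, marked as such in the code; the search range follows K2 literally (the claim glosses mean as the median, which is what is used). The two interval windows are constructed, not measured.

```python
"""Added example (not the patent's own code): K1-K7 of claim 1 per window,
then claim 6 aggregation.  Loss and normalisation are ASSUMED stand-ins."""
from statistics import median

# Constructed interval sequences in seconds (not measured data).
BEACON_WINDOW = [58, 61, 60, 59, 62, 60, 61, 59]      # ~60 s beacon with jitter
IRREGULAR_WINDOW = [5, 90, 12, 200, 33, 7, 150, 61]   # interactive-looking gaps


def search_scope(series, L=0.5, U=1.0, step_size=1000):
    """K2: lower = min(series)*L, upper = mean(series)*U (glossed as the
    median in the claim), step = (upper-lower)/step_size, and step_size
    search points from lower up to, but excluding, upper."""
    lower = min(series) * L
    upper = median(series) * U
    step = (upper - lower) / step_size
    if step <= 0:                       # e.g. all intervals equal and L == 1
        return [lower]
    return [lower + i * step for i in range(step_size)]


def cost_function(series, u):
    """ASSUMED stand-in for the RL1 loss: mean absolute relative deviation of
    the intervals from candidate period u.  The claimed loss also involves a
    rounding operator (multiples of u); this stand-in does not."""
    if u <= 0:                          # zero intervals would give lower == 0
        return float("inf")
    return sum(abs(x - u) for x in series) / (len(series) * u)


def detect_window(series, L=0.5, U=1.0, step_size=1000, N=4, T=0.45):
    """K1-K7 for one interval sequence: returns (UNIT, anomaly, anomaly_binary)."""
    scope = search_scope(series, L, U, step_size)              # K2
    cost = [cost_function(series, u) for u in scope]            # K3
    imin = min(range(len(cost)), key=cost.__getitem__)          # K4: argmin
    unit = scope[imin]                                          # period UNIT
    # ASSUMED normalisation with coefficient N: a perfectly periodic window
    # (cost 0) scores 1 and the score reaches 0 once the cost is >= 1/N.
    anomaly = max(0.0, 1.0 - N * cost[imin])
    anomaly_binary = 1 if anomaly > T else 0                    # K6 with T
    return unit, anomaly, anomaly_binary


def detect_object(windows, **params):
    """Step three/four and claim 6: total maliciousness is the mean window
    anomaly; total malicious rate is the share of windows judged malicious."""
    results = [detect_window(w, **params) for w in windows]
    if not results:                     # object had too few intervals for a window
        return {"total_maliciousness": 0.0, "malicious_rate": 0.0, "periods": []}
    return {"total_maliciousness": sum(r[1] for r in results) / len(results),
            "malicious_rate": sum(r[2] for r in results) / len(results),
            "periods": [r[0] for r in results]}


if __name__ == "__main__":
    print(detect_window(BEACON_WINDOW))
    print(detect_window(IRREGULAR_WINDOW))
    print(detect_object([BEACON_WINDOW, IRREGULAR_WINDOW]))
```

With the defaults of claim 1 (L = 0.5, U = 1, step_size = 1000, N = 4, T = 0.45) the jittered beacon window resolves to a period just under 60 s with an anomaly above 0.9, the irregular window scores 0, and the two-window object reports a malicious rate of 0.5. Because the stand-in loss ignores multiples of the period, a window in which one beacon was missed (an interval of about 2u) is penalised rather than matched; the claimed rounding-based loss is what handles that case.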
CN202210959300.7A 2022-08-10 2022-08-10 Malicious periodic behavior detection method Active CN115396163B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210959300.7A CN115396163B (en) 2022-08-10 2022-08-10 Malicious periodic behavior detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210959300.7A CN115396163B (en) 2022-08-10 2022-08-10 Malicious periodic behavior detection method

Publications (2)

Publication Number Publication Date
CN115396163A CN115396163A (en) 2022-11-25
CN115396163B true CN115396163B (en) 2023-04-11

Family

ID=84118472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210959300.7A Active CN115396163B (en) 2022-08-10 2022-08-10 Malicious periodic behavior detection method

Country Status (1)

Country Link
CN (1) CN115396163B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant