CN116232612A - Abnormal flow detection method, device and computer readable storage medium - Google Patents


Info

Publication number
CN116232612A
Authority
CN
China
Prior art keywords
flow data
normal
traffic
abnormal
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111460698.1A
Other languages
Chinese (zh)
Inventor
李乘宇
乔喆
白雪
陈隽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202111460698.1A priority Critical patent/CN116232612A/en
Publication of CN116232612A publication Critical patent/CN116232612A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Measuring Volume Flow (AREA)
  • Devices For Checking Fares Or Tickets At Control Points (AREA)

Abstract

The application discloses a method and a device for detecting abnormal traffic and a computer readable storage medium. The method for detecting abnormal traffic comprises the following steps: acquiring traffic data of a terminal; comparing the traffic data with preset features in a sandbox model to obtain a first comparison result; determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data; and screening the classified first normal traffic data, and determining first abnormal traffic data in the first normal traffic data according to the screening result. By classifying the traffic data and subjecting it to a second round of detection, the method and device determine the abnormal traffic data and improve the accuracy of APT detection.

Description

Abnormal flow detection method, device and computer readable storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and apparatus for detecting abnormal traffic, and a computer readable storage medium.
Background
Currently, with the rapid spread and development of computer communications and mobile networks, Advanced Persistent Threat (APT) attacks are causing significant economic and social security problems. The malicious software or payloads used in an APT attack typically perform malicious communication in order to steal data, download further malicious software, and so on. APT detection is therefore generally performed using a "sandbox scheme" or an anomaly-based detection scheme, but conventional APT detection has low accuracy.
Disclosure of Invention
The embodiments of the application aim to solve the problem of low APT detection accuracy by providing a method, a device and a computer readable storage medium for detecting abnormal traffic.
In order to achieve the above object, one aspect of the present application provides a method for detecting abnormal traffic, the method including:
acquiring traffic data of a terminal;
comparing the traffic data with preset features in a sandbox model to obtain a first comparison result;
determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data;
screening the classified first normal traffic data, and determining first abnormal traffic data in the first normal traffic data according to the screening result.
Optionally, the step of determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data, includes:
determining first normal traffic data and second abnormal traffic data in the traffic data according to the first comparison result;
storing the first normal traffic data in a first virtual area, and storing the second abnormal traffic data in a second virtual area;
and classifying the first normal traffic data stored in the first virtual area.
Optionally, the step of classifying the first normal traffic data includes:
acquiring the traffic type of the first normal traffic data;
and classifying the first normal traffic data according to the traffic type.
Optionally, the step of screening the classified first normal traffic data includes:
acquiring the communication characteristics of the classified first normal traffic data, and comparing them with the communication characteristics of abnormal traffic data to obtain a second comparison result;
and screening the first normal traffic data according to the second comparison result.
Optionally, after the step of determining the first abnormal traffic data in the first normal traffic data according to the screening result, the method further includes:
determining second normal traffic data in the first normal traffic data according to the screening result;
and storing the second normal traffic data in a virtual safety area, storing the first abnormal traffic data in a virtual recovery area, and outputting alarm information, wherein the virtual safety area and the virtual recovery area are both sub-areas of the first virtual area.
Optionally, after the step of determining the first abnormal traffic data in the first normal traffic data according to the screening result, the method further includes:
acquiring the storage space of the virtual safety area and the storage duration of the second normal traffic data in the virtual safety area;
and deleting the second normal traffic data from the virtual safety area according to the storage space and/or the storage duration.
Optionally, the method further comprises:
constructing an attack scene graph;
acquiring a weight value and a score for each attack stage in each attack scene graph;
determining a score value for each attack scene graph according to the weight values and scores of its attack stages;
and outputting alarm information when the score value is larger than a set threshold value.
In addition, in order to achieve the above object, another aspect of the present application provides a device for detecting abnormal traffic, which includes an acquisition module, a comparison module, a classification module and a screening module, wherein:
the acquisition module is used for acquiring the traffic data of the terminal;
the comparison module is used for comparing the traffic data with preset features in the sandbox model to obtain a first comparison result;
the classification module is used for determining first normal traffic data in the traffic data according to the first comparison result and classifying the first normal traffic data;
the screening module is used for screening the classified first normal traffic data and determining first abnormal traffic data in the first normal traffic data according to the screening result.
In addition, in order to achieve the above object, another aspect of the present application provides an abnormal traffic detection device, which includes a memory, a processor, and an abnormal traffic detection program stored in the memory and running on the processor, where the detection program, when executed by the processor, implements the steps of the abnormal traffic detection method described above.
In addition, in order to achieve the above object, another aspect of the present application provides a computer-readable storage medium on which an abnormal traffic detection program is stored, which, when executed by a processor, implements the steps of the abnormal traffic detection method described above.
The application provides a method for detecting abnormal traffic, which comprises the steps of: acquiring traffic data of a terminal; comparing the traffic data with preset features in the sandbox model to obtain a first comparison result; determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data; and screening the classified first normal traffic data, and determining first abnormal traffic data in the first normal traffic data according to the screening result. By classifying the traffic data and subjecting it to a second round of detection, the method and device determine the abnormal traffic data and improve the accuracy of APT detection.
Drawings
FIG. 1 is a schematic diagram of the terminal structure of a hardware running environment according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a first embodiment of the method for detecting abnormal traffic in the present application;
FIG. 3 is a schematic flow chart of a second embodiment of the method for detecting abnormal traffic in the present application;
FIG. 4 is a flow chart of a specific embodiment of the method for detecting abnormal traffic in the present application;
FIG. 5 is a schematic block diagram of the method for detecting abnormal traffic in the present application.
The realization of the objects, the functional characteristics and the advantages of the present application will be further described with reference to the embodiments and the attached drawings.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The main solution of the embodiments of the present application is: acquiring traffic data of a terminal; comparing the traffic data with preset features in a sandbox model to obtain a first comparison result; determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data; screening the classified first normal traffic data, and determining first abnormal traffic data in the first normal traffic data according to the screening result.
Detection accuracy is low when APT detection is performed with a "sandbox scheme" or an anomaly-based detection scheme. On this basis, the application proposes a solution that acquires traffic data of a terminal; compares the traffic data with preset features in the sandbox model to obtain a first comparison result; determines first normal traffic data in the traffic data according to the first comparison result, and classifies the first normal traffic data; and screens the classified first normal traffic data, determining first abnormal traffic data in the first normal traffic data according to the screening result. By classifying the traffic data and subjecting it to a second round of detection, the method and device determine the abnormal traffic data and improve the accuracy of APT detection.
FIG. 1 is a schematic diagram of the terminal structure of a hardware running environment according to an embodiment of the present application.
As shown in FIG. 1, the terminal may include a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002, where the communication bus 1002 is used to connect these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a high-speed RAM or a stable (non-volatile) memory such as a disk memory, and may optionally be a storage device separate from the processor 1001.
It will be appreciated by those skilled in the art that the terminal structure shown in fig. 1 is not limiting of the terminal device and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in FIG. 1, an abnormal traffic detection program may be included in the memory 1005, which is one type of computer-readable storage medium.
In the terminal shown in FIG. 1, the network interface 1004 is mainly used for data communication with a background server; the user interface 1003 is mainly used for data communication with a client (user side); and the processor 1001 may be configured to call the abnormal traffic detection program in the memory 1005 and perform the following operations:
acquiring traffic data of a terminal;
comparing the traffic data with preset features in a sandbox model to obtain a first comparison result;
determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data;
screening the classified first normal traffic data, and determining first abnormal traffic data in the first normal traffic data according to the screening result.
Referring to fig. 2, fig. 2 is a flow chart of a first embodiment of a method for detecting abnormal traffic in the present application.
The embodiments of the present application provide a method for detecting abnormal traffic, and it should be noted that, although a logic sequence is shown in the flowchart, in some cases, the steps shown or described may be performed in a different sequence from that shown or described herein.
The abnormal flow detection method of the embodiment is applied to a video color ring platform and comprises the following steps:
Step S10: acquiring traffic data of a terminal.
At present, a sandbox scheme and an anomaly-based detection scheme are generally adopted to detect APTs. The biggest difficulty of the sandbox scheme is the diversity of the test environment: because the sandbox is limited in the operating system type, browser version and related plug-ins it can provide, malicious code in the traffic may go undetected when a suitable test environment is lacking, causing missed reports. Anomaly-based detection schemes, meanwhile, can only detect the communication behaviour of known botnets and trojans. Most current APT detection methods therefore cannot detect abnormal traffic originating from a terminal, which reduces protection capability, and the methods that do detect abnormal traffic from a terminal have low accuracy. The present application proposes a method for detecting abnormal traffic to solve these problems.
This embodiment mainly captures and stores the traffic data flowing through the network adapter.
Optionally, because users have different network usage habits in different periods of the day, different acquisition periods may be defined accordingly: from 11 p.m. to 8 a.m. the next day and from noon to 2 p.m., overall traffic is low because users are resting; during working hours from 8 a.m. to noon and from 2 p.m. to 6 p.m., more traffic data is generated by work; and from 6 p.m. to 11 p.m., a large amount of traffic data may also be generated by evening entertainment. Collecting traffic data separately for these periods improves accuracy for each period.
Optionally, the collection frequency may also be set per period: for example, once every 15 minutes in the two low-traffic periods (11 p.m. to 8 a.m. and noon to 2 p.m.), and once every 5 minutes in the two working periods (8 a.m. to noon and 2 p.m. to 6 p.m.).
Step S20: comparing the traffic data with preset features in a sandbox model to obtain a first comparison result.
A sandbox model is established in advance and used for the first screening of the traffic data. The sandbox model is constructed from traffic generated by normal behaviour in the network; at the same time, a malicious code library is stored in the sandbox model, and the communication characteristics of abnormal traffic data are stored in the malicious code library.
After the traffic data is input into the sandbox model, the sandbox model compares it with the malicious code library: for example, it extracts the communication characteristics of the traffic data and compares them with the communication characteristics of abnormal traffic data in the malicious code library to determine whether abnormal traffic data is present. If the matching degree between the communication characteristics of the traffic data and those of the abnormal traffic data reaches a set threshold (such as 95%), abnormal traffic data exists in the traffic data; if the matching degree is smaller than the set threshold, it does not.
Step S30: determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data.
Optionally, a sandbox is installed on the terminal, and a first virtual area (for example, virtual temporary folder one) and a second virtual area (for example, virtual temporary folder two) are created in the sandbox. A plurality of virtual classification areas (for example, virtual classification folders) are then created in the first virtual area, and a virtual security area (for example, a virtual security folder) and a virtual recycling area (for example, a virtual garbage folder) are created in the virtual classification areas. After the first normal traffic data and the second abnormal traffic data are determined according to the first comparison result, the first normal traffic data is stored in the first virtual area, the second abnormal traffic data is stored in the second virtual area, and the first normal traffic data stored in the first virtual area is then classified.
Optionally, the traffic type of the first normal traffic data is acquired, and the first normal traffic data is classified according to the traffic type. For example, the traffic types may include video, picture, audio, web page and application traffic; video traffic data, picture traffic data, audio traffic data, web page traffic data, application traffic data and so on are extracted from the traffic data according to type, and the different types are stored in different virtual classification areas.
Step S40: screening the classified first normal traffic data, and determining first abnormal traffic data in the first normal traffic data according to the screening result.
In this embodiment, the classified first normal traffic data is screened, and first abnormal traffic data in it is then determined according to the screening result. Specifically, the communication characteristics of the classified first normal traffic data are obtained and compared with the communication characteristics of abnormal traffic data; if the matching degree reaches a set threshold (such as 95%), abnormal traffic data is present in the first normal traffic data, and if the matching degree is smaller than the set threshold, none is present.
Optionally, second normal traffic data in the first normal traffic data is determined according to the screening result; the second normal traffic data is then stored in the virtual security area, the first abnormal traffic data is stored in the virtual recycling area, and alarm information is output. For example, the second normal traffic data is stored in the virtual security folder and the first abnormal traffic data in the virtual garbage folder.
Optionally, to save storage space in the virtual security area, the traffic data in it is cleaned up periodically. Specifically, the remaining storage space of the virtual security area and the storage duration of the second normal traffic data in it are obtained; it is judged whether the remaining storage space is smaller than a preset value (such as 30%) and whether the storage duration is greater than or equal to a preset duration (such as 12 hours or 1 day); and if the remaining space is smaller than the preset value and/or the storage duration has reached the preset duration, the second normal traffic data in the virtual security area is deleted to free space.
By classifying the traffic, this embodiment improves both detection accuracy and detection speed; by detecting the traffic a second time, it improves detection accuracy further and also addresses the missed reports that occur when malicious code in the traffic cannot be detected for lack of a suitable test environment.
Further, referring to FIG. 3, FIG. 3 is a flow chart of a second embodiment of the method for detecting abnormal traffic in the present application.
The method further comprises the steps of:
Step S50: constructing an attack scene graph;
Step S60: obtaining a weight value and a score for each attack stage in each attack scene graph;
Step S70: determining the score value of each attack scene graph according to the weight value and score of each attack stage;
Step S80: outputting alarm information when the score value is larger than a set threshold value.
The purpose of constructing the attack scene graph in this embodiment is to track the attacker and to effectively identify the APT organisation behind later events, so as to defend against new APT attacks.
In this embodiment, TTP rules (attack scenario rules) are acquired, APT attack scene graphs are constructed according to the TTP rules, and the score value (total score) of each APT attack scene graph is then determined. Optionally, the total score T of each APT attack scene graph is calculated according to the following formula:
[Formula not reproduced in the text; original image BDA0003386741480000081]
where w_i is the weight of the i-th attack stage in the TTP specification for the APT attack scene graph, n = 7, and S_i is the score of the i-th attack stage in the TTP specification for the APT attack scene graph.
Further, the APT attack scene graphs are ordered by their total score T so that most nodes and edges unrelated to APT attack activity can be deleted and attack scenes can be distinguished effectively from benign ones. In one embodiment, the APT attack scene graph is run on benign activity and the maximum total score observed is defined as the benign score; the graph is run on malicious activity and the minimum total score observed is defined as the malicious score; a value between the benign score and the malicious score is selected as the alarm threshold, and alarm information is output when the total score of an APT attack scene graph detected during real-time operation is greater than the alarm threshold.
Optionally, referring to Table 1, Table 1 is an example of TTP rules.
TABLE 1
[Table 1 is reproduced on the original page only as images BDA0003386741480000082 and BDA0003386741480000091; its columns are described below.]
The TTP specification mainly uses two methods to map raw audit log data to attack steps: first, common rule mappings formulated from expert experience; second, the information flow (path association) mapping between the nodes involved in the TTPs.
In Table 1, the first column indicates the APT attack stage, the second column the associated TTP name, and the third column the severity level of each TTP, where L, M, H and C represent low, medium, high and extremely high respectively. The fourth column gives the TTP rule: a rule such as "s.ip does not belong to {Trusted IP Addresses} and p0.Name belongs to {Sensitive Commands}" uses the first mapping method (common rules formulated from expert experience), while "path correlation (P0, F) <= path thres" uses the second method (information flow mapping between the nodes involved in the TTPs), where path correlation is a path correlation function and path thres is an empirical value that may depend on testing in the actual scenario. The last column explains the TTP rule.
Optionally, referring to Table 2, Table 2 gives the parameters corresponding to each severity level.
TABLE 2
Severity level | Score range  | Average value
L              | [0.2, 4.1)   | 2.0
M              | [5.0, 7.0)   | 6.0
H              | [8.0, 10.0)  | 9.0
C              | [9.0, 11.0)  | 10.0
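The scoring of steps S50 to S80, worked through in code as an added example (not the patent's own implementation). The description says the total score T is computed from the weight w_i and score S_i of each of the n = 7 attack stages but the formula image is not reproduced, so the code assumes T is the weighted sum of w_i * S_i. It maps constructed audit events to attack stages with expert rules of the Table 1 kind (the first rule is the one quoted from Table 1; the other two, the stage names and weights, the trusted-IP and sensitive-command sets, and the sample events are all constructed), scores each stage with the Table 2 average of the matched severity level (taking the maximum where several TTPs match is an assumption), and calibrates the alarm threshold from the benign and malicious runs as the description prescribes.

```python
"""Weighted scoring of an APT attack scene graph from TTP rules and Table 2 severity averages.

Added example. T = sum(w_i * S_i) is an assumed form of the page's unreproduced formula;
stage names, weights, rules 2 and 3, IP/command sets and audit events are constructed."""

N_STAGES = 7                                                    # n = 7 in the description
STAGE_NAMES = ["initial_access", "execution", "persistence", "privilege_escalation",
               "credential_access", "lateral_movement", "exfiltration"]   # constructed
STAGE_WEIGHTS = [0.10, 0.15, 0.10, 0.15, 0.15, 0.15, 0.20]              # constructed w_i

SEVERITY_AVERAGE = {"L": 2.0, "M": 6.0, "H": 9.0, "C": 10.0}            # Table 2 averages

TRUSTED_IPS = {"10.0.0.5", "10.0.0.6"}                                   # constructed
SENSITIVE_COMMANDS = {"whoami", "net.exe", "reg.exe"}                    # constructed

# Expert-rule TTPs (first mapping method): (stage index, TTP name, severity, predicate).
# Rule 1 is the Table 1 rule "s.ip not in Trusted IP Addresses and p0.Name in Sensitive Commands".
TTP_RULES = [
    (1, "sensitive_command_from_untrusted_ip", "H",
     lambda e: e["type"] == "process" and e["src_ip"] not in TRUSTED_IPS
               and e["name"] in SENSITIVE_COMMANDS),
    (2, "run_key_modified", "M",                                          # constructed
     lambda e: e["type"] == "registry" and "\\Run" in e["key"]),
    (6, "bulk_upload_to_untrusted_ip", "C",                               # constructed
     lambda e: e["type"] == "network" and e["dst_ip"] not in TRUSTED_IPS
               and e["bytes_out"] > 50_000_000),
]


def stage_scores(events):
    """S_i for each stage: the highest Table 2 average among the TTPs matched in that stage.
    Aggregating by maximum is an assumption; the page does not say how S_i is formed."""
    scores = [0.0] * N_STAGES
    for stage, _name, severity, matches in TTP_RULES:
        if any(matches(e) for e in events):
            scores[stage] = max(scores[stage], SEVERITY_AVERAGE[severity])
    return scores


def total_score(scores, weights=STAGE_WEIGHTS):
    """Assumed T = sum over the n stages of w_i * S_i."""
    return sum(w * s for w, s in zip(weights, scores))


def calibrate_threshold(benign_runs, malicious_runs):
    """Benign score = max T over benign runs; malicious score = min T over malicious runs;
    the alarm threshold is a value between them (the midpoint here)."""
    benign = max(total_score(stage_scores(r)) for r in benign_runs)
    malicious = min(total_score(stage_scores(r)) for r in malicious_runs)
    if benign >= malicious:
        raise ValueError(f"no separation: benign {benign} >= malicious {malicious}")
    return (benign + malicious) / 2


def should_alert(events, threshold):
    """Step S80: alarm when the graph's total score exceeds the calibrated threshold."""
    return total_score(stage_scores(events)) > threshold


# Constructed audit events: two benign runs and one malicious run used for calibration.
BENIGN_A = [{"type": "process", "src_ip": "10.0.0.5", "name": "whoami"},
            {"type": "network", "dst_ip": "10.0.0.6", "bytes_out": 80_000_000}]
BENIGN_B = [{"type": "registry", "key": "HKCU\\Software\\Vendor\\Run", "value": "updater"}]
MALICIOUS = [{"type": "process", "src_ip": "203.0.113.9", "name": "whoami"},
             {"type": "registry", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
             {"type": "network", "dst_ip": "203.0.113.9", "bytes_out": 120_000_000}]

if __name__ == "__main__":
    thr = calibrate_threshold([BENIGN_A, BENIGN_B], [MALICIOUS])
    print("alarm threshold:", thr, "malicious run alerts:", should_alert(MALICIOUS, thr))
```

With these constructed inputs the benign score is 0.6 (one medium-severity persistence hit), the malicious score is 3.95, and the threshold settles at 2.275; the `ValueError` in `calibrate_threshold` is the check a practitioner wants, because a threshold chosen "between" two scores is meaningless when the benign maximum already exceeds the malicious minimum.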
In the embodiment, by constructing an APT attack scene, attacks such as Trojan viruses, abnormal network behaviors and the like can be detected, and the detected malicious signals are alarmed, so that the malicious processes are stopped, and malicious software on the terminal is deleted, so that the system blocks the operation of the malicious software from the source, and the protection capability is improved.
In order to better explain the method for detecting abnormal traffic in the present application, referring to fig. 4, fig. 4 is a schematic flow chart of a specific embodiment of the method for detecting abnormal traffic in the present application.
In this example, the method for detecting abnormal traffic includes the following embodiments:
1. establishing a virtual folder: a sandbox is installed on the terminal, a first virtual temporary folder and a second virtual temporary folder are built in the sandbox, then a plurality of virtual classified folders are built in the first virtual temporary folder, and a virtual safe folder and a virtual garbage folder are built in the virtual classified folders.
2. And (3) establishing a model: a sandbox model is built by taking traffic generated by normal behavior in the network, wherein all changes in the sandbox do not cause any loss to the operating system.
The sandbox runs the software in a limited system environment, controlling the resources (e.g., file descriptors, memory, disk space, etc.) available to the program.
The following are specific implementations of some sandboxes:
software prison (Jail): limited network access, limited file system namespaces, alternatively, software prisons are most commonly used on virtual hosts.
Rule-based execution: through a system security mechanism, certain access rights are allocated to users and programs according to a series of preset rules, the starting, code injection and network access of the programs are completely controlled, meanwhile, the access of the programs to files and registries can be controlled, and the probability of virus Trojan horse infection of the system is reduced based on the control.
Virtual machine: simulating a complete host system.
Host local sandbox: security researchers rely heavily on sandbox technology to analyze the behavior of malware, and by creating an environment that simulates a real desktop, researchers can observe how malware infects a host, and sandbox technology is used by several malware analysis services.
An online question judging system: for program testing in programming contests.
Secure computing mode (seccomp): and a sandbox built in the Linux kernel, wherein after being started, the seccomp only allows the write (), read (), exit () and sigreturn () system call.
3. Primary screening: when a browser or another program is run in the sandbox environment, its traffic is first screened against the sandbox model. If the traffic contains malicious network information, it is placed in virtual temporary folder II and a precise alarm is raised; if it does not, it is placed in virtual temporary folder I and held there temporarily.
4. Classification to improve accuracy: once traffic enters the temporary folder, it is monitored and analysed by the network traffic analysis software to obtain its identifying information, and is then moved into the corresponding virtual classification folder according to that information. A classification criterion such as "pictures" or "videos" can form a category of its own, so the traffic is finely classified; monitoring and analysing the finely classified traffic improves both accuracy and detection speed.
5. Secondary screening: once traffic enters its virtual classification folder, the sandbox's file system, processes, registry, network behaviour and so on are monitored, together with monitoring for Trojan viruses, abnormal network behaviour and the like, to judge whether the traffic contains malicious network information; this is the secondary screening. If malicious network information is found, the traffic is moved to the virtual garbage folder and a precise alarm is raised; otherwise it is moved to the virtual safe folder.
6. Release space: traffic that reaches the virtual safe folder is deleted to free up storage space.
7. Finding the source: attack scene graphs are constructed, alarm signals are extracted, and the source is located and deleted; sources can be deleted selectively according to the total score of each APT attack scene graph.
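The two-stage routing described in steps 3 to 6, as an added example that is not the patent's own code: a flow either matches a sandbox preset feature (primary screening, folder II plus alarm), or is classified by traffic type and then checked against a communication characteristic of known abnormal traffic (secondary screening, garbage folder plus alarm, or safe folder). The preset features, the beaconing profile used as the abnormal characteristic, and the sample flows are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sandbox preset features (stage 1): a flow matching any of them
# counts as containing malicious network information.
SANDBOX_PRESET_FEATURES = {"dst_host": {"c2.example.invalid"}, "dst_port": {4444}}
# Constructed abnormal communication characteristic (stage 2): at least
# MIN_BEACONS connections spaced BEACON_INTERVAL_S seconds apart.
BEACON_INTERVAL_S, BEACON_TOLERANCE_S, MIN_BEACONS = 60, 2, 3

@dataclass
class Flow:
    flow_id: int
    dst_host: str
    dst_port: int
    traffic_type: str      # classification key, e.g. "image", "video", "html"
    timestamps: List[int]  # connection start times, epoch seconds

@dataclass
class VirtualFolders:
    temp_i: List[Flow] = field(default_factory=list)   # passed primary screening
    temp_ii: List[Flow] = field(default_factory=list)  # failed primary screening
    classified: Dict[str, List[Flow]] = field(default_factory=dict)
    garbage: List[Flow] = field(default_factory=list)  # failed secondary screening
    safe: List[Flow] = field(default_factory=list)     # passed both stages
    alarms: List[str] = field(default_factory=list)

def primary_screen(flow: Flow) -> bool:
    """Stage 1: True when the flow matches a preset feature of the sandbox model."""
    return (flow.dst_host in SANDBOX_PRESET_FEATURES["dst_host"]
            or flow.dst_port in SANDBOX_PRESET_FEATURES["dst_port"])

def secondary_screen(flow: Flow) -> bool:
    """Stage 2: True when the flow's timing matches the abnormal beaconing profile."""
    if len(flow.timestamps) < MIN_BEACONS:
        return False
    gaps = [b - a for a, b in zip(flow.timestamps, flow.timestamps[1:])]
    return all(abs(g - BEACON_INTERVAL_S) <= BEACON_TOLERANCE_S for g in gaps)

def run_pipeline(flows: List[Flow]) -> VirtualFolders:
    """Route each flow through both screening stages and the virtual folders."""
    folders = VirtualFolders()
    for flow in flows:
        if primary_screen(flow):
            folders.temp_ii.append(flow)
            folders.alarms.append(f"primary:{flow.flow_id}")
            continue
        folders.temp_i.append(flow)
        folders.classified.setdefault(flow.traffic_type, []).append(flow)
        if secondary_screen(flow):
            folders.garbage.append(flow)
            folders.alarms.append(f"secondary:{flow.flow_id}")
        else:
            folders.safe.append(flow)  # deleted later in the release-space step
    return folders

# Constructed sample flows: one C2 host match, one beaconing flow, one benign flow.
SAMPLE_FLOWS = [
    Flow(1, "c2.example.invalid", 443, "html", [0]),
    Flow(2, "cdn.example.invalid", 443, "image", [0, 60, 121, 180]),
    Flow(3, "cdn.example.invalid", 443, "video", [0, 5, 300]),
]
```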
In this embodiment, suspicious file samples are monitored at scheduled times, across different time periods and at different traffic rates, which yields a dynamic analysis of the samples and the malicious network information they contain; the policy configuration for abnormal traffic analysis is then optimised according to that malicious network information. This improves the accuracy of traffic analysis and the accuracy and effectiveness of APT detection. At the same time, when abnormal traffic from the terminal is detected, the related malicious network behaviour is handled according to the malicious network information: malicious processes are stopped and the malware on the terminal is deleted, so the system blocks the malware's operation at its source, improving detection accuracy and protection capability.
In addition, the application also provides an abnormal traffic detection device comprising a memory, a processor, and an abnormal traffic detection program stored in the memory and run on the processor. The device acquires traffic data of a terminal; compares the traffic data with preset features in a sandbox model to obtain a first comparison result; determines first normal traffic data in the traffic data according to the first comparison result and classifies the first normal traffic data; and screens the classified first normal traffic data, determining first abnormal traffic data within the first normal traffic data according to the screening result. By detecting the traffic data twice and classifying it between the two passes, the method and device improve the accuracy of APT detection.
Further, referring to fig. 5, fig. 5 is a schematic block diagram of the abnormal traffic detection method of the present application.
The abnormal traffic detection device 100 includes an acquisition module 10, a comparison module 20, a classification module 30 and a screening module 40, wherein:
the acquisition module 10 is configured to acquire traffic data of a terminal;
the comparison module 20 is configured to compare the traffic data with preset features in a sandbox model to obtain a first comparison result;
the classification module 30 is configured to determine first normal traffic data in the traffic data according to the first comparison result, and to classify the first normal traffic data;
the screening module 40 is configured to screen the classified first normal traffic data, and to determine first abnormal traffic data in the first normal traffic data according to a screening result.
Further, the classification module 30 includes a determining unit, a storage unit and a classifying unit;
the determining unit is used to determine first normal traffic data and second abnormal traffic data in the traffic data according to the first comparison result;
the storage unit is used to store the first normal traffic data in a first virtual area and the second abnormal traffic data in a second virtual area;
the classifying unit is used to classify the first normal traffic data stored in the first virtual area.
Further, the classification module 30 also includes an acquisition unit;
the acquisition unit is used to acquire the traffic type of the first normal traffic data;
the classifying unit is further configured to classify the first normal traffic data according to the traffic type.
Further, the screening module 40 includes a comparison unit and a screening unit;
the comparison unit is used to acquire the communication characteristics of the classified first normal traffic data and to compare them with the communication characteristics of abnormal traffic data, obtaining a second comparison result;
the screening unit is used to screen the first normal traffic data according to the second comparison result.
Further, the screening module 40 also includes a first determining unit and a first storage unit;
the first determining unit is used to determine second normal traffic data in the first normal traffic data according to the screening result;
the first storage unit is configured to store the second normal traffic data in a virtual safe area, to store the first abnormal traffic data in a virtual recovery area, and to output alarm information, where the virtual safe area and the virtual recovery area are both sub-areas of the first virtual area.
Further, the first storage unit includes an acquisition subunit and a deletion subunit;
the acquisition subunit is configured to acquire the storage space of the virtual safe area and the storage duration of the second normal traffic data in the virtual safe area;
the deletion subunit is used to delete the second normal traffic data in the virtual safe area according to the storage space and/or the storage duration.
Further, the abnormal traffic detection device 100 also includes a construction module, a first acquisition module, a determining module and a judging module.
The construction module is used to construct an attack scene graph;
the first acquisition module is used to acquire a weight value for each attack stage in each attack scene graph and a score for each attack stage;
the determining module is used to determine the score value of each attack scene graph according to the weight value and the score of each attack stage;
the judging module is used to output alarm information when the score value is larger than a set threshold value.
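The attack scene graph scoring performed by the first acquisition, determining and judging modules above (and referenced by step 7, which deletes sources in order of total score), as an added example that is not the patent's own code. The page only states that the graph score is derived from per-stage weights and scores; the weighted-average rule, the stage names, the weights and the threshold used here are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed attack stages and weights for the scene graph (assumption: later
# stages weigh more, so evidence of exfiltration outweighs reconnaissance).
STAGE_WEIGHTS: Dict[str, float] = {
    "reconnaissance": 1.0,
    "delivery": 2.0,
    "command_and_control": 3.0,
    "exfiltration": 4.0,
}
ALARM_THRESHOLD = 0.5  # constructed "set threshold" for outputting alarm information

def scene_graph_score(stage_scores: Dict[str, float]) -> float:
    """Score of one attack scene graph as sum(w_i * s_i) / sum(w_i), s_i in [0, 1].
    A stage absent from the graph contributes 0 but keeps its weight, so a graph
    that shows only early stages scores low even if those stages score highly."""
    unknown = set(stage_scores) - set(STAGE_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown attack stage(s): {sorted(unknown)}")
    if any(not 0.0 <= s <= 1.0 for s in stage_scores.values()):
        raise ValueError("stage scores must lie in [0, 1]")
    total_weight = sum(STAGE_WEIGHTS.values())
    weighted = sum(w * stage_scores.get(stage, 0.0) for stage, w in STAGE_WEIGHTS.items())
    return weighted / total_weight

def evaluate_graphs(graphs: Dict[str, Dict[str, float]],
                    threshold: float = ALARM_THRESHOLD) -> List[Tuple[str, float, bool]]:
    """Score every graph and flag those above the threshold. Results are ordered
    by score, highest first, which is the order in which sources would be
    selected for removal in the "finding the source" step."""
    scored = [(name, scene_graph_score(stages)) for name, stages in graphs.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, score > threshold) for name, score in scored]

# Constructed sample graphs: per-stage scores observed for two monitored sources.
SAMPLE_GRAPHS: Dict[str, Dict[str, float]] = {
    "host-A": {"reconnaissance": 0.8, "delivery": 0.9, "command_and_control": 0.7},
    "host-B": {"reconnaissance": 0.2, "delivery": 0.6,
               "command_and_control": 0.9, "exfiltration": 0.9},
}
```

Note that host-A scores high on every stage it shows yet stays below the threshold, because the missing exfiltration stage carries the largest weight.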
The functions of each module of the abnormal traffic detection device are implemented in the same way as the corresponding steps of the method embodiment and are not described again here.
In addition, the present application also provides a computer-readable storage medium on which an abnormal traffic detection program is stored; when executed by a processor, the program implements the steps of the abnormal traffic detection method described above.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names.
While alternative embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following appended claims be interpreted as including alternative embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method for detecting abnormal traffic, the method comprising:
acquiring traffic data of a terminal;
comparing the traffic data with preset features in a sandbox model to obtain a first comparison result;
determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data; and
screening the classified first normal traffic data, and determining first abnormal traffic data in the first normal traffic data according to a screening result.
2. The method for detecting abnormal traffic according to claim 1, wherein the step of determining first normal traffic data in the traffic data according to the first comparison result and classifying the first normal traffic data comprises:
determining first normal traffic data and second abnormal traffic data in the traffic data according to the first comparison result;
storing the first normal traffic data in a first virtual area, and storing the second abnormal traffic data in a second virtual area; and
classifying the first normal traffic data stored in the first virtual area.
3. The method for detecting abnormal traffic according to claim 1, wherein the step of classifying the first normal traffic data comprises:
acquiring the traffic type of the first normal traffic data; and
classifying the first normal traffic data according to the traffic type.
4. The method for detecting abnormal traffic according to claim 1, wherein the step of screening the classified first normal traffic data comprises:
acquiring the communication characteristics of the classified first normal traffic data, and comparing them with the communication characteristics of abnormal traffic data to obtain a second comparison result; and
screening the first normal traffic data according to the second comparison result.
5. The method for detecting abnormal traffic according to claim 1, wherein after the step of determining the first abnormal traffic data in the first normal traffic data according to the screening result, the method further comprises:
determining second normal traffic data in the first normal traffic data according to the screening result; and
storing the second normal traffic data in a virtual safe area, storing the first abnormal traffic data in a virtual recovery area, and outputting alarm information, wherein the virtual safe area and the virtual recovery area are both sub-areas of the first virtual area.
6. The method for detecting abnormal traffic according to claim 5, wherein after the step of determining the first abnormal traffic data in the first normal traffic data according to the screening result, the method further comprises:
acquiring the storage space of the virtual safe area and the storage duration of the second normal traffic data in the virtual safe area; and
deleting the second normal traffic data in the virtual safe area according to the storage space and/or the storage duration.
7. The method for detecting abnormal traffic according to claim 1, further comprising:
constructing an attack scene graph;
acquiring a weight value for each attack stage in each attack scene graph and a score for each attack stage;
determining a score value of each attack scene graph according to the weight value and the score of each attack stage; and
outputting alarm information when the score value is larger than a set threshold value.
8. An abnormal traffic detection device, characterized in that it comprises an acquisition module, a comparison module, a classification module and a screening module, wherein:
the acquisition module is used to acquire traffic data of a terminal;
the comparison module is used to compare the traffic data with preset features in a sandbox model to obtain a first comparison result;
the classification module is used to determine first normal traffic data in the traffic data according to the first comparison result and to classify the first normal traffic data; and
the screening module is used to screen the classified first normal traffic data and to determine first abnormal traffic data in the first normal traffic data according to a screening result.
9. An abnormal traffic detection device, characterized in that the device comprises a memory, a processor and an abnormal traffic detection program stored in the memory and run on the processor, the processor implementing the steps of the method according to any one of claims 1 to 7 when executing the abnormal traffic detection program.
10. A computer-readable storage medium, characterized in that an abnormal traffic detection program is stored on the computer-readable storage medium, and the program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
CN202111460698.1A 2021-12-01 2021-12-01 Abnormal flow detection method, device and computer readable storage medium Pending CN116232612A (en)
Publications (1)

Publication Number Publication Date
CN116232612A true CN116232612A (en) 2023-06-06
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination