CN116389088A - Attack detection rule matching method and device based on coordinate system - Google Patents

Info

Publication number
CN116389088A
Authority
CN
China
Prior art keywords
hash
data
rule
coordinate system
array
Legal status
Pending
Application number
CN202310284331.1A
Other languages
Chinese (zh)
Inventor
王方立
黄敏
龙国东
Current Assignee
Beijing Winicssec Technologies Co Ltd
Original Assignee
Beijing Winicssec Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The invention discloses a coordinate system-based attack detection rule matching method and device. The method comprises the following steps: creating a rectangular coordinate system; reading rule files and, for each rule, mapping its offset and data length to a point in the coordinate system, hashing the rule's feature data, storing the hash result in a hash bucket together with the corresponding Y coordinate, and collecting the buckets into a hash table T; projecting the points of the coordinate system onto the X axis to obtain an array E; receiving a message, splitting it into array elements according to the lengths in the array E, and hashing each element to obtain a hash value array H; looking up the values of H in the hash table T and, on a hit, comparing the length value of the data with the Y coordinate of the hit hash bucket, then, if they are equal, comparing the real data, and, if the real data are identical, reporting the corresponding rule as found and the match as successful. The invention parses the received message body instead of matching it against every rule in turn, which greatly improves matching efficiency.

Description

Attack detection rule matching method and device based on coordinate system
Technical Field
The invention relates to the technical field of industrial control network security, in particular to a method and a device for matching attack detection rules based on a coordinate system.
Background
Attack detection is a common security measure in the field of network security: it finds threats and raises alarms by matching rules. One of the main difficulties of attack detection is that the rule set is large and matching efficiency is low, which matters in fields with strict network latency requirements. Rule matching usually has to determine whether a network packet contains certain specific data; the conventional approach matches the currently received packet against the feature data of each rule in turn, so if there are many rules, for example hundreds of thousands, one round of matching takes a long time. The coordinate system-based attack detection rule matching method and device described here improve rule matching efficiency, and can improve it greatly.
Disclosure of Invention
The invention provides a coordinate system-based attack detection rule matching method, which comprises the following steps:
creating a rectangular coordinate system in which the X axis is the length of the rule feature data and the Y axis is the offset of the data, both in bytes;
reading rule files and performing the following operations on each rule in the rule files in turn: mapping the rule's offset and data length to a point (X, Y) in the rectangular coordinate system, hashing the rule's feature data, storing the hash result in a hash bucket together with the corresponding Y coordinate, and collecting the hash buckets into a hash table T; projecting the points of the coordinate system onto the X axis to obtain a projection array E;
in response to a received message, starting from the first byte of the message, splitting it according to every length value in the array E, taking each split segment as one array element, and hashing each segment to obtain a hash value array H;
and looking up each hash value of the array H in the hash table T; if the hash value hits, comparing the length value of the data with the Y coordinate of the currently hit hash bucket; if they are equal, comparing whether the real data are identical; and if the real data are identical, the corresponding rule is found and the match is successful.
In the coordinate system-based attack detection rule matching method, a constraint is placed on the rule feature data: the feature data must have a fixed offset and a fixed length.
In the method, the byte position n = 1 is set and the valid data of the message is segmented starting from the nth byte of the valid data according to the values of the array E; that is, the first segmentation starts at the 1st byte, and the segment lengths correspond to all values of the array E respectively.
In the method, if there is no hit in the hash table T, or the comparison with the hash bucket's Y coordinate is unequal, or the real data are not identical, there is no corresponding rule in the hash table T, the match fails, and n = n + 1 is set and matching continues.
The invention also provides a coordinate system-based attack detection rule matching device, which comprises:
a rectangular coordinate system creation module, used to create a rectangular coordinate system in which the X axis is the length of the rule feature data and the Y axis is the offset of the data, both in bytes;
a hash table construction module, used to read the rule files and perform the following operations on each rule in turn: mapping the rule's offset and data length to a point (X, Y) in the rectangular coordinate system, hashing the rule's feature data, storing the hash result in a hash bucket together with the corresponding Y coordinate, and collecting the hash buckets into a hash table T; projecting the points of the coordinate system onto the X axis to obtain a projection array E;
a message processing module, used to split a received message, starting from its first byte, according to every length value in the array E, to take each split segment as one array element, and to hash each segment to obtain a hash value array H;
a rule matching module, used to look up each hash value of the array H in the hash table T; if the hash value hits, the length value of the data is compared with the Y coordinate of the currently hit hash bucket; if they are equal, whether the real data are identical is compared; and if the real data are identical, the corresponding rule is found and the match is successful.
The invention also provides a computer readable storage medium containing one or more program instructions for executing a coordinate system-based attack detection rule matching method according to any one of the above.
The beneficial effects of the invention are as follows: the coordinate system-based attack detection rule matching method provided by the invention parses the received message body instead of matching it against every rule one by one, and can greatly improve matching efficiency.
Drawings
In order to illustrate the embodiments of the invention or the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them.
FIG. 1 is a flowchart of a method for matching attack detection rules based on a coordinate system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an apparatus for matching attack detection rules based on a coordinate system according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1, a first embodiment of the present invention provides a method for matching attack detection rules based on a coordinate system, including:
Step 110, creating a rectangular coordinate system in which the X axis and the Y axis represent the length of the rule feature data and the offset of the data;
Optionally, the X axis represents the length of the rule feature data and the Y axis represents the offset of the data in bytes; alternatively, the length may be represented by the Y axis and the offset by the X axis; the technical effect is the same in both cases.
Step 120, reading rule files and performing the following operations on each rule in the rule files in turn: mapping the rule's offset and data length to a point (X, Y) in the rectangular coordinate system, hashing the rule's feature data, storing the hash result in a hash bucket together with the corresponding Y coordinate, and collecting the hash buckets into a hash table T; projecting the points of the coordinate system onto the X axis to obtain a projection array E;
Here a constraint is placed on the rule feature data: the feature data must have a fixed offset and a fixed length.
Since rule feature data is mostly only a few bytes long, the points in the coordinate system are projected onto the X axis to obtain the projection array E. E is typically small, because most rule feature data does not exceed 10 bytes.
Step 130, in response to the received message, starting from the first byte of the message, splitting it according to every length value in the array E, taking each split segment as one array element, and hashing each segment to obtain a hash value array H;
Specifically, let the byte position n = 1 (i.e., start from the first byte);
the valid data of the message is segmented starting from the nth byte of the valid data according to the values of the array E; for example, the first segmentation starts at the 1st byte and the segment lengths correspond to all values of the array E respectively, and the segmented data are hashed to obtain a hash value array H with the same number of elements as the array E.
Step 140, looking up each hash value of the array H in the hash table T; if the hash value hits, comparing the length value of the data with the Y coordinate of the currently hit hash bucket; if they are equal, comparing whether the real data are identical; if the real data are identical, the corresponding rule is found and the match is successful; if any one of these conditions is not satisfied, the match fails.
The hash values in H are looked up in the hash table T generated in step 120. On a hit, the length value of the data is compared with the Y coordinate of the currently hit hash bucket; if they are equal, whether the real data are identical is compared; if the real data are identical, the corresponding rule is found and matching finishes. If there is no hit, or the comparison with the hash bucket's Y coordinate is unequal, or the real data are not identical, there is no corresponding rule in the hash table T and the match fails, so n = n + 1 is set and the method returns to step 130 to continue matching.
Example 2
Referring to fig. 2, a second embodiment of the present invention provides an apparatus for matching attack detection rules based on a coordinate system, including:
a rectangular coordinate system creating module 21, configured to create a rectangular coordinate system in which the X axis is the length of the rule feature data and the Y axis is the offset of the data, both in bytes;
a hash table construction module 22, configured to read rule files and perform the following operations on each rule in turn: mapping the rule's offset and data length to a point (X, Y) in the rectangular coordinate system, hashing the rule's feature data, storing the hash result in a hash bucket together with the corresponding Y coordinate, and collecting the hash buckets into a hash table T; projecting the points of the coordinate system onto the X axis to obtain a projection array E;
a message processing module 23, configured to split a received message, starting from its first byte, according to every length value in the array E, where each split segment forms one array element, and to hash each segment to obtain a hash value array H;
a rule matching module 24, configured to look up each hash value of the array H in the hash table T, to compare the length value of the data with the Y coordinate of the currently hit hash bucket if the hash value hits, to compare whether the real data are identical if the length values are equal, and to report the corresponding rule as found and the match as successful if the real data are identical.
The invention exploits the limited data length of the matching rules and performs fast matching by segmenting the data that currently needs to be matched, which greatly reduces the number of matching operations. For example, when matching data of length 100 bytes against rules whose data length is 10, with 100,000 rules the prior art performs 100,000 matches, whereas the invention needs only 1000. If the rule set grows further, for example to 500,000 rules, the prior art performs 500,000 matches while the invention still needs only 1000, a great improvement in matching efficiency.
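The following is an added worked example of steps 110 to 140 and of the lookup count discussed in the paragraph above; it is not code from the patent or its assignee. It assumes CRC-32 as the hash function, 0-based byte positions, that the Y coordinate stored in a bucket (the rule's offset) is checked against the current position n, and that scanning continues after a hit so that every matching rule is reported. The rules, message and rule identifiers are constructed for the example.

```python
"""Coordinate-system rule matching: build hash table T and projection
array E from fixed-offset rules, then scan a message position by position.

Added example, not the patent's code. Assumptions: CRC-32 as the hash,
0-based positions, the stored Y (offset) is checked against the current
position n, and scanning continues past a hit."""
from __future__ import annotations

import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    offset: int     # Y coordinate: byte offset at which the feature must sit
    feature: bytes  # feature data; its length is the X coordinate


@dataclass(frozen=True)
class Bucket:
    """One entry of hash table T: hash -> (rule, X, Y, real data)."""
    rule_id: str
    x: int
    y: int
    feature: bytes


def feature_hash(data: bytes) -> int:
    # A non-cryptographic hash is enough here: collisions are resolved by
    # the real-data comparison in match_at, so a collision only costs time.
    return zlib.crc32(data)


def build_table(rules):
    """Step 120: map each rule to (X, Y), hash its feature into T and
    project the points onto the X axis to get E (the distinct lengths)."""
    table: dict[int, list[Bucket]] = {}
    lengths: set[int] = set()
    for r in rules:
        if r.offset < 0 or not r.feature:
            raise ValueError(f"{r.rule_id}: rules need a fixed offset and a non-empty feature")
        bucket = Bucket(r.rule_id, len(r.feature), r.offset, r.feature)
        table.setdefault(feature_hash(r.feature), []).append(bucket)
        lengths.add(len(r.feature))
    return table, sorted(lengths)


def match_at(table, lengths, payload: bytes, n: int):
    """Steps 130-140 for one byte position n: slice payload[n:n+x] for every
    x in E, hash each slice (array H), look it up in T and confirm the hit."""
    hits = []
    lookups = 0
    for x in lengths:
        segment = payload[n:n + x]
        if len(segment) < x:
            continue  # message too short for this length at this position
        lookups += 1
        for b in table.get(feature_hash(segment), ()):
            # hash hit: confirm the length, the offset, then the real bytes
            if b.x == len(segment) and b.y == n and b.feature == segment:
                hits.append(b.rule_id)
    return hits, lookups


def match_message(table, lengths, payload: bytes):
    """Walk n = 0, 1, 2, ... over the message (the page's n = n + 1 loop)."""
    matched = []
    total_lookups = 0
    for n in range(len(payload)):
        hits, lookups = match_at(table, lengths, payload, n)
        matched.extend(hits)
        total_lookups += lookups
    return matched, total_lookups


# Constructed sample rules and message (not from the patent).
SAMPLE_RULES = [
    Rule("R1", 0, b"\x01\x03"),   # 2-byte feature at offset 0
    Rule("R2", 4, b"ATTACK"),     # 6-byte feature at offset 4
    Rule("R3", 4, b"ATTACKS"),    # 7-byte feature at offset 4
    Rule("R4", 8, b"ATTACK"),     # same bytes as R2 but a different offset
]
SAMPLE_PAYLOAD = b"\x01\x03\x00\x00ATTACK!!"


def run_demo():
    table, lengths = build_table(SAMPLE_RULES)
    return match_message(table, lengths, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    matched, lookups = run_demo()
    print("matched rules:", matched, "hash lookups:", lookups)
```

On the sample message, R1 and R2 match (R4 shares R2's bytes but sits at the wrong offset, and R3 differs in its last byte), and the scan performs 24 hash lookups: the count is bounded by the message length times the number of distinct lengths in E, which is the 100 × 10 = 1000 figure above, and it does not grow with the number of rules.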
Corresponding to the above embodiment, an embodiment of the present invention provides a device for matching attack detection rules based on a coordinate system, including: at least one memory and at least one processor;
the memory is used for storing one or more program instructions;
a processor for executing one or more program instructions for performing a coordinate system based method of attack detection rule matching.
In accordance with the foregoing embodiments, the embodiments of the present invention provide a computer readable storage medium having one or more program instructions embodied therein, the one or more program instructions configured to be executed by a processor to perform a method for coordinate system-based attack detection rule matching.
The disclosed embodiments provide a computer readable storage medium having stored therein computer program instructions that, when executed on a computer, cause the computer to perform a method of coordinate system based attack detection rule matching as described above.
In the embodiment of the invention, the processor may be an integrated circuit chip with signal processing capability. The processor may be a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
The methods, steps and logic blocks disclosed in the embodiments of the invention may be implemented or performed by such a processor. A general purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments may be embodied directly in a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software modules may be located in random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, or other storage media well known in the art. The processor reads the information in the storage medium and, in combination with its hardware, performs the steps of the above method.
The storage medium may be memory; for example, it may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory.
The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or flash memory.
The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM) and Direct Rambus RAM (DRRAM).
The storage media described in embodiments of the present invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in a combination of hardware and software. When the software is applied, the corresponding functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (6)

1. A method for matching attack detection rules based on a coordinate system, comprising:
creating a rectangular coordinate system in which the X axis and the Y axis represent the length of the rule feature data and the offset of the data;
reading rule files and performing the following operations on each rule in the rule files in turn: mapping the rule's offset and data length to a point (X, Y) in the rectangular coordinate system, hashing the rule's feature data, storing the hash result in a hash bucket together with the corresponding Y coordinate, and collecting the hash buckets into a hash table T; projecting the points of the coordinate system onto the X axis to obtain a projection array E;
in response to a received message, starting from the first byte of the message, splitting it according to every length value in the array E, taking each split segment as one array element, and hashing each segment to obtain a hash value array H;
and looking up each hash value of the array H in the hash table T; if the hash value hits, comparing the length value of the data with the Y coordinate of the currently hit hash bucket; if they are equal, comparing whether the real data are identical; and if the real data are identical, the corresponding rule is found and the match is successful.
2. A method of coordinate system-based attack detection rule matching according to claim 1, wherein a constraint is placed on the rule feature data, i.e. the feature data has a fixed offset and a fixed length.
3. The method of claim 1, wherein the byte position n = 1 is set to segment the valid data of the message; the segmentation is performed from the nth byte of the valid data according to the values of the array E, i.e. the first segmentation starts at the 1st byte, and the segment lengths correspond to all values of the array E respectively.
4. A method of matching attack detection rules based on a coordinate system as claimed in claim 3, wherein if there is no hit, or the comparison with the hash bucket's Y coordinate is unequal, or the comparison with the real data is not identical, there is no corresponding rule in the hash table T, the match fails, and n = n + 1 is set and matching continues.
5. An apparatus for matching attack detection rules based on a coordinate system, comprising:
a rectangular coordinate system creation module, used to create a rectangular coordinate system in which the X axis is the length of the rule feature data and the Y axis is the offset of the data, both in bytes;
a hash table construction module, used to read the rule files and perform the following operations on each rule in turn: mapping the rule's offset and data length to a point (X, Y) in the rectangular coordinate system, hashing the rule's feature data, storing the hash result in a hash bucket together with the corresponding Y coordinate, and collecting the hash buckets into a hash table T; projecting the points of the coordinate system onto the X axis to obtain a projection array E;
a message processing module, used to split a received message, starting from its first byte, according to every length value in the array E, to take each split segment as one array element, and to hash each segment to obtain a hash value array H;
a rule matching module, used to look up each hash value of the array H in the hash table T; if the hash value hits, the length value of the data is compared with the Y coordinate of the currently hit hash bucket; if they are equal, whether the real data are identical is compared; and if the real data are identical, the corresponding rule is found and the match is successful.
6. A computer readable storage medium having one or more program instructions embodied therein for execution by a processor of a method of coordinate system based attack detection rule matching according to any of claims 1-4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310284331.1A CN116389088A (en) 2023-03-22 2023-03-22 Attack detection rule matching method and device based on coordinate system

Publications (1)

Publication Number Publication Date
CN116389088A true CN116389088A (en) 2023-07-04

Family

ID=86972383

Country Status (1)

Country Link
CN (1) CN116389088A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination