CN116760624B - Network worm detection method, system, storage medium and electronic equipment - Google Patents


Info

Publication number: CN116760624B
Application number: CN202310873286.3A
Authority: CN (China)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN116760624A
Inventors: 白红霞, 马娜, 王潇, 甄小丽, 李海亮, 徐剑南, 刘瑞全
Current assignee: Jiang Nan Information Security Beijing Technology Co ltd
Original assignee: Jiang Nan Information Security Beijing Technology Co ltd

Classifications

All three CPC codes sit under H (Electricity), H04 (Electric communication technique) and H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 ... for detecting or protecting against malicious traffic; H04L63/1408 ... by monitoring network traffic)
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/14; H04L63/1441 Countermeasures against malicious traffic)
    • H04L9/40 Network security protocols (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)

Abstract

The invention discloses a method, a system, a storage medium and an electronic device for detecting network worms. The method comprises the following steps: a worm traffic detection engine extracts suspected network worm traffic from the network data stream, generates a traffic request and sends it to a scheduling engine; in response to receiving the traffic request, the scheduling engine matches service resources, determines a target worm feature generator corresponding to the traffic request, and returns feature information associated with the target worm feature generator to the worm traffic detection engine; the worm traffic detection engine identifies the target worm feature generator from the feature information and sends the suspected network worm traffic to it; the target worm feature generator analyzes the suspected network worm traffic to generate worm traffic features and sends them to an evaluation engine; and the evaluation engine evaluates the worm traffic features and determines a detection result.

Description

Network worm detection method, system, storage medium and electronic equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, a system, a storage medium, and an electronic device for detecting a network worm.
Background
Since the outbreak of the Morris worm in 1988, network worms have continually threatened network security, and because networks are now closely tied to economic activity and everyday life, worm outbreaks often cause significant economic and social harm.
To effectively suppress the spread of network worms, an effective detection method for them is urgently needed.
Disclosure of Invention
The invention provides a method, a system, a storage medium and an electronic device for detecting network worms, addressing the problem of detecting network worms efficiently and accurately. The invention inspects suspected network worm traffic to produce a detection result, and determines from that result whether the inspected traffic is associated with a network worm.
To solve the above problems, according to one aspect of the invention there is provided a method for detecting a network worm, the method comprising:
a worm traffic detection engine extracts suspected network worm traffic from the network data stream, generates a traffic request and sends the traffic request to a scheduling engine;
in response to receiving the traffic request, the scheduling engine matches service resources, thereby determining a target worm feature generator corresponding to the traffic request, and returns feature information associated with the target worm feature generator to the worm traffic detection engine;
the worm traffic detection engine identifies the target worm feature generator from the feature information and sends the suspected network worm traffic to the target worm feature generator;
the target worm feature generator analyzes the suspected network worm traffic to generate worm traffic features and sends the worm traffic features to an evaluation engine; and
the evaluation engine evaluates the worm traffic features and determines a detection result;
wherein the scheduling engine matching service resources to determine the target worm feature generator corresponding to the traffic request comprises:
the scheduling engine searching a resource information database, according to resource demand description information, for a plurality of candidate worm feature generators able to provide the service; and
selecting the target worm feature generator from the plurality of candidate worm feature generators according to a preset resource allocation algorithm.
In one example, the worm traffic detection engine extracting suspected network worm traffic from the network data stream comprises:
the worm traffic detection engine extracting suspected network worm traffic from the network data stream based on at least one underlying feature of network worms.
In one example, selecting the target worm feature generator from the plurality of candidate worm feature generators according to a preset resource allocation algorithm comprises:
determining a comprehensive index value for each candidate worm feature generator according to the preset resource allocation algorithm, and selecting the candidate worm feature generator with the largest comprehensive index value as the target worm feature generator.
In one example, determining the comprehensive index value of each candidate worm feature generator according to the preset resource allocation algorithm comprises:
determining the processing capability, communication capability and storage capability of each candidate worm feature generator according to the preset resource allocation algorithm, together with the empirical coefficients corresponding to each of these three capabilities;
determining the reliability with which each candidate worm feature generator completes tasks, based on its task completion rate and online rate;
determining the availability of each candidate worm feature generator, and obtaining its detection accuracy;
determining the resource computing capability of each candidate worm feature generator from its processing, communication and storage capabilities, its task-completion reliability, and the corresponding empirical coefficients; and
determining the comprehensive index value of each candidate worm feature generator from its resource computing capability, availability and detection accuracy.
In one example, determining the processing capability, communication capability and storage capability of each candidate worm feature generator according to the preset resource allocation algorithm comprises:
calculating the processing capability, communication capability and storage capability of each candidate worm feature generator by the following formulas:
where $Dlt_i$ is the processing capability of the $i$-th candidate worm feature generator, $Com_i$ its communication capability and $Sto_i$ its storage capability;
$1 \le i \le N_g$, where $i$ and $N_g$ are natural numbers and $N_g$ is the number of candidate worm feature generators;
$Dgre_{ij}$ is the $j$-th processing capability attribute of the $i$-th candidate worm feature generator, $N_1$ the number of processing capability attributes and $w_j$ the weight of the $j$-th attribute, with $1 \le j \le N_1$ and $j$, $N_1$ natural numbers;
$Cgre_{is}$ is the $s$-th communication capability attribute of the $i$-th candidate worm feature generator, $N_2$ the number of communication capability attributes and $w_s$ the weight of the $s$-th attribute, with $1 \le s \le N_2$ and $s$, $N_2$ natural numbers;
$Sgre_{ih}$ is the $h$-th storage capability attribute of the $i$-th candidate worm feature generator, $N_3$ the number of storage capability attributes and $w_h$ the weight of the $h$-th attribute, with $1 \le h \le N_3$ and $h$, $N_3$ natural numbers.
In one example, determining the reliability with which each candidate worm feature generator completes tasks, based on its task completion rate and online rate, comprises:
calculating the task-completion reliability of each candidate worm feature generator by the following formula:
$aug_i = d_1 \times Ov_i + d_2 \times OL_i$
where $aug_i$ is the task-completion reliability of the $i$-th candidate worm feature generator, $Ov_i$ its task completion rate, $OL_i$ its online rate, and $d_1$ and $d_2$ the empirical coefficients corresponding to the task completion rate and the online rate respectively.
In one example, determining the availability of each candidate worm feature generator comprises:
determining the availability of each candidate worm feature generator by the following formula:
where $U_i$ is the availability of the $i$-th candidate worm feature generator, $U_{ip}$ the usage of the $p$-th class of resource on the $i$-th candidate worm feature generator, and $N_4$ the number of resource classes;
$T_{ip}$ is the total amount of the $p$-th class of resource on the $i$-th candidate worm feature generator and $w_p$ the weight of the $p$-th class of resource usage;
$1 \le p \le N_4$, with $p$ and $N_4$ natural numbers.
In one example, determining the resource computing capability of each candidate worm feature generator from its processing, communication and storage capabilities, its task-completion reliability, and the empirical coefficients corresponding to the processing, communication and storage capabilities comprises:
determining the resource computing capability of each candidate worm feature generator by the following formula:
where $P_i$ is the resource computing capability of the $i$-th candidate worm feature generator, and $ag_1$, $ag_2$ and $ag_3$ are the empirical coefficients corresponding to the processing capability, communication capability and storage capability respectively;
$aug_i$ is the task-completion reliability of the $i$-th candidate worm feature generator.
In one example, determining the comprehensive index value of each candidate worm feature generator from its resource computing capability, availability and detection accuracy comprises:
determining the comprehensive index value of each candidate worm feature generator by the following formula:
$Div_i = P_i \times U_i \times A_i$
where $Div_i$ is the comprehensive index value of the $i$-th candidate worm feature generator, $P_i$ its resource computing capability, $U_i$ its availability and $A_i$ its detection accuracy.
According to another aspect of the present invention, there is provided a system for detecting network worms, the system comprising:
a detection module, configured to cause the worm traffic detection engine to extract suspected network worm traffic from the network data stream, generate a traffic request and send the traffic request to the scheduling engine;
a matching module, configured to cause the scheduling engine to match service resources, determine a target worm feature generator corresponding to the traffic request, and return feature information associated with the target worm feature generator to the worm traffic detection engine;
a target worm feature generator determination module, configured to cause the worm traffic detection engine to identify the target worm feature generator from the feature information and send the suspected network worm traffic to the target worm feature generator;
an analysis module, configured to cause the target worm feature generator to analyze the suspected network worm traffic, obtain worm traffic features and send the worm traffic features to an evaluation engine; and
an evaluation module, configured to cause the evaluation engine to evaluate the worm traffic features and determine a detection result.
Based on a further aspect of the present invention, the present invention provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of any one of the methods of detecting a network worm.
Based on still another aspect of the present invention, the present invention provides an electronic device, including:
the computer readable storage medium as described above; and
one or more processors configured to execute the programs in the computer-readable storage medium.
In the method, system, storage medium and electronic device provided by the invention, the worm traffic detection engine extracts suspected network worm traffic from the network data stream and submits a traffic request to the scheduling engine; the scheduling engine matches service resources, determines the target worm feature generator for that request and returns its feature information to the detection engine; the detection engine forwards the suspected traffic to the target worm feature generator; the target worm feature generator derives worm traffic features from the suspected traffic and sends them to the evaluation engine; and the evaluation engine evaluates those features to determine the detection result. The invention aims to overcome the shortcomings of existing network worm behavior-trace clustering techniques and to detect network worms efficiently and accurately, thereby protecting network security.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
fig. 1 is a flow chart of a method 100 of detecting a network worm according to an embodiment of the present invention;
fig. 2 is a system architecture diagram for implementing network worm detection according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network worm detection system 300 according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a flow chart of a method 100 of detecting a network worm according to an embodiment of the invention. As shown in fig. 1, the method aims to overcome the shortcomings of existing network worm behavior-trace clustering techniques and to detect network worms efficiently and accurately, thereby protecting network security. Method 100 begins at step 101, in which a worm traffic detection engine extracts suspected network worm traffic from the network data stream, generates a traffic request and sends the traffic request to a scheduling engine.
In step 102, the scheduling engine matches service resources, determines a target worm feature generator corresponding to the traffic request, and returns feature information associated with the target worm feature generator to the worm traffic detection engine.
Preferably, the scheduling engine matching service resources and determining the target worm feature generator corresponding to the traffic request comprises:
the scheduling engine searching a resource information database, according to the resource demand description information, for candidate worm feature generators able to provide the service, and selecting the target worm feature generator from those candidates according to a preset resource allocation algorithm.
Preferably, selecting the target worm feature generator from the candidate worm feature generators according to the preset resource allocation algorithm comprises:
determining the comprehensive index value of each candidate worm feature generator, and selecting the candidate worm feature generator with the largest comprehensive index value as the target worm feature generator;
where the comprehensive index value of each candidate worm feature generator is determined by:
$Div_i = P_i \times U_i \times A_i$
$aug_i = d_1 \times Ov_i + d_2 \times OL_i$
where $Div_i$ is the comprehensive index value of the $i$-th candidate worm feature generator; $P_i$ its resource computing capability; $U_i$ its availability; $A_i$ its detection accuracy; $Dlt_i$, $Com_i$ and $Sto_i$ its processing, communication and storage capabilities respectively; $ag_1$, $ag_2$ and $ag_3$ the empirical coefficients corresponding to the processing, communication and storage capabilities; $aug_i$ its task-completion reliability; $Ov_i$ its task completion rate; $OL_i$ its online rate; $d_1$ and $d_2$ the empirical coefficients corresponding to the task completion rate and the online rate; $Dgre_{ij}$ the $j$-th processing capability attribute of the $i$-th candidate, $N_1$ the number of processing capability attributes and $w_j$ the weight of the $j$-th attribute; $Cgre_{is}$ the $s$-th communication capability attribute of the $i$-th candidate, $N_2$ the number of communication capability attributes and $w_s$ the weight of the $s$-th attribute; $Sgre_{ih}$ the $h$-th storage capability attribute of the $i$-th candidate, $N_3$ the number of storage capability attributes and $w_h$ the weight of the $h$-th attribute; $U_{ip}$ the usage of the $p$-th class of resource on the $i$-th candidate, $N_4$ the number of resource classes, $T_{ip}$ the total amount of the $p$-th class of resource on the $i$-th candidate, and $w_p$ the weight of the $p$-th class of resource usage.
In step 103, the worm traffic detection engine determines a target worm feature generator based on the feature information and sends suspected network worm traffic to the target worm feature generator.
In step 104, the target worm feature generator analyzes the suspected network worm traffic, obtains worm traffic features, and sends them to the evaluation engine. Specifically, the traffic is first analyzed with a CUSUM (cumulative sum) algorithm on the number of accesses from different IP addresses per unit time; the traffic this analysis identifies as suspected worm traffic is then submitted to the feature generator, which produces worm traffic features by a power-series RNN method and sends the worm features to the evaluation engine.
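The CUSUM screening named in step 104, as an added example that is not part of the patent or its implementation. It assumes that the "number of accesses per unit time" is the count of distinct destination hosts a source contacts in each time window, and that a one-sided CUSUM with a fixed baseline mu, allowance k and threshold h is used; the patent names the algorithm but gives no parameters, so the values below and the sample traffic are constructed for illustration.

```python
"""CUSUM screening of per-source access counts (added example, not the patent's code).

Assumptions: the per-unit-time access feature is the number of distinct
destinations a source contacts per window; detection uses a one-sided CUSUM
with baseline mu, allowance k and threshold h. Sample traffic is constructed.
"""
from collections import defaultdict


def constructed_events():
    """Constructed sample traffic as (window, src_ip, dst_ip) triples.

    10.0.0.5 behaves normally (3 destinations per window). 10.0.0.9 looks
    normal for windows 0-2, then fans out to 40 destinations per window,
    the scan pattern a propagating worm produces.
    """
    events = []
    for window in range(6):
        for d in range(3):
            events.append((window, "10.0.0.5", f"10.0.1.{d}"))
        fanout = 3 if window < 3 else 40
        for d in range(fanout):
            events.append((window, "10.0.0.9", f"10.0.2.{d}"))
    return events


def per_window_fanout(events):
    """Map src_ip -> list of distinct-destination counts, one entry per window."""
    dests = defaultdict(lambda: defaultdict(set))
    last_window = 0
    for window, src, dst in events:
        dests[src][window].add(dst)
        last_window = max(last_window, window)
    return {
        src: [len(by_window.get(w, ())) for w in range(last_window + 1)]
        for src, by_window in dests.items()
    }


def cusum(series, mu, k, h):
    """One-sided CUSUM for an upward shift in the mean.

    S_t = max(0, S_{t-1} + x_t - mu - k); alarm at the first t with S_t > h.
    Returns (statistics, first_alarm_index_or_None).
    """
    s, stats, alarm = 0.0, [], None
    for t, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))
        stats.append(s)
        if alarm is None and s > h:
            alarm = t
    return stats, alarm


def flag_suspected_worm_sources(events, mu=3.0, k=2.0, h=20.0):
    """Return {src_ip: first_alarm_window} for sources whose CUSUM crosses h.

    Only these sources' traffic would be handed to the feature generator;
    the rest is dropped at this screening stage.
    """
    flagged = {}
    for src, series in per_window_fanout(events).items():
        _, alarm = cusum(series, mu, k, h)
        if alarm is not None:
            flagged[src] = alarm
    return flagged


if __name__ == "__main__":
    for src, window in flag_suspected_worm_sources(constructed_events()).items():
        print(f"suspected worm source {src}: CUSUM alarm in window {window}")
```

The allowance k keeps small fluctuations around the baseline from accumulating, so a host that always touches a handful of peers never trips the statistic, while a sudden fan-out drives S_t past h within a single window. In practice mu should come from a learning period on the monitored subnet rather than a constant.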
In step 105, the evaluation engine evaluates the worm traffic features to determine a detection result. Specifically, the evaluation engine deploys the worm features into an intrusion detection system or antivirus software, and the detection result for the suspected network worm traffic is determined from the recognition accuracy that the intrusion detection system or antivirus software achieves with those features. For example, with a recognition-accuracy threshold of 95%, if the intrusion detection system or antivirus software recognizes the worm traffic features with 98% accuracy, then because 98% exceeds 95% the suspected network worm traffic is judged to be network worm traffic. If instead the recognition accuracy is 90%, then because 90% is below 95% the suspected traffic is judged not to be network worm traffic, or at least is not confirmed as such. In this way the suspected network worm traffic is inspected to obtain a detection result, and that result determines whether the inspected traffic is associated with a network worm. Preferably, the method further comprises performing routine maintenance on each engine with a maintenance engine.
With reference to fig. 2, the system for implementing network worm detection consists of a worm traffic detection engine, worm feature generators, a scheduling engine, a maintenance engine and an evaluation engine. In this framework the worm traffic detection engine collects network data streams and extracts suspicious network worm traffic from them; it must register with the maintenance engine in the cloud before it can be used. Within the grid as a whole the worm traffic detection engine plays the role of a user initiating a resource request: when it detects suspected worm traffic it generates a pending traffic request and submits it to the scheduling engine. The scheduling engine acts as the resource manager, matching the detection engine's requests against the resource information and selecting, under the corresponding policy, the resources that satisfy them. When worm traffic detection engines in different subnets recognize suspicious worm traffic they submit requests to the scheduling engine concurrently; the scheduling engine searches the resource information database, according to the resource demand description information, for resources that provide the corresponding service, determines by a resource allocation algorithm which worm feature generator will provide it, and returns the relevant information to the requesting detection engine. The detection engine then transmits the pending traffic to the selected worm feature generator. The worm feature generator receives and analyzes the worm traffic transmitted by the detection engine and submits the generated features to the evaluation engine for comprehensive evaluation, which finally determines the features of the network worm.
The maintenance engine is responsible for routine operations on the system, such as deployment, undeployment and maintenance.
In the invention, the worm traffic detection engine, worm feature generator, maintenance engine and evaluation engine can be realized with existing technology and are therefore not described in detail. As for the scheduling engine, in a cloud-based network worm detection system the main task of its scheduling module is to receive file processing requests from the worm traffic detection engine and then assign the pending file requests to a suitable worm feature generator according to the current load of each worm feature generator and the selection policy. The scheduling engine's basis for deciding on the target worm feature generator is the comprehensive index value of each worm feature generator (the host in the cloud with the largest $Div$ accepts the task), which combines the resource computing capability $P$, the resource availability $U$ and the detection accuracy $A$; the target worm feature generator is the one whose comprehensive index value is largest.
Specifically, in the invention the comprehensive index value of the $i$-th worm feature generator, $Div_i$, is expressed as:
$Div_i = P_i \times U_i \times A_i$
where $P_i$ is the resource computing capability of the $i$-th worm feature generator, $U_i$ its availability and $A_i$ its detection accuracy.
The resource computing capability of the $i$-th worm feature generator is determined by the following formula:
where $Dlt_i$, $Com_i$ and $Sto_i$ are the processing, communication and storage capabilities of the $i$-th worm feature generator respectively; $ag_1$, $ag_2$ and $ag_3$ are the empirical coefficients corresponding to $Dlt_i$, $Com_i$ and $Sto_i$; and $aug_i$ is the node's task-completion reliability parameter, calculated as:
$aug_i = d_1 \times Ov_i + d_2 \times OL_i$
where $Ov_i$ is the node's task completion rate, $OL_i$ its online rate, and $d_1$ and $d_2$ the empirical coefficients corresponding to $Ov_i$ and $OL_i$ respectively.
The processing capability $Dlt_i$ of the $i$-th worm feature generator is calculated as follows:
where $Dgre_{ij}$ is the $j$-th processing capability attribute of the $i$-th worm feature generator, such as clock frequency, number of CPUs or CPU model; $N_1$ is the number of processing capability attributes; and $w_j$, the weight of the $j$-th attribute, expresses the importance of that attribute. Once determined by the analysis engine, $Dlt_i$ generally does not need to change.
The communication capability $Com_i$ of the $i$-th worm feature generator is calculated as follows:
where $Cgre_{is}$ is the $s$-th communication capability attribute of the $i$-th worm feature generator, such as bandwidth, delay or stability; $N_2$ is the number of communication capability attributes; and $w_s$, the weight of the $s$-th attribute, expresses the importance of that attribute.
The storage capability $Sto_i$ of the $i$-th worm feature generator is calculated as follows:
where $Sgre_{ih}$ is the $h$-th storage capability attribute of the $i$-th worm feature generator, such as memory size or hard disk size; $N_3$ is the number of storage capability attributes; and $w_h$, the weight of the $h$-th attribute, expresses the importance of that attribute.
The availability $U_i$ of the $i$-th worm feature generator is calculated by the following formula:
where $U_{ip}$ is the usage of the $p$-th class of resource on the $i$-th worm feature generator, such as CPU usage or physical memory usage; $N_4$ is the number of resource classes; $T_{ip}$ is the total amount of the $p$-th class of resource on the $i$-th worm feature generator; and $w_p$ is the weight of the $p$-th class of resource usage. $U_i$ changes continuously over time, so the scheduling engine must periodically query the usage of each resource class on every worm feature generator; this information can be obtained from the MDS using the Lightweight Directory Access Protocol (LDAP).
Fig. 3 is a schematic structural diagram of a network worm detection system 300 according to an embodiment of the present invention. As shown in fig. 3, a network worm detection system 300 provided in an embodiment of the present invention includes: a detection module 301, a matching module 302, a target worm feature generator determination module 303, an analysis module 304, and an evaluation module 305.
Preferably, the detection module 301 is configured to enable the worm traffic detection engine to extract suspected network worm traffic from the network data stream, and generate a traffic request and send the traffic request to the scheduling engine.
Preferably, the matching module 302 is configured to enable the scheduling engine to perform matching of service resources, determine a target worm feature generator corresponding to the traffic request, and return feature information associated with the target worm feature generator to the worm traffic detection engine.
Preferably, in the matching module 302, the scheduling engine performs matching of service resources and determines the target worm feature generator corresponding to the traffic request, which includes:
the scheduling engine searches the resource information database, according to the resource demand description information, for worm feature generators to be selected that are capable of providing the service, selects a target worm feature generator from the worm feature generators to be selected according to a preset resource allocation algorithm, and determines the target worm feature generator.
Preferably, in the matching module 302, selecting the target worm feature generator from the worm feature generators to be selected according to a preset resource allocation algorithm and determining the target worm feature generator includes:
determining the comprehensive index value of each worm feature generator to be selected, and selecting the worm feature generator to be selected with the largest comprehensive index value as the target worm feature generator;
the comprehensive index value corresponding to each worm feature generator to be selected is determined as follows:
Div_i = P_i × U_i × A_i
aug_i = d_1 × Ov_i + d_2 × OL_i
where Div_i is the comprehensive index value of the i-th worm feature generator; P_i is the resource computing capability of the i-th worm feature generator; U_i is the availability of the i-th worm feature generator; A_i is the detection accuracy of the i-th worm feature generator; Dlt_i, Com_i and Sto_i are the processing capability, communication capability and storage capability of the i-th worm feature generator respectively; ag_1, ag_2 and ag_3 are the empirical coefficients corresponding to the processing capability, communication capability and storage capability respectively; aug_i is the reliability with which the i-th worm feature generator completes the task; Ov_i is the task completion rate of the i-th worm feature generator; OL_i is the online rate of the i-th worm feature generator, and d_1 and d_2 are the empirical coefficients corresponding to the task completion rate and the online rate respectively; Dgre_ij is the j-th processing capability attribute of the i-th worm feature generator; N_1 is the number of processing capability attributes; w_j is the weight of the j-th attribute; Cgre_is is the s-th communication capability attribute of the i-th worm feature generator; N_2 is the number of communication capability attributes; w_s is the weight of the s-th attribute; Sgre_ih is the h-th storage capability attribute of the i-th worm feature generator; N_3 is the number of storage capability attributes; w_h is the weight of the h-th attribute; U_ip is the usage amount of the p-th class of resource on the i-th worm feature generator; N_4 is the number of resource classes; T_ip is the total amount of the p-th class of resource on the i-th worm feature generator; and w_p is the weight of the p-th class resource usage.
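The matching step (comprehensive index Div_i = P_i × U_i × A_i with reliability aug_i) together with the per-capability, availability and resource-computing-capability definitions given earlier, carried through as a scheduler that ranks candidate generators; this is an added example and not code from the patent. The page does not carry the formulas for Dlt_i, Com_i, Sto_i, U_i and P_i, so the forms used here, the attribute weights, the empirical coefficients and the three sample generators are all assumptions.

```python
"""Scheduler-side selection of a target worm feature generator: an added example,
not the patent's own code. The page states only Div_i = P_i*U_i*A_i and
aug_i = d_1*Ov_i + d_2*OL_i; the forms below for Dlt_i/Com_i/Sto_i (weighted sum
of normalised attributes), U_i (weighted idle share 1 - U_ip/T_ip) and
P_i = aug_i*(ag_1*Dlt_i + ag_2*Com_i + ag_3*Sto_i) are ASSUMPTIONS."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Generator:
    name: str
    processing: dict        # Dgre_ij: clock_ghz, cpus
    communication: dict     # Cgre_is: bandwidth_mbps, delay_ms
    storage: dict           # Sgre_ih: memory_gb, disk_gb
    usage: dict             # U_ip: current usage per resource class
    total: dict             # T_ip: total per resource class
    accuracy: float         # A_i
    completion_rate: float  # Ov_i
    online_rate: float      # OL_i

LOWER_IS_BETTER = {"delay_ms"}  # inverted after normalisation
# Weights and empirical coefficients: constructed values, not the patent's.
WEIGHTS = {"processing": {"clock_ghz": 0.5, "cpus": 0.5},              # w_j
           "communication": {"bandwidth_mbps": 0.6, "delay_ms": 0.4},  # w_s
           "storage": {"memory_gb": 0.5, "disk_gb": 0.5}}              # w_h
W_P = {"cpu": 0.5, "memory": 0.5}  # w_p
AG = (0.5, 0.3, 0.2)               # ag_1, ag_2, ag_3
D = (0.6, 0.4)                     # d_1, d_2

def normalised(gens, group, attr):
    """Min-max scale one attribute across candidates: GHz, core counts and GB are
    on different scales, so raw values must not be summed directly."""
    vals = {g.name: getattr(g, group)[attr] for g in gens}
    lo, hi = min(vals.values()), max(vals.values())
    if hi == lo:  # attribute does not discriminate: same score for everyone
        return {n: 1.0 for n in vals}
    flip = attr in LOWER_IS_BETTER
    return {n: 1.0 - s if flip else s
            for n, s in ((n, (v - lo) / (hi - lo)) for n, v in vals.items())}

def capability(gens, group):
    """Assumed form of Dlt_i / Com_i / Sto_i: weighted sum of normalised attributes."""
    score = {g.name: 0.0 for g in gens}
    for attr, w in WEIGHTS[group].items():
        for n, s in normalised(gens, group, attr).items():
            score[n] += w * s
    return score

def reliability(g):
    """aug_i = d_1 * Ov_i + d_2 * OL_i, as stated in the patent."""
    return D[0] * g.completion_rate + D[1] * g.online_rate

def availability(g):
    """Assumed form of U_i: weighted idle share per resource class. U_i drifts, so
    usage/total must be refreshed (the patent reads them from the MDS over LDAP)."""
    u = 0.0
    for p, w in W_P.items():
        if g.total[p] <= 0:
            raise ValueError(f"{g.name}: total of resource class {p!r} must be positive")
        u += w * (1.0 - min(g.usage[p], g.total[p]) / g.total[p])
    return u

def composite_index(gens):
    """Div_i = P_i * U_i * A_i (stated in the patent); P_i uses the assumed form."""
    dlt, com, sto = (capability(gens, k) for k in ("processing", "communication", "storage"))
    div = {}
    for g in gens:
        p_i = reliability(g) * (AG[0] * dlt[g.name] + AG[1] * com[g.name] + AG[2] * sto[g.name])
        div[g.name] = p_i * availability(g) * g.accuracy
    return div

def select_target(gens):
    """Largest Div_i wins; ties break by name so the choice is deterministic."""
    if not gens:
        raise ValueError("no candidate worm feature generator")
    div = composite_index(gens)
    return min(div, key=lambda n: (-div[n], n)), div

CANDIDATES = [  # constructed sample of the resource information database
    Generator("gen-a", {"clock_ghz": 3.0, "cpus": 8}, {"bandwidth_mbps": 1000, "delay_ms": 10},
              {"memory_gb": 32, "disk_gb": 500}, {"cpu": 4, "memory": 16},
              {"cpu": 8, "memory": 32}, 0.95, 0.90, 0.95),
    Generator("gen-b", {"clock_ghz": 2.0, "cpus": 16}, {"bandwidth_mbps": 500, "delay_ms": 20},
              {"memory_gb": 64, "disk_gb": 1000}, {"cpu": 14, "memory": 60},
              {"cpu": 16, "memory": 64}, 0.97, 0.80, 0.90),
    Generator("gen-c", {"clock_ghz": 2.5, "cpus": 4}, {"bandwidth_mbps": 1000, "delay_ms": 5},
              {"memory_gb": 16, "disk_gb": 250}, {"cpu": 0, "memory": 4},
              {"cpu": 4, "memory": 16}, 0.90, 0.95, 0.99),
]
```

On this sample the larger but nearly saturated gen-b loses to the idle gen-c on U_i, which is why the scheduler has to refresh usage figures shortly before every selection rather than rank on static capability alone.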
Preferably, the target worm feature generator determining module 303 is configured to cause the worm traffic detection engine to determine a target worm feature generator based on the feature information, and send the suspected network worm traffic to the target worm feature generator.
Preferably, the analyzing module 304 is configured to enable the target worm feature generator to analyze the suspected network worm traffic, obtain worm traffic features, and send the worm traffic features to the evaluation engine.
Preferably, the evaluation module 305 is configured to enable the evaluation engine to evaluate based on the worm traffic characteristics, and determine the detection result.
Preferably, the system further comprises:
a maintenance module, configured to perform routine maintenance on each engine using the maintenance engine.
The network worm detection system 300 according to this embodiment of the present invention corresponds to the network worm detection method 100 according to another embodiment of the present invention, and is not described again here.
Based on another aspect of the present invention, the present invention provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of any one of the methods for detecting a network worm.
Based on another aspect of the present invention, the present invention provides an electronic device, including:
the computer readable storage medium as described above; and
one or more processors configured to execute the programs in the computer-readable storage medium.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, and any modifications and equivalents are intended to be included within the scope of the invention.

Claims (8)

1. A method for detecting a network worm, the method comprising:
the worm flow detection engine extracts suspected network worm flow from the network data flow, generates a flow request and sends the flow request to the scheduling engine;
in response to receiving the traffic request, the scheduling engine performs matching of service resources, thereby determining a target worm feature generator corresponding to the traffic request, and returning feature information associated with the target worm feature generator to the worm traffic detection engine;
the worm flow detection engine determines the target worm feature generator based on the feature information and sends the suspected network worm flow to the target worm feature generator;
the target worm feature generator analyzes the suspected network worm traffic to generate worm traffic features and sends the worm traffic features to an evaluation engine; and
the evaluation engine evaluates based on the worm flow characteristics and determines a detection result;
wherein the scheduling engine performs matching of service resources to determine a target worm feature generator corresponding to the traffic request, comprising:
the scheduling engine searches the resource information database, according to the resource demand description information, for a plurality of worm feature generators to be selected that are capable of providing the service; and
selecting a target worm feature generator from the plurality of worm feature generators to be selected according to a preset resource allocation algorithm, and determining the target worm feature generator;
the selecting the target worm feature generator from the plurality of worm feature generators to be selected according to a preset resource allocation algorithm, and determining the target worm feature generator comprises the following steps:
determining the comprehensive index value of each worm feature generator to be selected according to a preset resource allocation algorithm, and selecting the worm feature generator to be selected corresponding to the largest comprehensive evaluation index value from the worm feature generators to be selected as the target worm feature generator;
wherein, determining the comprehensive index value of each worm feature generator to be selected according to a preset resource allocation algorithm comprises the following steps:
determining the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected according to a preset resource allocation algorithm, and determining experience coefficients corresponding to the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected respectively;
determining the reliability of each worm feature generator to finish the task based on the task completion rate and the online rate of each worm feature generator to be selected;
determining the availability of each worm feature generator to be selected, and acquiring the detection accuracy of each worm feature generator to be selected;
determining the resource computing capacity of each worm feature generator to be selected based on the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected, the reliability of the task completion of each worm feature generator to be selected, and the experience coefficients corresponding to the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected respectively; and
and determining the comprehensive index value of each worm feature generator to be selected based on the resource computing capability, availability and detection accuracy of each worm feature generator to be selected.
2. The detection method of claim 1, wherein the worm traffic detection engine extracts suspected network worm traffic from the network data stream, comprising:
the worm traffic detection engine extracts suspected network worm traffic from the network data stream based on at least one underlying feature of the network worm.
3. The detection method according to claim 1, wherein determining the processing capability, the communication capability, and the storage capability of each candidate worm feature generator according to a preset resource allocation algorithm comprises:
the processing power, communication power and storage power of each candidate worm feature generator are calculated based on the following formulas:
where Dlt_i is the processing capability of the i-th candidate worm feature generator; Com_i is the communication capability of the i-th candidate worm feature generator; Sto_i is the storage capability of the i-th candidate worm feature generator;
where 1 ≤ i ≤ Ng, i and Ng are natural numbers, and Ng is the number of candidate worm feature generators;
Dgre_ij is the j-th processing capability attribute of the i-th candidate worm feature generator; N_1 is the number of processing capability attributes; w_j is the weight of the j-th attribute; 1 ≤ j ≤ N_1, and j and N_1 are natural numbers;
Cgre_is is the s-th communication capability attribute of the i-th candidate worm feature generator; N_2 is the number of communication capability attributes; w_s is the weight of the s-th attribute; 1 ≤ s ≤ N_2, and s and N_2 are natural numbers;
Sgre_ih is the h-th storage capability attribute of the i-th candidate worm feature generator; N_3 is the number of storage capability attributes; w_h is the weight of the h-th attribute; 1 ≤ h ≤ N_3, and h and N_3 are natural numbers.
4. The detection method of claim 3, wherein determining the reliability of each worm feature generator to complete a task based on the task completion rate and the online rate of each worm feature generator comprises:
the reliability of each candidate worm feature generator to complete the task is calculated based on the following formula:
aug_i = d_1 × Ov_i + d_2 × OL_i
where aug_i is the reliability with which the i-th candidate worm feature generator completes the task; Ov_i is the task completion rate of the i-th candidate worm feature generator; OL_i is the online rate of the i-th candidate worm feature generator; and d_1 and d_2 are the empirical coefficients corresponding to the task completion rate and the online rate respectively.
5. The detection method of claim 4, wherein determining the availability of each candidate worm feature generator comprises:
the availability of each candidate worm feature generator is determined based on the following formula:
where U_i is the availability of the i-th candidate worm feature generator; U_ip is the usage amount of the p-th class of resource on the i-th candidate worm feature generator; N_4 is the number of resource classes;
T_ip is the total amount of the p-th class of resource on the i-th candidate worm feature generator; w_p is the weight of the p-th class resource usage;
1 ≤ p ≤ N_4, and p and N_4 are natural numbers.
6. The detection method according to claim 5, wherein determining the resource computing capability of each candidate worm feature generator based on the processing capability, the communication capability, and the storage capability of each candidate worm feature generator, the reliability of each candidate worm feature generator to complete the task, and the empirical coefficients corresponding to the processing capability, the communication capability, and the storage capability of each candidate worm feature generator, respectively, comprises:
the resource computing capabilities of each candidate worm feature generator are determined based on the following formula:
where P_i is the resource computing capability of the i-th candidate worm feature generator; ag_1, ag_2 and ag_3 are the empirical coefficients corresponding to the processing capability, communication capability and storage capability respectively;
aug_i is the reliability with which the i-th candidate worm feature generator completes the task.
7. The detection method according to claim 6, wherein determining the composite index value of each candidate worm feature generator based on the resource computing capability, availability and detection accuracy of each candidate worm feature generator comprises:
determining the comprehensive index value corresponding to each candidate worm feature generator by the following method comprises the following steps:
Div_i = P_i × U_i × A_i
where Div_i is the comprehensive index value of the i-th candidate worm feature generator; P_i is the resource computing capability of the i-th candidate worm feature generator; U_i is the availability of the i-th candidate worm feature generator; and A_i is the detection accuracy of the i-th candidate worm feature generator.
8. A system for detecting a network worm, the system comprising:
the detection module is used for enabling the worm flow detection engine to extract suspected network worm flow from the network data flow, generating a flow request and sending the flow request to the scheduling engine;
the matching module is used for responding to the received flow request, enabling the scheduling engine to match service resources, determining a target worm feature generator corresponding to the flow request, and returning feature information associated with the target worm feature generator to the worm flow detection engine;
a target worm feature generator determination module configured to cause the worm traffic detection engine to determine the target worm feature generator based on the feature information and send the suspected network worm traffic to the target worm feature generator;
the analysis module is used for enabling the target worm feature generator to analyze the suspected network worm traffic to generate worm traffic features and sending the worm traffic features to an evaluation engine;
the evaluation module is used for enabling the evaluation engine to evaluate based on the worm flow characteristics and determining a detection result;
wherein the scheduling engine performs matching of service resources to determine a target worm feature generator corresponding to the traffic request, comprising:
the scheduling engine searches the resource information database, according to the resource demand description information, for a plurality of worm feature generators to be selected that are capable of providing the service; and
selecting a target worm feature generator from the plurality of worm feature generators to be selected according to a preset resource allocation algorithm, and determining the target worm feature generator;
the selecting the target worm feature generator from the plurality of worm feature generators to be selected according to a preset resource allocation algorithm, and determining the target worm feature generator comprises the following steps:
determining the comprehensive index value of each worm feature generator to be selected according to a preset resource allocation algorithm, and selecting the worm feature generator to be selected corresponding to the largest comprehensive evaluation index value from the worm feature generators to be selected as the target worm feature generator;
wherein, determining the comprehensive index value of each worm feature generator to be selected according to a preset resource allocation algorithm comprises the following steps:
determining the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected according to a preset resource allocation algorithm, and determining experience coefficients corresponding to the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected respectively;
determining the reliability of each worm feature generator to finish the task based on the task completion rate and the online rate of each worm feature generator to be selected;
determining the availability of each worm feature generator to be selected, and acquiring the detection accuracy of each worm feature generator to be selected;
determining the resource computing capacity of each worm feature generator to be selected based on the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected, the reliability of the task completion of each worm feature generator to be selected, and the experience coefficients corresponding to the processing capacity, the communication capacity and the storage capacity of each worm feature generator to be selected respectively; and
and determining the comprehensive index value of each worm feature generator to be selected based on the resource computing capability, availability and detection accuracy of each worm feature generator to be selected.
CN202310873286.3A 2023-07-17 2023-07-17 Network worm detection method, system, storage medium and electronic equipment Active CN116760624B (en)

Publications (2)

Publication Number Publication Date
CN116760624A CN116760624A (en) 2023-09-15
CN116760624B true CN116760624B (en) 2024-02-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant