CN116938606B - Network traffic detection method and device - Google Patents

Network traffic detection method and device

Info

Publication number: CN116938606B
Authority: CN (China)
Prior art keywords: detection, network traffic, scene, alarm, operator set
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202311202547.5A
Other languages: Chinese (zh)
Other versions: CN116938606A
Inventors: 姚战伟, 朱文雷
Current assignee: Beijing Chaitin Tech Co ltd
Original assignee: Beijing Chaitin Tech Co ltd
Application filed by Beijing Chaitin Tech Co ltd; priority to CN202311202547.5A; published as CN116938606A; application granted and published as CN116938606B

Classifications

    • H04L 63/1408: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 41/0631: Arrangements for maintenance, administration or management of data switching networks; management of faults, events, alarms or notifications using root cause analysis or analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 63/1441: Network architectures or network communication protocols for network security; countermeasures against malicious traffic
    • H04L 9/40: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application provide a network traffic detection method and device in the technical field of network security. The method comprises: acquiring network traffic and detection scenarios; grouping the network traffic according to the detection scenarios to obtain a first group and a second group of network traffic; determining a first operator set for a first detection scenario and a second operator set for a second detection scenario; in the first detection scenario, running the operators of the first operator set one by one over the first group of network traffic to obtain first alarm detection information; in the second detection scenario, acquiring the detection results already obtained for those operators of the second operator set that also belong to the first operator set, and running only the remaining operators of the second operator set one by one over the second group of network traffic to obtain second alarm detection information; summarizing and analyzing the first and second alarm detection information; and executing a corresponding security protection policy according to the result of the summary analysis.

Description

Network traffic detection method and device
Technical Field
The embodiments of the application belong to the technical field of network security and in particular relate to a network traffic detection method and device.
Background
An intrusion detection system collects network traffic data and analyzes whether the traffic contains intrusion attacks. To decide whether a particular type of intrusion attack is present, several operators dedicated to that attack type are usually run over the network traffic, and the verdict is derived from the detection result of each operator.
However, the operators used to detect different attack types partly overlap: a given operator may be used in the detection of several attack types. Existing intrusion detection methods simply run every operator of a detection scenario in sequence for each attack type, so an operator shared by several scenarios is executed once in every scenario. This wastes computing resources and reduces the efficiency of network traffic detection.
Disclosure of Invention
The application provides a network traffic detection method and device to solve the problems of the prior art that computing resources are wasted and the efficiency of network traffic detection is reduced.
In a first aspect, the present application provides a network traffic detection method, including:
acquiring network traffic and detection scenarios, wherein the detection scenarios comprise a first detection scenario and a second detection scenario;
grouping the network traffic according to the detection scenarios to obtain a first group of network traffic and a second group of network traffic, wherein the first group corresponds to the first detection scenario and the second group corresponds to the second detection scenario;
determining a first operator set for the first detection scenario and a second operator set for the second detection scenario;
in the first detection scenario, running the operators of the first operator set one by one over the first group of network traffic to obtain first alarm detection information;
in the second detection scenario, acquiring the detection results already obtained for those operators of the second operator set that also belong to the first operator set, and running the remaining operators of the second operator set one by one over the second group of network traffic to obtain second alarm detection information;
performing a summary analysis of the first alarm detection information and the second alarm detection information;
and executing a corresponding security protection policy according to the result of the summary analysis.
In a second aspect, the present application provides a network traffic detection apparatus, including:
an acquiring module for acquiring network traffic and detection scenarios, wherein the detection scenarios comprise a first detection scenario and a second detection scenario;
a grouping module for grouping the network traffic according to the detection scenarios to obtain a first group of network traffic and a second group of network traffic, wherein the first group corresponds to the first detection scenario and the second group corresponds to the second detection scenario;
a first determining module configured to determine a first operator set for the first detection scenario and a second operator set for the second detection scenario;
a first detection module for running, in the first detection scenario, the operators of the first operator set one by one over the first group of network traffic to obtain first alarm detection information;
a second detection module for acquiring, in the second detection scenario, the detection results of those operators of the second operator set that also belong to the first operator set, and running the remaining operators of the second operator set one by one over the second group of network traffic to obtain second alarm detection information;
a summarizing module for performing a summary analysis of the first alarm detection information and the second alarm detection information;
and an execution module for executing a corresponding security protection policy according to the result of the summary analysis.
Compared with the prior art, the application has at least the following beneficial effect:
in a subsequent detection scenario, the detection results of the operators shared with a previous detection scenario are acquired first and only the remaining operators are run, so the shared operators are not recalculated, computing resources are saved, and the efficiency of network traffic detection is improved.
Drawings
Fig. 1 is a flow chart of a network traffic detection method provided by the present application.
Fig. 2 is a schematic structural diagram of a network traffic detection method according to the present application.
Fig. 3 is a schematic structural diagram of a network traffic detection device according to the present application.
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. Some specific embodiments of the application will be described in detail hereinafter by way of example and not by way of limitation with reference to the accompanying drawings.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions according to the embodiments of the present application with reference to the accompanying drawings. It will be apparent that the described embodiments are merely some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
In a first aspect, referring to Fig. 1, a flow chart of a network traffic detection method according to an embodiment of the present application is shown.
The application provides a network traffic detection method comprising the following steps:
S101: acquire network traffic and detection scenarios.
A detection scenario can be understood as a type of network attack to be detected; one detection scenario corresponds to the detection of one attack type. For example, a first detection scenario corresponds to detecting DoS attacks, a second detection scenario to detecting malware propagation attacks, a third detection scenario to detecting virus attacks, and so on.
The detection scenarios comprise a first detection scenario and a second detection scenario. The specific number of detection scenarios is not limited in the present application: there may be only these two, or further detection scenarios (a third, a fourth, a fifth and so on) may be included.
Specifically, the network data packets of a host can be captured with network traffic monitoring tools such as Wireshark, tcpdump and tshark in order to analyze and monitor the network traffic.
In practice, the specific detection scenarios are chosen according to actual needs, which the application does not limit.
S102: and grouping the network traffic according to the detection scene to obtain a first group of network traffic and a second group of network traffic.
The first group of network traffic corresponds to a first detection scene, and the second group of network traffic corresponds to a second detection scene.
It will be appreciated that in some detection scenario, only the portion of the network traffic that is relevant to the detection scenario needs to be detected, so the network traffic needs to be grouped according to the detection scenario.
In one possible implementation, S102 specifically includes:
dividing the network traffic into groups corresponding to the first detection scene and the second detection scene according to the subscription list configuration files of the first detection scene and the second detection scene, and obtaining a first group of network traffic and a second group of network traffic.
Specifically, the subscription list profile defines the mapping relationship between different detection scenarios and KafkaTopic. According to the different inspection scenes, the log copies of the network data are written into different kafkatopics. The consumer application may subscribe to multiple topics and then group network traffic according to the detection scenario.
The subscription list configuration file can adopt various formats, such as JSON, YAML and the like, and the specific format of the subscription list configuration file is not limited by the application.
S103: a first set of operators in a first detection scenario and a second set of operators in a second detection scenario are determined.
It should be noted that, the operators used in the present application include: intrusion detection rules, pattern matching engines, machine learning models, statistical analysis tools, etc.
Specifically, the required operators can be determined according to the requirements of the detection scene, the specific threat types, attack modes and abnormal behaviors to be detected, and the operators are combined into an operator set.
S104: in a first detection scene, operators in a first operator set are operated one by one, and first group of network traffic is detected to obtain first alarm detection information.
Wherein the first alert detection information may determine whether the system is subject to a network attack corresponding to the first inspection scenario.
S105: in a second detection scene, acquiring a detection result of operators in the second operator set, which are repeated with the first operator set, and running the rest operators in the second operator set one by one to detect the second group of network traffic so as to acquire second alarm detection information.
Referring to fig. 2, a schematic structural diagram of a network traffic detection method according to an embodiment of the present application is shown.
In Fig. 2, the first operator set of the first detection scenario contains operators A, B and C, and the second operator set of the second detection scenario contains operators A, B and D. The two sets overlap in operators A and B, so in the second detection scenario the detection results of A and B are first taken from the first detection scenario, and only the remaining operator D is run to complete the detection of the second group of network traffic.
The second alarm detection information indicates whether the system is subject to the network attack corresponding to the second detection scenario.
S106: and carrying out summarization analysis on the first alarm detection information and the second alarm detection information.
It should be noted that, by summarizing and analyzing the alarm information of the first and second detection scenarios, a more comprehensive threat view may be obtained. This helps identify complex attacks across multiple detection scenarios, as an attacker may take multiple steps or multiple ways to invade the system. Further, comprehensive analysis can enhance the accuracy of the detection. By cross-verifying the alarm information in different scenarios, it can be more reliably determined whether the system is under network attack. For example, if a first scene detects some anomaly and operators in a second scene also detect the same anomaly, then the presence of a potential threat may be determined with more confidence.
In one possible implementation, before S106 the method further comprises:
adding a third detection scenario;
determining a third operator set for the third detection scenario;
determining whether operators of the third operator set duplicate operators of the existing first operator set and second operator set;
in the third detection scenario, acquiring the detection results of those operators of the existing first and second operator sets that also belong to the third operator set, and running the remaining operators of the third operator set one by one to detect the network traffic and obtain third alarm detection information.
When a third detection scenario is added, the same processing logic applies: the detection results of the operators shared with the earlier first and second operator sets are acquired, the remaining operators of the third operator set are run one by one, and no shared operator is recalculated, which saves computing resources and improves the efficiency of network traffic detection.
With continued reference to fig. 2, a schematic structural diagram of a network traffic detection method according to an embodiment of the present application is shown.
In Fig. 2, the first operator set of the first detection scenario contains operators A, B and C; the second operator set of the second detection scenario contains operators A, B and D; and the third operator set of the third detection scenario contains operators C, D and E. The third operator set overlaps with the earlier sets: operator C is shared with the first set and operator D with the second. In the third detection scenario, the detection result of operator C is therefore taken from the first detection scenario and that of operator D from the second, and only the remaining operator E is run to complete the detection of the third group of network traffic.
S106 then specifically comprises: performing a summary analysis of the first alarm detection information, the second alarm detection information and the third alarm detection information.
It should be noted that summarizing and analyzing the alarm information of the first, second and third detection scenarios yields a more comprehensive threat view, helps identify complex attacks that span several detection scenarios, and improves detection accuracy by cross-checking the alarm information of the different scenarios. For example, if the first detection scenario detects an anomaly and an operator in the second or third detection scenario detects the same anomaly, the presence of a potential threat can be asserted with more confidence.
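The following Python block is an added example, written for this page and not code from the patent or from Chaitin. It ties together S102 to S105 and the third-scenario extension above: a constructed subscription list (JSON; scenario and topic names are assumed) maps topics back to detection scenarios, constructed traffic records are grouped by scenario, and the three operator sets of Fig. 2 (A, B, C / A, B, D / C, D, E) are run in order while results already computed in an earlier scenario are reused. It goes slightly beyond the text in one respect: the reuse cache is keyed by operator and by flow identifier, because a result from the first scenario is only valid for the same input record, and only when the operator is a pure function of that record. The operators, the blocklist and the records are all constructed for the example.

```python
"""Added example (not the patent's or Chaitin's code): group traffic records by
detection scenario from a subscription list, then run each scenario's operator
set while reusing results of operators already evaluated in an earlier scenario."""
import json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed subscription list (JSON, names assumed): detection scenario -> Kafka topic.
SUBSCRIPTION_LIST = json.loads("""
{
  "scene_dos":     {"topic": "traffic.dos"},
  "scene_malware": {"topic": "traffic.malware"},
  "scene_virus":   {"topic": "traffic.virus"}
}
""")

# Constructed log copies of traffic records as a consumer would read them from the
# topics. One record may be published to several topics, so a flow_id can repeat.
RECORDS = [
    {"topic": "traffic.dos",     "flow_id": "f1", "src": "198.51.100.7", "pps": 9000, "payload": ""},
    {"topic": "traffic.dos",     "flow_id": "f2", "src": "203.0.113.9",  "pps": 12,   "payload": "GET / HTTP/1.1"},
    {"topic": "traffic.malware", "flow_id": "f1", "src": "198.51.100.7", "pps": 9000, "payload": ""},
    {"topic": "traffic.malware", "flow_id": "f3", "src": "203.0.113.44", "pps": 30,   "payload": "MZ\x90\x00..."},
    {"topic": "traffic.virus",   "flow_id": "f3", "src": "203.0.113.44", "pps": 30,   "payload": "MZ\x90\x00..."},
    {"topic": "traffic.virus",   "flow_id": "f4", "src": "192.0.2.5",    "pps": 8,    "payload": "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"},
]

BLOCKLIST = {"203.0.113.44"}  # constructed reputation list used by operator B

# Operators: each is a pure function of one record and returns a finding label or None.
def op_rate_anomaly(r: dict) -> Optional[str]:
    return "rate_anomaly" if r["pps"] > 1000 else None

def op_bad_source(r: dict) -> Optional[str]:
    return "bad_source" if r["src"] in BLOCKLIST else None

def op_pe_header(r: dict) -> Optional[str]:
    return "pe_executable" if r["payload"].startswith("MZ") else None

def op_eicar(r: dict) -> Optional[str]:
    return "eicar_signature" if "EICAR" in r["payload"] else None

def op_http_probe(r: dict) -> Optional[str]:
    return "http_probe" if "HTTP/" in r["payload"] else None

OPERATORS: Dict[str, Callable[[dict], Optional[str]]] = {
    "A": op_rate_anomaly, "B": op_bad_source, "C": op_pe_header,
    "D": op_eicar, "E": op_http_probe,
}

# Operator sets per scenario, laid out as in Fig. 2: A,B,C / A,B,D / C,D,E.
# A third scenario added later is simply one more entry; no engine change is needed.
SCENE_OPERATORS = {
    "scene_dos":     ["A", "B", "C"],
    "scene_malware": ["A", "B", "D"],
    "scene_virus":   ["C", "D", "E"],
}

def group_by_scene(records: List[dict], subscription_list: dict) -> Dict[str, List[dict]]:
    """S102: map each record's topic back to its detection scenario."""
    topic_to_scene = {v["topic"]: scene for scene, v in subscription_list.items()}
    groups: Dict[str, List[dict]] = {scene: [] for scene in subscription_list}
    for r in records:
        scene = topic_to_scene.get(r["topic"])
        if scene is not None:          # records on unknown topics are ignored
            groups[scene].append(r)
    return groups

def run_scenarios(groups, scene_operators, operators) -> Tuple[List[dict], Dict[str, int]]:
    """S104/S105: run each scenario's operators one by one, reusing cached results.
    The cache is keyed by (operator, flow_id): a result from an earlier scenario is
    only valid for the same input record, and only if the operator is stateless.
    Operators that keep windowed state (rate counters, adaptive models) must be
    excluded from the cache or keyed on their state as well."""
    cache: Dict[Tuple[str, str], Optional[str]] = {}
    alarms: List[dict] = []
    stats = {"computed": 0, "reused": 0}
    for scene, op_names in scene_operators.items():
        for name in op_names:
            for r in groups[scene]:
                key = (name, r["flow_id"])
                if key in cache:
                    stats["reused"] += 1
                else:
                    cache[key] = operators[name](r)
                    stats["computed"] += 1
                if cache[key] is not None:
                    alarms.append({"scene": scene, "operator": name, "flow_id": r["flow_id"],
                                   "src": r["src"], "finding": cache[key]})
    return alarms, stats

if __name__ == "__main__":
    groups = group_by_scene(RECORDS, SUBSCRIPTION_LIST)
    alarms, stats = run_scenarios(groups, SCENE_OPERATORS, OPERATORS)
    for a in alarms:
        print(a)
    print(stats)   # 15 operator evaluations instead of the 18 a naive run would do
```

On the constructed input, flow f1 appears in both the DoS and malware groups and f3 in both the malware and virus groups, so three operator evaluations are served from the cache; the alarms are still recorded against the scenario that asked for them, which is what the later summary analysis needs.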
In one possible embodiment, S106 specifically comprises S1061 and S1062:
S1061: merge and count the alarm detection information that has the same source and the same attack mode within each detection scenario;
In the application, merging and counting alarms with the same source and attack mode reduces the noise level. In some network environments many similar alarms are generated, possibly by the same attacker or the same malicious activity; the merge count filters out these redundant alarms so that the security team can focus on the important threats.
Furthermore, because alarm detection information with the same source and the same attack mode is merged and counted in every detection scenario, each attack event is counted only once, which improves the accuracy of the subsequent network attack frequency statistics.
In one possible implementation, sub-step S1061 specifically comprises sub-steps S10611 and S10612:
S10611: combine the source information and the attack mode information of the detection information and record them in a target field.
In the application, combining the source information and the attack mode information into a target field makes the data clearer and easier to understand: the key information of each alarm, namely its attack source and attack mode, can be read directly, which supports deeper analysis and understanding of the network attacks.
S10612: merge repeated values of the target field and count the number of merged records.
In the application, merging repeated values and counting them determines the attack frequency of specific attack sources and attack modes, which shows which attacks are most frequent and which are likely to pose a larger threat, so that corresponding defensive measures can be taken.
S1062: count the frequency of network attacks from a target source within a preset time range.
The frequency of network attacks refers to the number of network attack events occurring within a certain time range; it measures the threat level faced by a specific network or system and how active the attack is.
In the application, counting the attack frequency gives a clearer threat view, helps determine which attack sources are most active, identifies the attacks likely to pose a larger threat, and thereby helps optimize security policies and response measures.
In one possible implementation, after S1061, S106 further comprises:
S1063: add a mark to the alarm detection information that has been merged and counted, the mark indicating that this alarm detection information has already been merged and counted.
Alternatively, the mark may be a text mark such as "processed", a symbol mark, or a colour mark such as blue.
In the application, the added mark clearly indicates which alarm detection information has been merged and counted, which helps distinguish unprocessed original alarms from merged alarms in the data set and improves the readability and manageability of the data. Further, once the alarm detection information is marked, the same merge operation is not repeated on data that has already been merged and counted. This saves computing resources and processing time, particularly in large-scale network traffic monitoring systems, where avoiding duplicate processing improves efficiency.
S107: and executing a corresponding safety protection strategy according to the summarized analysis result.
Specifically, the threats need to be classified and prioritized according to the results of the summary analysis. Based on threat classification, a series of security policies and rules are established, for example, as follows: (1) defensive measures: such as blocking particular attack sources, restricting access to particular traffic or protocols, closing vulnerabilities or vulnerabilities, and the like. (2) alerts and notifications: conditions are defined that trigger an alarm to send a notification to the relevant personnel when a threat is detected. (3) automated response: automated response rules are established, such as automatically blocking or quarantining the attacked system or host to prevent further threat propagation. (4) upgrading and maintaining: ensuring that security policies are updated and reviewed regularly to accommodate new threats and vulnerabilities.
Further, the threat level (e.g., low, medium, high) may be defined or prioritized based on specific attributes of the threat (e.g., attack type, attack source, attack target).
In one possible implementation, S107 is specifically: when the frequency of network attack by the target source is greater than the preset frequency, intercepting the network traffic initiated by the target source.
The size of the preset frequency can be set by a person skilled in the art according to practical situations, and the application is not limited.
In the application, the ongoing attack can be quickly prevented by automatically intercepting the target source of the frequent attack, thereby reducing the influence of the potential threat on the system and the network and being beneficial to reducing the damage of the attacker on the attacked system.
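The following Python block is an added example, written for this page and not code from the patent or from Chaitin. It walks S10611, S10612, S1063, S1062 and the frequency-threshold form of S107 above over a constructed batch of alarms: the source and attack mode are combined into one target field, repeated target values are merged and counted, the merged records carry the "processed" mark so that a second pass cannot double count them, the attack frequency of each source inside a preset window is computed, and the sources above the preset frequency are selected for interception. Two readings are mine rather than the patent's: an attack "event" is identified by its flow identifier, so the same flow reported by two scenarios counts once, and the window and threshold values (60 s, 3) are assumed. A practitioner would also keep in mind that interception keyed on a source address is only as good as that address: spoofed sources in a flood, or many users behind one NAT, can turn an automatic block into collateral damage, so the threshold and the block duration deserve care.

```python
"""Added example (not the patent's or Chaitin's code): merge alarms that share a
source and attack mode into one counted record, mark merged records, count the
attack frequency of each source inside a preset time window, and pick the sources
whose frequency exceeds the preset threshold for interception."""
from collections import defaultdict
from typing import Dict, List

WINDOW_SECONDS = 60     # preset time range (assumed value)
PRESET_FREQUENCY = 3    # preset frequency threshold (assumed value)
MARK = "processed"      # the text mark of S1063

# Constructed raw alarms as the detection scenarios would emit them (timestamps in
# seconds). The same flow detected in two scenarios produces two raw alarms for
# what is one attack event, which is what the merge step has to collapse.
RAW_ALARMS = [
    {"ts": 1000, "scene": "scene_dos",     "src": "198.51.100.7", "attack_mode": "syn_flood",  "flow_id": "f1"},
    {"ts": 1001, "scene": "scene_malware", "src": "198.51.100.7", "attack_mode": "syn_flood",  "flow_id": "f1"},
    {"ts": 1010, "scene": "scene_dos",     "src": "198.51.100.7", "attack_mode": "syn_flood",  "flow_id": "f5"},
    {"ts": 1020, "scene": "scene_dos",     "src": "198.51.100.7", "attack_mode": "syn_flood",  "flow_id": "f6"},
    {"ts": 1030, "scene": "scene_dos",     "src": "198.51.100.7", "attack_mode": "syn_flood",  "flow_id": "f7"},
    {"ts": 1025, "scene": "scene_virus",   "src": "203.0.113.44", "attack_mode": "pe_dropper", "flow_id": "f3"},
    {"ts": 1026, "scene": "scene_malware", "src": "203.0.113.44", "attack_mode": "pe_dropper", "flow_id": "f3"},
    {"ts": 900,  "scene": "scene_dos",     "src": "192.0.2.5",    "attack_mode": "syn_flood",  "flow_id": "f8"},
    {"ts": 1035, "scene": "scene_dos",     "src": "192.0.2.5",    "attack_mode": "port_scan",  "flow_id": "f9"},
]

def target_field(alarm: dict) -> str:
    """S10611: combine source and attack mode into a single target field."""
    return f'{alarm["src"]}|{alarm["attack_mode"]}'

def merge_alarms(alarms: List[dict]) -> List[dict]:
    """S10612 and S1063: merge repeated target-field values, count them, and mark
    the merged records. Records that already carry the mark are skipped so a
    second pass over the same data cannot double count."""
    merged: Dict[str, dict] = {}
    for a in alarms:
        if a.get("mark") == MARK:
            continue
        key = target_field(a)
        rec = merged.setdefault(key, {
            "target": key, "src": a["src"], "attack_mode": a["attack_mode"],
            "raw_alarms": 0, "events": {}, "scenes": set(), "mark": MARK,
        })
        rec["raw_alarms"] += 1
        rec["scenes"].add(a["scene"])
        # One attack event per flow, keyed by flow_id; keep the earliest time it was seen.
        rec["events"][a["flow_id"]] = min(a["ts"], rec["events"].get(a["flow_id"], a["ts"]))
    return list(merged.values())

def attack_frequency(merged: List[dict], now: int, window: int = WINDOW_SECONDS) -> Dict[str, int]:
    """S1062: number of distinct attack events per source inside [now - window, now]."""
    freq: Dict[str, int] = defaultdict(int)
    for rec in merged:
        freq[rec["src"]] += sum(1 for t in rec["events"].values() if now - window <= t <= now)
    return dict(freq)

def sources_to_intercept(freq: Dict[str, int], threshold: int = PRESET_FREQUENCY) -> List[str]:
    """S107: sources whose attack frequency exceeds the preset frequency."""
    return sorted(src for src, n in freq.items() if n > threshold)

if __name__ == "__main__":
    merged = merge_alarms(RAW_ALARMS)
    for rec in merged:
        print(rec["target"], "raw alarms:", rec["raw_alarms"],
              "events:", len(rec["events"]), "mark:", rec["mark"])
    freq = attack_frequency(merged, now=1040)
    print(freq)
    print("intercept:", sources_to_intercept(freq))
```

On the constructed batch, 198.51.100.7 produced five raw syn_flood alarms but only four distinct events, so its frequency in the window ending at t = 1040 is 4 and it crosses the threshold; 203.0.113.44 was reported by two scenarios for one flow and counts once; the old alarm from 192.0.2.5 at t = 900 falls outside the window and does not count.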
In one possible implementation, S106 further comprises:
S1064: determine the attack type, the attack stage and the threat type of the current network attack.
The attack type refers to the specific attack technique or method used by the attacker to achieve a malicious purpose. Different attack types typically exploit different vulnerabilities or attack vectors. For example, attack types may include DoS, DDoS, malware attacks, virus attacks and the like.
The attack stage refers to the different execution steps or phases of a network attack. An attacker typically takes a series of steps to reach the goal; the attack stages may for example include reconnaissance, intrusion, spreading, execution, persistence and cleanup.
The threat type refers to the nature or classification of the network threat, typically based on the intent and motivation of the attacker. Threat types may for example include malicious threats, spyware threats and the like.
S107 then specifically is: execute a corresponding security protection policy according to the attack type, attack stage, threat type and attack frequency of the current network attack.
In the present application, knowing the specific type, stage and threat attributes of an attack allows the appropriate protection policy to be selected more precisely. Tailoring the security policy to the threat type and attack attributes minimizes the potential risk and helps mitigate the impact of the attack on the system and its data.
In one possible embodiment, S107 specifically comprises sub-steps S1071 and S1072:
S1071: send a security protection instruction to the linked security devices and firewall devices.
S1072: execute the corresponding security protection policy jointly with the linked security devices and firewall devices.
In the application, executing the security protection policy through the linked security devices and firewall devices achieves automated security control and protection. The linked security devices and firewall devices cooperate to provide comprehensive network protection: different devices provide protection at different levels and together build a multi-layer defence. The linkage design also optimizes the use of network resources and ensures that the performance of the network devices is used well, which improves the overall efficiency of network resource usage.
Further, blocking devices (for example firewalls) and detection devices (for example intrusion detection systems) consume significant computing and network resources when handling large amounts of network traffic. If alarms are triggered frequently, these devices may degrade or even crash under the load. The linkage system of the application processes alarms more intelligently and concentrates resources on real threats, reducing the resource consumption problem.
In a second aspect, referring to fig. 3, a schematic structural diagram of a network traffic detection device according to an embodiment of the present application is shown.
The present application provides a network traffic detection device 30, comprising:
the acquiring module 301 is configured to acquire a network traffic and a detection scenario, where the detection scenario includes a first detection scenario and a second detection scenario;
the grouping module 302 is configured to group network traffic according to a detection scenario, so as to obtain a first group of network traffic and a second group of network traffic, where the first group of network traffic corresponds to a first detection scenario and the second group of network traffic corresponds to a second detection scenario;
a first determining module 303, configured to determine a first operator set in a first detection scenario and a second operator set in a second detection scenario;
a first detection module 304, configured to detect, in a first detection scenario, a first group of network traffic by running operators in a first operator set one by one, to obtain first alarm detection information;
the second detection module 305 is configured to obtain, in a second detection scenario, a detection result of an operator in the second operator set, which is repeated with the first operator set, and operate remaining operators in the second operator set one by one, and detect a second group of network traffic, so as to obtain second alarm detection information;
the summarizing module 306 is configured to perform summarizing analysis on the first alarm detection information and the second alarm detection information;
and the execution module 307 is configured to execute a corresponding security protection policy according to the summary analysis result.
In one possible implementation, the grouping module 302 is specifically configured to:
dividing the network traffic into groups corresponding to the first detection scene and the second detection scene according to the subscription list configuration files of the first detection scene and the second detection scene, and obtaining a first group of network traffic and a second group of network traffic.
In one possible implementation, the network traffic detection device 30 further includes:
an adding module, configured to add a third detection scenario;
an analysis module, configured to analyze a third operator set of the third detection scenario;
a second determining module, configured to determine whether an operator in the third operator set duplicates an operator already present in the first operator set or the second operator set;
a third detection module, configured to obtain, in the third detection scenario, the detection results of those operators in the existing first operator set and second operator set that also appear in the third operator set, run the remaining operators in the third operator set one by one, and detect the network traffic to obtain third alarm detection information;
the summarizing module 306 is specifically configured to:
perform summary analysis on the first alarm detection information, the second alarm detection information and the third alarm detection information.
In one possible implementation, the summarization module 306 is specifically configured to:
merging and counting, in each detection scenario, the alarm detection information having the same source and the same attack mode;
and counting the frequency of network attacks from the target source within a preset time range.
In one possible implementation, the summarization module 306 is specifically configured to:
combining the source information and the attack mode information in the detection information and recording them in a target field;
and merging repeated values in the target field, and counting the number of merges.
In one possible implementation, the summarization module 306 is specifically configured to:
and adding a mark to the alarm detection information that has been merged and counted, where the mark indicates that the alarm detection information has been merged and counted.
In one possible implementation, the execution module 307 is specifically configured to:
when the frequency of network attack by the target source is greater than the preset frequency, intercepting the network traffic initiated by the target source.
In one possible implementation, the network traffic detection device 30 further includes:
the third determining module is used for determining the attack type, the attack stage and the threat type of the current network attack;
the execution module 307 is specifically configured to execute a corresponding security protection policy according to an attack type, an attack stage, a threat type, and an attack frequency of the current network attack.
In one possible implementation, the execution module 307 is specifically configured to:
sending a security protection instruction to the linked security equipment and the firewall equipment;
and executing the corresponding security protection policy jointly with the linked security equipment and the firewall equipment.
The network traffic detection device 30 provided by the present application can implement each process of the above method embodiment; to avoid repetition, the description is not repeated here.
The virtual device provided by the application can be a device, and can also be a component, an integrated circuit or a chip in a terminal.
Compared with the prior art, the present application has at least the following beneficial effect:
in a subsequent detection scenario, the detection results of the operators it shares with a previous detection scenario are acquired first, and only the remaining operators are then run, so that the shared operators are not recalculated, computing resources are saved, and the efficiency of network traffic detection is improved.
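As an added illustration (not code from the patent or its applicant), the following Python sketch implements the flow the description lays out: grouping by subscription list, a cache so that an operator shared by two scenarios is evaluated once per packet, merging of alarms by source and attack mode into a target field with a merge mark, frequency counting within a preset time range, and interception of a source whose frequency exceeds a preset value. The operators, packet fields, subscription tags, timestamps and thresholds are all constructed assumptions.

```python
"""Added illustration (not the patent's own code) of the described flow: scenario grouping via
subscription lists, an operator shared by two scenarios run once per packet and reused from a
cache, alarm merging by (source, attack mode), windowed frequency counting and a block decision."""
from collections import Counter, defaultdict

SUBSCRIPTIONS = {"scene1": {"web"}, "scene2": {"web", "dns"}}  # constructed subscription lists
# Constructed operators: each maps a packet to an attack mode or None.
def op_sqli(p):   return "sqli" if "' OR 1=1" in p["payload"] else None
def op_scan(p):   return "scan" if p["flags"] == "S" and p["dport"] > 1000 else None
def op_dnstun(p): return "dns_tunnel" if p["tag"] == "dns" and len(p["payload"]) > 60 else None
# op_sqli appears in both sets: the "repeated operator" whose result is reused.
OPERATOR_SETS = {"scene1": [op_sqli, op_scan], "scene2": [op_sqli, op_dnstun]}

def group_traffic(packets):
    """Grouping step: a packet joins every scenario whose subscription list has its tag."""
    groups = defaultdict(list)
    for p in packets:
        for scene, tags in SUBSCRIPTIONS.items():
            if p["tag"] in tags:
                groups[scene].append(p)
    return groups

def detect(packets):
    """Run scenarios in order; an operator already evaluated on a packet in an
    earlier scenario is read from the cache instead of being run again."""
    cache, runs, alarms = {}, Counter(), []  # cache: (operator name, packet id) -> result
    groups = group_traffic(packets)
    for scene, ops in OPERATOR_SETS.items():
        for p in groups[scene]:
            for op in ops:
                key = (op.__name__, p["id"])
                if key not in cache:  # only the remaining (not yet run) operators execute
                    cache[key] = op(p)
                    runs[op.__name__] += 1
                if cache[key]:
                    alarms.append({"scene": scene, "src": p["src"], "mode": cache[key], "ts": p["ts"]})
    return alarms, runs

def summarize(alarms, now, window):
    """Merge alarms with the same source and attack mode into a target field, count the
    merges, mark merged records, and count attacks per source within [now - window, now]."""
    target = Counter(f"{a['src']}|{a['mode']}" for a in alarms)
    for a in alarms:
        a["merged"] = target[f"{a['src']}|{a['mode']}"] > 1
    freq = Counter(a["src"] for a in alarms if now - window <= a["ts"] <= now)
    return target, freq

def sources_to_block(freq, preset_frequency):
    """Protection policy: intercept sources that attacked more often than the preset frequency."""
    return sorted(src for src, n in freq.items() if n > preset_frequency)

PACKETS = [  # constructed sample traffic, not a real capture
    {"id": 0, "tag": "web", "src": "10.0.0.9", "dport": 80, "flags": "PA", "payload": "GET /?q=' OR 1=1", "ts": 10},
    {"id": 1, "tag": "web", "src": "10.0.0.5", "dport": 80, "flags": "PA", "payload": "GET /?id=1' OR 1=1--", "ts": 100},
    {"id": 2, "tag": "web", "src": "10.0.0.5", "dport": 80, "flags": "PA", "payload": "GET /?id=2' OR 1=1--", "ts": 105},
    {"id": 3, "tag": "web", "src": "10.0.0.9", "dport": 8080, "flags": "S", "payload": "", "ts": 110},
    {"id": 4, "tag": "dns", "src": "10.0.0.7", "dport": 53, "flags": "", "payload": "a" * 70 + ".example.net", "ts": 120},
]
```

On this sample, `detect(PACKETS)` performs 14 operator evaluations instead of the 18 a naive per-scenario run would need, because `op_sqli` is read from the cache for the four web packets in scene2. With `summarize(alarms, now=130, window=60)` the old alarm at ts 10 falls outside the range, and `sources_to_block(freq, 3)` returns only `10.0.0.5`.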
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. A method for detecting network traffic, comprising:
acquiring network traffic and detection scenes, wherein the detection scenes comprise a first detection scene and a second detection scene;
grouping the network flows according to detection scenes to obtain a first group of network flows and a second group of network flows, wherein the first group of network flows corresponds to the first detection scenes, and the second group of network flows corresponds to the second detection scenes;
determining a first operator set in the first detection scene and a second operator set in the second detection scene, wherein the required operators are determined according to the requirements of the detection scene, namely the specific threat types, attack modes and abnormal behaviors to be detected, and the required operators form an operator set;
in the first detection scene, detecting the first group of network traffic by operating operators in the first operator set one by one to obtain first alarm detection information;
in the second detection scene, acquiring the detection results of the operators in the second operator set that are repeated with the first operator set, running the remaining operators in the second operator set one by one, and detecting the second group of network traffic to obtain second alarm detection information;
performing summarized analysis on the first alarm detection information and the second alarm detection information;
and executing a corresponding safety protection strategy according to the summarized analysis result.
2. The method for detecting network traffic according to claim 1, wherein the grouping the network traffic according to a detection scenario specifically comprises:
dividing the network traffic into groups corresponding to the first detection scene and the second detection scene according to subscription list configuration files of the first detection scene and the second detection scene, so as to obtain the first group of network traffic and the second group of network traffic.
3. The network traffic detection method according to claim 1, further comprising, before performing a summary analysis on the detection information in each detection scenario:
adding a third detection scene;
determining a third operator set under the third detection scene;
determining whether an operator in the third operator set is repeated with an operator in the existing first operator set or second operator set;
in the third detection scene, acquiring the detection results of the operators in the existing first operator set and second operator set that are repeated with the third operator set, running the remaining operators in the third operator set one by one, and detecting a third group of network traffic corresponding to the third detection scene to obtain third alarm detection information;
the summary analysis of the first alarm detection information and the second alarm detection information specifically includes:
and carrying out summarization analysis on the first alarm detection information, the second alarm detection information and the third alarm detection information.
4. The network traffic detection method according to claim 1, wherein the performing a summary analysis on the first alarm detection information and the second alarm detection information specifically includes:
combining and counting the first alarm detection information and the second alarm detection information which are of the same source and attack mode in the first detection scene;
and counting the frequency of network attacks from the target sources within a preset time range.
5. The method for detecting network traffic according to claim 4, wherein the merging and counting the first alarm detection information and the second alarm detection information which are of the same source and attack mode in the first detection scene specifically includes:
combining source information and attack mode information in the detection information and recording the source information and the attack mode information in a target field;
and merging repeated values in the target field, and counting the number of merging.
6. The method of claim 4, further comprising, after the first alarm detection information and the second alarm detection information which are of the same source and attack mode in the first detection scene are merged and counted:
adding a mark in the first alarm detection information and the second alarm detection information which are subjected to the combination counting, wherein the mark is used for indicating that the first alarm detection information and the second alarm detection information are subjected to the combination counting.
7. The method for detecting network traffic according to claim 4, wherein the executing the corresponding security protection policy according to the summary analysis result specifically comprises:
when the frequency of network attack by the target source is greater than a preset frequency, intercepting the network traffic initiated by the target source.
8. The method for detecting network traffic according to claim 4, wherein the performing the summary analysis on the first alarm detection information and the second alarm detection information specifically further comprises:
determining the attack type, attack stage and threat type of the current network attack;
and the executing a corresponding security protection policy according to the summarized analysis result specifically comprises:
and executing a corresponding security protection strategy according to the attack type, the attack stage, the threat type and the attack frequency of the current network attack.
9. The network traffic detection method according to claim 1, wherein the executing the corresponding security protection policy specifically includes:
sending a safety protection instruction to the linkage safety equipment and the firewall equipment;
and executing corresponding security protection strategies by combining the linkage security equipment and the firewall equipment.
10. A network traffic detection device, comprising:
the acquisition module is used for acquiring network traffic and detection scenes, wherein the detection scenes comprise a first detection scene and a second detection scene;
the grouping module is used for grouping the network traffic according to the detection scene to obtain a first group of network traffic and a second group of network traffic, wherein the first group of network traffic corresponds to the first detection scene, and the second group of network traffic corresponds to the second detection scene;
the first determining module is used for determining a first operator set in the first detection scene and a second operator set in the second detection scene, the required operators being determined according to the requirements of the detection scene, namely the specific threat types, attack modes and abnormal behaviors to be detected, and forming an operator set;
the first detection module is used for detecting the first group of network traffic by running operators in the first operator set one by one in the first detection scene to obtain first alarm detection information;
the second detection module is used for acquiring, in the second detection scene, the detection results of the operators in the second operator set that are repeated with the first operator set, running the remaining operators in the second operator set one by one, and detecting the second group of network traffic to obtain second alarm detection information;
the summarizing module is used for summarizing and analyzing the first alarm detection information and the second alarm detection information;
and the execution module is used for executing the corresponding safety protection strategy according to the summarized analysis result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311202547.5A CN116938606B (en) 2023-09-18 2023-09-18 Network traffic detection method and device

Publications (2)

Publication Number Publication Date
CN116938606A CN116938606A (en) 2023-10-24
CN116938606B true CN116938606B (en) 2023-12-12

Family

ID=88390097

Country Status (1)

Country Link
CN (1) CN116938606B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800674A (en) * 2010-02-21 2010-08-11 浪潮通信信息系统有限公司 Bypass type flow detection model based on split-flow direction
US11003773B1 (en) * 2018-03-30 2021-05-11 Fireeye, Inc. System and method for automatically generating malware detection rule recommendations
CN114363044A (en) * 2021-12-30 2022-04-15 深信服科技股份有限公司 Layered alarm method, system, storage medium and terminal
CN116389099A (en) * 2023-03-29 2023-07-04 北京明朝万达科技股份有限公司 Threat detection method, threat detection device, electronic equipment and storage medium
CN116483822A (en) * 2023-06-21 2023-07-25 建信金融科技有限责任公司 Service data early warning method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8474043B2 (en) * 2008-04-17 2013-06-25 Sourcefire, Inc. Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant