CN1330131C - System and method for detecting network worm in interactive mode - Google Patents

System and method for detecting network worm in interactive mode Download PDF

Info

Publication number
CN1330131C
CN1330131C CNB2005100753416A CN200510075341A CN1330131C CN 1330131 C CN1330131 C CN 1330131C CN B2005100753416 A CNB2005100753416 A CN B2005100753416A CN 200510075341 A CN200510075341 A CN 200510075341A CN 1330131 C CN1330131 C CN 1330131C
Authority
CN
China
Prior art keywords
network
worm
terminal
network worm
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2005100753416A
Other languages
Chinese (zh)
Other versions
CN1697404A (en
Inventor
庄一嵘
陈珣
金华敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
GUANGDONG TELECOMMUNICATION CO Ltd INST
Original Assignee
GUANGDONG TELECOMMUNICATION CO Ltd INST
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by GUANGDONG TELECOMMUNICATION CO Ltd INST filed Critical GUANGDONG TELECOMMUNICATION CO Ltd INST
Priority to CNB2005100753416A priority Critical patent/CN1330131C/en
Publication of CN1697404A publication Critical patent/CN1697404A/en
Application granted granted Critical
Publication of CN1330131C publication Critical patent/CN1330131C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a distributed network worm detecting system which is composed of network flow collecting units arranged in all terminals in a network system in a distributed mode and network worm analyzing units arranged in a server, wherein the network flow collecting units are used for collecting transmitted and received data flow information in real time, transferring snapshot and standardized data to the network worm analyzing units and supplying attack samples of suspicious network worms and the basic state information of the terminals; the network worm analyzing units are used for collecting and analyzing data flow provided by the network flow collecting units and judging whether the terminals are attacked by worms or become attacking sources according to flow threshold values; according to the judged result, interaction is carried out between the network flow collecting units and the network worm analyzing units, and a request for the supply of the data of the attack samples and the basic state information of the terminals is made so as to carry out query and matching; network worms are found and whether the terminals become attacking sources is judged, both warnings are simultaneously given. The method has the advantages that the attack of network worms is found and identified in time, and warnings are given in time, so the network security is guaranteed.

Description

A kind of interactively network worm detection system and method
Technical field
The present invention relates to a kind of safety detecting system and method that is used for computer network.Exactly, relate to a kind of interactively network worm detection system and method, belong to the network equipment safe practice field in the data communication.
Background technology
Along with popularizing rapidly and the continuous rise of diverse network new business of computer network, network security problem has been penetrated into the every field of social life gradually, and becomes more and more severeer.Network worm is need not the computer user to intervene the stand-alone program that can move, and it is propagated by the part or all of control on the computer that ceaselessly obtains to exist in the network leak.The maximum of worm and virus is not both it does not need human intervention, and can independently constantly duplicate and propagate.The outburst of network worm each time all can bring tremendous loss to society.On November 2nd, 1988 for example, the outbreak of Morris worm, the Internet Server more than 6000 is infected and paralyse within these few days, and loss is above 10,000,000 dollars.On July 19 calendar year 2001, the CodeRed internet worm eruption has just been attacked 250,000 computers in 9 hours after outburst, and the estimated amount of damage that causes is above 2,000,000,000 dollars.Produced the stronger several mutation of power subsequently in the some months, wherein the estimated amount of damage that causes of CodeRed II is above 1,200,000,000 dollars.September 18 calendar year 2001 found Nimda network worm, the loss assessment data that it caused from 500,000,000 dollars soaring to 2,600,000,000 dollars, and continue soaringly afterwards, be unable to estimate so far.The frequency of worm outburst at present is more and more faster, especially over the past two years, increasing network worm (as network worms such as shock wave, the waves of oscillation) has appearred, therefore, press for a kind of effective detection means and in time find the attack of network worm, and take spreading of corresponding measure containment worm attack.In sum, network worm detects one of important step that becomes the network worm control.
At present, the detection system of network worm mainly contains two types:
(1) bears by intruding detection system (IDS, Intrusion Detection System).The working method of this class detection system has two kinds:
Intrusion detection system based on network, it need be analyzed and characteristic matching the IP packet with all traffic mirrorings in the IDS system then, attacks to find the diverse network that comprises network worm.Because this system need do traffic mirroring and handle on the network equipment, increased the burden of the network equipment, the IDS of network-type also not have to set up and the interaction mechanism of main frame under fire at present simultaneously, has certain wrong report;
Host Based IDS, it need catch all IP packets of host computer system network interface card, and on this machine, The matching analysis is carried out in attack according to the network attack characteristic database, because this system need handle and analyze all packets that passes in and out main frame, increase the burden of host computer system greatly, caused the host computer system operational efficiency to reduce.
(2) bear by the abnormal flow detection system.The main dependency network equipment of this type systematic provides the snapshot (Snapshot) of IP packet to realize (for example network flow technology Netflow of Cisco) at present, the data of this type systematic elder generation collection network equipment are carried out statistics and analysis, judge whether to have network worm according to certain threshold value again and attack.The packet snapshot functions that this type systematic is opened the network equipment on the one hand can cause certain burden to the network equipment, and network equipment that simultaneously neither be all can both provide the snapshot functions of IP packet, makes the application of this type systematic that certain limitation be arranged; On the other hand because this type systematic lacks mutual with host computer system under fire, can only judge the attack of network worm from the variation of flow size, can not carry out characteristic matching and confirm the existence of attacking according to the state of host computer system under fire and to attacking packet, so also there is certain wrong report problem in this type systematic.
In sum, existing network worm detection method, perhaps the network equipment, host computer system have been caused certain burden, influence the efficient of equipment operation, perhaps there is certain wrong report problem owing to lacking necessary information interaction with main frame under fire, therefore how network worm detection system and method are carried out necessary improvement, just become the new problem of insider's research, exploitation.
Summary of the invention
The purpose of this invention is to provide a kind of interactively network worm detection system and method, detect existing technical problem so that solve existing network worm, the attack of discovery and recognition network worm in time, concurrent cloth alarm, cause safety officer's close attention and take the respective handling measure, guarantee network security.
In order to achieve the above object, the invention provides a kind of distributed network worm detection system, it is characterized in that: this system comprises following assembly:
The network traffics collecting unit, distributed earth is arranged in each terminal equipment that needs protection in the network system, be responsible for gathering inflow in real time and flowing out the described data traffic information that the terminal equipment of network traffics collecting unit is installed, and these packet headers are carried out snapshot handle, extract the relevant information in the header and carry out standardization, by the Transmission Control Protocol in the transmission control protocol TCP/ Internet protocol IP SNAPSHOT INFO of these terminal equipment network traffics is passed to the network worm analytic unit again and carry out statistics and analysis; And under the request of network worm analytic unit, submit the attack sample of suspicious network worm and the basic status information of this terminal to it by the Transmission Control Protocol of TCP/IP;
The network worm analytic unit, be arranged in the high performance server, be responsible for the data on flows that the network traffics collecting unit is provided is carried out based on the analysis of statistics with based on the analysis of characteristic matching, and according to the network traffics threshold value of setting, judge that whether this terminal equipment might suffer the network worm attack, perhaps becomes the attack source of network worm; Again according to the result who judges, carry out alternately with the network traffics collecting unit, ask this unit in chain type user growth data, to submit to network worm to attack the basic status information of sample data and this terminal to it, so that carry out match query with the network worm characteristic quantity of storing in the database, find network worm, judge that according to the basic status information of this terminal whether this terminal has become the attack source of network worm, sends alarm simultaneously again.
The terminal equipment that needs protection in the described network system includes but not limited to other terminal equipment of PC main frame, server, mobile phone or IP network.
Described network traffics collecting unit is to utilize the packet-capturing program to gather in real time to flow into and flow out the described flow information that the terminal equipment of network traffics collecting unit is installed.
The flow information that described network traffics collecting unit extracts and carry out the standardized information content and comprise at least: source IP address, purpose IP address, source port, destination interface, protocol type, the data flow flow direction, data flow number, chain type user's growth data.
The basic status information of described terminal includes but not limited to version information, operation information patch information, the open network service port information of operating system of OS Type, operating system; The basic status information of described terminal is to obtain by the configuration file of reading terminals operating system and status file, whether the operating system of analyzing this terminal for the network worm analytic unit by this is identical with the characteristic parameter of network worm object of attack, whether may become the attack source of network worm.
In order to achieve the above object, the present invention also provides a kind of detection method of distributed network worm detection system, it is characterized in that: it is as follows to comprise step:
(1) the turnover data traffic information of the terminal equipment that needs protection of network traffics collecting unit collection, and with after this flow information standardization, send the network worm analytic unit to and carry out statistics and analysis; Also under the request of network worm analytic unit, submit to suspicious network worm to attack the basic status information of sample and this terminal to it;
(2) data on flows that provided according to the network traffics collecting unit of network worm analytic unit is carried out based on the analysis of statistics with based on the analysis of characteristic matching the flow of the terminal equipment at its place, according to preset threshold, judge whether this terminal might suffer that network worm attacks or become the attack source of network worm; Again under the requirement of network worm parser, carry out alternately with the network traffics collecting unit, ask this unit after it submits to network worm to attack the basic status information of sample data and this terminal, carry out match query with the network worm characteristic quantity of storing in the database, find network worm, judge that according to the basic status information of this terminal whether this terminal becomes the attack source of network worm, sends alarm simultaneously again.
Described step (1) further comprises following operation:
(11) the log-on data bag is caught program;
(12) after capturing packet, in buffering area, search for source IP address, purpose IP address, source port, destination interface, packet that protocol type is all identical with flux and flow direction, the packet identical to these features merges, and it is handled as a data flow;
(13) packet header is write in the data packet buffer according to the flow information reference format;
(14) regularly submit buffer data to the network worm analytic unit;
(15) submit the basic status information of attacking sample and this terminal to according to the request of network worm analytic unit.
Described step (1) further comprises following initialization operation:
(10) before each image data, carry out initialization to the packet-capturing program, empty data pack buffer district and opening timing device.
Described step (2) further comprises following operation:
When (21) receiving the data of network traffics collecting unit, the data flow of this terminal equipment of turnover in the unit interval is added up;
(22) according to the set threshold value of the statistical parameter of each data flow, judge whether this terminal equipment has flow information to surpass threshold value, whether ask this terminal equipment to submit the basic status information of attacking sample and this terminal to decision;
(23) after the basic status information of the attack sample that receives the terminal equipment submission and this terminal, known network worm characteristic information according to the databases storage, sample is carried out match query, find network worm, judge that according to the basic status information of this terminal whether this terminal has become the attack source of network worm, sends alarm simultaneously again.
Described step (2) further comprises following initialization operation:
(20) flow threshold of data flow is set.
The present invention is a kind of interactively network worm detection system, and this system is made up of the distributed interactive network worm analytic unit that is installed in the network traffics collecting unit in shielded each network-termination device and is installed in the high-performance server.The network traffics collecting unit carries out distributed multiple spot and detects, and utilizes the packet-capturing program to gather the flow information that flows into and flow out this terminal equipment in real time, and the data header is carried out snapshot handle.Compare with the IDS system is installed in terminal, this system is less to the performance impact of terminal; Compare with the mode (for example based on the Netflow monitoring technique) of equipment traffic monitoring Network Based, have good versatility and applicability, and the scope of monitoring has been extended on each terminal by the network equipment, widened the field that system detects and uses.In addition, adopt interactive mode to communicate by the Transmission Control Protocol of TCP/IP between network worm analytic unit and the network traffics collecting unit: the network worm analytic unit carries out statistics and analysis to the network traffics SNAPSHOT INFO that receives, and the network traffics collecting unit is sent submit to suspicious network worm to attack the request of the basic status information of sample and this terminal where necessary.This basic status information of attacking sample and this terminal of directly submitting to by terminal equipment, confirm the mode of attacking so that carry out characteristic matching, not only improved network worm has been attacked the efficient of analyzing and judging, and improved accuracy, avoided the wrong report problem of problem in the prior art preferably.
Description of drawings
Fig. 1 is the detection method flow chart of the interactively network worm detection system of the present invention.
Fig. 2 is the network traffics collecting unit carries out standardization to the data packet head a form schematic diagram.
Fig. 3 is the operational flowchart of the network traffics collecting unit embodiment in the system of the present invention.
Fig. 4 is the operational flowchart of the network worm analytic unit embodiment in the system of the present invention.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with accompanying drawing.
When network worm is attacked, possess certain behavioural characteristic, whether meeting scans the computer system of present networks section earlier usually, survey the system vulnerability relevant with worm attack and exist.The object that network worm is attacked mostly is terminal equipment, comprises PC main frame and server host.This behavioural characteristic of worm Network Based, system of the present invention adopts distributed installation network traffics collecting unit on each terminal equipment, carrying out multiple spot detects, and flow information concentrated deliver to the network worm analytic unit that is arranged in high-performance server and carry out based on the analysis of statistics with based on the analysis of characteristic matching, finding that some computer or server are received or when sending specific packet and surpassing certain threshold value in a period of time, can judge that this computer or server may be subjected to the attack of network worm or become the source of worm attack.At this moment, for further affirmation, network worm analytic unit of the present invention and network traffics collecting unit carry out alternately, ask this computer or server submit to attack the basic status information of sample and this terminal as terminal equipment, with the particular type of confirming network worm with send alarm.The basic status information here includes but not limited to the network service port information that version information, operation information patch information, the operating system of OS Type, operating system is open etc.Because the object of attack of network worm generally is at some specific operating system (characteristic that its object of attack is arranged in the network worm property data base), when judging whether this terminal becomes the attack source of network worm, should check the basic status information of this terminal earlier, whether look to coincide with the characteristic parameter of network worm object of attack, judgement could be more accurate like this.In addition, can obtain these basic status information at an easy rate by configuration file and the status file that reads this terminal operating system.
Referring to Fig. 1, introduce the detection method of the distributed network worm detection system of the present invention, it is undertaken alternately, is cooperated and finish jointly by network traffics collecting unit and network worm analytic unit, and concrete steps are:
(1) network traffics collecting unit log-on data is caught program, gathers the turnover data traffic information of the terminal equipment that needs protection;
(2) after capturing packet, in buffering area, search for source IP address, purpose IP address, source port, destination interface, data flow that protocol type is all identical with flux and flow direction, merge the identical data flow of these features, flow to the column criterion processing as data, and it is write in the data packet buffer according to flow information reference format (referring to Fig. 2);
(3) the network traffics collecting unit is regularly submitted standardized data on flows to the network worm analytic unit;
(4) the network traffics collecting unit submits to network worm to attack the basic status information of sample and this terminal according to the request of network worm analytic unit to it;
(5) after interactively network worm analytic unit receives the data of network traffics collecting unit, the data flow situation of this terminal of turnover in the unit interval is carried out statistics and analysis;
(6) according to the set threshold value of each data stream statistics parameter, judge whether this terminal has flow information to surpass threshold value, whether decision asks this terminal to submit the basic status information of attacking sample and this terminal to;
(7) after the basic status information of the attack sample that receives the terminal equipment submission and this terminal, known network worm characteristic information according to the databases storage, sample is carried out match query, whether decision finds network worm, judge according to the basic status information of this terminal whether this terminal has become the attack source of network worm again, issue alarm simultaneously.
Below in conjunction with two embodiment, the flow process of the concrete operations of two assemblies of system of the present invention is described respectively:
Referring to Fig. 3, introduce the wherein operating process of network traffics collecting unit earlier, implementation step is as follows:
(301) initialization package is caught program, and data packet buffer empties, the opening timing device;
(302) after capturing first packet, datagram header is write in the data packet buffer according to the flow information reference format;
(303) when capturing next data, first scan-data bag buffering area, whether have identical data package informatin, if having, then merge processing if searching, the data flow number is added 1; If no, then in buffering area, increase this traffic flow information, and write in the data packet buffer according to the flow information reference format; Whether the basis for estimation of the packet that wherein so-called flow is identical is that source IP address, purpose IP address, source port, destination interface, protocol type, data flow flow in full accord;
(304) judge whether timer arrives setting-up time, when timer arrives setting-up time, then submit the data of being gathered in this setting-up time to interactive network worm analytic unit; Then data packet buffer is emptied again, again the opening timing device; Return step (302), proceed the data acquisition of a new round;
(305) when receiving the basic status information of interactively network worm analytic unit request submission attack sample and this terminal, requirement according to its application, catch such packet, and add in the flow information standardized format packet, the Transmission Control Protocol by TCP/IP sends to interactively network worm analytic unit.
Referring to Fig. 4, introduce the wherein operating process of network worm analytic unit again, implementation step is as follows:
(401) definition of data flow threshold, this flow threshold are empirical data, need adjust according to the environment of real network; Usually be defined as follows condition: in 5 minutes, the number of the tcp data stream of turnover host computer system is no more than 200, UDP message stream number and is no more than 80, ICMP data flow number and is no more than 50;
(402) receive the data of network traffics collecting unit, and write database, the database table form is sequence number, timestamp, source IP address, purpose IP address, source port, destination interface, protocol type, the data flow flow direction, data flow number;
(403) call data base querying and statistical function, statistics passes in and out tcp data stream number, UDP message stream number, the ICMP data flow number of this main frame in setting-up time;
(404) result who adds up according to data base querying, compare with the flow threshold of predefined, judge which parameter this main frame has surpassed threshold value, if surpassed threshold value, then the Transmission Control Protocol by TCP/IP proposes the sample application to this main frame, to comprise the application condition of information such as source IP address, purpose IP address, protocol type, source port, destination interface, flux and flow direction above the data flow feature of threshold value flow, require to provide the basic status information of this terminal simultaneously as the flow sample;
(405) when the basic status information of the attack sample that receives the main frame submission and this main frame, the property data base of inquiry known network worm, sample is mated, judge whether to exist network worm to attack, judge according to the basic status information of this main frame whether it has become the attack source of network worm again, according to judged result, whether decision issues alarm simultaneously.

Claims (10)

1, a kind of distributed network worm detection system, it is characterized in that: this system comprises following assembly:
The network traffics collecting unit, distributed earth is arranged in each terminal equipment that needs protection in the network system, be responsible for gathering inflow in real time and flowing out the described data traffic information that the terminal equipment of network traffics collecting unit is installed, and these packet headers are carried out snapshot handle, extract the relevant information in the header and carry out standardization, by the Transmission Control Protocol in the transmission control protocol TCP/ Internet protocol IP SNAPSHOT INFO of these terminal equipment network traffics is passed to the network worm analytic unit again and carry out statistics and analysis; And under the request of network worm analytic unit, submit the attack sample of suspicious network worm and the basic status information of this terminal to it by the Transmission Control Protocol of TCP/IP;
The network worm analytic unit, be arranged in the high performance server, be responsible for the data on flows that the network traffics collecting unit is provided is carried out based on the analysis of statistics with based on the analysis of characteristic matching, and according to the network traffics threshold value of setting, judge that whether this terminal equipment might suffer the network worm attack, perhaps becomes the attack source of network worm; Again according to the result who judges, carry out alternately with the network traffics collecting unit, ask this unit in chain type user growth data, to submit to network worm to attack the basic status information of sample data and this terminal to it, so that carry out match query with the network worm characteristic quantity of storing in the database, find network worm, judge that according to the basic status information of this terminal whether this terminal has become the attack source of network worm, sends alarm simultaneously again.
2, distributed network worm detection system according to claim 1, it is characterized in that: the terminal equipment that needs protection in the described network system includes but not limited to other terminal equipment of PC main frame, server, mobile phone or IP network.
3, distributed network worm detection system according to claim 1 is characterized in that: described network traffics collecting unit is to utilize the packet-capturing program to gather in real time to flow into and flow out the described flow information that the terminal equipment of network traffics collecting unit is installed.
4, distributed network worm detection system according to claim 1 is characterized in that: the flow information that described network traffics collecting unit extracts and carry out the standardized information content and comprise at least: source IP address, purpose IP address, source port, destination interface, protocol type, the data flow flow direction, data flow number, chain type user's growth data.
5, distributed network worm detection system according to claim 1 is characterized in that: the basic status information of described terminal includes but not limited to version information, operation information patch information, the open network service port information of operating system of OS Type, operating system; The basic status information of described terminal is to obtain by the configuration file of reading terminals operating system and status file, whether the operating system of analyzing this terminal for the network worm analytic unit by this is identical with the characteristic parameter of network worm object of attack, whether may become the attack source of network worm.
6, a kind of detection method of using the described distributed network worm detection system of claim 1, it is characterized in that: it is as follows to comprise step:
(1) the turnover data traffic information of the terminal equipment that needs protection of network traffics collecting unit collection, and with after this flow information standardization, send the network worm analytic unit to and carry out statistics and analysis; Also under the request of network worm analytic unit, submit to suspicious network worm to attack the basic status information of sample and this terminal to it;
(2) data on flows that provided according to the network traffics collecting unit of network worm analytic unit is carried out based on the analysis of statistics with based on the analysis of characteristic matching the flow of the terminal equipment at its place, according to preset threshold, judge whether this terminal might suffer that network worm attacks or become the attack source of network worm; Again under the requirement of network worm parser, carry out alternately with the network traffics collecting unit, ask this unit after it submits to network worm to attack the basic status information of sample data and this terminal, carry out match query with the network worm characteristic quantity of storing in the database, find network worm, judge that according to the basic status information of this terminal whether this terminal becomes the attack source of network worm, sends alarm simultaneously again.
7, detection method according to claim 6 is characterized in that: described step (1) further comprises following operation:
(11) the log-on data bag is caught program;
(12) after capturing packet, in buffering area, search for source IP address, purpose IP address, source port, destination interface, packet that protocol type is all identical with flux and flow direction, the packet identical to these features merges, and it is handled as a data flow;
(13) packet header is write in the data packet buffer according to the flow information reference format;
(14) regularly submit buffer data to the network worm analytic unit;
(15) submit the basic status information of attacking sample and this terminal to according to the request of network worm analytic unit.
8, according to claim 6 or 7 described methods, it is characterized in that: described step (1) further comprises following initialization operation:
(10) before each image data, carry out initialization to the packet-capturing program, empty data pack buffer district and opening timing device.
9, method according to claim 6 is characterized in that: described step (2) further comprises following operation:
When (21) receiving the data of network traffics collecting unit, the data flow of this terminal equipment of turnover in the unit interval is added up;
(22) according to the set threshold value of the statistical parameter of each data flow, judge whether this terminal equipment has flow information to surpass threshold value, whether ask this terminal equipment to be submitted to decision and attack sample and this terminal basic status information;
(23) behind the attack sample and this terminal basic status information that receive the terminal equipment submission, known network worm characteristic information according to the databases storage, sample is carried out match query, find network worm, judge that according to the basic status information of this terminal whether this terminal has become the attack source of network worm, sends alarm simultaneously again.
10, according to claim 6 or 9 described methods, it is characterized in that: described step (2) further comprises following initialization operation:
(20) flow threshold of data flow is set.
CNB2005100753416A 2005-06-10 2005-06-10 System and method for detecting network worm in interactive mode Expired - Fee Related CN1330131C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100753416A CN1330131C (en) 2005-06-10 2005-06-10 System and method for detecting network worm in interactive mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100753416A CN1330131C (en) 2005-06-10 2005-06-10 System and method for detecting network worm in interactive mode

Publications (2)

Publication Number Publication Date
CN1697404A CN1697404A (en) 2005-11-16
CN1330131C true CN1330131C (en) 2007-08-01

Family

ID=35349940

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100753416A Expired - Fee Related CN1330131C (en) 2005-06-10 2005-06-10 System and method for detecting network worm in interactive mode

Country Status (1)

Country Link
CN (1) CN1330131C (en)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100377534C (en) * 2006-02-20 2008-03-26 华为技术有限公司 System and method for detecting network worm
US7948977B2 (en) * 2006-05-05 2011-05-24 Broadcom Corporation Packet routing with payload analysis, encapsulation and service module vectoring
US8020207B2 (en) * 2007-01-23 2011-09-13 Alcatel Lucent Containment mechanism for potentially contaminated end systems
CN101383722B (en) * 2007-09-05 2011-04-06 大唐移动通信设备有限公司 Time variant performance data collecting method and device
CN101184094B (en) * 2007-12-06 2011-07-27 北京启明星辰信息技术股份有限公司 Network node scanning detection method and system for LAN environment
CN101227331B (en) * 2008-01-25 2010-06-09 华中科技大学 Method for reducing mis-alarm of network attack detection system
CN101355463B (en) * 2008-08-27 2011-04-20 成都市华为赛门铁克科技有限公司 Method, system and equipment for judging network attack
CN101895521B (en) * 2009-05-22 2013-09-04 中国科学院研究生院 Network worm detection and characteristic automatic extraction method and system
CN101778011B (en) * 2009-12-31 2012-10-10 候万春 Method for monitoring internet-based data output of network computer terminal
CN102413201B (en) * 2011-11-10 2015-03-04 上海牙木通讯技术有限公司 Processing method and equipment for domain name system (DNS) query request
CN102708313B (en) * 2012-03-08 2015-04-22 珠海市君天电子科技有限公司 Virus detection system and method for large files
CN103916376A (en) * 2013-01-09 2014-07-09 台达电子工业股份有限公司 Cloud system with attract defending mechanism and defending method thereof
CN105207829B (en) * 2014-06-04 2020-08-04 腾讯科技(深圳)有限公司 Intrusion detection data processing method, device and system
CN104539471B (en) * 2014-12-01 2018-02-23 北京百度网讯科技有限公司 Bandwidth measures method, apparatus and computer equipment
CN105007175A (en) * 2015-06-03 2015-10-28 北京云杉世纪网络科技有限公司 Openflow-based flow depth correlation analysis method and system
CN105915516B (en) * 2016-04-15 2020-01-03 新华三技术有限公司 Data stream acquisition method and device based on security detection
CN107659540B (en) * 2016-07-25 2021-01-26 中兴通讯股份有限公司 Dynamic behavior analysis method, device, system and equipment
CN107332832A (en) * 2017-06-21 2017-11-07 北京东方棱镜科技有限公司 Mobile Internet distribution corpse wooden horse Worm detection method and device
CN107277073A (en) * 2017-08-16 2017-10-20 北京新网数码信息技术有限公司 A kind of method for monitoring network and device
CN108683681A (en) * 2018-06-01 2018-10-19 杭州安恒信息技术股份有限公司 A kind of smart home intrusion detection method and device based on traffic policy
CN112073209A (en) * 2019-06-10 2020-12-11 中兴通讯股份有限公司 Data packet processing method and device
CN112615857B (en) * 2020-12-17 2023-02-17 杭州迪普科技股份有限公司 Network data processing method, device and system
CN115396212A (en) * 2022-08-26 2022-11-25 国科华盾(北京)科技有限公司 Training method and device for detection model, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003088017A2 (en) * 2002-04-09 2003-10-23 Cisco Technology, Inc. System and method for detecting an infective element in a network environment
CN1529462A (en) * 2003-10-21 2004-09-15 中兴通讯股份有限公司 Device and method for realizing abnormal flow control
CN1549126A (en) * 2003-05-16 2004-11-24 北京爱迪安网络技术有限公司 Method for detecting worm virus and delaying virus spreading
WO2005006710A1 (en) * 2003-07-03 2005-01-20 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network
CN1571362A (en) * 2004-05-14 2005-01-26 清华大学 Early stage prewarning method for Internet worm virus

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003088017A2 (en) * 2002-04-09 2003-10-23 Cisco Technology, Inc. System and method for detecting an infective element in a network environment
CN1549126A (en) * 2003-05-16 2004-11-24 北京爱迪安网络技术有限公司 Method for detecting worm virus and delaying virus spreading
WO2005006710A1 (en) * 2003-07-03 2005-01-20 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network
CN1529462A (en) * 2003-10-21 2004-09-15 中兴通讯股份有限公司 Device and method for realizing abnormal flow control
CN1571362A (en) * 2004-05-14 2005-01-26 清华大学 Early stage prewarning method for Internet worm virus

Also Published As

Publication number Publication date
CN1697404A (en) 2005-11-16

Similar Documents

Publication Publication Date Title
CN1330131C (en) System and method for detecting network worm in interactive mode
US9848004B2 (en) Methods and systems for internet protocol (IP) packet header collection and storage
US7903566B2 (en) Methods and systems for anomaly detection using internet protocol (IP) traffic conversation data
Yegneswaran et al. Using honeynets for internet situational awareness
US8726382B2 (en) Methods and systems for automated detection and tracking of network attacks
US7623466B2 (en) Symmetric connection detection
US7995496B2 (en) Methods and systems for internet protocol (IP) traffic conversation detection and storage
Shanmugasundaram et al. ForNet: A distributed forensics network
CN101656634B (en) Intrusion detection method based on IPv6 network environment
US8762515B2 (en) Methods and systems for collection, tracking, and display of near real time multicast data
CN101789931B (en) Network intrusion detection system and method based on data mining
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
CN101001242B (en) Method of network equipment invaded detection
CN101217547B (en) A flood request attaching filtering method based on the stateless open source core
CN108931968A (en) A kind of network security protection system and its means of defence applied in industrial control system
GB2382261A (en) Inserting an intrusion prevention system into a network stack
CN104135474A (en) Network anomaly behavior detection method based on out-degree and in-degree of host
CN102130920A (en) Botnet discovery method and system thereof
CN114124516A (en) Situation awareness prediction method, device and system
Kaushik et al. Network forensic system for ICMP attacks
CN101582880B (en) Method and system for filtering messages based on audited object
Mai et al. J-Honeypot: a Java-based network deception tool with monitoring and intrusion detection
CN113377051B (en) Network safety protection equipment based on FPGA
CN101197810A (en) Method for real-time detection of worm
Benferhat et al. Preprocessing rough network traffic for intrusion detection purposes

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070801

Termination date: 20150610

EXPY Termination of patent right or utility model