WO2017206499A1 - Network attack detection method, and attack detection apparatus - Google Patents

Network attack detection method, and attack detection apparatus

Info

Publication number
WO2017206499A1
Authority
WO
WIPO (PCT)
Prior art keywords
objects
attack
network
sessions
attack detection
Application number
PCT/CN2016/112155
Other languages
English (en)
Chinese (zh)
Inventor
周冲
付天福
刘金华
Original Assignee
华为技术有限公司
Priority claimed from CN201610495352.8A (CN107454052A)
Application filed by 华为技术有限公司
Publication of WO2017206499A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present application relates to the field of data processing, and in particular to a network attack detection method and an attack detection apparatus.
  • The existing packet sampling technology can extract only very few features from the sampled data traffic, and can therefore detect only simple, known network anomalies such as bursts of data traffic. Because it cannot analyze the characteristics of the data traffic in depth, it provides little useful information for attack detection, so attack detection is inefficient.
  • The present application provides a network attack detection method that provides more useful information for network attack detection.
  • The first aspect of the present application provides a network attack detection method, including: acquiring information about P sessions forwarded by a forwarding device in a network in a first time period.
  • Each of the P sessions belongs to one of Q objects, where P and Q are integers greater than or equal to 1, and P is greater than or equal to Q.
  • The amount of data of each of the Q objects is determined from the information about the P sessions.
  • In this way the data flow is analyzed in depth, and the resulting statistical information reflects more diverse, deeper, more complex and more accurate characteristics of the network data traffic, which helps the attack detection device detect unknown attacks and attacks hidden deep in the network.
  • The amount of data of each of the Q objects may be calculated accurately or may be estimated.
  • The second time period may be the same time period as the first time period, or may be a different time period.
  • The data volume of each of the Q objects is: the number of sessions the object includes in the first time period, the data traffic size of those sessions, or the number of packets in those sessions.
  • The attack detection device may sort the Q objects by data amount and determine the first object, where the first object is an object among the top N of the sorted Q objects.
  • The attack detection device may instead remove M preset objects from the Q objects, sort the remaining Q-M objects by data amount in descending order, and determine the first object as: the M preset objects, and the objects among the top N of the sorted Q-M objects. The M preset objects can be designated manually or set by the attack detection device, where M is an integer less than Q and N is an integer less than Q-M.
  • The attack detection device may further input the obtained statistical result into a preset machine model, where the machine model is a classifier that can determine, according to the statistical result, whether there is an attack in the network.
  • The attack detection device may further compare the obtained statistical result with a preset baseline. The baseline may be regarded as the boundary between normal and abnormal statistical results of the first object, or as the criterion or rule for whether the statistical result of the first object is normal; by comparing the statistical result with the baseline, the device can determine whether there is an attack in the network.
  • The attack detection device may also modify the preset baseline according to the statistical result, to adapt to a changed network environment.
  • The second aspect of the present application provides an attack detection apparatus, including: an information acquisition module, configured to acquire information about P sessions forwarded by a forwarding device in a first time period, where each of the P sessions belongs to one of Q objects; a data amount determining module, configured to determine, from the information about the P sessions, the amount of data of each of the Q objects; and an object determining module, configured to determine the first object according to the data amount of each of the Q objects.
  • A feature value statistics module is configured to collect the feature values of the plurality of sessions of the first object that are forwarded by the forwarding device in the second time period and obtain the statistical result, which is used to determine whether there is an attack in the network where the forwarding device is located.
  • The attack detection device provided by the present application can analyze the data flow in depth, and the resulting statistical information reflects more diverse, deeper, more complex and more accurate characteristics of the network data traffic, which helps detect unknown attacks and attacks hidden deep in the network.
  • The data volume of each of the Q objects is: the number of sessions the object includes in the first time period, the data traffic size of those sessions, or the number of packets in those sessions.
  • The object determining module is specifically configured to: sort the Q objects by data amount and determine the first object, where the first object is an object among the top N of the sorted Q objects, and N is an integer less than Q. This favours selecting an object with a large amount of data as the first object.
  • The object determining module is further configured to: remove the M preset objects from the Q objects, sort the remaining Q-M objects by data amount in descending order, and determine the first object as: the M preset objects, and the objects among the top N of the sorted Q-M objects.
  • The attack detection device may further include an attack determination module, configured to input the obtained statistical result into a preset machine model and determine, by the machine model, whether there is an attack in the network; the machine model is a classifier that can determine whether there is an attack in the network based on the statistical result.
  • The attack determination module may further compare the obtained statistical result with a preset baseline. The baseline may be regarded as the boundary between normal and abnormal statistical results of the first object, or as the criterion or rule for whether the statistical result of the first object is normal; by comparing the statistical result with the baseline, the module can determine whether there is an attack in the network.
  • The attack determination module may also modify the preset baseline according to the statistical result, to adapt to a changed network environment.
  • A third aspect of the present application provides another attack detection apparatus, including a processor and a communication interface.
  • The communication interface is configured to obtain information about P sessions forwarded by the forwarding device in the network in the first time period, where each of the P sessions belongs to one of Q objects, P and Q are integers greater than or equal to 1, and P is greater than or equal to Q.
  • The processor is configured to: determine, according to the information about the P sessions acquired by the communication interface, the data amount of each of the Q objects; determine a first object according to the data amount of each of the Q objects; and then collect the feature values of the plurality of sessions of the first object forwarded by the forwarding device in the second time period, obtaining a statistical result.
  • FIG. 1 is a schematic structural diagram of an available system according to an embodiment of the present application.
  • FIG. 2 is a structural diagram of an attack detection apparatus according to an embodiment of the present application.
  • FIG. 3 is a flowchart of a network attack detection method according to an embodiment of the present application.
  • FIG. 4 is a structural diagram of another attack detection apparatus according to an embodiment of the present application.
  • The present application provides an attack detection method for improving the efficiency of attack detection on a data stream.
  • The present application also provides related attack detection devices, which are described separately below.
  • FIG. 1 is a diagram of a system architecture in which the present application can be used.
  • The network may include multiple forwarding devices, such as the forwarding device 101, the forwarding device 102, and the forwarding device 103.
  • Each forwarding device can be a router, a switch, a firewall, a packet transport network device, a wavelength division multiplexing device, an optical transport network device, a base station, or a base station controller.
  • The attack detection device 104 is coupled to one or more forwarding devices in the network, and detects whether there is an attack in the packets sent and received by those forwarding devices.
  • In FIG. 1, the attack detection device 104 is coupled to the forwarding device 103, and detects whether there is an attack in the packets sent and received by the forwarding device 103.
  • The attack detection device 104 may be an independent physical device, such as a server.
  • The attack detection device 104 may also be a function module deployed on a physical device, which is not limited in this application.
  • A session refers to a communication interaction between two devices in a network during a specific, uninterrupted period of operation.
  • The packets belonging to the same session carry matching address information. For example, in the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), the packets of a session can be identified by five-tuple information: packets of the same session have the same source IP address, destination IP address, source port number, destination port number and transport layer protocol number.
  • In the Internet Control Message Protocol (ICMP), a packet belonging to a session can be identified by two-tuple information: packets of the same session have the same source IP address and destination IP address.
  • During a session, all packets transmitted between the two devices belong to the session.
  • When the packets are TCP or UDP packets, the five-tuple information of the packets in the same session matches as follows. In the five-tuple carried by a packet sent by the first device to the second device, the source IP address is the IP address of the first device, the source port number is the port number of the first device, the destination IP address is the IP address of the second device, and the destination port number is the port number of the second device; in the five-tuple carried by a packet sent by the second device to the first device, the source IP address is the IP address of the second device, the source port number is the port number of the second device, the destination IP address is the IP address of the first device, and the destination port number is the port number of the first device.
  • The transport layer protocol numbers used by the two devices are the same. These packets belong to the same TCP/UDP session.
  • When the packets communicated between the first device and the second device are not TCP or UDP packets but ICMP packets, the packets whose two-tuple information matches belong to the same session. In the two-tuple carried by a packet sent by the first device to the second device, the source IP address is the IP address of the first device and the destination IP address is the IP address of the second device; in the two-tuple carried by a packet sent by the second device to the first device, the source IP address is the IP address of the second device and the destination IP address is the IP address of the first device.
  • The transport layer protocol numbers of the packets sent between the two devices are the same. These packets belong to the same ICMP session.
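  The session identification described above, as an added Python example that is not code from the patent: TCP/UDP packets are keyed by their five-tuple and ICMP packets by their two-tuple, and the two endpoints are sorted so that the forward and reverse directions of one session map to the same key. The `Packet` layout, the endpoint-sorting convention and the sample packets are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IP header protocol numbers (IANA assigned values).
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass(frozen=True)
class Packet:
    """Minimal view of one forwarded packet (constructed layout, not the patent's)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int = 0   # not meaningful for ICMP
    dst_port: int = 0


def session_key(pkt: Packet) -> Tuple:
    """Return a direction-independent session key.

    TCP/UDP: five-tuple (protocol, both IP:port endpoints).
    ICMP:    two-tuple (protocol, both IP addresses).
    The endpoints are sorted so a packet from A to B and its reply from
    B to A produce the same key, which is what groups them into one session.
    """
    if pkt.proto in (PROTO_TCP, PROTO_UDP):
        a = (pkt.src_ip, pkt.src_port)
        b = (pkt.dst_ip, pkt.dst_port)
        lo, hi = sorted((a, b))
        return (pkt.proto, lo, hi)
    if pkt.proto == PROTO_ICMP:
        lo, hi = sorted((pkt.src_ip, pkt.dst_ip))
        return (pkt.proto, lo, hi)
    raise ValueError(f"unsupported transport protocol number {pkt.proto}")


def group_sessions(packets: List[Packet]) -> Dict[Tuple, List[Packet]]:
    """Group packets into sessions: session key -> packets of that session."""
    sessions: Dict[Tuple, List[Packet]] = {}
    for p in packets:
        sessions.setdefault(session_key(p), []).append(p)
    return sessions


# Constructed sample traffic: a TCP exchange in both directions, one UDP
# datagram, and an ICMP request/reply pair between two hosts.
SAMPLE_PACKETS = [
    Packet("10.0.0.1", "10.0.0.2", PROTO_TCP, 40000, 80),
    Packet("10.0.0.2", "10.0.0.1", PROTO_TCP, 80, 40000),
    Packet("10.0.0.1", "10.0.0.2", PROTO_TCP, 40000, 80),
    Packet("10.0.0.3", "10.0.0.2", PROTO_UDP, 5353, 53),
    Packet("10.0.0.1", "10.0.0.2", PROTO_ICMP),
    Packet("10.0.0.2", "10.0.0.1", PROTO_ICMP),
]

if __name__ == "__main__":
    for key, pkts in group_sessions(SAMPLE_PACKETS).items():
        print(key, "->", len(pkts), "packets")
```

  The six sample packets fall into three sessions (one TCP, one UDP, one ICMP); without the endpoint sorting, each direction would be counted as a separate session and per-session features such as packet counts would be split in two.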
  • The attack detection device 104 shown in FIG. 1 can be implemented by the attack detection device 200 shown in FIG. 2, which includes a processor 201, a memory 202, and a communication interface 203.
  • A bus 204 is also included.
  • The processor 201, the memory 202, and the communication interface 203 can communicate with each other via the bus 204.
  • Communication can also be achieved by other means, such as wireless transmission.
  • The memory 202 can include volatile memory, such as random-access memory (RAM), and can also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or an SSD; the memory 202 may also include a combination of the above types of memory.
  • The memory 202 is used to store the program code for implementing the attack detection method of FIG. 3 of the present application.
  • The communication interface 203 can be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or an Ethernet interface.
  • The communication interface 203 can also be a wireless interface, such as a wireless local area network interface.
  • The communication interface 203 is configured to acquire the information about the P sessions forwarded by the forwarding device in the first time period, and the feature values of the plurality of sessions of the first object forwarded in the second time period.
  • The processor 201 can be a central processing unit (CPU), a hardware chip, or a combination of a CPU and a hardware chip.
  • The processor 201 controls the communication interface 203 to acquire the information about the P sessions forwarded by the forwarding device in the first time period, where each of the P sessions belongs to one of Q objects, P and Q are integers greater than or equal to 1, and P is greater than or equal to Q; determines the data amount of each of the Q objects according to the information about the P sessions; determines a first object according to the data amount of each of the Q objects; and collects the feature values of the plurality of sessions of the first object forwarded by the forwarding device in the second time period to obtain a statistical result, which is used to determine whether there is an attack in the network where the forwarding device is located.
  • The data volume of each object is the number of sessions the object includes in the first time period, the data traffic size of those sessions, or the number of packets in those sessions.
  • Determining the first object according to the data volume of each of the Q objects includes: sorting the Q objects by data amount, and determining the first object as an object among the top N after sorting, where N is an integer smaller than Q.
  • Determining the first object according to the data volume of each of the Q objects may further include: removing the M preset objects from the Q objects, sorting the remaining Q-M objects by data amount, and determining the first object as: the M preset objects, and the objects among the top N of the sorted Q-M objects, where M is an integer less than Q and N is an integer less than Q-M.
  • The processor 201 is further configured to input the statistical result into a preset machine model, and to determine, by using the machine model, whether an attack exists in the network.
  • The processor 201 is further configured to compare the statistical result with a preset baseline to determine whether an attack exists in the network.
  • The processor 201 is further configured to correct, according to the statistical result, the preset baseline that is used to determine whether an attack exists in the network.
  • FIG. 3 is a flowchart of a method for detecting network attacks provided by an embodiment of the present application.
  • The method shown in FIG. 3 may be executed by the attack detection device 104 shown in FIG. 1.
  • The forwarding device in the embodiment shown in FIG. 3 may be one or more of the forwarding devices 101-103 shown in FIG. 1. The basic process shown in FIG. 3 includes:
  • S301. Acquire information about P sessions forwarded by the forwarding device in the first time period.
  • Each of the P sessions belongs to one of Q objects, where P and Q are integers greater than or equal to 1, and P is greater than or equal to Q.
  • The P sessions are among the large number of sessions forwarded by the forwarding device in the first time period.
  • The attack detection device acquires the information about the P sessions.
  • The P sessions may be obtained by the forwarding device sampling according to a preset sampling rule.
  • The information about the P sessions may be obtained by mirroring the packets of each of the P sessions when the forwarding device receives them, saving the mirrored packets in the forwarding device, and extracting the information from the mirrored packets; it can also be obtained directly during forwarding.
  • The information about the P sessions is sent to the attack detection device over a pre-established connection, so that the attack detection device acquires it.
  • The session information obtained by the attack detection device may be in the form of IPFIX data, NetFlow data, or any other form that the forwarding device and the attack detection device support, which is not limited herein.
  • The session information can include many parameters, such as session identifier, source/destination IP address, source/destination port, protocol type, service type, and traffic size.
  • The session information can be reported to the attack detection device by the forwarding device.
  • The attack detection device may also send an indication to the forwarding device instructing it to report the session information, thereby actively acquiring the session information.
  • The information about the P sessions may be sent to the attack detection device by one forwarding device or by multiple forwarding devices.
  • The information about the P sessions may be sent by the forwarding device to the attack detection device at one time, or in multiple batches.
  • The "object" is used to divide the sessions in the network.
  • A session in the network can be associated with an object, that is, the session belongs to the object; equivalently, the object is said to include the session.
  • An object can include one or more sessions, and each session belongs to one of the Q objects.
  • For example, if sessions are divided according to destination IP address and the attack detection device finds three destination IP addresses in the information about the P sessions, namely a first, a second and a third IP address, the three IP addresses correspond to a first, a second and a third object respectively: the sessions whose destination address is the first IP address belong to the first object, the sessions whose destination address is the second IP address belong to the second object, and the sessions whose destination address is the third IP address belong to the third object.
  • Under different division manners, the same session can belong to different objects.
  • For example, if sessions are divided according to the subnet of the destination IP address, assume that the first and second IP addresses belong to a first subnet and the third IP address belongs to a second subnet, and that the two subnets correspond to a fourth and a fifth object respectively. Then the sessions whose destination address is the first or the second IP address belong to the fourth object, and the sessions whose destination address is the third IP address belong to the fifth object.
  • Each of the P sessions belongs to one of Q objects, where the Q objects are obtained by dividing the sessions in a specific manner.
  • The object is not limited to the form of an IP address; various parameters of the session information may serve as the object.
  • The object may be a network segment, a URL (website), an autonomous system (AS), a physical address (such as a city, a province or even a country), or other address information determined by a geographic information system (GIS).
  • In the present application, the address information of an IP address, a network segment, an autonomous system or a physical address refers to the source address or destination address of the packets transmitted in one direction of the bidirectional packets of a session.
  • For example, when IP address is the division manner, the statement that the object corresponding to IP address 1 includes session 1 means that the source IP address of the packets in one direction of session 1 is IP address 1 and the destination IP address of the packets in the other direction is IP address 1.
  • Division by the other address forms is the same as in this example and is not described again.
  • The object can also be a service type, such as a domain name system (DNS) type, a file transfer protocol (FTP) type, a hypertext transfer protocol (HTTP) type, or another service type.
  • The object can also take other forms, which is not limited herein.
  • S302. Determine, according to the information about the P sessions, the amount of data of each of the Q objects.
  • The data amount of an object is the number of sessions the object includes in the first time period, or the data traffic size or the number of packets of those sessions.
  • The amount of data of each of the Q objects is obtained from the information about the P sessions. Therefore, the information about the P sessions should be sufficient to derive the amount of data of each of the Q objects. For example, if the data amount is the number of sessions of each of the Q objects, the information about the P sessions should include at least the session identifier of each session. For another example, if the data amount is the data traffic of each of the Q objects, the information about the P sessions should include at least the traffic size of each session.
  • The amount of data of each of the Q objects can be calculated accurately.
  • Taking data traffic as the data amount as an example, for each object the sessions belonging to the object among the P sessions are determined, the data traffic of each of those sessions is calculated, and the data traffic is summed.
  • The data traffic size can be expressed in bits or in bytes.
  • The amount of data of each of the Q objects may also be estimated. Still taking data traffic as an example, if the first time period is long, such as one day, the number of sampled sessions is large. Counting the data traffic of every session would require too much computation, especially since some of the Q objects have small data amounts and, being unlikely to be determined as the first object, do not need accurate statistics. For example, if, as described in S301, the forwarding device sends the information about the P sessions to the attack detection device in multiple batches,
  • the attack detection device may already have deleted the session information of earlier batches, so the total data amount of an object in the first time period can only be estimated.
  • See, for example, LD-Sketch ("LD-Sketch: A Distributed ..." by Qun Huang and Patrick P. C. Lee, published in 2014 at the Institute of Electrical and Electronics Engineers (IEEE)).
  • The attack detection device selects one or more objects from the Q objects and analyzes the selected objects.
  • The first object is among the selected objects.
  • The attack detection device may sort the Q objects by data amount and determine the first object.
  • The first object is an object among the top N of the sorted Q objects, that is, one of the N objects with the largest data amount among the Q objects, where N is an integer less than Q.
  • The attack detection device may further hold M preset objects.
  • The M preset objects can be set by the user, who may designate M objects to be observed.
  • The M preset objects may also be determined by the attack detection device before the first time period, using a method similar to that for determining the first object.
  • The attack detection device may also set a life cycle for the M preset objects; after the life cycle ends they are no longer treated as preset objects.
  • The M preset objects may be removed from the Q objects, and the remaining Q-M objects sorted by data amount.
  • The first object is then: the M preset objects, and the objects among the top N of the sorted Q-M objects, that is, the N objects with the largest data amount among the Q-M objects, where N is an integer less than Q-M.
  • The attack detection device may also determine, as the first object, any object among the Q objects whose data amount exceeds a threshold.
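  The object division of S302 and the three first-object selection rules just described (top N by data amount, M preset objects plus top N of the remaining Q-M, and a data-amount threshold), as an added Python example that is not code from the patent. The session record layout, the two object mappings (destination IP and destination /24 subnet) and the sample sessions are this example's own assumptions; the threshold rule is folded into the same function as an optional extra, which goes slightly beyond the text, where it is a separate variant.

```python
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Set

# One session record as a forwarding device might report it (IPFIX/NetFlow-like).
# The field names are a constructed layout, not the patent's or any exporter's schema.
Session = Dict[str, object]


def data_amount_per_object(sessions: Iterable[Session],
                           object_of: Callable[[Session], str],
                           measure: str = "sessions") -> Dict[str, int]:
    """Divide the P sessions into Q objects and compute each object's data amount.

    object_of maps a session to its object (destination IP, subnet, ...).
    measure is one of the three data amounts the text lists: "sessions"
    (number of sessions), "bytes" (data traffic size) or "packets".
    """
    amounts: Dict[str, int] = defaultdict(int)
    for s in sessions:
        if measure == "sessions":
            amounts[object_of(s)] += 1
        elif measure in ("bytes", "packets"):
            amounts[object_of(s)] += int(s[measure])
        else:
            raise ValueError(f"unknown measure {measure!r}")
    return dict(amounts)


def select_first_objects(amounts: Dict[str, int], n: int,
                         preset: Set[str] = frozenset(),
                         threshold: Optional[int] = None) -> List[str]:
    """Choose the objects that get deep feature analysis (the 'first object').

    The M preset objects are always chosen; the remaining Q-M objects are
    sorted by data amount in descending order and the top N are chosen
    (N must be less than Q-M); optionally, any further object whose data
    amount exceeds `threshold` is chosen as well.
    """
    remaining = {k: v for k, v in amounts.items() if k not in preset}
    if remaining and n >= len(remaining):
        raise ValueError("N must be an integer less than Q-M")
    # Ties are broken by object name so the result is deterministic.
    ranked = sorted(remaining, key=lambda k: (-remaining[k], k))
    chosen: List[str] = sorted(k for k in preset if k in amounts)
    chosen += ranked[:n]
    if threshold is not None:
        chosen += [k for k in ranked[n:] if remaining[k] > threshold]
    return chosen


def by_dst_ip(s: Session) -> str:
    """Object = destination IP address (the text's first example)."""
    return str(s["dst_ip"])


def by_dst_subnet(s: Session, prefix: int = 24) -> str:
    """Object = the /prefix network containing the destination IP (the text's
    subnet example); the /24 size is an assumption of this example."""
    return str(ipaddress.ip_network(f"{s['dst_ip']}/{prefix}", strict=False))


# Constructed sample: six sessions reported for the first time period.
SAMPLE_SESSIONS: List[Session] = [
    {"id": 1, "dst_ip": "192.0.2.10", "bytes": 5000, "packets": 40},
    {"id": 2, "dst_ip": "192.0.2.10", "bytes": 3000, "packets": 25},
    {"id": 3, "dst_ip": "192.0.2.11", "bytes": 800, "packets": 6},
    {"id": 4, "dst_ip": "198.51.100.7", "bytes": 12000, "packets": 90},
    {"id": 5, "dst_ip": "198.51.100.7", "bytes": 200, "packets": 2},
    {"id": 6, "dst_ip": "203.0.113.5", "bytes": 150, "packets": 3},
]

if __name__ == "__main__":
    by_ip = data_amount_per_object(SAMPLE_SESSIONS, by_dst_ip, "bytes")
    print("bytes per destination IP:", by_ip)
    print("top-1 plus preset object:",
          select_first_objects(by_ip, 1, preset={"203.0.113.5"}))
    print("bytes per /24:", data_amount_per_object(SAMPLE_SESSIONS, by_dst_subnet, "bytes"))
```

  Changing `object_of` is all it takes to re-divide the same P sessions by a different object kind, which is the point the text makes about one session belonging to different objects under different division manners.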
  • The feature value of a session is a value that describes a feature of the session.
  • The session may be characterized by the size of the session traffic, the average packet length in the session, the reason for session termination, the session duration, the maximum packet length in the session, and the minimum packet length in the session.
  • The session may also be characterized by the number of packets in a TCP session in which a certain flag bit is equal to one.
  • The plurality of sessions of the first object are sessions belonging to the first object.
  • The attack detection device acquires information about multiple sessions of the first object forwarded by the forwarding device in the second time period, where the information about each session either includes the feature value of the session or includes the information needed to calculate it.
  • For example, if the feature value is the average packet length of the session, the session information obtained from the forwarding device may directly include the average packet length of each session, or may include the total number of bytes and the total number of packets of the session, from which the attack detection device determines the average packet length of each session.
  • After the attack detection device acquires the feature value of each session of the first object in S304, it performs statistics over the feature values of the plurality of sessions to obtain the statistical result.
  • The statistical result may be the sum of the feature values of the multiple sessions, or may be obtained by another statistical operation on those feature values.
  • The second time period can be the same time period as the first time period. In that case the information about the P sessions acquired in S301 already includes the feature value of each session, and the attack detection device saves the feature values of the sessions.
  • If the attack detection device does not save the information about the P sessions in the first time period, it needs to acquire the sessions of the first object that the forwarding device forwards in the second time period; the second time period can be after the first time period.
  • The attack detection device performs statistics over the feature values of the plurality of sessions of the first object forwarded by the forwarding device in the second time period, and obtains a statistical result.
  • The statistical result is used to determine whether there is an attack in the network where the forwarding device is located.
  • In one implementation, a machine model is pre-stored in the attack detection device.
  • The machine model is also called a classifier (English: classifier); in essence it is a classification function or a classification model.
  • The machine model may be a back propagation (BP) neural network model trained on historical statistical results and the corresponding historical network states; it classifies the currently input statistical result into one of two classes, attack present or no attack, and thereby determines whether there is an attack in the network.
  • The attack detection device may input the statistical result into the preset machine model and determine, by means of the machine model, whether there is an attack in the network where the forwarding device is located.
  • In another implementation, the attack detection device may be pre-configured with a baseline (English: baseline) corresponding to the first object; the baseline can be regarded as the standard or rule that decides whether the statistical result of the first object is normal or abnormal.
  • The baseline may be a numerical value or a judgement condition.
  • The baseline may also be generated automatically by the attack detection device from the statistical results obtained in previous attack detection rounds; this application does not limit how it is obtained.
  • The attack detection device compares the statistical result of the first object with the corresponding baseline to find out whether the statistical result is abnormal, thereby determining whether there is an attack in the network; when an attack is determined, it is associated with the sessions whose statistical result was abnormal.
  • The attack detection device may also adjust the baseline according to the statistical result it has determined.
  • The specific adjustment algorithm may be averaging, weighting, smoothing, prediction, correction or another algorithm; this is not limited here. For example, if the traffic of the sessions of the website www.baidu.com in the second time period is 5M per unit time and the baseline for that traffic is 7M per unit time, the attack detection device may adjust the baseline with a first-order smoothing algorithm whose smoothing coefficient is 0.4.
  • The attack detection device may also compute statistics for several feature values of the sessions of the first object, obtain a baseline for each of them, and generate or modify the machine model on the basis of these multiple baselines.
  • In summary, the present application provides an attack detection method in which the attack detection device acquires information of P sessions forwarded by the forwarding device, each of the P sessions belonging to one of Q objects; the attack detection device then determines the amount of data of each of the Q objects, determines the first object according to the data amount of each object, and counts the feature values of the sessions of the first object in the second time period to obtain a statistical result, which is used to determine whether there is an attack in the network.
  • On the basis of the session information extracted from the network, the present application selects the first object of main concern, determines the feature value of each session of the selected first object, and obtains a statistical result over those feature values.
  • By analysing the data stream in depth in this way, the obtained statistical information reflects the network's data traffic in a more diverse, deeper, more complex and more accurate manner, so that the attack detection device can detect unknown attacks and deeply hidden attacks in the network.
  • FIG. 3 thus provides the basic flow of the network attack detection method provided by the present application.
  • The following describes the attack detection apparatus provided by the present application for implementing the foregoing network attack detection method.
  • The attack detection apparatus shown in FIG. 4 includes:
  • The information obtaining module 401 is configured to obtain information about P sessions forwarded by the forwarding device in the first time period, where each of the P sessions belongs to one of Q objects.
  • P and Q are integers greater than or equal to 1, and P is greater than or equal to Q.
  • The data amount determining module 402 is configured to determine, according to the information of the P sessions, the amount of data of each of the Q objects.
  • The object determining module 403 is configured to determine the first object according to the data amount of each of the Q objects.
  • In one implementation, the object determining module 403 sorts the Q objects in descending order of data amount and determines the first object to be an object among the top N of the sorted Q objects, where N is an integer less than Q.
  • In another implementation, the preset M objects are removed from the Q objects, the remaining Q-M objects are sorted in descending order of data amount, and the first object is determined to be one of the preset M objects or an object among the top N of the sorted Q-M objects, where M is an integer less than Q and N is an integer less than Q-M.
  • The feature value statistics module 404 is configured to count the feature values of the plurality of sessions of the first object forwarded by the forwarding device in the second time period and obtain a statistical result, where the statistical result is used to determine whether there is an attack in the network where the forwarding device is located.
  • The attack detection device may further include an attack determination module 405, configured to input the statistical result into the machine model and determine, by means of the machine model, whether there is an attack in the network.
  • Alternatively, the attack determination module 405 may be configured to compare the statistical result with a preset baseline to determine whether an attack exists in the network.
  • The attack determination module 405 may also correct the preset baseline according to the statistical result.
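The selection and judgement steps described above, S301 to S304 of the method and modules 401 to 405 of the apparatus, as one worked example in Python. This is added illustrative code, not the patent's implementation: the session record fields, the relative-deviation judgement rule, the form of the first-order smoothing (new = alpha * observed + (1 - alpha) * old, with the 0.4 coefficient the text names), and the sample sessions and baselines are all assumptions constructed for the example. It covers the variant in which preset M objects are always watched; the machine-model (BP classifier) path is not shown.

```python
"""Worked example of the FIG. 3 flow: choose the objects worth watching from a
first export window, then judge feature statistics of their sessions in a
second window against per-object baselines.  Illustrative code only; the
session record layout, the judgement rule and the baselines are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    obj: str      # object the session belongs to, e.g. the destination host
    nbytes: int   # total bytes of the session, as exported by the forwarder
    npkts: int    # total packets of the session
    window: int   # export window: 1 = first time period, 2 = second


def data_volume(sessions):
    """S302: total bytes per object over the given sessions."""
    vol = defaultdict(int)
    for s in sessions:
        vol[s.obj] += s.nbytes
    return dict(vol)


def select_objects(volume, n, preset=()):
    """S303: the preset M objects are always chosen; the remaining Q-M objects
    are ranked by data volume, largest first, and the top N of them are added."""
    ranked = sorted((o for o in volume if o not in preset),
                    key=lambda o: -volume[o])
    return list(preset) + ranked[:n]


def avg_pkt_len(s):
    """Feature value of one session: average packet length in bytes."""
    return s.nbytes / s.npkts if s.npkts else 0.0


def feature_stats(sessions, obj, window):
    """S304: statistics over the feature values of obj's sessions in `window`.
    The text allows a sum or another statistic; the mean is judged here because
    it does not grow with the number of sessions in the window."""
    vals = [avg_pkt_len(s) for s in sessions if s.obj == obj and s.window == window]
    return {"sessions": len(vals), "sum": sum(vals),
            "mean": sum(vals) / len(vals) if vals else None}


def smooth_baseline(old, observed, alpha=0.4):
    """First-order exponential smoothing (assumed form) with coefficient 0.4."""
    return alpha * observed + (1 - alpha) * old


def deviates(stat, baseline, tolerance=0.5):
    """Assumed judgement rule: abnormal if the relative deviation exceeds `tolerance`."""
    if baseline == 0:
        return stat != 0
    return abs(stat - baseline) / baseline > tolerance


# Constructed sample export from one forwarding device (not real traffic).
SAMPLE = [
    Session("A", 6_000_000, 5000, 1), Session("A", 4_000_000, 4000, 1),
    Session("B", 3_000_000, 2500, 1),
    Session("C", 500_000, 600, 1),
    Session("D", 100_000, 200, 1),
    # second window: A receives many sessions of tiny packets, B and D look normal
    Session("A", 6000, 100, 2), Session("A", 6400, 100, 2), Session("A", 5600, 100, 2),
    Session("B", 1_200_000, 1000, 2),
    Session("D", 50_000, 100, 2),
]
# Assumed baselines: mean average packet length (bytes) learnt in earlier rounds.
BASELINES = {"A": 1000.0, "B": 1100.0, "D": 500.0}


def run_detection(sessions=SAMPLE, n=2, preset=("D",), baselines=BASELINES):
    """Whole flow: pick objects from window 1, judge their window-2 statistics and
    return (chosen objects, per-object verdicts, updated baselines)."""
    first = [s for s in sessions if s.window == 1]
    chosen = select_objects(data_volume(first), n, preset)
    verdicts, updated = {}, dict(baselines)
    for obj in chosen:
        st = feature_stats(sessions, obj, window=2)
        base = baselines.get(obj)
        attack = st["mean"] is not None and base is not None and deviates(st["mean"], base)
        verdicts[obj] = {"stats": st, "attack": attack}
        # Learn only from windows judged normal, so an attack window cannot
        # drag the baseline towards itself.
        if base is not None and st["mean"] is not None and not attack:
            updated[obj] = smooth_baseline(base, st["mean"])
    return chosen, verdicts, updated


if __name__ == "__main__":
    chosen, verdicts, updated = run_detection()
    print("objects watched:", chosen)
    for obj, v in verdicts.items():
        print(obj, "ATTACK" if v["attack"] else "normal", v["stats"],
              "baseline ->", updated.get(obj))
```

Two design choices matter in practice. The baseline is only smoothed from windows that were judged normal; if every result fed the baseline, an attacker who ramps traffic slowly could train the baseline towards the attack profile and never trip the comparison. And the judged statistic is the mean rather than the sum the text offers as one option, because a sum of per-session feature values scales with how many sessions the window happens to contain and would need its own normalisation before a fixed baseline could be applied to it.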
  • For the specific application of the attack detection apparatus shown in FIG. 4, reference may be made to the method embodiment shown in FIG. 3; the details are not repeated here.
  • Each module shown in FIG. 4 is only a functional division of the attack detection device.
  • The attack detection device shown in FIG. 4 may be substantially the same device as the attack detection device shown in FIG. 2: FIG. 4 describes it from a logical perspective and FIG. 2 from a structural perspective.
  • The information obtaining module 401 shown in FIG. 4 can be implemented by the communication interface 203 shown in FIG. 2, and the data amount determining module 402, the object determining module 403, the feature value statistics module 404 and the attack determination module 405 shown in FIG. 4 can be implemented by the processor 201 shown in FIG. 2.
  • The disclosed system, apparatus and method may be implemented in other manners.
  • The device embodiments described above are merely illustrative.
  • The division of the modules is only a logical function division.
  • There may be another division manner in actual implementation; for example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • The mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or module, and may be electrical, mechanical or of another form.
  • The modules described as separate components may or may not be physically separated.
  • The components displayed as modules may or may not be physical modules, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • Each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist physically on its own, or two or more modules may be integrated into one module.
  • The above integrated modules may be implemented in the form of hardware or in the form of software functional modules.
  • An integrated module that is implemented in the form of a software functional module and sold or used as a separate product may be stored in a computer readable storage medium.
  • Such a storage medium holds a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present application.
  • The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network attack detection method used to provide more diverse and more detailed information for network attack detection. The network attack detection method described in the present invention consists in acquiring information about P sessions forwarded by a forwarding device, the P sessions each belonging to one object among Q objects. An attack detection apparatus then: determines a data amount of each of the Q objects; determines a first object according to the data amount of each object; and collects statistics of feature values of sessions of the first object in a second time period so as to obtain a statistical result, the statistical result being used to determine whether or not an attack exists in a network. The invention also relates to a related attack detection apparatus.
PCT/CN2016/112155 2016-05-31 2016-12-26 Network attack detection method and attack detection apparatus WO2017206499A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201610380229.1 2016-05-31
CN201610380229 2016-05-31
CN201610495352.8A CN107454052A (zh) 2016-05-31 2016-06-28 Network attack detection method and attack detection apparatus
CN201610495352.8 2016-06-28

Publications (1)

Publication Number Publication Date
WO2017206499A1 true WO2017206499A1 (fr) 2017-12-07

Family

ID=60479704

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/112155 WO2017206499A1 (fr) 2016-05-31 2016-12-26 Network attack detection method and attack detection apparatus

Country Status (1)

Country Link
WO (1) WO2017206499A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104283897A (zh) * 2014-10-29 2015-01-14 刘胜利 Fast extraction method for Trojan communication features based on multi-data-stream cluster analysis
CN104519031A (zh) * 2013-09-30 2015-04-15 西门子公司 Method and apparatus for malicious network behaviour detection
CN104580173A (zh) * 2014-12-25 2015-04-29 广东顺德中山大学卡内基梅隆大学国际联合研究院 SDN anomaly detection and blocking method and system
CN104901953A (zh) * 2015-05-05 2015-09-09 中国科学院信息工程研究所 Distributed detection method and system for ARP spoofing

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111601309A (zh) * 2020-05-29 2020-08-28 广东工业大学 Monitoring method and apparatus for a wireless rechargeable sensor network
CN115065568A (zh) * 2022-08-19 2022-09-16 北京珞安科技有限责任公司 Industrial control network intrusion detection method and system
CN115065568B (zh) * 2022-08-19 2022-12-20 北京珞安科技有限责任公司 Industrial control network intrusion detection method and system

Similar Documents

Publication Publication Date Title
JP6453976B2 (ja) Network system, control device, communication control method and communication control program
CN108282497B (zh) DDoS attack detection method for the SDN control plane
EP3073700B1 (fr) Method and apparatus for detecting a malicious attack
JP4774357B2 (ja) Statistical information collection system and statistical information collection device
KR101409563B1 (ko) Method and apparatus for identifying application protocols
US7843827B2 (en) Method and device for configuring a network device
KR101295708B1 (ko) Traffic collection device, traffic analysis device, system and analysis method thereof
CN1953392B (zh) Abnormal traffic detection method and packet relay apparatus
CN101729389B (zh) Traffic control apparatus and method based on traffic prediction and trusted network address learning
US20090282478A1 (en) Method and apparatus for processing network attack
CN106416171A (zh) Feature information analysis method and apparatus
RU2014124009A (ru) Method and system for streaming data to process network metadata
WO2011131076A1 (fr) Method and data communication device for constructing a flow table or flow forwarding entry
US9992081B2 (en) Scalable generation of inter-autonomous system traffic relations
Afaq et al. Large flows detection, marking, and mitigation based on sFlow standard in SDN
Pekár et al. Adaptive aggregation of flow records
WO2017206499A1 (fr) Network attack detection method and attack detection apparatus
US11863584B2 (en) Infection spread attack detection device, attack origin specification method, and program
JP6317685B2 (ja) Communication monitoring system, communication monitoring method and program
JP2022515990A (ja) System and method for monitoring traffic flows in a communication network
CN108667804B (zh) DDoS attack detection and protection method and system based on an SDN architecture
CN114020734A (zh) Traffic statistics deduplication method and apparatus
CN105099799B (zh) Botnet detection method and controller
CN103139206B (zh) Zombie host detection method and apparatus
CN107454052A (zh) Network attack detection method and attack detection apparatus

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16903879

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16903879

Country of ref document: EP

Kind code of ref document: A1