CN107733837A - Anomaly detection method and apparatus based on application-layer network anomaly packets - Google Patents


Info

Publication number
CN107733837A
Authority
CN
China
Prior art keywords
application layer
layer network
network abnormal
abnormal message
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610658106.XA
Other languages
Chinese (zh)
Inventor
朱梁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425  Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides an anomaly detection method and apparatus based on application-layer network anomaly packets. The method includes: the anomaly detection device creates, in the kernel, a shared memory region accessible to a user-mode process, the shared memory being used to store application-layer network anomaly packets; a kernel-mode process stores the collected application-layer network anomaly packets that satisfy a preset condition into the shared memory; and the user-mode process accesses the application-layer network anomaly packets stored in the shared memory based on the physical address of the shared memory and performs anomaly detection analysis. With the embodiments of the present invention, the anomaly detection device can accurately obtain complete application-layer network anomaly packets, which reduces the difficulty of anomaly detection based on such packets.

Description

Anomaly detection method and apparatus based on application-layer network anomaly packets
Technical field
The present application relates to the field of computer communication, and in particular to an anomaly detection method and apparatus based on application-layer network anomaly packets.
Background
With the rapid development of the Internet, the forms of application-layer packets on the network have become more varied, and abnormal traffic such as crafted packets appears in the network from time to time, which considerably affects anomaly detection analysis based on application-layer network anomaly packets.
However, because traditional anomaly detection analysis methods are generally unable to analyse the complete original application-layer packet, the difficulty of performing anomaly detection analysis based on application-layer network anomaly packets increases.
Summary of the invention
In view of this, the present application provides an anomaly detection method and apparatus based on application-layer network anomaly packets, which reduce the difficulty of anomaly detection by accurately obtaining complete application-layer network anomaly packets.
According to a first aspect of the embodiments of the present invention, an anomaly detection method based on application-layer network anomaly packets is provided. The method is applied to an anomaly detection device and includes:
creating, in the kernel, a shared memory region accessible to a user-mode process, the shared memory being used to store application-layer network anomaly packets;
storing, by a kernel-mode process, the collected application-layer network anomaly packets that satisfy a preset condition into the shared memory;
accessing, by the user-mode process and based on the physical address of the shared memory, the application-layer network anomaly packets stored in the shared memory, and performing anomaly detection analysis.
According to a second aspect of the embodiments of the present invention, an anomaly detection apparatus based on application-layer network anomaly packets is provided. The apparatus includes:
a creating unit, configured to create in the kernel a shared memory region accessible to a user-mode process, the shared memory being used to store application-layer network anomaly packets;
a first storage unit, configured so that the kernel-mode process stores the collected application-layer network anomaly packets that satisfy the preset condition into the shared memory;
an access unit, configured so that the user-mode process accesses, based on the physical address of the shared memory, the application-layer network anomaly packets stored in the shared memory and performs anomaly detection analysis.
The embodiments of the present application provide a new anomaly detection method based on application-layer network anomaly packets. By improving the mechanism for obtaining such packets, the anomaly detection device can create in the kernel a shared memory region accessible to a user-mode process; the kernel-mode process can store the collected application-layer network anomaly packets that satisfy the preset condition into that shared memory; and the user-mode process can access the packets stored in the shared memory based on its physical address and perform anomaly detection analysis.
On the one hand, because the anomaly detection device shares the application-layer network anomaly packets collected by the kernel-mode process with the user-mode process through shared memory, the user-mode process no longer needs to communicate with the kernel to obtain them. This improves the efficiency with which the user-mode process reads and writes these packets and increases the amount of packet data it can obtain, so that the user-mode process receives the complete application-layer network anomaly packet rather than an abbreviated summary of it.
On the other hand, the application-layer network anomaly packets in the kernel are collected by the kernel-mode process rather than by the chip, so the collection can be completed more accurately on the basis of application-layer features.
In summary, the method of the embodiments of the present invention can accurately obtain complete application-layer network anomaly packets, reducing the difficulty of anomaly detection analysis based on such packets.
Brief description of the drawings
Fig. 1 is a flow chart of an anomaly detection method based on application-layer network anomaly packets according to an exemplary embodiment of the present application;
Fig. 2 is a flow chart of another anomaly detection method based on application-layer network anomaly packets according to an exemplary embodiment of the present application;
Fig. 3 is a hardware structure diagram of a device in which an anomaly detection apparatus based on application-layer network anomaly packets according to an exemplary embodiment of the present application is located;
Fig. 4 is a block diagram of an anomaly detection apparatus based on application-layer network anomaly packets according to an exemplary embodiment of the present application.
Detailed description
Exemplary embodiments will now be described in detail, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the present application. The singular forms "a", "said" and "the" used in the present application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be referred to as second information, and similarly second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the related art, application-layer network anomaly packets are typically obtained either through Netlink (a socket interface) or through ACLs (Access Control Lists) implemented on the switching chip.
In the mechanism that obtains application-layer network anomaly packets through ACLs on the switching chip, an ACL is normally configured on a port of the anomaly detection device. The pre-configured ACL can contain a capture condition (i.e. the preset condition) expressed as ACL rules; when a packet received on the port satisfies the capture condition configured in the ACL, the packet is determined to be an application-layer network anomaly packet.
The forwarding chip can mirror the application-layer network anomaly packet and send it to a designated anomaly detection analysis device. After the designated analysis device receives the packet, it can analyse it.
However, when the chip collects application-layer packets it must do so according to the capture condition (i.e. the preset condition) pre-configured as ACL rules, and ACL rules make it difficult to express a capture condition that matches the application-layer features of the packets. Because the capture condition cannot be set accurately, the switching chip collects a large number of interfering packets alongside the application-layer network anomaly packets and sends them all to the designated analysis device, which makes anomaly detection analysis based on application-layer network anomaly packets more difficult for that device.
Of course, in the related art, besides obtaining application-layer network anomaly packets through ACLs on the switching chip as described above, they can also be obtained through Netlink.
In the mechanism that obtains application-layer network anomaly packets through Netlink, a kernel-mode process normally uses a sniffer to monitor the packets received on each port of the anomaly detection device; when a received packet is found to satisfy the pre-configured capture condition (i.e. the preset condition), it is determined to be an application-layer network anomaly packet. The kernel-mode process can mirror that packet. The capture condition can be configured on the basis of the application-layer features of network packets.
The kernel-mode process can establish a session with the user-mode process through Netlink to implement communication between the two. Normally, the kernel-mode process sends the mirrored application-layer network anomaly packet to the user-mode process over the Netlink session. After receiving the packet, the user-mode process can analyse it locally to perform anomaly detection analysis of the relevant device or service.
Obtaining network packets through Netlink does free the capture condition (i.e. the preset condition) from the limitations of the ACL rules in the scheme above: the condition can be set more precisely according to the application-layer features of the anomaly packets, and large numbers of interfering packets are not mirrored.
However, communication between the user-mode process and the kernel-mode process through a Netlink session is only suitable for transferring small amounts of data. When the kernel-mode process transfers application-layer network anomaly packets to the user-mode process in this way, the user-mode process often obtains only abbreviated information about the packet rather than the complete original packet, which again increases the difficulty of anomaly detection analysis based on such packets.
In summary, when application-layer network anomaly packets are obtained through ACLs on the switching chip, the analysis device does receive the complete packet, but because the capture condition (i.e. the preset condition) is set through the ACL it is difficult to express a condition that matches the application-layer features of packets, and this imprecision means that a large number of interfering packets are collected.
When the packets are obtained through Netlink, the preset condition under which the kernel collects them is more accurate and large numbers of interfering packets are not collected, but the Netlink communication mechanism is only suitable for small data volumes, so the user-mode process receives only abbreviated information about the packets sent by the kernel-mode process.
Both related schemes therefore increase the difficulty of anomaly detection analysis based on application-layer network anomaly packets.
The embodiments of the present application provide a new anomaly detection method based on application-layer network anomaly packets. By improving the mechanism for obtaining such packets, the anomaly detection device can create in the kernel a shared memory region accessible to a user-mode process; the kernel-mode process can store the collected application-layer network anomaly packets that satisfy the preset condition into that shared memory; and the user-mode process can access the packets stored in the shared memory based on its physical address and perform anomaly detection analysis.
On the one hand, because the anomaly detection device shares the application-layer network anomaly packets collected by the kernel-mode process with the user-mode process through shared memory, the user-mode process no longer needs to communicate with the kernel to obtain them. This improves the efficiency with which the user-mode process reads and writes these packets and increases the amount of packet data it can obtain, so that the user-mode process receives the complete application-layer network anomaly packet rather than an abbreviated summary of it.
On the other hand, the application-layer network anomaly packets in the kernel are collected by the kernel-mode process rather than by the chip, so the collection can be completed more accurately on the basis of application-layer features.
In summary, the method of the embodiments of the present invention can accurately obtain complete application-layer network anomaly packets, reducing the difficulty of anomaly detection analysis based on such packets.
Referring to Fig. 1, which is a flow chart of an anomaly detection method based on application-layer network anomaly packets according to an exemplary embodiment of the present application, the method is applied to an anomaly detection device and comprises the following steps:
Step 101: create, in the kernel, a shared memory region accessible to a user-mode process, the shared memory being used to store application-layer network anomaly packets.
In the related art, the user-mode process has no permission to obtain the original application-layer network anomaly packets, so to obtain them it typically communicates with the kernel, and the kernel-mode process passes the packets it has obtained to the user-mode process.
For example, in the related mechanism for obtaining application-layer network anomaly packets, the kernel-mode process can communicate with the user-mode process through the Netlink (socket) technique.
The kernel-mode process can establish a session with the user-mode process through Netlink and transmit the obtained application-layer network anomaly packets to the user-mode process over that session, and the user-mode process can then perform anomaly detection analysis locally on the anomaly packets transmitted by the kernel-mode process.
However, because the Netlink-based communication mechanism between the kernel-mode process and the user-mode process is only suitable for small data volumes, if the kernel-mode process transmits application-layer network anomaly packets to the user-mode process through Netlink, the user-mode process often receives only abbreviated information about the packet and cannot receive the complete packet. This increases the difficulty of anomaly detection analysis based on application-layer network anomaly packets.
In this embodiment, the network device can share the application-layer network anomaly packets collected by the kernel-mode process with the user-mode process through shared memory, so that the user-mode process no longer needs to communicate with the kernel to obtain them. This improves the efficiency with which the user-mode process reads and writes the packets and increases the amount of packet data it can obtain, so that the user-mode process receives the complete application-layer network anomaly packet.
In implementation, a region of physical memory for storing application-layer network anomaly packets can be allocated in kernel mode, and the kernel-mode process can pass the address information of that physical memory to the user-mode process through a proc file. The user-mode process can then use the mmap() function to establish a mapping between the physical address of the physical memory and a logical address in its own logical address space, thereby establishing a shared memory region in the kernel that the user-mode process can access.
Here, proc is a pseudo file system in Linux that provides an interface for accessing kernel data through file-system operations. A user-mode process can obtain data and parameters related to kernel-mode processes through proc files.
The shared memory described above can be dedicated to storing application-layer network anomaly packets, so that it is not overwritten by business data used for other purposes.
The address information includes the starting physical address and the length of the physical memory.
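The user-space half of this mapping, as an added example that is not part of the patent: it parses the address line the kernel publishes and maps the region with mmap(), taking care of the page-alignment requirement on the file offset. The proc path, the "<hex start address> <length>" text format and the use of /dev/mem as the mapping device are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed path of the proc file through which the kernel publishes the region. */
#define SHM_PROC_PATH "/proc/app_anomaly_shm"

struct shm_region {
    uint64_t phys_start;   /* starting physical address published by the kernel */
    size_t   length;       /* region length in bytes, as published */
    void    *base;         /* user-space logical address that maps phys_start */
    void    *map_base;     /* page-aligned start of the mapping (for munmap) */
    size_t   map_len;      /* total mapped length (for munmap) */
};

/* Parse the published line, assumed to look like "0x1f400000 1048576".
 * Returns 0 on success, -1 if either value is missing or the length is zero. */
int parse_region_line(const char *line, uint64_t *phys, size_t *len)
{
    char *end;
    unsigned long long p = strtoull(line, &end, 0);
    if (end == line) return -1;
    unsigned long long l = strtoull(end, &end, 0);
    if (l == 0) return -1;
    *phys = (uint64_t)p;
    *len = (size_t)l;
    return 0;
}

/* mmap() only accepts page-aligned file offsets, and the published start
 * address need not be page aligned. Map from the containing page boundary and
 * remember the delta; getting this wrong shifts every packet the reader sees. */
int map_region(int fd, uint64_t phys, size_t len, struct shm_region *r)
{
    uint64_t page = (uint64_t)sysconf(_SC_PAGESIZE);
    uint64_t delta = phys % page;
    uint64_t aligned = phys - delta;
    size_t total = (size_t)(delta + len);

    void *m = mmap(NULL, total, PROT_READ, MAP_SHARED, fd, (off_t)aligned);
    if (m == MAP_FAILED) return -1;
    r->phys_start = phys;
    r->length = len;
    r->map_base = m;
    r->map_len = total;
    r->base = (char *)m + delta;
    return 0;
}

void unmap_region(struct shm_region *r)
{
    if (r->map_base) munmap(r->map_base, r->map_len);
    r->map_base = NULL;
    r->base = NULL;
}

/* Read the published address line, open the mapping device and map the region.
 * Returns 0 on success, -1 on any failure (missing file, bad line, mmap error). */
int open_shared_packets(const char *proc_path, struct shm_region *r)
{
    char line[128];
    uint64_t phys;
    size_t len;
    FILE *f = fopen(proc_path, "r");
    if (!f) return -1;
    if (!fgets(line, sizeof line, f)) { fclose(f); return -1; }
    fclose(f);
    if (parse_region_line(line, &phys, &len)) return -1;

    /* /dev/mem as the mapping device is an assumption of this example. */
    int fd = open("/dev/mem", O_RDONLY | O_SYNC);
    if (fd < 0) return -1;
    int rc = map_region(fd, phys, len, r);
    close(fd);                 /* the mapping stays valid after the descriptor is closed */
    return rc;
}
```

On most distributions /dev/mem access is restricted (CONFIG_STRICT_DEVMEM), so a production driver would normally expose the region through its own mmap() file operation and the user-mode process would map that file with the same alignment logic.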
Step 102: the kernel-mode process stores the collected application-layer network anomaly packets that satisfy the preset condition into the shared memory.
In the related art, network anomaly packets are typically collected by configuring ACL rules on the forwarding chip, setting a capture condition (i.e. the preset condition) in the ACL rules, and capturing the anomaly packets by mirroring. Mirror capture means copying the network anomaly packets that satisfy the capture condition set in the ACL rules, thereby completing the capture of those packets.
However, when mirror capture is performed through ACL rules, the forwarding chip generally cannot directly access the original application-layer network anomaly packets in the kernel, so when the capture condition (i.e. the preset condition) is set it is difficult to include accurate application-layer anomaly packet features in it. As a result, the switching chip captures a large number of non-application-layer anomaly packets on the basis of the ACL rules. These packets are interfering packets, and if they are also sent together to the designated anomaly detection device they make anomaly detection analysis of the application-layer anomaly packets more difficult.
In this embodiment, the anomaly detection device no longer collects application-layer network anomaly packets through the forwarding chip but through the kernel-mode process. Because the kernel-mode process has access to the original application-layer network anomaly packets, it can set a more accurate capture condition (i.e. the preset condition) based on application-layer features and complete the collection of such packets.
In this embodiment, after the kernel-mode process has created the shared memory described above, it can mirror the application-layer network anomaly packets that satisfy the pre-configured capture condition (i.e. the mirroring condition) matching the application-layer features of network anomaly packets, and store the mirrored packets in the shared memory, so that the user-mode process can access the application-layer network anomaly packets there and perform anomaly detection analysis based on an analysis of those packets.
In implementation, the kernel can judge the packets received on a port against the capture condition (i.e. the mirroring condition) that matches the application-layer features of network anomaly packets. If the application-layer content of a received packet satisfies the capture condition, the packet can be mirrored and the mirrored application-layer network anomaly packet stored in the shared memory.
In addition, when the capture condition (i.e. the preset condition) is pre-configured, the specific application-layer features it contains generally depend on the particular application-layer protocol and are not specifically limited in this example.
Step 103: the user-mode process accesses, based on the physical address of the shared memory, the application-layer network anomaly packets stored in the shared memory and performs anomaly detection analysis.
In this embodiment, the user-mode process can access the application-layer network anomaly packets in the shared memory described above.
In implementation, the user-mode process can use the mapping described above to find the physical address corresponding to a logical address in its own address space and, from that physical address, locate the corresponding physical memory.
Once the physical memory is located, the user-mode process can access the application-layer network anomaly packets stored in it, and can store those packets locally in pcap format so that it can perform anomaly detection analysis on them locally.
Storing the application-layer network anomaly packets in pcap format, on the one hand, preserves the original packets completely; on the other hand, it allows a tool such as wireshark (network packet analysis software) to be used locally for visual analysis of the packets, making the analysis clearer and more intuitive.
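The collection of step 102 and the pcap storage of step 103, as one added example that is not from the patent: a collector checks frames against an application-layer capture condition and appends matching frames to a shared region as length-prefixed records, and a reader serialises the region as a libpcap file. Because the patent leaves the condition protocol-specific, an HTTP-request condition is assumed here; the record layout, the sample frame and all names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Shared-region layout (assumed): a 16-byte header followed by packed records. */
struct shm_hdr { uint32_t used; uint32_t capacity; uint32_t dropped; uint32_t pad; };
struct rec_hdr { uint32_t len; uint32_t ts_sec; uint32_t ts_usec; uint32_t pad; };

/* libpcap file headers, written in host byte order; readers detect the order from the magic. */
struct pcap_ghdr { uint32_t magic; uint16_t major, minor; int32_t thiszone; uint32_t sigfigs, snaplen, network; };
struct pcap_rhdr { uint32_t ts_sec, ts_usec, incl_len, orig_len; };

/* Assumed capture condition: TCP to dst_port whose payload starts with one of
 * the listed application-layer tokens (here, HTTP request methods). */
struct capture_cond { uint16_t dst_port; const char *const *prefixes; size_t nprefixes; };

/* Constructed sample frame: Ethernet + IPv4 + TCP to port 80 + "GET / HTTP/1.1\r\n". */
const uint8_t SAMPLE_HTTP_FRAME[70] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x38, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0xc0,0x00,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x18,0xff,0xff, 0,0,0,0,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n' };
const char *const HTTP_METHODS[] = { "GET ", "POST ", "PUT " };
const struct capture_cond HTTP_COND = { 80, HTTP_METHODS, 3 };

/* Walk Ethernet/IPv4/TCP and return the TCP payload, or NULL for anything that is not a
 * well-formed TCP segment. Every length field is checked against the bytes actually received. */
static const uint8_t *tcp_payload(const uint8_t *f, size_t n, uint16_t *dport, size_t *plen)
{
    if (n < 14 + 20 + 20 || f[12] != 0x08 || f[13] != 0x00) return NULL;   /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return NULL;           /* not TCP */
    size_t iplen = ((size_t)ip[2] << 8) | ip[3];
    if (iplen < ihl + 20 || 14 + iplen > n) return NULL;                     /* truncated */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > iplen) return NULL;
    *dport = (uint16_t)(((uint16_t)tcp[2] << 8) | tcp[3]);
    *plen = iplen - ihl - doff;
    return tcp + doff;
}

/* Collector side: 1 if the frame satisfies the capture condition, else 0. */
int matches_condition(const uint8_t *f, size_t n, const struct capture_cond *c)
{
    uint16_t dport; size_t plen;
    const uint8_t *p = tcp_payload(f, n, &dport, &plen);
    if (!p || dport != c->dst_port) return 0;
    for (size_t i = 0; i < c->nprefixes; i++) {
        size_t l = strlen(c->prefixes[i]);
        if (plen >= l && memcmp(p, c->prefixes[i], l) == 0) return 1;
    }
    return 0;
}

void shm_init(uint8_t *region, uint32_t capacity)
{
    struct shm_hdr h = { 0, capacity, 0, 0 };
    memcpy(region, &h, sizeof h);
}

/* Collector side: append one frame as a record; -1 (and a counted drop) when the region is full. */
int shm_store(uint8_t *region, const uint8_t *f, size_t n, uint32_t sec, uint32_t usec)
{
    struct shm_hdr h; memcpy(&h, region, sizeof h);
    size_t need = sizeof(struct rec_hdr) + n;
    if (sizeof h + h.used + need > h.capacity) {
        h.dropped++; memcpy(region, &h, sizeof h);
        return -1;
    }
    struct rec_hdr r = { (uint32_t)n, sec, usec, 0 };
    uint8_t *dst = region + sizeof h + h.used;
    memcpy(dst, &r, sizeof r);
    memcpy(dst + sizeof r, f, n);
    h.used += (uint32_t)need;
    memcpy(region, &h, sizeof h);
    return 0;
}

/* Reader side: serialise every record as a libpcap file (magic 0xa1b2c3d4, version 2.4,
 * link type 1 = Ethernet). Returns bytes written, or -1 if out is too small. */
long shm_to_pcap(const uint8_t *region, uint8_t *out, size_t outcap)
{
    struct shm_hdr h; memcpy(&h, region, sizeof h);
    struct pcap_ghdr g = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 };
    size_t off = 0, pos = 0;
    if (outcap < sizeof g) return -1;
    memcpy(out, &g, sizeof g); pos += sizeof g;
    while (off < h.used) {
        struct rec_hdr r; memcpy(&r, region + sizeof h + off, sizeof r);
        struct pcap_rhdr p = { r.ts_sec, r.ts_usec, r.len, r.len };
        if (pos + sizeof p + r.len > outcap) return -1;
        memcpy(out + pos, &p, sizeof p); pos += sizeof p;
        memcpy(out + pos, region + sizeof h + off + sizeof r, r.len); pos += r.len;
        off += sizeof r + r.len;
    }
    return (long)pos;
}
```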
To increase the stability of the local system and reduce its operating load, the kernel-mode process can also send the collected application-layer network anomaly packets to a designated anomaly detection analysis device, which analyses them after receiving them.
In implementation, to make the transfer of packets more convenient and secure, the kernel-mode process can send the application-layer network anomaly packets to the designated anomaly detection analysis device through a tunnelling technique.
When the anomaly detection analysis resources of the local kernel system are insufficient, or when the designated anomaly detection analysis device sends an access request for application-layer network anomaly packets to the local anomaly detection device, the kernel-mode process can use IP tunnelling: it encapsulates the application-layer network anomaly packets in IPIP format and sends the encapsulated packets to the designated analysis device through the IP tunnel.
After the designated analysis device receives the application-layer network anomaly packets, it can decapsulate them according to the rules of the IPIP format and analyse the decapsulated packets, thereby relieving the local device of the pressure of analysing them.
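The IPIP encapsulation and decapsulation just described, as an added example that is not from the patent, run on a constructed inner packet. The addresses, the sample payload, the macro and function names, and the receiver-side checks (outer length, protocol number, header checksum, inner length) are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPIP_PROTO 4   /* IANA protocol number for IP-in-IP; the macro name is this example's */

/* Constructed inner packet: a minimal IPv4 header (protocol 17) plus 4 payload bytes. */
const uint8_t SAMPLE_INNER[24] = {
    0x45,0x00,0x00,0x18, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2, 'a','b','c','d' };

/* Ones'-complement Internet checksum; returns 0 when run over a header whose
 * checksum field is already correct. */
uint16_t ip_checksum(const uint8_t *b, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += ((uint32_t)b[i] << 8) | b[i + 1];
    if (n & 1) sum += (uint32_t)b[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sender side: prepend an outer IPv4 header carrying protocol 4 to the inner
 * packet. Returns the total length, or -1 if the input is not IPv4 or does not fit. */
long ipip_encap(const uint8_t *inner, size_t n, const uint8_t src[4],
                const uint8_t dst[4], uint8_t *out, size_t outcap)
{
    if (n < 20 || (inner[0] >> 4) != 4 || 20 + n > 65535 || 20 + n > outcap) return -1;
    uint8_t *h = out;
    memset(h, 0, 20);
    h[0] = 0x45;                                  /* IPv4, 20-byte header */
    h[2] = (uint8_t)((20 + n) >> 8); h[3] = (uint8_t)(20 + n);
    h[8] = 64;                                    /* TTL */
    h[9] = IPIP_PROTO;
    memcpy(h + 12, src, 4);
    memcpy(h + 16, dst, 4);
    uint16_t c = ip_checksum(h, 20);
    h[10] = (uint8_t)(c >> 8); h[11] = (uint8_t)c;
    memcpy(out + 20, inner, n);
    return (long)(20 + n);
}

/* Receiver side: validate the outer header before trusting anything inside it,
 * then report where the inner packet starts and how long it is. Returns 0 or -1. */
int ipip_decap(const uint8_t *buf, size_t n, size_t *inner_off, size_t *inner_len)
{
    if (n < 40) return -1;                                   /* outer + minimal inner */
    size_t ohl = (size_t)(buf[0] & 0x0f) * 4;
    if ((buf[0] >> 4) != 4 || ohl < 20 || ohl + 20 > n) return -1;
    size_t tot = ((size_t)buf[2] << 8) | buf[3];
    if (tot < ohl + 20 || tot > n) return -1;                /* truncated or oversized */
    if (buf[9] != IPIP_PROTO) return -1;                     /* not an IPIP packet */
    if (ip_checksum(buf, ohl) != 0) return -1;               /* outer header corrupted */
    const uint8_t *in = buf + ohl;
    size_t itot = ((size_t)in[2] << 8) | in[3];
    if ((in[0] >> 4) != 4 || itot < 20 || itot > tot - ohl) return -1;   /* inner must fit */
    *inner_off = ohl;
    *inner_len = itot;
    return 0;
}
```

A real tunnel endpoint would additionally restrict which outer source addresses it accepts decapsulated traffic from, since anything that passes these structural checks is handed to the analysis stage.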
The embodiment of the present application provides a kind of new method for detecting abnormality based on application layer Network Abnormal message, by obtaining The improvement of the mechanism of application layer Network Abnormal message is taken, abnormality detecting apparatus can create User space process in kernel and may have access to Shared drive;Kernel state process can store the application layer Network Abnormal message for meeting preparatory condition collected to described Shared drive.User space process can access the application layer net stored in the shared drive based on the physical address of the shared drive Network exception message, and can by the application layer Network Abnormal message with pcap file formats locally stored, so as to Locally based on the analysis to the application layer Network Abnormal message, abnormality detection analysis is carried out.
Set in addition, kernel state process can also send the application layer Network Abnormal message to specified abnormality detection analysis It is standby so that the abnormality detection analytical equipment can carry out abnormality detection point based on the analysis to the application layer Network Abnormal message Analysis.
On the one hand, because abnormality detecting apparatus can be answered by way of shared drive by what kernel state process collected User space process is shared to layer network exception message, and no longer needs User space process to be communicated with kernel state and is answered to obtain With layer network exception message, therefore read-write efficiency of the User space process for application layer Network Abnormal message can be lifted, increased The amount to obtain of application layer Network Abnormal message, so as to which User space process can get complete application layer Network Abnormal message, Rather than the shorthand information of the application layer Network Abnormal message.
On the other hand, the application layer Network Abnormal message in kernel is gathered by kernel state process, rather than passes through core Piece acquisition applications layer network exception message, therefore, application layer Network Abnormal can more accurately be completed based on application layer feature The collection of message.
In addition, kernel state process can also send the application layer Network Abnormal message got to specified abnormality detection point Desorption device is analyzed, it is possible to reduce the system operation load of the local analytics application layer Network Abnormal message.
Meanwhile User space process stores the application layer Network Abnormal message into pcap file formats, it is possible to achieve to this The visual analyzing of application layer Network Abnormal message so that the analysis of message becomes apparent from, intuitively, and then is analyzed for abnormality detection Provide convenience.
Referring to Fig. 2, Fig. 2 is a flow chart of another anomaly detection method based on abnormal application-layer packets shown in an exemplary embodiment of the application; the method is applied to an anomaly detection device and includes the following steps:
Step 201: Apply in kernel mode for physical memory for storing abnormal application-layer packets, in order to create shared memory.
Step 202: The kernel-mode process sends the start physical address and length of the physical memory to the user-mode process through a proc file.
Step 203: Based on the start physical address and length, the user-mode process establishes a mapping between the physical address of the physical memory and a logical address in the logical address space of the user-mode process.
In the related art, because the user-mode process does not have permission to access the original abnormal application-layer packets, it usually obtains them by communicating with kernel mode: the kernel-mode process passes the packets it has obtained to the user-mode process.
For example, in the related mechanism for obtaining abnormal application-layer packets, the kernel-mode process can communicate with the user-mode process through Netlink (socket) technology.
The kernel-mode process can establish a session with the user-mode process through Netlink and transmit the obtained abnormal application-layer packets to the user-mode process over that session; the user-mode process can then perform anomaly detection analysis locally on the abnormal packets transmitted by the kernel-mode process.
However, the Netlink-based communication mechanism between kernel-mode and user-mode processes is suitable only for transferring small amounts of data. Therefore, if the kernel-mode process transmits abnormal application-layer packets to the user-mode process through Netlink, the user-mode process can often receive only an abbreviated form of the packet rather than the complete packet, which makes anomaly detection analysis based on those packets more difficult.
In this embodiment, the network device can share the abnormal application-layer packets collected by the kernel-mode process with the user-mode process through shared memory, so the user-mode process no longer needs to communicate with kernel mode to obtain them. This improves the read/write efficiency of the user-mode process for these packets and increases the amount that can be obtained, so that the user-mode process can obtain the complete packet.
In implementation, a section of physical memory for storing abnormal application-layer packets can be applied for in kernel mode, and the kernel-mode process can pass the start physical address and the length of that physical memory to the user-mode process through a proc file. The user-mode process can then use the mmap() function to establish a mapping between the physical address of the physical memory and a logical address in its own logical address space, thereby establishing shared memory in kernel mode that the user-mode process can access.
The proc file mentioned above belongs to a pseudo file system in Linux systems, which provides an interface for accessing kernel data through file-system operations. A user-mode process can obtain data and parameters related to kernel-mode processes through proc files.
The shared memory described above can be used exclusively for storing abnormal application-layer packets and will not be overwritten by business data for other purposes.
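The user-mode side of steps 201 to 203 can be illustrated with the following added example, which is not part of the patent or the applicant's code. It assumes that the kernel-mode process publishes a single line of the form "0x<start physical address> <length>" in a proc file named /proc/anomaly_shm (both the file name and the line format are assumptions), parses that line, page-aligns the region for mmap(), and keeps the mapping relation between the logical addresses of the user-mode process and the physical addresses of the shared memory. Mapping /dev/mem requires root and a kernel that permits it, so the mapping call is kept in main() and the address arithmetic is kept in separate functions.

```c
/* Added example (not from the patent): user-mode consumption of the "start physical
 * address + length" published by the kernel-mode process through a proc file, and the
 * logical <-> physical mapping relation of step 203. /proc/anomaly_shm and its
 * "0x<addr> <len>" line format are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

#define SHM_PROC_FILE "/proc/anomaly_shm"   /* assumed proc file name */

struct shm_region {
    uint64_t phys_base;   /* start physical address published by the kernel-mode process */
    size_t   length;      /* length of the physical memory in bytes */
    uint8_t *virt_base;   /* logical address in the user-mode process (NULL until mapped) */
};

/* Parse one proc-file line "0x<phys_base> <length>" (assumed format).
 * Returns 0 on success, -1 on a malformed line or a zero length. */
int parse_shm_descriptor(const char *line, struct shm_region *r)
{
    unsigned long long base = 0, len = 0;
    if (sscanf(line, "%llx %llu", &base, &len) != 2 || len == 0)
        return -1;
    r->phys_base = base;
    r->length = (size_t)len;
    r->virt_base = NULL;
    return 0;
}

/* mmap offsets must be page multiples: map from the page containing phys_base and
 * remember the intra-page offset (delta) so the region start can be recovered. */
int align_for_mmap(uint64_t phys_base, size_t length, size_t page_size,
                   uint64_t *map_off, size_t *map_len, size_t *delta)
{
    if (page_size == 0 || (page_size & (page_size - 1)) != 0)
        return -1;                                    /* page size must be a power of two */
    *map_off = phys_base & ~(uint64_t)(page_size - 1);
    *delta   = (size_t)(phys_base - *map_off);
    *map_len = (*delta + length + page_size - 1) & ~(page_size - 1);
    return 0;
}

/* Logical -> physical translation (the mapping relation of step 203).
 * Returns 0 when the logical address lies outside the mapped shared memory. */
uint64_t logical_to_physical(const struct shm_region *r, const uint8_t *logical)
{
    if (r->virt_base == NULL || logical < r->virt_base ||
        logical >= r->virt_base + r->length)
        return 0;
    return r->phys_base + (uint64_t)(logical - r->virt_base);
}

/* Physical -> logical translation, used when the kernel-mode process hands over an
 * address inside the shared memory. Returns NULL when outside the region. */
uint8_t *physical_to_logical(const struct shm_region *r, uint64_t phys)
{
    if (r->virt_base == NULL || phys < r->phys_base || phys >= r->phys_base + r->length)
        return NULL;
    return r->virt_base + (phys - r->phys_base);
}

/* Map the physical memory through /dev/mem (needs root and a permitting kernel). */
int map_shm_region(struct shm_region *r)
{
    uint64_t off; size_t len, delta;
    if (align_for_mmap(r->phys_base, r->length, (size_t)sysconf(_SC_PAGESIZE),
                       &off, &len, &delta))
        return -1;
    int fd = open("/dev/mem", O_RDONLY | O_SYNC);
    if (fd < 0) return -1;
    void *p = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, (off_t)off);
    close(fd);
    if (p == MAP_FAILED) return -1;
    r->virt_base = (uint8_t *)p + delta;
    return 0;
}

int main(void)
{
    struct shm_region r;
    char line[64];
    FILE *f = fopen(SHM_PROC_FILE, "r");
    if (!f || !fgets(line, sizeof line, f) || parse_shm_descriptor(line, &r)) {
        fprintf(stderr, "cannot read a valid descriptor from %s\n", SHM_PROC_FILE);
        return 1;
    }
    fclose(f);
    if (map_shm_region(&r)) { perror("mmap"); return 1; }
    printf("shared memory %#" PRIx64 " (%zu bytes) mapped at %p\n",
           r.phys_base, r.length, (void *)r.virt_base);
    return 0;
}
```

The region is mapped read-only on purpose: the user-mode process only consumes packets the kernel-mode process has mirrored, so it has no reason to write into the shared memory.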
Step 204: Based on the preset condition, the kernel-mode process mirrors the abnormal application-layer packet.
Step 205: The kernel-mode process stores the abnormal application-layer packet into the physical memory.
In the related art, abnormal network packets are usually collected by configuring ACL rules on the forwarding chip and setting a capture condition (i.e. the preset condition) in the ACL rule, so that the abnormal packets are mirrored and captured. Mirrored capture means that the abnormal packets satisfying the capture condition set in the ACL rule are copied, which completes the capture of those packets.
However, when mirrored capture is performed through ACL rules, the forwarding chip generally cannot directly access the original abnormal application-layer packets in the kernel. It is therefore difficult to set accurate application-layer packet features in the capture condition (i.e. the preset condition), so the switching chip captures a large number of non-application-layer abnormal packets based on the ACL rule. These packets are interference; if they are also sent to the designated anomaly detection device, they make the anomaly detection analysis of abnormal application-layer packets more difficult.
In this embodiment, the anomaly detection device no longer collects abnormal application-layer packets through the forwarding chip but through the kernel-mode process. Because the kernel-mode process has access to the original abnormal application-layer packets, a more accurate capture condition (i.e. preset condition) can be set based on application-layer features, and the collection of abnormal application-layer packets can be completed.
In this embodiment, after the kernel-mode process creates the shared memory described above, it can mirror the abnormal application-layer packets that satisfy the preset capture condition (i.e. mirroring condition) matching the application-layer features of abnormal packets, and store the mirrored packets in the shared memory. The user-mode process can then access the abnormal application-layer packets in the shared memory and perform anomaly detection analysis based on analyzing them.
In implementation, kernel mode can judge the packets received on a port against the capture condition (i.e. mirroring condition) matching the application-layer features of abnormal packets. If the application-layer content of a received packet satisfies the capture condition (i.e. mirroring condition), the abnormal application-layer packet can be mirrored and the mirrored copy stored in the shared memory.
In addition, when the capture condition (i.e. preset condition) is preset, the specific content of the application-layer features it contains generally depends on the specific application-layer protocol and is not particularly limited in this example.
To reduce the system load of analyzing abnormal application-layer packets locally, the kernel-mode process can also perform step 208, sending the mirrored abnormal application-layer packet through an IP tunnel to the designated anomaly-detection analysis device, which can analyze the packet after receiving it.
Step 205 and step 208 are not limited in their order.
Step 206: The user-mode process accesses the abnormal application-layer packet stored in the shared memory.
Step 207: The user-mode process stores the accessed abnormal application-layer packet locally in pcap file format.
In this embodiment, the user-mode process can access the abnormal application-layer packets in the shared memory described above.
In implementation, based on the mapping relationship described above, the user-mode process can find the physical address corresponding to a logical address in its address space and, from that physical address, find the corresponding physical memory.
After finding the physical memory, the user-mode process can access the abnormal application-layer packets in it and store them locally in pcap format, so that it can perform anomaly detection based on those packets locally.
Storing the abnormal application-layer packets in pcap format serves two purposes: on the one hand, the original packets can be stored intact; on the other hand, the Wireshark tool can be used locally to analyze them visually, making the analysis of abnormal application-layer packets clearer and more intuitive.
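Steps 204 and 207 can be illustrated together with the following added example, which is not part of the patent or the applicant's code. The patent leaves the content of the capture condition protocol-specific, so the example assumes one such condition (the TCP payload of an IPv4 frame begins with an HTTP method) and constructs a sample Ethernet/IPv4/TCP frame carrying an HTTP request. A matching frame is written as a pcap image (magic 0xa1b2c3d4, link type 1 for Ethernet) that Wireshark can open; the sample frame and the rule are constructed for illustration and in practice the kernel-mode process would perform the match.

```c
/* Added example (not from the patent): an assumed application-layer capture condition
 * applied to a constructed Ethernet/IPv4/TCP frame, and storage of matching frames in
 * pcap format (steps 204 and 207). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define PCAP_MAGIC        0xa1b2c3d4u   /* little-endian pcap, microsecond timestamps */
#define LINKTYPE_ETHERNET 1u

/* Locate the TCP payload inside an Ethernet/IPv4 frame. Returns the payload length,
 * or -1 when the frame is not IPv4/TCP or any header is truncated. */
int tcp_payload(const uint8_t *frame, size_t len, const uint8_t **payload)
{
    if (len < 14 + 20) return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00) return -1;      /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return -1;
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];
    if (ip_total < ihl || 14 + ip_total > len) return -1;
    if (ip[9] != 6) return -1;                                    /* protocol TCP */
    const uint8_t *tcp = ip + ihl;
    if (ip_total - ihl < 20) return -1;
    size_t doff = (tcp[12] >> 4) * 4u;
    if (doff < 20 || ihl + doff > ip_total) return -1;
    *payload = tcp + doff;
    return (int)(ip_total - ihl - doff);
}

/* Capture condition on application-layer content: assumed rule "HTTP request line". */
int matches_capture_condition(const uint8_t *frame, size_t len)
{
    const uint8_t *p;
    int n = tcp_payload(frame, len, &p);
    if (n < 4) return 0;
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if ((size_t)n >= m && memcmp(p, methods[i], m) == 0) return 1;
    }
    return 0;
}

static void put32(uint8_t *b, uint32_t v)
{ b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); b[2] = (uint8_t)(v >> 16); b[3] = (uint8_t)(v >> 24); }
static void put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); }

/* 24-byte pcap global header. Returns the number of bytes written. */
size_t pcap_global_header(uint8_t *out)
{
    put32(out, PCAP_MAGIC); put16(out + 4, 2); put16(out + 6, 4);  /* version 2.4 */
    put32(out + 8, 0); put32(out + 12, 0);                        /* thiszone, sigfigs */
    put32(out + 16, 65535); put32(out + 20, LINKTYPE_ETHERNET);   /* snaplen, linktype */
    return 24;
}

/* 16-byte record header followed by the frame; returns bytes written, 0 if no room. */
size_t pcap_append_record(uint8_t *out, size_t cap, uint32_t ts_sec, uint32_t ts_usec,
                          const uint8_t *frame, uint32_t len)
{
    if (cap < 16 + (size_t)len) return 0;
    put32(out, ts_sec); put32(out + 4, ts_usec); put32(out + 8, len); put32(out + 12, len);
    memcpy(out + 16, frame, len);
    return 16 + len;
}

/* Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80 carrying an HTTP GET (102 bytes). */
size_t build_sample_http_frame(uint8_t *buf)
{
    static const char payload[] = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
    size_t plen = sizeof payload - 1;                 /* 48 bytes */
    uint8_t *e = buf, *ip = buf + 14, *tcp = buf + 34;
    memset(buf, 0, 14 + 40 + plen);
    memset(e, 0xaa, 6); memset(e + 6, 0xbb, 6); e[12] = 0x08; e[13] = 0x00;
    ip[0] = 0x45; ip[2] = (uint8_t)((40 + plen) >> 8); ip[3] = (uint8_t)(40 + plen);
    ip[8] = 64; ip[9] = 6;
    memcpy(ip + 12, "\x0a\x00\x00\x01", 4); memcpy(ip + 16, "\x0a\x00\x00\x02", 4);
    tcp[0] = 0x9c; tcp[1] = 0x40; tcp[2] = 0x00; tcp[3] = 0x50;   /* ports 40000 -> 80 */
    tcp[12] = 0x50; tcp[13] = 0x18; tcp[14] = 0xff; tcp[15] = 0xff; /* doff 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return 14 + 40 + plen;
}

/* Mirror a matching frame into a pcap image; returns the image length or 0 if the
 * frame does not satisfy the condition or the buffer is too small. */
size_t capture_to_pcap(const uint8_t *frame, size_t len, uint8_t *out, size_t cap)
{
    if (!matches_capture_condition(frame, len) || cap < 24) return 0;
    size_t used = pcap_global_header(out);
    size_t rec = pcap_append_record(out + used, cap - used, (uint32_t)time(NULL), 0,
                                    frame, (uint32_t)len);
    return rec ? used + rec : 0;
}

int main(void)
{
    uint8_t frame[256], image[512];
    size_t n = build_sample_http_frame(frame);
    size_t total = capture_to_pcap(frame, n, image, sizeof image);
    FILE *f = total ? fopen("anomaly_sample.pcap", "wb") : NULL;
    if (!f) return 1;
    fwrite(image, 1, total, f);
    fclose(f);
    printf("wrote %zu bytes (1 record of %zu bytes) to anomaly_sample.pcap\n", total, n);
    return 0;
}
```

The length checks in tcp_payload matter more than the rule itself: a capture condition that reads application-layer bytes must never trust the IHL, total length or data offset fields of a packet it has not yet validated.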
Step 208: The kernel-mode process encapsulates the abnormal application-layer packet in IPIP packet format.
Step 209: The kernel-mode process sends the encapsulated abnormal application-layer packet to the designated anomaly-detection analysis device.
In this embodiment, to increase the stability of the local system and reduce its operating load, the kernel-mode process can send the obtained abnormal application-layer packets to a designated anomaly-detection analysis device, which can analyze them after receiving them.
In implementation, to make the transmission of the packets more convenient and secure, the kernel-mode process can send the abnormal application-layer packets to the designated anomaly-detection analysis device using tunneling technology.
When the anomaly detection analysis resources of the local system are insufficient, or when the designated anomaly-detection analysis device sends the local anomaly detection device an access request for abnormal application-layer packets, the kernel-mode process can, based on IP tunnel technology, encapsulate the abnormal application-layer packets in IPIP packet format and send the encapsulated packets to the designated analysis device through the IP tunnel.
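Steps 208 and 209 and the decapsulation performed by the analysis device can be illustrated with the following added example, which is not part of the patent or the applicant's code. It wraps a constructed inner IPv4 packet in an outer IPv4 header with protocol number 4 (IP-in-IP), computes the outer header checksum, and shows the receiving side verifying and stripping that header; the tunnel endpoint addresses, TTL and the inner packet are constructed, and the actual transport (a raw socket or a kernel tunnel interface) is outside the example.

```c
/* Added example (not from the patent): IPIP encapsulation of a captured IPv4 packet and
 * the matching decapsulation on the analysis device (steps 208-209). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPPROTO_IPIP_NUM 4   /* IP-in-IP protocol number */

/* Standard one's-complement Internet checksum over a header. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Wrap an inner IPv4 packet in an outer IPv4 header with protocol 4. Returns the outer
 * packet length, or 0 if the inner packet is malformed or the buffer is too small. */
size_t ipip_encapsulate(const uint8_t *inner, size_t inner_len, const uint8_t src[4],
                        const uint8_t dst[4], uint8_t ttl, uint8_t *out, size_t cap)
{
    if (inner_len < 20 || (inner[0] >> 4) != 4) return 0;
    size_t inner_total = ((size_t)inner[2] << 8) | inner[3];
    if (inner_total != inner_len) return 0;           /* length field must match the data */
    size_t total = 20 + inner_len;
    if (total > 65535 || cap < total) return 0;
    uint8_t *o = out;
    memset(o, 0, 20);
    o[0] = 0x45;                                      /* version 4, IHL 5 */
    o[2] = (uint8_t)(total >> 8); o[3] = (uint8_t)total;
    o[8] = ttl;
    o[9] = IPPROTO_IPIP_NUM;
    memcpy(o + 12, src, 4); memcpy(o + 16, dst, 4);
    uint16_t ck = ipv4_checksum(o, 20);
    o[10] = (uint8_t)(ck >> 8); o[11] = (uint8_t)ck;
    memcpy(o + 20, inner, inner_len);
    return total;
}

/* Receiving side: verify the outer header is IPv4, protocol 4 and checksum-clean, then
 * return a pointer to the inner packet and its length, or NULL on any failure. */
const uint8_t *ipip_decapsulate(const uint8_t *outer, size_t outer_len, size_t *inner_len)
{
    if (outer_len < 40 || (outer[0] >> 4) != 4) return NULL;
    size_t ihl = (outer[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > outer_len) return NULL;
    if (outer[9] != IPPROTO_IPIP_NUM) return NULL;
    if (ipv4_checksum(outer, ihl) != 0) return NULL;  /* valid header sums to zero */
    size_t total = ((size_t)outer[2] << 8) | outer[3];
    if (total > outer_len || total < ihl + 20) return NULL;
    *inner_len = total - ihl;
    return outer + ihl;
}

/* Constructed sample inner packet: IPv4/UDP 192.168.1.10:10000 -> 192.168.1.20:1234
 * with a 12-byte payload, 40 bytes in total. */
size_t build_sample_inner_packet(uint8_t *buf)
{
    static const uint8_t payload[] = "anomaly-evt";        /* 11 chars + NUL = 12 bytes */
    size_t total = 20 + 8 + sizeof payload;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 17;                                 /* TTL 64, protocol UDP */
    memcpy(buf + 12, "\xc0\xa8\x01\x0a", 4); memcpy(buf + 16, "\xc0\xa8\x01\x14", 4);
    uint16_t ck = ipv4_checksum(buf, 20);
    buf[10] = (uint8_t)(ck >> 8); buf[11] = (uint8_t)ck;
    buf[20] = 0x27; buf[21] = 0x10; buf[22] = 0x04; buf[23] = 0xd2; /* ports */
    buf[24] = 0; buf[25] = (uint8_t)(8 + sizeof payload);          /* UDP length */
    memcpy(buf + 28, payload, sizeof payload);
    return total;
}

int main(void)
{
    uint8_t inner[64], outer[128];
    const uint8_t src[4] = { 10, 0, 0, 1 }, dst[4] = { 10, 0, 0, 2 };  /* constructed endpoints */
    size_t n = build_sample_inner_packet(inner);
    size_t m = ipip_encapsulate(inner, n, src, dst, 64, outer, sizeof outer);
    printf("outer packet: %zu bytes, outer header:", m);
    for (size_t i = 0; i < 20 && i < m; i++) printf(" %02x", outer[i]);
    printf("\n");
    return m ? 0 : 1;
}
```

The decapsulation side deliberately rejects anything that is not protocol 4 with a valid header checksum and a consistent total length: an analysis device that accepts tunnelled traffic from a sensor should drop malformed outer packets before it spends analysis effort on their contents.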
Corresponding to the foregoing embodiments of the anomaly detection method based on abnormal application-layer packets, the application also provides embodiments of an anomaly detection apparatus based on abnormal application-layer packets.
The embodiment of the anomaly detection apparatus based on abnormal application-layer packets can be applied in an anomaly detection device. The apparatus embodiment can be implemented by software, by hardware, or by a combination of software and hardware. Taking software implementation as an example, the apparatus in a logical sense is formed by the processor of the anomaly detection device in which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 3 shows a hardware structure diagram of the anomaly detection device in which the apparatus resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 3, the anomaly detection device may also include other hardware according to its actual functions, which is not described further here.
Referring to Fig. 4, Fig. 4 is a block diagram of an anomaly detection apparatus based on abnormal application-layer packets shown in an exemplary embodiment of the application. The apparatus includes a creating unit 410, a first storage unit 420 and an access unit 430.
The creating unit 410 is used to create, in the kernel, a shared memory accessible to a user-mode process, where the shared memory is used to store abnormal application-layer packets;
the first storage unit 420 is used by the kernel-mode process to store the collected abnormal application-layer packets that satisfy the preset condition into the shared memory;
the access unit 430 is used by the user-mode process to access, based on the physical address of the shared memory, the abnormal application-layer packets stored in the shared memory and perform anomaly detection analysis.
In another optional implementation, the creating unit 410 includes:
an applying subunit, used to apply in the kernel for physical memory for storing abnormal application-layer packets;
a sending subunit, used by the kernel-mode process to send the address information of the physical memory to the user-mode process;
an establishing subunit, used by the user-mode process to establish, based on the address information, a mapping between the physical address of the physical memory and a logical address in the logical address space of the user-mode process.
In another optional implementation, the access unit 430 includes:
a searching subunit, used by the user-mode process to search, based on the mapping relationship, for the physical address of the shared memory corresponding to the logical address;
an access subunit, used by the user-mode process to access, based on the physical address, the abnormal application-layer packets stored in the shared memory.
In another optional implementation, the apparatus also includes (not shown in Fig. 4):
an encapsulation unit, used by the kernel-mode process to tunnel-encapsulate the collected abnormal application-layer packets when the anomaly detection analysis resources of the local system are insufficient, or when an access request for abnormal application-layer packets sent by the designated anomaly-detection analysis device is received;
a transmitting unit, used by the kernel-mode process to send the tunnel-encapsulated abnormal application-layer packets to the designated anomaly-detection analysis device, so that the designated device analyzes them.
In another optional implementation, the apparatus also includes (not shown in Fig. 4):
a second storage unit, used by the user-mode process to store the accessed abnormal application-layer packets locally in pcap file format.
For the functions of the units in the apparatus and the process by which they take effect, refer to the implementation of the corresponding steps in the method described above; they are not repeated here.
Since the apparatus embodiment essentially corresponds to the method embodiment, the relevant parts may refer to the description of the method embodiment. The apparatus embodiment described above is only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is only a preferred embodiment of the application and does not limit the application; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (10)

1. An anomaly detection method based on abnormal application-layer packets, characterized in that the method is applied to an anomaly detection device and includes:
creating, in the kernel, a shared memory accessible to a user-mode process, where the shared memory is used to store abnormal application-layer packets;
the kernel-mode process storing the collected abnormal application-layer packets that satisfy a preset condition into the shared memory;
the user-mode process accessing, based on the physical address of the shared memory, the abnormal application-layer packets stored in the shared memory and performing anomaly detection analysis.
2. The method according to claim 1, characterized in that creating, in the kernel, a shared memory accessible to a user-mode process includes:
applying in the kernel for physical memory for storing abnormal application-layer packets;
the kernel-mode process sending the address information of the physical memory to the user-mode process;
the user-mode process establishing, based on the address information, a mapping between the physical address of the physical memory and a logical address in the logical address space of the user-mode process.
3. The method according to claim 2, characterized in that the user-mode process accessing, based on the physical address of the shared memory, the abnormal application-layer packets stored in the shared memory includes:
the user-mode process searching, based on the mapping relationship, for the physical address of the shared memory corresponding to the logical address;
the user-mode process accessing, based on the physical address, the abnormal application-layer packets stored in the shared memory.
4. The method according to claim 1, characterized in that the method further includes:
when the anomaly detection analysis resources of the local system are insufficient, or when an access request for abnormal application-layer packets sent by a designated anomaly-detection analysis device is received, the kernel-mode process tunnel-encapsulating the collected abnormal application-layer packets;
the kernel-mode process sending the tunnel-encapsulated abnormal application-layer packets to the designated anomaly-detection analysis device, so that the designated device analyzes them.
5. The method according to claim 1, characterized in that it further includes:
the user-mode process storing the accessed abnormal application-layer packets locally in pcap file format.
6. An anomaly detection apparatus based on abnormal application-layer packets, characterized in that the apparatus includes:
a creating unit, used to create, in the kernel, a shared memory accessible to a user-mode process, where the shared memory is used to store abnormal application-layer packets;
a first storage unit, used by the kernel-mode process to store the collected abnormal application-layer packets that satisfy a preset condition into the shared memory;
an access unit, used by the user-mode process to access, based on the physical address of the shared memory, the abnormal application-layer packets stored in the shared memory and perform anomaly detection analysis.
7. The apparatus according to claim 6, characterized in that the creating unit includes:
an applying subunit, used to apply in the kernel for physical memory for storing abnormal application-layer packets;
a sending subunit, used by the kernel-mode process to send the address information of the physical memory to the user-mode process;
an establishing subunit, used by the user-mode process to establish, based on the address information, a mapping between the physical address of the physical memory and a logical address in the logical address space of the user-mode process.
8. The apparatus according to claim 7, characterized in that the access unit includes:
a searching subunit, used by the user-mode process to search, based on the mapping relationship, for the physical address of the shared memory corresponding to the logical address;
an access subunit, used by the user-mode process to access, based on the physical address, the abnormal application-layer packets stored in the shared memory.
9. The apparatus according to claim 6, characterized in that the apparatus further includes:
an encapsulation unit, used by the kernel-mode process to tunnel-encapsulate the collected abnormal application-layer packets when the anomaly detection analysis resources of the local system are insufficient, or when an access request for abnormal application-layer packets sent by a designated anomaly-detection analysis device is received;
a transmitting unit, used by the kernel-mode process to send the tunnel-encapsulated abnormal application-layer packets to the designated anomaly-detection analysis device, so that the designated device analyzes them.
10. The apparatus according to claim 6, characterized in that the apparatus further includes:
a second storage unit, used by the user-mode process to store the accessed abnormal application-layer packets locally in pcap file format.
CN201610658106.XA 2016-08-11 2016-08-11 Method for detecting abnormality and device based on application layer Network Abnormal message Pending CN107733837A (en)

Publications (1)

Publication Number Publication Date
CN107733837A true CN107733837A (en) 2018-02-23

Family

ID=61199656

US10476747B1 (en) Loading a flow tracking autolearning match table
CN107086960A (en) A kind of message transmitting method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20180223