CN108092948B - Network attack mode identification method and device - Google Patents

Network attack mode identification method and device Download PDF

Info

Publication number
CN108092948B
CN108092948B CN201611062203.9A CN201611062203A CN108092948B CN 108092948 B CN108092948 B CN 108092948B CN 201611062203 A CN201611062203 A CN 201611062203A CN 108092948 B CN108092948 B CN 108092948B
Authority
CN
China
Prior art keywords
attack
network
attack behavior
behavior
value set
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611062203.9A
Other languages
Chinese (zh)
Other versions
CN108092948A (en
Inventor
姚子健
熊胜
吴勤华
杨晶蕾
田纪军
朱尧
程琨
吴人超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Hubei Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201611062203.9A priority Critical patent/CN108092948B/en
Publication of CN108092948A publication Critical patent/CN108092948A/en
Application granted granted Critical
Publication of CN108092948B publication Critical patent/CN108092948B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a device for identifying a network attack mode, relates to the technical field of communication, and can solve the problem of network attack under report. The network attack mode identification method comprises the following steps: acquiring log information of a service system to be tested and network flow forwarded to a high-interaction honeypot by a low-interaction honeypot preset in the service system to be tested; acquiring attack behavior characteristics from network flow and log information of a service system to be tested; judging whether the attack behavior characteristics accord with preset normal behavior conditions or not, and obtaining an attack behavior characteristic value set according to a judgment result; calculating the similarity between the attack behavior characteristic value set and the preset characteristic value sets of a plurality of known attack modes; and acquiring an attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity to the attack behavior characteristic value set as the attack mode of the attack behavior characteristic value set.

Description

Network attack mode identification method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for identifying a network attack mode.
Background
With the increasing importance of network applications in people's learning, work and life, in order to steal user information or destroy a network, a hacker may launch a network attack on the network, such as a 0day attack that attacks using a vulnerability without a patch in the network, or an APT (Advanced Persistent Threat) attack that attacks a specific target using an Advanced attack means for a long-term Persistent network attack, and the like.
In order to detect and identify various attack modes of network attacks of hackers, data is generally captured at a network boundary through a traditional boundary security gateway device, captured data is matched with data of an attack model of a database in a public cloud, the attack mode which can be matched with the captured data is arranged in the database of the public cloud and is used as the attack mode of the network attacks corresponding to the captured data, and the attack mode of the network attacks is identified. However, for captured data that cannot be matched with the attack model of the database in the public cloud, the attack mode of the network attack corresponding to the captured data cannot be identified, so that the situation that the network attack is missed is generated, and the security of the network is reduced.
Disclosure of Invention
The embodiment of the invention provides a method and a device for identifying a network attack mode, which can avoid the situation of network attack missing report and improve the security of a network.
In a first aspect, an embodiment of the present invention provides a method for identifying a network attack mode, including: acquiring log information of a service system to be tested and network flow forwarded to a high-interaction honeypot by a low-interaction honeypot preset in the service system to be tested; acquiring attack behavior characteristics from network flow and log information of a service system to be tested; judging whether the attack behavior characteristics accord with preset normal behavior conditions or not, and obtaining an attack behavior characteristic value set according to a judgment result, wherein the attack behavior characteristic value set comprises at least one attack behavior characteristic value; calculating the similarity between the characteristic value set of the attack behavior and the characteristic value set of a plurality of known attack modes; and acquiring an attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity to the attack behavior characteristic value set as the attack mode of the attack behavior characteristic value set.
With reference to the first aspect, in a first possibility of the first aspect, the log information of the service system to be tested includes log information of the high-interaction honeypot.
With reference to the first aspect, in a second possibility of the first aspect, the log information of the service system to be tested includes log information of a high-interaction honeypot and an alarm log of a network boundary safety protection device in a network where the service system to be tested is located.
With reference to the first aspect, in a third possibility of the first aspect, the method for identifying a network attack mode further includes: and generating a corresponding safety protection strategy according to the attack mode of the attack behavior characteristic value set.
With reference to the third possibility of the first aspect, in a fourth possibility of the first aspect, after the step of generating the corresponding security protection policy according to the attack mode of the attack behavior feature value set, the method further includes: and issuing the generated security protection strategy to network boundary security protection equipment, and/or sharing the generated security protection strategy in a network where the service system to be tested is located.
With reference to the first aspect, in a fifth possibility of the first aspect, the method for identifying a network attack mode further includes: constructing a virtual host by using a low-interaction honeypot, wherein the IP address of the network protocol of the virtual host is consistent with the IP address of a real host in a service system to be tested; rewriting a bug simulation code in the virtual host to patch a bug in the virtual host; and importing the network flow received by the service system to be tested into the virtual host with the repaired bugs.
With reference to the first aspect, in a sixth possibility of the first aspect, the step of determining whether the attack behavior feature conforms to a preset normal behavior condition, and obtaining an attack behavior feature value set according to a determination result includes: judging whether the attack behavior characteristics accord with preset normal behavior conditions or not; assigning the value of the attack behavior characteristic which accords with the preset normal behavior condition as a first value; assigning the value of the attack behavior characteristic which does not meet the preset normal behavior condition as a second value; and combining the value of the attack behavior characteristic assigned as the first value and/or the value of the attack behavior characteristic assigned as the second value into an attack behavior characteristic value set.
With reference to the sixth possibility of the first aspect, in a seventh possibility of the first aspect, before the step of determining whether the attack behavior feature meets a preset normal behavior condition, for any one of the attack behavior features, the method further includes: acquiring the attack behavior characteristics for multiple times to obtain multiple attack behavior characteristic acquisition values; calculating the average value and standard error of a plurality of attack behavior characteristic acquisition values; calculating the product of the standard error and a preset correction parameter as a correction standard error; the range of the standard error of the floating correction on the basis of the average value was calculated as a normal behavior condition.
With reference to the first aspect, in an eighth possibility of the first aspect, the step of calculating the similarity between the set of attack behavior feature values and the set of feature values of a plurality of known attack patterns includes: calculating Euclidean distances between the attack behavior characteristic value set and each set in the characteristic value set of the known attack mode; and wherein, obtain the attack pattern corresponding to characteristic value set of the known attack pattern with the highest degree of similarity of characteristic value set of the attack behavior, as the attack pattern of the characteristic value set of the attack behavior, include: and acquiring an attack mode corresponding to the characteristic value set of the known attack mode with the minimum Euclidean distance to the attack behavior characteristic value set as the attack mode of the attack behavior characteristic value set.
With reference to the first aspect, in a ninth possibility of the first aspect, the network protocol IP address of the low interaction honeypot is the same as the IP address of the high interaction honeypot.
In a second aspect, an embodiment of the present invention provides an apparatus for identifying a network attack mode, including: the log acquisition module is configured to acquire log information of the service system to be tested and network flow forwarded to the high-interaction honeypot by a preset low-interaction honeypot in the service system to be tested; the characteristic acquisition module is configured to acquire attack behavior characteristics from network flow and log information of a service system to be detected; the system comprises a set acquisition module, a judgment module and a processing module, wherein the set acquisition module is configured to judge whether the attack behavior characteristics accord with a preset normal behavior condition or not, and obtain an attack behavior characteristic value set according to a judgment result, and the attack behavior characteristic value set comprises at least one value of the attack behavior characteristics; a calculation module configured to calculate similarities of the set of attack behavior feature values to a set of feature values of a plurality of known attack patterns; and the analysis module is configured to acquire an attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity to the attack behavior characteristic value set as the attack mode of the attack behavior characteristic value set.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the log information of the service system to be tested includes log information of the high-interaction honeypot.
With reference to the second aspect, in a second possible scenario of the second aspect, the log information of the service system to be tested includes log information of the high-interaction honeypot and an alarm log of the network boundary safety protection device in the network where the service system to be tested is located.
With reference to the second aspect, in a third possibility of the second aspect, the apparatus for identifying a network attack mode further includes: and the strategy generation module is configured to generate a corresponding security protection strategy according to the attack mode of the attack behavior characteristic value set.
With reference to the third possibility of the second aspect, in a fourth possibility of the second aspect, the apparatus for identifying a network attack mode further includes: the policy issuing module is configured to issue the generated security protection policy to the network boundary security protection device, and/or the policy sharing module is configured to share the generated security protection policy in a network where the service system to be tested is located.
With reference to the second aspect, in a fifth possibility of the second aspect, the apparatus for identifying a network attack mode further includes: the virtual host constructing module is configured to utilize the low-interaction honeypot to construct a virtual host, and the IP address of the network protocol of the virtual host is consistent with the IP address of the real host in the service system to be tested; the bug fixing module is configured to rewrite bug simulation codes in the virtual host machine so as to fix bugs in the virtual host machine; and the flow import module is configured to import the network flow received by the service system to be tested into the virtual host with the repaired bug.
With reference to the second aspect, in a sixth possibility of the second aspect, the set acquisition module is configured to: judging whether the attack behavior characteristics accord with preset normal behavior conditions or not; assigning the value of the attack behavior characteristic which accords with the preset normal behavior condition as a first value; assigning the value of the attack behavior characteristic which does not meet the preset normal behavior condition as a second value; and combining the value of the attack behavior characteristic assigned as the first value and/or the value of the attack behavior characteristic assigned as the second value into an attack behavior characteristic value set.
With reference to the sixth possibility of the second aspect, in a seventh possibility of the second aspect, the apparatus for identifying a network attack mode further includes a condition setting module, where the condition setting module is configured to: acquiring the attack behavior characteristics for multiple times to obtain multiple attack behavior characteristic acquisition values; calculating the average value and standard error of a plurality of attack behavior characteristic acquisition values; calculating the product of the standard error and a preset correction parameter as a correction standard error; the range of the standard error of the floating correction on the basis of the average value was calculated as a normal behavior condition.
With reference to the second aspect, in an eighth possibility of the second aspect, the calculation module is specifically configured to calculate euclidean distances of the set of eigenvalues of attack behavior from each of the set of eigenvalues of known attack patterns; the analysis module is specifically configured to acquire an attack mode corresponding to the characteristic value set of the known attack mode with the smallest Euclidean distance to the characteristic value set of the attack behavior as the attack mode of the characteristic value set of the attack behavior.
In a ninth possibility of the second aspect in combination with the second aspect, the network protocol IP address of the low interaction honeypot is the same as the IP address of the high interaction honeypot.
The method and the device for identifying the network attack mode provided by the embodiment of the invention can extract the attack behavior characteristics from the log information and the network flow of the service system to be tested, judge whether the attack behavior characteristics accord with the preset normal behavior condition or not, obtain the attack behavior characteristic value set according to the judgment structure, and judge the attack mode of the attack behavior characteristic value by calculating the similarity between the attack behavior characteristic value set and the characteristic value sets of a plurality of known attack modes. And taking the attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity with the characteristic value set of the attack behavior as the attack mode of the characteristic value set of the attack behavior. Aiming at the network attack received by the service system to be tested, the closest attack mode can be found according to the attack behavior characteristics of the network attack, and the condition that no matched attack mode exists in a public cloud database in the prior art can not occur, so that the unknown attack mode can be identified, the condition that the network attack is not reported is avoided, and the safety of the network is improved.
Drawings
The present invention will be better understood from the following description of specific embodiments thereof taken in conjunction with the accompanying drawings, in which like or similar reference characters designate like or similar features.
Fig. 1 is a flowchart of a network attack pattern recognition method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method for identifying patterns of cyber attacks in another embodiment of the present invention;
FIG. 3 is a flowchart of a method for identifying patterns of network attacks in accordance with another embodiment of the present invention;
fig. 4 is a schematic structural diagram of an apparatus for identifying a network attack mode according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for identifying patterns of cyber attacks according to another embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an apparatus for identifying patterns of cyber attacks according to another embodiment of the present invention;
fig. 7 is a schematic structural diagram of an apparatus for identifying a network attack pattern according to still another embodiment of the present invention.
Detailed Description
Features and exemplary embodiments of various aspects of the present invention will be described in detail below. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention. The present invention is in no way limited to any specific configuration and algorithm set forth below, but rather covers any modification, replacement or improvement of elements, components or algorithms without departing from the spirit of the invention. In the drawings and the following description, well-known structures and techniques are not shown in order to avoid unnecessarily obscuring the present invention.
Fig. 1 is a flowchart of a network attack pattern recognition method according to an embodiment of the present invention. As shown in fig. 1, the method for identifying a network attack pattern of the present embodiment includes steps 101 to 105.
In step 101, log information of the service system to be tested and network traffic forwarded to the high-interaction honeypot by the low-interaction honeypot preset in the service system to be tested are obtained.
The network attack mentioned in the embodiment of the invention can be a true network attack, and can also be a suspected network attack and other threats which may cause damage to the network. At least one service system exists in the network, and each service system can simulate a low-interaction honeypot, such as a honeypot of honeypot. Because the low-interaction honeypots occupy extremely low host resources, a plurality of low-interaction honeypots can be simulated in one service system, and particularly, a plurality of low-interaction honeypots of different operating systems can be simulated. Such as: different low-interaction honeypots respectively support windows, linux, solaris and other operating systems. The low-interaction honeypot can use the true IP (Internet Protocol) address of the idle state in the network segment occupied by the service system. In order to improve the reality degree of the virtual host simulated by the low-interaction honeypot, various services with security holes can be virtualized for the low-interaction honeypot, so that the network attack of a network intruder is attracted. The low-interaction honeypot can only simulate simple fingerprint information of network connection and banner information (title information) of various services, and the high-interaction honeypot can capture more and more detailed network intrusion information and extract attack characteristics from the network intrusion information. Therefore, the low-interaction honeypot can forward the received network traffic to the high-interaction honeypot so as to collect and analyze various attack behaviors of the network intruder. The high-interaction honeypot may also be referred to as a physical honeypot. Specifically, policy Routing may be combined with GRE (Generic Routing Encapsulation) channel technology, so that the IP address of the low-interaction honeypot is the same as the IP address of the high-interaction honeypot, and thus, network traffic sent to the low-interaction honeypot is forwarded to the high-interaction honeypot.
The network traffic received by the low-interaction honeypot may include operational information of unauthorized users. The service system to be tested can perform baseline modeling for the high-interaction honeypot, and specific information in system log information of the service to be tested can be acquired from a user baseline, a port baseline, a process baseline, a service baseline, a key file, a network flow baseline and the like. Specifically, the log information of the service system to be tested may include log information of the high-interaction honeypot, and may further include an alarm log of the network boundary safety protection device in the network where the service system to be tested is located.
In step 102, attack behavior characteristics are obtained from the network traffic and log information of the service system to be tested.
According to the network flow and the log information of the service system to be tested, whether the service system has the behaviors of adding and deleting account numbers, port, process, service starting or abnormal behaviors, key file modification, abnormal external connection and the like can be judged. The log information of the service system to be tested contains the timestamp information of the log, and the network flow and the alarm log of the network boundary safety protection equipment can be collected through a data capture tool, namely sebek. The network boundary security device may include a Firewall, IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), WAF (Web Application security), traffic cleaning device, and the like.
The attack behavior characteristics can be obtained from the received network traffic (which can be detected by an intrusion detection system snort and recorded by a sebek data capture tool) and the log information of the service system to be detected. Specifically, one or more of excessive outbound traffic (abbreviated as EOT), excessive inbound traffic (abbreviated as EIT), non-working time login (abbreviated as LI), firewall acceptance (abbreviated as FWA), firewall rejection (abbreviated as FWD), intranet login (abbreviated as LOIN), continuous multiple login failure (abbreviated as MFL), at least 1 successful login (abbreviated as SL), single-source exploration of multiple target IPs (abbreviated as SSPMD), single-source exploration of multiple target IPs and ports (abbreviated as SSPMDP), new account (abbreviated as MU), file operation (abbreviated as MF), process operation (abbreviated as MP), and port operation (abbreviated as PP) can be obtained.
In step 103, it is determined whether the attack behavior characteristics meet a preset normal behavior condition, and an attack behavior characteristic value set is obtained according to the determination result.
Wherein different values are possible for one attack behavior feature. For example, the attack behavior is characterized by excessive outbound traffic, if the outbound traffic does not meet the preset normal behavior condition, the value of the excessive outbound traffic may be recorded as yes or 1, and if the outbound traffic meets the preset normal behavior condition, the value of the excessive outbound traffic may not be recorded as no or 0. At least one attack behavior characteristic can be obtained from the log information of the network flow and the service system to be tested, and an attack behavior characteristic value set consisting of values of the attack behavior characteristic can be obtained according to the obtained at least one attack behavior characteristic, wherein the attack behavior characteristic value set comprises the values of the at least one attack behavior characteristic. For example, the attack behavior feature is excessive outbound traffic, excessive inbound traffic, non-working time login, firewall acceptance, firewall denial, intranet login, failure of continuous multiple login, successful login for at least 1 time, probing of multiple target IPs by a single source, probing of multiple target IPs and ports by a single source, new account, file operation, process operation, and port operation, where when excessive inbound traffic, intranet login, failure of continuous multiple login, and successful login for at least 1 time occur, the corresponding attack behavior feature value set is { no, yes, no, no, yes, yes, no, no, no, no, yes, yes, no, no, no } or {0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0 }.
In step 104, a similarity is calculated between the set of eigenvalues of the attack behavior and the set of eigenvalues of the plurality of known attack patterns.
The method comprises the steps of setting a plurality of characteristic value sets of known attack modes in advance in a network where a service system to be tested is located, wherein the characteristic value set of each known attack mode corresponds to one attack mode, searching the characteristic value set of the known attack mode most similar to the characteristic value set of the attack behavior through the similarity between the characteristic value set of the attack behavior obtained through calculation and the characteristic value set of each known attack mode, and taking the attack mode corresponding to the characteristic value set of the most similar known attack mode as the attack mode of the characteristic value set of the attack behavior.
The similarity may be calculated by using a euclidean distance, that is, the similarity between the attack behavior feature value set and each set of the feature value set of the known attack pattern may be calculated by calculating a euclidean distance between the attack behavior feature value set and each set of the feature value set of the known attack pattern, and a smaller euclidean distance indicates a higher similarity. Specifically, the euclidean distance can be calculated using the following formula (1).
Figure BDA0001159676620000081
Wherein s iseIs Euclidean distance, i is a positive integer, n is the number of values of the attack behavior characteristics in the attack behavior characteristic value set, piFor the i element in the unknown attack behavior characteristic value set aiming at a certain IP address in a period of time, qiIs the i-th element in the set of eigenvalues of the known attack pattern. It should be noted that other methods for calculating the similarity are also applicable to the embodiment of the present invention, and also fall within the scope of the embodiment of the present invention.
In step 105, the attack pattern corresponding to the feature value set of the known attack pattern with the highest similarity to the attack behavior feature value set is obtained as the attack pattern of the attack behavior feature value set.
If the Euclidean distance is used for representing the similarity, acquiring an attack mode corresponding to the characteristic value set of the known attack mode with the minimum Euclidean distance of the attack behavior characteristic value set as the attack mode of the attack behavior characteristic value set.
For example, the feature value set of the known attack pattern is shown in table one, the attack behavior feature value set of the unknown network attack is shown in table two, wherein yes in the attack behavior feature value set and the feature value set of the known attack pattern is shown by Y, no is shown by N, through similarity calculation, it can be known that the attack pattern corresponding to the attack behavior feature value set 1 in table two is a possible brute force cracking login in table one, the attack pattern corresponding to the attack behavior feature value set 2 in table two is a port scan in table one, the attack pattern corresponding to the attack behavior feature value set 3 in table two is a malware installation in table one, and the attack pattern corresponding to the attack behavior feature value set 4 in table two is a possible penetration attack in table one. Thereby identifying the attack pattern of the unknown network attack.
Watch 1
Figure BDA0001159676620000091
Watch two
Figure BDA0001159676620000092
Figure BDA0001159676620000101
The network attack mode identification method provided by the embodiment of the invention can extract attack behavior characteristics from log information and network flow of a service system to be tested, judge whether the attack behavior characteristics meet preset normal behavior conditions or not, obtain attack behavior characteristic value sets according to the judgment result, and judge the attack mode of the attack behavior characteristic values by calculating the similarity of the attack behavior characteristic value sets and the characteristic value sets of a plurality of known attack modes. And taking the attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity with the characteristic value set of the attack behavior as the attack mode of the characteristic value set of the attack behavior. Aiming at the network attack received by the service system to be tested, the closest attack mode can be found according to the attack behavior characteristics of the network attack, and the condition that no matched attack mode exists in a public cloud database in the prior art can not occur, so that the unknown attack mode can be identified, the condition that the network attack is not reported is avoided, and the safety of the network is improved.
Fig. 2 is a flowchart of a network attack pattern recognition method in another embodiment of the present invention, and steps 101 to 105 in fig. 2 are substantially the same as steps 101 to 105 in fig. 1. The difference is that the network attack pattern recognition method shown in fig. 2 may further include steps 106 to 108.
In step 106, a corresponding security protection policy is generated according to the attack mode of the attack behavior feature value set.
Wherein different security protection policies can be generated for different attack modes. For example, a firewall policy may be generated, and a temporary security policy is generally used for the security policy issued by the firewall, such as blocking of remote vulnerability scanning attack, blocking of password guessing and cracking attack, and unauthorized remote management access. The source IP address does not change in a large range, the access from a certain source IP address to the destination IP address is closed in a short time, and the service system to be tested is not influenced too much. The specific format of the security protection policy issued to the firewall may be Sip + Sport + Dip + Dport + (permit, deny), where Sip refers to a source IP address, Sport refers to a source port, Dip refers to a destination IP address, Dport refers to a destination port, permit refers to permission of communication, and deny refers to non-permission of communication.
For another example, an IDS policy may be generated, and a security policy issued by the IDS device, which is generally a remote overflow attack protection policy, may be automatically associated with a CVE (Common Vulnerabilities & exposition) vulnerability library after an attack in network traffic is identified, so that when the security policy of the IDS is issued to an existing IDS device in a network, the IDS device needs to issue a CVE number of the attack vulnerability to the IDS device, and invoke a corresponding security policy to perform protection. The specific format of the security protection policy issued to the IDS device may be Sip + Sport + Dip + Dport + (vulnerability number), where Sip refers to the source IP address, Sport refers to the source port, Dip refers to the destination IP address, and Dport refers to the destination port.
For another example, a traffic cleaning device policy may be generated, and for a security policy issued by the traffic cleaning device, the security policy is generally a security policy of DDOS (Distributed Denial of Service) traffic attack class, and after a network attack in the network traffic is identified, the types of the network attack, including syn-flood, udp-flood, ack-flood, etc., may be automatically distinguished, so that when the security policy is issued to an existing traffic cleaning device in the network, the attack types need to be issued to the traffic cleaning device together, and the traffic cleaning device invokes a corresponding security policy for protection. The specific format of the security protection policy issued to the flow cleaning device may be Sip + Sport + Dip + Dport + (attack type), where Sip refers to the source IP address, Sport refers to the source port, Dip refers to the destination IP address, and Dport refers to the destination port.
Some special-purpose security devices also exist in the network, such as an attack protection System deployed at the front end of a Domain Name System (DNS) and a WAF device deployed at the front end of a portal, which can provide detailed attack behavior characteristics and receive security protection policy adjustment instructions of maintenance personnel.
In step 107, the generated security policy is issued to the network boundary security protection device.
And issuing the security protection strategy to the network boundary security protection equipment to realize the deep defense against unknown network attacks. Specifically, the generated safety protection policy may be issued to the terminal device of the maintenance staff in the form of a work order. It should be noted that, the terminal device of the maintenance staff may also receive a policy adjustment instruction input by the maintenance staff, so as to adjust the security protection policy.
In step 108, the generated security protection policy is shared in the network where the service system to be tested is located.
After the corresponding security protection strategy is generated, the security protection strategy can be shared in the network where the service system to be tested is located, so that other service systems in the network can also acquire the generated security protection strategy, thereby realizing multi-path blocking of network attack and improving the network attack early warning and protection capability of the whole network. After step 106, only step 107 may be executed, only step 108 may be executed, and step 107 and step 108 may also be executed. If step 107 and step 108 are executed after step 106, the execution sequence of step 107 and step 108 is not limited herein.
Fig. 3 is a flowchart of a network attack pattern recognition method according to another embodiment of the present invention, and steps 101 to 105 in fig. 3 are substantially the same as steps 101 to 105 in fig. 1. The difference is that the network attack pattern recognition method shown in fig. 3 may further include steps 109 to 111.
In step 109, a virtual host is built using the low interaction honeypot.
And the IP address of the virtual host is consistent with the IP address of the real host in the service system to be tested. The vulnerability of the real host can be simulated into the virtual host, so that the virtual host and the real host have the same vulnerability. The authenticity of the virtual host is ensured by utilizing the functions of TCP/IP (Transmission Control Protocol/Internet Protocol ) fingerprint simulation of the low-interaction honeypot and operating system fingerprint simulation.
In step 110, the bug simulation code in the virtual host is rewritten to fix the bug in the virtual host.
And rewriting vulnerability simulation codes in the virtual host to ensure that the virtualized virtual host and the application on the virtual host finish the repair of all the vulnerabilities.
In step 111, the network traffic received by the service system to be tested is led into the virtual host with the repaired bug.
Specifically, the policy routing function can be utilized to introduce network traffic destined for the real host into the virtual host, and the network traffic may contain network attack traffic, so that the virtual patch function of the real host is realized, various vulnerabilities are effectively hidden, and the security of the service system is improved. Through the virtual patch function, whether the patching of the vulnerability is proper or not can be detected, and the network security of the real host computer cannot be endangered.
It should be noted that, in the embodiment of the present invention, the execution timing relationship between steps 109-111 and steps 101-105 is not limited, but only one of the execution timing relationships between steps 109-111 and steps 101-105 is shown in fig. 3, and other possible execution timing relationships between steps 109-111 and steps 101-105 also fall within the scope of the embodiment of the present invention.
It should be noted that the content of step 103 in the above embodiment may be specifically detailed as the content of steps 1031 to 1034.
In step 1031, it is determined whether the attack behavior characteristics meet the preset normal behavior conditions.
The network of the service system to be tested is preset with a normal behavior condition, wherein the normal behavior condition is a judgment condition for judging whether the attack behavior characteristic possibly belongs to network attack.
In step 1032, the value of the attack behavior feature that meets the preset normal behavior condition is assigned as a first value.
In step 1033, the value of the attack behavior feature that does not meet the preset normal behavior condition is assigned as a second value.
Wherein the first value is different from the second value. The first value and the second value may be characters such as numbers, letters, symbols, and the like, and are not limited herein. If the similarity is represented by using a calculation method with specific numerical values such as the Euclidean distance, the first value and the second value are set to be better numbers, so that the calculation of the Euclidean distance is facilitated.
In step 1034, the values assigned to the attack behavior features of the first value and/or the values assigned to the attack behavior features of the second value are combined into an attack behavior feature value set.
If the attack behavior characteristic accords with the preset normal behavior condition, assigning the value of the attack behavior characteristic as a first value, and if the attack behavior characteristic does not accord with the preset normal behavior condition, assigning the value of the attack behavior characteristic as a second value, thereby obtaining the attack behavior characteristic value set. For example, the attack behavior feature is excessive outbound traffic, excessive inbound traffic, non-working time login, firewall acceptance, firewall rejection, intranet login, multiple login failures in succession, successful login for at least 1 time, probing multiple target IPs by a single source, probing multiple target IPs and ports by a single source, creating an account, file operation, process operation, and port operation, wherein the excessive inbound traffic, intranet login, multiple login failures in succession, and successful login for at least 1 time do not meet the preset normal behavior condition, the attack behavior feature other than the excessive inbound traffic, intranet login, multiple login failures in succession, and successful login for at least 1 time meets the preset normal behavior condition, the first value is set to 0, the second value is set to 1, and the corresponding attack behavior feature value set is {0, 1, 0, 0, 0, 1, 1,1,0,0,0,0,0,0}.
It should be further noted that before determining whether the attack features meet the preset abnormal conditions, normal behavior conditions may be set, and the normal behavior conditions may be set by using a machine learning method, and the step of setting the normal behavior conditions may include steps 1035 to 1038.
In step 1035, the attack behavior signature is collected multiple times, resulting in multiple collected values of the attack behavior signature. Specifically, attack behavior characteristics may be periodically collected over a period of time.
In step 1036, an average and standard error of the collected values of the plurality of attack behavior features are calculated.
In step 1037, a product of the standard error and a preset correction parameter is calculated as a corrected standard error.
In step 1038, a range of the floating correction standard error on the basis of the average is calculated as a normal behavior condition.
For example, the attack features obtained from the log information of the service system to be tested are sampled within a period of time, for example, within 4-6 weeks, and specifically, a plurality of attack feature acquisition values can be obtained by adopting periodic sampling. According to the acquired multiple attack characteristic acquisition values, the average value, the standard deviation and the standard error of the attack characteristic acquisition values can be calculated. In order to enable the judgment of the network attack under the later set normal behavior condition to be more accurate, correction parameters are introduced, and the correction parameters can be obtained through calculation according to the confidence coefficient. And obtaining a corrected standard error by using the standard error and the correction parameter, thereby obtaining a normal behavior condition according to the average value and the corrected standard error.
The following description will be given taking an example of excessive outbound traffic. And acquiring the outbound flow for N times in a period of time to obtain N outbound flow acquisition values. And (4) calculating according to the following formulas (2) to (4), finally calculating a baseline threshold range of the outbound flow, and taking the baseline threshold range as a normal behavior condition.
Figure BDA0001159676620000141
Figure BDA0001159676620000151
Figure BDA0001159676620000152
Wherein x iskIs the kth value of the N outbound traffic collection values, k is a positive integer, mu is the mean, σ is the standard deviation, s is the standard error, and N is a positive integer.
If the confidence is set to be 95%, the correction parameter obtained according to the confidence is 1.96, and 1.96 × s is the correction standard error, so the baseline threshold range is (μ -1.96 × s, μ +1.96 × s), that is, the normal behavior condition corresponding to the excessive outbound traffic is (μ -1.96 × s, μ +1.96 × s), when the excessive outbound traffic is in the range of (μ -1.96 × s, μ +1.96 × s ], the value of the excessive outbound traffic is assigned as the first value, and when the excessive outbound traffic is out of the range of (μ -1.96 × s, μ +1.96 × s ], the value of the excessive outbound traffic is assigned as the second value.
It should be noted that some attack behavior features have no specific numerical quantity, and the normal behavior conditions thereof can be directly determined, for example, whether the firewall is accepted or not can be indicated by yes or no or other characters according to whether the firewall can accept or not in the actual situation, if the firewall accepts, the value accepted by the firewall can be set to yes or 1, and if the firewall does not accept, the value accepted by the firewall can be set to no or 0.
Fig. 4 is a schematic structural diagram of a device for identifying a network attack pattern according to an embodiment of the present invention, and the device 200 for identifying a network attack pattern shown in fig. 4 includes a log obtaining module 201, a feature obtaining module 202, a set obtaining module 203, a calculating module 204, and an analyzing module 205.
The log obtaining module 201 may be configured to obtain log information of the service system to be tested and network traffic forwarded to the high-interaction honeypot by a preset low-interaction honeypot in the service system to be tested.
The characteristic obtaining module 202 may be configured to obtain the attack behavior characteristic from the network traffic and log information of the service system to be tested.
The set obtaining module 205 is configured to determine whether the attack behavior feature conforms to a preset normal behavior condition, and obtain an attack behavior feature value set according to a determination result, where the attack behavior feature value set includes at least one value of the attack behavior feature.
The calculation module 204 may be configured to calculate a similarity of the set of attack behavior feature values to a set of feature values of a plurality of known attack patterns.
The analysis module 205 may be configured to obtain an attack pattern corresponding to the feature value set of the known attack pattern with the highest similarity to the attack behavior feature value set as an attack pattern of the attack behavior feature value set.
It should be noted that the log information of the service system to be tested may include log information of the high-interaction honeypot. The log information of the service system to be tested may also include log information of the high-interaction honeypot and an alarm log of the network boundary safety protection device in the network in which the service system to be tested is located. And the IP address of the network protocol of the low-interaction honeypot is the same as the IP address of the high-interaction honeypot.
The network attack mode identification device 200 provided by the embodiment of the invention can extract attack behavior characteristics from log information and network flow of a service system to be tested, judge whether the attack behavior characteristics meet preset normal behavior conditions, obtain attack behavior characteristic value sets according to the judgment result, and judge the attack mode of the attack behavior characteristic values by calculating the similarity between the attack behavior characteristic value sets and the characteristic value sets of a plurality of known attack modes. And taking the attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity with the characteristic value set of the attack behavior as the attack mode of the characteristic value set of the attack behavior. Aiming at the network attack received by the service system to be tested, the closest attack mode can be found according to the attack behavior characteristics of the network attack, and the condition that no matched attack mode exists in a public cloud database in the prior art can not occur, so that the unknown attack mode can be identified, the condition that the network attack is not reported is avoided, and the safety of the network is improved.
Fig. 5 is a schematic structural diagram of a device for identifying a network attack mode according to another embodiment of the present invention, and the log obtaining module 201, the feature obtaining module 202, the set obtaining module 203, the calculating module 204, and the analyzing module 205 in fig. 5 are substantially the same as the log obtaining module 201, the feature obtaining module 202, the set obtaining module 203, the calculating module 204, and the analyzing module 205 in fig. 4. The difference is that the apparatus 200 for identifying a network attack mode shown in fig. 5 further includes a policy generation module 206, a policy issuing module 207, and a policy sharing module 208.
The policy generating module 206 may be configured to generate a corresponding security protection policy according to the attack mode of the attack behavior feature value set.
The policy issuing module 207 may be configured to issue the generated security policy to the network boundary security protection device.
And the policy sharing module 208 may be configured to share the generated security protection policy in the network where the service system to be tested is located.
In the embodiment of the present invention, the policy issuing module 207 issues the security protection policy to the network boundary security protection device, so as to implement deep defense against unknown network attacks. The policy sharing module 208 may share the security protection policy in the network where the service system to be tested is located, so that other service systems in the network may also obtain the generated security protection policy, thereby implementing multi-path blocking of network attack and improving the network attack early warning and protection capability of the whole network. It should be noted that, in the embodiment of the present invention, the apparatus 200 for identifying a network attack mode may include the policy issuing module 207 and the policy sharing module 208, or may include only one functional module of the policy issuing module 207 and the policy sharing module 208, which is not limited herein.
Fig. 6 is a schematic structural diagram of a device for identifying a network attack mode according to another embodiment of the present invention, and the log obtaining module 201, the feature obtaining module 202, the set obtaining module 203, the calculating module 204, and the analyzing module 205 in fig. 6 are substantially the same as the log obtaining module 201, the feature obtaining module 202, the set obtaining module 203, the calculating module 204, and the analyzing module 205 in fig. 4. The difference is that the apparatus 200 for identifying a network attack mode shown in fig. 6 further includes a virtual host building module 209, a vulnerability fixing module 210, and a traffic importing module 211.
The virtual host building module 209 may be configured to build a virtual host using the low-interaction honeypot, where the network protocol IP address of the virtual host is consistent with the IP address of the real host in the service system to be tested.
The bug fixing module 210 may be configured to rewrite bug simulation codes in the virtual host to fix bugs in the virtual host.
The traffic import module 211 may be configured to import the network traffic received by the service system to be tested into the virtual host after the bug is repaired.
The embodiment of the invention can realize the virtual patch function of the real host, effectively hide various bugs and improve the safety of a service system. Through the virtual patch function, whether the patching of the vulnerability is proper or not can be detected, and the network security of the real host computer cannot be endangered.
Fig. 7 is a schematic structural diagram of a device for identifying a network attack mode according to still another embodiment of the present invention, where a log obtaining module 201, a feature obtaining module 202, a set obtaining module 203, a calculating module 204, and an analyzing module 205 in fig. 7 are substantially the same as the log obtaining module 201, the feature obtaining module 202, the set obtaining module 203, the calculating module 204, and the analyzing module 205 in fig. 4. The difference is that the network attack pattern recognition apparatus 200 shown in fig. 7 further includes a condition setting module 212.
Wherein, the condition setting module 212 may be configured to: acquiring the attack behavior characteristics for multiple times to obtain multiple attack behavior characteristic acquisition values; calculating the average value and standard error of a plurality of attack behavior characteristic acquisition values; calculating the product of the standard error and a preset correction parameter as a correction standard error; the range of the standard error of the floating correction on the basis of the average value was calculated as a normal behavior condition.
It should be noted that, the set obtaining module 203 in the foregoing embodiment may be specifically configured to: judging whether the attack behavior characteristics accord with preset normal behavior conditions or not; assigning the value of the attack behavior characteristic which accords with the preset normal behavior condition as a first value; assigning the value of the attack behavior characteristic which does not meet the preset normal behavior condition as a second value; and combining the value of the attack behavior characteristic assigned as the first value and/or the value of the attack behavior characteristic assigned as the second value into an attack behavior characteristic value set.
The calculation module 204 in the above embodiments may be specifically configured to calculate the euclidean distance between the set of eigenvalues of the attack behavior and each of the sets of eigenvalues of the known attack patterns.
The analysis module 205 may be specifically configured to acquire an attack pattern corresponding to the feature value set of the known attack pattern with the smallest euclidean distance to the attack behavior feature value set as the attack pattern of the attack behavior feature value set.
It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. Also, a detailed description of known process techniques is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.
The functional blocks shown in the above-described structural diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.

Claims (20)

1. A network attack mode identification method comprises the following steps:
acquiring log information of a service system to be tested and network flow forwarded to a high-interaction honeypot by a low-interaction honeypot preset in the service system to be tested; the high-interaction honeypot is a physical honeypot, and the business system to be tested carries out baseline modeling aiming at the high-interaction honeypot;
acquiring attack behavior characteristics from the network flow and the log information of the service system to be tested;
judging whether the attack behavior characteristics accord with preset normal behavior conditions or not, and obtaining an attack behavior characteristic value set according to a judgment result, wherein the attack behavior characteristic value set comprises at least one attack behavior characteristic value;
calculating the similarity of the characteristic value set of the attack behaviors and the characteristic value set of a plurality of known attack modes;
and acquiring an attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity to the attack behavior characteristic value set as the attack mode of the attack behavior characteristic value set.
2. The method of claim 1, wherein the log information of the business system under test comprises log information of the high-interaction honeypot.
3. The method of claim 1, wherein the log information of the service system to be tested comprises log information of the high-interaction honeypot and an alarm log of a network boundary safety protection device in a network in which the service system to be tested is located.
4. The method of claim 1, further comprising:
and generating a corresponding safety protection strategy according to the attack mode of the attack behavior characteristic value set.
5. The method of claim 4, further comprising:
issuing the generated security protection strategy to network boundary security protection equipment and/or
And sharing the generated security protection strategy in the network where the service system to be tested is located.
6. The method of claim 1, further comprising:
constructing a virtual host by using the low-interaction honeypot, wherein the IP address of the network protocol of the virtual host is consistent with the IP address of the real host in the service system to be tested;
rewriting a bug simulation code in the virtual host to repair a bug in the virtual host;
and importing the network flow received by the service system to be tested into the virtual host after the bug is repaired.
7. The method of claim 1, wherein the step of determining whether the attack behavior feature meets a preset normal behavior condition and obtaining an attack behavior feature value set according to the determination result comprises:
judging whether the attack behavior characteristics accord with the preset normal behavior conditions or not;
assigning the value of the attack behavior characteristic which accords with the preset normal behavior condition as a first value;
assigning the value of the attack behavior characteristic which does not meet the preset normal behavior condition as a second value;
and combining the value of the attack behavior characteristic assigned as the first value and/or the value of the attack behavior characteristic assigned as the second value into the attack behavior characteristic value set.
8. The method according to claim 7, wherein for any one of the aggressive behavior characteristics, before the step of determining whether the aggressive behavior characteristic meets a preset normal behavior condition, the method further comprises:
collecting the attack behavior characteristics for multiple times to obtain multiple attack behavior characteristic collection values;
calculating the average value and standard error of a plurality of attack behavior characteristic acquisition values;
calculating the product of the standard error and a preset correction parameter as a correction standard error;
calculating a range of the corrected standard error that floats on the basis of the average as the normal behavior condition.
9. The method of claim 1, wherein the step of calculating the similarity of the set of attack behavior feature values to a set of feature values of a plurality of known attack patterns comprises:
calculating Euclidean distances between the set of attack behavior feature values and each set of the set of feature values of the known attack pattern;
and wherein, the step of obtaining the attack pattern corresponding to the eigenvalue set of the known attack pattern with the highest similarity to the eigenvalue set of the attack behavior, as the attack pattern of the eigenvalue set of the attack behavior, includes:
and acquiring an attack mode corresponding to the characteristic value set of the known attack mode with the minimum Euclidean distance of the attack behavior characteristic value set, and taking the attack mode as the attack mode of the attack behavior characteristic value set.
10. The method as described in claim 1, wherein the network protocol IP address of the low interaction honeypot is the same as the IP address of the high interaction honeypot.
11. An apparatus for identifying a network attack pattern, comprising:
the log acquisition module is configured to acquire log information of a service system to be tested and network traffic forwarded to a high-interaction honeypot by a low-interaction honeypot preset in the service system to be tested; the high-interaction honeypot is a physical honeypot, and the business system to be tested carries out baseline modeling aiming at the high-interaction honeypot;
the characteristic acquisition module is configured to acquire attack behavior characteristics from the network flow and the log information of the service system to be tested;
the set acquisition module is configured to judge whether the attack behavior characteristics meet preset normal behavior conditions or not, and obtain an attack behavior characteristic value set according to a judgment result, wherein the attack behavior characteristic value set comprises at least one value of the attack behavior characteristics;
a calculation module configured to calculate similarities of the set of attack behavior feature values to a set of feature values of a plurality of known attack patterns;
and the analysis module is configured to acquire an attack mode corresponding to the characteristic value set of the known attack mode with the highest similarity to the attack behavior characteristic value set as the attack mode of the attack behavior characteristic value set.
12. The apparatus of claim 11, wherein the log information of the business system under test comprises log information of the high-interaction honeypot.
13. The apparatus of claim 11, wherein the log information of the service system to be tested comprises log information of the high-interaction honeypot and an alarm log of a network boundary safety protection device in a network in which the service system to be tested is located.
14. The apparatus of claim 11, further comprising:
and the strategy generation module is configured to generate a corresponding security protection strategy according to the attack mode of the attack behavior characteristic value set.
15. The apparatus of claim 14, further comprising:
a policy issuing module configured to issue the generated security protection policy to a network boundary security protection device,
and/or a policy sharing module configured to share the generated security protection policy in a network in which the service system to be tested is located.
16. The apparatus of claim 11, further comprising:
the virtual host building module is configured to build a virtual host by using the low-interaction honeypot, wherein the IP address of the network protocol of the virtual host is consistent with the IP address of the real host in the service system to be tested;
a bug fixing module configured to rewrite bug simulation codes in the virtual host machine to fix bugs in the virtual host machine;
and the flow import module is configured to import the network flow received by the service system to be tested into the virtual host after the bug is repaired.
17. The apparatus of claim 11, wherein the set acquisition module is configured to:
judging whether the attack behavior characteristics accord with the preset normal behavior conditions or not;
assigning the value of the attack behavior characteristic which accords with the preset normal behavior condition as a first value;
assigning the value of the attack behavior characteristic which does not meet the preset normal behavior condition as a second value;
and combining the value of the attack behavior characteristic assigned as the first value and/or the value of the attack behavior characteristic assigned as the second value into the attack behavior characteristic value set.
18. The apparatus of claim 17, further comprising a condition setting module configured to:
collecting the attack behavior characteristics for multiple times to obtain multiple attack behavior characteristic collection values;
calculating the average value and standard error of a plurality of attack behavior characteristic acquisition values;
calculating the product of the standard error and a preset correction parameter as a correction standard error;
calculating a range of the corrected standard error that floats on the basis of the average as the normal behavior condition.
19. The apparatus according to claim 11, wherein the calculation module is specifically configured to calculate euclidean distances of the set of attack behavior feature values from each of the set of feature values of the known attack patterns;
the analysis module is specifically configured to acquire an attack pattern corresponding to a feature value set of a known attack pattern with a minimum Euclidean distance to the attack behavior feature value set as an attack pattern of the attack behavior feature value set.
20. The apparatus of claim 11, wherein the network protocol IP address of the low interaction honeypot is the same as the IP address of the high interaction honeypot.
CN201611062203.9A 2016-11-23 2016-11-23 Network attack mode identification method and device Active CN108092948B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611062203.9A CN108092948B (en) 2016-11-23 2016-11-23 Network attack mode identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611062203.9A CN108092948B (en) 2016-11-23 2016-11-23 Network attack mode identification method and device

Publications (2)

Publication Number Publication Date
CN108092948A CN108092948A (en) 2018-05-29
CN108092948B true CN108092948B (en) 2021-04-02

Family

ID=62170221

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611062203.9A Active CN108092948B (en) 2016-11-23 2016-11-23 Network attack mode identification method and device

Country Status (1)

Country Link
CN (1) CN108092948B (en)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110839088A (en) * 2018-08-16 2020-02-25 深信服科技股份有限公司 Detection method, system, device and storage medium for dug by virtual currency
CN109167767A (en) * 2018-08-17 2019-01-08 苏州亮磊知识产权运营有限公司 A kind of working method of the ddos attack system of defense for DHCP framework
CN109361670B (en) * 2018-10-21 2021-05-28 北京经纬信安科技有限公司 Device and method for capturing malicious sample by utilizing targeted dynamic deployment of honeypots
CN109302401B (en) * 2018-10-25 2021-07-09 国家电网有限公司 Information security protection method and device
CN111447168B (en) * 2019-01-16 2022-05-24 河南信安通信技术股份有限公司 Multidimensional network security prediction method
CN109818984A (en) * 2019-04-10 2019-05-28 吉林亿联银行股份有限公司 The defence method and device of loophole
CN110351237B (en) * 2019-05-23 2020-07-10 中国科学院信息工程研究所 Honeypot method and device for numerical control machine tool
CN110751570A (en) * 2019-09-16 2020-02-04 中国电力科学研究院有限公司 Power service message attack identification method and system based on service logic
CN110830457B (en) * 2019-10-25 2022-06-21 腾讯科技(深圳)有限公司 Attack sensing method, device, equipment and medium based on honeypot induction
CN111726264B (en) * 2020-06-18 2021-11-19 中国电子科技集团公司第三十六研究所 Network protocol variation detection method, device, electronic equipment and storage medium
CN111835777B (en) * 2020-07-20 2022-09-30 深信服科技股份有限公司 Abnormal flow detection method, device, equipment and medium
CN112165459B (en) * 2020-09-08 2021-06-11 广州锦行网络科技有限公司 Application method for automatically switching to host honeypot based on alarm honeypot information analysis
CN112367307B (en) * 2020-10-27 2023-05-23 中国电子科技集团公司第二十八研究所 Intrusion detection method and system based on container-level honey pot group
CN112333196B (en) * 2020-11-10 2023-04-04 恒安嘉新(北京)科技股份公司 Attack event tracing method and device, electronic equipment and storage medium
CN112910895B (en) * 2021-02-02 2022-11-15 杭州安恒信息技术股份有限公司 Network attack behavior detection method and device, computer equipment and system
CN113395288B (en) * 2021-06-24 2022-06-24 浙江德迅网络安全技术有限公司 Active defense DDOS system based on SDWAN
CN115529145A (en) * 2021-06-25 2022-12-27 ***通信集团广东有限公司 Network security intrusion detection and protection system and method
CN113422787B (en) * 2021-08-24 2021-11-09 广州乐盈信息科技股份有限公司 Intelligent anti-attack method for passive optical network system
CN114006766A (en) * 2021-11-04 2022-02-01 杭州安恒信息安全技术有限公司 Network attack detection method and device, electronic equipment and readable storage medium
CN114205127A (en) * 2021-11-29 2022-03-18 中国铁路北京局集团有限公司北京通信段 Network safety monitoring method and system for railway
CN114866349B (en) * 2022-07-06 2022-11-15 深圳市永达电子信息股份有限公司 Network information filtering method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102314A (en) * 2007-06-21 2008-01-09 北京联合大学 A 3-level modular intrusion detection system based on risk model
CN103971054A (en) * 2014-04-25 2014-08-06 天津大学 Detecting method of browser extension loophole based on behavior sequence
CN105245495A (en) * 2015-08-27 2016-01-13 哈尔滨工程大学 Similarity match based rapid detection method for malicious shellcode
CN105488394A (en) * 2014-12-27 2016-04-13 哈尔滨安天科技股份有限公司 Method and system for carrying out intrusion behavior identification and classification on hotpot system
CN105721416A (en) * 2015-11-16 2016-06-29 哈尔滨安天科技股份有限公司 Apt event attack organization homology analysis method and apparatus

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9253204B2 (en) * 2014-03-19 2016-02-02 International Business Machines Corporation Generating accurate preemptive security device policy tuning recommendations

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102314A (en) * 2007-06-21 2008-01-09 北京联合大学 A 3-level modular intrusion detection system based on risk model
CN103971054A (en) * 2014-04-25 2014-08-06 天津大学 Detecting method of browser extension loophole based on behavior sequence
CN105488394A (en) * 2014-12-27 2016-04-13 哈尔滨安天科技股份有限公司 Method and system for carrying out intrusion behavior identification and classification on hotpot system
CN105245495A (en) * 2015-08-27 2016-01-13 哈尔滨工程大学 Similarity match based rapid detection method for malicious shellcode
CN105721416A (en) * 2015-11-16 2016-06-29 哈尔滨安天科技股份有限公司 Apt event attack organization homology analysis method and apparatus

Also Published As

Publication number Publication date
CN108092948A (en) 2018-05-29

Similar Documents

Publication Publication Date Title
CN108092948B (en) Network attack mode identification method and device
Stiawan et al. Investigating brute force attack patterns in IoT network
CN107251513B (en) System and method for accurate assurance of malicious code detection
CN108289088B (en) Abnormal flow detection system and method based on business model
Vukalović et al. Advanced persistent threats-detection and defense
CN111490970A (en) Tracing analysis method for network attack
CN105227383B (en) A kind of device of network topology investigation
CN111245787A (en) Method and device for equipment defect identification and equipment defect degree evaluation
Zarras et al. Automated generation of models for fast and precise detection of HTTP-based malware
US20180332061A1 (en) Information processing apparatus, method and medium for classifying unauthorized activity
KR102414334B1 (en) Method and apparatus for detecting threats of cooperative-intelligent transport road infrastructure
CN113079185B (en) Industrial firewall control method and equipment for realizing deep data packet detection control
Ádám et al. Artificial neural network based IDS
Bortolameotti et al. Headprint: detecting anomalous communications through header-based application fingerprinting
CN111083172A (en) Link communication monitoring view construction method based on data packet analysis
Asha et al. Analysis on botnet detection techniques
Auliar et al. Security in iot-based smart homes: A taxonomy study of detection methods of mirai malware and countermeasures
Athavale et al. Framework for threat analysis and attack modelling of network security protocols
Seo et al. Abnormal behavior detection to identify infected systems using the APChain algorithm and behavioral profiling
CN114372269A (en) Risk assessment method based on system network topological structure
Faizal et al. Threshold verification technique for network intrusion detection system
KR102377784B1 (en) Network security system that provides security optimization function of internal network
Tiwari et al. Secure Socket Shell bruteforce attack detection with petri net modeling
CN110611636B (en) Major data algorithm-based defect host detection method
Fujimoto et al. Detecting attacks leveraging vulnerabilities fixed in MS17-010 from Event Log

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant