CN109271790A - A kind of malicious site access interception method and detection system based on flow analysis - Google Patents


Info

Publication number: CN109271790A
Application number: CN201811153950.2A
Authority: CN (China)
Prior art keywords: malicious site, address, log record, detection, record data
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 田建伟, 乔宏, 朱宏宇, 田峥, 黎曦, 刘洁
Current assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hunan Electric Power Co Ltd; State Grid Hunan Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hunan Electric Power Co Ltd; State Grid Hunan Electric Power Co Ltd
Application filed by: State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Hunan Electric Power Co Ltd, State Grid Hunan Electric Power Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a malicious-site access interception method and detection system based on traffic analysis. The method comprises S1: constructing a malicious-site detection model based on the log feature information in traffic data, where the model detects access to malicious sites and intercepts that access; S2: collecting the traffic-mirror packets at the network egress in real time, extracting the log feature information from the mirrored packets to generate log data units, and sending those units to a log buffer queue; S3: analysing the log data units from S2 with the detection model built in S1, and updating the IP address-domain name mapping temporary file produced by the detection into the IP address-domain name mapping file of the DNS server. The invention achieves real-time online detection of malicious sites and real-time interception of the detected malicious-site access, thereby improving the security of the network system.

Description

A kind of malicious site access interception method and detection system based on flow analysis
Technical field
The invention belongs to the field of network information security technology, and in particular relates to a malicious-site access interception method and detection system based on traffic analysis.
Background technique
A malicious site is a site whose web pages have malicious code embedded in them and which, together with a remotely controlled Trojan or virus and without the user's permission, carries out rogue activities such as damaging the user's computer software and stealing the user's personal information; one example is the switch domain of the ransomware that swept the globe in 2017. The National Internet Emergency Center and network supervision bodies such as some provincial Communications Administration Bureaus also publish blacklists of malicious sites. By detecting access to malicious sites, the information assets infected by viruses and Trojans can be located, so that emergency measures can be taken quickly, large-scale infection by viruses and Trojans can be avoided, and network security incidents can be prevented. At present there is a lack of technical measures for detecting malicious sites; access to malicious sites is mainly prevented by filtering DNS name resolution. However, the DNS name resolution method cannot detect access to malicious sites addressed directly by IP. Malicious-site access is hard to detect and poses a high degree of threat, and has become a chronic problem in information security, so real-time monitoring of malicious sites is particularly important. To date, no published literature addresses a real-time online detection method for malicious sites.
Summary of the invention
The object of the present invention is to provide a malicious-site access real-time interception method and detection system based on traffic analysis, which achieves real-time online detection of malicious sites and real-time interception of the detected malicious-site access, thereby improving the security of the network system.
A malicious-site access real-time interception method based on traffic analysis, comprising:
S1: constructing a malicious-site detection model based on the log feature information in traffic data;
wherein the log feature information includes the source IP address, the TCP syn value, the TCP ack value and the destination IP address;
the detection process of the malicious-site detection model comprises the following steps S11-S14:
S11: extract a log data unit from the log buffer queue and identify whether the source IP address in the log data unit is an enterprise-internal address; if so, go to step S12; otherwise, repeat step S11;
S12: judge whether the TCP syn value and the TCP ack value in the log data unit are both 1; if so, go to step S13; otherwise, return to step S11;
S13: judge whether the destination IP address in the log data unit is in the pre-stored malicious site list; if so, go to step S14; otherwise, return to step S11;
S14: append <127.0.0.1 [host]> to the IP address-domain name mapping temporary file, then return to step S11 to extract and analyse the next log data unit;
wherein host is the host attribute of the log data unit, i.e. the main site domain name; <127.0.0.1 [host]> means that the DNS resolves the domain name host to the local loopback address, so that the user whose source address is src_ip cannot reach the host main site, thereby blocking the access to the malicious site;
S2: collect the traffic-mirror packets at the network egress in real time, extract the log feature information from the mirrored packets to generate log data units, and send them to the log buffer queue;
S3: analyse the log data units from S2 with the malicious-site detection model built in S1, and update the IP address-domain name mapping temporary file produced by the detection into the IP address-domain name mapping file of the DNS server.
The malicious-site detection model constructed by the present invention is built from the log feature information in traffic data, specifically from the "source IP address, TCP syn value, TCP ack value and destination IP address" extracted from the traffic packets. The present invention is the first to propose monitoring access to malicious sites by way of traffic analysis; because traffic data most directly reflects the purpose of the current access, the present invention, through layered logical judgements on the log feature information in traffic data, effectively achieves real-time monitoring of malicious-site access and improves network security. The malicious site list used by the present invention is issued by network supervision bodies such as the Communications Administration Bureau, and is therefore authoritative and credible.
Further preferably, when collecting the traffic-mirror packets at the network egress in step S2, snort is used to capture the network egress traffic-mirror packets in real time.
In another aspect, the present invention provides a detection system based on the above method, comprising a traffic data collection client, a malicious-site detection and alarm platform and a DNS server, the traffic data collection client and the DNS server each being communicatively connected to the malicious-site detection and alarm platform;
wherein the traffic data collection client comprises a traffic data collection module, a log extraction module and a socket communication module; the traffic data collection module collects the traffic-mirror packets at the network egress in real time; the log extraction module extracts the log feature information from the mirrored packets to generate log data units; and the socket communication module sends the log data units to the log buffer queue;
the malicious-site detection and alarm platform comprises the malicious-site detection model, the malicious site list, the log data buffer queue, a communication module and a data storage thread; the malicious-site detection model detects whether there is a log data unit that matches the malicious site list; the data storage thread appends <127.0.0.1 [host]> to the IP address-domain name mapping temporary file; and the communication module sends the IP address-domain name mapping temporary file to the DNS server for updating the IP address-domain name mapping file of the DNS server.
Further preferably, the traffic data collection client and the DNS server are each connected to the malicious-site detection and alarm platform by Ethernet.
Further preferably, the traffic data collection module is a snort collection module.
Beneficial effect
1. The present invention is the first to propose monitoring access to malicious sites by way of traffic analysis. Because traffic data most directly reflects the purpose of the current access, the present invention builds a malicious-site detection model from the log feature information in traffic data and, in particular through layered logical judgements, effectively achieves real-time monitoring of malicious-site access and improves network security.
2. The present invention achieves real-time monitoring of malicious sites, is simple to implement and easy to deploy; and access requests confirmed to be to malicious sites are intercepted, ensuring the security of the system.
Detailed description of the invention
Fig. 1 is a flow chart of the malicious-site detection model provided by the present invention.
Specific embodiment
The present invention is further described below with reference to embodiments.
The present invention detects malicious-site access based on traffic analysis; specifically, it uses the log feature information "source IP address, TCP syn value, TCP ack value, destination IP address" in the traffic data to identify whether the current access is an access to a malicious site. After collecting a traffic packet, the present invention extracts the feature information from it to generate a log data unit, whose format is shown in Table 1:
Table 1
Attribute | Meaning
src_ip | source IP address
dst_ip | destination IP address
host | main site domain name
syn | TCP syn value
message | original log information
In order to monitor malicious-site access, the present invention uses the above log feature information to build a malicious-site detection model and intercepts access confirmed to be to a malicious site. As shown in Fig. 1, the detection process of the malicious-site detection model provided by the present invention comprises the following steps:
S11: extract a log data unit from the log buffer queue and identify whether the source IP address in the log data unit is an enterprise-internal address; if so, go to step S12; otherwise, repeat step S11. Here, if the source IP address is an enterprise-internal address, 1 is output.
S12: judge whether the TCP syn value and the TCP ack value in the log data unit are both 1; if so, go to step S13; otherwise, return to step S11;
S13: judge whether the destination IP address in the log data unit is in the pre-stored malicious site list; if so, go to step S14; otherwise, return to step S11;
S14: append <127.0.0.1 [host]> to the IP address-domain name mapping temporary file, then return to step S11 to extract and analyse the next log data unit;
wherein <127.0.0.1 [host]> means that the domain name host is resolved to the local loopback address, in order to block the current access to the malicious site.
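The decision chain S11-S14 above, implemented over a few constructed log data units. This is an added example, not code from the patent: it applies the three tests exactly as the page states them (enterprise-internal source, TCP syn and ack both 1, destination in the malicious site list), produces the "127.0.0.1 host" lines that S14 appends to the temporary file, and adds a merge step standing in for S3's update of the DNS server's mapping file. The RFC 1918 ranges used for the "enterprise-internal" test, the malicious IP list and the sample units are all assumptions constructed for the example.

```python
"""Detection model of steps S11-S14 over constructed log data units (added example)."""
import ipaddress
from collections import deque
from dataclasses import dataclass

# Assumption: the RFC 1918 private ranges stand in for the "enterprise-internal
# address" test of S11; a real deployment would use its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed malicious site list (documentation addresses, not real sites).
MALICIOUS_IPS = frozenset({"203.0.113.10", "198.51.100.7"})


@dataclass(frozen=True)
class LogUnit:
    """One log data unit: the Table 1 attributes plus the ack value named in S1."""
    src_ip: str
    dst_ip: str
    host: str
    syn: int
    ack: int
    message: str = ""


# Constructed log data units: only the first and the last pass S11, S12 and S13.
SAMPLE_UNITS = [
    LogUnit("10.1.2.3", "203.0.113.10", "bad.example", 1, 1, "hit"),
    LogUnit("10.1.2.3", "203.0.113.10", "bad.example", 1, 0, "syn only, fails S12"),
    LogUnit("8.8.4.4", "203.0.113.10", "bad.example", 1, 1, "external source, fails S11"),
    LogUnit("192.168.5.5", "198.51.100.200", "ok.example", 1, 1, "not listed, fails S13"),
    LogUnit("172.20.0.9", "198.51.100.7", "evil.example", 1, 1, "hit"),
]


def is_internal(ip: str) -> bool:
    """S11: is the source address an enterprise-internal address?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # a malformed address can never be internal
        return False
    return any(addr in net for net in INTERNAL_NETS)


def matches_model(unit: LogUnit, malicious_ips) -> bool:
    """S11-S13 applied to one unit; True means S14 must run."""
    if not is_internal(unit.src_ip):                 # S11
        return False
    if not (unit.syn == 1 and unit.ack == 1):        # S12
        return False
    return unit.dst_ip in malicious_ips              # S13


def run_model(units, malicious_ips=MALICIOUS_IPS) -> list:
    """S11-S14 loop over the log buffer queue; returns the lines appended to
    the IP address-domain name mapping temporary file."""
    queue = deque(units)
    temp_file_lines = []
    while queue:
        unit = queue.popleft()
        if matches_model(unit, malicious_ips):
            temp_file_lines.append(f"127.0.0.1 {unit.host}")   # S14
    return temp_file_lines


def merge_into_mapping(existing: str, temp_lines) -> str:
    """S3: fold the temporary file into the DNS server's mapping file, keeping
    the existing lines and adding each new host only once."""
    lines = [line for line in existing.splitlines() if line.strip()]
    known = {tuple(line.split()) for line in lines}
    for entry in temp_lines:
        key = tuple(entry.split())
        if key not in known:
            lines.append(entry)
            known.add(key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = run_model(SAMPLE_UNITS)
    print(hits)
    print(merge_into_mapping("127.0.0.1 localhost\n127.0.0.1 bad.example\n", hits))
```

Running the file prints the two mapping lines and the merged mapping file, which now contains `evil.example` but does not duplicate the `bad.example` entry that was already present; the deduplication matters because S14 appends on every matching unit, and a noisy client would otherwise grow the file on each connection.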
Based on the constructed malicious-site detection model, the real-time interception of malicious-site access in the present invention further comprises the following steps:
S2: collect the traffic-mirror packets at the network egress in real time, extract the log feature information from the mirrored packets to generate log data units, and send them to the log buffer queue.
Here the log data unit is as listed in Table 1.
S3: analyse the log data units from S2 with the malicious-site detection model built in S1, and update the IP address-domain name mapping temporary file produced by the detection into the IP address-domain name mapping file of the DNS server.
During actual monitoring, the present invention collects the traffic-mirror packets at the network egress in real time, generates log data units and distributes them into the log buffer queue, then invokes the constructed malicious-site detection model to analyse the log data units; if a log data unit matches the malicious site list, the system works in conjunction with the DNS server to intercept the malicious-site access.
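The log extraction of step S2, as an added example that is not the patent's code: a minimal IPv4/TCP header parser that fills the Table 1 attributes (plus the ack value from S1) from one mirrored packet, an HTTP Host header extractor, and a packet builder used only to construct sample input. It assumes the mirrored packet starts at the IP header (no link-layer header) and that the `message` attribute is a compact per-packet summary. Note that in a real flow the SYN/ACK of the handshake and the HTTP request carrying the Host header are different packets, so the parser reports whatever each packet carries; the second sample shows a SYN/ACK with no payload and therefore an empty host.

```python
"""Log extraction module of step S2: one IPv4/TCP packet -> log data unit (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10


@dataclass(frozen=True)
class LogUnit:
    src_ip: str
    dst_ip: str
    host: str
    syn: int
    ack: int
    message: str


def extract_host(payload: bytes) -> str:
    """Return the HTTP Host header value from a request payload, or "" if absent."""
    for raw in payload.split(b"\r\n"):
        name, sep, value = raw.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", errors="replace")
        if raw == b"":          # blank line ends the header block
            break
    return ""


def build_log_unit(packet: bytes) -> Optional[LogUnit]:
    """Parse an IPv4/TCP packet; None for anything the model cannot use."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                         # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or ihl < 20 or total_len > len(packet):
        return None                         # not TCP, or truncated
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ackno, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4        # TCP header length in bytes
    flags = off_flags & 0x1FF
    payload = tcp[data_off:]
    return LogUnit(
        src_ip=src_ip,
        dst_ip=dst_ip,
        host=extract_host(payload),
        syn=1 if flags & TCP_SYN else 0,
        ack=1 if flags & TCP_ACK else 0,
        message=f"{src_ip}:{sport} -> {dst_ip}:{dport} flags=0x{flags:03x} len={len(payload)}",
    )


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int,
                 payload: bytes = b"") -> bytes:
    """Construct a sample IPv4/TCP packet (checksums left zero; test input only)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed samples: an HTTP request carrying the Host header, and the
# SYN/ACK of a handshake, which carries no payload at all.
HTTP_REQUEST = build_packet("10.1.2.3", "203.0.113.10", 51515, 80, TCP_PSH | TCP_ACK,
                            b"GET / HTTP/1.1\r\nHost: bad.example\r\n\r\n")
SYN_ACK = build_packet("203.0.113.10", "10.1.2.3", 80, 51515, TCP_SYN | TCP_ACK)

if __name__ == "__main__":
    for pkt in (HTTP_REQUEST, SYN_ACK):
        print(build_log_unit(pkt))
```

Each parsed unit is what the socket communication module would place on the log buffer queue; packets that are not IPv4/TCP, or that are truncated by the mirror, are dropped rather than passed on with half-filled attributes.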
To implement the above interception method, the present invention builds a detection system comprising a traffic data collection client, a malicious-site detection and alarm platform and a DNS server, the traffic data collection client and the DNS server being communicatively connected to the malicious-site detection and alarm platform via Ethernet.
The traffic data collection client comprises a traffic data collection module, a log extraction module and a socket communication module. The traffic data collection module collects the traffic-mirror packets at the network egress in real time, using the snort software (an open-source network intrusion detection system) to capture the network egress traffic-mirror packets in real time. The log extraction module extracts the log feature information from the mirrored packets to generate log data units, and the socket communication module sends the log data units to the log buffer queue of the malicious-site detection and alarm platform;
The malicious-site detection and alarm platform comprises the malicious-site detection model, the malicious site list, the log data buffer queue, a communication module and a data storage thread. The malicious-site detection model detects whether there is a log data unit that matches the malicious site list; the data storage thread appends <127.0.0.1 [host]> to the IP address-domain name mapping temporary file; and the communication module sends the IP address-domain name mapping temporary file to the DNS server for updating the IP address-domain name mapping file of the DNS server.
In summary, the present invention uses network traffic data to construct a completely new malicious-site detection model, achieves real-time monitoring of malicious-site access based on that model, and, for access confirmed to be to a malicious site, achieves real-time interception by working in conjunction with the DNS server.
It should be emphasised that the embodiments of the present invention are illustrative rather than restrictive; the present invention is therefore not limited to the embodiments described in the detailed description, and all other embodiments obtained by those skilled in the art according to the technical solution of the present invention, without departing from the concept and scope of the present invention, whether by modification or substitution, also fall within the scope of protection of the present invention.

Claims (5)

1. A malicious-site access interception method based on traffic analysis, characterised by comprising the following steps:
S1: constructing a malicious-site detection model based on the log feature information in traffic data;
wherein the log feature information includes the source IP address, the TCP syn value, the TCP ack value and the destination IP address;
the detection process of the malicious-site detection model comprises the following steps S11-S14:
S11: extract a log data unit from the log buffer queue and identify whether the source IP address in the log data unit is an enterprise-internal address; if so, go to step S12; otherwise, repeat step S11;
wherein the log data unit includes at least the log feature information and the main site domain name host;
S12: judge whether the TCP syn value and the TCP ack value in the log data unit are both 1; if so, go to step S13; otherwise, return to step S11;
S13: judge whether the destination IP address in the log data unit is in the pre-stored malicious site list; if so, go to step S14; otherwise, return to step S11;
S14: append <127.0.0.1 [host]> to the IP address-domain name mapping temporary file, then return to step S11 to extract and analyse the next log data unit;
wherein <127.0.0.1 [host]> means that the DNS resolves the domain name host to the local loopback address, in order to block access to the malicious site;
S2: collect the traffic-mirror packets at the network egress in real time, extract the log feature information from the mirrored packets to generate log data units, and send them to the log buffer queue;
S3: analyse the log data units from S2 with the malicious-site detection model built in S1, and update the IP address-domain name mapping temporary file produced by the detection into the IP address-domain name mapping file of the DNS server.
2. The method according to claim 1, characterised in that: when collecting the traffic-mirror packets at the network egress in step S2, snort is used to capture the network egress traffic-mirror packets in real time.
3. A detection system based on the method of any one of claims 1-2, characterised by comprising: a traffic data collection client, a malicious-site detection and alarm platform and a DNS server, the traffic data collection client and the DNS server each being communicatively connected to the malicious-site detection and alarm platform;
wherein the traffic data collection client comprises a traffic data collection module, a log extraction module and a socket communication module; the traffic data collection module collects the traffic-mirror packets at the network egress in real time; the log extraction module extracts the log feature information from the mirrored packets to generate log data units; and the socket communication module sends the log data units to the log buffer queue;
the malicious-site detection and alarm platform comprises the malicious-site detection model, the malicious site list, the log data buffer queue, a communication module and a data storage thread; the malicious-site detection model detects whether there is a log data unit that matches the malicious site list; the data storage thread appends <127.0.0.1 [host]> to the IP address-domain name mapping temporary file; and the communication module sends the IP address-domain name mapping temporary file to the DNS server for updating the IP address-domain name mapping file of the DNS server.
4. The detection system according to claim 3, characterised in that: the traffic data collection client and the DNS server are each connected to the malicious-site detection and alarm platform by Ethernet.
5. The detection system according to claim 3, characterised in that: the traffic data collection module is a snort collection module.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201811153950.2A | 2018-09-30 | 2018-09-30 | A kind of malicious site access interception method and detection system based on flow analysis

Publications (1)

Publication Number | Publication Date
CN109271790A (en) | 2019-01-25

Family

ID=65195322

Country Status (1)

Country | Link
CN (1) | CN109271790A (en)



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20190125