CN113709129A - White list generation method, device and system based on traffic learning - Google Patents


Info

Publication number
CN113709129A
Authority
CN
China
Prior art keywords
analysis result
data flow
message
target
analysis
Prior art date
Legal status
Pending
Application number
CN202110958793.8A
Other languages
Chinese (zh)
Inventor
张振钒
叶晓虎
黄�俊
樊志甲
穆帅
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 ... for managing network security; network security policies in general
    • H04L 63/205 ... involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L 63/14 ... for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

The present application relates to the field of network communication technologies, and in particular to a white list generation method, apparatus and system based on traffic learning. A data flow packet is parsed according to a parsing rule to obtain a corresponding target parsing result. When the packet is judged to be a legal packet according to the protocol specification and the target parsing result, a template identifier is stored in association with at least that parsing result. When a trigger condition is determined to be met, each target parsing result stored under the template identifier is obtained and added to the template corresponding to that identifier, which yields the white list.

Description

White list generation method, device and system based on traffic learning
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a white list generation method, apparatus, and system based on traffic learning.
Background
With the rapid development of computer networks, the importance of network security technology is increasingly evident.
In the related art, after a network attack is encountered, each service provided in the network must be known in advance, and a corresponding security policy is configured on the network device based on the type of attack and on those services, so as to secure network communication.
In the related art, therefore, the security policy is configured only after an anomaly has occurred; the network device cannot actively defend before the anomaly occurs.
As a result, when a strong network attack is encountered, the network equipment cannot produce a corresponding security policy in time for defense, which poses a serious hidden danger to network security.
Disclosure of Invention
The embodiments of the application provide a white list generation method, apparatus and system based on traffic learning, aiming to solve the problem in the prior art that network equipment cannot actively defend before an anomaly occurs once a network attack is encountered.
The embodiment of the application provides the following specific technical scheme:
a white list generation method based on traffic learning comprises the following steps:
continuously receiving first data flow packets sent by each first device, where the following operations are performed each time a first data flow packet is received: parsing the first data flow packet according to a preset parsing rule to obtain a first target parsing result of the packet, and, when the packet is judged to be a legal packet according to a specified protocol specification and the first target parsing result, storing a preset template identifier in association with at least the first target parsing result;
when a preset trigger condition is met, acquiring each first target parsing result stored in association with the template identifier;
and adding each obtained first target parsing result to the template corresponding to the template identifier to obtain a white list.
Optionally, parsing the first data flow packet according to a preset parsing rule to obtain a first target parsing result of the packet includes:
performing data link layer parsing on the first data flow packet based on a first protocol stack parsing rule preset for the data link layer to obtain a first parsing result, where the first parsing result includes at least a source Media Access Control (MAC) address and a destination MAC address;
performing network layer parsing on the first data flow packet that has undergone data link layer parsing, based on a second protocol stack parsing rule preset for the network layer, to obtain a second parsing result, where the second parsing result includes at least a source Internet Protocol (IP) address and a destination IP address;
performing transport layer parsing on the first data flow packet that has undergone network layer parsing, based on a third protocol stack parsing rule preset for the transport layer, to obtain a third parsing result, where the third parsing result includes at least a source port number and a destination port number;
determining, based on the third parsing result, the application layer protocol to which the first data flow packet belongs, and performing application layer parsing based on a deep parsing rule configured in advance for the application layer to obtain a fourth parsing result, where the fourth parsing result includes at least an operation instruction;
and obtaining the corresponding first target parsing result from the first, second, third and fourth parsing results.
Optionally, determining whether the first data flow packet is a legal packet according to a specified protocol specification and the first target parsing result includes:
judging, based on the specified protocol specification and the first target parsing result, whether the value of each field contained in the first target parsing result is consistent with the value of the corresponding field in the protocol specification; if so, judging the first data flow packet to be a legal packet, and otherwise judging it to be an illegal packet.
Optionally, after the first data flow packet is determined to be an illegal packet according to the specified protocol specification and the first target parsing result, the method further includes:
stopping transmission of the first data flow packet, and generating alarm information based on the second parsing result of the first data flow packet.
Optionally, the preset trigger condition includes:
the duration of continuously receiving the first data flow packets sent by each first device reaches a set threshold; or
receiving indication information to stop receiving the first data flow packets.
Optionally, adding each obtained first target parsing result to the template corresponding to the template identifier to obtain a white list includes:
acquiring the template corresponding to the template identifier, determining each field to be added that the template includes, and adding each corresponding first target parsing result to the template to obtain the white list.
Optionally, after the white list is obtained, the method further includes:
when a second data stream message sent by second equipment is received, analyzing the second data stream message according to a preset analysis rule to obtain a second target analysis result of the second data stream message;
judging whether the second target analysis result is matched with the content contained in the white list or not;
if yes, forwarding the second data flow message;
otherwise, blocking the second data flow message and generating corresponding alarm information.
A white list generation apparatus based on traffic learning, comprising:
a processing unit, configured to continuously receive first data flow packets sent by each first device, where, each time one first data flow packet is received, the following operations are performed: analyzing the first data flow message according to a preset analysis rule to obtain a first target analysis result of the first data flow message, and when the first data flow message is judged to be a legal message according to a specified protocol specification and the first target analysis result, storing a preset template identifier at least in association with the first target analysis result;
the acquisition unit is used for acquiring each first target analysis result stored corresponding to the template identifier when the preset trigger condition is met;
and the generating unit is used for adding each obtained first target analysis result to the template corresponding to the template identifier to obtain a white list.
Optionally, to parse the first data flow packet according to a preset parsing rule and obtain a first target parsing result of the packet, the processing unit is configured to:
perform data link layer parsing on the first data flow packet based on a first protocol stack parsing rule preset for the data link layer to obtain a first parsing result, where the first parsing result includes at least a source Media Access Control (MAC) address and a destination MAC address;
perform network layer parsing on the first data flow packet that has undergone data link layer parsing, based on a second protocol stack parsing rule preset for the network layer, to obtain a second parsing result, where the second parsing result includes at least a source Internet Protocol (IP) address and a destination IP address;
perform transport layer parsing on the first data flow packet that has undergone network layer parsing, based on a third protocol stack parsing rule preset for the transport layer, to obtain a third parsing result, where the third parsing result includes at least a source port number and a destination port number;
determine, based on the third parsing result, the application layer protocol to which the first data flow packet belongs, and perform application layer parsing based on a deep parsing rule configured in advance for the application layer to obtain a fourth parsing result, where the fourth parsing result includes at least an operation instruction;
and obtain the corresponding first target parsing result from the first, second, third and fourth parsing results.
Optionally, to determine whether the first data flow packet is a legal packet according to a specified protocol specification and the first target parsing result, the processing unit is configured to:
judge, based on the specified protocol specification and the first target parsing result, whether the value of each field contained in the first target parsing result is consistent with the value of the corresponding field in the protocol specification; if so, judge the first data flow packet to be a legal packet, and otherwise judge it to be an illegal packet.
Optionally, if the first data flow packet is determined to be an illegal packet according to the specified protocol specification and the first target parsing result, the processing unit is further configured to:
stop transmission of the first data flow packet, and generate alarm information based on the second parsing result of the first data flow packet.
Optionally, the preset trigger condition includes:
the duration of continuously receiving the first data flow packets sent by each first device reaches a set threshold; or
receiving indication information to stop receiving the first data flow packets.
Optionally, to add each obtained first target parsing result to the template corresponding to the template identifier and obtain a white list, the generating unit is configured to:
acquire the template corresponding to the template identifier, determine each field to be added that the template includes, and add each corresponding first target parsing result to the template to obtain the white list.
Optionally, after obtaining the white list, the processing unit is further configured to:
when a second data stream message sent by second equipment is received, analyzing the second data stream message according to a preset analysis rule to obtain a second target analysis result of the second data stream message;
judging whether the second target analysis result is matched with the content contained in the white list or not;
if yes, forwarding the second data flow message;
otherwise, blocking the second data flow message and generating corresponding alarm information.
An electronic device comprises a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the white list generation method based on traffic learning when executing the program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of a white list generation method based on traffic learning as described above.
In the embodiments of the application, a data flow packet is parsed according to a preset parsing rule to obtain the corresponding target parsing result. When the packet is judged to be a legal packet according to the specified protocol specification and the target parsing result, a preset template identifier is stored in association with at least that parsing result. When the preset trigger condition is determined to be met, each target parsing result stored under the template identifier is obtained and added to the template corresponding to the identifier, which yields the white list. The white list is thus obtained by learning. The generated white list is then loaded so that traffic in the network is detected and protected: a data flow packet in the traffic that matches the white list is forwarded, otherwise it is blocked and alarm information is generated. This realizes active defense before an anomaly occurs and protects the security equipment from damage; at the same time, direct matching against the white list improves detection efficiency and reduces the operation and maintenance cost of the security equipment.
Drawings
Fig. 1 is a schematic flowchart of a white list generation method based on traffic learning in an embodiment of the present application;
Fig. 2 is a schematic flowchart of checking the validity of a data flow packet in an embodiment of the present application;
Fig. 3 is a schematic flowchart of a white list being applied by a security device in an embodiment of the present application;
Fig. 4 is a schematic logical architecture of a white list generation apparatus based on traffic learning according to an embodiment of the present application;
Fig. 5 is a schematic physical architecture diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to realize active defense of network equipment before an abnormality occurs and solve the problem that the network equipment cannot timely make a corresponding security policy to defend, in the embodiment of the application, a white list is generated by learning first, and then the learned white list is loaded on the security equipment, so that the security equipment actively blocks an offensive message.
Based on the above description, an embodiment of the present invention provides a white list generation method based on traffic learning, where before a specific embodiment is executed, a system needs to be set as a learning mode in advance, and a template needs to be created, which is specifically as follows:
the system sets the current application mode to the learning mode and creates a protocol protection template in response to the learning instruction.
For example, assume that a learning control is provided in the system interface. When the user clicks the learning control, the system determines that a learning instruction has been received, and in response sets the current application mode to the learning mode, creates a protocol protection template, and assigns the template an identifier (ID), for example 01.
Fig. 1 is a flowchart of a white list generation method for traffic learning in an embodiment of the present application, which is mainly applied to a security device, and specifically includes:
Step 101: continuously receiving the first data flow packets sent by each first device, where, each time a first data flow packet is received, steps 1010 to 1013 are executed; the specific process is shown in fig. 2.
Step 1010: parsing the first data flow packet according to the parsing rule preset by the system to obtain a first target parsing result of the packet.
The parsing rule may include one or any combination of the following: a first protocol stack parsing rule set by the system for the data link layer, a second protocol stack parsing rule for the network layer, a third protocol stack parsing rule for the transport layer, and a deep parsing rule configured in advance for the application layer.
First, data link layer parsing is performed on the first data flow packet based on the first protocol stack parsing rule included in the parsing rule, to obtain a first parsing result.
For example, assume that after data link layer parsing of the first data flow packet based on the first protocol stack parsing rule, the source MAC address is 00:00:54:20:47:28 and the destination MAC address is 00:0C:29:6D:C7:08.
Second, network layer parsing is performed on the first data flow packet that has undergone data link layer parsing, based on the second protocol stack parsing rule included in the parsing rule, to obtain a second parsing result.
For example, assume that after network layer parsing based on the second protocol stack parsing rule, the source IP address is 10.65.60.77 and the destination IP address is 192.168.123.1.
Third, transport layer parsing is performed on the first data flow packet that has undergone network layer parsing, based on the third protocol stack parsing rule included in the parsing rule, to obtain a third parsing result.
For example, assume that after transport layer parsing based on the third protocol stack parsing rule, the source port number is 502 and the destination port number is 1168.
Further, the application layer protocol to which the first data flow packet belongs is determined based on the third parsing result, and application layer parsing is performed based on the deep parsing rule included in the parsing rule to obtain a fourth parsing result.
For example, assume that the first data flow packet is determined to belong to the Modbus protocol based on the source port number 502, and that after application layer parsing based on the deep parsing rule the obtained operation instruction is 0x01, the operating device ID is 1001, the register start address is 40001 and the register end address is 0x0000.
Finally, the first, second, third and fourth parsing results are combined to serve as the first target parsing result.
Step 1011: judging whether the first data flow packet is a legal packet according to the specified protocol specification and the first target parsing result; if so, executing step 1012, otherwise executing step 1013.
Based on the specified protocol specification and the first target parsing result, it is judged whether each value in the first target parsing result is consistent with the corresponding value in the protocol specification; if so, the first data flow packet is judged to be a legal packet, and otherwise an illegal packet.
Step 1012: and at least associating and storing the preset template identification with the first target analysis result.
The preset template identifier and the first target parsing result are stored in association in a policy table in the database. Assume that the policy table has the contents shown in table 1:
TABLE 1 (reproduced as an image in the original; contents not available here)
In the embodiment of the present application, the attribute information of the policy table is the content described in table 1, but is not limited to the content described above.
After the association storage, the content in table 1 is updated, and the specific updated content is shown in table 2:
TABLE 2 (reproduced as an image in the original; contents not available here)
And adding the newly added content into a policy table in the database according to the first target analysis result.
For example, the source MAC address 00:00:54:20:47:28 of the first resolution result is added to the entry "MAC address content" in the policy table in the database.
During association storage, the Chinese description and the English description of the operation instruction may further be obtained based on the operation instruction in the third parsing result and the preconfigured deep parsing specification, as follows:
Based on the deep parsing specification, the domain corresponding to the protocol is obtained; the domain contains the specific descriptions of the operation instructions of the relevant protocol. Assuming the operation instruction is 0x01, its Chinese description is known to be reading the coil state and its English description is READ COIL STATUS. Based on the preconfigured deep parsing specification, the asset type corresponding to the application layer protocol is also obtained, assumed here to be PLC. Finally, the Chinese description, the English description and the asset type of the operation instruction are added to the policy table in the database. After they are added, the contents of table 2 are updated, and the updated contents are shown in table 3:
TABLE 3 (reproduced as an image in the original; contents not available here)
The Chinese and English descriptions of the operation instruction describe the instruction in terms a user can understand.
Further, asset information may be obtained based on the first parsing result. Asset information refers to information about the first device; in this embodiment it includes a name derived from the manufacturer information of the first device, and the source IP address and source MAC address of the first device, but is not limited to these. Asset information is obtained as follows:
The manufacturer information of the first device is determined from the value of the first 8 bits of the source MAC address. Assuming the first 8 bits of the source MAC address are 00:00:54:20, the manufacturer of the first device is determined to be PLC Schneide, and the source IP address and source MAC address are named according to this manufacturer information, assumed here to be PLC_Schneide_c1_1.
It is then judged whether the source IP address and source MAC address are absent from the asset table in the database. If so, the naming result, the source IP address and the source MAC address are stored in association in the asset table; otherwise they are not added. Assume the preset asset table has the contents shown in table 4:
TABLE 4
Name                 Source IP address   Source MAC address
Vmware_c1_1          10.65.60.112        00:0C:29:6D:C7:06
PLC_Schneide_c1_1    10.65.60.77         00:00:54:20:47:28
As can be seen from table 4, the source IP address 10.65.60.77 and source MAC address 00:00:54:20:47:28 of the first parsing result are assumed to exist already, so they cannot be added to the asset table of this database.
The asset table of the database is used for storing asset information of the first device, and the asset information is displayed on the user interface in real time in the learning process.
Step 1013: stopping transmission of the first data flow packet, and generating alarm information based on the second parsing result of the first data flow packet.
Assume that the alarm information has the contents shown in table 5:
TABLE 5
Source IP address   Destination IP address   Information
192.168.123.252     192.168.1.1              Abnormal
192.168.123.22      192.168.25.1             Abnormal
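As an added example (not code from the patent or from its assignee), the per-packet handling of steps 1010 to 1013 in Python: a four-layer parser for a constructed Ethernet/IPv4/TCP/Modbus-TCP frame, a check of each parsed field against what the Modbus/TCP specification requires, and a policy store that records legal results under the template identifier and raises a table-5-shaped alarm for illegal ones. The frame builder, the field names and the set of accepted function codes are assumptions made for the example; the sample addresses and ports follow the page's values.

```python
import struct
MODBUS_TCP_PORT = 502
# Public Modbus function codes this check accepts (a subset of the specification; assumption).
MODBUS_PUBLIC_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10}

def mac_str(raw): return ":".join(f"{b:02X}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)

def parse_link_layer(frame):
    """First protocol stack rule: Ethernet II header -> source/destination MAC address."""
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    return {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}, frame[14:]

def parse_network_layer(packet):
    """Second protocol stack rule: IPv4 header -> source/destination IP address."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    return {"ip_version": packet[0] >> 4, "ip_proto": packet[9], "src_ip": ip_str(packet[12:16]),
            "dst_ip": ip_str(packet[16:20])}, packet[ihl:total_len]

def parse_transport_layer(segment):
    """Third protocol stack rule: TCP header -> source/destination port number."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    return {"src_port": sport, "dst_port": dport}, segment[(segment[12] >> 4) * 4:]

def parse_application_layer(l4, data):
    """Deep parsing rule: protocol picked from the third result (port 502 -> Modbus/TCP), then
    MBAP header and PDU -> operation instruction (function code), unit id, start address."""
    if MODBUS_TCP_PORT not in (l4["src_port"], l4["dst_port"]):
        return {"app_proto": "unknown"}
    if len(data) < 8:
        raise ValueError("short MBAP header")
    _tid, protocol_id, length, unit_id = struct.unpack("!HHHB", data[:7])
    result = {"app_proto": "modbus", "protocol_id": protocol_id, "mbap_length": length,
              "bytes_after_length": len(data) - 6, "unit_id": unit_id, "function_code": data[7]}
    if data[7] in (0x01, 0x02, 0x03, 0x04) and len(data) >= 12:  # read requests carry start/quantity
        result["start_address"], result["quantity"] = struct.unpack("!HH", data[8:12])
    return result

def parse_packet(frame):
    """Step 1010: apply the four rules in turn and merge the results into the target result."""
    l2, rest = parse_link_layer(frame)
    l3, rest = parse_network_layer(rest)
    l4, rest = parse_transport_layer(rest)
    return {**l2, **l3, **l4, **parse_application_layer(l4, rest)}

def check_against_spec(result):
    """Step 1011: compare each field with the protocol specification; an empty list means legal."""
    violations = []
    if result["ethertype"] != 0x0800 or result["ip_version"] != 4:
        violations.append("not an IPv4 frame")
    if result["ip_proto"] != 6:
        violations.append("Modbus/TCP requires TCP (IP protocol 6)")
    if result["app_proto"] != "modbus":
        return violations + ["application layer is not Modbus/TCP"]
    if result["protocol_id"] != 0:
        violations.append("MBAP protocol identifier must be 0")
    if result["mbap_length"] != result["bytes_after_length"]:
        violations.append("MBAP length does not match unit id + PDU size")
    if result["function_code"] not in MODBUS_PUBLIC_FUNCTIONS:
        violations.append(f"function code 0x{result['function_code']:02X} is not a public function")
    return violations

class PolicyStore:
    """Steps 1012/1013: legal packets are stored under the template id; illegal ones are not
    forwarded and produce an alarm built from the network layer (second) result, as in table 5."""
    def __init__(self):
        self.policy_table = {}  # template id -> list of target parsing results
        self.alarms = []
    def learn(self, template_id, frame):
        result = parse_packet(frame)
        violations = check_against_spec(result)
        if violations:
            self.alarms.append({"src_ip": result["src_ip"], "dst_ip": result["dst_ip"],
                                "information": "Abnormal", "reasons": violations})
            return False
        self.policy_table.setdefault(template_id, []).append(result)
        return True

def build_modbus_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, fc, protocol_id=0):
    """Constructed sample frame: Ethernet II + IPv4 + TCP + MBAP/PDU (read 8 coils from address 0).
    IP and TCP checksums are left as zero; the parser above does not verify them."""
    pdu = struct.pack("!HHHBBHH", 1, protocol_id, 6, 1, fc, 0x0000, 8)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(pdu), 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip + tcp + pdu

# Constructed samples mirroring the page's example values; the illegal one uses non-public code 0x5A.
LEGAL_FRAME = build_modbus_frame("00:00:54:20:47:28", "00:0C:29:6D:C7:08",
                                 "10.65.60.77", "192.168.123.1", 502, 1168, 0x01)
ILLEGAL_FRAME = build_modbus_frame("00:00:54:20:47:28", "00:0C:29:6D:C7:08",
                                   "10.65.60.77", "192.168.123.1", 502, 1168, 0x5A)
```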
Step 102: when the preset trigger condition is determined to be met, acquiring each first target parsing result stored in association with the template identifier.
The preset trigger condition includes, but is not limited to, the following two cases:
Case 1: the duration of continuously receiving the first data flow packets sent by each first device reaches a set threshold.
While the first data flow packets sent by each first device are continuously received, whether the duration has reached the set threshold is judged in real time; if so, each first target parsing result stored under the template identifier is acquired.
For example, under case 1, assume the learning time is set to 30 minutes before learning starts. Timing begins when start is clicked, whether the set threshold has been reached is judged continuously, and when 30 minutes is reached learning stops automatically and each first target parsing result stored under the template identifier is acquired.
Case 2: receiving indication information to stop receiving the first data flow packets.
While the first data flow packets sent by each first device are continuously received, each first target parsing result stored under the template identifier is acquired when indication information to stop receiving the first data flow packets is received.
For example, under case 2, learning stops when indication information to stop receiving the first data flow packets is received, and each first target parsing result stored under the template identifier is acquired.
Step 103: adding each obtained first target parsing result to the template corresponding to the template identifier to obtain a white list.
For example, the Modbus template with template identifier 01 is obtained, each field to be added in the Modbus template is determined, and each corresponding first target parsing result is added to the template based on table 3 to obtain a white list, whose contents are shown in table 6:
TABLE 6
Source MAC address        00:00:24:20:47:28   00:00:54:20:47:28
Destination MAC address   00:0C:30:6D:C7:07   00:0C:29:6D:C7:08
Source IP address         10.60.60.77         10.65.60.77
Destination IP address    190.168.123.1       192.168.123.1
Source port number        502                 502
Destination port number   1168                1168
Operation instruction     0x01                0x01
Operating device ID       1002                1003
Register start address    40001               40001
Register end address      0x0000              0x0000
Step 104: applying the white list on the security device to detect and protect the traffic in the network.
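An added example (not the patent's or its assignee's code) covering steps 102 to 104: a learning session whose trigger is either the set duration threshold (case 1) or a stop indication (case 2), generation of the white list by adding the stored results to the template's fields, and matching of a second packet's target parsing result so it is forwarded or blocked with an alarm. The template field names, the injectable FakeClock and the sample results are assumptions; the sample values follow the right-hand column of table 6.

```python
import time

# Fields the Modbus protection template (id 01) takes from each target parsing result, in the
# row order of table 6. Field names are assumptions; "operation" is the operation instruction.
TEMPLATES = {
    "01": ("src_mac", "dst_mac", "src_ip", "dst_ip", "src_port", "dst_port",
           "operation", "device_id", "start_address", "end_address"),
}

class LearningSession:
    """Learning mode for one template id. Legal target parsing results are recorded (step 1012)
    until the preset trigger condition is met (step 102): case 1, the learning duration reaches
    the set threshold; case 2, indication information to stop receiving is received."""
    def __init__(self, template_id, duration_threshold_s, clock=time.monotonic):
        self.template_id = template_id
        self.threshold = duration_threshold_s
        self.clock = clock                 # injectable so the duration trigger can be tested
        self.started_at = clock()
        self.stop_requested = False
        self.results = []                  # the policy table rows for this template id

    def record(self, result):
        self.results.append(result)

    def request_stop(self):                # case 2: stop indication received
        self.stop_requested = True

    def trigger_met(self):
        return self.stop_requested or self.clock() - self.started_at >= self.threshold

def build_whitelist(session):
    """Step 103: once the trigger is met, add each stored result to the template's fields.
    Identical tuples collapse into one entry; returns None while learning is still running."""
    if not session.trigger_met():
        return None
    fields = TEMPLATES[session.template_id]
    entries = {tuple(r.get(f) for f in fields) for r in session.results}
    return {"template_id": session.template_id, "fields": fields, "entries": entries}

def inspect_packet(whitelist, result):
    """Step 104 / fig. 3: match a second packet's target parsing result against the white list.
    Returns ("forward", None) on a match, otherwise ("block", alarm) with an alarm shaped like table 5."""
    key = tuple(result.get(f) for f in whitelist["fields"])
    if key in whitelist["entries"]:
        return "forward", None
    return "block", {"src_ip": result.get("src_ip"), "dst_ip": result.get("dst_ip"),
                     "information": "Abnormal"}

# Constructed target parsing results using the page's example values (right column of table 6).
LEARNED = {"src_mac": "00:00:54:20:47:28", "dst_mac": "00:0C:29:6D:C7:08",
           "src_ip": "10.65.60.77", "dst_ip": "192.168.123.1", "src_port": 502,
           "dst_port": 1168, "operation": 0x01, "device_id": 1003,
           "start_address": 40001, "end_address": 0x0000}
# Same endpoints, but a write operation (0x05) that was never seen during learning.
UNSEEN = {**LEARNED, "operation": 0x05}

class FakeClock:
    """Deterministic clock so the 30-minute duration trigger can be exercised without waiting."""
    def __init__(self): self.t = 0.0
    def now(self): return self.t

def run_demo():
    clock = FakeClock()
    session = LearningSession("01", 30 * 60, clock=clock.now)   # learning time set to 30 minutes
    session.record(LEARNED)
    too_early = build_whitelist(session)     # None: the threshold has not been reached yet
    clock.t = 30 * 60                        # 30 minutes elapse; learning stops automatically
    whitelist = build_whitelist(session)
    return too_early, whitelist, inspect_packet(whitelist, LEARNED), inspect_packet(whitelist, UNSEEN)

if __name__ == "__main__":
    for item in run_demo():
        print(item)
```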
Based on the above embodiment, after the white list is obtained it is applied on the security device; the security device receives the second data flow packet sent by the second device and performs detection and protection on it, as shown in fig. 3. The specific process is as follows:
Step 301: applying the white list on the security device.
For example, the white list applied to the security device has the contents shown in table 6 and belongs to the Modbus template with template identifier 01.
Step 302: receive a second data flow packet sent by a second device.
Step 303: parse the second data flow packet according to the parsing rule preset in the system to obtain the second target parsing result of the second data flow packet.
The parsing rule preset in the system is obtained, and the second data flow packet is parsed on that basis to obtain its second target parsing result.
The parsing rule may include one or any combination of the following: a first protocol stack parsing rule set for the data link layer, a second protocol stack parsing rule set for the network layer, a third protocol stack parsing rule set for the transport layer, and a deep parsing rule configured in advance for the application layer.
First, data link layer parsing is performed on the second data flow packet based on the first protocol stack parsing rule included in the parsing rule, giving the first parsing result.
For example, assume that after data link layer parsing of the second data flow packet based on the preset first protocol stack parsing rule, the source MAC address is 00:00:24:20:47:28 and the destination MAC address is 00:0C:30:6D:C7:07.
Second, network layer parsing is performed on the second data flow packet that has undergone data link layer parsing, based on the second protocol stack parsing rule included in the parsing rule, giving the second parsing result.
For example, assume that after network layer parsing based on the second protocol stack parsing rule, the source IP address is 10.60.60.77 and the destination IP address is 190.168.123.1.
Third, transport layer parsing is performed on the second data flow packet that has undergone network layer parsing, based on the third protocol stack parsing rule included in the parsing rule, giving the third parsing result.
For example, assume that after transport layer parsing based on the third protocol stack parsing rule, the source port number is 502 and the destination port number is 1168.
Further, the application layer protocol to which the second data flow packet belongs is determined based on the third parsing result, and application layer parsing is performed based on the deep parsing rule included in the parsing rule, giving the fourth parsing result.
For example, assume that the second data flow packet is determined to belong to the Modbus protocol from the port number 502, and that application layer parsing based on the deep parsing rule yields an operation instruction of 0x01, an operating device ID of 1002, a register start address of 40001 and a register end address of 0x0000.
Finally, the first, second, third and fourth parsing results are combined into the second target parsing result.
Step 304: determine whether the second target parsing result matches the corresponding content in the white list; if so, go to step 305, otherwise go to step 306.
For example, it is determined whether the second target parsing result, namely source MAC address 00:00:24:20:47:28, destination MAC address 00:0C:30:6D:C7:07, source IP address 10.60.60.77, destination IP address 190.168.123.1, source port number 502, destination port number 1168, operation instruction 0x01, operating device ID 1002, register start address 40001 and register end address 0x0000, matches the corresponding content in the white list.
Since exactly this combination of values is recorded in Table 6, the determination result is a match.
Step 305: forward the second data flow packet.
Because the determination result is a match, the second data flow packet is forwarded according to the second target parsing result.
For example, according to the destination IP address 190.168.123.1, the router forwards the second data flow packet to the device with that destination IP address.
Step 306: block the second data flow packet and generate the corresponding alarm information.
Optionally, the first data flow packets and the second data flow packets are packets of the same type: the first data flow packets are used in the white list generation process and the second data flow packets in the white list application process.
Optionally, the first target parsing result and the second target parsing result are obtained with the same parsing rule: the first is used while generating the white list and the second while applying it.
Optionally, the first device and the second device may be the same apparatus or different apparatuses sending packets; the first device is the sender during white list generation and the second device the sender during white list application.
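As an added, self-contained Python example (not code from the patent or from NSFOCUS), the learning phase of Steps 101 to 103 and the application phase of Steps 301 to 306 are walked through on constructed Ethernet/IPv4/TCP/Modbus-TCP frames. Mapping the page's operation instruction, operating device ID, register start address and register end address onto the Modbus/TCP function code, unit identifier, starting address and last address of the request is an assumption of this example, as are all function and class names; the MAC, IP and port values come from Table 6, while the Modbus values and the frames themselves are constructed.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# Template "01" (Modbus): the fields copied from each target parsing result into the white list.
# Mapping the page's operation instruction / operating device ID / register start and end address
# onto the Modbus/TCP function code, unit identifier and request address range is an assumption.
TEMPLATES = {"01": ("src_mac", "dst_mac", "src_ip", "dst_ip", "src_port", "dst_port",
                    "function", "unit_id", "start_addr", "end_addr")}
# Read functions the deep parsing rule understands, with the largest quantity the spec allows.
MAX_QUANTITY = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def parse_packet(frame: bytes) -> Dict[str, object]:
    """Step 303 / claim 2: data link -> network -> transport -> application layer parsing."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)      # first parsing result
    if ethertype != 0x0800:
        raise ValueError("first protocol stack rule: not IPv4")
    res: Dict[str, object] = {"src_mac": _mac(src), "dst_mac": _mac(dst)}
    ihl = (frame[14] & 0x0F) * 4                                       # second parsing result
    res["src_ip"], res["dst_ip"] = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    if frame[14 + 9] != 6:
        raise ValueError("second protocol stack rule: not TCP")
    tcp = 14 + ihl                                                     # third parsing result
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    res.update(src_port=sport, dst_port=dport)
    if 502 not in (sport, dport):                                      # port selects the protocol
        raise ValueError("no deep parsing rule for this application protocol")
    adu = frame[tcp + doff:]                                           # fourth parsing result
    _tid, pid, length, unit, func = struct.unpack_from("!HHHBB", adu, 0)
    res.update(protocol_id=pid, mbap_length=length, adu_len=len(adu), unit_id=unit, function=func)
    if func in MAX_QUANTITY:                                           # PDU = address(2) + quantity(2)
        start, qty = struct.unpack_from("!HH", adu, 8)
        res.update(start_addr=start, quantity=qty, end_addr=start + qty - 1)
    return res

def is_legal(res: Dict[str, object]) -> bool:
    """Claim 3: every parsed field must hold a value the Modbus/TCP specification allows."""
    if res["protocol_id"] != 0 or res["mbap_length"] != res["adu_len"] - 6:
        return False                                  # MBAP protocol id must be 0; length = unit + PDU
    limit = MAX_QUANTITY.get(res["function"])         # None: no rule for this function code
    return limit is not None and 1 <= res["quantity"] <= limit

class WhitelistLearner:
    """Steps 101-103: keep legal first target parsing results under a template identifier."""
    def __init__(self, template_id: str = "01") -> None:
        self.template_id = template_id
        self.stored: List[Dict[str, object]] = []
        self.alerts: List[str] = []
    def learn(self, frame: bytes) -> None:
        res = parse_packet(frame)
        if not is_legal(res):                         # illegal: drop it and alert on the L3 result
            self.alerts.append(f"illegal packet {res['src_ip']} -> {res['dst_ip']}")
            return
        self.stored.append(res)
    def finish(self) -> Set[tuple]:                   # trigger condition met: fill the template
        fields = TEMPLATES[self.template_id]
        return {tuple(r.get(f) for f in fields) for r in self.stored}

def apply_whitelist(whitelist: Set[tuple], frame: bytes, template_id: str = "01") -> Tuple[str, Optional[str]]:
    """Steps 304-306: forward a matching packet, otherwise block it and raise an alert."""
    res = parse_packet(frame)
    if tuple(res.get(f) for f in TEMPLATES[template_id]) in whitelist:
        return "forward", None
    return "block", (f"unmatched {res['src_ip']}:{res['src_port']} -> "
                     f"{res['dst_ip']}:{res['dst_port']} func=0x{res['function']:02X}")

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport,
                unit, func, start, qty, protocol_id=0) -> bytes:
    """Constructed Ethernet/IPv4/TCP/Modbus-TCP frame (checksums zero; never put on a wire)."""
    pdu = struct.pack("!BHH", func, start, qty)
    mbap = struct.pack("!HHHB", 1, protocol_id, len(pdu) + 1, unit)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    seg = tcp + mbap + pdu
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0x4000, 64, 6, 0,
                       bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ipv4 + seg

def demo() -> tuple:
    """Learning phase on constructed Table-6-like traffic, then the application phase."""
    flow = dict(src_mac="00:00:24:20:47:28", dst_mac="00:0C:30:6D:C7:07",
                src_ip="10.60.60.77", dst_ip="190.168.123.1", sport=502, dport=1168)
    learner = WhitelistLearner("01")
    learner.learn(build_frame(**flow, unit=17, func=0x01, start=0, qty=16))
    learner.learn(build_frame(**flow, unit=17, func=0x01, start=0, qty=16))               # duplicate
    learner.learn(build_frame(**flow, unit=17, func=0x01, start=0, qty=16, protocol_id=7))  # illegal
    whitelist = learner.finish()                      # e.g. the stop indication was received
    ok = apply_whitelist(whitelist, build_frame(**flow, unit=17, func=0x01, start=0, qty=16))
    bad = apply_whitelist(whitelist, build_frame(**flow, unit=17, func=0x05, start=0, qty=16))
    return len(whitelist), len(learner.alerts), ok, bad
```

`demo()` returns one deduplicated white list entry, one alarm from the illegal learning frame, a forward decision for the learned request and a block decision for the unlearned write request.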
Based on the same inventive concept, an embodiment of the present application further provides a white list generation apparatus based on traffic learning. Referring to Fig. 4, a schematic logical structure diagram of the white list generation apparatus based on traffic learning in an embodiment of the present application, the apparatus specifically includes:
a processing unit 400, configured to continuously receive first data flow packets sent by each first device, where the following operations are performed when each first data flow packet is received: analyzing the first data flow message according to a preset analysis rule to obtain a first target analysis result of the first data flow message, and when the first data flow message is judged to be a legal message according to a specified protocol specification and the first target analysis result, storing a preset template identifier at least in association with the first target analysis result;
an obtaining unit 401, configured to obtain each first target analysis result stored corresponding to the template identifier when it is determined that a preset trigger condition is met;
a generating unit 402, configured to add each obtained first target parsing result to a template corresponding to the template identifier, so as to obtain a white list.
Optionally, when parsing the first data flow packet according to the preset parsing rule to obtain the first target parsing result of the first data flow packet, the processing unit 400 is configured to:
performing data link layer analysis on the first data stream message based on a preset first protocol stack analysis rule to obtain a first analysis result, wherein the first analysis result at least comprises a source Media Access Control (MAC) address and a target Media Access Control (MAC) address;
performing network layer analysis on the first data stream message subjected to data link layer analysis based on a second protocol stack analysis rule preset for a data link layer to obtain a second analysis result, wherein the second analysis result at least comprises a source Internet Protocol (IP) address and a destination IP address;
performing transport layer analysis on the first data stream message subjected to network layer analysis based on a third protocol stack analysis rule preset for a network layer to obtain a third analysis result, wherein the third analysis result at least comprises a source port number and a destination port number;
determining an application layer protocol to which the first data stream message belongs based on the third analysis result, and performing application layer analysis based on a depth analysis rule configured in advance for an application layer to obtain a fourth analysis result, wherein the fourth analysis result at least comprises an operation instruction;
and obtaining the corresponding first target analysis result based on the first analysis result, the second analysis result, the third analysis result and the fourth analysis result.
Optionally, when determining whether the first data flow packet is a legal packet according to the specified protocol specification and the first target parsing result, the processing unit 400 is configured to:
determine, based on the specified protocol specification and the first target parsing result, whether the value of each field contained in the first target parsing result is consistent with the value of the corresponding field in the protocol specification; if so, determine that the first data flow packet is a legal packet, otherwise determine that it is an illegal packet.
Optionally, if the first data flow packet is determined to be an illegal packet according to the specified protocol specification and the first target parsing result, the processing unit 400 is further configured to:
stop transmission of the first data flow packet and generate alarm information based on the second parsing result of the first data flow packet.
Optionally, the preset trigger condition includes:
the duration of continuously receiving the first data flow packets sent by each first device reaches a set threshold; or
indication information to stop receiving the first data flow packets is received.
Optionally, when adding each obtained first target parsing result to the template corresponding to the template identifier to obtain the white list, the generating unit 402 is configured to:
acquire the template corresponding to the template identifier, determine each field to be added that the template includes, and add each corresponding first target parsing result to the template to obtain the white list.
Optionally, after the white list is obtained, the processing unit 400 is further configured to:
when a second data flow packet sent by a second device is received, parse it according to the preset parsing rule to obtain the second target parsing result of the second data flow packet;
determine whether the second target parsing result matches the content contained in the white list;
if so, forward the second data flow packet;
otherwise, block the second data flow packet and generate the corresponding alarm information.
Based on the above embodiments, fig. 5 is a schematic physical architecture diagram of an electronic device according to an embodiment of the present application.
An embodiment of the present application provides an electronic device, which may include a processor 510 (CPU), a memory 520, an input device 530, an output device 540 and the like. The input device 530 may include a keyboard, a mouse, a touch screen and the like, and the output device 540 may include a display device such as a Liquid Crystal Display (LCD) or a Cathode Ray Tube (CRT).
Memory 520 may include Read Only Memory (ROM) and Random Access Memory (RAM), and provides processor 510 with program instructions and data stored in memory 520. In the embodiment of the present application, the memory 520 may be used to store a program of any one of the white list generation methods based on traffic learning in the embodiment of the present application.
The processor 510 is configured to call the program instructions stored in the memory 520 and to execute, according to the obtained program instructions, any of the white list generation methods based on traffic learning of the embodiments of the present application.
Based on the foregoing embodiments, in the embodiments of the present application, a computer-readable storage medium is provided, on which a computer program is stored, and when the computer program is executed by a processor, the white list generation method based on traffic learning in any of the above method embodiments is implemented.
In the embodiments of the present application, each received data flow packet is parsed according to the preset parsing rule to obtain the corresponding target parsing result. When the data flow packet is determined to be a legal packet according to the specified protocol specification and the target parsing result, the preset template identifier is stored in association with at least that parsing result. When the preset trigger condition is determined to be met, each target parsing result stored under the template identifier is acquired and added to the template corresponding to the template identifier to obtain the white list; the white list is therefore obtained by learning. The generated white list is then loaded to detect and protect the traffic in the network: a data flow packet in the traffic that matches the white list is forwarded, otherwise the packet is blocked and alarm information is generated. This realises active defence before an anomaly occurs and protects the security equipment from damage; at the same time, direct matching against the white list improves detection efficiency and reduces the operation and maintenance cost of the security device.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A white list generation method based on traffic learning is characterized by comprising the following steps:
continuously receiving first data flow messages sent by each first device, wherein the following operations are executed when each first data flow message is received: analyzing the first data flow message according to a preset analysis rule to obtain a first target analysis result of the first data flow message, and when the first data flow message is judged to be a legal message according to a specified protocol specification and the first target analysis result, storing a preset template identifier at least in association with the first target analysis result;
when the preset trigger condition is met, acquiring each first target analysis result stored corresponding to the template identifier;
and adding each obtained first target analysis result to a template corresponding to the template identifier to obtain a white list.
2. The method of claim 1, wherein parsing the first data flow packet according to a preset parsing rule to obtain a first target parsing result of the first data flow packet comprises:
performing data link layer analysis on the first data stream message based on a preset first protocol stack analysis rule to obtain a first analysis result, wherein the first analysis result at least comprises a source Media Access Control (MAC) address and a target Media Access Control (MAC) address;
performing network layer analysis on the first data stream message subjected to data link layer analysis based on a second protocol stack analysis rule preset for a data link layer to obtain a second analysis result, wherein the second analysis result at least comprises a source Internet Protocol (IP) address and a destination IP address;
performing transport layer analysis on the first data stream message subjected to network layer analysis based on a third protocol stack analysis rule preset for a network layer to obtain a third analysis result, wherein the third analysis result at least comprises a source port number and a destination port number;
determining an application layer protocol to which the first data stream message belongs based on the third analysis result, and performing application layer analysis based on a depth analysis rule configured in advance for an application layer to obtain a fourth analysis result, wherein the fourth analysis result at least comprises an operation instruction;
and obtaining the corresponding first target analysis result based on the first analysis result, the second analysis result, the third analysis result and the fourth analysis result.
3. The method of claim 1, wherein determining whether the first data flow packet is a legitimate packet according to a specified protocol specification and the first target parsing result comprises:
and judging whether the value of each field contained in the first target analysis result is consistent with the value of the corresponding field in the protocol specification or not based on the specified protocol specification and the first target analysis result, if so, judging that the first data flow message is a legal message, and otherwise, judging that the first data flow message is an illegal message.
4. The method of claim 3, wherein, when the first data flow packet is determined to be an illegal packet according to the specified protocol specification and the first target parsing result, the following operations are performed:
and stopping executing the transmission of the first data flow message, and generating alarm information based on a second analysis result of the first data flow message.
5. The method according to any one of claims 1-4, wherein the preset trigger condition comprises:
the duration for continuously receiving the first data stream messages sent by each first device reaches a set threshold; or,
and receiving indication information for stopping receiving the first data flow message.
6. The method according to any one of claims 1 to 4, wherein adding each obtained first target parsing result to a template corresponding to the template identifier to obtain a white list comprises:
and acquiring a template corresponding to the template identifier, determining each field to be added included in the template, and adding each corresponding first target analysis result to the template to acquire a white list.
7. The method of any one of claims 1-4, wherein, after obtaining the white list, the method further comprises:
when a second data stream message sent by second equipment is received, analyzing the second data stream message according to a preset analysis rule to obtain a second target analysis result of the second data stream message;
judging whether the second target analysis result is matched with the content contained in the white list or not;
if yes, forwarding the second data flow message;
otherwise, blocking the second data flow message and generating corresponding alarm information.
8. A white list generation apparatus based on traffic learning, comprising:
a processing unit, configured to continuously receive first data flow packets sent by each first device, where, each time one first data flow packet is received, the following operations are performed: analyzing the first data flow message according to a preset analysis rule to obtain a first target analysis result of the first data flow message, and when the first data flow message is judged to be a legal message according to a specified protocol specification and the first target analysis result, storing a preset template identifier at least in association with the first target analysis result;
an acquisition unit, configured to acquire each first target analysis result stored corresponding to the template identifier when the preset trigger condition is met;
and a generating unit, configured to add each obtained first target analysis result to the template corresponding to the template identifier to obtain a white list.
9. An electronic device, comprising a processor and a memory, wherein the memory stores program code which, when executed by the processor, causes the processor to perform the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that it comprises program code for causing an electronic device to carry out the steps of the method according to any one of claims 1 to 7, when said program code is run on said electronic device.
Priority application: CN202110958793.8A, filed 2021-08-20 (priority date 2021-08-20), White list generation method, device and system based on traffic learning, status Pending.
Publication: CN113709129A, published 2021-11-26.


Legal Events
PB01: Publication
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication
Application publication date: 20211126