CN116192490A - Network threat detection method and system based on flow behaviors - Google Patents


Info

Publication number: CN116192490A
Authority: CN (China)
Prior art keywords: data, session, target, flow, flow data
Legal status: Pending
Application number: CN202310112450.9A
Other languages: Chinese (zh)
Inventors: 刘庆林, 陈健, 李小琼, 魏海宇, 谢辉, 安恩庆, 张乃亮, 杨晓峰, 刘海洋, 姜小光, 杨帆
Current assignee: Beijing Zorelworld Information Technology Co ltd
Original assignee: Beijing Zorelworld Information Technology Co ltd
Application filed by Beijing Zorelworld Information Technology Co ltd
Priority to CN202310112450.9A
Publication of CN116192490A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network threat detection method and system based on traffic behavior. A traffic receiving module receives target traffic data and sends it to a transport layer parsing module; the transport layer parsing module extracts all protocol-related fields in the target traffic data and derives its feature data; a session management module computes a hash from that feature data, uses the hash to aggregate the packets belonging to the same session flow, extracts the session data of each session and feeds it to a comprehensive analysis module; and the comprehensive analysis module matches the session data against preset behavior rules and, if a rule matches, judges the target traffic data to be threat traffic data and outputs the matched session data.

Description

Network threat detection method and system based on flow behaviors
Technical Field
The application relates to the technical field of network threat detection based on traffic behavior, and in particular to a network threat detection method and system based on traffic behavior.
Background
As an ever larger share of network traffic is encrypted, the traditional detection model based on deep packet inspection finds it increasingly difficult to detect malicious traffic, to the point of failing. Traditional network threat detection still identifies malicious traffic by feature-value (signature) matching, which compares part or all of the data in the traffic against a store of known feature data. Feature matching is the main method by which security vendors currently identify network threats, and it can match malicious traffic precisely, but because network traffic is increasingly encrypted the traditional feature matching method fails to detect it.
Disclosure of Invention
In view of this, a network threat detection method and system based on traffic behavior are provided to address the failure of the conventional feature-value matching method in the face of increasingly encrypted network traffic.
In a first aspect, a network threat detection method based on traffic behavior comprises:
a traffic receiving module receives target traffic data;
the traffic receiving module sends the target traffic data to a transport layer parsing module;
the transport layer parsing module extracts all protocol-related fields in the target traffic data and derives the feature data of the target traffic data;
a session management module computes a hash from the feature data of the target traffic data, aggregates the packets belonging to the same session flow according to the hash, extracts the session data of that session, and feeds the session data to a comprehensive analysis module;
the comprehensive analysis module matches the session data against preset behavior rules, and if a rule matches, judges the target traffic data to be threat traffic data and outputs the matched session data.
In the foregoing solution, optionally, before the traffic receiving module receives the target traffic data, the method includes:
obtaining the traffic data to be inspected and copying it to generate the target traffic data; specifically, the copy is produced by optical splitting (tapping) or port mirroring of the traffic to be inspected.
In the above solution, further optionally, the traffic receiving module receives the target traffic data with a DPDK high-performance packet receiving engine. The engine runs in user space and completes packet transmission and reception with the data plane library DPDK provides, bypassing the Linux kernel protocol stack's processing of the packets.
In the above solution, further optionally, the transport layer parsing module's extraction of all protocol-related fields and of the feature data comprises: processing the target traffic data and parsing its link layer, network layer and transport layer to derive the feature data.
In the above solution, further optionally, the feature data of the target traffic data includes the five-tuple of the target traffic, the MAC addresses, the number of packets making up the session, the packet length sequence, the packet interval time sequence, the session length, feature words, the TTL value, the ICMP type and code, the TCP window, the TCP flag bits, the UD protocol fields and the IGMP protocol fields.
In the above solution, further optionally, the session management module computes the hash specifically from the MAC addresses and the five-tuple, aggregates the packets of the same session flow according to the hash, extracts the number of uplink and downlink bytes, the session duration and the session start and end times, and at the same time performs timeout analysis on the traffic data.
In a second aspect, a network threat detection system based on traffic behavior comprises:
a traffic receiving module, for receiving the target traffic data and sending it to the transport layer parsing module;
a transport layer parsing module, for extracting all protocol-related fields in the target traffic data and deriving its feature data;
a session management module, for computing a hash from the feature data of the target traffic data, aggregating the packets of the same session flow according to the hash, extracting the session data of the session, and feeding the session data to the comprehensive analysis module;
a comprehensive analysis module, for matching the session data against preset behavior rules and, if a rule matches, judging the target traffic data to be threat traffic data and outputting the matched session data.
In the foregoing solution, optionally, before the traffic receiving module receives the target traffic data, the system:
obtains the traffic data to be inspected and copies it to generate the target traffic data, specifically by optical splitting (tapping) or port mirroring of the traffic to be inspected;
and the traffic receiving module receives the target traffic data with a DPDK high-performance packet receiving engine, which runs in user space and completes packet transmission and reception with the data plane library DPDK provides, bypassing the Linux kernel protocol stack's processing of the packets.
In the above solution, further optionally, the transport layer parsing module's extraction of all protocol-related fields and of the feature data comprises: processing the target traffic data and parsing its link layer, network layer and transport layer to derive the feature data;
and the feature data of the target traffic data includes the five-tuple of the target traffic, the MAC addresses, the number of packets making up the session, the packet length sequence, the packet interval time sequence, the session length, feature words, the TTL value, the ICMP type and code, the TCP window, the TCP flag bits, the UD protocol fields and the IGMP protocol fields.
In the above solution, further optionally, the session management module computes the hash specifically from the MAC addresses and the five-tuple, aggregates the packets of the same session flow according to the hash, extracts the number of uplink and downlink bytes, the session duration and the session start and end times, and at the same time performs timeout analysis on the traffic data.
The invention has at least the following beneficial effects:
Building on further analysis and study of the prior art, the invention recognizes that the detection failures of the traditional feature-value matching method are caused by the growing share of encrypted network traffic. By extracting behavior elements, the invention fills the gap left by traditional feature-based threat identification and improves the detection of threat traffic, making traffic threat detection more complete.
Drawings
FIG. 1 is a flow chart of a network threat detection method based on traffic behavior according to one embodiment of the present invention;
FIG. 2 is a flow chart of the network threat detection method based on traffic behavior according to an embodiment of the invention;
FIG. 3 is a schematic diagram of the DPDK high-performance packet receiving engine of the traffic receiving module in a network threat detection method based on traffic behavior according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the internal operation of the session management module in a network threat detection method based on traffic behavior according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the internal decision of the comprehensive analysis module in a network threat detection method based on traffic behavior according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to illustrate the application and are not intended to limit it.
In one embodiment, as shown in FIG. 1 and FIG. 2, the network threat detection method based on traffic behavior includes the following steps:
a traffic receiving module receives target traffic data;
the traffic receiving module sends the target traffic data to a transport layer parsing module;
the transport layer parsing module extracts all protocol-related fields in the target traffic data and derives the feature data of the target traffic data;
a session management module computes a hash from the feature data of the target traffic data, aggregates the packets belonging to the same session flow according to the hash, extracts the session data of the session, and feeds the session data to a comprehensive analysis module;
the comprehensive analysis module matches the session data against preset behavior rules, and if a rule matches, judges the target traffic data to be threat traffic data and outputs the matched session data.
In one embodiment, before the traffic receiving module receives the target traffic data, the method includes:
obtaining the traffic data to be inspected and copying it to generate the target traffic data; specifically, the copy is produced by optical splitting (tapping) or port mirroring of the traffic to be inspected.
In one embodiment, the traffic receiving module receives the target traffic data with a DPDK high-performance packet receiving engine. The engine runs in user space and sends and receives packets through the data plane library DPDK provides, bypassing the Linux kernel protocol stack's processing of the packets.
In one embodiment, the transport layer parsing module's extraction of all protocol-related fields and of the feature data comprises: processing the target traffic data and parsing its link layer, network layer and transport layer to derive the feature data.
In one embodiment, the feature data of the target traffic data includes the five-tuple of the target traffic, the MAC addresses, the number of packets making up the session, the packet length sequence, the packet interval time sequence, the session length, feature words, the TTL value, the ICMP type and code, the TCP window, the TCP flag bits, the UD protocol fields and the IGMP protocol fields.
In one embodiment, the session management module computes the hash specifically from the MAC addresses and the five-tuple, aggregates the packets of the same session flow according to the hash, extracts the number of uplink and downlink bytes, the session duration and the session start and end times, and performs timeout analysis on the traffic data.
In this embodiment, the traffic receiving module receives the target traffic data and sends it to the transport layer parsing module; the transport layer parsing module extracts all protocol-related fields and derives the feature data; the session management module computes a hash from the feature data, aggregates the packets of the same session flow by that hash, extracts the session data and feeds it to the comprehensive analysis module; and the comprehensive analysis module matches the session data against the preset behavior rules, judging the target traffic data to be threat traffic data and outputting the matched session data when a rule hits. The method fills the gap left by traditional feature-based threat identification and, by extracting behavior elements, improves the detection of threat traffic, making traffic threat detection more complete.
In one embodiment, as shown in FIG. 2, traffic behavior threat detection consists of four modules: a traffic receiving module, a session management module, a transport layer packet parsing module and a comprehensive analysis module.
In one embodiment, the main functions and workflow of the modules in FIG. 2 are as follows:
Traffic receiving module: the traffic behavior detection as a whole targets Ethernet data. The traffic receiving module uses a DPDK high-performance packet receiving engine; the engine runs in user space and uses the data plane library DPDK provides to send and receive packets, bypassing the Linux kernel protocol stack, avoiding unnecessary memory copies and system calls, and thereby speeding up packet processing, as shown in FIG. 3.
Transport layer packet parsing module: this module mainly parses the transport layer protocol and extracts all relevant protocol fields. By processing the raw traffic and parsing its link, network and transport layers it extracts the MAC addresses, the number of packets making up the session, the packet length sequence, the packet interval time sequence, the session length, feature words, the TTL value, the ICMP type and code, the TCP window, the TCP flag bits, the UD protocol fields, the IGMP protocol fields and so on, providing the data on which the later comprehensive analysis module relies.
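As an added illustration (not code from the patent or its applicant), the following Python sketch performs the link-, network- and transport-layer parsing described above on a raw Ethernet frame and returns the listed per-packet fields; the frame builders, MAC and IP addresses are constructed for the example, and only IPv4 is handled.

```python
import struct
from typing import Optional

# Feature extraction for one Ethernet II frame: the link-, network- and
# transport-layer fields the patent lists (MAC addresses, five-tuple, TTL,
# TCP flags and window, UDP length, ICMP type and code). IPv4 only; VLAN
# tags, IPv6 and fragment reassembly are out of scope for this example.

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> Optional[dict]:
    """Return a per-packet feature dict, or None if the frame is not parseable IPv4."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:                      # not IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None                              # truncated or malformed header
    l4 = ip[ihl:total_len]                       # drops Ethernet trailer padding
    feat = {
        "src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "proto": proto, "ttl": ttl, "length": len(frame),
        "src_port": 0, "dst_port": 0, "payload_len": len(l4),
    }
    if proto == 6 and len(l4) >= 20:             # TCP
        sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        hdr_len = (off_flags >> 12) * 4
        feat.update(src_port=sport, dst_port=dport, tcp_flags=off_flags & 0x1FF,
                    tcp_window=window, payload_len=max(0, len(l4) - hdr_len))
    elif proto == 17 and len(l4) >= 8:           # UDP
        sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", l4[:8])
        feat.update(src_port=sport, dst_port=dport, udp_len=udp_len,
                    payload_len=len(l4) - 8)
    elif proto == 1 and len(l4) >= 4:            # ICMP type and code
        itype, icode = struct.unpack("!BB", l4[:2])
        feat.update(icmp_type=itype, icmp_code=icode,
                    payload_len=len(l4) - 4)     # bytes after the 4-byte ICMP header
    return feat

# --- constructed frames for a stand-alone run (not captured traffic) ----------

def _ipv4_frame(src_ip: str, dst_ip: str, proto: int, l4: bytes, ttl: int = 64) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, ttl, proto, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip_hdr + l4                     # checksums left at 0; not validated here

def tcp_syn_frame() -> bytes:
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    return _ipv4_frame("10.0.0.5", "10.0.0.9", 6, tcp)

def icmp_echo_frame() -> bytes:
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
    return _ipv4_frame("10.0.0.5", "10.0.0.9", 1, icmp)

if __name__ == "__main__":
    for f in (tcp_syn_frame(), icmp_echo_frame()):
        print(parse_frame(f))
```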
Session management module: this module first computes a hash from the MAC addresses and the five-tuple and uses the hash to aggregate the information belonging to the same session flow, from which it extracts the number of uplink and downlink bytes, the session duration and the session start and end times; at the same time it performs timeout analysis on the flow information and feeds the result to the comprehensive analysis module, as shown in FIG. 4.
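An added example, not part of the patent, of the session management step described above: a direction-independent hash over the MAC addresses and five-tuple, aggregation of both directions of a flow into one session record with the per-session elements the text lists, and idle-timeout expiry. The packet dicts, addresses and the 30-second timeout are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field

# Session management: hash the MAC addresses and five-tuple, aggregate both
# directions of a flow under that hash, track uplink/downlink bytes, start and
# end time, packet-length and inter-arrival sequences, and expire idle sessions.
# Packets are dicts of the shape a per-packet parser would produce, plus "ts".

IDLE_TIMEOUT_S = 30.0   # assumed idle timeout; the patent gives no value

def session_key(pkt: dict) -> str:
    """Direction-independent hash so request and reply land in one session."""
    a = (pkt["src_mac"], pkt["src_ip"], pkt["src_port"])
    b = (pkt["dst_mac"], pkt["dst_ip"], pkt["dst_port"])
    lo, hi = sorted((a, b))
    raw = f"{pkt['proto']}|{lo}|{hi}".encode()
    return hashlib.blake2b(raw, digest_size=8).hexdigest()

@dataclass
class Session:
    key: str
    initiator: tuple          # (ip, port) that sent the first packet = uplink side
    responder: tuple
    start: float
    end: float
    up_bytes: int = 0
    down_bytes: int = 0
    pkt_count: int = 0
    lengths: list = field(default_factory=list)   # packet length sequence
    gaps: list = field(default_factory=list)      # packet interval time sequence
    tcp_flags_seen: int = 0                       # union of TCP flag bits

    @property
    def duration(self) -> float:
        return self.end - self.start

class SessionTable:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_S):
        self.idle_timeout = idle_timeout
        self.active = {}      # key -> Session
        self.closed = []      # sessions handed to the analysis stage

    def add(self, pkt: dict) -> Session:
        """Aggregate one packet; assumes packets arrive in timestamp order."""
        self.expire(pkt["ts"])                    # timeout analysis on every packet
        key = session_key(pkt)
        src = (pkt["src_ip"], pkt["src_port"])
        s = self.active.get(key)
        if s is None:
            s = Session(key, src, (pkt["dst_ip"], pkt["dst_port"]), pkt["ts"], pkt["ts"])
            self.active[key] = s
        else:
            s.gaps.append(pkt["ts"] - s.end)
            s.end = pkt["ts"]
        if src == s.initiator:
            s.up_bytes += pkt["length"]
        else:
            s.down_bytes += pkt["length"]
        s.pkt_count += 1
        s.lengths.append(pkt["length"])
        s.tcp_flags_seen |= pkt.get("tcp_flags", 0)
        return s

    def expire(self, now: float) -> list:
        """Close sessions idle longer than the timeout and return them."""
        done = [k for k, s in self.active.items() if now - s.end > self.idle_timeout]
        out = [self.active.pop(k) for k in done]
        self.closed.extend(out)
        return out

# Constructed packet stream: one exchange on port 443, then a lone packet on the
# same tuple long after the idle timeout, which must start a new session.
_C = ("66:77:88:99:aa:bb", "10.0.0.5", 40000)
_S = ("00:11:22:33:44:55", "10.0.0.9", 443)

def _pkt(ts, src, dst, length, flags):
    return {"ts": ts, "proto": 6, "length": length, "tcp_flags": flags,
            "src_mac": src[0], "src_ip": src[1], "src_port": src[2],
            "dst_mac": dst[0], "dst_ip": dst[1], "dst_port": dst[2]}

SAMPLE_PACKETS = [
    _pkt(0.00, _C, _S, 74, 0x002), _pkt(0.01, _S, _C, 74, 0x012),
    _pkt(0.02, _C, _S, 66, 0x010), _pkt(0.05, _C, _S, 583, 0x018),
    _pkt(0.30, _S, _C, 1514, 0x010), _pkt(60.0, _C, _S, 66, 0x011),
]

def run_sample() -> SessionTable:
    table = SessionTable()
    for p in SAMPLE_PACKETS:
        table.add(p)
    return table

if __name__ == "__main__":
    t = run_sample()
    for s in t.closed + list(t.active.values()):
        print(s.key, s.pkt_count, s.up_bytes, s.down_bytes, round(s.duration, 3))
```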
Comprehensive analysis module: this module mainly analyzes traffic behavior. It matches the flow information output by the session management module against preset or user-defined rules, outputs and stores the hit rules, and reports them to the interface, as shown in FIG. 5.
This embodiment fills the gap left by traditional feature-based threat identification by extracting behavior elements: the protocol types above the transport layer, the number of packets making up the session, the packet length sequence, the packet interval time sequence, the session length, the number of uplink and downlink bytes, the session duration, the session time, feature words, the TTL value, the ICMP type and code, the TCP window and the TCP flag bits. This improves the detection of threat traffic and makes the traffic threat detection model more complete. The method supports multi-element rule combination matching, including consecutive multi-packet element matching and cross-multi-packet element matching within a single session, as well as association matching across consecutive sessions and across non-consecutive sessions, so that the traffic behavior threat detection model is more complete.
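An added example, not the applicant's code, of the comprehensive analysis module's rule matching over aggregated session records: single-session element rules, a consecutive multi-packet element (a packet-length prefix), a periodicity element over the interval sequence, and a cross-session association element evaluated with a sliding window. Rule names, thresholds and the session records are constructed for this example.

```python
from collections import defaultdict

# Behavior-rule matching over session records. Each rule is an AND of the
# elements it names; "assoc" adds a cross-session condition: within a time
# window, the sessions matched for one group key must cover at least
# "threshold" distinct values of another field.

RULES = [
    {   # few packets over a long session, evenly spaced intervals
        "name": "periodic_low_volume",
        "proto": 6, "dst_port": 443,
        "min_duration": 120.0, "max_pkt_count": 8,
        "max_gap_jitter": 5.0, "min_regular_gaps": 3,
    },
    {   # one source opens many 1-2 packet sessions to distinct ports
        "name": "short_sessions_many_ports",
        "proto": 6, "max_pkt_count": 2,
        "lengths_prefix": [74],                   # consecutive multi-packet element
        "assoc": {"group_by": "src_ip", "distinct": "dst_port",
                  "threshold": 5, "window": 10.0},
    },
]

def match_elements(rule: dict, s: dict) -> bool:
    """AND of every session-level element present in the rule."""
    if any(k in rule and s[k] != rule[k] for k in ("proto", "dst_port", "src_ip")):
        return False
    if s["pkt_count"] > rule.get("max_pkt_count", float("inf")):
        return False
    if s["duration"] < rule.get("min_duration", 0.0):
        return False
    prefix = rule.get("lengths_prefix")
    if prefix is not None and s["lengths"][:len(prefix)] != prefix:
        return False
    if "max_gap_jitter" in rule:                  # periodicity of the interval sequence
        gaps = sorted(s["gaps"])
        if not gaps:
            return False
        median = gaps[len(gaps) // 2]
        regular = sum(1 for g in gaps if abs(g - median) <= rule["max_gap_jitter"])
        if regular < rule.get("min_regular_gaps", 1):
            return False
    return True

def evaluate(rules: list, sessions: list) -> list:
    """Return (rule name, subject) hits; subject is a session key or a group value."""
    hits = []
    for rule in rules:
        cands = [s for s in sessions if match_elements(rule, s)]
        assoc = rule.get("assoc")
        if assoc is None:
            hits.extend((rule["name"], s["key"]) for s in cands)
            continue
        groups = defaultdict(list)
        for s in cands:
            groups[s[assoc["group_by"]]].append(s)
        for subject, ss in groups.items():
            ss.sort(key=lambda x: x["start"])
            i = 0                                  # sliding window over start times
            for j in range(len(ss)):
                while ss[j]["start"] - ss[i]["start"] > assoc["window"]:
                    i += 1
                if len({x[assoc["distinct"]] for x in ss[i:j + 1]}) >= assoc["threshold"]:
                    hits.append((rule["name"], subject))
                    break
    return hits

# Constructed session records (the shape a session table would emit).
def _sess(key, src, dst, port, start, lengths, gaps, proto=6):
    return {"key": key, "src_ip": src, "dst_ip": dst, "proto": proto, "dst_port": port,
            "start": start, "duration": sum(gaps), "pkt_count": len(lengths),
            "lengths": lengths, "gaps": gaps}

SAMPLE_SESSIONS = [
    _sess("s-web", "10.0.0.5", "10.0.0.9", 443, 0.0,
          [74, 74, 66, 583, 1514, 66, 1514, 1514, 66, 66],
          [0.01, 0.01, 0.03, 0.25, 0.1, 0.2, 0.02, 0.02, 3.0]),
    _sess("s-beat", "10.0.0.7", "203.0.113.7", 443, 5.0,
          [74, 74, 66, 120, 120], [0.02, 60.0, 61.0, 60.0]),
] + [
    _sess(f"s-short-{p}", "10.0.0.8", "10.0.0.9", p, 100.0 + i, [74, 60], [0.001])
    for i, p in enumerate((21, 22, 23, 25, 80, 443))
]

def run_sample() -> list:
    return evaluate(RULES, SAMPLE_SESSIONS)

if __name__ == "__main__":
    for name, subject in run_sample():
        print(f"hit: {name} -> {subject}")
```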
It should be understood that, although the steps in the flowchart of FIG. 1 are shown in the order indicated by the arrows, they need not be performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order and may be performed in other orders. Moreover, at least some of the steps in FIG. 1 may comprise several sub-steps or stages, which need not be performed at the same time but may be performed at different times, and whose order need not be sequential: they may be performed in turn or alternately with at least some of the sub-steps or stages of other steps.
In one embodiment, a network threat detection system based on traffic behavior is provided, comprising the following program modules:
a traffic receiving module, for receiving the target traffic data and sending it to the transport layer parsing module;
a transport layer parsing module, for extracting all protocol-related fields in the target traffic data and deriving its feature data;
a session management module, for computing a hash from the feature data of the target traffic data, aggregating the packets of the same session flow according to the hash, extracting the session data of the session, and feeding the session data to the comprehensive analysis module;
a comprehensive analysis module, for matching the session data against preset behavior rules and, if a rule matches, judging the target traffic data to be threat traffic data and outputting the matched session data.
In one embodiment, before the traffic receiving module receives the target traffic data, the system:
obtains the traffic data to be inspected and copies it to generate the target traffic data, specifically by optical splitting (tapping) or port mirroring of the traffic to be inspected;
and the traffic receiving module receives the target traffic data with a DPDK high-performance packet receiving engine, which runs in user space and sends and receives packets through the data plane library DPDK provides, bypassing the Linux kernel protocol stack's processing of the packets.
In one embodiment, the transport layer parsing module's extraction of all protocol-related fields and of the feature data comprises: processing the target traffic data and parsing its link layer, network layer and transport layer to derive the feature data;
and the feature data of the target traffic data includes the five-tuple of the target traffic, the MAC addresses, the number of packets making up the session, the packet length sequence, the packet interval time sequence, the session length, feature words, the TTL value, the ICMP type and code, the TCP window, the TCP flag bits, the UD protocol fields and the IGMP protocol fields.
In one embodiment, the session management module computes the hash specifically from the MAC addresses and the five-tuple, aggregates the packets of the same session flow according to the hash, extracts the number of uplink and downlink bytes, the session duration and the session start and end times, and performs timeout analysis on the traffic data.
In this embodiment, the traffic receiving module receives the target traffic data and sends it to the transport layer parsing module; the transport layer parsing module extracts all protocol-related fields and derives the feature data; the session management module computes a hash from the feature data, aggregates the packets of the same session flow by that hash, extracts the session data and feeds it to the comprehensive analysis module; and the comprehensive analysis module matches the session data against the preset behavior rules, judging the target traffic data to be threat traffic data and outputting the matched session data when a rule hits. The system fills the gap left by traditional feature-based threat identification and, by extracting behavior elements, improves the detection of threat traffic, making traffic threat detection more complete.
For specific limitations of the network threat detection system based on traffic behavior, reference may be made to the limitations of the network threat detection method based on traffic behavior above; they are not repeated here. The modules of the system described above may be implemented in whole or in part in software, in hardware, or in a combination of the two. The modules may be embedded in hardware, be independent of the processor of the computer device, or be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to them.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of these features is described; as long as a combination contains no contradiction, it should be considered within the scope of this description.
The above examples represent only a few embodiments of the present application; although they are described in some detail, they are not to be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications and improvements may be made without departing from the spirit of the present application, and these fall within its scope. Accordingly, the scope of protection of the present application is determined by the appended claims.

Claims (10)

1. A traffic-behaviour-based network threat detection method, the method comprising:
a traffic receiving module receiving target traffic data;
the traffic receiving module sending the target traffic data to a transport layer parsing module;
the transport layer parsing module extracting all protocol-related fields from the target traffic data and extracting feature data of the target traffic data;
a session management module computing a hash from the feature data of the target traffic data, aggregating the flow information belonging to the same session in the target traffic data according to the hash, extracting the session data of that session, and feeding the session data back to a comprehensive analysis module; and
the comprehensive analysis module matching the session data against preset behaviour rules and, if a rule is hit, determining that the target traffic data is threat traffic and outputting the session data that hit the rule.
2. The method of claim 1, wherein, before the traffic receiving module receives the target traffic data, the method further comprises: obtaining traffic data to be detected and copying it to generate the target traffic data, the copying being performed by optical splitting (tapping) or port mirroring of the traffic data to be detected.
3. The method of claim 1, wherein the traffic receiving module receives the target traffic data with a DPDK-based high-performance packet receiving engine that runs in user space and uses the data plane libraries provided by DPDK to send and receive packets, thereby bypassing the Linux kernel protocol stack's handling of the packets.
4. The method of claim 1, wherein the transport layer parsing module extracting all protocol-related fields from the target traffic data and extracting feature data of the target traffic data comprises: processing the target traffic data by parsing its link layer, network layer and transport layer, and extracting the feature data of the target traffic data from the parsed result.
5. The method of claim 4, wherein the feature data of the target traffic data comprises the five-tuple of the target traffic, the MAC address, the number of packets making up the session, the packet length sequence, the packet inter-arrival time sequence, the session length, feature words, the TTL value, the ICMP type and code, the TCP window, the TCP flag bits, the UDP protocol fields and the IGMP protocol fields.
6. The method of claim 5, wherein the session management module computing a hash from the feature data of the target traffic data, aggregating the flow information belonging to the same session according to the hash and extracting the session data of that session specifically comprises: the session management module computing a hash from the MAC address and the five-tuple, aggregating the flow information belonging to the same session in the target traffic data according to the hash, extracting the session's uplink and downlink byte counts, session duration, and session start and end times, and at the same time performing timeout analysis on the traffic data.
7. A traffic-behaviour-based network threat detection system, the system comprising:
a traffic receiving module, configured to receive target traffic data and to send the target traffic data to a transport layer parsing module;
the transport layer parsing module, configured to extract all protocol-related fields from the target traffic data and to extract feature data of the target traffic data;
a session management module, configured to compute a hash from the feature data of the target traffic data, aggregate the flow information belonging to the same session in the target traffic data according to the hash, extract the session data of that session, and feed the session data back to a comprehensive analysis module; and
the comprehensive analysis module, configured to match the session data against preset behaviour rules and, if a rule is hit, determine that the target traffic data is threat traffic and output the session data that hit the rule.
8. The system of claim 7, wherein, before receiving the target traffic data, the traffic receiving module obtains traffic data to be detected and copies it to generate the target traffic data, the copying being performed by optical splitting (tapping) or port mirroring of the traffic data to be detected; and
the traffic receiving module receives the target traffic data with a DPDK-based high-performance packet receiving engine that runs in user space and uses the data plane libraries provided by DPDK to send and receive packets, thereby bypassing the Linux kernel protocol stack's handling of the packets.
9. The system of claim 7, wherein the transport layer parsing module extracting all protocol-related fields from the target traffic data and extracting feature data of the target traffic data comprises: processing the target traffic data by parsing its link layer, network layer and transport layer, and extracting the feature data of the target traffic data from the parsed result; and
the feature data of the target traffic data comprises the five-tuple of the target traffic, the MAC address, the number of packets making up the session, the packet length sequence, the packet inter-arrival time sequence, the session length, feature words, the TTL value, the ICMP type and code, the TCP window, the TCP flag bits, the UDP protocol fields and the IGMP protocol fields.
10. The system of claim 9, wherein the session management module computing a hash from the feature data of the target traffic data, aggregating the flow information belonging to the same session according to the hash and extracting the session data of that session specifically comprises: computing a hash from the MAC address and the five-tuple, aggregating the flow information belonging to the same session in the target traffic data according to the hash, extracting the session's uplink and downlink byte counts, session duration, and session start and end times, and at the same time performing timeout analysis on the traffic data.
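The pipeline in claims 1 to 6 (and the mirrored system claims 7 to 10) is parse, hash into sessions, time out, then rule-match. The Python below is an added example written for this page, not code from the patent or from Beijing Zorelworld, showing one way that pipeline fits together end to end. Everything beyond the claims is an assumption: IPv4-over-Ethernet with TCP only, a 60 s idle timeout, the two behaviour rules and their thresholds (a periodic beacon with interval jitter under 10 %, and a lone unanswered SYN), the constructed frames and timestamps, and the use of a keyed BLAKE2b for the session hash, so that an attacker cannot choose five-tuples that collide in the session table (the claims say only that a hash over MAC address and five-tuple is computed):

```python
"""Added example for this page (not the patent's code): parse raw Ethernet/IPv4/TCP frames, aggregate
them into sessions keyed by a hash of MAC pair + five-tuple, time sessions out, then match rules."""
import hashlib, os, statistics, struct
from dataclasses import dataclass, field

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header; options skipped via IHL
TCP = struct.Struct("!HHIIBBHHH")      # 20-byte TCP header; options ignored
TABLE_KEY = os.urandom(16)             # assumption: keyed hash, so crafted five-tuples cannot collide on purpose

def parse_frame(raw: bytes) -> dict:
    """Link -> network -> transport layer parse; returns the per-packet feature data (a claim-5 subset)."""
    dst_mac, src_mac, ethertype = ETH.unpack_from(raw, 0)
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = IPV4.unpack_from(raw, ETH.size)
    if ethertype != 0x0800 or proto != 6:
        raise ValueError("example handles IPv4/TCP only")
    sport, dport, _, _, _, flags, win, _, _ = TCP.unpack_from(raw, ETH.size + (vihl & 0x0F) * 4)
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "proto": proto, "ttl": ttl,
            "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "tcp_flags": flags, "tcp_window": win,
            "length": ETH.size + total_len}

def session_hash(f: dict) -> str:
    """Direction-independent keyed hash of (MAC pair, five-tuple): both directions map to one session."""
    ends = sorted([(f["src_mac"], f["src_ip"], f["sport"]), (f["dst_mac"], f["dst_ip"], f["dport"])])
    return hashlib.blake2b(repr((ends, f["proto"])).encode(), digest_size=8, key=TABLE_KEY).hexdigest()

@dataclass
class Session:
    initiator: tuple                              # (ip, port) that sent the first packet
    first_seen: float
    last_seen: float
    up_bytes: int = 0                             # initiator -> responder
    down_bytes: int = 0                           # responder -> initiator
    lengths: list = field(default_factory=list)   # packet length sequence
    up_times: list = field(default_factory=list)  # timestamps of uplink packets
    flags_seen: int = 0                           # OR of every TCP flag byte seen

class SessionTable:
    def __init__(self, idle_timeout: float = 60.0):
        self.idle_timeout, self.active, self.closed = idle_timeout, {}, []

    def add(self, f: dict, ts: float) -> Session:
        h = session_hash(f)
        s = self.active.get(h)
        if s is None:
            s = self.active[h] = Session((f["src_ip"], f["sport"]), ts, ts)
        if (f["src_ip"], f["sport"]) == s.initiator:
            s.up_bytes += f["length"]
            s.up_times.append(ts)
        else:
            s.down_bytes += f["length"]
        s.lengths.append(f["length"])
        s.flags_seen |= f["tcp_flags"]
        s.last_seen = ts
        return s

    def expire(self, now: float) -> list:
        """Timeout analysis: sessions idle longer than idle_timeout are closed and handed to the analyser."""
        for h in [h for h, s in self.active.items() if now - s.last_seen > self.idle_timeout]:
            self.closed.append(self.active.pop(h))
        return self.closed

def rule_periodic_beacon(s: Session) -> bool:
    """Small, regularly spaced client packets: interval jitter under 10% of the mean interval."""
    gaps = [b - a for a, b in zip(s.up_times, s.up_times[1:])]
    if len(gaps) < 5:
        return False
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < 0.10 and statistics.mean(s.lengths) < 200

def rule_half_open_tcp(s: Session) -> bool:
    """Only a SYN was ever seen and nothing came back: what a single scan probe looks like."""
    return s.flags_seen == 0x02 and s.down_bytes == 0

RULES = {"periodic_beacon": rule_periodic_beacon, "half_open_tcp": rule_half_open_tcp}

def match_rules(sessions) -> list:
    """Comprehensive analysis step: every (rule name, session) hit is reported with its session data."""
    return [(name, s) for s in sessions for name, rule in RULES.items() if rule(s)]

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload_len) -> bytes:
    """Constructed IPv4/TCP frame for the demo (checksums left zero; not captured traffic)."""
    eth = ETH.pack(bytes.fromhex(dst_mac.replace(":", "")), bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    ip = IPV4.pack(0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                   bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + TCP.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + bytes(payload_len)

def demo() -> dict:
    """Three constructed sessions through the pipeline; returns {rule: (initiator, up, down, duration)}."""
    host, gw, table = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", SessionTable(idle_timeout=60.0)
    for t in (30.0, 60.1, 89.9, 120.0, 150.2, 179.9, 210.0, 240.0):   # implant check-in every ~30 s
        table.add(parse_frame(tcp_frame(host, gw, "10.0.0.5", "203.0.113.9", 51000, 443, 0x18, 60)), t)
        table.add(parse_frame(tcp_frame(gw, host, "203.0.113.9", "10.0.0.5", 443, 51000, 0x18, 40)), t + 0.05)
    for t, reply in ((5.1, 1400), (7.4, 1400), (7.8, 1400), (15.7, 800), (15.9, 1400), (17.0, 1400)):
        table.add(parse_frame(tcp_frame(host, gw, "10.0.0.5", "198.51.100.7", 52000, 80, 0x18, 120)), t)
        table.add(parse_frame(tcp_frame(gw, host, "198.51.100.7", "10.0.0.5", 80, 52000, 0x18, reply)), t + 0.02)
    table.add(parse_frame(tcp_frame(host, gw, "10.0.0.5", "10.0.0.23", 40000, 3389, 0x02, 0)), 12.0)  # lone SYN
    closed = table.expire(now=400.0)                  # every session has been idle for more than 60 s
    return {name: (s.initiator, s.up_bytes, s.down_bytes, round(s.last_seen - s.first_seen, 2))
            for name, s in match_rules(closed)}
```

Calling `demo()` runs three constructed sessions through the table: the 30-second check-in trips `periodic_beacon`, the lone SYN trips `half_open_tcp`, and the irregular download matches nothing. Two design points matter in practice. The hash sorts the two endpoints before hashing, so request and reply land in the same session regardless of which packet arrives first; without that, uplink and downlink byte counts (claim 6) would be split across two entries. And because the session table is keyed by attacker-controlled header fields, an unkeyed hash invites deliberate collisions that degrade the table; a per-process secret key, as used here, closes that off at no cost.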
CN202310112450.9A 2023-02-14 2023-02-14 Network threat detection method and system based on flow behaviors Pending CN116192490A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310112450.9A CN116192490A (en) 2023-02-14 2023-02-14 Network threat detection method and system based on flow behaviors

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310112450.9A CN116192490A (en) 2023-02-14 2023-02-14 Network threat detection method and system based on flow behaviors

Publications (1)

Publication Number Publication Date
CN116192490A true CN116192490A (en) 2023-05-30

Family

ID=86437900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310112450.9A Pending CN116192490A (en) 2023-02-14 2023-02-14 Network threat detection method and system based on flow behaviors

Country Status (1)

Country Link
CN (1) CN116192490A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016106592A1 (en) * 2014-12-30 2016-07-07 华为技术有限公司 Method and device for feature information analysis
CN106034056A (en) * 2015-03-18 2016-10-19 北京启明星辰信息安全技术有限公司 Service safety analysis method and system thereof
CN107733851A (en) * 2017-08-23 2018-02-23 刘胜利 DNS tunnels Trojan detecting method based on communication behavior analysis
CN109995740A (en) * 2018-01-02 2019-07-09 国家电网公司 Threat detection method based on deep protocol analysis
CN111277587A (en) * 2020-01-19 2020-06-12 武汉思普崚技术有限公司 Malicious encrypted traffic detection method and system based on behavior analysis
US20210058411A1 (en) * 2018-02-15 2021-02-25 Nippon Telegraph And Telephone Corporation Threat information extraction device and threat information extraction system
CN112822204A (en) * 2021-01-28 2021-05-18 深信服科技股份有限公司 NAT detection method, device, equipment and medium
CN114490302A (en) * 2022-03-04 2022-05-13 大庆火兔网络科技有限公司 Threat behavior analysis method based on big data analysis and server
CN115086242A (en) * 2021-03-12 2022-09-20 天翼云科技有限公司 Encrypted data packet identification method and device and electronic equipment


Similar Documents

Publication Publication Date Title
US8474043B2 (en) Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing
US11290484B2 (en) Bot characteristic detection method and apparatus
KR100862187B1 (en) A Method and a Device for Network-Based Internet Worm Detection With The Vulnerability Analysis and Attack Modeling
CN109117634B (en) Malicious software detection method and system based on network traffic multi-view fusion
CN101547126B (en) Network virus detecting method based on network data streams and device thereof
EP2924943B1 (en) Virus detection method and device
CN101557329B (en) Application layer-based data segmenting method and device thereof
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
CN112788034B (en) Processing method and device for resisting network attack, electronic equipment and storage medium
CN112600852B (en) Vulnerability attack processing method, device, equipment and storage medium
CN105592044B (en) Message aggression detection method and device
CN105635170A (en) Method and device for identifying network data packet based on rules
CN115695031A (en) Host computer sink-loss detection method, device and equipment
CN113079150A (en) Intrusion detection method for power terminal equipment
CN113765849B (en) Abnormal network flow detection method and device
KR101488271B1 (en) Apparatus and method for ids false positive detection
CN116192490A (en) Network threat detection method and system based on flow behaviors
CN108650274B (en) Network intrusion detection method and system
CN114050917B (en) Audio data processing method, device, terminal, server and storage medium
CN115065592A (en) Information processing method, device and storage medium
Scheirer et al. Syntax vs. semantics: competing approaches to dynamic network intrusion detection
Schwartzenberg Using machine learning techniques for advanced passive operating system fingerprinting
US7792147B1 (en) Efficient assembly of fragmented network traffic for data security
Grashöfer et al. Attacks on dynamic protocol detection of open source network security monitoring tools
JP4391455B2 (en) Unauthorized access detection system and program for DDoS attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination