
CN105592044B - Message attack detection method and device - Google Patents

Info

Publication number: CN105592044B
Related identifiers: CN201510519724.1A, CN201510519724A, CN105592044A
Authority: CN (China)
Prior art keywords: message, characteristic, sequence, time, queue
Legal status: Active
Application number: CN201510519724.1A
Other languages: Chinese (zh)
Other versions: CN105592044A (en)
Inventors: 石岩, 梁力文
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd
Events: application filed by New H3C Technologies Co Ltd; priority to CN201510519724.1A; publication of CN105592044A; application granted; publication of CN105592044B; current legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a message attack detection method and device. The method comprises: receiving a message carrying a type identifier and determining the time characteristic queue corresponding to that type identifier; extracting the behaviour characteristic of the message and determining the message sequence number corresponding to the behaviour characteristic; adding the sequence number to the time characteristic queue and generating a characteristic sequence; matching the characteristic sequence in a preset time sequence characteristic library to obtain a matching result; and processing the message according to the matching result. The invention can accurately detect messages that attack through the time dimension and handle them accordingly, thereby improving the security of the system.

Description

Message attack detection method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for detecting a packet attack.
Background
An IPS (Intrusion Prevention System) is a security system that detects and processes network messages in order to find anomalies and attack payloads in them.
When a traditional IPS detects a packet, usually only feature detection of spatial dimensions is performed, that is, content features of the packet are extracted, and whether the packet is an attack packet is determined according to the content features of the packet.
However, due to the diversity of attack load types, in some vulnerability attacks (for example, OpenSSL high-risk vulnerability CVE-2014-.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a message attack detection method and a message attack detection device.
The invention provides a message attack detection method, which is applied to IPS equipment of an intrusion prevention system, wherein the method comprises the following steps:
receiving a message with a type identifier, and determining a time characteristic queue corresponding to the type identifier;
extracting the behavior characteristics of the message and determining the message serial number corresponding to the behavior characteristics;
adding the message serial number in the time characteristic queue and generating a characteristic sequence;
matching in a preset time sequence feature library according to the feature sequence to obtain a matching result;
and carrying out corresponding processing on the message according to the matching result.
The invention also provides a message attack detection device, which is applied to IPS equipment and comprises:
the determining unit is used for receiving the message with the type identifier and determining a time characteristic queue corresponding to the type identifier;
the extracting unit is used for extracting the behavior characteristics of the message and determining the message serial number corresponding to the behavior characteristics;
a generating unit, configured to add the message sequence number to the time feature queue and generate a feature sequence;
the matching unit is used for matching in a preset time sequence feature library according to the feature sequence and obtaining a matching result;
and the processing unit is used for carrying out corresponding processing on the message according to the matching result.
When the received message carries a type identifier, the message sequence number corresponding to the message's behaviour characteristic is added to the time characteristic queue corresponding to that type identifier, and the characteristic sequence generated from the sequence numbers in the queue is matched in the preset time sequence characteristic library; this further detects whether the message is a time sequence attack message, and a detected attack message is processed accordingly. Therefore, the invention can accurately detect messages that attack through the time dimension and handle them accordingly, thereby improving the security of the system.
Drawings
Fig. 1 is a schematic flow chart of a message attack detection method in an embodiment of the present invention;
FIG. 2 is a diagram illustrating a process of processing a packet by a protocol engine according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a logical structure of a packet attack detection apparatus according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a hardware architecture of an IPS device where the packet attack detection apparatus is located in the embodiment of the present invention.
Detailed Description
For the purpose of making the present application more apparent, its technical solutions and advantages will be further described in detail with reference to the accompanying drawings.
In order to solve the problems in the prior art, the invention provides a message attack detection method and a message attack detection device.
Referring to fig. 1, a schematic processing flow diagram of the message attack detection method provided by the present invention is shown, where the message attack detection method can be applied to an IPS device. The message attack detection method comprises the following steps:
step 101, receiving a message with a type identifier, and determining a time characteristic queue corresponding to the type identifier;
in the embodiment of the present invention, after receiving a message, an IPS device may first perform order preserving processing on the received message to make the received message order be the original message sending order, in order to avoid the received message from being out of order. For example, the messages received within the buffering time may be sorted according to the message sending numbers carried in the header information of the received messages, and then the messages may be sequentially subjected to subsequent processing according to the sorting order. For the order preserving processing of the message, reference may be made to the processing flow for preserving the order of the message in the prior art, which is not described herein again.
And then, based on the characteristics of the IPS, the messages subjected to the order preserving processing can be subjected to spatial dimension attack detection in sequence by a detection engine of the IPS equipment. Namely: acquiring content characteristics of a received message, and matching the content characteristics in a preset spatial characteristic library to obtain a matching result; and if the message is determined to be an attack message according to the matching result, determining the protocol type of the message, and adding a type identifier corresponding to the protocol type of the message into the message.
Specifically, the IPS device presets a spatial feature library in which feature information of attack packets summarized by packet attacks based on spatial dimensions is prestored.
After the IPS device receives the message, the detection engine analyzes the message to obtain the content of the data part of the message, and the detection engine extracts the character string of the data part of the message according to a preset rule or according to the requirement.
And then, the detection engine matches the extracted character strings as the content features of the message in a preset spatial feature library according to a preset multimode matching algorithm so as to determine whether the message is attacked through spatial dimensionality.
The preset multi-mode matching algorithm is an algorithm for searching a plurality of mode character strings in a character string most quickly and optimally, namely: and an algorithm for searching the characteristic information of the plurality of patterns corresponding to the key information in the characteristic information of the spatial characteristic library. For example, the multi-pattern matching algorithm provided in the present invention may be an AC (AHO-CORASICK) algorithm, a WM (WU-MANBER) algorithm, or the like.
The detection engine in the embodiment of the invention processes the messages differently according to different matching results. For example:
if the matching result is that the corresponding feature information is matched in the preset spatial feature library according to the content features, it can be stated that the message is an attack message of spatial dimension. Then, when the message is determined to be an attack message of the space dimension according to the processing information of the content characteristics, the message can be discarded to avoid being attacked, or alarm information can be reported to a manager according to the requirement after the message is discarded;
if the matching result is that the corresponding characteristic information is not matched in the preset spatial characteristic library according to the content characteristics, the message can be determined to be an attack type message with non-spatial dimension, and whether the message is attacked by using time dimension is further detected.
Suppose that the feature information of attack messages summarized in the preset spatial feature library includes abcd11e, abcd12e and abcd13e, and that the character string extracted from the message data part is abcd11e. Then the matching result is that the message matches feature information in the spatial feature library, the message is determined to be a spatial-dimension attack message, and it can be discarded, or alarm information reported to a manager when it is discarded. If the extracted character string of the message data part is dbcd11e, the matching result is that the message does not match any feature information in the spatial feature library, and it is then further detected whether the message is a message attacking through the time dimension.
In the embodiment of the invention, when the received message is a message which needs to be further detected whether to use time dimension attack, the protocol type of the message can be determined according to the protocol number in the quintuple information of the message, namely, the message of which protocol is the message is checked.
The invention sets different type identifiers in advance for different protocol types. The type identifier may be a 32-bit integer; for example, the type identifier preset for SIP (Session Initiation Protocol) may be 1, for SAP (Session Announcement Protocol) 2, for the SSL (Secure Sockets Layer) protocol 3, for TCP (Transmission Control Protocol) 4, and so on.
Then, when adding the type identifier to the message to be marked, the message may be marked according to the preset type identifier corresponding to each protocol.
In the embodiment of the invention, an integer field can be added in the control data structure of the message, and for the message which needs to be marked, the corresponding type identifier can be added in the integer field of the control data structure of the message so as to carry out time dimension attack detection on the message.
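The spatial-dimension stage just described (multi-pattern matching of the extracted data string against the spatial feature library, dropping on a match, otherwise tagging the message's control structure with the type identifier of its protocol) can be sketched as follows. This is an added example, not code from the patent or from New H3C: it implements a small AC (Aho-Corasick) matcher, uses the patent's own sample patterns abcd11e/abcd12e/abcd13e and type identifiers SIP=1, SAP=2, SSL=3, TCP=4, and the way a protocol type is derived from the 5-tuple (protocol number 6 = TCP, destination ports 5060/9875/443) is an assumption made for the example, as is forwarding messages of unknown type untouched.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Spatial feature library: the three sample patterns from the patent's example.
SPATIAL_FEATURE_LIBRARY = ["abcd11e", "abcd12e", "abcd13e"]

# Type identifiers per protocol type, as listed in the description.
TYPE_ID_BY_PROTOCOL = {"SIP": 1, "SAP": 2, "SSL": 3, "TCP": 4}


class AhoCorasick:
    """Multi-pattern matcher (AC algorithm): trie plus failure links, one pass over the text."""

    def __init__(self, patterns):
        self.goto = [{}]        # goto[state][char] -> next state
        self.fail = [0]         # failure link of each state
        self.output = [set()]   # patterns recognised when entering each state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        state = 0
        for ch in pattern:
            if ch not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.output.append(set())
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.output[state].add(pattern)

    def _build_failure_links(self):
        # Depth-1 states fail to the root; the rest are filled in breadth-first.
        queue = deque(self.goto[0].values())
        while queue:
            s = queue.popleft()
            for ch, nxt in self.goto[s].items():
                queue.append(nxt)
                f = self.fail[s]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.output[nxt] |= self.output[self.fail[nxt]]

    def search(self, text):
        """Return the set of library patterns that occur anywhere in text."""
        state, hits = 0, set()
        for ch in text:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            hits |= self.output[state]
        return hits


@dataclass
class Message:
    five_tuple: tuple               # (src_ip, src_port, dst_ip, dst_port, protocol_number)
    data: str                       # character string extracted from the data part
    type_id: Optional[int] = None   # integer field added to the control data structure


def protocol_type(msg):
    """Assumption for this example: derive the protocol type from the 5-tuple, using the
    destination port for SIP/SAP/SSL (5060/9875/443) and protocol number 6 for plain TCP."""
    _src_ip, _src_port, _dst_ip, dst_port, proto_no = msg.five_tuple
    by_port = {5060: "SIP", 9875: "SAP", 443: "SSL"}
    if dst_port in by_port:
        return by_port[dst_port]
    if proto_no == 6:
        return "TCP"
    return None


def detection_engine(msg, matcher):
    """Spatial-dimension check of one message. Returns the action taken:
    'drop' for a spatial attack, 'to_co_engine' after the type identifier is set."""
    if matcher.search(msg.data):                # matched in the spatial feature library
        return "drop"
    name = protocol_type(msg)
    if name is None:                            # assumption: no queue for unknown types
        return "forward"
    msg.type_id = TYPE_ID_BY_PROTOCOL[name]     # mark the message for the co-engine
    return "to_co_engine"


if __name__ == "__main__":
    matcher = AhoCorasick(SPATIAL_FEATURE_LIBRARY)
    # Constructed sample messages: one carrying a library pattern, one with the page's dbcd11e.
    samples = [
        Message(("10.0.0.5", 40001, "10.0.0.9", 443, 6), "GET /?q=abcd11e"),
        Message(("10.0.0.5", 40002, "10.0.0.9", 443, 6), "dbcd11e"),
    ]
    for m in samples:
        print(m.data, "->", detection_engine(m, matcher), "type_id =", m.type_id)
```

The matcher is built once from the library and reused per message, which is the point of a multi-pattern algorithm: the scan cost is linear in the data length regardless of how many patterns the library holds. Only messages that survive this stage carry a type identifier, so the co-engine's queues never see spatial-dimension attack messages.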
In order to avoid an attack performed by an attacker using a time dimension, an embodiment of the present invention may further set a co-engine (the detection engine may be used as a main engine) for the IPS device with the detection engine, where the co-engine is used to further perform a time dimension attack detection on the packet with the type identifier.
Fig. 2 is a schematic diagram of a processing process of a protocol engine for a message with a type identifier in an embodiment of the present invention, where after the protocol engine receives a message sent by a detection engine, the protocol engine first parses the message, checks whether a type identifier exists in an integer domain of a message control data structure, and if so, obtains the type identifier carried in the message.
The protocol engine of the invention also presets time characteristic queues respectively corresponding to different types of identifiers (protocol types), and after acquiring the type identifiers carried in the message, the time characteristic queues corresponding to the type identifiers can be determined according to the type identifiers.
Step 102, extracting the behavior characteristics of the message and determining the message serial number corresponding to the behavior characteristics;
the embodiment of the invention also presets the message serial number corresponding to the message behavior characteristic. Namely, the corresponding message serial numbers are preset according to the behavior characteristics of the messages of different protocol types.
After the time characteristic queue corresponding to the type identifier carried by the message is determined, the message type of the message can be obtained after deep analysis is performed on the message, and the message type obtained by the deep analysis is the behavior characteristic of the message.
And then searching the message serial number corresponding to the behavior characteristic of the message in the preset message serial numbers corresponding to the behavior characteristic.
For example, the three-way handshake of a TCP session includes: the client sends a SYN message to the server, the server responds to the client with a SYN ACK (synchronize-acknowledge) message, and the client responds to the server with an ACK (acknowledge) message for that SYN ACK. Then, the message sequence number set for the SYN message may be "1", the message sequence number set for the SYN ACK message may be "2", and the message sequence number set for the ACK message may be "3".
In addition, a preset sequence number may also be preset as a message sequence number that can mark any behavior feature, and in a general case, when it is determined that the message is a data message, the preset sequence number may be used as a message sequence number corresponding to the behavior feature of the data message, and the preset sequence number may match any value in the time sequence feature library, for example, the preset sequence number may be 0.
Step 103, adding the message serial number in the time characteristic queue and generating a characteristic sequence;
and then, adding the message sequence number to a time characteristic queue corresponding to the type identifier carried by the message.
The time characteristic queue is a first-in first-out queue with a preset number of characteristics that it can hold; for example, if the preset number is 5, then when the 6th message sequence number is received by the queue, the message sequence number at position 1 is moved out of the time characteristic queue.
After the message serial numbers are added to the time characteristic queue, the characteristic sequence is generated according to different characteristic sequence generation modes by checking the number of the message serial numbers currently arranged in the time characteristic queue.
When the number of the message serial numbers added in the time characteristic queue is smaller than the preset characteristic number of the time characteristic queue, combining the preset specific serial number with the message serial numbers in the time characteristic queue to generate a characteristic sequence with the number of the message serial numbers as the characteristic number; or when the number of the message serial numbers added in the time characteristic queue is the preset characteristic number of the time characteristic queue, generating the characteristic sequence according to the message serial numbers arranged in the time characteristic queue.
Specifically, still assuming that the number of the characteristics that can be arranged in the time characteristic queue is 5, after the packet sequence number of the packet is added to the time characteristic queue, the characteristic sequence may be generated according to the packet sequence number added in the time characteristic queue in the following two ways:
1. and acquiring all message serial numbers arranged in the time characteristic queue, and generating a characteristic sequence according to the arrangement sequence of all the message serial numbers in the time characteristic queue.
1) When the number of message sequence numbers added to the time feature queue is less than the preset feature number of the queue (for example, the message sequence number occupies any of positions 1 to 4 of the queue):
Assuming that the message sequence number currently added to the time feature queue is 3 and it is the first sequence number added (at position 1 of the queue), sequence number 3 alone may be used as the feature sequence, that is, the generated feature sequence is: 3.
If the message sequence number 3 currently added is the fourth sequence number added to the queue (at position 4), and the sequence numbers at the first 3 positions are 5, 10 and 15 in order, the generated feature sequence is 5, 10, 15, 3.
2) When the number of message sequence numbers added to the time feature queue equals the preset feature number of the queue (namely, the message sequence number occupies position 5 of the queue):
Assuming that the message sequence numbers at the first 4 positions of the time feature queue are 5, 10, 15 and 20 in order, the feature sequence generated from the sequence numbers in the queue is 5, 10, 15, 20, 3.
2. And combining preset message serial numbers with the message serial numbers in the time characteristic queue to generate a characteristic sequence with the message serial number quantity as the characteristic quantity.
This feature sequence generation mode is used only when the number of message sequence numbers added to the time feature queue is less than the preset feature number of the queue (for example, the message sequence number occupies any of positions 1 to 4 of the queue).
For example, a preset message sequence number may be set in advance to "X", or to the maximum value of a 32-bit integer, etc. If the message sequence number 3 currently added to the time feature queue is the first sequence number added (at position 1 of the queue), the preset sequence number (taking "X" as an example) may be combined with sequence number 3 to generate the feature sequence X, X, X, X, 3, whose number of sequence numbers equals the feature number (5).
If the message sequence number 3 currently added is the fourth sequence number added to the queue (at position 4), and the sequence numbers at the first 3 positions are 5, 10 and 15 in order, the generated feature sequence is X, 5, 10, 15, 3.
Step 104, matching in a preset time sequence feature library according to the feature sequence, and obtaining a matching result;
after the feature sequence is generated according to the message sequence number in the time feature queue, the generated feature sequence can be matched in a preset time sequence feature library according to a multi-mode matching algorithm. The preset multi-pattern matching algorithm may still be an AC algorithm or a WM algorithm, etc.
The time sequence feature library also stores feature information of attack messages summarized by message attacks based on time dimension in advance. The time series feature library may be a normal time series feature library in which normal time series features are stored, or may be an abnormal time series feature library in which abnormal time series features are stored.
When the time sequence feature library is a normal time sequence feature library: if a feature corresponding to the generated feature sequence is matched in the preset normal time sequence feature library, the matching result is that the feature sequence is matched in the normal time sequence feature library, and the message can be determined to be a non-time-sequence-attack message; otherwise, the matching result is that the feature sequence is not matched in the normal time sequence feature library, and the message can be determined to be a time sequence attack message.
Similarly, when the time sequence feature library is an abnormal time sequence feature library: if a feature corresponding to the generated feature sequence is matched in the preset abnormal time sequence feature library, the matching result is that the feature sequence is matched in the abnormal time sequence feature library, and the message can be determined to be a time sequence attack message; otherwise, the matching result is that the feature sequence is not matched in the abnormal time sequence feature library, and the message can be determined to be a non-time-sequence-attack message.
It should be noted that if there is a message sequence number of 0 in the generated feature sequence, when performing feature matching, the message sequence number of 0 may match any value in the feature library.
For example, if the generated feature sequences are 5, 0, 15, 20, and 3, and when the feature sequences have feature information of 5, 8, 15, 20, and 3 in the time-series feature library, it may be considered that 0 in the feature sequences matches 8 in the feature information 5, 8, 15, 20, and 3, and it indicates that the feature sequences 5, 0, 15, 20, and 3 match corresponding feature information in the preset time-series feature library.
Step 105, correspondingly processing the message according to the matching result.
The co-engine in the invention can also process different matching results correspondingly. For example:
when the time sequence features stored in the time sequence feature library are the time sequence features of the normal time sequence, if the matching result is that the features corresponding to the feature sequences are matched in the time sequence feature library, the method comprises the following steps: determining that the message is a non-time sequence attack type message, and forwarding the message according to a normal flow; if the matching result is that the feature corresponding to the feature sequence is not matched in the time sequence feature library, the method comprises the following steps: when the message is determined to be an attack type message in the time dimension, the message can be discarded so as to avoid being attacked.
When the time sequence features stored in the time sequence feature library are abnormal time sequence features, if the matching result is that the features corresponding to the feature sequences are not matched in the time sequence feature library, the method comprises the following steps: determining that the message is a non-time sequence attack type message, and forwarding the message according to a normal flow; otherwise, the message is discarded to avoid being attacked.
Furthermore, after the attack of the time dimension is determined, alarm information can be sent to the manager according to the requirement when the message is discarded, so that the manager can take precautionary measures in time.
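Steps 102 to 105 worked through end to end, as an added example that is not code from the patent or from New H3C: a FIFO time feature queue of 5 entries per type identifier, the padded feature sequence of generation mode 2 (with "X" as the preset sequence number), the rule that a sequence number of 0 matches any library value, and the forward/drop decision for a normal versus an abnormal time sequence feature library. The TCP behaviour-to-sequence-number table (SYN=1, SYN ACK=2, ACK=3, data message=0) follows the description; the abnormal library entry [1, 1, 1, 1, 1] (five SYNs with no handshake completing) and the message stream fed to the engine are constructed for this example.

```python
from collections import deque

FEATURE_COUNT = 5   # preset number of sequence numbers a time feature queue can hold
PAD = "X"           # preset sequence number used to fill a queue that is not yet full
WILDCARD = 0        # preset sequence number for data messages; matches any library value

# Constructed table: behaviour feature -> message sequence number, per type identifier.
# Type identifier 4 is TCP, as in the description; SYN/SYN ACK/ACK follow the page's
# example and DATA -> 0 follows the preset-wildcard rule.
SEQ_NO_BY_BEHAVIOUR = {
    4: {"SYN": 1, "SYN-ACK": 2, "ACK": 3, "DATA": WILDCARD},
}


class TimeFeatureQueue:
    """FIFO queue of message sequence numbers; adding a 6th entry evicts the 1st."""

    def __init__(self, size=FEATURE_COUNT):
        self.size = size
        self._q = deque(maxlen=size)   # maxlen makes the deque drop the oldest entry

    def add(self, seq_no):
        self._q.append(seq_no)

    def feature_sequence(self, pad=True):
        """Mode 1 (pad=False): the sequence numbers currently queued, in arrival order.
        Mode 2 (pad=True): left-padded with PAD so the sequence always has `size` entries."""
        seq = list(self._q)
        if pad and len(seq) < self.size:
            seq = [PAD] * (self.size - len(seq)) + seq
        return seq


def sequence_matches(feature_seq, library_entry):
    """Position-wise comparison; WILDCARD (0) in the feature sequence matches any value."""
    if len(feature_seq) != len(library_entry):
        return False
    return all(a == WILDCARD or a == b for a, b in zip(feature_seq, library_entry))


def match_in_library(feature_seq, library):
    return any(sequence_matches(feature_seq, entry) for entry in library)


def decide(feature_seq, library, library_kind):
    """Step 105: with a normal library, forward on match and drop otherwise;
    with an abnormal library, drop on match and forward otherwise."""
    matched = match_in_library(feature_seq, library)
    if library_kind == "normal":
        return "forward" if matched else "drop"
    if library_kind == "abnormal":
        return "drop" if matched else "forward"
    raise ValueError(f"unknown library kind: {library_kind}")


class CoEngine:
    """Steps 101-105 for messages the detection engine tagged with a type identifier."""

    def __init__(self, library, library_kind):
        self.queues = {}               # type identifier -> TimeFeatureQueue
        self.library = library
        self.library_kind = library_kind

    def process(self, type_id, behaviour):
        queue = self.queues.setdefault(type_id, TimeFeatureQueue())   # step 101
        seq_no = SEQ_NO_BY_BEHAVIOUR[type_id][behaviour]              # step 102
        queue.add(seq_no)                                             # step 103
        feature_seq = queue.feature_sequence()
        action = decide(feature_seq, self.library, self.library_kind) # steps 104-105
        return feature_seq, action


def run_stream(engine, type_id, behaviours):
    """Feed a stream of behaviour features through the engine; return the action per message."""
    return [engine.process(type_id, b)[1] for b in behaviours]


# Constructed abnormal time sequence library for TCP: five SYNs in a row.
ABNORMAL_TCP_LIBRARY = [[1, 1, 1, 1, 1]]

if __name__ == "__main__":
    engine = CoEngine(ABNORMAL_TCP_LIBRARY, "abnormal")
    stream = ["SYN", "SYN-ACK", "ACK", "DATA", "SYN", "SYN", "SYN", "SYN", "SYN"]
    for behaviour in stream:
        print(behaviour, *engine.process(4, behaviour))
```

Two things the run makes visible. First, because the queue belongs to a type identifier rather than to a session, sequence numbers from different connections of the same protocol are interleaved in one window, so library entries must describe the aggregate pattern expected in that window. Second, the wildcard widens matches: in the constructed stream the eighth message yields the sequence [0, 1, 1, 1, 1], which already matches the five-SYN entry because the data message's 0 stands in for the missing SYN, one message before the queue actually holds five SYNs. A mode-1 (unpadded) sequence, by contrast, only matches library entries of the same length.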
In summary, when the received message carries a type identifier, the message sequence number corresponding to the message's behaviour feature is added to the time feature queue corresponding to that type identifier, and the feature sequence generated from the sequence numbers in the queue is matched in the preset time sequence feature library, so as to further detect whether the message is a time sequence attack message and to process a detected attack message accordingly. Therefore, the invention can accurately detect messages that attack through the time dimension and handle them accordingly, thereby improving the security of the system.
The present invention further provides a message attack detection apparatus, fig. 3 is a schematic structural diagram of the message attack detection apparatus, the apparatus may be applied to an IPS device, the message attack detection apparatus may include a determining unit 301, an extracting unit 302, a generating unit 303, a matching unit 304, and a processing unit 305, where:
a determining unit 301, configured to receive a packet with a type identifier, and determine a time characteristic queue corresponding to the type identifier;
an extracting unit 302, configured to extract a behavior feature of the packet, and determine a packet sequence number corresponding to the behavior feature;
a generating unit 303, configured to add the packet sequence number to the time feature queue, and generate a feature sequence;
the matching unit 304 is configured to perform matching in a preset time sequence feature library according to the feature sequence, and obtain a matching result;
and the processing unit 305 is configured to perform corresponding processing on the packet according to the matching result.
Further, the apparatus may further include an obtaining unit 306 and an identifying unit 307, where the obtaining unit 306 is configured to obtain the content feature of the packet, and match the content feature in a preset spatial feature library to obtain a matching result; the identification unit 307 is configured to discard the attack packet of the space dimension when determining that the packet is the attack packet of the space dimension according to the matching result; and when the message is determined to be an attack message with non-spatial dimension according to the matching result, determining the protocol type of the message, and adding a type identifier corresponding to the protocol type of the message into the message.
Further, the generating unit 303 may be specifically configured to, when the number of the message sequence numbers added in the time feature queue is smaller than the preset feature number of the time feature queue, combine a preset specific sequence number with the message sequence numbers in the time feature queue to generate a feature sequence whose number of the message sequence numbers is the feature number; or when the number of the message serial numbers added in the time characteristic queue is the preset characteristic number of the time characteristic queue, generating the characteristic sequence according to the message serial numbers arranged in the time characteristic queue.
Further, the processing unit 305 may be further configured to, when the time sequence feature stored in the time sequence feature library is a time sequence feature of a normal time sequence, forward the packet if the matching result indicates that there is a feature in the time sequence feature library that matches the feature sequence, and otherwise discard the packet; or, when the time sequence characteristics stored in the time sequence characteristic library are abnormal time sequence characteristics, if the matching result is that the time sequence characteristic library does not have characteristics matched with the characteristic sequence, forwarding the message, otherwise, discarding the message.
Further, the extracting unit 302 may be specifically configured to, when the packet is determined to be a data packet, use a preset sequence number as a packet sequence number corresponding to the behavior feature of the packet, where the preset sequence number may match any value in the time sequence feature library.
The message attack detection device applied to the IPS equipment can be consistent with the processing flow of the message attack detection method in the specific processing flow, and is not described again here.
The above apparatus can be implemented in software or in hardware. Fig. 4 shows a schematic hardware architecture of the network device where the message attack detection apparatus of the present invention is located; its basic hardware environment includes a central processing unit (CPU), a forwarding chip, a memory and other hardware, where the memory stores machine-readable instructions and the CPU reads and executes them to perform the functions of each unit in fig. 3.
It can be seen from the foregoing various method and apparatus embodiments that, in the message attack detection method and apparatus provided in the embodiments of the present invention, when a received message has a type identifier, a message sequence number corresponding to a message behavior feature is added to a time feature queue corresponding to the type identifier, and a feature sequence generated from the message sequence number in the time feature queue is matched in a preset time sequence feature library, so as to further detect whether the message is a time sequence attack message, and perform corresponding processing on the detected attack message. Therefore, the invention can accurately detect the message attacked by the time dimension and correspondingly avoid the processing, thereby improving the safety performance of the system.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A message attack detection method, applied to intrusion prevention system (IPS) equipment, characterized by comprising the following steps:
receiving a message carrying a type identifier, and determining the time feature queue corresponding to the type identifier; wherein the message carrying the type identifier is an attack message of the non-spatial dimension;
extracting the behavior feature of the message and determining the message sequence number corresponding to the behavior feature;
adding the message sequence number to the time feature queue and generating a feature sequence;
matching the feature sequence in a preset time sequence feature library to obtain a matching result; and
processing the message according to the matching result.
2. The method of claim 1, wherein, before receiving the message carrying the type identifier, the method further comprises:
acquiring the content feature of the message, and matching the content feature in a preset spatial feature library to obtain a matching result;
if the message is determined, according to the matching result, to be an attack message of the spatial dimension, discarding the attack message of the spatial dimension; and
if the message is determined, according to the matching result, to be an attack message of the non-spatial dimension, determining the protocol type of the message and adding to the message a type identifier corresponding to that protocol type.
3. The method of claim 1, wherein adding the message sequence number to the time feature queue and generating the feature sequence specifically comprises:
when the number of message sequence numbers added to the time feature queue is smaller than the preset feature number of the time feature queue, combining a preset specific sequence number with the message sequence numbers in the time feature queue to generate a feature sequence whose number of message sequence numbers equals the feature number; or
when the number of message sequence numbers added to the time feature queue equals the preset feature number of the time feature queue, generating the feature sequence from the message sequence numbers as arranged in the time feature queue.
4. The method of claim 1, wherein processing the message according to the matching result specifically comprises:
when the time sequence features stored in the time sequence feature library are features of normal time sequences, forwarding the message if the matching result is that the time sequence feature library contains a feature matching the feature sequence, and otherwise discarding the message; or
when the time sequence features stored in the time sequence feature library are abnormal time sequence features, forwarding the message if the matching result is that the time sequence feature library contains no feature matching the feature sequence, and otherwise discarding the message.
5. The method of claim 1, wherein extracting the behavior feature of the message and determining the message sequence number corresponding to the behavior feature specifically comprises:
if the message is determined to be a data message, taking a preset sequence number as the message sequence number corresponding to the behavior feature of the message, wherein the preset sequence number matches any value in the time sequence feature library.
6. A message attack detection device, applied to IPS equipment, characterized in that the device comprises:
a determining unit, configured to receive a message carrying a type identifier and determine the time feature queue corresponding to the type identifier; wherein the message carrying the type identifier is an attack message of the non-spatial dimension;
an extracting unit, configured to extract the behavior feature of the message and determine the message sequence number corresponding to the behavior feature;
a generating unit, configured to add the message sequence number to the time feature queue and generate a feature sequence;
a matching unit, configured to match the feature sequence in a preset time sequence feature library and obtain a matching result; and
a processing unit, configured to process the message according to the matching result.
7. The apparatus of claim 6, wherein the apparatus further comprises:
an acquisition unit, configured to acquire the content feature of the message and match the content feature in a preset spatial feature library to obtain a matching result; and
an identification unit, configured to discard the message when it is determined, according to the matching result, to be an attack message of the spatial dimension; and, when the message is determined, according to the matching result, to be an attack message of the non-spatial dimension, to determine the protocol type of the message and add to the message a type identifier corresponding to that protocol type.
8. The apparatus of claim 6, wherein the generating unit is specifically configured to:
when the number of message sequence numbers added to the time feature queue is smaller than the preset feature number of the time feature queue, combine a preset specific sequence number with the message sequence numbers in the time feature queue to generate a feature sequence whose number of message sequence numbers equals the feature number; or
when the number of message sequence numbers added to the time feature queue equals the preset feature number of the time feature queue, generate the feature sequence from the message sequence numbers as arranged in the time feature queue.
9. The apparatus of claim 6, wherein the processing unit is specifically configured to:
when the time sequence features stored in the time sequence feature library are features of normal time sequences, forward the message if the matching result is that the time sequence feature library contains a feature matching the feature sequence, and otherwise discard the message; or
when the time sequence features stored in the time sequence feature library are abnormal time sequence features, forward the message if the matching result is that the time sequence feature library contains no feature matching the feature sequence, and otherwise discard the message.
10. The apparatus of claim 6, wherein the extracting unit is specifically configured to:
if the message is determined to be a data message, take a preset sequence number as the message sequence number corresponding to the behavior feature of the message, wherein the preset sequence number matches any value in the time sequence feature library.
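The per-type-identifier queue, the padding of a short queue, the wildcard sequence number for data messages and the forward/discard decision described in the embodiments above and restated in claims 1, 3, 4 and 5, as an added Python model that is not part of the patent. The TCP-like behavior names, the behavior-to-sequence-number mapping, the constant values and the sample library are all constructed assumptions, not values from the patent.

```python
from collections import deque

FEATURE_NUMBER = 3   # preset feature number: length of each time feature queue (assumed value)
PAD = 0              # preset specific sequence number that fills a not-yet-full queue (claim 3)
WILDCARD = -1        # preset sequence number given to data messages; matches any library value (claim 5)

# Constructed mapping from behavior feature to message sequence number for a TCP-like protocol.
BEHAVIOUR_SEQ = {"SYN": 1, "SYN-ACK": 2, "ACK": 3, "FIN": 4, "RST": 5}

# One time feature queue per type identifier (claim 1); each keeps only the last FEATURE_NUMBER entries.
QUEUES = {}

def behaviour_sequence_number(message):
    """Claim 5: a data message gets the wildcard number; control messages map through BEHAVIOUR_SEQ."""
    if message.get("data"):
        return WILDCARD
    return BEHAVIOUR_SEQ[message["behaviour"]]

def add_and_generate(type_id, seq_no):
    """Claim 3: append seq_no to the queue of type_id and return a feature sequence of
    exactly FEATURE_NUMBER entries, left-padded with PAD while the queue is still filling."""
    q = QUEUES.setdefault(type_id, deque(maxlen=FEATURE_NUMBER))
    q.append(seq_no)
    return tuple([PAD] * (FEATURE_NUMBER - len(q)) + list(q))

def library_matches(feature_seq, library):
    """Element-wise comparison against every library entry; WILDCARD matches any library value."""
    return any(all(f == WILDCARD or f == v for f, v in zip(feature_seq, entry)) for entry in library)

def decide(feature_seq, library, library_is_normal=True):
    """Claim 4: a library of normal sequences forwards on match; a library of abnormal ones forwards on no match."""
    return "forward" if library_matches(feature_seq, library) == library_is_normal else "discard"

def detect(message, library, library_is_normal=True):
    """Claim 1 end to end; a message without a type identifier is outside the time-dimension check."""
    type_id = message.get("type_id")
    if type_id is None:
        return "forward"
    feature_seq = add_and_generate(type_id, behaviour_sequence_number(message))
    return decide(feature_seq, library, library_is_normal)

# Constructed library of normal timing sequences, including the padded start-up states.
NORMAL_LIBRARY = {
    (PAD, PAD, 1), (PAD, 1, 2), (1, 2, 3), (2, 3, 3), (3, 3, 3),
    (3, 3, 4), (3, 4, 3), (2, 3, 4),
}

if __name__ == "__main__":
    handshake = [{"type_id": "tcp", "behaviour": b} for b in ("SYN", "SYN-ACK", "ACK")]
    print([detect(m, NORMAL_LIBRARY) for m in handshake])                # ['forward', 'forward', 'forward']
    print(detect({"type_id": "tcp", "data": True}, NORMAL_LIBRARY))       # wildcard keeps the data message: forward
    print(detect({"type_id": "tcp", "behaviour": "SYN"}, NORMAL_LIBRARY)) # SYN after an established exchange: discard
```

Because the wildcard is stored in the queue like any other sequence number, the control message that follows a data message is still compared against the library with one position left free.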
CN201510519724.1A 2015-08-21 2015-08-21 Message aggression detection method and device Active CN105592044B (en)

Publications (2)

Publication Number Publication Date
CN105592044A CN105592044A (en) 2016-05-18
CN105592044B true CN105592044B (en) 2019-05-07

Family

ID=55931261

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant after: New H3C Technologies Co., Ltd.

Address before: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant before: Huasan Communication Technology Co., Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant