CN115086068A - A network intrusion detection method and device - Google Patents
- Publication number: CN115086068A
- Application number: CN202210845301.9A
- Authority: CN (China)
- Prior art keywords: target file, file, intrusion detection, current, target
- Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/1416: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/20: Network architectures or network communication protocols for network security, for managing network security; network security policies in general
- H04L67/08: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for terminal emulation, e.g. Telnet
Description
Technical Field
The present invention relates to the field of computer security, and in particular to a network intrusion detection method and device.
Background
In recent years the global network security situation has become increasingly severe, with security incidents such as network attacks and data leaks occurring frequently. Network intrusion detection technology monitors network communication packets by technical means and analyzes those packets to discover whether the network contains malicious behavior that may affect the security of downstream devices.
An intrusion detection system (IDS) is a network security device that monitors network transmissions in real time and raises an alert or takes active countermeasures when a suspicious transmission is found. It differs from other network security devices in that an IDS is a proactive security protection technology.
Therefore, how to effectively improve the detection rate of network intrusion detection is a technical problem that those skilled in the art urgently need to solve.
Summary of the Invention
To improve the detection rate of network intrusion detection, the present invention provides a network intrusion detection method and a device implementing the method.
In a first aspect, a network intrusion detection method comprises:
parsing the network traffic captured from the network device under inspection to obtain parsed data;
performing intrusion detection on the parsed data to obtain a target file, where the target file includes a first target file and a second target file, the first target file being a file based on the Remote Desktop Protocol and the second target file being a file whose format cannot be recognized;
when the first target file is obtained, performing the following operations: parsing the current first target file to obtain the configuration items of the current first target file; and performing intrusion detection on the current first target file based on a preset first intrusion detection strategy and the configuration items of the current first target file, where the first intrusion detection strategy is determined from all configuration items of known Remote Desktop Protocol-based files;
when the second target file is obtained, performing the following operations: appending the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data; and performing intrusion detection on the target binary data based on a preset second intrusion detection strategy, where the safe file includes a Portable Executable (PE) file and an Executable and Linkable Format (ELF) file, and the second intrusion detection strategy corresponds to the type of the safe file.
In one possible design, the first intrusion detection strategy is determined as follows:
obtaining the score value assigned to each configuration item of known Remote Desktop Protocol-based files;
obtaining the result of classifying all configuration items of known Remote Desktop Protocol-based files by threat level;
determining, based on the score values and the classification result, the threat threshold corresponding to each threat level;
determining the first intrusion detection strategy based on the threat threshold corresponding to each threat level.
In one possible design, determining the threat threshold corresponding to each threat level based on the score values and the classification result includes:
determining the threat threshold corresponding to each threat level with the following formula:
where V_i is the threat threshold of the i-th threat level, C_ij is the score value of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
In one possible design, after obtaining the score value assigned to each configuration item of known Remote Desktop Protocol-based files, the method further includes: building a configuration item score library from all configuration items of known Remote Desktop Protocol-based files and the score value corresponding to each configuration item;
and performing intrusion detection on the current first target file based on the preset first intrusion detection strategy and the configuration items of the current first target file includes:
obtaining the security reference value of the current first target file based on the configuration item score library and the configuration items of the current first target file;
performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy.
In one possible design, obtaining the security reference value of the current first target file based on the configuration item score library and the configuration items of the current first target file includes:
obtaining the security reference value of the current first target file with the following formula:
where S is the security reference value of the current first target file, the second symbol is the score value of the j-th configuration item in the current first target file, and k is the total number of configuration items in the current first target file.
In one possible design, performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy includes:
comparing the security reference value with the threat threshold corresponding to each threat level included in the first intrusion detection strategy to obtain the threat level of the current first target file, thereby completing intrusion detection on the current first target file.
In one possible design, after performing intrusion detection on the target binary data, the method further includes:
in response to the detection result indicating that the second target file is a dangerous file, allowing the network traffic corresponding to the second target file to pass, so that the terminal device receiving the network traffic monitors the process that invokes the second target file and can thereby identify that process as a malicious process.
In a second aspect, a network intrusion detection device comprises:
a parsing module for parsing the network traffic captured from the network device under inspection to obtain parsed data;
a detection module for performing intrusion detection on the parsed data to obtain a target file, where the target file includes a first target file and a second target file, the first target file being a file based on the Remote Desktop Protocol and the second target file being a file whose format cannot be recognized;
a first execution module for performing the following operations when the first target file is obtained: parsing the current first target file to obtain the configuration items of the current first target file; and performing intrusion detection on the current first target file based on a preset first intrusion detection strategy and the configuration items of the current first target file, where the first intrusion detection strategy is determined from all configuration items of known Remote Desktop Protocol-based files;
a second execution module for performing the following operations when the second target file is obtained: appending the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data; and performing intrusion detection on the target binary data based on a preset second intrusion detection strategy, where the safe file includes a PE file and an ELF file, and the second intrusion detection strategy corresponds to the type of the safe file.
The beneficial effect of the present invention is that parsed data is obtained by parsing the network traffic captured from the network device under inspection, intrusion detection is then performed on the parsed data to obtain target files including a first target file and a second target file, and finally the preset first intrusion detection strategy and second intrusion detection strategy are used to perform intrusion detection on the first target file and the second target file respectively, which effectively improves the detection rate of network intrusion detection.
Brief Description of the Drawings
To describe the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a network intrusion detection method provided by an embodiment of the present invention;
FIG. 2 is a hardware architecture diagram of an electronic device provided by an embodiment of the present invention;
FIG. 3 is a structural diagram of a network intrusion detection device provided by an embodiment of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to FIG. 1, an embodiment of the present invention provides a network intrusion detection method applied to an intrusion detection system. The method includes:
parsing the network traffic captured from the network device under inspection to obtain parsed data;
performing intrusion detection on the parsed data to obtain a target file, where the target file includes a first target file and a second target file, the first target file being a file based on the Remote Desktop Protocol and the second target file being a file whose format cannot be recognized;
when the first target file is obtained, performing the following operations: parsing the current first target file to obtain its configuration items; and performing intrusion detection on the current first target file based on the preset first intrusion detection strategy and the configuration items of the current first target file, where the first intrusion detection strategy is determined from all configuration items of known Remote Desktop Protocol-based files;
when the second target file is obtained, performing the following operations: appending the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data; and performing intrusion detection on the target binary data based on the preset second intrusion detection strategy, where the safe files include PE files and ELF files, and the second intrusion detection strategy corresponds to the type of the safe file.
In the embodiment of the present invention, parsed data is obtained by parsing the network traffic captured from the network device under inspection, intrusion detection is then performed on the parsed data to obtain target files including a first target file and a second target file, and finally the preset first intrusion detection strategy and second intrusion detection strategy are used to perform intrusion detection on the first target file and the second target file respectively, which effectively improves the detection rate of network intrusion detection.
The manner of performing each step shown in FIG. 1 is described below.
The intrusion detection system is deployed as software in the network device under inspection (for example, a firewall) to monitor all network traffic packets transmitted through that device. The network traffic packets include, but are not limited to, IP packets, TCP packets, UDP packets and ICMP packets.
Parsing comprises decoding the network traffic, protocol preprocessing, protocol identification and application identification; these are well known to those skilled in the art and are not described in detail here. The identified protocols include, but are not limited to, IP (Internet Protocol, the protocol for interconnecting networks), TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Management Protocol Version 6, Internet Control Message Protocol version six). The application layer protocols supported for identification include, but are not limited to, HTTP (Hyper Text Transfer Protocol over Secure Socket Layer, Hypertext Transfer Protocol Secure), FTP (File Transfer Protocol), TLS (Transport Layer Security), SMB (Server Message Block), DNS (Domain Name System), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol) and DHCP (Dynamic Host Configuration Protocol).
Intrusion detection refers to detecting whether the parsed data is malicious. Specific detection means include, but are not limited to, stream-based estimation detection and file extraction, which are well known to those skilled in the art and are not repeated here.
In some related art, an attacker uses email, chat or similar channels to induce a user to click a link that loads a malicious Remote Desktop Protocol (RDP)-based file. This causes the user's computer to establish a connection with a remote server controlled by the attacker, who can then control the user's computer through the remote server to perform malicious operations.
Specifically, the attacker may pre-set configuration items such as drive mapping, USB device mapping, printer mapping and clipboard mapping in the loaded malicious Remote Desktop Protocol-based file, so that by operating the remote server the attacker can perform malicious operations on the user's computer, for example stealing the contents of important files. Therefore, intrusion detection on Remote Desktop Protocol-based files is necessary.
In other related art, to improve detection efficiency, an intrusion detection system classifies files by format and applies a different detection strategy to each format. For a file format the intrusion detection system cannot recognize, it usually does not process (for example, delete) files in that format. Therefore, attackers often change the format of dangerous files to prevent the intrusion detection system from detecting them.
Specifically, the attacker extracts the malicious code from a dangerous file and generates a file in a format that the intrusion detection system cannot recognize, then uses a file without malicious code to open the generated file on the user's computer in order to obtain and execute the malicious code, which is detrimental to the security of the user's computer. Therefore, intrusion detection on Remote Desktop Protocol-based files is necessary.
In summary, to effectively improve the detection rate of network intrusion detection, intrusion detection can be performed on the above two types of target files, namely the first target file based on the Remote Desktop Protocol and the second target file whose format cannot be recognized by the intrusion detection system.
The following focuses on how to effectively detect the first target file and the second target file.
After the first target file is obtained through intrusion detection, it is first parsed to obtain its configuration items, and intrusion detection is then performed on the current first target file based on the preset first intrusion detection strategy and the obtained configuration items. In this way it can be determined whether the first target file is a dangerous file (for example, a first target file whose threat level, as determined below, is a medium or high security threat is determined to be a dangerous file), which effectively improves the detection rate of network intrusion detection.
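The second-target-file handling described above (append the unrecognised file's bytes to a preset safe PE or ELF file, then run the detection strategy that matches the carrier's type on the combined binary) as an added Python example; this is not code from the patent. The carrier bytes, the marker signatures and the sample blobs are constructed, and treating the second intrusion detection strategy as byte-pattern matching over the whole target binary is an assumption.

```python
import re

# Constructed stand-ins for the page's preset safe files. Only the magic bytes matter for
# type dispatch in this example; a deployment would use genuine known-good binaries (assumption).
SAFE_FILES = {
    "PE": b"MZ" + bytes(62) + b"PE\x00\x00" + bytes(20),
    "ELF": b"\x7fELF\x02\x01\x01" + bytes(57),
}

# Constructed per-type signature sets standing in for the second intrusion detection strategy
# (assumption: the strategy is byte-pattern matching over the target binary data).
STRATEGIES = {
    "PE": {"pe-marker": re.compile(rb"CONSTRUCTED_PE_MARKER")},
    "ELF": {"elf-marker": re.compile(rb"CONSTRUCTED_ELF_MARKER")},
}


def carrier_type(data: bytes) -> str:
    """Type of a safe file from its magic number; anything else is not a usable carrier."""
    if data.startswith(b"MZ"):
        return "PE"
    if data.startswith(b"\x7fELF"):
        return "ELF"
    raise ValueError("carrier is neither PE nor ELF")


def graft(unknown: bytes, carrier: bytes) -> bytes:
    """Target binary data: the unrecognised file's bytes appended after the safe file."""
    return carrier + unknown


def scan(target: bytes, kind: str, carrier_len: int) -> list:
    """Run the strategy matching the carrier type. Hits that start inside the carrier itself
    are discarded, so the safe file can never be the reason for a detection."""
    hits = []
    for name, pattern in STRATEGIES[kind].items():
        if any(m.start() >= carrier_len for m in pattern.finditer(target)):
            hits.append(name)
    return sorted(hits)


def detect_unknown(unknown: bytes, safe_files=SAFE_FILES) -> dict:
    """Graft the unrecognised file onto every preset safe file and scan each result."""
    per_type = {}
    for carrier in safe_files.values():
        kind = carrier_type(carrier)
        per_type[kind] = scan(graft(unknown, carrier), kind, len(carrier))
    return {"hits": per_type, "dangerous": any(per_type.values())}


# Constructed unrecognised-format blobs.
BENIGN_BLOB = b"\x00\x01\x02\x03" + b"nothing to see here" * 4
FLAGGED_BLOB = b"\x00\x01\x02\x03" + b"padding" + b"CONSTRUCTED_ELF_MARKER" + b"tail"

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BLOB), ("flagged", FLAGGED_BLOB)):
        print(label, detect_unknown(blob))
```

The offset filter in `scan` is the check a practitioner would want here: once the file is grafted onto a carrier, any signature that happens to match bytes of the carrier would otherwise be attributed to the unrecognised file.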
In some embodiments, the first intrusion detection strategy is determined as follows:
Step A1: obtaining the score value assigned to each configuration item of known Remote Desktop Protocol-based files;
Step A2: obtaining the result of classifying all configuration items of known Remote Desktop Protocol-based files by threat level;
Step A3: determining, based on the score values and the classification result, the threat threshold corresponding to each threat level;
Step A4: determining the first intrusion detection strategy based on the threat threshold corresponding to each threat level.
In this embodiment, a score value is assigned to each configuration item of known Remote Desktop Protocol-based files and the items are classified by threat level; from these the threat threshold corresponding to each threat level is calculated, and the first intrusion detection strategy is formulated from the threat thresholds. In subsequent intrusion detection on a first target file, the detection result can then be obtained from the score values of the configuration items in that file and the first intrusion detection strategy.
In step A1, staff can list in advance all configuration items found in known Remote Desktop Protocol-based files and then score the security of each configuration item (that is, assign it a score value) according to prior knowledge (for example, an expert security knowledge base), so that the user's computer can obtain the score value assigned to each configuration item of known Remote Desktop Protocol-based files.
In some embodiments, the score value assigned to each configuration item of known RDP files, as obtained by the user's computer, can be seen in Table 1. Note that Table 1 lists only some of the configuration items of known RDP files and their score values.
Table 1
In step A2, for example, the threat levels can be divided into three categories: high security threat, medium security threat and low security threat. Of course, more or fewer threat levels may also be used; the number of threat levels is not limited here.
In some embodiments, the high security threat level may include configuration items such as drive mapping, clipboard mapping, USB device mapping and printer mapping; the medium security threat level may include configuration items such as smart card mapping; and the low security threat level may include configuration items such as remote application icon and screen display mode.
In some embodiments, the result of classifying all configuration items of known Remote Desktop Protocol-based files by threat level, as obtained by the user's computer, can be seen in Table 2. Note that Table 2 lists only the same subset of configuration items of known Remote Desktop Protocol-based files as Table 1, with their threat levels.
Table 2
In addition, the order of steps A1 and A2 is not specifically limited here: step A1 may be performed before step A2, or step A2 before step A1.
After steps A1 and A2, every configuration item in each threat level has been assigned a score value, so the threat threshold of each threat level can be determined, which facilitates subsequent intrusion detection on the first target file.
In some embodiments, step A3 may specifically include:
determining the threat threshold corresponding to each threat level with the following formula:
where V_i is the threat threshold of the i-th threat level, C_ij is the score value of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
For example, with the data in Table 1 and Table 2, the above formula can be used to calculate the threat thresholds corresponding to the high, medium and low security threat levels, giving threat thresholds of 85, 10 and 1 respectively.
Note that using the mean score of the configuration items in each threat level as the threat threshold makes it possible to obtain more objective and accurate threat thresholds for each level even when there are few threat levels and the score values of different configuration items within a level differ widely, thereby improving the accuracy of intrusion detection on the first target file.
In step A3, the threat threshold of each threat level may also be determined in other ways; for example, the lowest score value among the configuration items in a threat level may be used as that level's threat threshold. The median score of the configuration items in a threat level may also be used, so the way of determining the threat threshold is not specifically limited here.
需要说明的是,当检测到第一目标文件时,首先入侵检测系统会对第一目标文件进行解析处理来得到第一目标文件中的配置项,然后利用预设的第一入侵检测策略和解析得到的第一目标文件的配置项,来对第一目标文件进行入侵检测。在此,本发明实施例对第一目标文件的解析处理方式不进行具体限定,例如可以是正则匹配。It should be noted that when the first target file is detected, the intrusion detection system will first perform parsing processing on the first target file to obtain the configuration items in the first target file, and then use the preset first intrusion detection strategy and analysis. The obtained configuration item of the first target file is used to perform intrusion detection on the first target file. Here, the embodiment of the present invention does not specifically limit the way of parsing and processing the first target file, for example, it may be regular matching.
In some embodiments, after step A1 the method further includes: obtaining a configuration item score value library based on all configuration items of known remote desktop protocol-based files and the score value corresponding to each configuration item;
and performing intrusion detection on the current first target file based on the preset first intrusion detection strategy and the configuration items of the current first target file includes:
Step B1: obtaining the security reference value of the current first target file based on the configuration item score value library and the configuration items of the current first target file;
Step B2: performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy.
In this embodiment, the score values of the first target file's configuration items are looked up in the configuration item score value library, the security reference value of the first target file is determined from those score values, and the security reference value is compared with the threat threshold corresponding to each threat level in the first intrusion detection strategy to obtain the threat level of the first target file, which completes the intrusion detection of the first target file.
In step B1, the configuration items obtained by parsing the first target file can be matched against the configuration item score value library to obtain their score values, and the security reference value is then computed from those score values for the subsequent intrusion detection of the first target file.
In some embodiments, step B1 may specifically include:
obtaining the security reference value of the current first target file with the following formula:
$S = \sum_{j=1}^{k} D_j$
where S is the security reference value of the current first target file, $D_j$ is the score value of the j-th configuration item in the current first target file, and k is the total number of configuration items in the current first target file.
In this embodiment, the sum of the score values of all configuration items in the first target file is used as its security reference value. Compared with using the mean, the highest or the lowest of those score values, the sum still yields an objective and accurate security reference value for characterising the threat level of the first target file when the file has few configuration items and their scores differ widely, which improves the accuracy of intrusion detection on the first target file.
Of course, the security reference value of the first target file may also be determined in other ways; for example, the mean of all configuration item scores in the file, or the highest score among them, may be used. The way the security reference value is determined is not specifically limited here.
In some embodiments, step B2 may specifically include:
comparing the security reference value with the threat threshold corresponding to each threat level in the first intrusion detection strategy to obtain the threat level of the current first target file, which completes the intrusion detection of the current first target file.
For example, the obtained security reference value can be compared with the threat thresholds determined for each level. If the security reference value is greater than or equal to the threshold of the high security threat level, i.e. S ≥ V3, the first target file is at the high security threat level; if it is greater than or equal to the medium threshold and less than the high threshold, i.e. S < V3 and S ≥ V2, the file is at the medium security threat level; and if it is greater than or equal to the low threshold and less than the medium threshold, i.e. S < V2 and S ≥ V1, the file is at the low security threat level. This gives the intrusion detection result for the first target file (its threat level), and the corresponding action can then be taken according to that level, such as blocking execution, prompting the user to choose whether to run the file, or allowing it to run.
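As an added worked example in Python (not code from the patent), the scoring procedure of steps A3, B1 and B2 end to end: thresholds as the per-level mean, a regex parser for .rdp configuration items (the text names regular-expression matching as one parsing option), the security reference value as the sum of matched scores, and the comparison against V3, V2, V1. The patent's Tables 1 and 2 are not on this page, so the score table below is a constructed assumption whose values are chosen so that the thresholds come out as 85, 10 and 1 as in the text; the sample .rdp file is constructed as well.

```python
import re
from statistics import mean

# Constructed score table (an assumption standing in for Tables 1 and 2): RDP
# configuration items grouped by threat level, each with its score value.
SCORE_TABLE = {
    "high": {"remoteapplicationmode": 90, "drivestoredirect": 80},
    "medium": {"redirectclipboard": 12, "redirectprinters": 8},
    "low": {"screen mode id": 1, "desktopwidth": 1},
}


def threat_thresholds(table):
    """Step A3: V_i = (1/n) * sum_j C_ij, the mean score within each level."""
    return {level: mean(scores.values()) for level, scores in table.items()}


def score_library(table):
    """Flatten the per-level table into item -> score (the score value library)."""
    return {item: score for scores in table.values() for item, score in scores.items()}


# One .rdp line looks like "name:i:value" or "name:s:value".
RDP_LINE = re.compile(r"^\s*([^:]+?)\s*:([is]):(.*?)\s*$")


def parse_rdp(text):
    """Parse an .rdp file into configuration items (name -> value) by regex matching."""
    items = {}
    for line in text.splitlines():
        m = RDP_LINE.match(line)
        if m:
            items[m.group(1).lower()] = m.group(3)
    return items


def security_reference_value(items, library):
    """Step B1: S = sum_j D_j; items absent from the library contribute 0."""
    return sum(library.get(name, 0) for name in items)


def classify(s, thresholds):
    """Step B2: compare S against V3 (high), V2 (medium), V1 (low), highest first."""
    for level in ("high", "medium", "low"):
        if s >= thresholds[level]:
            return level
    return "none"


def detect(rdp_text, table=SCORE_TABLE):
    """Full first-target-file detection: returns (S, threat level)."""
    library = score_library(table)
    thresholds = threat_thresholds(table)
    s = security_reference_value(parse_rdp(rdp_text), library)
    return s, classify(s, thresholds)


# Constructed sample .rdp file; the host name is a placeholder.
SAMPLE_RDP = """\
screen mode id:i:2
desktopwidth:i:1920
full address:s:host.example.invalid
redirectclipboard:i:1
drivestoredirect:s:*
"""

if __name__ == "__main__":
    print(threat_thresholds(SCORE_TABLE))  # {'high': 85, 'medium': 10, 'low': 1}
    print(detect(SAMPLE_RDP))              # (94, 'high')
```

Items not present in the library score 0 rather than raising, so an unknown setting never blocks classification; a deployment would log such items so the library can be extended.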
After a second target file is obtained through intrusion detection, the first binary data corresponding to the current second target file is first appended to the end of the second binary data corresponding to a preset safe file to obtain the target binary data. This converts a file in a format the intrusion detection system cannot recognise into one in a format it can recognise (namely PE and ELF files), so that the second target file can be subjected to intrusion detection. This solves the problem that the intrusion detection system cannot effectively examine files in formats it does not recognise, and thereby improves the detection rate of network intrusion detection.
It should be noted that "a format that cannot be recognised by the intrusion detection system" is to be understood as a format that belongs neither to the file formats well known to those skilled in the art nor to the recognisable file formats preset in the intrusion detection system. Conversely, "a format that can be recognised by the intrusion detection system" is a format that belongs either to the file formats well known to those skilled in the art or to the recognisable file formats preset in the system.
PE and ELF files are chosen as the safe files because both types can be executed by the computer itself, which is advantageous for the subsequent intrusion detection of the target binary data.
It should also be noted that the Portable Executable (PE) format is a file format for executables, object files and dynamic-link libraries, used mainly on 32-bit and 64-bit Windows operating systems. "Portable" refers to the generality of the format, which can be used on many different operating systems and architectures. The PE format encapsulates the information the Windows operating system needs to load executable program code, including dynamic-link libraries, API import and export tables, resource management data and thread-local storage data. In Windows NT operating systems the PE format is used mainly for EXE files, DLL files, SYS (driver) files and other file types. The Extensible Firmware Interface (EFI) specification states that PE is the standard executable format in the EFI environment; a PE file begins with a DOS header.
The Executable and Linkable Format (ELF), often simply called the ELF format, is in computer science a standard file format for executables, object files, shared libraries and core dumps.
To ensure that the detection of the second target file is comprehensive and accurate, the number of target binary data items may be set equal to the number of safe files. That is, the first binary data corresponding to the second target file is copied several times, and each copy is appended to the end of the second binary data of a different type of safe file, yielding several target binary data items.
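As an added example in Python (not code from the patent), the construction of the target binary data described above: the unrecognised file's bytes are copied once per safe file and appended after each safe file's bytes, one target per safe-file type. Because the bytes go after the end of the safe file, they sit past everything the PE or ELF headers describe, so the leading magic ("MZ" for PE, 0x7f "ELF" for ELF) that a format-aware detector keys on is unchanged. The two safe files here are constructed stubs carrying only header bytes, an assumption made so the block runs offline; in practice they would be complete, benign executables. Recording where the appended bytes begin lets a finding in the target be mapped back to the original file.

```python
import struct

# Constructed stand-ins for the preset safe files (assumption: only the header
# bytes are present). The PE stub is a DOS header whose e_lfanew field at
# offset 0x3C points at a "PE\0\0" signature; the ELF stub is a 64-byte
# ELF64 header with class/encoding/version bytes set.
SAFE_FILES = {
    "PE": b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20,
    "ELF": b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9 + b"\x00" * 48,
}

# Leading magic a format-aware detector uses to recognise each safe-file type.
MAGICS = {"PE": b"MZ", "ELF": b"\x7fELF"}


def build_target_binaries(first_binary, safe_files=SAFE_FILES):
    """Copy the unrecognised file's bytes once per safe file and append each
    copy to the end of that safe file; returns one target per safe-file type."""
    targets = {}
    for kind, second_binary in safe_files.items():
        targets[kind] = {
            # second binary data (safe file) followed by the first binary data
            "data": second_binary + bytes(first_binary),
            # offset at which the original file's bytes begin in the target
            "payload_offset": len(second_binary),
        }
    return targets


def recognised_type(data, magics=MAGICS):
    """Which safe-file type a detector will see for this data, or None."""
    for kind, magic in magics.items():
        if data.startswith(magic):
            return kind
    return None


def recover_payload(target):
    """Map a finding on a target back to the original file's bytes."""
    return target["data"][target["payload_offset"]:]


# Constructed sample of a file in a format the detector does not recognise.
UNKNOWN_FILE = b"\x13\x37" + b"example-unrecognised-format" + b"\xff" * 16

if __name__ == "__main__":
    targets = build_target_binaries(UNKNOWN_FILE)
    for kind, t in targets.items():
        print(kind, recognised_type(t["data"]), t["payload_offset"], len(t["data"]))
```

Each target is handed to the second intrusion detection strategy that matches its safe-file type; the number of targets equals the number of safe files, as the text requires, so nothing the unrecognised file contains is examined under only one strategy.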
It should be noted that the second intrusion detection strategy preset in the intrusion detection system may be derived from existing mature detection strategies, which are well known to those skilled in the art and are not described in detail here.
If the detection result of the intrusion detection system is that the second target file is a dangerous file, the file contains malicious code and is likely to be invoked later by a related malicious process on the user's computer in order to infect it.
To address this technical problem, in some embodiments the method further includes:
in response to the detection result being that the second target file is a dangerous file, releasing the network traffic corresponding to the second target file, so that the terminal device receiving the network traffic monitors the process that invokes the second target file and that process can be identified as a malicious process.
In this embodiment, when the second target file is determined to be dangerous, the intrusion detection system can release the network traffic corresponding to it. Releasing the traffic despite knowing that the file is dangerous allows the downstream terminal device to monitor and analyse the process associated with the second target file. That is, once the second target file is determined to be dangerous, the terminal device receiving the traffic (for example the user's computer) monitors the process that invokes the second target file (for example using hooking), identifies that process as malicious, and can then take further action on it (such as deleting it or analysing it further). This ensures that the user's computer is not infected by the virus, and at the same time allows the virus to be analysed, helping staff understand the attack habits of such viruses.
As shown in FIG. 2 and FIG. 3, an embodiment of the present invention provides a network intrusion detection apparatus. The apparatus embodiment may be implemented in software, in hardware, or in a combination of the two. At the hardware level, FIG. 2 is a hardware architecture diagram of the electronic device in which the network intrusion detection apparatus of an embodiment of the present invention is located; besides the processor, memory, network interface and non-volatile storage shown in FIG. 2, the electronic device hosting the apparatus may usually include other hardware as well, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in FIG. 3, the apparatus in the logical sense is formed by the CPU of the electronic device reading the corresponding computer program from non-volatile storage into memory and running it.
As shown in FIG. 3, the network intrusion detection apparatus provided by this embodiment includes:
a parsing module, configured to parse the network traffic captured from the network device to be examined to obtain parsed data;
a detection module, configured to perform intrusion detection on the parsed data to obtain a target file, where the target file includes a first target file and a second target file, the first target file being a remote desktop protocol-based file and the second target file being a file whose format cannot be recognised;
a first execution module, configured to perform the following operations when the first target file is obtained: parsing the current first target file to obtain its configuration items; and performing intrusion detection on the current first target file based on a preset first intrusion detection strategy and those configuration items, where the first intrusion detection strategy is determined based on all configuration items of known remote desktop protocol-based files;
and a second execution module, configured to perform the following operations when the second target file is obtained: appending the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data; and performing intrusion detection on the target binary data based on a preset second intrusion detection strategy, where the safe files include a PE file and an ELF file and the second intrusion detection strategy corresponds to the type of safe file.
In an embodiment of the present invention, the first intrusion detection strategy is specifically determined as follows:
obtaining the score value assigned to each configuration item of known remote desktop protocol-based files;
obtaining the classification result of classifying all configuration items of known remote desktop protocol-based files by threat level;
determining the threat threshold corresponding to each threat level based on the score values and the classification result; and
determining the first intrusion detection strategy based on the threat threshold corresponding to each threat level.
In an embodiment of the present invention, determining the threat threshold corresponding to each threat level based on the score values and the classification result includes:
determining the threat threshold corresponding to each threat level with the following formula:
$V_i = \frac{1}{n}\sum_{j=1}^{n} C_{ij}$
where $V_i$ is the threat threshold of the i-th threat level, $C_{ij}$ is the score value of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
In an embodiment of the present invention, the first execution module is further configured to obtain a configuration item score value library based on all configuration items of known remote desktop protocol-based files and the score value corresponding to each configuration item;
and, when performing intrusion detection on the current first target file based on the preset first intrusion detection strategy and the configuration items of the current first target file, the first execution module is configured to:
obtain the security reference value of the current first target file based on the configuration item score value library and the configuration items of the current first target file; and
perform intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy.
In an embodiment of the present invention, when obtaining the security reference value of the current first target file based on the configuration item score value library and the configuration items of the current first target file, the first execution module is configured to:
obtain the security reference value of the current first target file with the following formula:
$S = \sum_{j=1}^{k} D_j$
where S is the security reference value of the current first target file, $D_j$ is the score value of the j-th configuration item in the current first target file, and k is the total number of configuration items in the current first target file.
In an embodiment of the present invention, when performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection strategy, the first execution module is configured to:
compare the security reference value with the threat threshold corresponding to each threat level in the first intrusion detection strategy to obtain the threat level of the current first target file, which completes the intrusion detection of the current first target file.
In an embodiment of the present invention, the second execution module is further configured to: in response to the detection result being that the second target file is a dangerous file, release the network traffic corresponding to the second target file, so that the terminal device receiving the network traffic monitors the process that invokes the second target file and that process can be identified as a malicious process.
It can be understood that the structures illustrated in the embodiments of the present invention do not constitute a specific limitation on the network intrusion detection apparatus. In other embodiments of the present invention, the network intrusion detection apparatus may include more or fewer components than shown, combine some components, split some components, or arrange the components differently. The illustrated components may be implemented in hardware, in software, or in a combination of the two.
Since the information exchange between the modules of the above apparatus and their execution are based on the same concept as the method embodiments of the present invention, the details can be found in the description of the method embodiments and are not repeated here.
An embodiment of the present invention further provides an electronic device including a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the network intrusion detection method of any embodiment of the present invention.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the network intrusion detection method of any embodiment of the present invention.
Specifically, a system or apparatus equipped with a storage medium may be provided, the storage medium storing software program code that implements the functions of any of the above embodiments, and the computer (or CPU or MPU) of the system or apparatus reads and executes the program code stored in the storage medium.
In this case, the program code read from the storage medium itself implements the functions of any of the above embodiments, so the program code and the storage medium storing it form part of the present invention.
Examples of storage media for providing the program code include floppy disks, hard disks, magneto-optical disks, optical discs (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW and DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server computer over a communication network.
Furthermore, it should be clear that the functions of any of the above embodiments can be realised not only by the computer executing the program code it has read, but also by having the operating system or the like running on the computer perform some or all of the actual operations based on instructions from the program code.
Furthermore, it can be understood that the program code read from the storage medium may be written into a memory provided on an expansion board inserted into the computer or in an expansion module connected to the computer, after which a CPU or the like on the expansion board or module performs some or all of the actual operations based on instructions from the program code, thereby realising the functions of any of the above embodiments.
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between them. Moreover, the terms "comprise", "include" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a list of elements includes not only those elements but also other elements not expressly listed or inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises it.
Those of ordinary skill in the art will understand that all or some of the steps of the above method embodiments can be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; and the storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in those embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210845301.9A CN115086068B (en) | 2022-07-19 | 2022-07-19 | A network intrusion detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210845301.9A CN115086068B (en) | 2022-07-19 | 2022-07-19 | A network intrusion detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115086068A true CN115086068A (en) | 2022-09-20 |
CN115086068B CN115086068B (en) | 2022-11-08 |
Family
ID=83259812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210845301.9A Active CN115086068B (en) | 2022-07-19 | 2022-07-19 | A network intrusion detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115086068B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116319057A (en) * | 2023-04-11 | 2023-06-23 | 华能信息技术有限公司 | HTTP traffic reduction method |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070282951A1 (en) * | 2006-02-10 | 2007-12-06 | Selimis Nikolas A | Cross-domain solution (CDS) collaborate-access-browse (CAB) and assured file transfer (AFT) |
CN102043915A (en) * | 2010-11-03 | 2011-05-04 | 厦门市美亚柏科信息股份有限公司 | Method and device for detecting malicious code contained in non-executable file |
CN103401872A (en) * | 2013-08-05 | 2013-11-20 | 北京工业大学 | Method for preventing and detecting man-in-the-middle attack based on improved RDP (Remote Desktop Protocol) |
CN111324890A (en) * | 2018-12-14 | 2020-06-23 | 华为技术有限公司 | Portable executable file processing method, detection method and device |
CN111865981A (en) * | 2020-07-20 | 2020-10-30 | 交通运输信息安全中心有限公司 | Network security vulnerability assessment system and method |
CN112333203A (en) * | 2020-11-26 | 2021-02-05 | 哈尔滨工程大学 | RDP conversation method of high-interaction honeypot system based on man-in-the-middle technology |
US20210092136A1 (en) * | 2019-09-24 | 2021-03-25 | Pc Matic Inc | Protecting Against Remote Desktop Protocol Intrusions |
CN114036042A (en) * | 2021-10-25 | 2022-02-11 | 杭州安恒信息技术股份有限公司 | Model testing method, device, computer and readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN115086068B (en) | 2022-11-08 |
Similar Documents
Publication | Title |
---|---|
KR102580898B1 (en) | System and method for selectively collecting computer forensics data using DNS messages |
US10721244B2 (en) | Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program |
US20190347418A1 (en) | System and method for protection against ransomware attacks |
US9853988B2 (en) | Method and system for detecting threats using metadata vectors |
CN109194680B (en) | Network attack identification method, device and equipment |
US11258812B2 (en) | Automatic characterization of malicious data flows |
CN112751815B (en) | Message processing method, device, equipment and computer readable storage medium |
JP6159018B2 (en) | Extraction condition determination method, communication monitoring system, extraction condition determination apparatus, and extraction condition determination program |
US20090178140A1 (en) | Network intrusion detection system |
CN113810408B (en) | Network attack organization detection method, device, equipment and readable storage medium |
US12069077B2 (en) | Methods for detecting a cyberattack on an electronic device, method for obtaining a supervised random forest model for detecting a DDoS attack or a brute force attack, and electronic device configured to detect a cyberattack on itself |
CA2545916A1 (en) | Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data |
KR20090087437A (en) | Traffic detection method and apparatus |
US11973773B2 (en) | Detecting and mitigating zero-day attacks |
US10489720B2 (en) | System and method for vendor agnostic automatic supplementary intelligence propagation |
CN105100092A (en) | Detection method, device and system for controlling client to access network |
CN110798427A (en) | Anomaly detection method, device and equipment in network security defense |
US11063975B2 (en) | Malicious content detection with retrospective reporting |
CN113965419B (en) | Method and device for judging attack success through reverse connection |
US10027693B2 (en) | Method, device and system for alerting against unknown malicious codes within a network environment |
CN107612890A (en) | A network monitoring method and system |
CN106911640A (en) | Cyber threat processing method and apparatus |
CN113452717A (en) | Method and device for communication software security protection, electronic equipment and storage medium |
CN115086068B (en) | A network intrusion detection method and device |
JP6676790B2 (en) | Request control device, request control method, and request control program |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |