CN115086068B - A network intrusion detection method and device - Google Patents
Publication number: CN115086068B (application CN202210845301.9A)
Authority: CN (China)
Legal status: Active
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00, network architectures or network communication protocols for network security)
- H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general
- H04L67/08: Protocols specially adapted for terminal emulation, e.g. Telnet (under H04L67/01, protocols; H04L67/00, network arrangements or protocols for supporting network services or applications)
Description
Technical field
The invention relates to the technical field of computer security, and in particular to a network intrusion detection method and device.
Background technique
In recent years the global network security situation has become increasingly severe, and security incidents such as network attacks and data leaks occur frequently. Network intrusion detection technology uses technical means to capture network communication packets and analyses them to find out whether the network carries malicious behaviour that may affect the network security of downstream devices.
An intrusion detection system (IDS) is a network security device that monitors network transmissions in real time and raises an alarm or takes active response measures when suspicious transmissions are found. It differs from other network security devices in that an IDS is a proactive security protection technology.
Therefore, how to effectively improve the detection rate of network intrusion detection is a technical problem that those skilled in the art urgently need to solve.
Contents of the invention
In order to improve the detection rate of network intrusion detection, the invention provides a network intrusion detection method and a device that implements the method.
In a first aspect, a network intrusion detection method includes:
parsing the network traffic captured from the network device to be inspected to obtain parsed data;
performing intrusion detection on the parsed data to obtain a target file, wherein the target file includes a first target file and a second target file, the first target file is a file based on the Remote Desktop Protocol, and the second target file is a file whose format cannot be recognized;
when the first target file is obtained, performing the following operations: parsing the current first target file to obtain the configuration items of the current first target file; performing intrusion detection on the current first target file based on a preset first intrusion detection policy and the configuration items of the current first target file, wherein the first intrusion detection policy is determined based on all configuration items of known Remote-Desktop-Protocol-based files;
when the second target file is obtained, performing the following operations: appending the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data; performing intrusion detection on the target binary data based on a preset second intrusion detection policy, wherein the safe file includes a Portable Executable (PE) file and an Executable and Linkable Format (ELF) file, and the second intrusion detection policy corresponds to the type of the safe file.
In a possible design, the first intrusion detection policy is determined in the following manner:
obtaining the score value assigned to each configuration item of known Remote-Desktop-Protocol-based files;
obtaining the result of classifying all configuration items of known Remote-Desktop-Protocol-based files by threat level;
determining the threat threshold corresponding to each threat level based on the score values and the classification result;
determining the first intrusion detection policy based on the threat threshold corresponding to each threat level.
In a possible design, determining the threat threshold corresponding to each threat level based on the score values and the classification result includes:
determining the threat threshold corresponding to each threat level with the following formula:
where V_i is the threat threshold of the i-th threat level, C_ij is the score value of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
In a possible design, after obtaining the score value assigned to each configuration item of known Remote-Desktop-Protocol-based files, the method further includes: building a configuration item score database from all configuration items of known Remote-Desktop-Protocol-based files and the score value corresponding to each configuration item;
and performing intrusion detection on the current first target file based on the preset first intrusion detection policy and the configuration items of the current first target file includes:
obtaining a security reference value of the current first target file based on the configuration item score database and the configuration items of the current first target file;
performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy.
In a possible design, obtaining the security reference value of the current first target file based on the configuration item score database and the configuration items of the current first target file includes:
obtaining the security reference value of the current first target file with the following formula:
where S is the security reference value of the current first target file, the per-item quantity is the score value of the j-th configuration item in the current first target file, and k is the total number of configuration items in the current first target file.
In a possible design, performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy includes:
comparing the security reference value with the threat threshold corresponding to each threat level included in the first intrusion detection policy to obtain the threat level of the current first target file, thereby completing intrusion detection of the current first target file.
In a possible design, after performing intrusion detection on the target binary data, the method further includes:
in response to a detection result that the second target file is a dangerous file, releasing the network traffic corresponding to the second target file so that the terminal device receiving the network traffic monitors the process that invokes the second target file, whereby the process that invokes the second target file can be determined to be a malicious process.
In a second aspect, a network intrusion detection device includes:
a parsing module, configured to parse the network traffic captured from the network device to be inspected to obtain parsed data;
a detection module, configured to perform intrusion detection on the parsed data to obtain a target file, wherein the target file includes a first target file and a second target file, the first target file is a file based on the Remote Desktop Protocol, and the second target file is a file whose format cannot be recognized;
a first execution module, configured to perform the following operations when the first target file is obtained: parsing the current first target file to obtain the configuration items of the current first target file; performing intrusion detection on the current first target file based on a preset first intrusion detection policy and the configuration items of the current first target file, wherein the first intrusion detection policy is determined based on all configuration items of known Remote-Desktop-Protocol-based files;
a second execution module, configured to perform the following operations when the second target file is obtained: appending the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data; performing intrusion detection on the target binary data based on a preset second intrusion detection policy, wherein the safe file includes a PE file and an ELF file, and the second intrusion detection policy corresponds to the type of the safe file.
The beneficial effect of the invention is that parsed data is obtained by parsing the network traffic captured from the network device to be inspected, intrusion detection is then performed on the parsed data to obtain target files including the first target file and the second target file, and finally the preset first intrusion detection policy and second intrusion detection policy are used to perform intrusion detection on the first target file and the second target file respectively, which effectively improves the detection rate of network intrusion detection.
Description of drawings
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a network intrusion detection method provided by an embodiment of the invention;
Fig. 2 is a hardware architecture diagram of an electronic device provided by an embodiment of the invention;
Fig. 3 is a structural diagram of a network intrusion detection device provided by an embodiment of the invention.
Detailed description
In order to make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, an embodiment of the invention provides a network intrusion detection method applied to an intrusion detection system. The method includes:
parsing the network traffic captured from the network device to be inspected to obtain parsed data;
performing intrusion detection on the parsed data to obtain a target file, wherein the target file includes a first target file and a second target file, the first target file is a file based on the Remote Desktop Protocol, and the second target file is a file whose format cannot be recognized;
when the first target file is obtained, performing the following operations: parsing the current first target file to obtain the configuration items of the current first target file; performing intrusion detection on the current first target file based on a preset first intrusion detection policy and the configuration items of the current first target file, wherein the first intrusion detection policy is determined based on all configuration items of known Remote-Desktop-Protocol-based files;
when the second target file is obtained, performing the following operations: appending the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data; performing intrusion detection on the target binary data based on a preset second intrusion detection policy, wherein the safe file includes a PE file and an ELF file, and the second intrusion detection policy corresponds to the type of the safe file.
In the embodiment of the invention, parsed data is obtained by parsing the network traffic captured from the network device to be inspected, intrusion detection is then performed on the parsed data to obtain target files including the first target file and the second target file, and finally the preset first intrusion detection policy and second intrusion detection policy are used to perform intrusion detection on the first target file and the second target file respectively, which effectively improves the detection rate of network intrusion detection.
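As an added illustration of the second-target-file step (example code, not code from the patent), the following Python builds a constructed header-only ELF64 placeholder for the preset safe file, appends the unrecognized file's bytes to its end as the page describes, and then applies an assumed ELF policy to the result: the signature patterns, the "overlay" view of the appended bytes and the consistency check against the ELF header are hypothetical stand-ins, since the page does not specify the rules of the second intrusion detection policy.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"

# Constructed signature patterns standing in for the rules of the "second
# intrusion detection policy"; the page does not specify those rules.
SIGNATURES = {
    b"CONSTRUCTED_MALICIOUS_MARKER": "test-signature-1",
    b"CONSTRUCTED_DROPPER_STUB": "test-signature-2",
}

ELF64_HEADER = "<HHIQQQIHHHHHH"  # ELF64 header fields after the 16-byte e_ident


def build_safe_elf64() -> bytes:
    """Constructed placeholder for the preset safe file: a minimal, header-only
    ELF64 with no program or section headers (well-formed, not runnable)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # ELFCLASS64, LE, EV_CURRENT
    rest = struct.pack(
        ELF64_HEADER,
        2,      # e_type: ET_EXEC
        0x3E,   # e_machine: EM_X86_64
        1,      # e_version
        0,      # e_entry
        0,      # e_phoff (no program header table)
        0,      # e_shoff (no section header table)
        0,      # e_flags
        64,     # e_ehsize
        56, 0,  # e_phentsize, e_phnum
        64, 0,  # e_shentsize, e_shnum
        0,      # e_shstrndx
    )
    return e_ident + rest


def wrap_unknown(first_binary: bytes, safe_file: bytes) -> bytes:
    """The page's construction: the unrecognized file's bytes (first binary data)
    are appended to the end of the safe file's bytes (second binary data)."""
    return safe_file + first_binary


def file_type(data: bytes):
    """Type used to select the policy; the wrapped data inherits the safe
    file's type because the safe file's bytes come first."""
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if data.startswith(PE_MAGIC):
        return "PE"
    return None


def elf_declared_end(data: bytes) -> int:
    """Last offset covered by the ELF header, program header table or section
    header table. Assumed check (not from the page): the appended bytes must lie
    entirely beyond this point, so they cannot pose as part of the ELF itself."""
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    fields = struct.unpack_from(ELF64_HEADER, data, 16)
    phoff, shoff, ehsize = fields[4], fields[5], fields[7]
    phentsize, phnum, shentsize, shnum = fields[8], fields[9], fields[10], fields[11]
    return max(ehsize, phoff + phnum * phentsize, shoff + shnum * shentsize)


def detect_wrapped(first_binary: bytes, safe_file: bytes) -> dict:
    """Apply the policy matching the safe file's type to the target binary data."""
    kind = file_type(safe_file)
    if kind is None:
        raise ValueError("the preset safe file must be a PE or ELF file")
    target = wrap_unknown(first_binary, safe_file)
    overlay_start = len(safe_file)  # the IDS knows the length of its own safe file
    if kind == "ELF" and elf_declared_end(target) > overlay_start:
        raise ValueError("safe ELF's declared structure extends into the appended data")
    overlay = target[overlay_start:]  # the appended, originally unrecognized bytes
    hits = [name for pattern, name in SIGNATURES.items() if pattern in overlay]
    return {"type": kind, "overlay_len": len(overlay), "hits": hits, "dangerous": bool(hits)}
```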
The manner of executing each step shown in Fig. 1 is described below.
The intrusion detection system is deployed as software in the network device to be inspected (for example a firewall) to monitor all network traffic packets transmitted through that device. The network traffic packets include, but are not limited to, IP packets, TCP packets, UDP packets and ICMP packets.
Parsing covers the decoding of network traffic, protocol preprocessing, protocol identification and application identification; these functions are well known to those skilled in the art and are not described in detail here. The identified protocols include, but are not limited to, IP (Internet Protocol, the protocol for interconnecting networks), TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Management Protocol Version 6). The following application layer protocols are supported, without limitation: HTTP (Hyper Text Transfer Protocol over Secure Socket Layer), FTP (File Transfer Protocol), TLS (Transport Layer Security), SMB (Server Message Block), DNS (Domain Name System), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol) and DHCP (Dynamic Host Configuration Protocol).
Intrusion detection means detecting whether the parsed data is malicious. The specific detection means include, but are not limited to, stream estimation detection and file extraction, which are well known to those skilled in the art and are not described here.
In some related technologies, hackers use email, chat and similar channels to induce users to click on links that load a malicious Remote Desktop Protocol (RDP) based file. This causes the user's computer to establish a connection with a remote server controlled by the hacker, through which the hacker can make the user's computer carry out malicious operations.
Specifically, the hacker may have preset configuration items such as drive mapping, USB device mapping, printer mapping and clipboard mapping in the loaded malicious RDP-based file, so that by operating the remote server the hacker can perform malicious operations on the user's computer, for example stealing the contents of important files on it. Therefore, it is necessary to perform intrusion detection on RDP-based files.
In other related technologies, to improve detection efficiency an intrusion detection system classifies files by format and applies different detection policies to different formats. For a format the intrusion detection system cannot recognize, it usually does not process (for example delete) files of that format. Hackers therefore usually change the format of a dangerous file to prevent the intrusion detection system from detecting it.
Specifically, the hacker extracts the malicious code from the dangerous file and generates a file in a format that the intrusion detection system cannot recognize, then uses a file without malicious code to open the generated file on the user's computer to obtain and execute the malicious code, which is detrimental to the security of the user's computer. Therefore, it is necessary to perform intrusion detection on files based on the Remote Desktop Protocol.
In summary, to effectively improve the detection rate of network intrusion detection, intrusion detection can be performed on the above two types of target file (that is, the first target file based on the Remote Desktop Protocol and the second target file whose format cannot be recognized by the intrusion detection system).
The following focuses on how to effectively detect the first target file and the second target file.
After the first target file is obtained through intrusion detection, it is first parsed to obtain its configuration items, and intrusion detection is then performed on the current first target file based on the preset first intrusion detection policy and the obtained configuration items. In this way it can be determined whether the first target file is a dangerous file (for example, a first target file whose threat level, determined as described below, is medium or high is determined to be dangerous), which effectively improves the detection rate of network intrusion detection.
In some implementations, the first intrusion detection policy is determined as follows:
Step A1: obtain the score value assigned to each configuration item of known RDP-based files;
Step A2: obtain the result of classifying all configuration items of known RDP-based files by threat level;
Step A3: determine the threat threshold corresponding to each threat level based on the score values and the classification result;
Step A4: determine the first intrusion detection policy based on the threat threshold corresponding to each threat level.
In this embodiment, a score value is assigned to each configuration item of known RDP-based files and the items are classified by threat level; from these the threat threshold corresponding to each threat level is calculated, and the first intrusion detection policy is formulated from the threat thresholds. When intrusion detection is later performed on a first target file, its detection result can be obtained from the score values of its configuration items and the first intrusion detection policy.
In step A1, staff can list in advance all configuration items found in known RDP-based files and then score the security of each configuration item (that is, assign it a score value) according to prior knowledge (for example an expert security knowledge base), so that the user's computer can obtain the score value assigned to each configuration item of known RDP-based files.
In some implementations, the score values assigned to each configuration item of known RDP files, as obtained by the user's computer, are shown in Table 1. Note that Table 1 lists only some of the configuration items of known RDP files and their score values.
Table 1
In step A2, the threat levels may, for example, be divided into three classes: high security threat, medium security threat and low security threat. Of course, more or fewer threat levels may also be used; the number of threat levels is not limited here.
In some implementations, the high security threat class may include configuration items such as drive mapping, clipboard mapping, USB device mapping and printer mapping; the medium security threat class may include configuration items such as smart card mapping; and the low security threat class may include configuration items such as the remote application icon and the screen display mode.
In some implementations, the result of classifying all configuration items of known RDP-based files by threat level, as obtained by the user's computer, is shown in Table 2. Note that Table 2 lists only the same subset of configuration items of known RDP-based files as Table 1, together with their threat levels.
Table 2
The order of steps A1 and A2 is not specifically limited here: step A1 may be performed before step A2, or step A2 before step A1.
After steps A1 and A2, every configuration item in each threat level has been assigned a score value, so the threat threshold of each threat level can be determined to support the subsequent intrusion detection of the first target file.
In some implementations, step A3 may specifically include:
determining the threat threshold corresponding to each threat level with the following formula:
where V_i is the threat threshold of the i-th threat level, C_ij is the score value of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
For example, with the values in Table 1 and Table 2, the above formula can be used to calculate the threat thresholds corresponding to the high, medium and low security threat levels, giving threat thresholds of 85, 10 and 1 respectively.
Note that taking the mean score of the configuration items in each threat level as the threat threshold makes it possible to obtain objective and accurate threat thresholds for each level even when there are few threat levels and the score values of the different configuration items within a level differ widely, thereby improving the accuracy of intrusion detection of the first target file.
In step A3 the threat threshold of each threat level may also be determined in other ways; for example, the lowest score value of the configuration items in a threat level may be used as that level's threat threshold. The median score value of the configuration items in each threat level may also be used, so the way the threat threshold is determined is not specifically limited here.
Note that when a first target file is detected, the intrusion detection system first parses the first target file to obtain its configuration items, and then performs intrusion detection on the first target file using the preset first intrusion detection policy and the configuration items obtained by parsing. The embodiment does not limit how the first target file is parsed; regular-expression matching, for example, may be used.
In some implementations, after step A1 the method further includes: building a configuration-item score library from all configuration items of known remote desktop protocol-based files and the score corresponding to each configuration item;
and performing intrusion detection on the current first target file based on the preset first intrusion detection policy and the configuration items of the current first target file then includes:
step B1: obtaining a security reference value for the current first target file based on the configuration-item score library and the configuration items of the current first target file;
step B2: performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy.
In this embodiment, the configuration-item score library yields the score of each configuration item of the first target file, those scores determine the file's security reference value, and the security reference value is compared with the threat threshold of each threat level included in the first intrusion detection policy to obtain the threat level of the first target file, which completes its intrusion detection.
In step B1, the configuration items obtained by parsing the first target file are matched against the configuration-item score library to obtain their scores, and those scores are used to compute the security reference value on which the subsequent intrusion detection of the first target file is based.
In some implementations, step B1 may specifically include:
obtaining the security reference value of the current first target file with the following formula:
S = \sum_{j=1}^{k} D_j
where S is the security reference value of the current first target file, D_j is the score of the j-th configuration item in the current first target file, and k is the total number of configuration items in the current first target file.
In this embodiment the sum of the scores of all configuration items in the first target file is taken as its security reference value. Compared with using the mean, maximum or minimum of those scores, the sum still gives an objective and accurate reference value for the file's threat level when the file has only a few configuration items and their scores differ widely, which improves the accuracy of intrusion detection of the first target file. Note that a sum also grows with the number of configuration items, so a file that sets many low-scoring items can cross a higher threshold on count alone; the score library and thresholds should be chosen with that in mind.
Of course, the security reference value of the first target file can also be determined in other ways; for example, the mean score of all its configuration items, or the highest score among them, may be used. The way the security reference value is determined is therefore not specifically limited here.
In some implementations, step B2 may specifically include:
comparing the security reference value with the threat threshold corresponding to each threat level included in the first intrusion detection policy to obtain the threat level of the current first target file, which completes the intrusion detection of the current first target file.
For example, the security reference value is compared with the threat thresholds of the threat levels, where V3, V2 and V1 denote the thresholds of the high, medium and low security threat levels. If S ≥ V3, the first target file is at the high security threat level; if V2 ≤ S < V3, it is at the medium security threat level; and if V1 ≤ S < V2, it is at the low security threat level (a file with S < V1 falls below every threshold and is assigned no level by this comparison). This yields the intrusion detection result for the first target file, namely its threat level, and a corresponding action can then be taken according to that level, such as blocking execution, prompting the user to decide whether to run the file, or allowing it to run.
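The following Python program is an added example, not code from the patent, that carries steps A1 to A3 and B1 to B2 through on a .rdp file. Since Table 1 and Table 2 are not reproduced on this page, the configuration items, their scores and their threat-level assignments are constructed for illustration and chosen so that the mean-based thresholds come out as the 85, 10 and 1 quoted above; the sample .rdp files are constructed as well. Two behaviours the text leaves open are handled as labelled assumptions: configuration items absent from the score library contribute 0 and are reported for review, and a file whose S is below V1 is reported as "none".

```python
import re
from statistics import mean, median
from typing import Callable, Dict, List, Tuple

# Step A1 (constructed, not the patent's Table 1): score per known .rdp configuration item.
SCORE_LIBRARY: Dict[str, int] = {
    "full address": 1,
    "screen mode id": 1,
    "username": 1,
    "drivestoredirect": 12,
    "redirectclipboard": 8,
    "remoteapplicationmode": 10,
    "remoteapplicationprogram": 90,
    "alternate shell": 80,
}

# Step A2 (constructed, not the patent's Table 2): threat-level classification of the same items.
LEVELS: Dict[str, List[str]] = {
    "low": ["full address", "screen mode id", "username"],
    "medium": ["drivestoredirect", "redirectclipboard", "remoteapplicationmode"],
    "high": ["remoteapplicationprogram", "alternate shell"],
}

# Constructed sample .rdp files in the usual "name:type:value" syntax.
SAMPLE_SUSPICIOUS = """\
full address:s:203.0.113.10:3389
screen mode id:i:2
username:s:corp\\jdoe
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||cmd
alternate shell:s:powershell.exe -w hidden
"""
SAMPLE_MEDIUM = """\
full address:s:203.0.113.20
screen mode id:i:2
redirectclipboard:i:1
"""
SAMPLE_BENIGN = """\
full address:s:203.0.113.20
screen mode id:i:2
"""

# One .rdp line: option name, a type tag (s = string, i = integer, b = binary), then the value.
_RDP_LINE = re.compile(r"^([^:]+):([sib]):(.*)$")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse a .rdp file by regular matching. Returns {name: (type, value)};
    lines that do not fit the syntax are ignored."""
    items: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = _RDP_LINE.match(line.strip())
        if m:
            items[m.group(1).strip().lower()] = (m.group(2), m.group(3))
    return items


def threat_thresholds(score_library: Dict[str, int], levels: Dict[str, List[str]],
                      aggregate: Callable = mean) -> Dict[str, float]:
    """Step A3: V_i = (1/n) * sum_j C_ij by default; pass min or median for the
    alternatives the text mentions."""
    return {level: float(aggregate([score_library[name] for name in names]))
            for level, names in levels.items()}


def security_reference(items: Dict[str, Tuple[str, str]],
                       score_library: Dict[str, int]) -> Tuple[int, List[str]]:
    """Step B1: S = sum_j D_j over the file's configuration items. Items absent from
    the library contribute 0 (assumption; the text does not say) and are returned
    so an analyst can review them."""
    unknown = [name for name in items if name not in score_library]
    s = sum(score_library[name] for name in items if name in score_library)
    return s, unknown


def classify(s: float, thresholds: Dict[str, float]) -> str:
    """Step B2: compare S against V_high, V_medium, V_low in descending order.
    S below V_low yields 'none' (assumption; the text defines no level there)."""
    for level in ("high", "medium", "low"):
        if s >= thresholds[level]:
            return level
    return "none"


def detect(rdp_text: str, aggregate: Callable = mean) -> Tuple[int, str, List[str]]:
    """Full pipeline for one first target file: (S, threat level, unknown items)."""
    thresholds = threat_thresholds(SCORE_LIBRARY, LEVELS, aggregate)
    s, unknown = security_reference(parse_rdp(rdp_text), SCORE_LIBRARY)
    return s, classify(s, thresholds), unknown


if __name__ == "__main__":
    print("thresholds (mean):", threat_thresholds(SCORE_LIBRARY, LEVELS))
    print("thresholds (median):", threat_thresholds(SCORE_LIBRARY, LEVELS, median))
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_MEDIUM, SAMPLE_BENIGN):
        print(detect(sample))
```

Switching the `aggregate` argument between `mean`, `min` and `median` shows how much the level boundaries move under the alternative threshold rules the text allows, which is the first thing to check before trusting the 85/10/1 style cut-offs on a real score library.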
After the second target file has been obtained through intrusion detection, the first binary data corresponding to the current second target file is appended to the end of the second binary data corresponding to a preset safe file to obtain the target binary data. In other words, a file in a format the intrusion detection system cannot recognize is turned into a file in a format it can recognize (a PE or ELF file), so that intrusion detection can be performed on the second target file. This addresses the problem that the intrusion detection system cannot effectively inspect files whose format it does not recognize, and so raises the detection rate of network intrusion detection. Note that the appended bytes lie beyond the structures the PE or ELF headers describe, so the second intrusion detection policy only covers them if the engine scans the whole target binary rather than just the header-described sections.
Here, "a format that cannot be recognized by the intrusion detection system" means a format that is neither a file format well known to those skilled in the art nor one of the recognizable file formats preset in the intrusion detection system. Conversely, "a format that can be recognized by the intrusion detection system" means a format that is either well known to those skilled in the art or preset as recognizable in the intrusion detection system.
PE and ELF files are chosen as safe files because both types can be executed by the computer itself, which benefits the subsequent intrusion detection of the target binary data.
It should also be noted that the Portable Executable (PE) format is a file format for executables, object files and dynamic-link libraries, used mainly on 32-bit and 64-bit Windows operating systems. "Portable" refers to the format's versatility across operating systems and architectures. A PE file encapsulates the information the Windows operating system needs to load executable code: dynamic-link library references, API import and export tables, resource management data and thread-local storage data. On Windows NT the PE format is used for EXE files, DLL files, SYS (driver) files and other file types. The Extensible Firmware Interface (EFI) specification designates PE as the standard executable format in the EFI environment. A PE file begins with a DOS header.
The Executable and Linkable Format (ELF), usually just called the ELF format, is the standard file format for executables, object files, shared libraries and core dumps in computer science.
To make the detection of the second target file complete and accurate, the number of target binary data items can be made equal to the number of safe files. That is, the first binary data corresponding to the second target file is copied once per safe file, and each copy is appended to the end of the second binary data of a different type of safe file, giving one target binary data item per safe-file type.
Note that the second intrusion detection policy preset in the intrusion detection system can be derived from existing, mature detection policies that are well known to those skilled in the art; the specific policies are not described here.
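As an added example that is not the patent's code, the following Python builds one target binary per safe-file type by appending the unrecognized file's bytes, checks that each result still parses as the safe file's format, and records where the appended overlay begins. The "safe files" here are constructed minimal PE and ELF headers rather than real executables, and the unknown file is a constructed byte string; a deployment would use real, known-good PE and ELF files as the safe files.

```python
import struct
from typing import Callable, Dict, Tuple


def minimal_pe() -> bytes:
    """Constructed stand-in for a PE safe file: a DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature followed by a zeroed COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE signature at offset 64
    return bytes(dos) + b"PE\0\0" + bytes(20)    # signature + 20-byte COFF file header


def minimal_elf() -> bytes:
    """Constructed stand-in for an ELF safe file: a 64-byte ELF64 little-endian header."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # magic, class, data, version, pad
    return e_ident + bytes(48)                            # remainder of the ELF64 header


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_elf(data: bytes) -> bool:
    """Minimal ELF check: the 0x7f 'ELF' magic and a full-length header."""
    return len(data) >= 64 and data[:4] == b"\x7fELF"


# Preset safe files, one per type, each with the format check it must still pass.
SAFE_FILES: Dict[str, Tuple[bytes, Callable[[bytes], bool]]] = {
    "pe": (minimal_pe(), is_pe),
    "elf": (minimal_elf(), is_elf),
}


def build_target_binaries(first_binary: bytes,
                          safe_files: Dict[str, Tuple[bytes, Callable[[bytes], bool]]] = SAFE_FILES
                          ) -> Dict[str, Tuple[bytes, int]]:
    """Append the second target file's bytes to each safe file, giving one target
    binary per safe-file type. Returns {type: (target_binary, overlay_offset)}, where
    overlay_offset is where the appended data starts."""
    targets: Dict[str, Tuple[bytes, int]] = {}
    for kind, (safe_bytes, check) in safe_files.items():
        target = safe_bytes + first_binary
        if not check(target):
            raise ValueError(f"{kind} safe file no longer parses after appending")
        targets[kind] = (target, len(safe_bytes))
    return targets


def overlay(target: bytes, offset: int) -> bytes:
    """Recover the appended bytes so a scanner can inspect the overlay explicitly."""
    return target[offset:]


# Constructed sample of a file in a format the IDS does not recognize.
SAMPLE_UNKNOWN = b"\x00\x01UNKNOWNFORMAT\xff" + b"payload-bytes" * 4

if __name__ == "__main__":
    for kind, (target, off) in build_target_binaries(SAMPLE_UNKNOWN).items():
        print(kind, len(target), "overlay at", off, overlay(target, off) == SAMPLE_UNKNOWN)
```

Keeping the overlay offset next to each target matters: the appended bytes sit after everything the PE or ELF headers describe, so a second intrusion detection policy that only walks header-described sections would never see them, and the engine should be pointed at the whole file or at the overlay explicitly.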
As shown in FIG. 2 and FIG. 3, an embodiment of the present invention provides a network intrusion detection apparatus. The apparatus embodiment may be implemented in software, in hardware, or in a combination of the two. At the hardware level, FIG. 2 is a hardware architecture diagram of the electronic device that hosts the network intrusion detection apparatus; besides the processor, memory, network interface and non-volatile storage shown in FIG. 2, that device may also include other hardware, such as a forwarding chip that processes packets. Taking a software implementation as an example, as shown in FIG. 3, the apparatus in the logical sense is formed by the CPU of the electronic device reading the corresponding computer program from non-volatile storage into memory and running it.
As shown in FIG. 3, the network intrusion detection apparatus provided in this embodiment includes:
a parsing module, configured to parse network traffic captured from the network device under inspection to obtain parsed data;
a detection module, configured to perform intrusion detection on the parsed data to obtain a target file, where the target file includes a first target file and a second target file, the first target file is a remote desktop protocol-based file, and the second target file is a file whose format cannot be recognized;
a first execution module, configured, when the first target file is obtained, to parse the current first target file to obtain its configuration items and to perform intrusion detection on the current first target file based on a preset first intrusion detection policy and those configuration items, where the first intrusion detection policy is determined based on all configuration items of known remote desktop protocol-based files;
a second execution module, configured, when the second target file is obtained, to append the first binary data corresponding to the current second target file to the end of the second binary data corresponding to a preset safe file to obtain target binary data, and to perform intrusion detection on the target binary data based on a preset second intrusion detection policy, where the safe files include a PE file and an ELF file and the second intrusion detection policy corresponds to the type of the safe file.
In one embodiment of the present invention, the first intrusion detection policy is determined as follows:
obtaining the score assigned to each configuration item of known remote desktop protocol-based files;
obtaining the result of the threat level classification of all configuration items of known remote desktop protocol-based files;
determining the threat threshold corresponding to each threat level based on the scores and the classification result;
determining the first intrusion detection policy based on the threat threshold corresponding to each threat level.
In one embodiment of the present invention, determining the threat threshold corresponding to each threat level based on the scores and the classification result includes:
determining the threat threshold corresponding to each threat level with the following formula:
V_i = \frac{1}{n} \sum_{j=1}^{n} C_{ij}
where V_i is the threat threshold of the i-th threat level, C_{ij} is the score of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
In one embodiment of the present invention, the first execution module is further configured to build a configuration-item score library from all configuration items of known remote desktop protocol-based files and the score corresponding to each configuration item;
and, when performing intrusion detection on the current first target file based on the preset first intrusion detection policy and the configuration items of the current first target file, the first execution module is configured to:
obtain a security reference value for the current first target file based on the configuration-item score library and the configuration items of the current first target file;
perform intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy.
In one embodiment of the present invention, when obtaining the security reference value of the current first target file based on the configuration-item score library and the configuration items of the current first target file, the first execution module is configured to:
obtain the security reference value of the current first target file with the following formula:
S = \sum_{j=1}^{k} D_j
where S is the security reference value of the current first target file, D_j is the score of the j-th configuration item in the current first target file, and k is the total number of configuration items in the current first target file.
In one embodiment of the present invention, when performing intrusion detection on the current first target file based on the security reference value and the first intrusion detection policy, the first execution module is configured to:
compare the security reference value with the threat threshold corresponding to each threat level included in the first intrusion detection policy to obtain the threat level of the current first target file, which completes the intrusion detection of the current first target file.
In one embodiment of the present invention, the second execution module is further configured, in response to the detection result that the second target file is a dangerous file, to release the network traffic corresponding to the second target file, so that the terminal device receiving that traffic monitors the process that invokes the second target file and can thereby determine that process to be a malicious process.
It will be understood that the structure illustrated in this embodiment does not specifically limit the network intrusion detection apparatus. In other embodiments of the present invention the apparatus may include more or fewer components than shown, combine some components, split some components, or arrange the components differently. The illustrated components may be implemented in hardware, in software, or in a combination of the two.
Because the information exchange between the modules of the apparatus and their execution flow are based on the same concept as the method embodiments of the present invention, the details can be found in the description of the method embodiments and are not repeated here.
An embodiment of the present invention also provides an electronic device including a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the network intrusion detection method of any embodiment of the present invention.
An embodiment of the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the network intrusion detection method of any embodiment of the present invention.
Specifically, a system or apparatus equipped with a storage medium may be provided, the storage medium storing software program code that implements the functions of any of the above embodiments, and the computer (or CPU or MPU) of that system or apparatus reads and executes the program code stored in the storage medium.
In that case the program code read from the storage medium itself implements the functions of any of the above embodiments, so the program code and the storage medium storing it form part of the present invention.
Examples of storage media for providing the program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW and DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server computer over a communication network.
It should also be clear that the functions of any of the above embodiments may be realized not only by executing the program code read by the computer, but also by having the operating system running on the computer perform some or all of the actual operations under instructions based on that program code.
It will likewise be understood that the program code read from the storage medium may be written into memory provided on an expansion board inserted into the computer or on an expansion module connected to the computer, after which a CPU on that expansion board or module performs some or all of the actual operations under instructions based on the program code, thereby realizing the functions of any of the above embodiments.
Note that in this document relational terms such as "first" and "second" serve only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between them. Moreover, the terms "comprise", "include" and any variants of them are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that comprises it.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be performed by hardware under program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
Finally, the above embodiments serve only to illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in those embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210845301.9A CN115086068B (en) | 2022-07-19 | 2022-07-19 | A network intrusion detection method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115086068A CN115086068A (en) | 2022-09-20 |
| CN115086068B true CN115086068B (en) | 2022-11-08 |
Family
ID=83259812
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116319057B (en) * | 2023-04-11 | 2024-10-11 | 华能信息技术有限公司 | A method for restoring HTTP traffic |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102043915A (en) * | 2010-11-03 | 2011-05-04 | 厦门市美亚柏科信息股份有限公司 | Method and device for detecting malicious code contained in non-executable file |
| CN103401872A (en) * | 2013-08-05 | 2013-11-20 | 北京工业大学 | Method for preventing and detecting man-in-the-middle attack based on improved RDP (Remote Desktop Protocol) |
| CN111324890A (en) * | 2018-12-14 | 2020-06-23 | 华为技术有限公司 | Processing method, detection method and device of portable executive body file |
| CN111865981A (en) * | 2020-07-20 | 2020-10-30 | 交通运输信息安全中心有限公司 | Network security vulnerability assessment system and method |
| CN114036042A (en) * | 2021-10-25 | 2022-02-11 | 杭州安恒信息技术股份有限公司 | Model testing method, device, computer and readable storage medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8769127B2 (en) * | 2006-02-10 | 2014-07-01 | Northrop Grumman Systems Corporation | Cross-domain solution (CDS) collaborate-access-browse (CAB) and assured file transfer (AFT) |
| US20210092136A1 (en) * | 2019-09-24 | 2021-03-25 | Pc Matic Inc | Protecting Against Remote Desktop Protocol Intrusions |
| CN112333203A (en) * | 2020-11-26 | 2021-02-05 | 哈尔滨工程大学 | RDP conversation method of high-interaction honeypot system based on man-in-the-middle technology |
-
2022
- 2022-07-19 CN CN202210845301.9A patent/CN115086068B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN115086068A (en) | 2022-09-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102580898B1 (en) | | System and method for selectively collecting computer forensics data using DNS messages |
| US11055411B2 (en) | | System and method for protection against ransomware attacks |
| CN101714931B (en) | | A kind of early warning method, equipment and system of unknown malicious code |
| US9306964B2 (en) | | Using trust profiles for network breach detection |
| US9178906B1 (en) | | Detecting and remediating malware dropped by files |
| US7752668B2 (en) | | Network virus activity detecting system, method, and program, and storage medium storing said program |
| US9094288B1 (en) | | Automated discovery, attribution, analysis, and risk assessment of security threats |
| US8239944B1 (en) | | Reducing malware signature set size through server-side processing |
| CN109583194B (en) | | System and method for detecting abnormal events based on popularity of convolution of events |
| US20160366159A1 (en) | | Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program |
| US20150244730A1 (en) | | System And Method For Verifying And Detecting Malware |
| US20090178140A1 (en) | | Network intrusion detection system |
| US11258812B2 (en) | | Automatic characterization of malicious data flows |
| CN113810408B (en) | | Network attack organization detection method, device, equipment and readable storage medium |
| CA2545916A1 (en) | | Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data |
| KR20090087437A (en) | | Traffic detection method and apparatus |
| CN105871883A (en) | | Advanced persistent threat detection method based on aggressive behavior analysis |
| CN113965419B (en) | | Method and device for judging attack success through reverse connection |
| US11973773B2 (en) | | Detecting and mitigating zero-day attacks |
| CN106797375A (en) | | The behavioral value of Malware agency |
| US12430437B2 (en) | | Specific file detection baked into machine learning pipelines |
| US20090276852A1 (en) | | Statistical worm discovery within a security information management architecture |
| US10296746B2 (en) | | Information processing device, filtering system, and filtering method |
| CN115086068B (en) | | A network intrusion detection method and device |
| US12445484B2 (en) | | Inline ransomware detection via server message block (SMB) traffic |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |