CN110430191A - Safe early warning method and device in dispatch data net based on protocol identification - Google Patents
- Publication number: CN110430191A (application CN201910720036.XA)
- Authority: CN (China)
- Prior art keywords: protocol, data, port, information, network
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L43/18: Protocol analysers (under H04L43/00, Arrangements for monitoring or testing data switching networks)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227, Filtering policies)
- H04L63/0263: Rule management (under H04L63/0227, Filtering policies)
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)
- H04L69/22: Parsing or analysis of headers (under H04L69/00, Network arrangements, protocols or services independent of the application payload)
Abstract
The invention discloses a protocol-identification-based security early-warning method and device for a power dispatching data network. The method comprises: preprocessing the data arriving at the network traffic entry point; performing protocol identification on the preprocessed data; and performing deep analysis and early warning on the data that has passed protocol identification. The invention has the advantage that, by monitoring and protecting the data in the entire dispatching data network, it provides security early warning for risk behaviours such as malicious intrusions present in the network.
Description
Technical field
The present invention relates to the monitoring of power dispatching data networks, and more particularly to a protocol-identification-based security early-warning method and device for a dispatching data network.
Background technique
In a dispatching data network, the industrial control system controls horizontal and vertical access mainly by means of forward and reverse isolation devices and vertical encryption devices, but it lacks effective monitoring and protection within each security zone. To improve the reliability, availability and controllability of the network, the protocol identification features of the network communication protocols, that is, the network protocol communication fingerprints, must be analysed; only then is it possible to control the flow and behaviour of information on the network and the propagation of information and content. The study of network protocol identification features is a hot and difficult topic for both academia and industry, and it is important foundational research for work such as network management and control, quality-of-service assurance, network measurement, network security and software security.
Chinese patent publication CN109388930A discloses a fingerprint-based protocol identification system for a power dispatching centre and its identification method. It comprises a fingerprint management module for entering, deleting and otherwise changing fingerprint records, which contains a fingerprint entry unit, a fingerprint deletion unit and a fingerprint database; a user identification module for collecting user fingerprints and determining the user's identity level, which contains a user fingerprint acquisition unit and a user identity level matching unit; a privilege module for assigning and enforcing the privileges of users at different identity levels, which contains a privilege determination unit, a privilege exercise unit and a database; and a system administrator module with which the administrator enters, deletes and changes the fingerprints of users at each identity level and assigns their privileges. Its advantage is that it avoids the security risks to the dispatching centre caused by unauthorized user operations. However, it only addresses the security risks caused by unauthorized user operations; it does not effectively monitor and protect the data in the entire dispatching data network, and it cannot provide security early warning for risk behaviours such as malicious intrusions present in the network.
Summary of the invention
The technical problem to be solved by the present invention is that the prior art cannot monitor and protect the data in the entire dispatching data network and therefore cannot provide security early warning for risk behaviours such as malicious intrusions present in the network.
The present invention solves the above technical problem by the following technical scheme: a protocol-identification-based security early-warning method for a dispatching data network, the method comprising:
Step 1: preprocessing the data arriving at the network traffic entry point;
Step 2: performing protocol identification on the preprocessed data;
Step 3: performing deep analysis and early warning on the data that has passed protocol identification.
Preferably, the preprocessing in step 1 includes packet header processing, application-layer port mapping, connection information management and external-network IP mapping:
the packet header processing includes extracting the network-layer and transport-layer header information of the network packets arriving at the traffic entry point;
the application-layer port mapping includes identifying, from the port number in the header information, the network protocol corresponding to that port number;
the connection information management includes identifying the control flow from the header information, parsing the control-flow information to obtain the address and port information of the service flow, establishing an association table to store that address and port information, and then identifying the service flow corresponding to the control flow from the address and port in the association table;
the external-network IP mapping includes identifying, from the header information, protocols that use a fixed server IP address.
Preferably, step 2 includes: using a protocol feature fingerprint library, performing feature matching on the content of the preprocessed network packets to determine the protocol type of each packet.
Preferably, the feature matching includes simple fingerprint matching, regular-expression fingerprint matching and custom fingerprint matching:
the simple fingerprint matching includes, based on the collected network protocol messages, matching the source/destination IP addresses, source/destination ports, transport-layer protocol, IP packet size and source/destination Ethernet addresses exchanged within the period against the protocol fingerprint feature library; information that differs from the library is reported and is not allowed through;
the regular-expression fingerprint matching includes extracting key content from the parsed control-flow information with regular expressions, then matching the source/destination IP addresses, source/destination ports, transport-layer protocol, IP packet size and source/destination Ethernet addresses of each host device in the network environment against the protocol fingerprint feature library; whatever cannot be matched is not allowed through;
the custom fingerprint matching includes separately analysing and compiling statistics on the information that neither simple nor regular-expression fingerprint matching could match against the protocol fingerprint feature library, and formulating custom recognition rules from it.
Preferably, the protocol fingerprint feature library is established as follows:
Step 51): screening protocol packets according to the collected protocol data and the defined preliminary rules;
Step 52): manually analysing the screened protocol packets and formulating protocol rules according to research standards;
Step 53): analysing similar protocol packets according to the protocol rules and extracting their similar features;
Step 54): summarizing the extracted similar features to generate the protocol fingerprint feature library.
As a further improvement of the above scheme, the similar features include any of port features, application-layer payload content features, flow-based statistical features and transport-layer behaviour features.
Preferably, step 3 includes: analysing in real time, according to the protocol feature fingerprint library, the protocol-identified data in the dispatching data network, establishing protocol filtering rules, and issuing security early warnings for malicious intrusion behaviour.
The present invention also provides a protocol-identification-based security early-warning device for a dispatching data network, the device comprising:
a preprocessing module for preprocessing the data arriving at the network traffic entry point;
a protocol identification module for performing protocol identification on the preprocessed data;
an early-warning module for performing deep analysis and early warning on the data that has passed protocol identification.
Preferably, the preprocessing of the data arriving at the network traffic entry point includes packet header processing, application-layer port mapping, connection information management and external-network IP mapping:
the packet header processing includes extracting the network-layer and transport-layer header information of the network packets arriving at the traffic entry point;
the application-layer port mapping includes identifying, from the port number in the header information, the network protocol corresponding to that port number;
the connection information management includes identifying the control flow from the header information, parsing the control-flow information to obtain the address and port information of the service flow, establishing an association table to store that address and port information, and then identifying the service flow corresponding to the control flow from the address and port in the association table;
the external-network IP mapping includes identifying, from the header information, protocols that use a fixed server IP address.
Preferably, the protocol identification module uses a protocol feature fingerprint library to perform feature matching on the content of the preprocessed network packets and determine the protocol type of each packet.
Compared with the prior art, the present invention has the following advantage: by preprocessing the data arriving at the network traffic entry point and performing protocol identification, the data is monitored and the required information obtained; in addition, a protocol fingerprint feature library is established in the dispatching data network, and the network traffic in the network is analysed and identified in real time according to the protocol fingerprint features; by establishing protocol filtering rules, malicious intrusion behaviour that may be present is discovered and warned of, so that the entire dispatching data network is protected and network security is guaranteed.
Description of the drawings
Fig. 1 is a flow chart of the protocol-identification-based security early-warning method for a dispatching data network provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the principle of the protocol-identification-based security early-warning method for a dispatching data network provided in an embodiment of the present invention;
Fig. 3 is a flow chart of the process for establishing the protocol fingerprint feature library in the protocol-identification-based security early-warning method for a dispatching data network provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the principle of the process for establishing the protocol fingerprint feature library in the protocol-identification-based security early-warning method for a dispatching data network provided in an embodiment of the present invention.
Specific embodiments
The embodiments of the present invention are described in detail below. The embodiments are implemented on the premise of the technical scheme of the present invention, and detailed implementation methods and specific operating procedures are given, but the scope of protection of the present invention is not limited to the following embodiments.
Fig. 1 is a flow chart, and Fig. 2 a schematic diagram of the principle, of the protocol-identification-based security early-warning method for a dispatching data network provided in an embodiment of the present invention. The protocol-identification-based security early-warning method for a dispatching data network provided by the present invention comprises:
Step S1: preprocessing the data arriving at the network traffic entry point.
The preprocessing includes packet header processing, application-layer port mapping, connection information management and external-network IP mapping.
The packet header processing includes extracting the network-layer and transport-layer header information of the network packets arriving at the traffic entry point. The extracted header information includes the source IP address, source communication port, destination IP address, destination communication port and transport protocol type. The extraction proceeds as follows: according to the header format of the network packet, the header fields are read to obtain the packet's source IP address, source communication port, destination IP address, destination communication port and transport protocol type, and the obtained information is stored; fragmented network packets are reassembled; the network packets that carry the same five-tuple are marked as the same flow and passed to the next layer. Here the five-tuple means the source IP address, source communication port, destination IP address, destination communication port and transport protocol type.
The application-layer port mapping includes identifying, from the port number in the header information, the network protocol corresponding to that port number. The port-based recognition method only needs to inspect the port number in the packet header to recognize the corresponding network protocol, so it is the simplest and fastest traffic recognition method. However, in order to evade detection, more and more network applications and protocols commonly use randomly hopping port numbers, and some even occupy standard ports; for example, certain classes of application transmit their data over such a port. In this situation the port identification method fails. Therefore the preprocessing of the data arriving at the traffic entry point does not rely on application-layer port mapping alone but also performs packet header processing, connection information management and external-network IP mapping, so that the recognition method remains effective, every packet can be identified, and the data loss caused by the limitations of a single identification method is avoided.
The connection information management identifies the control flow from the header information, parses the control-flow information to obtain the address and port information of the service flow, establishes an association table to store that address and port information, and then identifies the service flow corresponding to the control flow from the address and port in the association table. Connection information management targets data services in which the control flow and the service flow are separated. This kind of network protocol does not transmit its data in a single flow but communicates with separate control and service flows. In this case the data flow often has no obvious features, and inspecting each flow individually makes it difficult to guarantee the accuracy and hit rate of identification. Analysing the control flow and the service flow separately shows that the control flow, which connects to the server and exchanges signalling, has obvious features of the application, whereas the service flow typically carries plain data with no obvious features. But the two are closely connected: the control flow is always established before the service flow, and the control flow contains the address, port and similar information of the service flow. Application-layer gateway technology therefore first identifies the control flow by its "features", parses the control-flow information to obtain the address and port information of the service flow, establishes an association table to store those addresses and ports, and then identifies the service flow corresponding to the control flow from the address and port in the association table.
The external-network IP mapping includes identifying, from the header information, protocols that use a fixed server IP address. By analysing the data messages generated while a given application communicates, the feature strings of that application are extracted, and unknown traffic is identified by those features; a feature string may be a protocol with a fixed server IP address, so the external-network IP mapping can ultimately identify, from the header information, protocols that use a fixed server IP address.
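As an added example, not part of the patent, the preprocessing of step S1 in Python: raw IPv4/TCP/UDP headers are parsed into the five-tuple, packets sharing a five-tuple are grouped into flows, ports are looked up in a constructed port table, an FTP passive-mode reply serves as a concrete instance of a control flow announcing its service flow so that the association table can be filled, and a constructed fixed-server-IP table stands in for the external-network IP mapping. The tables, addresses and the choice of FTP are assumptions; fragment reassembly is omitted.

```python
import re
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed lookup tables standing in for the patent's port-mapping and
# external-network IP-mapping data (the patent gives no concrete values).
PORT_MAP = {("tcp", 21): "ftp-control", ("tcp", 80): "http", ("tcp", 2404): "iec104"}
FIXED_SERVER_IPS = {"203.0.113.10": "vendor-update-service"}  # hypothetical
PROTO_NAMES = {6: "tcp", 17: "udp"}
# FTP passive-mode reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the
# control flow announces the address and port of the coming data (service) flow.
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def build_packet(src, sport, dst, dport, proto, payload=b""):
    """Construct a raw IPv4 packet with a 20-byte TCP or 8-byte UDP header (test input)."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     6 if proto == "tcp" else 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + l4 + payload


def parse_packet(frame):
    """Packet header processing: read the header format and return (five_tuple, payload)."""
    ihl = (frame[0] & 0x0F) * 4
    proto = PROTO_NAMES.get(frame[9])
    if proto is None:
        return None  # other transports are not handled in this example
    src = str(IPv4Address(frame[12:16]))
    dst = str(IPv4Address(frame[16:20]))
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    l4_len = (frame[ihl + 12] >> 4) * 4 if proto == "tcp" else 8
    return (src, sport, dst, dport, proto), frame[ihl + l4_len:]


def group_flows(frames):
    """Packets sharing one five-tuple are marked as one flow (fragment reassembly omitted)."""
    flows = defaultdict(list)
    for frame in frames:
        parsed = parse_packet(frame)
        if parsed:
            key, payload = parsed
            flows[key].append(payload)
    return flows


def learn_associations(flows):
    """Connection information management: parse control flows into the association table."""
    assoc = {}
    for (src, sport, dst, dport, proto), payloads in flows.items():
        if PORT_MAP.get((proto, sport)) != "ftp-control":
            continue  # only server-to-client replies on the control flow carry PASV
        for payload in payloads:
            m = PASV_RE.search(payload)
            if m:
                h = [int(x) for x in m.groups()]
                data_ip = ".".join(str(x) for x in h[:4])
                assoc[(data_ip, h[4] * 256 + h[5], "tcp")] = "ftp-data"
    return assoc


def classify_flows(flows, assoc):
    """Port mapping first, then the association table, then external-IP mapping."""
    result = {}
    for key in flows:
        src, sport, dst, dport, proto = key
        label = PORT_MAP.get((proto, dport)) or PORT_MAP.get((proto, sport))
        if label is None:
            label = assoc.get((dst, dport, proto)) or assoc.get((src, sport, proto))
        if label is None:
            label = FIXED_SERVER_IPS.get(dst) or FIXED_SERVER_IPS.get(src)
        result[key] = label or "unknown"
    return result


def demo():
    """Constructed traffic: FTP control + passive data flow, IEC 104, a fixed-IP service, noise."""
    frames = [
        build_packet("10.0.0.5", 21, "10.0.0.9", 40001, "tcp",
                     b"227 Entering Passive Mode (10,0,0,5,19,136)\r\n"),
        build_packet("10.0.0.9", 40002, "10.0.0.5", 19 * 256 + 136, "tcp", b"file bytes"),
        build_packet("10.0.0.9", 40003, "10.0.0.7", 2404, "tcp", b"\x68\x04\x07\x00\x00\x00"),
        build_packet("10.0.0.9", 50000, "203.0.113.10", 4433, "udp", b"\x01\x02"),
        build_packet("10.0.0.9", 50001, "198.51.100.2", 31337, "tcp", b"\x00\x01"),
    ]
    flows = group_flows(frames)
    return classify_flows(flows, learn_associations(flows))


if __name__ == "__main__":
    for key, label in demo().items():
        print(key, "->", label)
```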
Step S2: performing protocol identification on the preprocessed data.
Step S2 includes: using the protocol feature fingerprint library, performing feature matching on the content of the preprocessed network packets to determine the protocol type of each packet.
The feature matching includes simple fingerprint matching, regular-expression fingerprint matching and custom fingerprint matching:
the simple fingerprint matching includes, based on the collected network protocol messages, matching the source/destination IP addresses, source/destination ports, transport-layer protocol, IP packet size and source/destination Ethernet addresses exchanged within the period against the protocol fingerprint feature library; information that differs from the library is reported and is not allowed through;
the regular-expression fingerprint matching includes extracting key content from the parsed control-flow information with regular expressions, then matching the source/destination IP addresses, source/destination ports, transport-layer protocol, IP packet size and source/destination Ethernet addresses of each host device in the network environment against the protocol fingerprint feature library; whatever cannot be matched is not allowed through;
the custom fingerprint matching includes separately analysing and compiling statistics on the information that neither simple nor regular-expression fingerprint matching could match against the protocol fingerprint feature library, and formulating custom recognition rules from it.
Specifically, Fig. 3 is a flow chart, and Fig. 4 a schematic diagram of the principle, of the process for establishing the protocol fingerprint feature library in the protocol-identification-based security early-warning method for a dispatching data network provided in an embodiment of the present invention. The protocol fingerprint feature library is established as follows:
S51): screening protocol packets according to the collected protocol data and the defined preliminary rules;
S52): manually analysing the screened protocol packets and formulating protocol rules according to research standards;
S53): analysing similar protocol packets according to the protocol rules and extracting their similar features. Similar protocol packets are protocol packets that have similar features, and similar features are features that share the same attribute or the same decision rule. In the present invention the similar features include any of port features, application-layer payload content features, flow-based statistical features and transport-layer behaviour features; each is described in detail below.
Port feature: the transport-layer protocol multiplexes and demultiplexes application-layer protocols by port, so the transport-layer port in a packet indicates the category of application-layer protocol it belongs to. However, there is no mandatory rule on the use of ports: what IANA (the Internet Assigned Numbers Authority) publishes are suggested ports, and a protocol may choose its own port in its specific implementation. Even for protocols that use a fixed port, taking the port as the protocol feature is not necessarily accurate, because there is no guarantee that different protocols use different ports; for example, the QQ text chat protocol uses UDP port 8000, and the Xunlei (Thunder) download service likewise uses UDP port 8000. In short, for protocols that use a standard application-layer protocol as their bearer layer, port-based identification produces many useless results. In the present invention the port feature is extracted by counting the transport protocol types of the network packets arriving at the traffic entry point; the transport-layer ports that carry the same transport protocol type possess a port feature, and for the network packets with a port feature the transport-layer port and the corresponding transport protocol type are stored.
Application-layer payload content feature: a network protocol consists of three elements, syntax, semantics and timing. Syntax defines the format of the packets, semantics defines the interpretation of the exchanged data and the actions to be taken, and timing defines the order of the data exchange; together the three make up the process and content of the interaction between the two parties in data communication. These contents are essentially the same across repeated communication sessions, that is, the semantic information the two parties need to express has a certain stability, which ensures that some content values in the protocol data are relatively fixed. In most cases a protocol, to allow for later extension and upgrades, reserves some space in its design, called reserved fields, which the current version does not use and sets to a random or a fixed value. When these reserved fields are set to fixed values, certain contents of the protocol data appear constant. In sum, protocol data with such fixed values forms the string or byte-string features commonly used in existing identification techniques based on application-layer payload content features; typical feature forms are feature strings at fixed positions, feature strings at variable positions, and ordered sequences of multiple feature strings. In the present invention the application-layer payload content feature is extracted by taking from the network packets the fixed-position feature strings, variable-position feature strings or ordered sequences of multiple feature strings; any of these may serve as the application-layer payload content feature, and all packets sharing the same fixed-position feature string, variable-position feature string or ordered sequence of feature strings are the network packets that have that application-layer payload content feature.
Flow-based statistical feature: network packets of different protocols exhibit some relatively fixed external features during transmission. For example, in a VoIP protocol the inter-packet interval stays near a fixed value, the packets are small and their lengths are similar, which clearly distinguishes it from bulk-transfer protocols. In bulk-transfer protocols the inter-packet interval is not fixed and, to make full use of the network bandwidth and reduce the share of bandwidth taken by overhead such as packet headers, transmission uses packets as large as possible. Traffic statistical features depend partly on the behaviour of the application-layer protocol and partly on the specific network environment; an identification approach based on traffic statistics can exclude the influence of certain network environments and uses these features to build an identification model for protocol identification. In the present invention the flow-based statistical feature is extracted by transmitting the network packets repeatedly in advance, recording during transmission the fixed feature unique to each packet (for example an inter-packet interval that stays near a fixed value), and building an identification model. Because the model stores the feature of each packet, for the packets currently being transmitted the transport protocol type can be obtained from the header format of the packet corresponding to the feature, and the information of the packets having the same feature is extracted and stored as the extracted similar flow-based statistical feature.
Transport layer behavioural characteristic is a kind of protocol characteristic in larger scope, and the agreement of some network architectures naturally shows
Certain features for being different from the agreement using master-slave network framework out, are such as communicated with certain Single port on particular host remote
Hold the distribution situation of port.It is mainly used in the identification of flow, it is fixed by the information of the multiple sessions for belonging to same agreement of synthesis
The behavioural characteristic of adopted agreement.It is to belong in the all-network data packet for transmission together that transport layer behavioural characteristic is extracted in the present invention
The network data package informatin of one transport protocol is defined as transport layer behavioural characteristic, for the data with transport layer behavioural characteristic into
Row is extracted and is stored.
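As an added illustration that is not part of the patent, the following Python computes the two features this passage describes over a constructed packet trace: the inter-packet time gap per flow (the "fixed value" statistical feature) and the distribution of remote ports that talk to one port on one host (the transport-layer behavioural feature). The trace, the 192.0.2.0/24 addresses, the 5% spread tolerance and all function names are my assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet trace: (time_s, src, sport, dst, dport). 192.0.2.0/24 is
# RFC 5737 documentation space. A master polls a Modbus slave at a fixed
# interval, a second client talks to the same port from changing ephemeral
# ports, and a third flow to port 102 has irregular timing.
TRACE = [
    (0.0, "192.0.2.20", 40000, "192.0.2.5", 502),
    (1.0, "192.0.2.20", 40000, "192.0.2.5", 502),
    (2.0, "192.0.2.20", 40000, "192.0.2.5", 502),
    (3.0, "192.0.2.20", 40000, "192.0.2.5", 502),
    (4.0, "192.0.2.20", 40000, "192.0.2.5", 502),
    (0.5, "192.0.2.99", 51000, "192.0.2.5", 502),
    (0.6, "192.0.2.99", 51001, "192.0.2.5", 502),
    (0.7, "192.0.2.99", 51002, "192.0.2.5", 502),
    (0.0, "192.0.2.30", 50001, "192.0.2.5", 102),
    (0.3, "192.0.2.30", 50001, "192.0.2.5", 102),
    (1.9, "192.0.2.30", 50001, "192.0.2.5", 102),
    (2.0, "192.0.2.30", 50001, "192.0.2.5", 102),
]


def interval_feature(trace, tol=0.05):
    """Traffic-based statistical feature: per flow, the mean inter-packet gap and
    whether that gap is effectively fixed (relative spread <= tol, an assumed cutoff)."""
    gaps, last = defaultdict(list), {}
    for t, src, sport, dst, dport in sorted(trace):
        key = (src, sport, dst, dport)
        if key in last:
            gaps[key].append(t - last[key])
        last[key] = t
    out = {}
    for key, g in gaps.items():
        if len(g) >= 2:                      # at least two gaps are needed to judge spread
            m = mean(g)
            out[key] = (round(m, 3), m > 0 and pstdev(g) / m <= tol)
    return out


def remote_port_distribution(trace, host, port):
    """Transport-layer behavioural feature: the remote (addr, port) pairs that
    exchanged packets with host:port, with a packet count for each."""
    counts = defaultdict(int)
    for _, src, sport, dst, dport in trace:
        if (dst, dport) == (host, port):
            counts[(src, sport)] += 1
        elif (src, sport) == (host, port):
            counts[(dst, dport)] += 1
    return dict(counts)


def ports_per_remote_host(dist):
    """Distinct remote ports per remote host: one port looks like a fixed
    master/slave pairing, many ports is a different behaviour worth a closer look."""
    hosts = defaultdict(set)
    for addr, port in dist:
        hosts[addr].add(port)
    return {addr: len(ports) for addr, ports in hosts.items()}


if __name__ == "__main__":
    for flow, (gap, fixed) in interval_feature(TRACE).items():
        print(flow, "mean gap", gap, "fixed" if fixed else "irregular")
    dist = remote_port_distribution(TRACE, "192.0.2.5", 502)
    print(ports_per_remote_host(dist))
```

The polling flow comes out with a fixed 1.0 s gap, the port-102 flow is flagged irregular, and the per-host port count separates the single-port master from the client that keeps changing source ports; both features are computed from headers only, so they work even when the payload cannot be fingerprinted.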
S54): the extracted similar features are summarized to generate the protocol fingerprint feature library.
Step S3: the data that has passed protocol identification is subjected to deep analysis and early warning.
Step S3 comprises: according to the protocol feature fingerprint library, analyzing in real time the data in the dispatch data network that has passed protocol identification, establishing protocol filtering rules, and issuing security early warnings for malicious intrusion behaviour.
The present invention also provides a security early warning device based on protocol identification in a dispatch data network, the device comprising:
a preprocessing module for preprocessing the data entering at the network traffic ingress;
a protocol identification module for performing protocol identification on the preprocessed data;
an early warning module for performing deep analysis and early warning on the data that has passed protocol identification.
Specifically, preprocessing the data entering at the network traffic ingress includes data packet header processing, application layer port mapping, link information management and outer-network IP mapping:
the data packet header processing includes extracting the network layer and transport layer header information of the network packets entering at the network traffic ingress;
the application layer port mapping includes identifying, from the port number in the header information, the network protocol corresponding to that port number;
the link information management includes identifying the control stream in the header information, parsing the control stream information to obtain the address and port information of the business stream, establishing an association table to store the address and port information, and then identifying, from the address and port in the association table, the business stream corresponding to the control stream;
the outer-network IP mapping includes identifying, in the header information, protocols that have a fixed server IP address.
Specifically, the protocol identification module performs feature matching on the content of the preprocessed network packets using the protocol feature fingerprint library and determines the protocol type of each network packet.
Specifically, the feature matching includes simple fingerprint matching, regular-expression fingerprint matching and custom fingerprint matching:
the simple fingerprint matching: according to the collected network protocol messages, the source/destination IP addresses, source/destination ports, transport layer protocol, IP packet size and source/destination Ethernet addresses exchanged within the period are matched against the protocol fingerprint feature library; information that differs from the protocol fingerprint feature library triggers an information reminder and is not let through;
the regular-expression fingerprint matching: key content is extracted from the parsed control stream information using regular expressions, and then the source/destination IP addresses, source/destination ports, transport layer protocol, IP packet size and source/destination Ethernet addresses of each host device in the network environment are matched against the protocol fingerprint feature library; whatever cannot be matched is not let through;
the custom fingerprint matching: information that neither simple fingerprint matching nor regular-expression fingerprint matching can match against the protocol fingerprint feature library is analyzed and counted separately, and custom recognition rules are formulated from it.
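The preprocessing steps (header extraction, application layer port mapping, link information management, outer-network IP mapping), the simple and regular-expression fingerprint matching, and the early warning decision of step S3 can be seen end to end in the following Python. It is an added example and not the patent's own code: the mapping tables, the fingerprint library entries and their size ranges, the use of an FTP PORT command as the control stream, and the constructed IPv4 packets in 192.0.2.0/24 are all my assumptions. The "alert" verdict is the "information reminder, not let pass" outcome the description gives for traffic that does not fit the library.

```python
import re
import struct
from typing import Optional

# Constructed stand-ins for the preprocessing tables. 502 (Modbus/TCP), 20000
# (DNP3), 102 (ISO-TSAP) and 21 (FTP control) are the usual port assignments;
# 192.0.2.0/24 is RFC 5737 documentation space. Everything else is assumed.
PORT_MAP = {502: "modbus", 20000: "dnp3", 102: "iso-tsap", 21: "ftp-control"}  # app-layer port mapping
FIXED_SERVER_MAP = {("192.0.2.10", 123): "ntp"}                                  # outer-network IP mapping

# Protocol fingerprint feature library: (name, transport, dport, min/max IP
# packet size, optional payload pattern). The Modbus pattern checks the MBAP
# protocol identifier (bytes 2-3 == 0x0000); the size ranges are constructed.
FINGERPRINTS = [
    ("modbus", "tcp", 502, 40, 300, re.compile(rb"^.{2}\x00\x00", re.S)),
    ("ftp-control", "tcp", 21, 40, 200, re.compile(rb"^[A-Z]{3,4} ")),
    ("ntp", "udp", 123, 76, 76, None),
]
# Regular-expression key-content extraction from the control stream; an FTP
# PORT command is my assumption for what the control stream carries.
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_headers(pkt: bytes) -> Optional[dict]:
    """Data packet header processing: IPv4 network layer + TCP/UDP transport layer fields."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    off = (l4[12] >> 4) * 4 if proto == 6 else 8          # TCP data offset / UDP header length
    return dict(src=".".join(map(str, pkt[12:16])), dst=".".join(map(str, pkt[16:20])),
                transport="tcp" if proto == 6 else "udp", sport=sport, dport=dport,
                size=struct.unpack("!H", pkt[2:4])[0], payload=l4[off:])


def update_association(table: dict, hdr: dict) -> None:
    """Link information management: store the business stream a control stream announces."""
    m = PORT_CMD.match(hdr["payload"])
    if hdr["dport"] == 21 and m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        table[(f"{a}.{b}.{c}.{d}", p1 * 256 + p2)] = "ftp-data"


def match_fingerprint(hdr: dict) -> Optional[str]:
    """Simple fingerprint matching: the first library entry the packet fits, else None."""
    for name, transport, dport, lo, hi, pat in FINGERPRINTS:
        if ((transport, dport) == (hdr["transport"], hdr["dport"])
                and lo <= hdr["size"] <= hi
                and (pat is None or pat.search(hdr["payload"]))):
            return name
    return None


def classify(packets):
    """One (protocol, verdict) per packet; 'alert' means information reminder, not let pass."""
    assoc, results = {}, []
    for pkt in packets:
        hdr = parse_headers(pkt)
        if hdr is None:
            results.append(("unparsed", "alert"))
            continue
        update_association(assoc, hdr)
        key = (hdr["dst"], hdr["dport"])
        name = assoc.get(key) or match_fingerprint(hdr)   # announced business stream or library hit
        if name:
            results.append((name, "pass"))
        else:
            # The port or fixed-server mapping may name a protocol the packet
            # does not actually fit: flag it rather than trust the port number.
            claimed = FIXED_SERVER_MAP.get(key) or PORT_MAP.get(hdr["dport"])
            results.append((f"{claimed}?" if claimed else "unknown", "alert"))
    return results


def build_packet(src, dst, sport, dport, payload=b"", transport="tcp") -> bytes:
    """Constructed raw IPv4 packet for sample input (checksums left at zero)."""
    if transport == "tcp":
        l4, proto = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0), 6
    else:
        l4, proto = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + l4


def sample_packets():
    """Constructed trace: a Modbus read, a Modbus packet with a bad MBAP protocol id,
    an FTP PORT command, the data stream it announces, an NTP request, an unknown flow."""
    return [
        build_packet("192.0.2.20", "192.0.2.5", 40000, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
        build_packet("192.0.2.20", "192.0.2.5", 40001, 502, b"\x00\x01\x12\x34\x00\x06\x01\x03\x00\x00\x00\x0a"),
        build_packet("192.0.2.20", "192.0.2.5", 50000, 21, b"PORT 192,0,2,20,4,1\r\n"),
        build_packet("192.0.2.5", "192.0.2.20", 20, 1025, b"file contents"),
        build_packet("192.0.2.20", "192.0.2.10", 123, 123, b"\x23" + b"\x00" * 47, "udp"),
        build_packet("192.0.2.20", "192.0.2.5", 40002, 4444, b"hello"),
    ]


if __name__ == "__main__":
    for proto, verdict in classify(sample_packets()):
        print(f"{verdict:5} {proto}")
```

The second Modbus packet is the case the description's "information reminder" is for: port mapping alone would label it Modbus, but the fingerprint check on the MBAP header fails, so it is reported as "modbus?" and not let through. The FTP data stream passes only because the association table learned its address and port from the PORT command in the control stream; without that step it would have been an unknown flow on an ephemeral port.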
Specifically, Fig. 3 is a flow chart of the process for establishing the protocol fingerprint feature library in the security early warning method based on protocol identification in a dispatch data network provided by an embodiment of the present invention, and Fig. 4 is a schematic diagram of that establishment process. The protocol fingerprint feature library is established as follows:
S51): protocol data packets are screened according to the collected protocol data and the defined preliminary rules;
S52): the screened protocol data packets are analyzed manually, and protocol rules are formulated according to the research standard;
S53): data analysis is carried out on similar protocol data packets according to the protocol rules, and similar features are extracted;
S54): the extracted similar features are summarized to generate the protocol fingerprint feature library.
The similar features include any of port features, application layer payload content features, traffic-based statistical features and transport layer behavioural features.
The early warning module is further configured to analyze in real time, according to the protocol feature fingerprint library, the data in the dispatch data network that has passed protocol identification, to establish protocol filtering rules, and to issue security early warnings for malicious intrusion behaviour.
Through the above technical solution, the security early warning method and device based on protocol identification in a dispatch data network provided by the present invention have the advantage of monitoring and protecting the data in the entire dispatch data network and issuing security early warnings for risk behaviours such as malicious intrusions present in the dispatch data network. The present invention collects network packets, screens them by defined preliminary rules, summarizes their general characteristics, and studies the model of protocol fingerprints and its formal description method. Protocol formats and protocol rules are studied and analyzed in combination with existing industrial control protocol standards and their design philosophy. Finally, by long-term tracking of all types of packets of a given protocol, the corresponding fingerprint data is extracted and a protocol fingerprint feature library for the dispatch data network is established. According to the protocol fingerprint features, the traffic in the dispatch data network is analyzed and identified in real time. By establishing protocol filtering rules, malicious intrusion behaviour that may be present is found, that is, when the system is under attack the attacking network data flow can be discovered immediately, so as to guarantee the network security of the industrial control system.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the invention; any modifications, equivalent replacements and improvements made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.
Claims (10)
1. A security early warning method based on protocol identification in a dispatch data network, characterized in that the method comprises:
Step 1: preprocessing the data entering at the network traffic ingress;
Step 2: performing protocol identification on the preprocessed data;
Step 3: performing deep analysis and early warning on the data that has passed protocol identification.
2. The security early warning method based on protocol identification in a dispatch data network according to claim 1, characterized in that the preprocessing in step 1 comprises data packet header processing, application layer port mapping, link information management and outer-network IP mapping, wherein:
the data packet header processing comprises extracting the network layer and transport layer header information of the network packets entering at the network traffic ingress;
the application layer port mapping comprises identifying, from the port number in the header information, the network protocol corresponding to that port number;
the link information management comprises identifying the control stream in the header information, parsing the control stream information to obtain the address and port information of the business stream, establishing an association table to store the address and port information, and then identifying, from the address and port in the association table, the business stream corresponding to the control stream;
the outer-network IP mapping comprises identifying, in the header information, protocols that have a fixed server IP address.
3. The security early warning method based on protocol identification in a dispatch data network according to claim 2, characterized in that step 2 comprises: performing feature matching on the content of the preprocessed network packets using the protocol feature fingerprint library, and determining the protocol type of the network packets.
4. The security early warning method based on protocol identification in a dispatch data network according to claim 3, characterized in that the feature matching comprises simple fingerprint matching, regular-expression fingerprint matching and custom fingerprint matching, wherein:
the simple fingerprint matching comprises matching, according to the collected network protocol messages, the source/destination IP addresses, source/destination ports, transport layer protocol, IP packet size and source/destination Ethernet addresses exchanged within the period against the protocol fingerprint feature library, and issuing an information reminder for, and not letting through, information that differs from the protocol fingerprint feature library;
the regular-expression fingerprint matching comprises extracting key content from the parsed control stream information using regular expressions, then matching the source/destination IP addresses, source/destination ports, transport layer protocol, IP packet size and source/destination Ethernet addresses of each host device in the network environment against the protocol fingerprint feature library, and not letting them through if they cannot be matched;
the custom fingerprint matching comprises separately analyzing and counting the information that simple fingerprint matching and regular-expression fingerprint matching cannot match against the protocol fingerprint feature library, and formulating custom recognition rules.
5. The security early warning method based on protocol identification in a dispatch data network according to claim 3, characterized in that the protocol fingerprint feature library is established as follows:
Step 51): screening protocol data packets according to the collected protocol data and the defined preliminary rules;
Step 52): manually analyzing the screened protocol data packets and formulating protocol rules according to the research standard;
Step 53): performing data analysis on similar protocol data packets according to the protocol rules and extracting similar features;
Step 54): summarizing the extracted similar features to generate the protocol fingerprint feature library.
6. The security early warning method based on protocol identification in a dispatch data network according to claim 5, characterized in that the similar features include any of port features, application layer payload content features, traffic-based statistical features and transport layer behavioural features.
7. The security early warning method based on protocol identification in a dispatch data network according to claim 1, characterized in that step 3 comprises: analyzing in real time, according to the protocol feature fingerprint library, the data in the dispatch data network that has passed protocol identification, establishing protocol filtering rules, and issuing security early warnings for malicious intrusion behaviour.
8. A security early warning device based on protocol identification in a dispatch data network, characterized in that the device comprises:
a preprocessing module for preprocessing the data entering at the network traffic ingress;
a protocol identification module for performing protocol identification on the preprocessed data;
an early warning module for performing deep analysis and early warning on the data that has passed protocol identification.
9. The security early warning device based on protocol identification in a dispatch data network according to claim 8, characterized in that preprocessing the data entering at the network traffic ingress comprises data packet header processing, application layer port mapping, link information management and outer-network IP mapping, wherein:
the data packet header processing comprises extracting the network layer and transport layer header information of the network packets entering at the network traffic ingress;
the application layer port mapping comprises identifying, from the port number in the header information, the network protocol corresponding to that port number;
the link information management comprises identifying the control stream in the header information, parsing the control stream information to obtain the address and port information of the business stream, establishing an association table to store the address and port information, and then identifying, from the address and port in the association table, the business stream corresponding to the control stream;
the outer-network IP mapping comprises identifying, in the header information, protocols that have a fixed server IP address.
10. The security early warning method based on protocol identification in a dispatch data network according to claim 9, characterized in that the protocol identification module performs feature matching on the content of the preprocessed network packets using the protocol feature fingerprint library and determines the protocol type of the network packets.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910720036.XA CN110430191A (en) | 2019-08-06 | 2019-08-06 | Safe early warning method and device in dispatch data net based on protocol identification |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910720036.XA CN110430191A (en) | 2019-08-06 | 2019-08-06 | Safe early warning method and device in dispatch data net based on protocol identification |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110430191A true CN110430191A (en) | 2019-11-08 |
Family
ID=68414341
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910720036.XA Pending CN110430191A (en) | 2019-08-06 | 2019-08-06 | Safe early warning method and device in dispatch data net based on protocol identification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110430191A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102082762A (en) * | 2009-11-30 | 2011-06-01 | 华为技术有限公司 | Protocol identification method and device and system for same |
US20120203877A1 (en) * | 2010-07-14 | 2012-08-09 | Domanicom Corporation | Devices, systems, and methods for enabling reconfiguration of services supported by a network of devices |
CN103401863A (en) * | 2013-07-30 | 2013-11-20 | 北京奇虎科技有限公司 | Network data flow analysis method and network data flow analysis device based on cloud security |
CN104320304A (en) * | 2014-11-04 | 2015-01-28 | 武汉虹信技术服务有限责任公司 | Multimode integration core network user traffic application identification method easy to expand |
US9049099B2 (en) * | 2010-08-05 | 2015-06-02 | Cisco Technology, Inc. | Label distribution protocol advertisement of services provided by application nodes |
CN106372513A (en) * | 2016-08-25 | 2017-02-01 | 北京知道未来信息技术有限公司 | Software fingerprint database-based software identification method and apparatus |
CN107968791A (en) * | 2017-12-15 | 2018-04-27 | 杭州迪普科技股份有限公司 | A kind of detection method and device of attack message |
CN109391700A (en) * | 2018-12-12 | 2019-02-26 | 北京华清信安科技有限公司 | Internet of Things safe cloud platform based on depth traffic aware |
CN109995740A (en) * | 2018-01-02 | 2019-07-09 | 国家电网公司 | Threat detection method based on depth protocal analysis |
2019
- 2019-08-06 CN CN201910720036.XA patent/CN110430191A/en active Pending
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111200652A (en) * | 2019-12-31 | 2020-05-26 | 奇安信科技集团股份有限公司 | Application identification method, application identification device and computing device |
CN111526121B (en) * | 2020-03-24 | 2022-03-04 | 杭州迪普科技股份有限公司 | Intrusion prevention method and device, electronic equipment and computer readable medium |
CN111526121A (en) * | 2020-03-24 | 2020-08-11 | 杭州迪普科技股份有限公司 | Intrusion prevention method and device, electronic equipment and computer readable medium |
CN111786971A (en) * | 2020-06-19 | 2020-10-16 | 杭州安恒信息技术股份有限公司 | Host blasting attack defense method and device and computer equipment |
EP4224787A4 (en) * | 2020-11-10 | 2024-03-27 | Huawei Technologies Co., Ltd. | Network security protection method and device |
CN113204570A (en) * | 2021-04-14 | 2021-08-03 | 福建星瑞格软件有限公司 | Database protocol identification method and device based on data characteristics |
CN112995207A (en) * | 2021-04-16 | 2021-06-18 | 远江盛邦(北京)网络安全科技股份有限公司 | Fingerprint identification and exposed surface risk assessment method for network assets |
CN112995207B (en) * | 2021-04-16 | 2021-09-10 | 远江盛邦(北京)网络安全科技股份有限公司 | Fingerprint identification and exposed surface risk assessment method for network assets |
CN113608504A (en) * | 2021-04-21 | 2021-11-05 | 北京智慧空间科技有限责任公司 | Self-adaptive wind field information acquisition method and device, medium and wind power system |
CN113608504B (en) * | 2021-04-21 | 2022-07-19 | 北京智慧空间科技有限责任公司 | Self-adaptive wind field information acquisition method and device, medium and wind power system |
CN113542275A (en) * | 2021-07-15 | 2021-10-22 | 国家能源集团科学技术研究院有限公司 | Vulnerability discovery method for power plant industrial control system |
CN114095243A (en) * | 2021-11-18 | 2022-02-25 | 许昌许继软件技术有限公司 | A configuration-based data filtering method |
CN114338244A (en) * | 2022-03-10 | 2022-04-12 | 中科边缘智慧信息科技(苏州)有限公司 | Equipment network behavior classification recording method and device and backtracking evidence-proving method and device |
CN114338244B (en) * | 2022-03-10 | 2022-05-20 | 中科边缘智慧信息科技(苏州)有限公司 | Equipment network behavior classification recording method and device and backtracking evidence-proving method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110430191A (en) | Safe early warning method and device in dispatch data net based on protocol identification | |
CN104937886B (en) | Log analysis device, information processing method | |
CN105429977B (en) | Deep packet inspection device abnormal flow monitoring method based on comentropy measurement | |
CN107135093B (en) | Internet of things intrusion detection method and detection system based on finite automaton | |
WO2017084600A1 (en) | Internet of things system used for intelligent gas meter and information transmission method for internet of things system | |
CN103139315A (en) | Application layer protocol analysis method suitable for home gateway | |
CN101645806B (en) | Network flow classifying system and network flow classifying method combining DPI and DFI | |
CN109768952A (en) | A method for detecting abnormal behavior of industrial control network based on trusted model | |
CN105025025B (en) | A kind of domain name active detecting method and system based on cloud platform | |
CN109600317B (en) | Method and device for automatically identifying traffic and extracting application rules | |
CN109167754A (en) | A kind of network application layer security protection system | |
CN107733851A (en) | DNS tunnels Trojan detecting method based on communication behavior analysis | |
CN107360118B (en) | Advanced persistent threat attack protection method and device | |
CN102316087A (en) | The detection method that network application is attacked | |
CN109391599A (en) | A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis | |
CN105491018B (en) | A method of network data security analysis based on DPI technology | |
WO2001001272A3 (en) | Method and apparatus for monitoring traffic in a network | |
CN110113350A (en) | A kind of monitoring of Internet of things system security threat and system of defense and method | |
CN101562539B (en) | Adaptive Network Intrusion Detection System | |
CN112333023A (en) | Intrusion detection system based on flow of Internet of things and detection method thereof | |
CN101426008B (en) | Audit method and system based on back display | |
CN109120733B (en) | A detection method using DNS for communication | |
Born et al. | Ngviz: detecting dns tunnels through n-gram visualization and quantitative analysis | |
CN101547127B (en) | Identification method of inside and outside network messages | |
CN105100246A (en) | Network flow management and control method based on downloaded resource name |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191108 |