
CN111404949A - Flow detection method, device, equipment and storage medium - Google Patents


Info

Publication number: CN111404949A
Authority: CN (China)
Prior art keywords: flow, abnormal, detection result, traffic, abnormal feature
Legal status: Pending
Application number: CN202010207822.2A
Other languages: Chinese (zh)
Inventors: 周运金, 钱赵荣
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application discloses a flow detection method, a flow detection device, flow detection equipment and a storage medium. The method comprises the following steps: reading network flow data; analyzing flow parameters respectively corresponding to a plurality of target parameter types in the network flow data; and carrying out comprehensive detection on each flow parameter to obtain a flow detection result. The method realizes comprehensive detection across multiple parameter dimensions of the network flow data, based on the various types of flow parameters in the network flow, and thereby helps ensure the overall reliability of flow detection for the intranet host. In addition, the application also provides a flow detection device, equipment and a storage medium, and the beneficial effects are as described above.

Description

Flow detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for detecting traffic.
Background
In the current network scenario, the intranet host often has a risk of being controlled by an attacker host and becoming a zombie host. When the intranet host is controlled maliciously, a series of malicious operations can be performed, including forcibly terminating the process of the operating system of the intranet host, sending system information to an attacker host, or continuously downloading malicious files, and the like.
After an attacker invades a system of the intranet host, a malicious program is often implanted into the intranet host, and the malicious program further controls the intranet host to communicate with the attacker host after being started, so that the purpose of controlling the intranet host to respond to the attacker host and execute corresponding abnormal operation is achieved, and therefore, whether the intranet host shows abnormal operation behavior within a period of time or not is directly associated with the content of network flow data of the intranet host.
Therefore, it is seen that providing a traffic detection method to implement network security detection for an intranet host based on network traffic data is a problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a flow detection method, a flow detection device, flow detection equipment and a storage medium, so as to realize network security detection of an intranet host based on network flow data.
In order to solve the above technical problem, the present application provides a flow detection method, including:
reading network flow data;
analyzing flow parameters respectively corresponding to a plurality of target parameter types in the network flow data;
and carrying out comprehensive detection on each flow parameter to obtain a flow detection result.
Preferably, before the comprehensive detection is performed on each flow parameter to obtain the flow detection result, the method further includes:
acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type;
carrying out comprehensive detection on each flow parameter to obtain a flow detection result, wherein the flow detection result comprises the following steps:
and counting the matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set, and generating a flow detection result based on the matching degree.
Preferably, the step of counting the matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set, and generating a flow detection result based on the matching degree includes:
judging whether each flow parameter accords with the corresponding abnormal feature in the abnormal feature set;
and if all the flow parameters conform to the corresponding abnormal features in the abnormal feature set, generating a flow detection result recorded with abnormal information.
Preferably, before generating the traffic detection result recorded with the abnormal information, the method further includes:
acquiring a malicious degree value corresponding to the abnormal feature set;
if all the flow parameters conform to the corresponding abnormal features in the abnormal feature set, generating a flow detection result recorded with abnormal information, and the method comprises the following steps:
and if all the flow parameters accord with the corresponding abnormal features in the abnormal feature set, generating an abnormal detection result recorded with the malicious degree value.
Preferably, when the number of the abnormal feature sets is greater than 1, counting a matching degree between each flow parameter and a corresponding abnormal feature in the abnormal feature set, and generating a flow detection result based on the matching degree, including:
counting a target abnormal feature set matched with the abnormal features and the flow parameters;
and generating a flow detection result recorded with abnormal information according to the incidence relation among the target abnormal feature sets.
Preferably, before generating a traffic detection result recorded with abnormal information according to the association relationship between the target abnormal feature sets, the method further includes:
acquiring a malicious degree value corresponding to each target abnormal feature set;
generating a flow detection result recorded with abnormal information according to the incidence relation among the target abnormal feature sets, wherein the flow detection result comprises the following steps:
and according to the incidence relation among the target abnormal feature sets, performing weighted operation on each malicious degree value to obtain an abnormal detection result recorded with the malicious degree value.
Preferably, the performing a weighted operation on each malicious degree value to obtain an anomaly detection result recorded with the malicious degree value includes:
carrying out weighted operation on each malicious degree value to obtain a malicious degree value;
judging whether the malicious degree value reaches a preset threshold value or not;
if the malicious degree value reaches a preset threshold value, generating an abnormal detection result containing the malicious degree value;
otherwise, no processing is performed.
Preferably, obtaining the abnormal feature set comprises:
acquiring an abnormal network flow data sample;
and performing feature extraction on sample parameters of the target parameter types in the abnormal network traffic data samples to obtain an abnormal feature set.
Preferably, the target parameter types include a traffic URL type, a traffic request path type, a traffic request header data type, and a traffic response body type.
In addition, the present application also provides a flow detection device, including:
the flow reading module is used for reading network flow data;
the parameter analysis module is used for analyzing the flow parameters corresponding to the target parameter types in the network flow data;
and the comprehensive detection module is used for comprehensively detecting each flow parameter to obtain a flow detection result.
In addition, the present application also provides flow detection equipment, characterized in that it includes:
a memory for storing a computer program;
a processor for implementing the steps of the flow detection method as described above when executing the computer program.
Furthermore, the present application also provides a computer readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the flow detection method as described above.
The flow detection method provided by the application reads the network flow data, then analyzes the flow parameters respectively corresponding to the target parameter types in the network flow data, and, after obtaining the flow parameter of each target parameter type, performs comprehensive detection on each flow parameter to obtain the flow detection result. The method realizes comprehensive detection across multiple parameter dimensions of the network flow data, based on the various types of flow parameters in the network flow, and thereby helps ensure the overall reliability of flow detection for the intranet host. In addition, the application also provides a flow detection device, equipment and a storage medium, and the beneficial effects are as described above.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a flow detection method disclosed in an embodiment of the present application;
fig. 2 is a flowchart of a specific flow detection method disclosed in an embodiment of the present application;
fig. 3 is a flowchart of a specific flow detection method disclosed in an embodiment of the present application;
fig. 4 is a flowchart of a specific flow detection method disclosed in an embodiment of the present application;
fig. 5 is a flowchart of a specific flow detection method disclosed in an embodiment of the present application;
fig. 6 is a flowchart of a specific flow detection method disclosed in an embodiment of the present application;
fig. 7 is a schematic structural diagram of a flow detection device disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
After an attacker invades a system of the intranet host, a malicious program is often implanted into the intranet host, and the malicious program further controls the intranet host to communicate with the attacker host after being started, so that the purpose of controlling the intranet host to respond to the attacker host and execute corresponding abnormal operation is achieved, and therefore, whether the intranet host shows abnormal operation behavior within a period of time or not is directly associated with the content of network flow data of the intranet host.
Therefore, the core of the application is to provide a flow detection method to realize network security detection of the intranet host based on the network flow data.
Referring to fig. 1, an embodiment of the present application discloses a flow detection method, including:
Step S10: reading the network traffic data.
It should be noted that the execution subject of this embodiment may specifically be a network security device such as a firewall, or a computing device that can perform computational analysis of network traffic data.
The network flow data is read in this step, and may specifically be the network flow data generated by the intranet host, so as to analyze and determine whether the intranet host is maliciously controlled by an attacker host in the subsequent steps according to the network flow data. In addition, the reading of the network traffic data may specifically be reading the network traffic in a network traffic log corresponding to the intranet host. In the actual application scenario, when there are multiple intranet hosts to be subjected to flow detection, the step should take the intranet hosts as a unit, respectively read the network flow data corresponding to each intranet host, and respectively perform subsequent detection operations on the read network flow data of each intranet host.
In addition, the network traffic data read in this step may be HTTP network traffic data generated based on an HTTP protocol in a specific case. The specific amount of the network traffic data is determined according to actual situations, and is not particularly limited herein.
Step S11: analyzing the flow parameters corresponding to the multiple target parameter types in the network flow data.
Since the complete network traffic data is considered to be composed of multiple types of parameters, after the network traffic data is read, the step further analyzes the traffic parameters of multiple target parameter types in the network traffic, so as to detect the network traffic data through the traffic parameters of multiple types of dimensions in the subsequent step.
Step S12: carrying out comprehensive detection on each flow parameter to obtain a flow detection result.
After the flow parameters corresponding to the multiple target parameter types are obtained, the step further performs comprehensive detection on the flow parameters to obtain corresponding flow detection results. In essence, the step is to determine whether the network traffic data is abnormal based on multiple traffic parameters in the network traffic data, so that the detection of the network traffic data is more comprehensive than the detection of the network traffic data based on only one traffic parameter in the network traffic data.
The flow detection method provided by the application reads the network flow data, then analyzes the flow parameters respectively corresponding to the target parameter types in the network flow data, and, after obtaining the flow parameter of each target parameter type, performs comprehensive detection on each flow parameter to obtain the flow detection result. The method realizes comprehensive detection across multiple parameter dimensions of the network flow data, based on the various types of flow parameters in the network flow, and thereby helps ensure the overall reliability of flow detection for the intranet host.
Referring to fig. 2, an embodiment of the present application discloses a flow detection method, including:
Step S20: reading the network traffic data.
Step S21: analyzing the flow parameters corresponding to the multiple target parameter types in the network flow data.
Step S22: acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type.
It should be noted that after the traffic parameters in the network traffic data are obtained, this step further obtains an abnormal feature set. The abnormal feature set contains an abnormal feature for each target parameter type, where an abnormal feature is a characteristic that a traffic parameter of that type exhibits when it is an abnormal parameter. Because the set contains an abnormal feature for the traffic parameter of every target parameter type, the traffic parameters of the corresponding target parameter types in the network traffic data can be matched for abnormality as a whole against the abnormal features of each target parameter type in the abnormal feature set.
Step S23: counting the matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set, and generating a flow detection result based on the matching degree.
After the acquired abnormal feature set is obtained, the matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set is further counted, and then a flow detection result is generated based on the matching degree. The matching degree referred to herein can be understood as the percentage of abnormal parameters in the traffic parameters of each target parameter type of the network traffic data.
In this embodiment, the accuracy of the flow detection result is further ensured by obtaining the abnormal feature set including the abnormal features of each target parameter type, and generating the flow detection result based on the matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set.
On the basis of the foregoing embodiment, as a preferred implementation manner, acquiring an abnormal feature set includes:
acquiring an abnormal network flow data sample;
and performing feature extraction on sample parameters of the target parameter types in the abnormal network traffic data samples to obtain an abnormal feature set.
It should be noted that the abnormal feature set in this embodiment is specifically obtained based on a manner of extracting a network abnormal traffic data sample, and specifically, after the abnormal network traffic data sample is obtained, further, feature extraction is performed on sample parameters having target parameter types in the abnormal network traffic data sample, so as to obtain an abnormal feature set including abnormal features corresponding to each target parameter type. The abnormal network traffic data sample in this embodiment may specifically be network traffic data related to currently known network viruses. By extracting the abnormal feature set from the network traffic data related to the currently known network virus, the embodiment can relatively ensure the accuracy of the abnormal features of each target parameter type in the abnormal feature set, and further ensure the overall accuracy of traffic detection.
Referring to fig. 3, an embodiment of the present application discloses a flow detection method, including:
Step S30: reading the network traffic data.
Step S31: analyzing the flow parameters corresponding to the multiple target parameter types in the network flow data.
Step S32: acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type.
Step S33: judging whether each flow parameter accords with the corresponding abnormal feature in the abnormal feature set; if so, executing step S34, otherwise executing step S35.
It should be noted that, after the abnormal feature set is obtained, this embodiment further determines whether each traffic parameter meets the corresponding abnormal feature in the abnormal feature set, that is, whether the traffic parameter of each target parameter type in the network traffic meets its corresponding abnormal feature.
Step S34: generating a flow detection result recorded with abnormal information.
Step S35: generating a flow detection result recorded with normal information.
When the flow parameters of every target parameter type in the network flow conform to the corresponding abnormal features, the network flow data is determined to be abnormal and a flow detection result recorded with abnormal information is generated; otherwise, the network flow data is determined to be normal. The present embodiment further ensures the overall accuracy of flow detection.
Referring to fig. 4, an embodiment of the present application discloses a flow detection method, including:
Step S40: reading the network traffic data.
Step S41: analyzing the flow parameters corresponding to the multiple target parameter types in the network flow data.
Step S42: acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type.
Step S43: judging whether each flow parameter accords with the corresponding abnormal feature in the abnormal feature set; if so, executing steps S44 to S45, otherwise executing step S46.
Step S44: acquiring a malicious degree value corresponding to the abnormal feature set.
Step S45: generating an abnormal detection result recorded with the malicious degree value.
Step S46: generating a flow detection result recorded with normal information.
It should be noted that the important point of this embodiment is that when it is determined that each traffic parameter conforms to a corresponding abnormal feature in the abnormal feature set, that is, when the network traffic data is abnormal, a malicious degree value corresponding to the abnormal feature set is further obtained, where the malicious degree value is used to describe a security threat degree of the abnormal feature set to which the network traffic data conforms, and after the malicious degree value corresponding to the abnormal feature set is obtained, an abnormality detection result in which the malicious degree value is recorded is further generated. The embodiment can further ensure the readability of the abnormality detection result by the user.
Referring to fig. 5, when the number of abnormal feature sets is greater than 1, the embodiment of the present application discloses a traffic detection method, including:
Step S50: reading the network traffic data.
Step S51: analyzing the flow parameters corresponding to the multiple target parameter types in the network flow data.
Step S52: acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type.
Step S53: counting the target abnormal feature sets whose abnormal features match the flow parameters.
It should be noted that the present embodiment is mainly characterized in that a plurality of abnormal feature sets exist, and the abnormal features of different abnormal feature sets may be partially or completely different. On the basis of the plurality of abnormal feature sets, the target abnormal feature sets whose abnormal features match the flow parameters are further counted. Here, an abnormal feature matching a flow parameter may specifically mean that each flow parameter completely matches the corresponding abnormal feature in the abnormal feature set, or that the matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set reaches a preset threshold.
Step S54: generating a flow detection result recorded with abnormal information according to the incidence relation among the target abnormal feature sets.
After the target abnormal feature sets are obtained, the flow detection result recorded with the abnormal information is generated comprehensively according to the incidence relation among the target abnormal feature sets.
In this embodiment, when the traffic parameter of the network traffic data has an abnormal feature in the plurality of target abnormal feature sets, the traffic detection result recorded with the abnormal information is further generated based on the association between the target abnormal feature sets, so that the accuracy of the traffic detection result can be further ensured.
Referring to fig. 6, when the number of abnormal feature sets is greater than 1, the embodiment of the present application discloses a traffic detection method, including:
Step S60: reading the network traffic data.
Step S61: analyzing the flow parameters corresponding to the multiple target parameter types in the network flow data.
Step S62: acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type.
Step S63: counting the target abnormal feature sets whose abnormal features match the flow parameters.
Step S64: acquiring a malicious degree value corresponding to each target abnormal feature set.
Step S65: according to the incidence relation among the target abnormal feature sets, performing a weighted operation on each malicious degree value to obtain an abnormal detection result recorded with the malicious degree value.
It should be noted that the key point of this embodiment is that, after the target abnormal feature sets matched by the flow parameters are counted, the malicious degree value corresponding to each target abnormal feature set is further obtained, where that value represents the security threat degree of the corresponding target abnormal feature set. After the malicious degree value of each target abnormal feature set is obtained, a weighted operation is performed on the malicious degree values according to the association relationship among the target abnormal feature sets, so as to obtain an abnormal detection result recorded with a malicious degree value that comprehensively represents the abnormal degree corresponding to the detection result. The embodiment can further ensure the accuracy of the flow detection result.
On the basis of the foregoing embodiment, as a preferred implementation manner, performing a weighted operation on each malicious degree value to obtain an abnormality detection result recorded with the malicious degree value includes:
carrying out weighted operation on each malicious degree value to obtain a malicious degree value;
judging whether the malicious degree value reaches a preset threshold value or not;
if the malicious degree value reaches a preset threshold value, generating an abnormal detection result containing the malicious degree value;
otherwise, no processing is performed.
It should be noted that, in the embodiment, the preset threshold is used as a basis for determining whether the detection result of the malicious level value is abnormal, if the malicious level value reaches the preset threshold, an abnormal detection result including the malicious level value is generated, and conversely, if the malicious level value does not reach the preset threshold, the detection result is considered to be normal, and further, no processing is performed. The embodiment further ensures the accuracy of the abnormality detection result.
Based on the above series of embodiments, as a preferred implementation, the target parameter types include a traffic URL type, a traffic request path type, a traffic request header data type, and a traffic response body type.
In this embodiment, analyzing the traffic parameters corresponding to the multiple target parameter types in the network traffic data essentially means analyzing the URL (uniform resource locator), the traffic request path, the traffic request header data, and the traffic response body in the network traffic data. Since the URL, request path, request header data, and response body can all represent the network behavior intention corresponding to the network traffic data, the embodiment can relatively ensure the richness of the parameter dimensions on which the traffic detection process is based and the overall accuracy of the traffic detection.
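The analysis of the four target parameter types in step S11, as an added Python example that is not part of the patent: it splits a captured HTTP/1.x request and its response into URL, request path, request headers and response body. It assumes Content-Length-delimited bodies (no chunked decoding) and plain HTTP when the request target is origin-form; the sample messages are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit


@dataclass
class TrafficParameters:
    """The four target parameter types analyzed out of one HTTP flow."""
    url: str
    request_path: str
    request_headers: Dict[str, str]   # header names lower-cased
    response_body: bytes


def _split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP/1.x message into its start line, header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_parameters(request: bytes, response: bytes) -> TrafficParameters:
    """Derive URL, request path, request headers and response body from a captured pair."""
    request_line, req_headers, _ = _split_message(request)
    _method, target, _version = request_line.split(" ", 2)
    if target.startswith(("http://", "https://")):
        url = target                                # absolute-form target (request via proxy)
    else:
        # origin-form target: rebuild the URL from the Host header (plain HTTP assumed)
        url = "http://" + req_headers.get("host", "") + target
    _status, resp_headers, body = _split_message(response)
    if "content-length" in resp_headers:            # trailing capture bytes are not body
        body = body[:int(resp_headers["content-length"])]
    return TrafficParameters(url, urlsplit(url).path, req_headers, body)


# Constructed sample exchange as it might appear in an HTTP traffic log (not a real capture);
# the response carries two extra bytes after the declared body length.
SAMPLE_REQUEST = (b"GET /s1/down.html?id=7 HTTP/1.1\r\nHost: c2.example\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 29\r\n\r\n"
                   b"http://c2.example/payload.exe\r\n")
```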
In order to deepen understanding of the above embodiments, the following provides a flow detection embodiment in a practical application scenario.
Some virus families have obvious behavior characteristics in their network traffic data; for example, the 8220 virus family causes a controlled host to access http://93.174.93.149/in.php.
Further, in this scenario embodiment, a fingerprint feature library is preset and maintained, in which the features of the parameters of each parameter type in each known abnormal network traffic data, that is, the abnormal features, are recorded. Each abnormal network flow data in the fingerprint feature library corresponds to its own abnormal feature set.
Typically, after a host has been infected by a virus, multiple requests are made over a period of time to transfer data or to request other executable files. For example, after an attacker uses EternalBlue to invade a Windows system, a Trojan downloader conhost.exe is implanted; after the program is started, it accesses the malicious connections http://ok.xmr6b.ru/ok/down.html and http://ok.xmr6b.ru/ok/64.html to obtain the download address of the second-stage malicious code. Therefore, a host that accesses a plurality of virus families generates corresponding network traffic data, and whether the host is infected can be determined from that network traffic data. In the traffic detection process, the abnormal network traffic data accessed by the host within a period of time is counted, and whether the host is infected is identified through the association among the abnormal network traffic data (whether they were generated by accessing the same virus family). Each piece of network traffic data that needs to be checked for malicious behavior is matched against the behavior fingerprint library, and if it matches, it is classified by host for subsequent behavior analysis.
The method comprises the steps of obtaining a set classified according to hosts after multidimensional characteristic verification is carried out on network flow data, then carrying out score accumulation on abnormal network flow data accessed by each intranet host in a time period, and considering that the intranet hosts have abnormal behaviors in the time period if the scores of the hosts exceed a certain threshold value.
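The matching, weighting and per-host accumulation described in the embodiments of figs. 3 to 6 and in this scenario, as an added Python example that is not the patent's own implementation: a constructed fingerprint library with one regex feature per target parameter type, target set selection by full match (or by a matching-degree threshold), an assumed form of the weighted operation that scales the malicious degree values of sets sharing a virus family, and a sliding time window per host compared against a preset threshold. Families, domains, paths, weights and thresholds are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class FeatureSet:
    """One fingerprint-library entry: an abnormal feature (regex) per target parameter type."""
    name: str
    family: str                   # virus family the fingerprint was extracted from
    features: Dict[str, str]      # parameter type -> regex
    malicious_degree: float       # the set's malicious degree value


@dataclass
class Record:
    """One HTTP flow of an intranet host, already split into the four target parameters."""
    host: str
    ts: int                       # seconds
    params: Dict[str, str]


def flow(url: str, headers: str, body: str) -> Dict[str, str]:
    """Build the four parameters of one flow; the request path is taken from the URL."""
    return {"url": url, "request_path": urlsplit(url).path,
            "request_headers": headers, "response_body": body}


def matching_degree(rec: Record, fs: FeatureSet) -> float:
    """Share of the set's parameter types whose abnormal feature the flow's parameter matches."""
    hits = sum(1 for t, pat in fs.features.items() if re.search(pat, rec.params.get(t, "")))
    return hits / len(fs.features)


def target_sets(rec: Record, library: List[FeatureSet], min_degree: float = 1.0) -> List[FeatureSet]:
    """Feature sets the flow conforms to; the default demands every parameter to match."""
    return [fs for fs in library if matching_degree(rec, fs) >= min_degree]


def weighted_degree(sets: List[FeatureSet], same_family_weight: float = 1.5) -> float:
    """Weighted operation over malicious degree values (assumed form: a set's value is scaled
    up when another matched set belongs to the same family, then all values are summed)."""
    total = 0.0
    for fs in sets:
        related = any(o.name != fs.name and o.family == fs.family for o in sets)
        total += fs.malicious_degree * (same_family_weight if related else 1.0)
    return total


def detect_hosts(records: List[Record], library: List[FeatureSet],
                 window: int, threshold: float) -> Dict[str, dict]:
    """Per host, accumulate the feature sets matched within any `window` seconds and report
    the host when the weighted malicious degree reaches `threshold`; otherwise nothing."""
    hits = defaultdict(list)
    for rec in records:
        for fs in target_sets(rec, library):
            hits[rec.host].append((rec.ts, fs))
    results: Dict[str, dict] = {}
    for host, hs in hits.items():
        hs.sort(key=lambda h: h[0])
        best = None
        start = 0
        for end in range(len(hs)):
            while hs[end][0] - hs[start][0] > window:
                start += 1
            # a set is counted once per window even if several flows matched it
            uniq = list({fs.name: fs for _, fs in hs[start:end + 1]}.values())
            score = weighted_degree(uniq)
            if score >= threshold and (best is None or score > best["malicious_degree"]):
                best = {"malicious_degree": score,
                        "families": sorted({fs.family for fs in uniq}),
                        "sets": sorted(fs.name for fs in uniq)}
        if best is not None:
            results[host] = best
    return results


# Constructed fingerprint library: placeholder families, paths and domains, not real IoCs.
UA_FEATURE = r"(?mi)^user-agent: Mozilla/4\.0 \(compatible; MSIE 6\.0"
LIBRARY = [
    FeatureSet("famA-stage1", "famA", {"url": r"^http://[^/]+/s1/down\.html$",
               "request_path": r"^/s1/down\.html$", "request_headers": UA_FEATURE,
               "response_body": r"^http://\S+/\w+\.exe$"}, 3.0),
    FeatureSet("famA-stage2", "famA", {"url": r"^http://[^/]+/s1/64\.html$",
               "request_path": r"^/s1/64\.html$", "request_headers": UA_FEATURE,
               "response_body": r"^MZ"}, 4.0),
    FeatureSet("famB-miner", "famB", {"url": r"/in\.php$", "request_path": r"^/in\.php$",
               "request_headers": r"(?mi)^content-type: application/x-www-form-urlencoded",
               "response_body": r"\bpool=\S+:\d+"}, 6.0),
]

# Constructed traffic records for three intranet hosts (timestamps in seconds).
OLD_UA = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nHost: c2.example"
NEW_UA = "User-Agent: Mozilla/5.0 (X11; Linux)\r\nHost: c2.example"
RECORDS = [
    Record("10.0.0.5", 100, flow("http://c2.example/s1/down.html", OLD_UA, "http://c2.example/x/payload.exe")),
    Record("10.0.0.5", 160, flow("http://c2.example/s1/64.html", OLD_UA, "MZ\x90\x00...")),
    Record("10.0.0.5", 2000, flow("http://c2.example/s1/down.html", OLD_UA, "http://c2.example/x/payload.exe")),
    Record("10.0.0.7", 200, flow("http://pool.example/in.php",
                                 "Content-Type: application/x-www-form-urlencoded\r\nHost: pool.example",
                                 "pool=pool.example:3333&wallet=abc")),
    # same path as famA-stage1 but a browser UA and an HTML body: only 2 of 4 features match
    Record("10.0.0.9", 300, flow("http://c2.example/s1/down.html", NEW_UA, "<html>ok</html>")),
]
```

With a 300-second window and threshold 5.0, host 10.0.0.5 is reported because its two same-family stages fall inside one window, host 10.0.0.7 on a single high-degree set, and host 10.0.0.9 not at all.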
Referring to fig. 7, an embodiment of the present application discloses a traffic detection device, including:
a traffic reading module 10, configured to read network traffic data;
the parameter analysis module 11 is configured to analyze traffic parameters corresponding to multiple target parameter types in the network traffic data;
and the comprehensive detection module 12 is used for comprehensively detecting each flow parameter to obtain a flow detection result.
The traffic detection device provided by the application reads network traffic data, analyzes the traffic parameters corresponding to a plurality of target parameter types in the network traffic data, and, once the traffic parameter of each target parameter type has been obtained, performs comprehensive detection on each traffic parameter to obtain a traffic detection result. Because the device detects across multiple parameter dimensions of the network traffic data based on the various types of traffic parameters it contains, it improves the overall reliability of traffic detection for intranet hosts.
On the basis of the foregoing embodiments, the embodiments of the present application further describe and optimize the detection device. Specifically:
in one embodiment, the apparatus further comprises:
the set acquisition module is used for acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type;
a comprehensive detection module 12 comprising:
and the characteristic matching module is used for counting the matching degree between each flow parameter and the corresponding abnormal characteristic in the abnormal characteristic set and generating a flow detection result based on the matching degree.
In one embodiment, the feature matching module includes:
the abnormal judgment module is used for judging whether each flow parameter accords with the corresponding abnormal characteristic in the abnormal characteristic set, if so, the abnormal result generation module is called, and otherwise, the normal result generation module is called;
the abnormal result generating module is used for generating a flow detection result recorded with abnormal information;
and the normal result generating module is used for generating the flow detection result recorded with the normal information.
In one embodiment, the apparatus further comprises:
the degree value acquisition module is used for acquiring a malicious degree value corresponding to the abnormal feature set;
an abnormal result generation module comprising:
and the abnormal value module is used for generating an abnormal detection result recorded with the malicious degree value.
In one embodiment, when the number of abnormal feature sets is greater than 1, the feature matching module includes:
the set counting module is used for counting a target abnormal feature set matched with the flow parameters;
and the incidence relation detection module is used for generating a flow detection result recorded with abnormal information according to the incidence relation among the target abnormal feature sets.
In one embodiment, the apparatus further comprises:
the set degree value acquisition module is used for acquiring malicious degree values corresponding to the target abnormal feature sets;
an association detection module comprising:
and the associated malicious value operation module is used for performing weighted operation on each malicious degree value according to the association relation among the target abnormal feature sets to obtain an abnormal detection result recorded with the malicious degree value.
In one embodiment, the association malicious value operation module includes:
the value operation module is used for carrying out weighted operation on each malicious degree value to obtain a malicious degree value;
the threshold judging module is used for judging whether the malicious degree value reaches a preset threshold value; if so, the abnormal result generating module is called, and otherwise no processing is performed;
and the abnormal result generating module is used for generating an abnormal detection result containing the malicious degree value.
In one embodiment, the set obtaining module includes:
the sample acquisition module is used for acquiring an abnormal network traffic data sample;
and the extraction module is used for extracting the characteristics of the sample parameters of the target parameter types in the abnormal network traffic data samples to obtain an abnormal characteristic set.
In one embodiment, the target parameter types include a traffic URL type, a traffic request path type, a traffic request header data type, and a traffic response body type.
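The per-host scoring of the scenario embodiment above and the feature-matching, malicious-degree weighting and threshold modules of the device embodiments can be exercised end to end with the following Python script. It is an added example, not code from the patent or from Sangfor. The field names, the regular expressions in the fingerprint library, the scores, the association weights (1.0 for hits in the dominant family, 0.5 for hits in unrelated families), the window length and the threshold are all this example's own assumptions; the sample traffic is constructed (example.invalid is a reserved, non-routable hostname), and only the two ok.xmr6b.ru URLs quoted in the description are taken from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One parsed HTTP exchange of an intranet host; the last four fields are the
# four target parameter types. Field names are this example's own choice.
@dataclass
class Flow:
    host: str
    ts: int            # seconds; used for the per-host time window
    url: str           # traffic URL
    path: str          # traffic request path
    headers: dict      # traffic request header data
    body: str          # traffic response body

# One abnormal feature set: a regex per target parameter type, the set's
# malicious degree value, and the family used for the association relation.
@dataclass
class FeatureSet:
    name: str
    family: str
    score: int
    url: str
    path: str
    header: str        # matched against "Name: value" lines
    body: str

def matches(flow, fs):
    """All four parameters must fit their abnormal feature; a partial fit
    (e.g. URL, path and body without the expected header) counts as normal."""
    hdr_text = "\n".join(f"{k}: {v}" for k, v in flow.headers.items())
    return all(re.search(p, v) for p, v in (
        (fs.url, flow.url), (fs.path, flow.path),
        (fs.header, hdr_text), (fs.body, flow.body)))

def weighted_score(hits):
    """Association-weighted malicious degree: sets of the dominant family count
    in full, sets of unrelated families at half weight (weights assumed here)."""
    totals = defaultdict(int)
    for fs in hits:
        totals[fs.family] += fs.score
    if not totals:
        return 0.0
    dominant = max(totals, key=lambda f: (totals[f], f))
    return sum(fs.score * (1.0 if fs.family == dominant else 0.5) for fs in hits)

def detect_flow(flow, feature_sets, threshold):
    """Per-record result: (is_abnormal, malicious degree, matched set names)."""
    hits = [fs for fs in feature_sets if matches(flow, fs)]
    score = weighted_score(hits)
    return score >= threshold, score, [fs.name for fs in hits]

def host_scores(flows, feature_sets, window_start, window_len):
    """Accumulate each host's weighted score over its hits inside one window."""
    hits_by_host = defaultdict(list)
    for fl in flows:
        if window_start <= fl.ts < window_start + window_len:
            hits_by_host[fl.host] += [fs for fs in feature_sets if matches(fl, fs)]
    return {h: weighted_score(hs) for h, hs in hits_by_host.items()}

def flagged_hosts(flows, feature_sets, window_start, window_len, threshold):
    scores = host_scores(flows, feature_sets, window_start, window_len)
    return sorted(h for h, s in scores.items() if s >= threshold)

# Constructed fingerprint library; regexes, families and scores are illustrative.
FEATURE_SETS = [
    FeatureSet("xmr6b_downloader", "xmr6b", 40,
               r"^http://ok\.xmr6b\.ru/ok/", r"^/ok/(down|64)\.html$",
               r"(?m)^User-Agent: Mozilla/4\.0", r"https?://\S+\.(exe|dll)"),
    FeatureSet("xmr6b_stage2", "xmr6b", 50,
               r"/stage2\.exe$", r"^/stage2\.exe$",
               r"(?m)^User-Agent: Mozilla/4\.0", r"^MZ"),
    FeatureSet("webshell_cmd", "webshell", 30,
               r"\.php\?cmd=", r"\.php$",
               r"(?m)^Content-Type: application/x-www-form-urlencoded", r"uid=\d+"),
    FeatureSet("miner_config", "miner", 30,
               r"/config\.json$", r"^/config\.json$",
               r"(?m)^Accept: \*/\*", r'"pools"'),
]

# Constructed sample traffic (example.invalid is a reserved, non-routable name).
FLOWS = [
    Flow("10.0.0.5", 100, "http://ok.xmr6b.ru/ok/down.html", "/ok/down.html",
         {"User-Agent": "Mozilla/4.0", "Host": "ok.xmr6b.ru"},
         "http://example.invalid/stage2.exe"),
    Flow("10.0.0.5", 160, "http://example.invalid/stage2.exe", "/stage2.exe",
         {"User-Agent": "Mozilla/4.0", "Host": "example.invalid"}, "MZ\x90\x00\x03"),
    Flow("10.0.0.5", 200, "http://intranet.example/index.html", "/index.html",
         {"User-Agent": "Mozilla/5.0"}, "<html>welcome</html>"),
    # URL, path and body fit the downloader set, but the header does not
    Flow("10.0.0.9", 120, "http://ok.xmr6b.ru/ok/64.html", "/ok/64.html",
         {"User-Agent": "Mozilla/5.0", "Host": "ok.xmr6b.ru"},
         "http://example.invalid/stage2.exe"),
    Flow("10.0.0.9", 300, "http://web.intranet.example/up/c.php?cmd=id", "/up/c.php",
         {"Content-Type": "application/x-www-form-urlencoded"}, "uid=33(www)"),
    Flow("10.0.0.9", 400, "http://pool.example.invalid/config.json", "/config.json",
         {"Accept": "*/*"}, '{"pools": []}'),
]

if __name__ == "__main__":
    print(host_scores(FLOWS, FEATURE_SETS, 0, 600), flagged_hosts(FLOWS, FEATURE_SETS, 0, 600, 60))
```

With a per-record threshold of 60, no single record of host 10.0.0.5 is abnormal on its own (40 and 50), but the two hits belong to the same family, so the host's accumulated score of 90 within the 600-second window exceeds the threshold and the host is flagged. Host 10.0.0.9 illustrates the two caveats a practitioner would check: its 64.html request is not counted at all because the header parameter does not fit (every parameter must match), and its two remaining hits come from unrelated families, so the second one is down-weighted and the host stays below the threshold.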
In addition, an embodiment of the present application also discloses a traffic detection apparatus, including:
a memory for storing a computer program;
a processor for implementing the steps of the flow detection method as described above when executing the computer program.
The traffic detection apparatus provided by the application reads network traffic data, analyzes the traffic parameters corresponding to a plurality of target parameter types in the network traffic data, and, once the traffic parameter of each target parameter type has been obtained, performs comprehensive detection on each traffic parameter to obtain a traffic detection result. Because the apparatus detects across multiple parameter dimensions of the network traffic data based on the various types of traffic parameters it contains, it improves the overall reliability of traffic detection for intranet hosts.
In addition, the embodiment of the application also discloses a computer readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the flow detection method are realized.
The computer-readable storage medium provided by the application reads network traffic data, analyzes the traffic parameters corresponding to a plurality of target parameter types in the network traffic data, and, once the traffic parameter of each target parameter type has been obtained, performs comprehensive detection on each traffic parameter to obtain a traffic detection result. Because the program on the storage medium detects across multiple parameter dimensions of the network traffic data based on the various types of traffic parameters it contains, it improves the overall reliability of traffic detection for intranet hosts.
The above provides a detailed description of a method, an apparatus, a device and a storage medium for detecting traffic. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A method for detecting traffic, comprising:
reading network flow data;
analyzing flow parameters respectively corresponding to a plurality of target parameter types in the network flow data;
and comprehensively detecting each flow parameter to obtain a flow detection result.
2. The traffic detection method according to claim 1, wherein before the performing the comprehensive detection on each flow parameter to obtain the flow detection result, the method further comprises:
acquiring an abnormal feature set, wherein the abnormal feature set comprises abnormal features of each target parameter type;
the step of performing comprehensive detection on each flow parameter to obtain a flow detection result includes:
and counting the matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set, and generating the flow detection result based on the matching degree.
3. The traffic detection method according to claim 2, wherein the counting a matching degree between each flow parameter and the corresponding abnormal feature in the abnormal feature set, and generating the flow detection result based on the matching degree comprises:
judging whether each flow parameter accords with the corresponding abnormal feature in the abnormal feature set;
and if all the flow parameters accord with the corresponding abnormal features in the abnormal feature set, generating the flow detection result recorded with abnormal information.
4. The traffic detection method according to claim 3, wherein before the generating the traffic detection result in which the abnormality information is recorded, the method further comprises:
acquiring a malicious degree value corresponding to the abnormal feature set;
if each of the flow parameters meets the corresponding abnormal feature in the abnormal feature set, generating the flow detection result recorded with abnormal information, including:
and if all the flow parameters accord with the corresponding abnormal features in the abnormal feature set, generating the abnormal detection result recorded with the malicious degree value.
5. The traffic detection method according to claim 2, wherein when the number of the abnormal feature sets is greater than 1, the counting of the matching degree between each of the traffic parameters and the corresponding abnormal feature in the abnormal feature set, and generating the traffic detection result based on the matching degree includes:
counting the target abnormal feature sets whose abnormal features match the flow parameters;
and generating the flow detection result recorded with abnormal information according to the incidence relation among the target abnormal feature sets.
6. The traffic detection method according to claim 5, wherein before the generating the traffic detection result recorded with abnormal information according to the association relationship between the target abnormal feature sets, the method further comprises:
acquiring a malicious degree value corresponding to each target abnormal feature set;
the generating the traffic detection result recorded with the abnormal information according to the association relationship between the target abnormal feature sets includes:
and according to the incidence relation among the target abnormal feature sets, performing weighted operation on each malicious degree value to obtain the abnormal detection result recorded with the malicious degree value.
7. The traffic detection method according to claim 6, wherein the performing a weighted operation on each malicious level value to obtain the anomaly detection result recorded with the malicious level value includes:
carrying out weighted operation on each malicious degree value to obtain the malicious degree value;
judging whether the malicious degree value reaches a preset threshold value or not;
if the malicious degree value reaches a preset threshold value, generating an abnormal detection result containing the malicious degree value;
otherwise, no processing is performed.
8. The flow detection method according to claim 2, wherein the acquiring an abnormal feature set includes:
acquiring an abnormal network flow data sample;
and performing feature extraction on the sample parameters of the target parameter types in the abnormal network traffic data samples to obtain the abnormal feature set.
9. The traffic detection method according to any one of claims 1 to 8, wherein the target parameter types include a traffic URL type, a traffic request path type, a traffic request header data type, and a traffic response body type.
10. A traffic detection device, comprising:
the flow reading module is used for reading network flow data;
the parameter analysis module is used for analyzing the flow parameters corresponding to the target parameter types in the network flow data;
and the comprehensive detection module is used for comprehensively detecting each flow parameter to obtain a flow detection result.
11. A traffic detection apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the flow detection method according to any one of claims 1 to 9 when executing said computer program.
12. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, carries out the steps of the flow detection method according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010207822.2A CN111404949A (en) 2020-03-23 2020-03-23 Flow detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010207822.2A CN111404949A (en) 2020-03-23 2020-03-23 Flow detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111404949A true CN111404949A (en) 2020-07-10

Family

ID=71432820

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010207822.2A Pending CN111404949A (en) 2020-03-23 2020-03-23 Flow detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111404949A (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180115578A1 (en) * 2016-10-26 2018-04-26 Elastic Beam, Inc. Methods and systems for deep learning based api traffic security
CN106656616A (en) * 2016-12-29 2017-05-10 北京天元创新科技有限公司 Whole network flow analysis method of computer network
CN107483455A (en) * 2017-08-25 2017-12-15 国家计算机网络与信息安全管理中心 A kind of network node abnormality detection method and system based on stream
CN107508816A (en) * 2017-08-31 2017-12-22 杭州迪普科技股份有限公司 A kind of attack traffic means of defence and device
CN107888571A (en) * 2017-10-26 2018-04-06 江苏省互联网行业管理服务中心 A kind of various dimensions webshell intrusion detection methods and detecting system based on HTTP daily records
CN109474485A (en) * 2017-12-21 2019-03-15 北京安天网络安全技术有限公司 Method, system and storage medium based on network traffic information detection Botnet
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110336835A (en) * 2019-08-05 2019-10-15 深信服科技股份有限公司 Detection method, user equipment, storage medium and the device of malicious act

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周畅 et al.: "Deep learning detection based on botnet traffic features" (基于僵尸网络流量特征的深度学习检测), 《信息技术》 (Information Technology) *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640492A (en) * 2020-12-16 2022-06-17 深信服科技股份有限公司 URL detection method, system, equipment and computer readable storage medium
CN114640492B (en) * 2020-12-16 2024-08-20 深信服科技股份有限公司 URL detection method, system, equipment and computer readable storage medium
CN112511559A (en) * 2020-12-17 2021-03-16 中国农业银行股份有限公司 Method and system for detecting transverse moving attack of intranet
CN112887327A (en) * 2021-02-23 2021-06-01 深信服科技股份有限公司 Method, device and storage medium for detecting malicious behaviors
CN112887327B (en) * 2021-02-23 2022-11-22 深信服科技股份有限公司 Method, device and storage medium for detecting malicious behaviors
CN114884843A (en) * 2022-06-10 2022-08-09 三峡大学 Flow monitoring system based on new network audio-visual media
CN114884843B (en) * 2022-06-10 2023-05-09 三峡大学 A flow monitoring system based on network audio-visual new media
CN119135434A (en) * 2024-10-21 2024-12-13 天翼安全科技有限公司 Data detection method and device
CN119135434B (en) * 2024-10-21 2025-09-26 天翼安全科技有限公司 Data detection method and device

Similar Documents

Publication Publication Date Title
CN110324311B (en) Vulnerability detection method and device, computer equipment and storage medium
CN109831465B (en) Website intrusion detection method based on big data log analysis
CN111404949A (en) Flow detection method, device, equipment and storage medium
CN107645503B (en) A rule-based detection method for malicious domain names belonging to DGA family
CN107302547B (en) Web service anomaly detection method and device
CN110602029B (en) Method and system for identifying network attack
CN107888571B (en) Multi-dimensional webshell intrusion detection method and system based on HTTP log
CN114003903B (en) A method and device for tracing the source of a network attack
CN108924118B (en) Method and system for detecting database collision behavior
CN114553523A (en) Attack detection method and device based on attack detection model, medium and equipment
CN107247902B (en) Malicious software classification system and method
CN110336835B (en) Malicious behavior detection method, user equipment, storage medium and device
CN113923039B (en) Attack equipment identification method and device, electronic equipment and readable storage medium
CN114785567A (en) Traffic identification method, device, equipment and medium
CN114866296B (en) Intrusion detection method, intrusion detection device, intrusion detection equipment and readable storage medium
CN116155519A (en) Threat warning information processing method, device, computer equipment and storage medium
CN118445796A (en) An information security risk assessment system based on the Internet of Things
CN117319001A (en) Network security assessment method, device, storage medium and computer equipment
CN113852625B (en) A weak password monitoring method, device, equipment and storage medium
CN107426136B (en) Network attack identification method and device
CN110311888A (en) A kind of Web anomalous traffic detection method, device, equipment and medium
CN119210802B (en) A DDoS attack detection method and device based on multi-level traffic analysis
CN110691090B (en) Website detection method, device, equipment and storage medium
CN111444503A (en) Method, device, system and medium for detecting Lessovirus
CN115618283B (en) Cross-site scripting attack detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20200710)