CN101286979B - Network attack detecting method - Google Patents

Info

Publication number: CN101286979B (granted patent, published 2011-02-09; the application was published as CN101286979A on 2008-10-15)
Application number: CN200810044620XA
Authority: CN (China)
Prior art keywords: network, instruction, disassembling, network packet
Priority date and filing date: 2008-06-03
Legal status: Expired - Fee Related (status as assumed by Google, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张小松, 陈厅, 陈大鹏, 刘智, 潘小会
Original and current assignee: University of Electronic Science and Technology of China

Abstract

The invention provides a network attack detection method in the field of computer network security. First, a network packet is captured and the payload sequence of the packet is extracted. Then the maximum executable length (MEL) is computed: the largest number of valid instructions that can be disassembled starting from any position of the payload sequence of each packet. Finally a decision is made: if the MEL of a packet exceeds a threshold, the packet is treated as a network attack packet; if it does not exceed the threshold, the packet is treated as a normal communication packet. The method can detect unknown network attacks, has high detection efficiency and a low false alarm rate, and can detect attacks that have been transformed by advanced polymorphism (deformation) techniques. It is intended for deployment at the ingress and egress of small and medium-sized networks; for the ingress and egress of large high-speed networks it can be implemented in hardware as firmware, or several computers can be deployed for parallel processing.

Description

Network attack detecting method
Technical field
The invention belongs to the field of computer network security and specifically relates to a method for detecting computer network attacks.
Background technology
Abbreviations and key terms:
Network Intrusion Detection System (NIDS).
Abstract Executable: a byte string is called abstractly executable if disassembly can interpret it as a run of consecutive valid instructions.
Instruction Chain (IC): a sequence of valid instructions that contains no jump instruction; it normally ends at a jump instruction or at a byte that is not abstractly executable.
Executable Length (EL): the number of valid instructions that can be disassembled starting from a given position of a byte sequence.
Maximum Executable Length (MEL): the MEL of a byte sequence is the largest number of valid instructions that can be disassembled starting from any position of that sequence.
Shellcode: loosely defined, the attack code itself; its usual jobs are privilege escalation, downloading files, executing programs and so on.
Sled: informally, the part of an attack packet that is placed before the shellcode and executed first; execution started at any position inside the sled runs correctly through to the shellcode.
Payload: the part of a packet that remains after the headers are removed.
With the rapid spread of computer networks and the constant rise of new network services, network attacks have penetrated many fields of computer application and are becoming more and more severe. Network attacks include DDoS attacks, worm attacks and hacker intrusions; most of the methods and techniques they use exploit software vulnerabilities: the attack enters the target computer through a vulnerability, takes control of it and then damages it. For ordinary PC users the most direct experience is probably a worm, a binary program that needs no human involvement to complete its propagation, infection and damage automatically. For the Nimda worm that broke out in 2001, the estimated losses climbed from 500 million dollars to 2.6 billion dollars, kept rising afterwards and remain impossible to estimate. Worm outbreaks are becoming more and more frequent, and the last two years have seen a large number of new worms and worm variants. There is therefore an urgent need for an efficient and accurate network attack detection method that finds attacks in time and contains their spread.
Many network services run with a client/server (C/S) structure: the service accepts user input, processes it and turns it into output. The server side usually allocates memory to store the client's input data and parses that data, but often imposes no limit on its length, so unsafe string functions can cause a buffer overflow, and an attacker can exploit the buffer overflow vulnerability to execute shellcode. Fig. 1 lists some unsafe C-language functions. Fig. 2 shows the layout of a standard stack: by carefully constructing an attack packet, the attacker overwrites the function's return address and points it at the attacker's shellcode, thereby attacking and damaging the server.
Whether a network attack succeeds depends on whether the attack packet the attacker constructs can point the function return address precisely at the shellcode; if it cannot, the attack fails. The attacker often cannot locate the shellcode exactly, since this depends on the operating system version and other factors, but can usually narrow it down to some range. The attacker therefore adds a sled to the packet; a typical attack packet is shown in Fig. 3. The Intel architecture has many one-byte instructions, some of which are rarely used and have no effect on the rest of the program once executed; attackers generally choose these instructions to build the sled, because a sled made of them naturally satisfies the requirement that execution started at any position runs correctly into the shellcode. Fig. 4 gives examples of such one-byte instructions. One-byte instructions are not essential: with careful design the attacker can also build a sled from commonly used multi-byte instructions while still guaranteeing that execution started at any position reaches the shellcode correctly. Fig. 5 is an example of a sled built from multi-byte instructions.
Overall, attack techniques are becoming richer and more complex, whereas conventional detection can only handle a particular class of attacks or attacks that follow a particular pattern; although many detection systems exist, all have obvious defects and their general effectiveness is poor.
The most widely used intrusion detection systems on the market are misuse detection systems such as Snort, whose core technique is the signature. A signature is one or more byte sequences from a network attack packet, extracted by security experts after the attack has been detected and a sample captured. Detection is pattern matching of the signatures against network packets; a match indicates a network attack. A signature-based misuse NIDS depends on signature extraction and on matching signatures against packets, so it can only detect known attacks and is powerless against unknown or polymorphic ones. Misuse detection also lags behind the attacks, again because it depends on signatures: extracting a signature takes considerable time, usually several hours or even several days, and the time needed to collect attack samples in the first place is even harder to estimate.
As a complement to misuse detection, anomaly detection is currently a focus of academic research. One important direction within it is behaviour-based detection: before detection, the behaviour of network traffic under normal conditions is learned and rules are mined from the collected data; during detection the network behaviour is monitored, and a violation of the rules is treated as a network attack.
Behaviour-based anomaly detection has the following shortcomings:
1. High false alarm rate
Behaviour-based attack detection always rests on certain assumptions, for example random scanning, fast scanning or similar packet contents. In practice these assumptions do not necessarily hold, and an attacker who knows the detection method can easily bypass it.
Academia has done a great deal of research on the executable code in network attack packets, and there are preliminary applications in Snort. Snort can detect consecutive NOP instructions in a packet: if N consecutive NOPs are found, the packet is treated as an attack packet. Fnord improves on Snort: it keeps a table of one-byte instructions similar to Fig. 4, and if it finds a run of consecutive bytes in the packet that all appear in that table, it reports a network attack.
2. Difficulty in handling advanced polymorphic attacks
Current advanced polymorphism (deformation) techniques can build the sled from multi-byte instructions and can even include jump instructions; Snort and Fnord cannot detect attacks that have been transformed in this way.
Summary of the invention
The invention provides a network attack detection method with high detection efficiency and a low false alarm rate that can detect unknown network attacks, including attacks transformed by advanced polymorphism techniques.
The detailed technical scheme of the invention is as follows:
A network attack detection method, shown in Fig. 8, comprising the following steps:
Step 1. Capture network packets.
Step 2. Parse each packet captured in step 1 according to the standard format of the protocol it follows, and extract the payload sequence of the packet.
Step 3. For each payload sequence extracted in step 2, compute the MEL: the maximum number of valid instructions that can be disassembled starting from any position of the payload sequence.
Step 4. If the MEL of a packet's payload sequence exceeds a threshold, treat the packet as a network attack packet; if it does not exceed the threshold, treat the packet as a normal communication packet.
The core idea of the invention is to analyse and process the payload sequence of the network packet and to detect the sled, and hence the attack, by counting the abstractly executable instructions in the packet (the MEL). As Fig. 6 shows, the MEL of normal HTTP request packets does not exceed 10, while in Fig. 7 the smallest MEL of three different network attacks exceeds 250. The phenomenon arises because the vast majority of a normal network request is data; only a small part consists of instructions, and those are instructions defined by the protocol. Normal network behaviour strictly follows the protocol, so only a small number of standard instructions are needed to complete a function. In an attack packet, on the other hand, the attacker uses as little as possible of the target operating system's functions and data structures in order to stay cross-platform, so the packet must contain all the instructions that implement the attack; the number of valid instructions in an attack packet is therefore far larger than in a normal packet.
The method and the corresponding software system are suitable for deployment at the ingress and egress of small and medium-sized intranets. To apply the invention at the ingress and egress of large high-speed networks, detection speed can be raised in two ways: 1. implement the invention in hardware as firmware; 2. deploy several computers for parallel processing.
The beneficial effects of the invention are:
1. Unknown network attacks can be detected
Because the invention does not rely on signatures, it can detect unknown network attacks.
2. High detection efficiency
The invention is a detection method for the network attack packet itself and can decide on a single packet, so detection starts at the very beginning of an attack rather than after a number of packets have been collected, which greatly improves detection efficiency.
3. Low false alarm rate
The invention detects the NOP sled portion of the packet payload, a part that almost always appears in attack packets and does not appear in normal packets. The proposed method therefore does not mistake normal packets for attack packets, and as a result the false alarm rate is very low.
4. Attacks transformed by advanced polymorphism techniques can be detected
Judging by current trends, however polymorphism techniques improve they cannot change the essence of a NOP sled: a long instruction sequence that executes correctly. The invention detects NOP sleds by computing the executable length and can therefore handle attacks transformed by advanced polymorphism techniques.
Description of drawings
Fig. 1: unsafe C functions.
Fig. 2: stack layout.
Fig. 3: an attack packet.
Fig. 4: one-byte sled instructions.
Fig. 5: a multi-byte sled.
Fig. 6: MEL of normal HTTP request packets.
Fig. 7: MEL of network attack packets.
Fig. 8: flow chart of the network attack detection method of the invention.
Embodiment
In the technical scheme of the invention, the packets captured in step 1 can be filtered by the following two principles to discard packets that need no analysis: 1. current network attacks are confined to a few protocols (such as TCP and UDP), so packets of protocols that cannot be used for network attacks can be discarded; 2. the invention analyses the packet payload, so packets that carry only header information and no payload (such as a TCP SYN) can be discarded.
In the technical scheme of the invention, step 3 specifically comprises the following steps:
Step 31. Starting from each byte position of the packet's payload sequence, disassemble until the disassembler can no longer obtain a valid instruction, giving one disassemblable valid instruction sequence per start position.
Step 32. Compute the number of instructions EL contained in each valid instruction sequence obtained in step 31.
Step 33. Take the maximum of the EL values computed in step 32 over all valid instruction sequences as the MEL of the payload sequence of this packet.
When step 32 computes the instruction count EL of a valid instruction sequence obtained in step 31, it specifically comprises the following steps:
Step 321. First count the instructions in the valid instruction sequence itself, denoted L;
Step 322. If the last instruction of the sequence is a jump instruction whose target address lies inside the sequence, the instruction count of the valid instruction sequence disassembled from that byte position of the payload is EL = L + 1;
Step 323. If the last instruction of the sequence is a jump instruction whose target address lies outside the sequence, obtain the instruction sequence that starts at the target address, count its instructions as L', and take EL = L + L' as the instruction count of the valid instruction sequence disassembled from that byte position of the payload.
In the technical scheme of the invention, the threshold in step 4 can be set to a natural number between 20 and 250. If the threshold is set too low, the false alarm rate rises; if it is set too high, the missed detection rate rises. The actual threshold should be chosen by weighing the false alarm rate against the missed detection rate.
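As an added example that is not code from the patent or its authors, the following Python block implements steps 2 to 4 on an already-extracted payload, with the EL rules of steps 321 to 323 and the MEL of step 33, and contrasts the result with the Fnord-style "run of one-byte instructions" check described in the background section. It assumes a toy 32-bit x86 length decoder covering only a handful of opcodes (a real deployment needs a full decoder), reads step 323 as the case where the jump target lies elsewhere in the payload and follows such jumps recursively with a visited set so that loops terminate, treats a jump out of the payload as the end of the chain, and uses constructed sample payloads rather than captured traffic; the names decode, executable_length, mel, single_byte_run and is_attack are this example's own.

```python
"""Maximum Executable Length (MEL) sled detection on packet payloads.

Added example, not the patent's own code: a toy x86-32 length decoder for a
small opcode subset, the EL/MEL computation of steps 31-33 with the jump
rules of steps 322/323, and the threshold decision of step 4. The opcode
subset, the function names and the sample payloads are assumptions.
"""

# One-byte instructions typical of classic sleds (assumed subset).
SINGLE_BYTE = {0x90, 0x27, 0x2F, 0x37, 0x3F, 0xF8, 0xF9, 0xFC, 0xFD}
SINGLE_BYTE |= set(range(0x40, 0x60))          # inc/dec r32, push/pop r32
MODRM_REG_ONLY = {0x31, 0x33, 0x89, 0x8B}      # xor/mov r32,r32 (mod == 11 only)


def decode(buf, pos):
    """Return (length, jump_target) for the instruction at buf[pos], or None
    if the bytes there are not a valid instruction of the toy subset.
    jump_target is None for non-jumps."""
    op = buf[pos]
    if op in SINGLE_BYTE:
        return 1, None
    if op in (0x6A, 0xCD):                      # push imm8, int imm8
        return (2, None) if pos + 2 <= len(buf) else None
    if op == 0x68 or 0xB8 <= op <= 0xBF:        # push imm32, mov r32, imm32
        return (5, None) if pos + 5 <= len(buf) else None
    if op in MODRM_REG_ONLY:                    # accept register-direct ModRM only
        if pos + 2 <= len(buf) and buf[pos + 1] >> 6 == 3:
            return 2, None
        return None
    if op == 0xEB and pos + 2 <= len(buf):      # jmp rel8
        rel = int.from_bytes(buf[pos + 1:pos + 2], "little", signed=True)
        return 2, pos + 2 + rel
    if op == 0xE9 and pos + 5 <= len(buf):      # jmp rel32
        rel = int.from_bytes(buf[pos + 1:pos + 5], "little", signed=True)
        return 5, pos + 5 + rel
    return None


def executable_length(buf, start, _visited=None):
    """EL (step 32): valid instructions reachable from `start`.
    A final jump back into the decoded sequence adds 1 (step 322); a jump
    elsewhere inside the payload continues there (step 323, followed
    recursively with a visited set); a jump out of the payload ends the
    chain (this example's assumption)."""
    visited = set() if _visited is None else _visited
    if start in visited:
        return 0
    visited.add(start)
    pos, count = start, 0
    while pos < len(buf):
        ins = decode(buf, pos)
        if ins is None:
            break
        length, target = ins
        count += 1
        pos += length
        if target is not None:
            if start <= target < pos:                  # step 322
                return count + 1
            if 0 <= target < len(buf):                 # step 323
                return count + executable_length(buf, target, visited)
            return count
    return count


def mel(buf):
    """MEL (step 33): maximum EL over every start offset of the payload."""
    return max((executable_length(buf, i) for i in range(len(buf))), default=0)


def single_byte_run(buf):
    """Fnord-style comparison: longest run of bytes that are each a one-byte
    instruction from the table."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b in SINGLE_BYTE else 0
        best = max(best, cur)
    return best


def is_attack(payload, threshold=20):
    """Step 4: the payload is flagged when its MEL exceeds the threshold."""
    return mel(payload) > threshold


# Constructed sample payloads (not captured traffic).
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CLASSIC_SLED = (b"\x90" * 40 + b"\x41\x42\x43\x44" * 5    # nop / inc sled
                + b"\xeb\x02\x00\x00"                      # jmp over 2 junk bytes
                + b"\xb8\x01\x00\x00\x00\xcd\x80"          # mov eax,1 ; int 0x80
                + b"\xeb\xfe")                             # jmp $ (loop)
MULTIBYTE_SLED = b"\xb8\x90\x90\x90\x90" * 30               # mov eax,imm32 sled

if __name__ == "__main__":
    for name, p in [("http", HTTP_REQUEST), ("classic", CLASSIC_SLED),
                    ("multibyte", MULTIBYTE_SLED)]:
        print(f"{name:10s} MEL={mel(p):3d} run={single_byte_run(p):3d} "
              f"attack={is_attack(p)}")
```

With this toy decoder the HTTP request has an MEL of 6 (the longest chain is "push imm32" consuming "html " followed by "HTTP/"), the classic sled 65 and the multi-byte sled 33. The Fnord-style run is 60 for the classic sled but only 4 for the multi-byte sled, which is exactly the evasion the background section describes, while the MEL of both sleds stays far above a threshold of 20. Under a full x86 decoder the absolute MEL of text payloads is higher, since many printable bytes decode as valid instructions; the threshold range of 20 to 250 in the embodiment reflects that.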

Claims (3)

1. A network attack detecting method, characterised in that it comprises the following steps:
Step 1. Capture network packets;
Step 2. Parse each packet captured in step 1 according to the standard format of the protocol it follows, and extract the payload sequence of the packet;
Step 3. For each payload sequence extracted in step 2, compute the MEL, the maximum number of valid instructions that can be disassembled starting from any position of the payload sequence; specifically comprising the following steps:
Step 31. Starting from each byte position of the packet's payload sequence, disassemble until the disassembler can no longer obtain a valid instruction, giving one disassemblable valid instruction sequence;
Step 32. Compute the number of instructions EL contained in the valid instruction sequence obtained in step 31; specifically comprising the following steps:
Step 321. First count the instructions in the valid instruction sequence obtained in step 31 itself, denoted L;
Step 322. If the last instruction of the valid instruction sequence obtained in step 31 is a jump instruction whose target address lies inside the sequence, the instruction count of the valid instruction sequence disassembled from that byte position of the payload is EL = L + 1;
Step 323. If the last instruction of the valid instruction sequence obtained in step 31 is a jump instruction whose target address lies outside the sequence, obtain the instruction sequence that starts at the target address, count its instructions as L', and the instruction count of the valid instruction sequence disassembled from that byte position of the payload is EL = L + L';
Step 33. Take the maximum of the EL values computed in step 32 over all valid instruction sequences as the MEL of the payload sequence of this packet;
Step 4. If the MEL of a packet's payload sequence exceeds a threshold, treat the packet as a network attack packet; if it does not exceed the threshold, treat the packet as a normal communication packet.
2. The network attack detecting method of claim 1, characterised in that the packets captured in step 1 are filtered to discard packets that need no analysis: packets of protocols that cannot be used for network attacks are discarded, and packets that carry only header information and no payload are discarded.
3. The network attack detecting method of claim 1, characterised in that the threshold in step 4 is set to a natural number between 20 and 250.

Priority and family

Application CN200810044620XA (family ID 40058949), priority date and filing date 2008-06-03, title "Network attack detecting method", granted as CN101286979B, status Expired - Fee Related. Country status: CN.

Publications (2)

Publication Number Publication Date
CN101286979A (application publication) 2008-10-15
CN101286979B (granted patent) 2011-02-09

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848092A (en) * 2009-03-25 2010-09-29 华为技术有限公司 Malicious code detection method and device
CN102111308A (en) * 2010-12-22 2011-06-29 成都天融信网络安全技术有限公司 Automatic detection method of polymorphic worms
CN102622543B (en) * 2012-02-06 2016-08-03 北京百度网讯科技有限公司 A kind of method and apparatus of dynamic detection malicious web pages script
CN110535878B (en) * 2019-09-23 2021-03-30 电子科技大学 Threat detection method based on event sequence
CN113098832B (en) * 2019-12-23 2022-09-27 四川大学 Remote buffer overflow attack detection method based on machine learning
CN112765603B (en) * 2021-01-28 2022-04-05 电子科技大学 Abnormity tracing method combining system log and origin graph

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6789202B1 (en) * 1999-10-15 2004-09-07 Networks Associates Technology, Inc. Method and apparatus for providing a policy-driven intrusion detection system
CN1725705A (en) * 2005-05-09 2006-01-25 杭州华为三康技术有限公司 Method for detecting flow attacking message characteristic of network equipment
CN101159732A (en) * 2007-08-14 2008-04-09 电子科技大学 Data flow analysis based hostile attack detecting method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Kohei Tatara et al. Analyzing Maximum Length of Instruction Sequence in Network Packets for Polymorphic Worm Detection. Multimedia and Ubiquitous Engineering, 2008 (MUE 2008), International Conference on, 2008, pp. 485-489. *

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant (granted publication date: 2011-02-09)
CF01 Termination of patent right due to non-payment of annual fee (termination date: 2018-06-03)