Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Hadoop malicious node detection system based on network behavior analysis

A malicious node and behavior analysis technology, applied in transmission systems, digital transmission systems, data exchange networks, etc., can solve problems such as the waste of resources for verification nodes, the inability to effectively detect the framework, and the cache of popular tasks.

Active Publication Date: 2015-11-04
BEIJING INSTITUTE OF TECHNOLOGYGY
View PDF4 Cites 26 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

The main idea of ​​these systems is almost based on network analysis, constructing a virtual network to trigger malicious programs, thereby locating malicious programs. However, there are relatively few researches on the detection of malicious nodes inside Hadoop. The current security assurance framework with relatively complete services mainly includes SecureMR. VIFA, etc., but all have certain limitations
[0004] 1) SecureMR: Secure MapReduce is a framework for enhancing and improving the mapping and simplification work in the MapReduce computing model, adding the Secure Committer and Secure Verifier modules, and designing and implementing the communication protocols of these modules, which can ensure non-collusion work The correctness and mapping of node calculation results, and the security of simplified nodes, but the framework cannot effectively detect the malicious behavior of a group of colluding malicious nodes.
[0005] 2) VIFA: Verification-based Integrity Assurance Framework. A verification-based service integrity assurance framework, which introduces high-level security and credible verification work nodes in cloud computing, and assumes that the simplified work nodes are credible. The calculation results of the mapping working nodes are verified by iH, and all tasks are copied and executed, and the calculation model of "reputation value" is introduced to effectively detect non-colluding and colluding malicious nodes, but each mapping task is Assigning two working nodes for repeated calculation will seriously affect the task processing performance of the cloud computing system; the verification node is a high-cost computing resource, which should be used more reasonably and efficiently. The calculation results are verified, and no caching mechanism is introduced to cache popular tasks, which will cause waste of resources for verification nodes
[0010] At present, the technology in this field lacks a comprehensive consideration of the tasks of the nodes in the cluster. For some Hadoop nodes, if they perform common tasks, their behavior will be very similar. However, if they perform different tasks, large differences are acceptable. , so when analyzing the malicious behavior of a node, the current task of the node must be taken into account, that is, we can start with the system log and analyze it in combination with network behavior

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Hadoop malicious node detection system based on network behavior analysis
  • Hadoop malicious node detection system based on network behavior analysis

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0023] The Hadoop malicious node detection system based on network behavior analysis of the present invention is specifically implemented as follows:

[0024] (1) Network behavior monitoring module

[0025] Network behavior has different behavior expressions in different network layers. Malicious programs often generate a large number of one or more network requests in the following protocols, such as: DNS, ICMP, HTTP, FTP, SMTP, etc. The present invention simultaneously monitors the network behaviors of the following key protocols:

[0026] ICMP is a sub-protocol of the TCP / IP protocol suite, used to transfer control messages between IP hosts and routers. The control message refers to the message of the network itself, such as the unreachable network, whether the host is reachable, and whether the route is available. One of the usual purposes of this type of behavior is to request a large number of data packets and exhaust server resources. The second purpose is to build communica...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a Hadoop malicious node detection system based on network behavior analysis for protecting the internal security of a cluster in view of a present situation that most malicious programs have certain network behaviors and even permeate inside the cluster to perform malicious behaviors. The Hadoop malicious node detection system comprises a network behavior monitoring module, a node log analyzing module, a node load analyzing module, and a training evaluation module malicious detection module. The network behavior monitoring module, the node log analyzing module, and the node load analyzing module operate on each node to acquire, monitor and preliminarily analyze information. The training evaluation module malicious detection module operates in an analysis host, performs model training and malicious detection after receiving information acquired by each node, and updates and stores the model regularly.

Description

Technical field [0001] The invention relates to the field of network behaviors, in particular to a Hadoop malicious node detection system based on network behavior analysis. Background technique [0002] Based on malicious analysis of network behavior, first establish a monitoring module in the cluster to monitor the behavior of each node, and set the monitoring center to be responsible for recording the key behaviors of these nodes, and use these behaviors to train the evaluation model. Through continuous iterative training, Maintain a good evaluation model to evaluate the status of nodes in the cluster in real time. In a cluster, if a node is attacked and a malicious program is run, a large number of behaviors different from other nodes will be generated, which is the core condition of judgment. [0003] At present, the malicious program monitoring technology based on network behavior analysis has had many phased results, such as NICTER system, TrumanBox system, AMCAS system, et...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): H04L12/26H04L29/06
Inventor 胡昌振薛静锋董骁赵小林余博
Owner BEIJING INSTITUTE OF TECHNOLOGYGY
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com