Host-oriented suspicious network connection identification method

A network connection identification method, applied in the field of suspicious network connection identification, which can solve problems such as false positives

Inactive Publication Date: 2017-08-18
CHINA ELECTRONICS STANDARDIZATION INST

AI Technical Summary

Problems solved by technology

[0003] At present, many APT attack detection methods use malicious code detection, that is, to detect APT attacks by detecting the spread of malicious code in APT attacks. However, many APT attacks use methods such as social engineering to implant Trojan hor



Example Embodiment

[0015] Example:

[0016] A host-oriented method for identifying suspicious network connections, which makes use of the fact that the various kinds of abnormal network connections that appear during the course of an APT attack differ from the normal network connections belonging to the host's normal business. By applying a clustering method, suspicious network connections related to APT attacks are easily separated from the normal network connections related to the host's normal services, so that the various suspicious network connections related to APT attacks can be detected, which provides an important foothold for the subsequent continuous tracking of APT attacks.

[0017] A host-oriented method for identifying suspicious network connections includes the following steps:

[0018] A) determine each network connection feature used to realize network connection type clustering, and construct a network connection multidimensiona...


Abstract

The invention discloses a host-oriented suspicious network connection identification method. The method comprises the steps of: (A) determining the network connection characteristics used for clustering network connections by type, and constructing a multi-dimensional space based on those characteristics, so that each network connection is mapped to one point in the multi-dimensional space; and (B) collecting all inbound and outbound network traffic of a designated host within a unit time period, mapping every network connection in that traffic one by one to a point in the multi-dimensional space constructed in step (A), clustering the mapped points to obtain multiple sub-types each composed of the points corresponding to network connections, and judging all network connections belonging to sub-types whose point count is less than a specified threshold to be suspicious network connections. By means of this method, suspicious network connections are continuously tracked, so that detection and continuous tracking of all kinds of APT attacks can be realized.
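Steps (A) and (B) of the abstract, carried out on a constructed sample of one host's connections in a single time window. This is an added illustration, not code from the patent: the four features, their scaling, the single-linkage clustering stand-in (the patent does not specify a clustering algorithm), and the eps/threshold values are all assumptions chosen for the example.

```python
import math
from collections import Counter

def features(conn):
    # Step A: one connection -> one point in a 4-D space, each coordinate scaled
    # to roughly [0, 1] so that no single feature dominates the distance.
    return (conn["dst_port"] / 65535.0,
            math.log2(1 + conn["bytes_out"]) / 32.0,
            math.log2(1 + conn["bytes_in"]) / 32.0,
            min(conn["duration"], 3600) / 3600.0)

def cluster(points, eps):
    # Single-linkage clustering: points within eps of each other are chained into
    # one cluster (a stand-in for the patent's unspecified clustering method);
    # an isolated point ends up as a cluster of size 1.
    labels = [-1] * len(points)
    cid = 0
    for i in range(len(points)):
        if labels[i] >= 0:
            continue
        labels[i], stack = cid, [i]
        while stack:
            j = stack.pop()
            for k in range(len(points)):
                if labels[k] < 0 and math.dist(points[j], points[k]) <= eps:
                    labels[k] = cid
                    stack.append(k)
        cid += 1
    return labels

def suspicious_connections(conns, eps=0.05, threshold=3):
    # Step B: cluster one host's connections from one time window and flag every
    # connection whose sub-type (cluster) holds fewer than `threshold` points.
    labels = cluster([features(c) for c in conns], eps)
    size = Counter(labels)
    return [c for c, lab in zip(conns, labels) if size[lab] < threshold]

def conn(cid, port, bytes_out, bytes_in, duration):
    return {"id": cid, "dst_port": port, "bytes_out": bytes_out,
            "bytes_in": bytes_in, "duration": duration}

SAMPLE = [  # constructed sample window for one host, not real traffic
    conn(0, 443, 2000, 50000, 1.0), conn(1, 443, 2200, 55000, 1.5),
    conn(2, 443, 2500, 60000, 2.0), conn(3, 443, 2700, 70000, 3.0),
    conn(4, 443, 3000, 80000, 5.0),                        # routine HTTPS: 5 points
    conn(5, 53, 60, 150, 0.02), conn(6, 53, 64, 170, 0.02),
    conn(7, 53, 68, 190, 0.02), conn(8, 53, 70, 200, 0.02),   # DNS lookups: 4 points
    conn(9, 22, 5000, 9000, 120), conn(10, 22, 5200, 9500, 130),  # SSH: only 2 points
    conn(11, 8443, 120, 80, 0.5),              # a lone connection to an unusual port
]
```

With threshold 3, `suspicious_connections(SAMPLE)` returns the two SSH sessions and the lone port-8443 connection; the threshold therefore sets the trade-off between catching rare connection types and flagging legitimate but infrequent services.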

Description

Technical field

[0001] The invention belongs to the field of methods for identifying abnormal network traffic, and in particular relates to a host-oriented method for identifying suspicious network connections.

Background technique

[0002] At present, the APT (Advanced Persistent Threat) attack has become an important attack method that seriously threatens the security of information systems. It changes rapidly and has no obvious attack signature, and attackers can use it to achieve the purposes of stealing from, tampering with and destroying information systems. Detecting APT attacks is a current difficulty.

[0003] At present, many APT attack detection methods use malicious code detection, that is, they detect APT attacks by detecting the spread of malicious code in APT attacks. Detection based on code propagation can lead to false negatives.

[0004] Although APT attacks have no obvious attack characteristics, we found through research on existing APT attacks that an AP...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1425, H04L63/1441, H04L63/30
Inventor: 叶润国, 刘贤刚, 范科峰, 蔡磊, 胡影, 任泽君
Owner CHINA ELECTRONICS STANDARDIZATION INST