
Method and device for detecting and backtracking a compromised host based on real-time stream processing

A real-time stream-processing technique for host security in the field of network security. It addresses problems such as the limited quality of threat intelligence, the lack of a means of historical retrospection, and attack behaviour that existing methods cannot detect.

Status: Inactive. Publication Date: 2020-04-03
中电福富信息科技有限公司


Problems solved by technology

Detection of compromised-host attacks based on attack signatures cannot give early warning of new features, such as newly emerged attack behaviour that has not yet been added to the signature database. The behaviour of compromised hosts is becoming ever more covert, so identifying it from statistical regularities is becoming more difficult. Identifying compromised hosts from threat intelligence alone is limited by the quality of that intelligence. Finally, there is no effective means of historically reviewing the behaviour of a compromised host, and the existing approach is limited to a specific scenario.


Embodiment Construction

[0030] As shown in figure 1 or figure 2, the present invention discloses a method for detecting and backtracking a compromised host based on real-time stream processing, which comprises the following steps:

[0031] Step 1. Obtain network data packets from each node of the network and, according to the configuration requirements, retain the corresponding original network packets; extract host behaviour data from the packets by DPI (deep packet inspection) through analysis probes;

[0032] Step 2. Compare the current real-time behaviour data with the historical data for anomaly detection and judge whether there is a difference; if so, go to step 3; otherwise, return to step 1;

[0033] Step 3. Save the original network packets of the host whose data was detected as abnormal and record that host's network behaviour data in detail; judge whether it is an abnormal host by analysing the corresponding data file; if not, return to step 1;

[0034] Step 4, match the information of the s...
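The steps above form one pipeline: extract per-host behaviour records from packets, compare each record with a historical baseline, retain the raw records of a host that looks abnormal so an analyst can backtrack over them, and (as the abstract states, since step 4 is truncated on this page) match the result against threat intelligence and feed confirmed findings back into it. The following Python program is a worked example of that pipeline written for this edit; it is not code from the patent or from 中电福富信息科技有限公司. The hosts, addresses, flow records, the z-score and beaconing heuristics, and the thresholds are all constructed assumptions for illustration, not anything the patent specifies.

```python
"""Added example (not the patent's code): baseline anomaly detection, record retention and threat-intel matching."""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:  # one host-behaviour record as a DPI probe would extract it from a packet
    ts: float    # seconds since stream start
    src: str     # monitored host
    dst: str     # remote address
    dport: int   # remote port
    nbytes: int  # payload size

class HostProfile:  # historical behaviour of one host, learned from past flows (the baseline)
    def __init__(self):
        self.dsts, self.dports, self.sizes = set(), set(), []

    def learn(self, f):
        self.dsts.add(f.dst)
        self.dports.add(f.dport)
        self.sizes.append(f.nbytes)

    def size_z(self, nbytes):  # standard deviations from the host's historical mean size
        if len(self.sizes) < 2:
            return 0.0
        return abs(nbytes - mean(self.sizes)) / (pstdev(self.sizes) or 1.0)

class CompromiseDetector:
    def __init__(self, intel, ring=16, z_threshold=3.0, beacon_cv=0.2):
        self.profiles = defaultdict(HostProfile)
        self.intel = set(intel)  # threat intelligence: known C&C destinations (assumed feed)
        self.ring = defaultdict(lambda: deque(maxlen=ring))  # step 1: rolling raw records per host
        self.retained = defaultdict(set)  # step 3: frozen records of hosts flagged as abnormal
        self.verdicts = {}
        self.z_threshold, self.beacon_cv = z_threshold, beacon_cv

    def train(self, history):
        for f in history:
            self.profiles[f.src].learn(f)

    def anomalies(self, f):
        """Step 2: compare the live record with the host's historical profile."""
        p, reasons = self.profiles[f.src], []
        if f.dst not in p.dsts:
            reasons.append("new-destination")
        if f.dport not in p.dports:
            reasons.append("new-port")
        if p.size_z(f.nbytes) > self.z_threshold:
            reasons.append("size-outlier")
        return reasons

    def backtrack(self, host, reasons):
        """Steps 3-4: replay the retained records, look for periodic contact, match threat intel."""
        by_dst = defaultdict(list)
        for f in sorted(self.retained[host], key=lambda x: x.ts):
            by_dst[f.dst].append(f.ts)
        hits = [dst for dst in by_dst if dst in self.intel]
        beacons = []
        for dst, stamps in by_dst.items():
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            # Regular intervals to a destination absent from the baseline: C&C-style beaconing.
            if (len(gaps) >= 3 and mean(gaps) > 0 and dst not in self.profiles[host].dsts
                    and pstdev(gaps) / mean(gaps) < self.beacon_cv):
                beacons.append(dst)
        verdict = {"compromised": bool(hits or beacons), "reasons": reasons,
                   "beacons": beacons, "intel_hits": hits}
        if verdict["compromised"]:
            self.intel.update(beacons)  # feed confirmed C&C destinations back into the intel set
        self.verdicts[host] = verdict
        return verdict

    def process(self, f):  # one stream step: buffer, score against the baseline, retain, backtrack
        self.ring[f.src].append(f)
        reasons = self.anomalies(f)
        if not reasons:
            return None
        self.retained[f.src].update(self.ring[f.src])
        return self.backtrack(f.src, reasons)

def run_demo():
    """Constructed scenario: 10.0.0.5 starts beaconing to 203.0.113.7 every 60 s,
    10.0.0.6 later contacts that address once, 10.0.0.7 stays clean."""
    baseline = [(1, "10.0.0.10", 443, 1000), (2, "10.0.0.53", 53, 1200), (3, "10.0.0.10", 443, 1100),
                (4, "10.0.0.53", 53, 1300), (5, "10.0.0.10", 443, 1400), (6, "10.0.0.10", 443, 1000)]
    history = [Flow(t, h, d, p, s) for h in ("10.0.0.5", "10.0.0.6", "10.0.0.7") for t, d, p, s in baseline]
    live = [Flow(1000 + 60 * i, "10.0.0.5", "203.0.113.7", 8443, 400) for i in range(5)]
    live += [Flow(1010 + 60 * i, "10.0.0.6", "10.0.0.10", 443, 1100) for i in range(4)]
    live += [Flow(1020 + 60 * i, "10.0.0.7", "10.0.0.53", 53, 1200) for i in range(4)]
    live.append(Flow(1300, "10.0.0.6", "203.0.113.7", 443, 1150))
    det = CompromiseDetector(intel=["198.51.100.9"])
    det.train(history)
    for f in sorted(live, key=lambda x: x.ts):
        det.process(f)
    return det
```

Calling `run_demo()` and reading `verdicts` shows the two paths the patent describes. Host 10.0.0.5 is flagged on its first contact with an unknown destination, but it is only judged compromised once the retained records show four contacts at a fixed 60 s interval; that destination is then added to the intel set. Host 10.0.0.6 makes a single connection to the same address, which on its own would only be a "new destination" anomaly, yet the backtrack confirms it immediately from the updated intelligence, which is the faster judgement of subsequent hosts the abstract claims. In a real deployment the ring buffer would hold raw packets rather than flow summaries, and freezing it only for flagged hosts is what keeps full-packet retention affordable.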


Abstract

The invention discloses a method and device for detecting and backtracking a compromised host based on real-time stream processing, and relates to a technical scheme and device for discovering compromised hosts through an anomaly detection algorithm. The method takes the host's network connection behaviour as the starting point of analysis, implements a machine-learning anomaly detection algorithm with real-time stream processing technology, and brings massive historical data into host behaviour pattern recognition, so that detection is both more real-time and more practical to deploy. At the same time, the traffic of abnormal hosts is retained so that traffic backtracking analysis can be carried out, which improves the accuracy of the detection result; and the threat intelligence is updated, which raises the rate at which subsequent abnormal hosts are investigated and judged.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a method and device for detecting and backtracking a compromised host based on real-time stream processing.

Background technique

[0002] The CKC (Cyber Kill Chain) model proposed by Lockheed Martin decomposes the advanced-threat process. As the attack progresses, the target host locked on by the attacker passes through several stages such as intrusion, control, and malicious behaviour. After the target host is compromised, it establishes a connection with the remote C&C server and remains under the attacker's control; it is then often used as a springboard to launch scanning attacks, denial-of-service attacks, malicious website access, vulnerability intrusions, data theft and similar activities against new targets on the intranet or extranet.

[0003] Existing host security is mostly identified through anti-virus software deployed...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06N20/00
CPC: H04L63/1416, H04L63/1425, G06N20/00
Inventors: 任竹艳, 高儒振, 金潇, 陈伟, 郝玉虎, 刘欣
Owner: 中电福富信息科技有限公司