CN115766175A - Network intrusion detection method and electronic device - Google Patents
Publication number: CN115766175A (application number CN202211400133.9A)
Authority: CN (China)
Prior art keywords: detection, data packet, detected, target detection, network intrusion
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classification: Data Exchanges In Wide-Area Networks
Description
Technical field
This application relates to the technical field of network security, and in particular to a network intrusion detection method and an electronic device.
Background
With the widespread application of Internet of Things (IoT) technology, IoT devices of all kinds are increasingly intertwined with people's daily work and life. For purposes such as keeping user data secure, IoT devices should be able to detect network intrusion behaviour.
However, IoT devices often have small storage, little working memory and a low CPU clock frequency, while detecting network intrusion behaviour demands strong data-processing capability. How to detect network intrusion behaviour on resource-constrained IoT devices is therefore a problem that remains to be solved.
Summary of the invention
Embodiments of this application provide a network intrusion detection method and an electronic device that can be used to detect network intrusion behaviour on IoT devices with limited resources.
In a first aspect, an embodiment of this application provides a network intrusion detection method, including: in response to a received packet under test, determining the target detection chain needed to inspect the packet, the target detection chain comprising a plurality of detection nodes, each of which identifies a different type of network intrusion; determining, according to the detection priority of each detection node, the order in which the detection nodes inspect the packet; determining, in that detection order, the target detection node needed to inspect the packet; inspecting the packet with the target detection node; and, when the packet is detected to be abnormal, marking the packet with the network intrusion type corresponding to the target detection node and stopping detection.
With this technical solution, the types of network intrusion the user cares most about are inspected first using the limited computing resources, and only the highest-priority intrusion type is reported, so that network intrusion detection is achieved with limited computing resources.
In one possible implementation, determining the target detection chain in response to the received packet under test includes: determining, in response to the received packet, the protocol type of the packet; and determining, according to that protocol type, the target detection chain needed to inspect the packet.
In this implementation, different detection chains inspect packets of different protocol types, which makes it easier to later report the detection results for packets of different protocol types to the user.
In one possible implementation, each detection node is configured with an enable control bit; before the target detection node is used to inspect the packet under test, the method further includes: determining, from the enable control bit of the target detection node, that the target detection node is in the enabled state.
In this implementation, the limited computing resources are devoted to detecting the intrusion types the user cares about, unnecessary detection steps are avoided, and the set of intrusion types to detect can change dynamically with user needs and with the network environment, so that the user's intrusion-detection requirements are met while computing resources are saved.
In one possible implementation, inspecting the packet under test with the target detection node includes: matching the parameters of the packet against the intrusion behaviour parameters pre-configured in the target detection node.
In one possible implementation, detecting that the packet under test is abnormal includes: detecting that a behaviour parameter of the packet matches an intrusion behaviour parameter pre-configured in the target detection node.
In this implementation, pre-set intrusion behaviour parameters allow only intrusion behaviours with characteristic features to be detected, which further reduces the consumption of computing resources.
In one possible implementation, before determining the target detection chain in response to the received packet under test, the method further includes: determining, from the detection switch flag for network intrusion detection, that network intrusion detection is in the started state, where the value of the detection switch flag is set according to a previously received detection instruction.
In this implementation, received packets are inspected only when the user has started network intrusion detection, so that defence against network attacks is achieved with fewer computing resources.
In one possible implementation, after determining from the detection switch flag that network intrusion detection is in the started state, the method further includes: comparing the device information carried by the packet under test with the device information contained in a detection whitelist; and determining, from the comparison result, that both the sending and the receiving device of the packet are untrusted devices.
In this implementation, network intrusion detection is performed only on packets of devices that need to be inspected, so that defence against network attacks is achieved with fewer computing resources.
In one possible implementation, when the packet under test is detected to be normal, the method further includes: determining a new target detection node according to the detection order, and inspecting the packet with the new target detection node.
In a second aspect, an embodiment of this application provides an electronic device, including at least one processor and at least one memory communicatively connected to the processor, where the memory stores program instructions executable by the processor, and the processor, by invoking the program instructions, can perform the method of the first aspect.
In a third aspect, an embodiment of this application provides a chip, the chip including a processor and a data interface, where the processor reads instructions stored in a memory through the data interface and can perform the method of the first aspect.
In a fourth aspect, an embodiment of this application provides a computer-readable storage medium storing computer instructions, where the computer instructions cause a computer to perform the method of the first aspect.
Description of the drawings
To explain the technical solutions of the embodiments of this application more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of an IoT device provided by an embodiment of this application;
FIG. 2 is a flowchart of a network intrusion detection method provided by an embodiment of this application;
FIG. 3 is a schematic structural diagram of a detection chain provided by an embodiment of this application;
FIG. 4 is a flowchart of another network intrusion detection method provided by an embodiment of this application;
FIG. 5 is a schematic structural diagram of a network intrusion detection apparatus provided by an embodiment of this application;
FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of this application.
Detailed description
For a better understanding of the technical solutions of this application, the embodiments of this application are described in detail below with reference to the drawings.
It should be made clear that the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.
The terms used in the embodiments of this application are for the purpose of describing particular embodiments only and are not intended to limit this application. The singular forms "a", "said" and "the" used in the embodiments of this application and in the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise.
This application may provide an IoT device, which may be of any type and may further have the characteristics of small storage, little working memory and a low CPU clock frequency. The IoT device provided by this application can be used to perform the network intrusion detection method provided by this application, so as to detect network intrusion behaviour effectively with limited computing resources.
FIG. 1 is a schematic structural diagram of an IoT device provided by an embodiment of this application. As shown in FIG. 1, the IoT device 100 provided by the embodiment may include three functional units: an interface unit 11, a data receiving unit 12 and a network intrusion detection unit 13.
The interface unit 11 may be used to receive instruction information. The instruction information may be an AT (Attention) command triggered by the user on the IoT device 100, or an AT command triggered by the user on another IoT device and sent by that device to the IoT device 100. The specific content of the instruction information received by the interface unit 11 is described later in this application.
The data receiving unit 12 may be used to adapt to the interface of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack and to receive network packets sent by other IoT devices 200.
The network intrusion detection unit 13 may be used to perform the network intrusion detection method provided by this application.
The specific implementation of the network intrusion detection method provided by this application is described below.
FIG. 2 is a flowchart of a network intrusion detection method provided by an embodiment of this application. As shown in FIG. 2, the method may include:
Step 101: in response to a received packet under test, determine the target detection chain needed to inspect the packet, the target detection chain comprising a plurality of detection nodes, each of which identifies a different type of network intrusion.
In this embodiment, multiple detection chains may be pre-configured in the IoT device. Each chain inspects packets of a different protocol type, and each chain may contain multiple detection nodes, each identifying a different type of network intrusion. By way of example, the protocol types may include but are not limited to TCP, User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP). The intrusion types under each protocol may include but are not limited to flood attacks, host service probing attacks (scans aimed at specific ports), port scan attacks (continuous scans that do not single out specific ports) and protocol-anomaly packet attacks.
On this basis, after a packet under test is received from another IoT device, its protocol type is identified first. Specifically, the protocol type can be determined from the protocol number carried in the packet. The target detection chain needed to inspect the packet is then selected from the configured chains according to the identified protocol type.
In this way, different detection chains inspect packets of different protocol types, which makes it easier to later report the detection results for packets of different protocol types to the user.
Step 102: determine, according to the detection priority of each detection node, the order in which the detection nodes inspect the packet under test.
In this embodiment, the user can dynamically configure the detection priority of each detection node in each detection chain according to the detection needs of the current network environment.
Specifically, the IoT device may receive a detection-priority setting instruction issued by the user through the interface unit 11; the instruction may, for example, be delivered to the device as an AT command. The network intrusion detection unit 13 then configures the detection priority of each detection node in each chain according to that instruction.
FIG. 3 shows a schematic structure of a detection chain. As shown in FIG. 3, a detection chain may contain multiple detection nodes, each configured with a detection priority, and a given priority may be assigned to one or several nodes. Taking FIG. 3 as an example, 0 may denote the highest detection priority, and there may be, for instance, two detection nodes with detection priority 1.
After a packet under test is received, the order in which the detection nodes inspect it is determined from the pre-configured detection priorities. In this embodiment, the higher a node's detection priority, the earlier it inspects the packet. The order among nodes with the same detection priority can be set arbitrarily.
In this way, the intrusion types the user cares most about are inspected first using the limited computing resources.
Step 103: determine, in the detection order, the target detection node needed to inspect the packet under test.
In one possible implementation, exactly one detection node corresponds to a given detection priority, so there is one target detection node. In the following step 104, inspecting the packet with the target detection node then means inspecting it with that single node.
In another possible implementation, several detection nodes correspond to the same detection priority, so there are several target detection nodes. In the following step 104, inspecting the packet with the target detection nodes then means inspecting it with each of these nodes in turn; their order is unrestricted and they may be applied in any sequence.
Step 104: inspect the packet under test with the target detection node.
In this embodiment, as shown in FIG. 3, each detection node may also be configured with an enable control bit that indicates whether the node is enabled. The user can dynamically configure the enable state of each detection node in each chain according to the intrusion types that need to be detected in the current network environment: for an intrusion type that needs to be detected, the enable control bit of the corresponding node is set to the enabled state; conversely, for an intrusion type that does not need to be detected, it is set to the disabled state.
The enable state can likewise be configured through AT commands received by the interface unit 11; the process is the same as for configuring detection priorities described above and is not repeated here.
In this way, the limited computing resources are devoted to detecting the intrusion types the user cares about, unnecessary detection steps are avoided, and the set of intrusion types to detect can change dynamically with user needs and with the network environment, so that the user's intrusion-detection requirements are met while computing resources are saved.
On this basis, when any target detection node is to inspect the packet under test, the enable state of that node's enable control bit is checked first. If the node is enabled, it inspects the packet. If it is disabled, it is skipped and the method returns to step 103 to determine, in the detection order, the next target detection node to inspect the packet.
The specific way in which any detection node inspects the packet under test is described below.
In this embodiment, intrusion behaviour parameters matching the intrusion type that each node identifies may be pre-configured in that node.
For example, when the intrusion type a node identifies is a protocol-anomaly packet attack, the intrusion behaviour parameters configured in the node may be combinations of anomalous protocol fields. Because the fields of an anomalous protocol message can be combined in many ways, checking all of them would consume a great deal of computing resources; in this embodiment the combinations configured in the node may therefore be limited to the ones the user cares most about, which the user configures according to the needs of the current network environment, saving computing resources.
For ease of understanding, the anomalous field combinations are explained. A packet typically contains multiple fields, and different values of each field carry different specific meanings. In a protocol-anomaly packet attack, the fields of the packet are anomalous: either the value of a single field is abnormal, or every field is individually normal but the combination of several fields is abnormal (for example, the meanings of the field values contradict each other).
In another example, when the intrusion type a node identifies is a flood attack, the intrusion behaviour parameter configured in the node may be a packet sending-rate threshold. When the sending rate of the packets under test reaches the threshold set in the node, the node determines that the packets are abnormal and that a flood attack is present.
Intrusion behaviour parameters for other intrusion types are configured in a similar way and are not described further.
On this basis, for any detection node, the parameters of the packet under test are matched against the intrusion behaviour parameters pre-configured in that node. If a behaviour parameter of the packet matches an intrusion behaviour parameter configured in the node, the packet is determined to be abnormal and step 106 below is performed. Otherwise the packet is determined to be normal, and the method returns to step 103 to determine a new target detection node, which continues inspecting the packet to determine whether it belongs to another type of network intrusion.
Step 105: determine whether the packet under test has been detected to be abnormal. If so, perform step 106; otherwise, return to step 103.
Step 106: mark the packet under test with the network intrusion type corresponding to the target detection node, and stop detection.
In one possible implementation, there is one detection node per detection priority. The packet is then marked with the intrusion type corresponding to that single node, and inspection by subsequent nodes of lower detection priority is stopped. Thus only the highest-priority intrusion type is reported, saving computing resources.
In another possible implementation, several detection nodes share the same detection priority. Once all of those nodes have finished inspecting, the packet is marked with the intrusion types corresponding to each of them, and inspection by subsequent nodes of lower priority is stopped. Thus, in addition to the highest-priority intrusion type, several intrusion types can be reported; these types may, for example, contain one another or be independent of one another.
With this technical solution, various kinds of network intrusion behaviour can be detected with limited computing resources, which facilitates network intrusion detection on resource-constrained IoT devices.
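The following is an added worked example of steps 101 to 106, written for this page; it is not code from the patent or from its applicant. It models one detection chain per protocol number, nodes carrying a priority, an enable control bit and pre-configured intrusion behaviour parameters, and the stop-at-first-priority-level rule that reports every hit at that level (the single-node and multi-node variants of step 106 together). The node names, thresholds, the SYN+FIN flag combination used as the "contradictory field combination", and the sample packets are constructed for illustration and are not values from the patent.

```python
"""Added example (not the patent's own code): a priority-ordered detection
chain with enable control bits and pre-configured intrusion behaviour
parameters, following steps 101-106.  Node names, thresholds, flag
combinations and the sample packets are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from itertools import groupby
from typing import Callable, Dict, FrozenSet, List, Tuple

# IP header protocol numbers; the chain is selected by them (step 101).
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flag names, e.g. {"SYN", "FIN"}
    t: float = 0.0                        # arrival time in seconds


@dataclass
class State:
    """Per-source history that the stateful nodes (flood, port scan) need."""
    arrivals: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    ports: Dict[str, set] = field(default_factory=lambda: defaultdict(set))


@dataclass
class DetectionNode:
    intrusion_type: str
    priority: int        # 0 is the highest priority, as in FIG. 3
    enabled: bool        # the enable control bit
    params: dict         # pre-configured intrusion behaviour parameters
    match: Callable[["DetectionNode", Packet, State], bool]


def match_flood(node: DetectionNode, pkt: Packet, st: State) -> bool:
    """Flood: packets from one source inside the window reach the rate threshold."""
    hist = st.arrivals[pkt.src]
    hist.append(pkt.t)
    hist[:] = [x for x in hist if pkt.t - x <= node.params["window_s"]]
    return len(hist) >= node.params["max_pkts"]


def match_port_scan(node: DetectionNode, pkt: Packet, st: State) -> bool:
    """Port scan: one source has touched at least max_ports distinct destination ports."""
    st.ports[pkt.src].add(pkt.dport)
    return len(st.ports[pkt.src]) >= node.params["max_ports"]


def match_anomaly(node: DetectionNode, pkt: Packet, st: State) -> bool:
    """Protocol anomaly: a configured, mutually contradictory flag combination is present."""
    return any(combo <= pkt.flags for combo in node.params["bad_flag_combos"])


def build_chains() -> Dict[int, List[DetectionNode]]:
    """One chain per protocol type; every value here is constructed, not from the patent."""
    return {
        PROTO_TCP: [
            DetectionNode("tcp_flood", 0, True, {"window_s": 1.0, "max_pkts": 5}, match_flood),
            DetectionNode("tcp_port_scan", 1, True, {"max_ports": 4}, match_port_scan),
            # Disabled by default: the user enables it only when this type matters.
            DetectionNode("tcp_anomaly", 1, False,
                          {"bad_flag_combos": [frozenset({"SYN", "FIN"})]}, match_anomaly),
        ],
        PROTO_UDP: [DetectionNode("udp_flood", 0, True, {"window_s": 1.0, "max_pkts": 20}, match_flood)],
        PROTO_ICMP: [DetectionNode("icmp_flood", 0, True, {"window_s": 1.0, "max_pkts": 10}, match_flood)],
    }


def set_enable_bit(chains: Dict[int, List[DetectionNode]], intrusion_type: str, enabled: bool) -> None:
    """What the AT-command handler would do when the user toggles a node's enable bit."""
    for chain in chains.values():
        for node in chain:
            if node.intrusion_type == intrusion_type:
                node.enabled = enabled


def inspect(pkt: Packet, chains: Dict[int, List[DetectionNode]], st: State) -> Tuple[str, ...]:
    """Return the intrusion types marked on the packet (empty tuple = normal).

    Nodes run in priority order (steps 102/103); disabled nodes are skipped
    (step 104); the first priority level with any hit marks the packet and
    stops the chain (step 106), reporting every hit at that level."""
    chain = chains.get(pkt.proto)
    if chain is None:
        return ()                                      # no chain for this protocol
    ordered = sorted(chain, key=lambda n: n.priority)  # stable: same-priority order kept
    for _, level in groupby(ordered, key=lambda n: n.priority):
        hits = tuple(n.intrusion_type for n in level if n.enabled and n.match(n, pkt, st))
        if hits:
            return hits
    return ()


if __name__ == "__main__":
    chains, st = build_chains(), State()
    for i, port in enumerate((22, 23, 80, 443)):   # constructed slow scan of four ports
        print(inspect(Packet(PROTO_TCP, "10.0.0.9", "10.0.0.1", 40000 + i, port, t=0.5 * i), chains, st))
```

Two design points are worth noting. First, stateful nodes (flood, port scan) update their counters only when they are enabled and actually reached, so a hit at priority 0 leaves the priority-1 counters untouched; a real implementation should decide whether bookkeeping for skipped nodes matters for its thresholds. Second, because the sort is stable, the "arbitrary" order among same-priority nodes is simply their configured order in the chain, which keeps reports deterministic.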
FIG. 4 is a flowchart of another network intrusion detection method provided by an embodiment of this application. As shown in FIG. 4, before the target detection chain needed to inspect a received packet under test is determined as in the foregoing embodiment, the method may further include:
Step 201: in response to a received packet under test, determine from the detection switch flag that network intrusion detection is in the started state.
In this embodiment, the user can also start the network intrusion detection function dynamically according to their own needs or to changes in the network environment.
Specifically, the IoT device may receive a detection instruction issued by the user through the interface unit 11; the instruction may be a detection start instruction or a detection stop instruction, and either may, for example, be sent as an AT command. In response to a received start instruction, the device sets the detection switch flag to a first value that indicates network intrusion detection is started; in response to a received stop instruction, it sets the flag to a second value that indicates network intrusion detection is stopped.
On this basis, after a packet under test is received, the value of the detection switch flag is read first to determine whether network intrusion detection is started. If it is, step 202 below is performed normally; otherwise the current flow stops until network intrusion detection is found to be started.
In this way, received packets are inspected only when the user has started network intrusion detection, which avoids unnecessary detection overhead and achieves defence against network attacks with fewer computing resources.
Step 202: determine, from a pre-configured detection whitelist, that both the sending and the receiving device of the packet under test are untrusted devices.
In this embodiment, the IoT device may further be configured with a detection whitelist. The whitelist may contain device information of trusted devices, such as their 5-tuple information, and the user can dynamically configure the trusted devices in it, for example by adding trusted devices or removing some of them.
Based on the configured whitelist, once it is determined that the user has started network intrusion detection, it is further checked whether the sending and receiving devices of the packet under test are trusted devices in the whitelist. Specifically, the device information carried by the packet, for example the 5-tuple information of the sending and receiving devices, is compared with the device information of the trusted devices in the whitelist. If the device information carried by the packet matches that of any trusted device in the whitelist, the sending or receiving device of the packet is a trusted device, and inspection of the packet is terminated. Conversely, if the device information carried by the packet matches none of the trusted devices in the whitelist, both the sending and the receiving device are untrusted; step 101 of the foregoing embodiment is then performed to determine the target detection chain needed to inspect the packet, and inspection of the packet begins.
In another implementation, the detection whitelist may alternatively be a detection blacklist containing device information of untrusted devices, so that only packets of the untrusted devices recorded in the blacklist are inspected; this application places no limitation on this.
In this way, network intrusion detection is performed only on packets of devices that need to be inspected, which avoids unnecessary detection overhead, saves computing resources and achieves defence against network attacks with fewer computing resources.
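The following is an added worked example of the two pre-checks of steps 201 and 202, including the blacklist variant; it is written for this page and is not code from the patent or its applicant. The patent says only that the start/stop and list-maintenance instructions are AT commands and that the list may hold 5-tuple information, so the command syntax (AT+IDS, AT+IDSWL), the representation of a list entry as one device endpoint (address with optional port and protocol, None acting as a wildcard), and all addresses and ports are assumptions constructed for illustration.

```python
"""Added example (not the patent's own code): the pre-checks of steps 201-202.
The AT command syntax (AT+IDS, AT+IDSWL) and the treatment of a list entry as
one device endpoint (address, optional port, optional protocol) are assumptions;
the patent only says the instructions are AT commands and that the list may
hold 5-tuple information.  All sample values are constructed."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

FLAG_STARTED, FLAG_STOPPED = 1, 0   # the "first value" / "second value" of the switch flag

# A listed endpoint: address plus optional port and protocol (None = wildcard).
Endpoint = Tuple[str, Optional[int], Optional[int]]


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


def endpoint_matches(entry: Endpoint, addr: str, port: int, proto: int) -> bool:
    """None in an entry acts as a wildcard for that field."""
    e_addr, e_port, e_proto = entry
    return e_addr == addr and e_port in (None, port) and e_proto in (None, proto)


class Prefilter:
    def __init__(self, mode: str = "whitelist"):
        assert mode in ("whitelist", "blacklist")
        self.mode = mode
        self.switch = FLAG_STOPPED           # detection switch flag, off until told otherwise
        self.devices: Set[Endpoint] = set()  # trusted (whitelist) or untrusted (blacklist) endpoints

    def apply_command(self, cmd: str) -> None:
        """Hypothetical AT command handler standing in for interface unit 11."""
        if cmd == "AT+IDS=1":
            self.switch = FLAG_STARTED       # detection start instruction
        elif cmd == "AT+IDS=0":
            self.switch = FLAG_STOPPED       # detection stop instruction
        elif cmd.startswith("AT+IDSWL="):
            op, *fields = cmd[len("AT+IDSWL="):].split(",")
            if not fields or not fields[0]:
                raise ValueError("list operation needs at least an address")
            addr = fields[0]
            port = int(fields[1]) if len(fields) > 1 and fields[1] else None
            proto = int(fields[2]) if len(fields) > 2 and fields[2] else None
            entry = (addr, port, proto)
            if op == "ADD":
                self.devices.add(entry)
            elif op == "DEL":
                self.devices.discard(entry)
            else:
                raise ValueError(f"unknown list operation: {op}")
        else:
            raise ValueError(f"unknown command: {cmd}")

    def _listed(self, pkt: FiveTuple) -> bool:
        """True if the sender or the receiver of pkt is on the configured list."""
        return any(endpoint_matches(e, pkt.src, pkt.sport, pkt.proto)
                   or endpoint_matches(e, pkt.dst, pkt.dport, pkt.proto)
                   for e in self.devices)

    def should_inspect(self, pkt: FiveTuple) -> bool:
        """Step 201: the switch flag must be started.  Step 202: whitelist mode
        inspects only when neither party is trusted; blacklist mode inspects
        only when one party is listed as untrusted."""
        if self.switch != FLAG_STARTED:
            return False
        listed = self._listed(pkt)
        return not listed if self.mode == "whitelist" else listed


if __name__ == "__main__":
    pf = Prefilter()
    pf.apply_command("AT+IDS=1")
    pf.apply_command("AT+IDSWL=ADD,10.0.0.1")   # constructed trusted gateway
    print(pf.should_inspect(FiveTuple("10.0.0.9", "10.0.0.1", 40000, 80, 6)))  # False
```

The check costs one set scan per packet and no per-flow state, which is the point of placing it before the detection chain on a constrained device: packets from or to a trusted device never reach the chain at all. Note that the whitelist trusts an address claim carried in the packet itself, so on an untrusted network the entries should be as specific (port, protocol) as the environment allows rather than bare addresses.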
FIG. 5 is a schematic structural diagram of a network intrusion detection apparatus provided by an embodiment of the present application. As shown in FIG. 5, the apparatus may include a response module 51, a first determination module 52, a second determination module 53, an execution module 54, and a marking module 55.
The response module 51 is configured to, in response to a received packet under test, determine the target detection chain required to detect the packet under test; the target detection chain contains multiple detection nodes, each of which is used to identify a different type of network intrusion.
The first determination module 52 is configured to determine, according to the detection priority of each detection node, the order in which the detection nodes inspect the packet under test.
The second determination module 53 is configured to determine, following that detection order, the target detection node required to inspect the packet under test.
The execution module 54 is configured to inspect the packet under test using the target detection node.
The marking module 55 is configured to, after the packet under test is detected as anomalous, mark the packet under test according to the network intrusion type corresponding to the target detection node and stop detection.
In one specific implementation, the response module 51 is specifically configured to, in response to a received packet under test, determine the protocol type corresponding to the packet under test, and to determine, according to that protocol type, the target detection chain required to detect the packet under test.
In one specific implementation, each detection node is configured with an enable control bit, and the execution module 54 is further configured to determine, from the enable control bit of the target detection node, that the target detection node is in the enabled state.
In one specific implementation, the execution module 54 is specifically configured to perform parameter matching on the packet under test using the intrusion behaviour parameters preconfigured in the target detection node.
In one specific implementation, the execution module 54 is specifically configured to detect that the behaviour parameters of the packet under test are consistent with the intrusion behaviour parameters preconfigured in the target detection node.
In one specific implementation, the response module 51 is further configured to determine, from the detection switch flag of network intrusion detection, that network intrusion detection is in the started state; the value of the detection switch flag is set according to a previously received detection instruction.
In one specific implementation, the response module 51 is further configured to compare the device information carried by the packet under test with the device information contained in the detection whitelist, and to determine, from the comparison result, that the sending and receiving devices of the packet under test are all untrusted devices.
In one specific implementation, when the packet under test is detected as normal, the second determination module 53 is further configured to determine a new target detection node following the detection order, and the execution module 54 is further configured to inspect the packet under test using the new target detection node.
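The whitelist pre-check and the priority-ordered detection chain described above (chain selected by protocol type, enable control bit per node, parameter matching, mark-and-stop on the first anomaly, fall through to the next node when a node finds the packet normal), as an added example in Python that is not the patent's own code. The five-tuples, node names and intrusion parameters are constructed for illustration and are not signatures from the application.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, protocol)

@dataclass
class Packet:
    five_tuple: FiveTuple                                      # device information compared against the whitelist
    params: Dict[str, object] = field(default_factory=dict)  # observed behaviour parameters
    label: Optional[str] = None  # set by the marking step when an anomaly is found

@dataclass
class DetectionNode:
    intrusion_type: str
    priority: int                        # lower value is checked first
    enabled: bool                        # the node's enable control bit
    intrusion_params: Dict[str, object]  # preconfigured intrusion behaviour parameters

    def matches(self, pkt: Packet) -> bool:
        # Parameter matching: every configured parameter must equal the packet's value.
        return all(pkt.params.get(k) == v for k, v in self.intrusion_params.items())

class Detector:
    def __init__(self, chains: Dict[str, List[DetectionNode]],
                 whitelist: List[FiveTuple], switch_on: bool = True) -> None:
        self.chains = chains           # protocol type -> detection chain
        self.whitelist = set(whitelist)
        self.switch_on = switch_on     # the detection switch flag

    def inspect(self, pkt: Packet) -> str:
        if not self.switch_on:                      # detection not started
            return "skipped:switch_off"
        if pkt.five_tuple in self.whitelist:        # trusted device: terminate early
            return "skipped:trusted"
        chain = self.chains.get(pkt.five_tuple[4])  # select the chain by protocol type
        if chain is None:
            return "skipped:no_chain"
        for node in sorted(chain, key=lambda n: n.priority):  # detection order by priority
            if not node.enabled:                    # enable bit clear: skip this node
                continue
            if node.matches(pkt):                   # anomaly: mark the packet and stop
                pkt.label = node.intrusion_type
                return "anomaly:" + node.intrusion_type
        return "normal"                             # every enabled node judged it normal

def build_demo_detector() -> Detector:
    # Constructed, illustrative parameters and addresses; not signatures from the patent.
    tcp_chain = [
        DetectionNode("tcp_null_scan", 2, True, {"flags": ""}),
        DetectionNode("tcp_xmas_scan", 1, False, {"flags": "FPU"}),  # disabled by its enable bit
        DetectionNode("tcp_syn_fin", 3, True, {"flags": "SF"}),
    ]
    udp_chain = [DetectionNode("udp_empty_datagram", 1, True, {"payload_len": 0})]
    trusted = [("10.0.0.2", 5000, "10.0.0.9", 80, "tcp")]
    return Detector({"tcp": tcp_chain, "udp": udp_chain}, trusted)

def run_demo() -> List[str]:
    det = build_demo_detector()
    packets = [  # constructed sample packets
        Packet(("10.0.0.2", 5000, "10.0.0.9", 80, "tcp"), {"flags": ""}),     # whitelisted device
        Packet(("10.0.0.7", 4444, "10.0.0.9", 80, "tcp"), {"flags": "FPU"}),  # matching node is disabled
        Packet(("10.0.0.7", 4444, "10.0.0.9", 80, "tcp"), {"flags": "SF"}),
        Packet(("10.0.0.7", 4444, "10.0.0.9", 53, "udp"), {"payload_len": 0}),
    ]
    return [det.inspect(p) for p in packets]
```

Because the whitelist is keyed on the five-tuple the packet itself carries, a packet with forged addresses is exempted from inspection just like a genuine trusted device; a deployment should therefore keep the whitelist small and pair it with link-layer or cryptographic device authentication.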
Through the above technical solution, detection of network intrusion behaviour can be realized on resource-constrained Internet of Things devices.
FIG. 6 is a schematic structural diagram of another electronic device provided by an embodiment of the present application. As shown in FIG. 6, the electronic device may include at least one processor and at least one memory communicatively connected to the processor, where the memory stores program instructions executable by the processor, and the processor, by invoking the program instructions, is able to execute the network intrusion detection method provided by the embodiments of the present application.
This embodiment does not limit the specific form of the electronic device.
FIG. 6 shows a block diagram of an exemplary electronic device suitable for implementing the embodiments of the present application. The electronic device shown in FIG. 6 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present application.
As shown in FIG. 6, the electronic device takes the form of a general-purpose computing device. The components of the electronic device may include, but are not limited to, one or more processors 410, a memory 430, and a communication bus 440 connecting the different system components (including the memory 430 and the processors 410).
The communication bus 440 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor bus, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
The electronic device typically includes a variety of computer-system-readable media. These media may be any available media that can be accessed by the electronic device, including volatile and non-volatile media, removable and non-removable media.
The memory 430 may include computer-system-readable media in the form of volatile memory, such as random access memory (RAM) and/or cache memory. The electronic device may further include other removable/non-removable, volatile/non-volatile computer system storage media. Although not shown in FIG. 6, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (such as a "floppy disk") and an optical disk drive for reading from and writing to a removable non-volatile optical disk (such as a Compact Disc Read Only Memory (CD-ROM), a Digital Video Disc Read Only Memory (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to the communication bus 440 through one or more data media interfaces. The memory 430 may include at least one program product having a set (for example, at least one) of program modules configured to carry out the functions of the embodiments of the present application.
A program/utility having a set (at least one) of program modules may be stored in the memory 430; such program modules include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, and each of these examples, or some combination of them, may include an implementation of a networking environment. The program modules generally carry out the functions and/or methods of the embodiments described in the present application.
The electronic device may also communicate with one or more external devices (such as a keyboard, a pointing device, a display, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (such as a network card, a modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may take place through a communication interface 420. Furthermore, the electronic device may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) through a network adapter (not shown in FIG. 6); the network adapter may communicate with the other modules of the electronic device through the communication bus 440. It should be understood that, although not shown in FIG. 6, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, Redundant Arrays of Independent Drives (RAID) systems, tape drives, data backup storage systems, and the like.
The processor 410 executes various functional applications and network intrusion detection by running programs stored in the memory 430, for example implementing the network intrusion detection method provided by the embodiments of the present application.
An embodiment of the present application further provides a computer-readable storage medium that stores computer instructions, and the computer instructions cause a computer to execute the network intrusion detection method provided by the embodiments of the present application.
The computer-readable storage medium may be any combination of one or more computer-readable media. A computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM) or flash memory, an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, an electromagnetic signal, an optical signal, or any suitable combination of the foregoing. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including, but not limited to, wireless, wireline, optical fibre cable, RF, etc., or any suitable combination of the foregoing.
In the description of this specification, references to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples", and the like mean that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art may combine and integrate the different embodiments or examples described in this specification, and the features of different embodiments or examples, provided they do not contradict one another.
In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality of" means at least two, for example two, three, etc., unless otherwise expressly and specifically defined.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment, or portion of code that includes one or more executable instructions for implementing the steps of a custom logical function or process, and the scope of the preferred embodiments of the present application includes alternative implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as should be understood by those skilled in the art to which the embodiments of the present application belong.
In the several embodiments provided in the present application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative; for example, the division into units is only a division by logical function, and there may be other ways of dividing them in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or in other forms.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall be included within the scope of protection of the present application.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211400133.9A CN115766175A (en) | 2022-11-09 | 2022-11-09 | Network intrusion detection method and electronic device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115766175A true CN115766175A (en) | 2023-03-07 |
Family
ID=85368803
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |