Method and device for detecting abnormal network behavior


Abstract

The invention provides a method and device for detecting abnormal network behavior. The method comprises the steps of: acquiring historical log data of a network device; analyzing the historical log data to generate historical network behavior data; generating a whitelist, a blacklist and a keynote rule (a per-actor baseline) from the historical network behavior data and a rule template; acquiring the current log data of the network device; analyzing the current log data to generate current network behavior data; filtering the current network behavior data against the whitelist to obtain suspicious behavior data; filtering the suspicious behavior data against the blacklist to obtain abnormal behavior data and unknown behavior data; comparing the unknown behavior data with the keynote rule that corresponds to the identity of the actor recorded in that unknown behavior data, and marking unknown behavior data that exceeds the keynote rule as abnormal behavior data; and outputting alarm information comprising the abnormal behavior data.
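The abstract describes a four-stage cascade (whitelist filter, blacklist filter, per-actor keynote rule, alarm output) but no data formats. The following is an added example, not code from the patent or its assignee, that implements that cascade over constructed log lines. Everything concrete here is an assumption: the `actor=... action=... target=...` log syntax, the shape of `RULE_TEMPLATE`, the use of per-hour counts as the keynote rule, and the choice to give an actor with no history for an action a limit of 0 so that a never-seen (actor, action) pair always exceeds its baseline.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log format for this example (not any real device's format):
#   "<ISO timestamp> actor=<user> action=<verb> target=<resource>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Behavior:
    ts: str
    actor: str
    action: str
    target: str

    @property
    def hour(self):
        # Bucket key for rate rules, e.g. "2024-05-01T09".
        return self.ts[:13]


def parse_logs(lines):
    """Analyze raw log lines into behavior records; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append(Behavior(**m.groupdict()))
    return records


# Assumed rule template (the patent does not publish its template format):
# actions whose historically seen (actor, action, target) triples are benign,
# actions that are always abnormal, and the multiplier applied to each actor's
# historical hourly peak to produce its keynote (baseline) limit.
RULE_TEMPLATE = {
    "whitelist_actions": {"login_ok", "read"},
    "blacklist_actions": {"exec_shell", "disable_audit"},
    "rate_multiplier": 3,
}


def build_rules(history, template=RULE_TEMPLATE):
    """Generate whitelist, blacklist and per-actor keynote rules from historical behavior."""
    whitelist = {
        (b.actor, b.action, b.target)
        for b in history
        if b.action in template["whitelist_actions"]
    }
    blacklist = set(template["blacklist_actions"])
    hourly = Counter((b.actor, b.action, b.hour) for b in history)
    peak = defaultdict(int)
    for (actor, action, _), n in hourly.items():
        peak[(actor, action)] = max(peak[(actor, action)], n)
    keynote = {k: v * template["rate_multiplier"] for k, v in peak.items()}
    return whitelist, blacklist, keynote


def detect(current, whitelist, blacklist, keynote):
    """Run the whitelist -> blacklist -> keynote cascade and return alarm records."""
    suspicious = [b for b in current if (b.actor, b.action, b.target) not in whitelist]
    alerts = [
        {"ts": b.ts, "actor": b.actor, "action": b.action, "target": b.target, "reason": "blacklist"}
        for b in suspicious
        if b.action in blacklist
    ]
    unknown = [b for b in suspicious if b.action not in blacklist]
    hourly = Counter((b.actor, b.action, b.hour) for b in unknown)
    for b in unknown:
        # Assumed design choice: no history for this (actor, action) means limit 0.
        limit = keynote.get((b.actor, b.action), 0)
        if hourly[(b.actor, b.action, b.hour)] > limit:
            alerts.append(
                {"ts": b.ts, "actor": b.actor, "action": b.action, "target": b.target, "reason": "keynote"}
            )
    return alerts


# Constructed sample data: one day of history, then a later day to evaluate.
HISTORY_LOG = """
2024-05-01T08:00:01 actor=alice action=login_ok target=vpn-gw
2024-05-01T08:02:10 actor=alice action=read target=fileserver
2024-05-01T08:03:15 actor=alice action=read target=fileserver
2024-05-01T09:10:00 actor=alice action=read target=fileserver
2024-05-01T09:11:00 actor=alice action=read target=fileserver
2024-05-01T09:12:00 actor=alice action=read target=fileserver
2024-05-01T08:05:00 actor=bob action=login_ok target=vpn-gw
2024-05-01T08:06:00 actor=bob action=read target=fileserver
""".strip().splitlines()

CURRENT_LOG = """
2024-05-02T10:00:00 actor=alice action=login_ok target=vpn-gw
2024-05-02T10:01:00 actor=alice action=read target=fileserver
2024-05-02T10:02:00 actor=alice action=read target=fileserver
2024-05-02T10:03:00 actor=bob action=exec_shell target=vpn-gw
2024-05-02T10:04:00 actor=bob action=read target=db1
2024-05-02T10:05:00 actor=bob action=read target=db1
2024-05-02T10:06:00 actor=alice action=write target=db1
2024-05-02T10:07:00 actor=carol action=read target=fileserver
this line is malformed and is skipped by the parser
""".strip().splitlines()


def run_example():
    whitelist, blacklist, keynote = build_rules(parse_logs(HISTORY_LOG))
    return detect(parse_logs(CURRENT_LOG), whitelist, blacklist, keynote)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed data the cascade produces three alarms: bob's `exec_shell` (blacklist), alice's first ever `write` (no baseline, so limit 0) and carol's `read` (an actor with no history at all). bob's two reads of `db1` are not whitelisted, because the target is new, but stay within bob's keynote limit of three reads per hour and are therefore reported as unknown rather than abnormal; that distinction between "not known-good" and "known-bad" is the point of running the two lists before the baseline comparison.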

Patent Citations (4)

Publication number | Publication date | Assignee | Title
CN-101355504-A | January 28, 2009 | 成都市华为赛门铁克科技有限公司 | Method and device for determining user behavior
CN-101883017-A | November 10, 2010 | 北京启明星辰信息技术股份有限公司; 北京启明星辰信息安全技术有限公司; 上海市计算机病毒防范服务中心 | System and method for evaluating network safe state
JP-2003263376-A | September 19, 2003 | Fujitsu Ltd (富士通株式会社) | Security management method of firewall and its management program
US-2003188189-A1 | October 02, 2003 | Desai Anish P.; Jiang Yuan John; Tarkington William C.; Oliveto Jeff P. | Multi-level and multi-platform intrusion detection and response system

Non-Patent Citations (0)

Cited By (10)

Publication number | Publication date | Assignee | Title
CN-103179024-A | June 26, 2013 | 北京二六三企业通信有限公司 | Method and device for filtering mails
CN-103577991-A | February 12, 2014 | 阿里巴巴集团控股有限公司 | User identification method and device
CN-103581355-A | February 12, 2014 | 北京千橡网景科技发展有限公司 | Method and device for handling abnormal user behavior
CN-103593376-A | February 19, 2014 | 阿里巴巴集团控股有限公司 | Method and device for collecting user behavior data
CN-103593376-B | September 15, 2017 | 阿里巴巴集团控股有限公司 | Method and device for collecting user behavior data
CN-103716313-B | July 13, 2016 | 中国科学院信息工程研究所 | Method and system for protecting user privacy information
CN-104239197-A | December 24, 2014 | 浪潮电子信息产业股份有限公司 | Administrative user abnormal behavior detection method based on big data log analysis
CN-104636494-A | May 20, 2015 | 浪潮电子信息产业股份有限公司 | Log audit back-tracing system based on the Spark big data platform
CN-104935601-A | September 23, 2015 | 北京奇虎科技有限公司 | Cloud-based website log security analysis method, device and system
CN-105260662-A | January 20, 2016 | 南京曼安信息科技有限公司 | Detection device and method of unknown application bug threat