Network management and control method and device and electronic equipment

Document number: 1398617  Publication date: 2020-03-03  Views: 4  Language: Chinese

Reading note: the technique "Network management and control method and device and electronic equipment" (一种网络管控方法、装置以及电子设备) was designed and created by 陈招君 on 2018-08-24. Its main content is as follows. The application discloses a network management and control method, a network management and control device and electronic equipment. The method comprises: collecting network traffic; extracting a picture stream from the network traffic; identifying an abnormal picture stream based on the feature information of the picture stream; and identifying the remote monitoring behavior corresponding to the abnormal picture stream. The embodiments associate the process of identifying abnormal remote control behavior with the process of identifying abnormal picture streams so as to achieve network management and control; compared with the prior art, this is more universally applicable and achieves a higher identification success rate for remote monitoring behavior.

1. A network management and control method, characterized by comprising the following steps:

collecting network traffic;

extracting a picture stream from the network traffic;

identifying an abnormal picture stream based on the feature information of the picture stream;

identifying the remote monitoring behavior corresponding to the abnormal picture stream.

2. The network management and control method according to claim 1, wherein the identifying an abnormal picture stream based on the feature information of the picture stream includes:

comparing the feature information of the picture stream with a preset filter set by a comparison and screening method, wherein a picture stream whose comparison result does not match is an abnormal picture stream; the filter set is a feature set of a predetermined normal picture stream.

3. The network management and control method according to claim 2, wherein the filter set includes at least one of:

a traffic baseline;

a picture stream whitelist.

4. The network management and control method according to claim 1, further comprising, before extracting the picture stream from the network traffic:

performing traffic identification on the collected network traffic;

correspondingly, the extracting the picture stream from the network traffic includes:

after traffic identification has been performed on the collected network traffic, if there is unknown traffic that does not match the known traffic, performing picture stream identification on the unknown traffic and extracting the picture stream in the unknown traffic.

5. The network management and control method according to claim 4, wherein the performing picture stream identification on the unknown traffic includes:

performing picture stream identification on the unknown traffic through a picture stream identification model.

6. The network management and control method according to claim 5, wherein the picture stream identification model is obtained by:

acquiring picture stream reference data;

preprocessing the picture stream reference data to obtain a picture stream training set and a picture stream test set;

training on the picture stream training set to generate an initial picture stream identification model; evaluating the identification effect of the initial picture stream identification model using the picture stream test set, and, according to the evaluation result, either determining the picture stream identification model or performing secondary training on the initial picture stream identification model.

7. The network management and control method according to claim 6, wherein the acquiring picture stream reference data includes:

simulating the network communication process of pictures and acquiring picture stream reference data; or,

generating picture stream reference data using a remote control application program.

8. The network management and control method according to claim 4, wherein the performing traffic identification on the collected network traffic includes:

performing traffic identification on the collected network traffic according to the category of the network traffic.

9. The network management and control method according to claim 8, wherein the performing traffic identification on the collected network traffic according to the category of the network traffic includes:

performing traffic identification on the collected network traffic according to the network application layer protocol type;

correspondingly, the unknown traffic includes:

network traffic that does not match a known network application layer protocol type.

10. The network management and control method according to claim 4, wherein the performing traffic identification on the collected network traffic includes:

performing traffic identification on the collected network traffic using a machine learning-based method.

11. The network management and control method according to claim 1, further comprising:

blocking the remote monitoring behavior.

12. A network management and control apparatus, comprising:

a network traffic collection unit, configured to collect network traffic;

a picture stream extraction unit, configured to extract a picture stream from the network traffic;

an abnormal picture stream identification unit, configured to identify an abnormal picture stream based on the feature information of the picture stream; and

a remote monitoring behavior identification unit, configured to identify the remote monitoring behavior corresponding to the abnormal picture stream.

13. An electronic device, comprising:

a processor; and

a memory configured to store a network management and control program, wherein after the device is powered on and runs the network management and control program through the processor, the following steps are executed:

collecting network traffic; extracting a picture stream from the network traffic; identifying an abnormal picture stream based on the feature information of the picture stream; and identifying the remote monitoring behavior corresponding to the abnormal picture stream.

Technical Field

The present application relates to the field of network technologies, and in particular, to a network management and control method. The application also relates to a network control device and an electronic device.

Background

Remote control refers to a technology in which one terminal (a master control end) on a network remotely controls another terminal (a controlled end) by using remote control software, and is widely applied to various application occasions such as remote office, remote education, remote command and the like.

However, the remote control technology is utilized by hackers to perform network attacks, such as common APT attacks, and is characterized in that before an attack is initiated, accurate information collection is performed on a service flow and a target system of an attack object by using an information collection manner such as a phisher, and then a long-term persistent attack is performed on the attack object by using the remote control technology. The phenomenon that the remote control technology is applied to the abnormal network application environment is called abnormal remote control behavior.

Since the abnormal remote control behavior has great harm to the controlled end, identifying the abnormal remote control behavior in the network is an important defense line in network security construction.

Disclosure of Invention

The application provides a network management and control method, which aims to solve the problem that, because effective features of abnormal remote control traffic are difficult to extract, the abnormal remote control traffic cannot be identified and therefore the abnormal remote control behavior cannot be identified. The application further provides a network management and control device and an electronic device.

The application provides a network management and control method, which comprises the following steps:

collecting network traffic;

extracting a picture stream from the network traffic;

identifying an abnormal picture stream based on the feature information of the picture stream;

identifying the remote monitoring behavior corresponding to the abnormal picture stream.

Optionally, the identifying an abnormal picture stream based on the feature information of the picture stream includes:

comparing the feature information of the picture stream with a preset filter set by a comparison and screening method, wherein a picture stream whose comparison result does not match is an abnormal picture stream; the filter set is a feature set of a predetermined normal picture stream.

Optionally, the filter set includes at least one of:

a traffic baseline;

a picture stream whitelist.

Optionally, before extracting the picture stream from the network traffic, the method further includes:

performing traffic identification on the collected network traffic;

correspondingly, the extracting the picture stream from the network traffic includes:

after traffic identification has been performed on the collected network traffic, if there is unknown traffic that does not match the known traffic, performing picture stream identification on the unknown traffic and extracting the picture stream in the unknown traffic.

Optionally, the performing picture stream identification on the unknown traffic includes:

performing picture stream identification on the unknown traffic through a picture stream identification model.

Optionally, the picture stream identification model is obtained by the following steps:

acquiring picture stream reference data;

preprocessing the picture stream reference data to obtain a picture stream training set and a picture stream test set;

training on the picture stream training set to generate an initial picture stream identification model; evaluating the identification effect of the initial picture stream identification model using the picture stream test set, and, according to the evaluation result, either determining the picture stream identification model or performing secondary training on the initial picture stream identification model.

Optionally, the acquiring picture stream reference data includes:

simulating the network communication process of pictures and acquiring picture stream reference data; or,

generating picture stream reference data using a remote control application program.

Optionally, the performing traffic identification on the collected network traffic includes:

performing traffic identification on the collected network traffic according to the category of the network traffic.

Optionally, the performing traffic identification on the collected network traffic according to the category of the network traffic includes:

performing traffic identification on the collected network traffic according to the network application layer protocol type;

correspondingly, the unknown traffic includes:

network traffic that does not match a known network application layer protocol type.

Optionally, the performing traffic identification on the collected network traffic includes:

performing traffic identification on the collected network traffic using a machine learning-based method.

Optionally, the method further includes:

blocking the remote monitoring behavior.

The present application further provides a network management and control device, including:

a network traffic collection unit, configured to collect network traffic;

a picture stream extraction unit, configured to extract a picture stream from the network traffic;

an abnormal picture stream identification unit, configured to identify an abnormal picture stream based on the feature information of the picture stream; and

a remote monitoring behavior identification unit, configured to identify the remote monitoring behavior corresponding to the abnormal picture stream.

The present application further provides an electronic device, comprising:

a processor; and

a memory configured to store a network management and control program, wherein after the device is powered on and runs the network management and control program through the processor, the following steps are executed:

collecting network traffic;

extracting a picture stream from the network traffic;

identifying an abnormal picture stream based on the feature information of the picture stream;

identifying the remote monitoring behavior corresponding to the abnormal picture stream.

Compared with the prior art, the method has the following advantages:

The network management and control method exploits two characteristics: desktop remote control accounts for a large proportion of abnormal remote control behavior, and desktop remote control is implemented as a picture stream. It therefore associates the identification of abnormal remote control behavior with the identification of abnormal picture streams: the picture streams in the network traffic are extracted first, the abnormal picture streams among them are then identified based on the feature information of the picture streams, and finally the remote monitoring behavior corresponding to the abnormal picture streams is identified, which achieves the purpose of network management and control. Existing identification techniques based on fixed remote control protocol features suffer from the difficulty of extracting effective features; here the identification of abnormal picture streams replaces the matching of feature fields, so the method is more universally applicable and its identification success rate for remote monitoring behavior is higher.

Drawings

Fig. 1 is a flowchart of a network management and control method according to a first embodiment of the present application;

fig. 2 is a flowchart of constructing a picture stream recognition model according to a first embodiment of the present application;

fig. 3 is a block diagram of a network management and control apparatus unit according to a second embodiment of the present application;

fig. 4 is a schematic diagram of an electronic device according to a third embodiment of the present application.

Detailed Description

In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. The application can, however, be implemented in many ways other than those set forth herein, and those skilled in the art can make similar extensions without departing from the spirit of the application; the application is therefore not limited to the specific implementations disclosed below.

Among the many remote control technologies, desktop remote control accounts for a large proportion. Desktop remote control continuously captures the screen desktop of the controlled end, transmits the captured images over the network as a picture stream and feeds them back to the control end, so that the screen can be monitored and controlled in real time. At present, desktop remote control is used by more and more abnormal remote control behaviors.

Because continuous network attacks on network terminals by means of desktop remote control are currently one of the more prevalent attack means among the many network attack means, the application provides a network management and control method, a network management and control device and electronic equipment.

A first embodiment of the present application provides a network management and control method that can be applied to identifying the remote control behavior of existing network attacks that use desktop remote control. Please refer to fig. 1 to understand the embodiment; fig. 1 is a flowchart of the method of the embodiment.

As shown in fig. 1, the network management and control method provided in this embodiment includes the following steps:

S101, collecting network traffic.

This step acquires the original network traffic running on the network. The original network traffic is the traffic to be identified; the subsequent steps take it as the basic traffic for analysis and processing.

Network traffic refers to the amount of data transmitted over a network, sent and received in the form of network flows, and is an important carrier that records and reflects the activities of the network and its users. In the application, the network traffic reflects the current state of the network; it can be collected in advance from the running network by network collection equipment and then delivered to a preset analysis center for analysis and processing, or it can be collected, analyzed and processed online in real time.

Collecting the network traffic comprises two parts, capture and flow grouping. Capture refers to collecting high-speed network data packets: packets are captured on network equipment such as a running network link, a switch or a router; in this embodiment a traffic record consisting of the original packets is captured by port mirroring. Flow grouping refers to grouping the captured packets into network flows so as to recover the network traffic: since a network flow consists of packets sharing the same five-tuple (source IP, destination IP, source port, destination port, transport layer protocol) within a certain time interval, this embodiment groups the packets by matching the five-tuple, and the network traffic is thereby obtained.
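The capture and flow-grouping step described above, as an added Python example that is not part of the patent text: packets from a constructed sample capture (not real traffic) are grouped by five-tuple with an idle timeout, the per-flow statistical features the description names later (average packet length, packet inter-arrival time, first 50 payload bytes) are computed, and a small port- and payload-based identifier for a few known application-layer protocols (the "existing methods" the description lists) leaves the remaining flows as the unknown traffic that the picture-stream step consumes. The `Packet` and `Flow` types, the 30-second idle timeout, the protocol signatures and the sample capture are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, transport protocol)


@dataclass
class Packet:
    """One captured packet as delivered by port mirroring (assumed record shape)."""
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # "tcp" or "udp"
    payload: bytes


@dataclass
class Flow:
    key: FiveTuple
    packets: List[Packet] = field(default_factory=list)


FLOW_TIMEOUT = 30.0  # assumed: silence longer than this starts a new flow for the same 5-tuple


def group_flows(packets: List[Packet], timeout: float = FLOW_TIMEOUT) -> List[Flow]:
    """Group packets into flows by 5-tuple; a gap longer than `timeout` closes the flow."""
    flows: List[Flow] = []
    open_flows: Dict[FiveTuple, Flow] = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        flow = open_flows.get(key)
        if flow is not None and pkt.ts - flow.packets[-1].ts > timeout:
            flow = None  # idle too long: same 5-tuple, but a new flow
        if flow is None:
            flow = Flow(key)
            flows.append(flow)
            open_flows[key] = flow
        flow.packets.append(pkt)
    return flows


def flow_features(flow: Flow, head_bytes: int = 50) -> dict:
    """Per-flow statistical features: average packet length, mean inter-arrival time and the
    first `head_bytes` payload bytes of the flow as separate dimensions (zero-padded)."""
    lengths = [len(p.payload) for p in flow.packets]
    ts = [p.ts for p in flow.packets]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    head = flow.packets[0].payload[:head_bytes].ljust(head_bytes, b"\x00")
    return {
        "avg_len": sum(lengths) / len(lengths),
        "mean_iat": sum(gaps) / len(gaps) if gaps else 0.0,
        "head": list(head),
    }


def identify_protocol(flow: Flow) -> Optional[str]:
    """Port- and payload-based identification of a few known application-layer protocols
    (signatures assumed for the example); returns None for unknown traffic."""
    first = flow.packets[0].payload
    _, _, sport, dport, proto = flow.key
    if proto == "udp" and 53 in (sport, dport):
        return "dns"
    if first.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03:
        return "tls"
    return None


def unknown_flows(packets: List[Packet]) -> List[Flow]:
    """Flows matching no known protocol: the input to picture-stream identification."""
    return [f for f in group_flows(packets) if identify_protocol(f) is None]


# Constructed sample capture (not real traffic): a DNS query, an HTTP request, and a stream of
# large packets starting with a JPEG SOI marker sent at a steady 25 frames per second.
SAMPLE = [
    Packet(0.00, "10.0.0.5", "10.0.0.53", 40000, 53, "udp", b"\x12\x34\x01\x00" + b"\x00" * 20),
    Packet(0.10, "10.0.0.5", "93.184.216.34", 40001, 80, "tcp",
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
] + [
    Packet(1.0 + 0.04 * i, "10.0.0.5", "203.0.113.9", 40002, 8443, "tcp",
           b"\xff\xd8\xff\xe0" + bytes([i]) * 1400)
    for i in range(20)
] + [
    # same 5-tuple again after a long pause: grouped as a second flow
    Packet(100.0 + 0.04 * i, "10.0.0.5", "203.0.113.9", 40002, 8443, "tcp",
           b"\xff\xd8\xff\xe0" + b"\x7f" * 1400)
    for i in range(5)
]

if __name__ == "__main__":
    for f in unknown_flows(SAMPLE):
        feats = flow_features(f)
        print(f.key, len(f.packets), round(feats["avg_len"], 1), round(feats["mean_iat"], 3))
```

The idle timeout matters in practice: without it, a long-lived desktop-control session and an unrelated later connection reusing the same ports would be merged into one flow and their statistics blurred together.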

S102, extracting the picture stream from the network traffic.

This step extracts the picture stream from the collected network traffic. A picture stream is the network traffic formed when pictures are transmitted over a network; it includes normal picture traffic and abnormal picture traffic, where normal picture traffic is generated while a normal application program runs and abnormal picture traffic is generated by an abnormal application (such as the desktop remote control used in a network attack).

In this embodiment, traffic identification is performed on the collected network traffic before the picture stream is extracted. Correspondingly, the picture stream is extracted as follows: after traffic identification has been performed on the collected network traffic, if there is unknown traffic that does not match any known network traffic, picture stream identification is performed on the unknown traffic and the picture stream in the unknown traffic is extracted.

In this embodiment, performing traffic identification on the collected network traffic means identifying it according to the category of the network traffic, where categories include, for example, audio/video traffic, search traffic and recommendation traffic. Specifically, the collected network traffic is identified according to the network application layer protocol type: the applications corresponding to the network traffic are identified by analyzing the characteristics and attributes of the traffic, the identified network application layer protocol type of each application is compared with the known network application layer protocol types, and any network traffic that matches no known network application layer protocol type is unknown traffic.

Existing traffic identification methods mainly include port-based methods, packet-analysis-based methods and machine-learning-based methods. Port-based identification suits traffic on a small number of stable ports, such as DNS; packet-analysis-based identification mainly suits traffic that is unencrypted and carries obvious payload signature strings; machine-learning-based identification can be used for traffic that the two methods above cannot identify. Machine-learning-based network traffic identification mainly includes: supervised traffic classification, which trains a traffic classification model on network traffic labeled with its network application layer protocol type; unsupervised traffic classification, which trains the model on network traffic without such labels; and semi-supervised traffic classification, which trains the model on a training set consisting of a small number of labeled samples and a large number of unlabeled samples.

In this embodiment, supervised traffic classification is adopted for traffic identification. The identification process comprises a stage of establishing a classification model and a stage of classifying flow samples with the established model.

Establishing the classification model comprises a data preprocessing stage and a classification model training stage. The data preprocessing stage includes network traffic collection, flow grouping, flow statistical feature calculation and flow labeling. Collecting and grouping the network traffic follows the same principle and process as in step S101, except that step S101 collects the network traffic to be identified whereas this stage collects the original information for establishing the classification model. Flow statistical feature calculation means calculating and extracting the statistical feature values of each network flow (such as average packet length and packet inter-arrival time) so as to construct the feature vector of each network flow and complete its characterization. Flow labeling means labeling each network flow with its network application layer protocol type; labels can be matched from a regular expression over a payload signature field or from the port number, or assigned automatically by monitoring the packets. This embodiment uses automatic labeling: a monitoring program monitors all packets sent and received and records the correspondence between the network application layer protocol type name and the summary information of the network flow, which completes the automatic labeling.

After the data preprocessing stage, the resulting data set is divided into a training set and a test set with the same feature set. The training set is input to a preselected learner for training to generate the classification model; at the same time the classifier is verified with the test set to evaluate its classification performance, and the traffic classification algorithm is further optimized according to the performance feedback so that the classification model is improved. During this process the training set and test set can be processed according to actual conditions: for example, redundant features and features irrelevant to classification can be removed with a feature selection algorithm to obtain effective features; as another example, when dealing with class imbalance in the flow data, the flow data can be resampled to obtain a training set and a test set with a relatively balanced distribution of flow counts.

After the classification model is generated, flow samples are input to it for identification and classification. Establishing a flow sample mainly consists of calculating the flow statistical feature values of the network traffic collected in step S101. In this embodiment, the flow statistical feature values of the flow sample are consistent with the feature set adopted by the training set when the classification model was generated; calculating the network flow feature values according to that feature set completes the characterization of the flow sample.

The characterized flow samples are input to the classification model. After the model classifies them according to its preset classification rules, it outputs the network application layer protocol type of each network flow in the network traffic, such as http, https, ftp or dns. Network flows for which no network application layer protocol type can be output are the traffic that is not identified as any known network application layer protocol type.

After this traffic identification, for the network traffic that is not identified as a known network application layer protocol type, picture stream identification is performed on the unknown traffic through a picture stream identification model; specifically, the unknown traffic is input to the picture stream identification model for identification and matching, so as to identify the picture stream within it.

In this embodiment, the picture stream identification model is similar in construction, usage and design to the classification model used in supervised traffic classification: the traffic to be identified is input to the model for identification.

In this embodiment, please refer to fig. 2 for a construction process of the picture stream identification model, as shown in fig. 2, the picture stream identification model is obtained through the following steps:

s1021, picture stream reference data is acquired.

The picture stream reference data is original information of the picture stream when the picture stream is transmitted in a network, and can be acquired by simulating desktop remote Control (network communication process of pictures) or directly generated by using remote Control application programs such as Control, gray pigeon, wolf and the like.

In this embodiment, the picture stream reference data is obtained by simulating desktop remote control (network communication process of pictures), and the specific process is as follows: a desktop screenshot tool is used at a sending end to screenshot the whole screen of the terminal, the number of the screenshots needs to meet the basic training data volume, and the number of the screenshots is 1W in the embodiment; then, compressing the intercepted screen picture into a corresponding picture format by adopting a picture compression algorithm, wherein the picture compression algorithm comprises common picture compression algorithms such as JPEG, JPEG2000, JPEG XR, PNG and the like; and transmitting the compressed picture data to a receiving end so as to imitate the network communication process of the picture to form a picture stream. And a flow collector is arranged in advance at the receiving end and is used for collecting the picture stream formed after network transmission, and the collected picture stream is the picture stream reference data.

And S1022, preprocessing the picture stream reference data to obtain a picture stream training set and a picture stream testing set.

The picture stream training set is used for training to generate a picture stream identification model, the picture stream test set is used for evaluating the identification performance of the picture stream identification model, and the picture stream training set and the picture stream test set have the same flow characteristic set. Preprocessing the reference data of the picture stream, wherein the preprocessing comprises stream grouping, feature extraction, feature selection and the like, the stream grouping is consistent with the stream grouping method, and the feature extraction refers to mining the picture stream through a preset feature extraction mode so as to extract feature information of the picture stream; the feature selection mainly has the effects that the data dimensionality is reduced, the most appropriate and easily-recognized flow features are selected by using a feature selection algorithm, and data processing methods such as resampling and the like can be performed on the selected flow features to obtain an effective picture flow training set and a picture flow testing set. Since the model is only used for identifying the picture stream, and the picture stream training set and the picture stream test set only contain the feature set of the picture stream, the application of the class mark is not needed.

In this embodiment, the selected traffic characteristics are the packet length (average packet length), the communication frequency (packet arrival time interval), and the first 50 bytes, where the first 50 bytes are respectively taken as 50 dimensions and basically include the header portion of the packet, and the header portion of the packet includes important characteristics of the network application; for selecting the packet length and the communication frequency as the traffic characteristics, the purpose is to combine the actual application scenario, for example, the application scenario in this embodiment is to simulate desktop remote control, that is: and (3) after the screen picture is intercepted, compressing and network transmission are carried out so as to simulate remote control behaviors, and under the scene, the packet length and the communication frequency are fixed in a certain range and can be used as distinguishing characteristics.

S1023, training the picture stream training set to generate a picture stream initial identification model; and meanwhile, evaluating the recognition effect of the picture stream initial recognition model by using the picture stream test set, and determining the picture stream recognition model according to the evaluation result or performing secondary training on the picture stream initial recognition model.

The method for training the picture stream training set comprises the following steps: and training the picture stream training set through a classification method based on machine learning to generate a picture stream initial recognition model. The common classification method based on machine learning comprises decision tree, Bayes, association rule learning, neural network and the like, wherein the decision tree is a classification rule method for deducing a decision tree representation form from a disordered and irregular training sample set, each branch of the classification rule represents a test output, and each leaf node represents a category; bayesian classification is a method for classifying by using probability statistical knowledge, which predicts the probability of each class of a sample of unknown class and selects the class with the highest probability as the final class of the sample; the association rule learning is to firstly mine relevant association rules by using a standard association rule mining algorithm and then construct a classifier based on the rules; the neural network is a group of input/output units which are connected with each other, each connection between the units is associated with a weight, and the network realizes the correspondence between the input samples and the corresponding classes thereof by adjusting the weights.

In this embodiment, the neural network classification algorithm among the above classification methods is used to perform classification on the picture stream training set and thus complete training of the picture stream initial recognition model; specifically, the picture stream training set is input into a neural network model, and the model learns on its own internally so as to abstract the recognition rules of the picture stream.

The process of evaluating the recognition effect of the picture stream initial recognition model by using the picture stream test set specifically comprises: inputting a picture stream test set with the same feature set as the picture stream training set into the picture stream initial recognition model, testing the classification performance of the picture stream initial recognition model, and taking a picture stream initial recognition model evaluated as qualified to be the picture stream recognition model; a picture stream initial recognition model evaluated as unqualified undergoes secondary training for further optimization, and these steps are repeated until a picture stream recognition model evaluated as qualified is obtained.

The unrecognized traffic is then input into the picture stream recognition model for recognition and matching, and the picture stream in the unknown traffic is thereby recognized.

S103, identifying abnormal picture flows based on the feature information of the picture flows.

After the picture stream in the unknown traffic is acquired through the above steps, this step identifies the abnormal picture stream within it, and specifically includes: comparing the feature information of the picture stream with a preset filtering set by a comparison and screening method, wherein a picture stream whose comparison result does not match is an abnormal picture stream, and the filtering set is a predetermined feature set of normal picture streams, which can be a set of normal application programs that send, transmit and receive pictures, or a behavior feature set of picture streams during normal operation in the network. A normal picture stream refers to a picture stream generated when a normal network application is running.

In this embodiment, the filtering set is at least one of a baseline traffic and a white list of picture streams.

The baseline traffic refers to the set of normal traffic in the network over a period of time: for example, if traffic that occurred n days ago still occurs n days later, that traffic is considered normal traffic and can form part of the baseline traffic. The value of n is preset according to the actual application scenario, and in this embodiment n is 3, because this embodiment mainly targets the abnormal picture stream generated during desktop remote control, such an abnormal picture stream easily exposes its own behavior, and desktop remote control lasting a long time is rare; therefore, when traffic for the same destination IP and the same destination port occurs within 3 days, that traffic is baseline traffic.

The picture stream white list refers to a set of normal applications that can transmit picture stream data in a normal use process, for example, remote control software such as radmin (remote administrator), Virtual Network Console (VNC), and the like.

The picture stream may be compared with the preset filtering set by matching it against the baseline traffic, against the picture stream white list, or against both. In this embodiment the combined method is selected, and the process specifically includes: first matching the picture stream against the baseline traffic; if the result matches, the picture stream is a normal picture stream; if it does not match, the picture stream is further matched against the picture stream white list; if it matches the white list, the picture stream is a normal picture stream, and if it does not, the picture stream is considered an abnormal picture stream. Matching the picture stream against the baseline traffic and against the picture stream white list can be implemented by comparing the four-tuple (source IP, destination IP, source port, destination port).
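As an added illustration of the two-stage comparison in S103 (not the patent's own code), the filter below checks the four-tuple of a picture stream first against baseline traffic and then against a white list; the BaselineTraffic bookkeeping (first-seen time per destination IP and port, baseline once the destination is still seen n = 3 days later), the wildcard white-list patterns and all addresses are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

BASELINE_DAYS = 3  # n = 3, the value chosen in the embodiment


class FourTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Constructed white list of approved remote-control servers, written as
# four-tuple patterns in which "*" matches any value (hypothetical addresses).
WHITELIST: Tuple[Tuple[object, object, object, object], ...] = (
    ("*", "10.0.0.5", "*", 5900),  # approved VNC server
    ("*", "10.0.0.6", "*", 4899),  # approved Radmin server
)


class BaselineTraffic:
    """Bookkeeping for baseline traffic keyed by (destination IP, destination port).

    Assumed reading of the embodiment: a destination first seen at least n days
    ago and still occurring now is baseline; a destination seen for the first
    time is only recorded.
    """

    def __init__(self, days: int = BASELINE_DAYS) -> None:
        self.window = timedelta(days=days)
        self.first_seen: Dict[Tuple[str, int], datetime] = {}

    def observe(self, ft: FourTuple, when: datetime) -> bool:
        key = (ft.dst_ip, ft.dst_port)
        first = self.first_seen.setdefault(key, when)
        return when - first >= self.window


def in_whitelist(ft: FourTuple) -> bool:
    """Four-tuple comparison against the white-list patterns."""
    return any(all(p == "*" or p == v for p, v in zip(pat, ft)) for pat in WHITELIST)


def classify_picture_stream(ft: FourTuple, when: datetime, baseline: BaselineTraffic) -> str:
    """Two-stage comparison of S103: baseline traffic first, then the white list."""
    if baseline.observe(ft, when):
        return "normal (baseline)"
    if in_whitelist(ft):
        return "normal (whitelist)"
    return "abnormal"


def run_demo() -> List[str]:
    """Constructed timeline: a VNC session to the approved server, and an unknown
    picture stream to an external host observed on day 0, day 1 and day 3."""
    baseline = BaselineTraffic()
    day0 = datetime(2018, 8, 20, 9, 0)
    vnc = FourTuple("10.0.1.20", "10.0.0.5", 51000, 5900)
    unknown = FourTuple("10.0.1.20", "203.0.113.9", 51002, 8443)
    events = [
        (vnc, day0),
        (unknown, day0),
        (unknown, day0 + timedelta(days=1)),
        (unknown, day0 + timedelta(days=3)),
    ]
    return [classify_picture_stream(ft, when, baseline) for ft, when in events]
```

By this definition any stream that keeps recurring for n days becomes baseline, including an abnormal one, which the embodiment accepts because long-running desktop remote control is rare; a deployment should weigh that when choosing n.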

S104, identifying the remote monitoring behavior corresponding to the abnormal picture stream.

After the abnormal picture stream present in the network traffic is identified in the above step, this step analyzes the abnormal picture stream to obtain the remote monitoring behavior corresponding to it.

Identifying the remote monitoring behavior corresponding to the abnormal picture stream may mean identifying the terminal being remotely monitored and identifying the type of the remote monitoring behavior. For example, when an abnormal picture stream is identified in network traffic related to a certain terminal, this indicates that the terminal may be controlled by abnormal remote control behavior; the type of that behavior then needs to be identified, and the behavior is located, checked and handled so that a prevention scheme and countermeasures can be drawn up for it. For instance, the traffic characteristics of the abnormal picture stream are compared with the traffic characteristics of a known remote monitoring behavior (such as a remote-control trojan) to determine the type of the remote monitoring behavior, a corresponding control strategy is established to block, limit or interfere with the abnormal picture stream, and the traffic characteristics of the abnormal picture stream can be stored in a database as basic data for subsequently identifying abnormal remote control behavior.

According to the network management and control method provided by this embodiment, by making use of the facts that desktop remote control accounts for a relatively large proportion of abnormal remote control behavior and that desktop remote control is realized in the form of a picture stream, the process of identifying abnormal remote control behavior is associated with the process of identifying the abnormal picture stream: the picture stream in the network traffic is first extracted, the abnormal picture stream within it is then identified based on the feature information of the picture stream, and finally the remote monitoring behavior corresponding to the abnormal picture stream is identified, thereby achieving the purpose of network management and control. Compared with the existing identification technology based on fixed remote control protocol characteristics, which has difficulty extracting effective characteristics, the identification of the abnormal picture stream replaces the matching of characteristic fields, so the method is more universal and the identification success rate for remote monitoring behavior is higher.

Referring to fig. 3, fig. 3 is a block diagram of a network management and control apparatus according to a second embodiment of the present application.

As shown in fig. 3, the apparatus includes:

a network traffic collection unit 201, configured to collect network traffic;

a picture stream extracting unit 202, configured to extract a picture stream in the network traffic;

an abnormal picture stream identification unit 203, configured to identify an abnormal picture stream based on feature information of the picture stream;

a remote monitoring behavior identification unit 204, configured to identify a remote monitoring behavior corresponding to the abnormal picture stream.

Optionally, the abnormal picture stream identifying unit 203 is specifically configured to: compare the feature information of the picture stream with a preset filtering set by a comparison and screening method, wherein a picture stream whose comparison result does not match is an abnormal picture stream; the filtering set is a predetermined feature set of normal picture streams.

Optionally, the filtering set is at least one of a baseline traffic and a white list of picture streams.

The baseline traffic refers to the set of normal traffic in the network over a period of time: for example, if traffic that occurred n days before still occurs n days after, that traffic is considered normal traffic and may form part of the baseline traffic. The value of n is preset according to the actual application scenario, and in this embodiment n is 3, because this embodiment mainly targets the abnormal picture stream generated during desktop remote control, such an abnormal picture stream easily exposes its own behavior, and desktop remote control lasting a long time is rare; therefore, when traffic for the same destination IP and the same destination port occurs within 3 days, that traffic enters the baseline traffic.

The picture stream white list refers to a set of normal applications that can transmit picture stream data in a normal use process, for example, remote control software such as radmin (remote administrator), Virtual Network Console (VNC), and the like.

The picture stream may be compared with the preset filtering set by matching it against the baseline traffic, against the picture stream white list, or against both. In this embodiment the combined method is selected, and the process specifically includes: first matching the picture stream against the baseline traffic; if the result matches, the picture stream is a normal picture stream; if it does not match, the picture stream is further matched against the picture stream white list; if it matches the white list, the picture stream is a normal picture stream, and if it does not, the picture stream is considered an abnormal picture stream. Matching the picture stream against the baseline traffic and against the picture stream white list can be implemented by comparing the four-tuple (source IP, destination IP, source port, destination port).

Optionally, the apparatus further comprises: a network traffic identification unit, configured to perform traffic identification on the collected network traffic, specifically according to the type of the network traffic, for example according to the type of the network application layer protocol.

Correspondingly, the picture stream extracting unit 202 is specifically configured to: after the collected network traffic is subjected to traffic identification, if there is unknown traffic which does not match with the known traffic, for example, network traffic which does not match with the known network application layer protocol type, picture stream identification is performed on the unknown traffic, and picture streams in the unknown traffic are extracted.

Optionally, the picture stream recognition on the unknown traffic may be performed by using a picture stream recognition model.

Optionally, the obtaining of the picture stream recognition model may be implemented by the following sub-units:

a picture stream reference data obtaining subunit, configured to acquire the picture stream reference data, which can be acquired by simulating the network communication process of pictures or generated by using a remote control application program;

a picture stream reference data preprocessing subunit, configured to preprocess the picture stream reference data to obtain a picture stream training set and a picture stream test set;

a picture stream initial recognition model generation subunit, configured to train on the picture stream training set to generate a picture stream initial recognition model, evaluate the recognition effect of the picture stream initial recognition model by using the picture stream test set, and, according to the evaluation result, either determine the picture stream recognition model or perform secondary training on the picture stream initial recognition model.

Optionally, the network traffic identification unit is specifically configured to: perform traffic identification on the collected network traffic using a machine-learning-based method.

Optionally, the apparatus further comprises: a remote monitoring behavior blocking unit, configured to block the remote monitoring behavior.

A third embodiment of the present application provides an electronic device, shown schematically in fig. 4. Since the device embodiments are substantially similar to the method embodiments, they are described relatively briefly, and reference may be made to the relevant parts of the description of the method embodiments. The device embodiments described below are merely illustrative.

The electronic device provided by the embodiment comprises: a processor 301 and a memory 302, wherein the memory 302 is used for storing a network management program, and after the device is powered on and the network management program is run by the processor 301, the following steps are executed:

collecting network flow;

extracting a picture stream in network traffic;

identifying abnormal picture flows based on the feature information of the picture flows;

and identifying remote monitoring behaviors corresponding to the abnormal picture streams.

Optionally, identifying an abnormal picture stream based on the feature information of the picture stream includes:

comparing the feature information of the picture stream with a preset filtering set by a comparison and screening method, wherein a picture stream whose comparison result does not match is an abnormal picture stream; the filtering set is a predetermined feature set of normal picture streams.

Optionally, the filtering set includes at least one of:

baseline traffic;

a picture stream white list.

Optionally, before extracting the picture stream in the network traffic, the method further includes:

performing traffic identification on the collected network traffic;

correspondingly, extracting the picture stream in the network traffic includes:

after the acquired network traffic is subjected to traffic identification, if unknown traffic which does not obtain an identification result exists, picture stream identification is carried out on the unknown traffic, and picture streams in the unknown traffic are extracted.

Optionally, the picture stream recognition on the unknown traffic includes:

performing picture stream recognition on the unknown traffic through the picture stream recognition model.

Optionally, the picture stream identification model is obtained through the following steps:

acquiring picture stream reference data;

preprocessing the reference data of the picture stream to obtain a picture stream training set and a picture stream testing set;

training the picture stream training set to generate a picture stream initial identification model; and evaluating the recognition effect of the picture stream initial recognition model by using the picture stream test set, and determining the picture stream recognition model according to the evaluation result or performing secondary training on the picture stream initial recognition model.

Optionally, the obtaining of the picture stream reference data includes:

simulating the network communication process of pictures to acquire picture stream reference data; or

and generating picture stream reference data by using a remote control application program.

Optionally, the performing traffic identification on the collected network traffic includes:

and carrying out flow identification on the acquired network flow according to the type of the network flow.

Optionally, performing traffic identification on the acquired network traffic according to the category of the network traffic, including:

performing traffic identification on the collected network traffic according to the type of the network application layer protocol;

correspondingly, the unknown traffic includes: network traffic that does not match the known network application layer protocol type.

Optionally, the performing traffic identification on the collected network traffic includes:

and carrying out flow identification on the acquired network flow by adopting a machine learning-based method.

Optionally, the method further includes: blocking remote monitoring behavior.

Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application, and those skilled in the art can make variations and modifications without departing from the spirit and scope of the present application, therefore, the scope of the present application should be determined by the claims that follow.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include volatile memory in a computer readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

1. Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer readable media does not include transitory computer readable media (transient media), such as modulated data signals and carrier waves.

2. As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
