Network intrusion detection method and device

Document number: 1470084 Publication date: 2020-02-21 Language: Chinese

Reading note: This technology, Network intrusion detection method and device (网络入侵检测方法和装置), was designed and created by 刘俊杰, 李务军, 朱林, 郑凯莉 and 蒋纯杰 on 2018-08-08. Main content: The invention discloses a network intrusion detection method and device, and relates to the field of computer technology. One embodiment of the method comprises: traversing each packet of the current network with a multi-pattern matching algorithm and, when a packet contains a feature word from the feature word library, acquiring the feature words in that packet; determining the regular expression mapped to each feature word in the packet; and performing intrusion detection on the current network according to the regular expression mapped to each feature word. This embodiment can greatly reduce algorithm complexity and improve intrusion detection efficiency, thereby improving monitoring capability under real-time, high-volume traffic.

1. A method for network intrusion detection, comprising:

traversing each packet of the current network with a multi-pattern matching algorithm and, when a packet contains a feature word from a feature word library, acquiring the feature words in that packet;

determining the regular expression mapped to each feature word in the packet; and

performing intrusion detection on the current network according to the regular expression mapped to each feature word.

2. The method of claim 1, wherein traversing each packet with a multi-pattern matching algorithm comprises: for each packet, extracting the connection information of the packet, the connection information comprising a protocol type; determining the feature word library that matches the protocol type of the packet; and traversing the packet with the multi-pattern matching algorithm to determine whether the packet contains feature words from that feature word library.

3. The method of claim 1, further comprising, after acquiring the feature words in the packet: determining the feature identifier of each feature word in the packet according to a first mapping relation, the first mapping relation being a one-to-one correspondence between feature words and their feature identifiers; and

wherein determining the regular expression mapped to each feature word in the packet comprises: determining the regular expression mapped to each feature identifier according to a second mapping relation, the second mapping relation being the correspondence between feature identifiers and the regular expressions associated with them.

4. The method of claim 2, wherein the connection information further comprises a packet digest; and performing intrusion detection on the current network according to the regular expression mapped to each feature word comprises: for the regular expression mapped to each feature word, determining that an intrusion attack exists in the current network when the regular expression matches the packet digest.

5. The method of claim 2, wherein the connection information further comprises at least one of: source IP, destination IP, source port, destination port, start time, end time, number of bytes currently transmitted upstream, number of bytes currently transmitted downstream, and protocol field.

6. The method of claim 3, further comprising, after determining the feature identifier of each feature word in the packet: storing the connection information, the feature words and the feature identifier of each feature word of the packet in an ES database as a data record; and

reading the data records in the ES database with Spark to determine the regular expression mapped to each feature word in the packet, and performing intrusion detection on the current network according to the regular expression mapped to each feature word.

7. The method of claim 4, further comprising, after determining that an intrusion attack exists in the current network: acquiring the alarm information corresponding to the regular expression that matched the packet digest, so as to perform alarm processing.
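The pipeline of claims 1 to 7, as an added example that is not part of the patent text: a one-pass multi-pattern matcher (Aho-Corasick, a common choice of multi-pattern algorithm; the claims do not name one) selects the feature word library by protocol type, the first mapping turns matched feature words into feature identifiers, the second mapping yields the regular expressions and their alarm information, and an alarm is raised only when a regular expression matches the packet digest. The feature libraries, mappings, rules, sample packets and the treatment of the decoded payload as the "packet digest" are all constructed assumptions; the ES/Spark storage step of claim 6 is omitted.

```python
import re
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: one pass over the text finds every library word."""

    def __init__(self, words):
        self.goto, self.out, self.fail = [{}], [[]], [0]
        for w in words:
            s = 0
            for ch in w:
                if ch not in self.goto[s]:
                    self.goto[s][ch] = self._new_state()
                s = self.goto[s][ch]
            self.out[s].append(w)
        # Breadth-first construction of failure links; shallower states first,
        # so out[fail[s]] is complete when it is merged into out[s].
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def _new_state(self):
        self.goto.append({})
        self.out.append([])
        self.fail.append(0)
        return len(self.goto) - 1

    def search(self, text):
        """Return the set of library words occurring anywhere in text."""
        found, s = set(), 0
        for ch in text:
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            found.update(self.out[s])
        return found


# Constructed feature word libraries, one per protocol type (claim 2).
FEATURE_LIBRARY = {
    "http": ["union", "select", "../", "<script"],
    "ssh": ["root", "admin"],
}
MATCHERS = {proto: AhoCorasick(words) for proto, words in FEATURE_LIBRARY.items()}

# First mapping (claim 3): feature word -> feature identifier, one-to-one.
FEATURE_ID = {"union": 1, "select": 2, "../": 3, "<script": 4, "root": 5, "admin": 6}

# Second mapping (claim 3): feature identifier -> regular expressions, each
# paired with its alarm information (claim 7). Constructed, illustrative rules.
RULES = {
    1: [(re.compile(r"union\s+(all\s+)?select", re.I), "SQL injection: UNION SELECT")],
    2: [(re.compile(r"select\s.+\sfrom\s", re.I), "SQL injection: SELECT ... FROM")],
    3: [(re.compile(r"(\.\./){2,}"), "Path traversal")],
    4: [(re.compile(r"<script[^>]*>", re.I), "Cross-site scripting")],
    5: [(re.compile(r"user=root\b"), "SSH root login attempt")],
    6: [],
}


def detect(packet):
    """Return the list of alarms for one packet, following claims 1-4 and 7."""
    # Connection information (claims 2 and 5); the digest here is the payload.
    conn = {k: packet[k] for k in ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")}
    matcher = MATCHERS.get(conn["protocol"])
    if matcher is None:
        return []                       # no library for this protocol type
    digest = packet["payload"]
    words = matcher.search(digest.lower())      # claim 1: cheap one-pass prefilter
    ids = {FEATURE_ID[w] for w in words}        # claim 3: first mapping
    alarms = []
    for fid in sorted(ids):
        for pattern, alarm in RULES[fid]:       # claim 3: second mapping
            if pattern.search(digest):          # claim 4: regex vs packet digest
                alarms.append(alarm)            # claim 7: alarm information
    return alarms


# Constructed sample packets; the third contains the feature word "select"
# but no SQL, so the regular expression stage correctly raises no alarm.
SAMPLE_PACKETS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.80", "src_port": 51234, "dst_port": 80,
     "protocol": "http", "payload": "GET /item?id=1 UNION ALL SELECT name,pw FROM users HTTP/1.1"},
    {"src_ip": "10.0.0.6", "dst_ip": "10.0.0.80", "src_port": 51235, "dst_port": 80,
     "protocol": "http", "payload": "GET /static/../../../../etc/passwd HTTP/1.1"},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.80", "src_port": 51236, "dst_port": 80,
     "protocol": "http", "payload": "GET /search?q=select+a+nice+shirt HTTP/1.1"},
    {"src_ip": "10.0.0.8", "dst_ip": "10.0.0.22", "src_port": 51237, "dst_port": 22,
     "protocol": "ssh", "payload": "user=root method=password"},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["protocol"], pkt["src_ip"], "->", detect(pkt))
```

The multi-pattern pass is linear in the packet length regardless of how many feature words the library holds, which is where the claimed reduction in complexity comes from: the comparatively expensive regular expressions run only on packets that the prefilter has already flagged, and only the expressions mapped to the words actually found.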

8. A network intrusion detection device, comprising:

an acquisition module for traversing each packet of the current network with a multi-pattern matching algorithm and, when a packet contains a feature word from the feature word library, acquiring the feature words in that packet; and

an analysis module for determining the regular expression mapped to each feature word in the packet, and performing intrusion detection on the current network according to the regular expression mapped to each feature word.

9. The device of claim 8, wherein the acquisition module traversing each packet with a multi-pattern matching algorithm comprises: for each packet, extracting the connection information of the packet, the connection information comprising a protocol type; determining the feature word library that matches the protocol type of the packet; and traversing the packet with the multi-pattern matching algorithm to determine whether the packet contains feature words from that feature word library.

10. The device of claim 8, wherein the acquisition module is further configured to: after acquiring the feature words in the packet, determine the feature identifier of each feature word in the packet according to a first mapping relation, the first mapping relation being a one-to-one correspondence between feature words and their feature identifiers; and

wherein the analysis module determining the regular expression mapped to each feature word in the packet comprises: determining the regular expression mapped to each feature identifier according to a second mapping relation, the second mapping relation being the correspondence between feature identifiers and the regular expressions associated with them.

11. The device of claim 9, wherein the connection information further comprises a packet digest; and the analysis module performing intrusion detection on the current network according to the regular expression mapped to each feature word comprises: for the regular expression mapped to each feature word, determining that an intrusion attack exists in the current network when the regular expression matches the packet digest.

12. The device of claim 9, wherein the connection information further comprises at least one of: source IP, destination IP, source port, destination port, start time, end time, number of bytes currently transmitted upstream, number of bytes currently transmitted downstream, and protocol field.

13. The device of claim 10, wherein the acquisition module is further configured to: after determining the feature identifier of each feature word in the packet, store the connection information, the feature words and the feature identifier of each feature word of the packet in an ES database as a data record; and

wherein the analysis module reads the data records in the ES database with Spark to determine the regular expression mapped to each feature word in the packet, and performs intrusion detection on the current network according to the regular expression mapped to each feature word.

14. The device of claim 11, wherein the analysis module is further configured to: after determining that an intrusion attack exists in the current network, acquire the alarm information corresponding to the regular expression that matched the packet digest, so as to perform alarm processing.

15. A network intrusion detection electronic device, comprising:

one or more processors; and

a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.

16. A computer-readable medium on which a computer program is stored which, when executed by a processor, carries out the method of any one of claims 1-7.
