Network behavior model construction method and device and computer readable medium

Document no. 411895 | Published: 2021-12-17 | Language: Chinese

Reading note: This technology, 网络行为模型构建方法、装置和计算机可读介质 (Network behavior model construction method and device and computer readable medium), was created by 唐文 (Tang Wen) on 2019-06-17. Abstract: A network behavior model construction method, apparatus and computer-readable medium. The method comprises: acquiring, from the network traffic of an operational technology (OT) system, at least one first data packet transmitted between a first network node and a second network node through a target communication protocol and a target application-layer data channel; determining at least one sequence pattern from the at least one first data packet, wherein each sequence pattern represents one information-exchange logic between the first network node and the second network node; for each sequence pattern, constructing a corresponding deterministic finite automaton (DFA) by grammar inference; and combining the constructed DFAs to obtain the network behavior model for communication between the first network node and the second network node through the target communication protocol and the target application-layer data channel. The method can reduce the complexity of the constructed network behavior model.

1. A network behavior model construction method, characterized in that it comprises:

acquiring, from the network traffic of an operational technology (OT) system, at least one first data packet exchanged when a first network node and a second network node communicate through a target communication protocol and a target application-layer data channel;

determining at least one sequence pattern from the at least one first data packet, wherein each sequence pattern represents one information-exchange logic between the first network node and the second network node;

for each sequence pattern, constructing a deterministic finite automaton (DFA) corresponding to that sequence pattern by grammar inference; and

combining the constructed DFAs to obtain the network behavior model for communication between the first network node and the second network node through the target communication protocol and the target application-layer data channel.

2. The method according to claim 1, wherein acquiring, from the network traffic of the OT system, the at least one first data packet exchanged when the first network node and the second network node communicate through the target communication protocol and the target application-layer data channel comprises:

acquiring, from the network traffic of the OT system, according to the target communication protocol and the IP addresses of the first network node and the second network node, at least one second data packet exchanged between the first network node and the second network node using the target communication protocol;

acquiring a first channel address that identifies the target application-layer data channel; and

for each second data packet:

performing deep packet inspection on the application-layer payload of the second data packet to obtain a second channel address corresponding to the second data packet, the second channel address identifying the application-layer data channel through which the second data packet is transmitted between the first network node and the second network node;

judging whether the first channel address is the same as the second channel address; and

if the first channel address is the same as the second channel address, determining the second data packet to be a first data packet.

3. The method according to claim 1, wherein determining the at least one sequence pattern from the at least one first data packet comprises:

for each first data packet, mapping the first data packet to a corresponding substitute symbol according to the operation type of the first data packet, wherein first data packets of different operation types are mapped to different substitute symbols;

ordering the substitute symbols mapped from the first data packets according to the transmission order of the first data packets to obtain a substitute symbol sequence;

judging whether at least one sequence period exists in the substitute symbol sequence, wherein each sequence period corresponds to at least one substitute symbol group, each substitute symbol group comprises at least one substitute symbol, and the at least one substitute symbol group corresponding to the same sequence period recurs in the substitute symbol sequence at that sequence period;

if at least one sequence period exists in the substitute symbol sequence, determining the at least one substitute symbol group corresponding to each sequence period as one sequence pattern, respectively; and

if no sequence period exists in the substitute symbol sequence, determining the substitute symbol sequence as a whole to be the sequence pattern.

4. The method according to claim 3, further comprising, after determining the substitute symbol group corresponding to each sequence period as one sequence pattern, respectively:

removing all the substitute symbol groups from the substitute symbol sequence to obtain a residual substitute symbol sequence; and

if the residual substitute symbol sequence comprises at least one substitute symbol, determining the residual substitute symbol sequence as one sequence pattern.
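As an added illustration of claims 3 and 4 (example code, not part of the patent filing), the following Python maps a constructed packet capture to substitute symbols, orders them by transmission time, detects sequence periods, and splits the sequence into periodic and residual patterns. The packet list, operation names and symbol mapping are constructed here, and the requirement of at least two back-to-back repeats for a period is an assumption, since the claims do not fix it.

```python
# Constructed capture: (timestamp, operation type) for packets already filtered to one
# protocol and one application-layer channel between two OT nodes (claims 1 and 2).
PACKETS = [(t, op) for t, op in enumerate(
    ["read", "read_rsp", "write", "write_ack"] * 3 + ["diag_reset", "diag_ack"])]

# Claim 3, mapping step: each operation type gets its own substitute symbol (constructed).
SYMBOLS = {"read": "a", "read_rsp": "b", "write": "c", "write_ack": "d",
           "diag_reset": "e", "diag_ack": "f"}

def to_symbol_sequence(packets, symbol_map):
    """Order packets by transmission time and map each one to its substitute symbol."""
    return "".join(symbol_map[op] for _, op in sorted(packets))

def find_periodic_groups(seq, min_repeats=2):
    """Claim 3, period check: scan left to right for a symbol group that recurs
    back-to-back at a fixed period. Shorter periods are tried first, so 'abab'
    yields ('ab', 2) rather than ('abab', 4). Returns a list of (group, period)."""
    found, i, n = [], 0, len(seq)
    while i < n:
        for p in range(1, (n - i) // 2 + 1):
            group, repeats = seq[i:i + p], 1
            while seq[i + repeats * p:i + (repeats + 1) * p] == group:
                repeats += 1
            if repeats >= min_repeats:          # assumed threshold: two repeats
                found.append((group, p))
                i += repeats * p
                break
        else:
            i += 1
    return found

def extract_sequence_patterns(packets, symbol_map, min_repeats=2):
    """Claims 3 and 4 end to end. Each result is (pattern, period); the period is
    None for a pattern that has no sequence period."""
    seq = to_symbol_sequence(packets, symbol_map)
    periodic = find_periodic_groups(seq, min_repeats)
    if not periodic:
        return [(seq, None)]                    # claim 3: whole sequence is the pattern
    patterns = list(periodic)
    residual = seq
    for group, _ in periodic:                   # claim 4: strip every periodic group
        residual = residual.replace(group, "")
    if residual:
        patterns.append((residual, None))       # claim 4: residual is its own pattern
    return patterns

if __name__ == "__main__":
    print(to_symbol_sequence(PACKETS, SYMBOLS))         # abcdabcdabcdef
    print(extract_sequence_patterns(PACKETS, SYMBOLS))  # [('abcd', 4), ('ef', None)]
```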

5. The method according to claim 3 or 4, wherein combining the constructed DFAs to obtain the network behavior model for communication between the first network node and the second network node through the target communication protocol and the target application-layer data channel comprises:

for each DFA, judging whether the sequence pattern corresponding to the DFA has a sequence period;

if the sequence pattern corresponding to the DFA has a sequence period, determining the DFA to be a first DFA;

if the sequence pattern corresponding to the DFA has no sequence period, determining the DFA to be a second DFA;

for each first DFA, acquiring the sequence period of the sequence pattern corresponding to the first DFA, and associating the acquired sequence period with the first DFA to obtain a third DFA; and

combining each third DFA with each second DFA to obtain the network behavior model.

6. The method according to any one of claims 1 to 5, further comprising, after obtaining the network behavior model for communication between the first network node and the second network node through the target communication protocol and the target application-layer data channel:

acquiring, from the network traffic of the OT system, at least one third data packet exchanged between the first network node and the second network node through the target communication protocol and the target application-layer data channel;

judging whether the at least one third data packet matches the network behavior model;

if the at least one third data packet does not match the network behavior model, sending alarm information to a management terminal, the alarm information indicating that the at least one third data packet does not match the network behavior model; and

after receiving a model update instruction from the management terminal, adding the updated DFA included in the model update instruction to the network behavior model, or replacing the DFA in the network behavior model that corresponds to the at least one third data packet with the updated DFA included in the model update instruction, wherein the at least one third data packet matches the updated DFA, and the updated DFA is generated by the management terminal upon being triggered by a user.
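As an added illustration of claims 5 and 6 (example code, not the patent's own implementation), the following Python builds one DFA per sequence pattern, attaches the sequence period to periodic ones, combines the DFAs into a model, and audits a captured symbol sequence against it, producing an alarm on a mismatch; adding the updated DFA from the management terminal is then a plain append to the model. The claims name grammar inference but no specific algorithm, so the chain acceptor used here, the definition of a match as a sequence that can be cut into DFA-accepted segments, and the patterns and sequences are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class DFA:
    trans: Dict[Tuple[int, str], int]  # (state, symbol) -> next state; start state is 0
    accept: Set[int]
    period: Optional[int] = None       # claim 5: sequence period attached to a "third DFA"

    def accepted_ends(self, seq, start):
        """Offsets e > start such that seq[start:e] is accepted when run from state 0."""
        ends, state = set(), 0
        for i in range(start, len(seq)):
            state = self.trans.get((state, seq[i]))
            if state is None:
                break
            if state in self.accept:
                ends.add(i + 1)
        return ends

def infer_dfa(pattern, period=None):
    """Assumed inference: a chain acceptor for one pattern. For a periodic pattern the
    last transition loops back to state 0, so the DFA accepts the group repeated (claim 5)."""
    n = len(pattern)
    trans = {(i, sym): i + 1 for i, sym in enumerate(pattern)}
    if period is not None:
        trans[(n - 1, pattern[-1])] = 0
        return DFA(trans, {0}, period)
    return DFA(trans, {n})

def matches_model(model, seq):
    """Claim 6 match test (assumed definition): the captured symbol sequence matches when
    it can be cut into consecutive segments, each accepted by some DFA in the model."""
    reachable, frontier = {0}, [0]
    while frontier:
        pos = frontier.pop()
        if pos == len(seq):
            return True
        for dfa in model:
            for end in dfa.accepted_ends(seq, pos):
                if end not in reachable:
                    reachable.add(end)
                    frontier.append(end)
    return False

def audit(model, seq):
    """None on a match; otherwise the alarm text for the management terminal."""
    if matches_model(model, seq):
        return None
    return "ALARM: sequence %r does not match the network behavior model" % seq

# Constructed model: a periodic read/write cycle 'abcd' (period 4) and a one-off 'ef'.
MODEL = [infer_dfa("abcd", period=4), infer_dfa("ef")]
```

`audit(MODEL, "abcdgef")` returns an alarm for the unseen operation `g`; after `MODEL.append(infer_dfa("g"))`, standing in for the model update instruction, the same sequence matches.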

7. A network behavior model construction apparatus, characterized in that it comprises:

a first data packet acquisition module (901), configured to acquire, from the network traffic of an operational technology (OT) system, at least one first data packet exchanged when a first network node and a second network node communicate through a target communication protocol and a target application-layer data channel;

a pattern generation module (902), configured to determine at least one sequence pattern from the at least one first data packet acquired by the first data packet acquisition module (901), wherein each sequence pattern represents one information-exchange logic between the first network node and the second network node;

an automaton construction module (903), configured to construct, by grammar inference, a deterministic finite automaton (DFA) corresponding to each sequence pattern generated by the pattern generation module (902); and

a model construction module (904), configured to combine the DFAs constructed by the automaton construction module (903) to obtain the network behavior model for communication between the first network node and the second network node through the target communication protocol and the target application-layer data channel.

8. The apparatus according to claim 7, wherein the first data packet acquisition module (901) comprises:

a capture unit (9011), configured to acquire, from the network traffic of the OT system, according to the target communication protocol and the IP addresses of the first network node and the second network node, at least one second data packet exchanged between the first network node and the second network node using the target communication protocol;

an address acquisition unit (9012), configured to acquire a first channel address, the first channel address identifying the target application-layer data channel; and

a screening unit (9013), configured to perform, for each second data packet acquired by the capture unit (9011), deep packet inspection on the application-layer payload of the second data packet to obtain a second channel address corresponding to the second data packet, to judge whether the second channel address is the same as the first channel address acquired by the address acquisition unit (9012), and, if the second channel address is the same as the first channel address, to determine the second data packet to be a first data packet, wherein the second channel address identifies the application-layer data channel through which the second data packet is transmitted between the first network node and the second network node.

9. The apparatus according to claim 7, wherein the pattern generation module (902) comprises:

a mapping unit (9021), configured to map, for each first data packet, the first data packet to a corresponding substitute symbol according to the operation type of the first data packet, wherein first data packets of different operation types are mapped to different substitute symbols;

an ordering unit (9022), configured to order the substitute symbols mapped from the first data packets by the mapping unit (9021) according to the transmission order of the first data packets, so as to obtain a substitute symbol sequence;

a judging unit (9023), configured to judge whether at least one sequence period exists in the substitute symbol sequence obtained by the ordering unit (9022), wherein each sequence period corresponds to at least one substitute symbol group, each substitute symbol group comprises at least one substitute symbol, and the at least one substitute symbol group corresponding to the same sequence period recurs in the substitute symbol sequence at that sequence period;

a first pattern determination unit (9024), configured to determine, according to the judgment result of the judging unit (9023), the at least one substitute symbol group corresponding to each sequence period as one sequence pattern, respectively, if at least one sequence period exists in the substitute symbol sequence; and

a second pattern determination unit (9025), configured to determine, according to the judgment result of the judging unit (9023), the substitute symbol sequence as a whole to be the sequence pattern if no sequence period exists in the substitute symbol sequence.

10. The apparatus according to claim 9, wherein the pattern generation module (902) further comprises:

a sequence updating unit (9026), configured to remove all the substitute symbol groups from the substitute symbol sequence, after the first pattern determination unit (9024) has determined the substitute symbol group corresponding to each sequence period as one sequence pattern, respectively, so as to obtain a residual substitute symbol sequence; and

a third pattern determination unit (9027), configured to determine the residual substitute symbol sequence obtained by the sequence updating unit (9026) as one sequence pattern if the residual substitute symbol sequence comprises at least one substitute symbol.

11. The apparatus according to claim 9 or 10, wherein the model construction module (904) comprises:

an automaton classification unit (9041), configured to judge, for each DFA, whether the sequence pattern corresponding to the DFA has a sequence period, to determine the DFA to be a first DFA if the sequence pattern corresponding to the DFA has a sequence period, and to determine the DFA to be a second DFA if the sequence pattern corresponding to the DFA has no sequence period;

a period association unit (9042), configured to acquire, for each first DFA determined by the automaton classification unit (9041), the sequence period of the sequence pattern corresponding to the first DFA, and to associate the acquired sequence period with the first DFA to obtain a third DFA; and

an automaton combination unit (9043), configured to combine each third DFA obtained by the period association unit (9042) with each second DFA determined by the automaton classification unit (9041) to obtain the network behavior model.

12. The apparatus according to any one of claims 7 to 11, further comprising:

a second data packet acquisition module (905), configured to acquire, from the network traffic of the OT system, at least one third data packet exchanged between the first network node and the second network node through the target communication protocol and the target application-layer data channel;

a model matching module (906), configured to judge whether the at least one third data packet acquired by the second data packet acquisition module (905) matches the network behavior model constructed by the model construction module (904);

an alarm module (907), configured to send alarm information to a management terminal when the model matching module (906) judges that the at least one third data packet does not match the network behavior model, the alarm information indicating that the at least one third data packet does not match the network behavior model; and

a model updating module (908), configured to, after the alarm module (907) has sent the alarm information to the management terminal and a model update instruction has been received from the management terminal, add the updated DFA included in the model update instruction to the network behavior model, or replace the DFA in the network behavior model that corresponds to the at least one third data packet with the updated DFA included in the model update instruction, wherein the at least one third data packet matches the updated DFA, and the updated DFA is generated by the management terminal upon being triggered by a user.

13. A network behavior model construction apparatus, characterized in that it comprises at least one memory (1501) and at least one processor (1502);

the at least one memory (1501) being configured to store a machine-readable program; and

the at least one processor (1502) being configured to invoke the machine-readable program to perform the method according to any one of claims 1 to 6.

14. A computer-readable medium, characterized in that it stores computer instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 6.
