CN116232612A - Abnormal flow detection method, device and computer readable storage medium - Google Patents
- Publication number: CN116232612A (application CN202111460698.1A)
- Authority: CN (China)
- Prior art keywords: normal, traffic data, data, abnormal, traffic
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The present application discloses a method, a device and a computer-readable storage medium for detecting abnormal traffic. The method includes: obtaining traffic data of a terminal; comparing the traffic data with preset features in a sandbox model to obtain a first comparison result; determining first normal traffic data in the traffic data according to the first comparison result and classifying the first normal traffic data; screening the classified first normal traffic data and determining, according to the screening result, first abnormal traffic data within the first normal traffic data. By subjecting the traffic data to a second detection pass and to classification, the application identifies abnormal traffic data and improves the accuracy of APT detection.
Description
Technical Field
The present application relates to the field of network security, and in particular to a method, a device and a computer-readable storage medium for detecting abnormal traffic.
Background Art
With the rapid spread and development of computer communications and mobile networks, Advanced Persistent Threat (APT) attacks are causing serious economic and social security problems. The malware or payloads used in an APT attack usually carry out malicious communication in order to steal data, download further malware, and so on. Existing APT detection therefore generally relies on a "sandbox solution" or on anomaly-based detection, but the accuracy of existing APT detection is low.
Summary of the Invention
The embodiments of the present application provide a method, a device and a computer-readable storage medium for detecting abnormal traffic, aiming to solve the problem of low APT detection accuracy.
To achieve the above object, in one aspect the present application provides a method for detecting abnormal traffic, the method comprising:
obtaining traffic data of a terminal;
comparing the traffic data with preset features in a sandbox model to obtain a first comparison result;
determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data;
screening the classified first normal traffic data, and determining first abnormal traffic data within the first normal traffic data according to the screening result.
Optionally, the step of determining first normal traffic data in the traffic data according to the first comparison result and classifying the first normal traffic data comprises:
determining first normal traffic data and second abnormal traffic data in the traffic data according to the first comparison result;
storing the first normal traffic data in a first virtual area, and storing the second abnormal traffic data in a second virtual area;
classifying the first normal traffic data stored in the first virtual area.
Optionally, the step of classifying the first normal traffic data comprises:
obtaining the traffic type of the first normal traffic data;
classifying the first normal traffic data according to the traffic type.
Optionally, the step of screening the classified first normal traffic data comprises:
obtaining communication features of the classified first normal traffic data, and comparing those communication features with the communication features of abnormal traffic data;
screening the first normal traffic data according to the second comparison result.
Optionally, after the step of determining first abnormal traffic data within the first normal traffic data according to the screening result, the method comprises:
determining second normal traffic data within the first normal traffic data according to the screening result;
storing the second normal traffic data in a virtual safe area, storing the first abnormal traffic data in a virtual recycle area, and outputting alarm information, wherein the virtual safe area and the virtual recycle area are both sub-areas of the first virtual area.
Optionally, after the step of determining first abnormal traffic data within the first normal traffic data according to the screening result, the method comprises:
obtaining the storage space of the virtual safe area and the storage duration of the second normal traffic data in the virtual safe area;
deleting the second normal traffic data from the virtual safe area according to the storage space and/or the storage duration.
Optionally, the method further comprises:
constructing attack scenario graphs;
obtaining a weight value for each attack stage in each attack scenario graph, and a score for each attack stage;
determining a score value for each attack scenario graph according to the weight value and the score of each attack stage;
outputting alarm information when the score value is greater than a set threshold.
In addition, to achieve the above object, in another aspect the present application provides a device for detecting abnormal traffic, the device comprising an acquisition module, a comparison module, a classification module and a screening module, wherein:
the acquisition module is configured to obtain traffic data of a terminal;
the comparison module is configured to compare the traffic data with preset features in a sandbox model to obtain a first comparison result;
the classification module is configured to determine first normal traffic data in the traffic data according to the first comparison result, and to classify the first normal traffic data;
the screening module is configured to screen the classified first normal traffic data, and to determine first abnormal traffic data within the first normal traffic data according to the screening result.
In addition, to achieve the above object, in another aspect the present application provides a device for detecting abnormal traffic, the device comprising a memory, a processor, and an abnormal-traffic detection program stored in the memory and runnable on the processor, wherein the program, when executed by the processor, implements the steps of the method for detecting abnormal traffic described above.
In addition, to achieve the above object, in another aspect the present application provides a computer-readable storage medium storing an abnormal-traffic detection program which, when executed by a processor, implements the steps of the method for detecting abnormal traffic described above.
The present application proposes a method for detecting abnormal traffic that obtains traffic data of a terminal; compares the traffic data with preset features in a sandbox model to obtain a first comparison result; determines first normal traffic data in the traffic data according to the first comparison result and classifies it; and screens the classified first normal traffic data, determining first abnormal traffic data within it according to the screening result. By subjecting the traffic data to a second detection pass and to classification, the application identifies abnormal traffic data and improves the accuracy of APT detection.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the structure of a terminal in the hardware operating environment involved in an embodiment of the present application;
FIG. 2 is a flow chart of a first embodiment of the method for detecting abnormal traffic of the present application;
FIG. 3 is a flow chart of a second embodiment of the method for detecting abnormal traffic of the present application;
FIG. 4 is a flow chart of a specific embodiment of the method for detecting abnormal traffic of the present application;
FIG. 5 is a module diagram of the method for detecting abnormal traffic of the present application.
The realization of the object, the functional features and the advantages of the present application will be further explained with reference to the embodiments and the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are only intended to explain the present application and are not intended to limit it.
The main solution of the embodiments of the present application is: obtain traffic data of a terminal; compare the traffic data with preset features in a sandbox model to obtain a first comparison result; determine first normal traffic data in the traffic data according to the first comparison result and classify the first normal traffic data; screen the classified first normal traffic data and determine first abnormal traffic data within the first normal traffic data according to the screening result.
Because detection accuracy is low when APT detection relies on a "sandbox solution" or on anomaly-based detection, the present application proposes a solution that obtains traffic data of a terminal; compares the traffic data with preset features in a sandbox model to obtain a first comparison result; determines first normal traffic data in the traffic data according to the first comparison result and classifies it; and screens the classified first normal traffic data, determining first abnormal traffic data within it according to the screening result. By subjecting the traffic data to a second detection pass and to classification, the application identifies abnormal traffic data and improves the accuracy of APT detection.
FIG. 1 is a schematic diagram of the structure of a terminal in the hardware operating environment involved in an embodiment of the present application.
As shown in FIG. 1, the terminal may include a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 provides the connections and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally may also include standard wired and wireless interfaces. The network interface 1004 may optionally include standard wired and wireless interfaces (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or stable (non-volatile) memory such as disk storage, and may optionally be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will appreciate that the terminal structure shown in FIG. 1 does not limit the terminal device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, as a computer-readable storage medium, may contain an abnormal-traffic detection program.
In the terminal shown in FIG. 1, the network interface 1004 is mainly used for data communication with a back-end server; the user interface 1003 is mainly used for data communication with a client (user side); and the processor 1001 may be used to call the abnormal-traffic detection program in the memory 1005 and perform the following operations:
obtaining traffic data of the terminal;
comparing the traffic data with preset features in a sandbox model to obtain a first comparison result;
determining first normal traffic data in the traffic data according to the first comparison result, and classifying the first normal traffic data;
screening the classified first normal traffic data, and determining first abnormal traffic data within the first normal traffic data according to the screening result.
Referring to FIG. 2, FIG. 2 is a flow chart of a first embodiment of the method for detecting abnormal traffic of the present application.
An embodiment of the present application provides a method for detecting abnormal traffic. It should be noted that although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from the one given here.
The method for detecting abnormal traffic of this embodiment is applied to a video ring-back-tone platform and includes the following steps:
Step S10: obtain traffic data of the terminal;
It should be noted that APT detection currently relies in general on sandbox solutions and anomaly-based detection. The greatest difficulty with a sandbox solution is the diversity of test environments: because a sandbox is restricted to particular operating system types, browser versions and plug-ins, malicious code in the traffic may go undetected if no suitable test environment is available, leading to missed detections. Anomaly-based detection, on the other hand, can only detect the communication behaviour of already known botnets and Trojans. Most current APT detection methods therefore cannot detect abnormal traffic coming from the terminal, which reduces the protection capability, and those methods that do detect abnormal traffic from the terminal have low accuracy. On this basis, the present application proposes a method for detecting abnormal traffic to solve the above problems.
This embodiment mainly captures and stores the traffic data flowing through the network adapter.
Optionally, since each user has different network usage habits during different periods of the day, different collection periods can be defined on this basis: from 11 pm to 8 am the next working day and from 12 noon to 2 pm, the overall traffic is small because people are resting; during the working hours from 8 am to 12 noon and from 2 pm to 6 pm, more traffic data may be generated because of work; and from 6 pm to 11 pm more traffic data may also be generated because of evening entertainment. Collecting traffic data by period in this way improves accuracy for each period.
Optionally, the frequency of traffic collection can also be determined, including a different frequency for each period: in the two periods from 11 pm to 8 am the next day and from 12 noon to 2 pm, the collection frequency can be set to once every 15 minutes, while in the two periods from 8 am to 12 noon and from 2 pm to 6 pm it can be set to once every 5 minutes.
Step S20: compare the traffic data with preset features in the sandbox model to obtain a first comparison result;
The present application establishes a sandbox model in advance for a first screening of the traffic data. The sandbox model is built from traffic generated by normal behaviour in the network, and it also stores a malicious code library holding the communication features of abnormal traffic data.
After the traffic data is fed into the sandbox model, the sandbox model compares the traffic data with the malicious code library: for example, it extracts the communication features of the traffic data and compares them with the communication features of abnormal traffic data in the malicious code library to determine whether the traffic data contains abnormal traffic data. If the degree of match between the communication features of the traffic data and those of the abnormal traffic data reaches a set threshold (such as 95%), the traffic data contains abnormal traffic data; if the degree of match is below the set threshold, it does not.
Optionally, a sandbox is installed on the terminal, and a first virtual area (virtual temporary folder 1) and a second virtual area (for example virtual temporary folder 2) are created in it; multiple virtual classification areas (for example virtual classification folders) are then created in the first virtual area, and a virtual safe area (for example a virtual safe folder) and a virtual recycle area (for example a virtual trash folder) are created in each virtual classification area. After the first normal traffic data and the second abnormal traffic data in the traffic data have been determined according to the first comparison result, the first normal traffic data is stored in the first virtual area and the second abnormal traffic data in the second virtual area, after which the first normal traffic data stored in the first virtual area is classified.
Optionally, the traffic type of the first normal traffic data is obtained and the first normal traffic data is classified by traffic type. For example, traffic types include video, image and audio traffic; on the basis of the traffic type, video traffic data, image traffic data, audio traffic data, web page traffic data, application traffic data and so on are extracted from the traffic data, and the different types of traffic data are stored in different virtual classification areas.
Step S40: screen the classified first normal traffic data and determine first abnormal traffic data within the first normal traffic data according to the screening result.
In this embodiment, the classified first normal traffic data is screened, and the first abnormal traffic data within it is then determined from the screening result. Specifically, the communication features of the classified first normal traffic data are obtained and compared with the communication features of abnormal traffic data. If the degree of match reaches a set threshold (such as 95%), the first normal traffic data contains abnormal traffic data; if the degree of match is below the set threshold, it does not.
Optionally, second normal traffic data within the first normal traffic data is determined from the screening result; the second normal traffic data is then stored in the virtual safe area, the first abnormal traffic data is stored in the virtual recycle area, and alarm information is output. For example, the second normal traffic data is stored in the virtual safe folder and the first abnormal traffic data in the virtual trash folder.
Optionally, to save storage space in the virtual safe area, the traffic data in it must be cleaned up periodically. Specifically, the storage space (remaining storage space) of the virtual safe area and the storage duration of the second normal traffic data in it are obtained, and it is determined whether the remaining storage space is below a preset space value (such as 30%) and whether the storage duration is greater than or equal to a preset duration (such as 12 hours or 1 day). If the remaining storage space is below the preset space value and/or the storage duration is greater than or equal to the preset duration, the second normal traffic data in the virtual safe area is deleted to free up space.
By classifying the traffic, this embodiment improves both detection accuracy and detection speed; by detecting the traffic a second time, it improves detection accuracy further and addresses the situation in which, for lack of a suitable test environment, malicious code in the traffic would go undetected and be missed.
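As an added worked example (not code from the patent), the two-stage screening of steps S20 and S40 and the cleanup of the virtual safe area in Python, run over a constructed capture and a constructed malicious-feature library. The 95% match threshold, the 30% remaining-space value and the 12-hour retention are the page's values; the feature names, the type-specific signatures consulted in the second pass and the oldest-first deletion order are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MATCH_THRESHOLD = 0.95               # "set threshold (such as 95%)", steps S20 and S40
MIN_FREE_RATIO = 0.30                # purge when remaining space is below 30%
MAX_RETENTION = timedelta(hours=12)  # and/or when data has been stored for >= 12 hours
T0 = datetime(2024, 1, 1, 9, 0)      # constructed capture time


@dataclass
class Flow:
    flow_id: str
    traffic_type: str                  # video / image / audio / web / app
    features: dict                     # communication features (field names constructed)
    size: int                          # bytes, used for the storage-space check
    stored_at: "datetime | None" = None


# Constructed malicious-feature library; type-specific second-pass signatures are an assumption.
GENERIC_SIGNATURES = [{"proto": "tcp", "dst_port": 4444, "sni": "", "beacon_s": 60, "tls": False}]
TYPE_SIGNATURES = {
    "web": [{"proto": "tcp", "dst_port": 80, "method": "POST", "ua": "bot/1.0", "beacon_s": 300}],
    "app": [{"proto": "udp", "dst_port": 53, "qname_len": 200, "qtype": "TXT", "beacon_s": 30}],
}


def match_degree(features: dict, signature: dict) -> float:
    """Share of the signature's fields that the flow reproduces (1.0 = identical)."""
    hits = sum(1 for k, v in signature.items() if features.get(k) == v)
    return hits / len(signature) if signature else 0.0


def is_abnormal(features: dict, signatures: list) -> bool:
    return any(match_degree(features, s) >= MATCH_THRESHOLD for s in signatures)


@dataclass
class Sandbox:
    temp1: dict = field(default_factory=dict)    # temporary folder 1: traffic_type -> [Flow]
    temp2: list = field(default_factory=list)    # temporary folder 2: second abnormal data
    safe: dict = field(default_factory=dict)     # safe folder per classification
    recycle: dict = field(default_factory=dict)  # trash folder per classification
    alerts: list = field(default_factory=list)


def first_pass(flows: list, box: Sandbox) -> None:
    """Step S20 plus classification: compare with the library, file the rest by type."""
    for f in flows:
        if is_abnormal(f.features, GENERIC_SIGNATURES):
            box.temp2.append(f)
        else:
            box.temp1.setdefault(f.traffic_type, []).append(f)


def second_pass(box: Sandbox, now: datetime) -> None:
    """Step S40: re-screen each classification folder and file the result."""
    for ttype, flows in box.temp1.items():
        sigs = GENERIC_SIGNATURES + TYPE_SIGNATURES.get(ttype, [])
        for f in flows:
            f.stored_at = now
            if is_abnormal(f.features, sigs):
                box.recycle.setdefault(ttype, []).append(f)   # first abnormal data
                box.alerts.append(f"{f.flow_id}: {ttype} traffic matched abnormal features")
            else:
                box.safe.setdefault(ttype, []).append(f)      # second normal data
    box.temp1.clear()


def purge_safe_area(box: Sandbox, now: datetime, capacity: int) -> list:
    """Drop entries stored >= 12 h, then oldest-first (assumed) while free space < 30%."""
    entries = [(t, f) for t, fl in box.safe.items() for f in fl]
    removed = [f.flow_id for _, f in entries if now - f.stored_at >= MAX_RETENTION]
    keep = sorted((tf for tf in entries if tf[1].flow_id not in removed), key=lambda tf: tf[1].stored_at)
    while keep and (capacity - sum(f.size for _, f in keep)) / capacity < MIN_FREE_RATIO:
        removed.append(keep.pop(0)[1].flow_id)
    box.safe = {}
    for t, f in keep:
        box.safe.setdefault(t, []).append(f)
    return removed


def run_detection(flows: list, now: datetime = T0) -> dict:
    """Run both passes and report which folder each flow ended up in."""
    box = Sandbox()
    first_pass(flows, box)
    second_pass(box, now)
    ids = lambda folders: {t: [f.flow_id for f in fl] for t, fl in folders.items()}
    return {"temp2": [f.flow_id for f in box.temp2], "safe": ids(box.safe),
            "recycle": ids(box.recycle), "alerts": len(box.alerts), "box": box}


# Constructed sample capture: five flows of different traffic types.
SAMPLE_FLOWS = [
    Flow("f1", "web", {"proto": "tcp", "dst_port": 443, "sni": "example.org", "beacon_s": 0, "tls": True}, 4000),
    Flow("f2", "app", {"proto": "tcp", "dst_port": 4444, "sni": "", "beacon_s": 60, "tls": False}, 800),
    Flow("f3", "web", {"proto": "tcp", "dst_port": 80, "sni": "", "method": "POST", "ua": "bot/1.0", "beacon_s": 300, "tls": False}, 1200),
    Flow("f4", "app", {"proto": "udp", "dst_port": 53, "qname_len": 200, "qtype": "TXT", "beacon_s": 30}, 600),
    Flow("f5", "video", {"proto": "udp", "dst_port": 443, "beacon_s": 0, "tls": True}, 3000),
]
```

Flow f3 slips past the generic signatures in the first pass (3 of 5 fields match, below 95%) and is caught only by the web-specific signature in the second pass, which is the effect the classification step is meant to produce.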
Further, referring to FIG. 3, FIG. 3 is a flow chart of a second embodiment of the method for detecting abnormal traffic of the present application.
The method further comprises:
Step S50: construct attack scenario graphs;
Step S60: obtain a weight value for each attack stage in each attack scenario graph, and a score for each attack stage;
Step S70: determine a score value for each attack scenario graph according to the weight value and the score of each attack stage;
Step S80: output alarm information when the score value is greater than a set threshold.
It should be noted that the purpose of constructing attack scenario graphs in this embodiment is to track attackers, effectively identify the APT attack group behind subsequent events, and defend against new APT attacks.
In this embodiment, TTP rules (attack scenario rules) are obtained and APT attack scenario graphs are constructed from them; the score value (total score) of each APT attack scenario graph is then determined. Optionally, the total score T of each APT attack scenario graph is calculated according to the following formula:
where w_i is the weight of the i-th attack stage of the TTP specification in the APT attack scenario graph, n = 7, and S_i is the score of the i-th attack stage of the TTP specification in the APT attack scenario graph.
Further, the APT attack scenario graphs are sorted by their total scores T so that most nodes and edges unrelated to APT attack activity can be deleted, which effectively separates attack scenarios from benign ones. In one embodiment, the APT attack scenario graph is run on benign activity and the maximum total score observed is defined as the benign score; the graph is run on malicious activity and the minimum total score observed is defined as the malicious score; a value between the benign score and the malicious score is then chosen as the alarm threshold, and alarm information is output when the total score of the APT attack scenario graph running in real time exceeds the alarm threshold.
Optionally, refer to Table 1, which gives an example of TTP rules.
Table 1
The TTP specification mainly uses two methods to map raw audit-log data to attack steps: the first maps by means of ordinary rules drawn up from expert experience; the second maps by means of the information flow (path correlation) between the nodes involved in the TTPs.
In Table 1, the first column is the APT attack stage, the second the associated TTP name, and the third the severity level associated with each TTP, where L, M, H and C denote low, medium, high and very high respectively; the fourth column is the TTP rule, where "S.ip not in {Trusted IP Addresses}" and "P0.name in {Sensitive Commands}" use the first mapping method above (ordinary rules drawn up from expert experience), and "path_correlation(P0, F) <= path_thres" uses the second (information flow between the nodes involved in the TTPs), path_correlation being the path-correlation function and path_thres an empirical value that can be set from tests in the actual scenario; the last column explains the TTP rule.
Optionally, refer to Table 2, which gives the parameters corresponding to the severity levels.
Table 2
In this embodiment, attacks such as Trojan viruses and abnormal network behaviour can be detected by constructing APT attack scenarios, an alarm is raised for the detected malicious signals, the malicious process is terminated and the malware on the terminal is deleted, so that the system blocks the malware from running at its source and the protection capability is improved.
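As an added worked example (not the patent's own code), the scenario-graph scoring of steps S50 to S80 together with the three rule shapes described for Table 1, in Python over constructed audit events. Because the page's formula did not survive extraction, the total score is taken as the weighted sum T = w_1 S_1 + ... + w_7 S_7 over the n = 7 stages, and the stage names, weights, severity-to-score values (standing in for Table 2), trusted-IP and sensitive-command sets, the hop-count reading of path_correlation over a provenance graph, and the midpoint choice of alarm threshold are all assumptions.

```python
from collections import deque
from dataclasses import dataclass

# The n = 7 attack stages of the page's TTP specification. Stage names, weights w_i and the
# severity-to-score table are assumptions standing in for Tables 1 and 2.
STAGES = ["initial_compromise", "foothold", "privilege_escalation", "internal_recon",
          "lateral_movement", "persistence", "exfiltration"]
WEIGHTS = dict(zip(STAGES, [1, 1, 2, 2, 3, 3, 4]))      # w_i
SEVERITY_SCORE = {"L": 1, "M": 2, "H": 3, "C": 5}       # L/M/H/C -> S_i contribution

TRUSTED_IPS = {"10.0.0.5", "10.0.0.9"}                  # {Trusted IP Addresses}
SENSITIVE_COMMANDS = {"whoami", "net user", "reg save"}  # {Sensitive Commands}
SENSITIVE_FILE = "/etc/shadow"                           # F in path_correlation(P0, F)
PATH_THRES = 2                                           # empirical value from the page


@dataclass(frozen=True)
class AuditEvent:
    s_ip: str      # S.ip: remote address the process talked to
    p0_name: str   # P0.name: process name
    obj: str       # F: file (or socket) the process read or wrote


def build_graph(events: list) -> dict:
    """Provenance graph remote-ip -> process -> object, stored as undirected adjacency."""
    adj = {}
    for ev in events:
        for a, b in ((ev.s_ip, ev.p0_name), (ev.p0_name, ev.obj)):
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    return adj


def path_correlation(adj: dict, p0: str, f: str) -> float:
    """Hop count between P0 and F (assumed meaning of the page's path-correlation function)."""
    if p0 not in adj or f not in adj:
        return float("inf")
    seen, queue = {p0}, deque([(p0, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == f:
            return dist
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return float("inf")


# TTP rules in the shape of Table 1: (stage, TTP name, severity, predicate(event, graph)).
RULES = [
    ("initial_compromise", "untrusted_remote", "M",
     lambda ev, adj: ev.s_ip not in TRUSTED_IPS),
    ("internal_recon", "sensitive_command", "H",
     lambda ev, adj: ev.p0_name in SENSITIVE_COMMANDS),
    ("exfiltration", "credential_file_flow", "C",
     lambda ev, adj: path_correlation(adj, ev.p0_name, SENSITIVE_FILE) <= PATH_THRES),
]


def stage_scores(events: list) -> dict:
    """S_i per stage: highest severity score among the TTPs that fired in that stage."""
    adj = build_graph(events)
    scores = {s: 0 for s in STAGES}
    for stage, _name, sev, pred in RULES:
        if any(pred(ev, adj) for ev in events):
            scores[stage] = max(scores[stage], SEVERITY_SCORE[sev])
    return scores


def total_score(events: list) -> int:
    """T = sum over the 7 stages of w_i * S_i (weighted sum assumed from the page's variables)."""
    scores = stage_scores(events)
    return sum(WEIGHTS[s] * scores[s] for s in STAGES)


def alarm_threshold(benign_runs: list, malignant_runs: list) -> tuple:
    """Benign score = max T over benign activity, malignant score = min T over attacks;
    the alarm threshold is chosen between them (midpoint assumed)."""
    benign = max(total_score(r) for r in benign_runs)
    malignant = min(total_score(r) for r in malignant_runs)
    return benign, malignant, (benign + malignant) / 2


def should_alarm(events: list, threshold: float) -> bool:
    return total_score(events) > threshold


# Constructed audit-log samples: two benign sessions and one intrusion.
BENIGN_RUNS = [
    [AuditEvent("10.0.0.5", "sshd", "/var/log/auth.log"),
     AuditEvent("10.0.0.9", "backup", "/home/alice/notes.txt")],
    [AuditEvent("10.0.0.5", "whoami", "/dev/tty")],   # an administrator runs a sensitive command
]
MALIGNANT_RUNS = [
    [AuditEvent("203.0.113.7", "sh", "/tmp/x"),
     AuditEvent("203.0.113.7", "whoami", "/dev/tty"),
     AuditEvent("203.0.113.7", "cat", "/etc/shadow")],
]
```

The second benign run scores 6 (a sensitive command from a trusted host), the intrusion scores 28, so the calibrated alarm threshold of 17 separates them even though both contain the same command.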
To better illustrate the abnormal traffic detection method of the present application, refer to FIG. 4, a flowchart of one specific embodiment of the method.
In this embodiment, the abnormal traffic detection method comprises the following implementation scheme:
1. Create virtual folders: a sandbox is installed on the terminal, and virtual temporary folder 1 and virtual temporary folder 2 are created in the sandbox; several virtual classification folders are then created in virtual temporary folder 1, and a virtual safe folder and a virtual trash folder are created in each virtual classification folder.
2. Build the model: a sandbox model is built from the traffic generated by normal behaviour in the network; no change made inside the sandbox causes any damage to the operating system.
A sandbox runs software in a restricted system environment and controls the resources the program may use (file descriptors, memory, disk space and so on).
Some concrete sandbox implementations:
Jail: restricted network access and a restricted file-system namespace; jails are most commonly used on virtual hosts.
Rule-based execution: through the system's security mechanisms, users and programs are granted specific access rights according to a set of preset rules, giving full control over program start-up, code injection and network access, and also over the program's access to files and the registry; on this basis, the chance of a virus or Trojan infecting the system is reduced.
Virtual machine: emulates a complete host system.
Host-local sandbox: security researchers rely heavily on sandboxing to analyse malware behaviour; by creating an environment that mimics a real desktop, they can observe how malware infects a host, and a number of malware analysis services use sandboxing.
Online judge: used to test programs in programming competitions.
Secure computing mode (seccomp): a sandbox built into the Linux kernel; once enabled, seccomp allows only the write(), read(), exit() and sigreturn() system calls.
3. Preliminary screening: when a browser or other program runs in the sandbox environment, its traffic first passes through the sandbox model for preliminary screening. Traffic containing malicious network information goes to virtual temporary folder 2 and a precise alarm is raised; traffic without malicious network information goes to virtual temporary folder 1 for temporary storage.
4. Classification to improve accuracy: once traffic is in virtual temporary folder 1, it is monitored and analysed with network traffic analysis software to obtain the corresponding information, and on that basis it is sorted into the corresponding virtual classification folder. As to the classification criteria, pictures or videos, for example, can each form a separate category, so that the traffic is finely classified; monitoring and analysing the finely classified traffic improves both accuracy and detection speed.
5. Secondary screening: once traffic is in its virtual classification folder, the sandbox's file system, processes, registry and network behaviour are monitored in real time, together with Trojans, abnormal network behaviour and the like, to determine whether the traffic contains malicious network information; this is the secondary screening. If it does, the malicious network information goes to the virtual trash folder and a precise alarm is raised; if it does not, the traffic goes to the virtual safe folder.
6. Free up space: traffic that has entered the virtual safe folder is deleted to free more space.
7. Find the source: attack scenarios are constructed and the alarm signals are extracted so that the source can be located and deleted; deletion can be selective, based on the total score of each APT attack scenario graph.
This embodiment monitors suspicious file samples at scheduled times, across different periods and different traffic volumes, to analyse them dynamically and obtain malicious network information, and then uses that information to optimise the policy configuration used for abnormal traffic analysis. The technical solution of the present application improves the precision of traffic analysis and the accuracy and effectiveness of APT detection; at the same time, when abnormal traffic from a terminal is detected, the related malicious network behaviour is handled according to the malicious network information, terminating the malicious process and deleting the malware on the terminal, so that the system blocks the malware from running at its source, improving detection precision and protection capability.
In addition, the present application provides an abnormal traffic detection device comprising a memory, a processor and an abnormal traffic detection program stored in the memory and running on the processor. The device obtains traffic data of a terminal; compares the traffic data with preset features in a sandbox model to obtain a first comparison result; determines first normal traffic data in the traffic data according to the first comparison result and classifies the first normal traffic data; and screens the classified first normal traffic data, determining first abnormal traffic data within the first normal traffic data according to the screening result. By performing secondary detection and classification on the traffic data to determine the abnormal traffic data, the present application improves the precision of APT detection.
Further, refer to FIG. 5, a module diagram of the abnormal traffic detection method of the present application.
The abnormal traffic detection device 100 comprises an acquisition module 10, a comparison module 20, a classification module 30 and a screening module 40, wherein:
the acquisition module 10 is used to obtain traffic data of a terminal;
the comparison module 20 is used to compare the traffic data with preset features in the sandbox model to obtain a first comparison result;
the classification module 30 is used to determine first normal traffic data in the traffic data according to the first comparison result and to classify the first normal traffic data;
the screening module 40 is used to screen the classified first normal traffic data and to determine first abnormal traffic data within the first normal traffic data according to the screening result.
Further, the classification module 30 comprises a determination unit, a storage unit and a classification unit;
the determination unit is used to determine first normal traffic data and second abnormal traffic data in the traffic data according to the first comparison result;
the storage unit is used to store the first normal traffic data in a first virtual area and the second abnormal traffic data in a second virtual area;
the classification unit is used to classify the first normal traffic data stored in the first virtual area.
Further, the classification module 30 also comprises an acquisition unit;
the acquisition unit is used to obtain the traffic type of the first normal traffic data;
the classification unit is further used to classify the first normal traffic data according to the traffic type.
Further, the screening module 40 comprises a comparison unit and a screening unit;
the comparison unit is used to obtain the communication features of the classified first normal traffic data and to compare them with the communication features of abnormal traffic data;
the screening unit is used to screen the first normal traffic data according to the second comparison result.
Further, the screening module 40 also comprises a first determination unit and a first storage unit;
the first determination unit is used to determine second normal traffic data within the first normal traffic data according to the screening result;
the first storage unit is used to store the second normal traffic data in a virtual safe area and the first abnormal traffic data in a virtual recovery area, and to output alarm information; the virtual safe area and the virtual recovery area are both sub-areas of the first virtual area.
Further, the first storage unit comprises an acquisition sub-unit and a deletion sub-unit;
the acquisition sub-unit is used to obtain the storage space of the virtual safe area and the storage duration of the second normal traffic data in the virtual safe area;
the deletion sub-unit is used to delete the second normal traffic data from the virtual safe area according to the storage space and/or the storage duration.
Further, the abnormal traffic detection device 100 also comprises a construction module, a first acquisition module, a determination module and a judgement module.
The construction module is used to construct attack scenario graphs;
the first acquisition module is used to obtain the weight value of each attack stage in each attack scenario graph, and the score of each attack stage;
the determination module is used to determine the score of each attack scenario graph according to the weight value and the score of each attack stage;
the judgement module is used to output alarm information when that score exceeds a set threshold.
The functions of the modules of the abnormal traffic detection device described above are implemented in the same way as the processes in the method embodiment above and are not repeated here.
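Steps 3 to 7 of the method above and the device modules just described can be sketched as one pipeline: two-stage screening into the virtual areas, clean-up of the safe area by space and duration, and weighted scoring of attack scenario graphs against a threshold. The following is an added example, not code from the patent; the flow records, indicator sets, stage weights, stage scores and alarm threshold are all constructed for illustration.

```python
"""Two-stage sandboxed screening of traffic records plus APT scenario-graph scoring.
Added example, not the patent's code; records, indicator sets, weights and scores are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    flow_id: str
    src_ip: str
    traffic_type: str      # classification key, e.g. "image", "video", "http"
    features: frozenset    # communication features reported by the traffic analyser
    age_s: int = 0         # seconds already spent in storage (used by step 6)


# Constructed indicator sets: malicious network information known to the sandbox
# model (stage 1) and abnormal communication features (stage 2).
PRESET_MALICIOUS = frozenset({"known_c2_domain", "exploit_kit_signature"})
ABNORMAL_COMM = frozenset({"fixed_beacon_interval", "high_dns_entropy"})


@dataclass
class VirtualAreas:
    temp1: dict = field(default_factory=lambda: defaultdict(list))  # first virtual area, per class
    temp2: list = field(default_factory=list)   # second virtual area: second abnormal data
    safe: list = field(default_factory=list)    # virtual safe area (sub-area of temp1)
    trash: list = field(default_factory=list)   # virtual recovery area (sub-area of temp1)
    alarms: list = field(default_factory=list)  # (stage, flow_id) alarm records


def screen(flows, areas=None):
    """Steps 3-5: preliminary screening, classification by type, secondary screening."""
    if areas is None:
        areas = VirtualAreas()
    for f in flows:
        if f.features & PRESET_MALICIOUS:           # first comparison result: abnormal
            areas.temp2.append(f.flow_id)
            areas.alarms.append(("stage1", f.flow_id))
        else:                                        # first normal traffic data
            areas.temp1[f.traffic_type].append(f)
    for group in areas.temp1.values():               # each classified group is screened again
        for f in group:
            if f.features & ABNORMAL_COMM:           # second comparison: first abnormal data
                areas.trash.append(f.flow_id)
                areas.alarms.append(("stage2", f.flow_id))
            else:                                    # second normal data
                areas.safe.append(f)
    return areas


def prune_safe_area(safe, max_entries, max_age_s):
    """Step 6: drop safe-area data by storage duration and/or storage space (oldest first)."""
    kept = [f for f in safe if f.age_s <= max_age_s]
    return kept[max(len(kept) - max_entries, 0):]


def scenario_score(weights, stage_scores):
    """Weighted sum of per-stage scores for one attack scenario graph."""
    return sum(w * stage_scores.get(stage, 0) for stage, w in weights.items())


def alarming_graphs(graphs, weights, threshold):
    """Step 7: scenario graphs whose total score exceeds the threshold raise an alarm."""
    return sorted(g for g, s in graphs.items() if scenario_score(weights, s) > threshold)


# Constructed sample input.
SAMPLE_FLOWS = [
    Flow("f1", "203.0.113.5", "http", frozenset({"known_c2_domain"})),
    Flow("f2", "192.0.2.10", "image", frozenset({"jpeg_header"}), age_s=7200),
    Flow("f3", "192.0.2.11", "http", frozenset({"fixed_beacon_interval"})),
    Flow("f4", "192.0.2.12", "video", frozenset({"mp4_header"}), age_s=60),
]
STAGE_WEIGHTS = {"recon": 1, "delivery": 2, "c2": 3, "exfiltration": 4}
SCENARIO_GRAPHS = {
    "graph_a": {"recon": 2, "delivery": 3},                # 1*2 + 2*3 = 8
    "graph_b": {"recon": 1, "c2": 4, "exfiltration": 3},   # 1*1 + 3*4 + 4*3 = 25
}

if __name__ == "__main__":
    areas = screen(SAMPLE_FLOWS)
    print("temp2:", areas.temp2, "trash:", areas.trash, "safe:", [f.flow_id for f in areas.safe])
    print("pruned:", [f.flow_id for f in prune_safe_area(areas.safe, 10, 3600)])
    print("alarm:", alarming_graphs(SCENARIO_GRAPHS, STAGE_WEIGHTS, 10))
```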
In addition, the present application provides a computer-readable storage medium storing an abnormal traffic detection program which, when executed by a processor, implements the steps of the abnormal traffic detection method described above.
Those skilled in the art will appreciate that embodiments of the present application may be provided as a method, a system or a computer program product. The present application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present application may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
Although optional embodiments of the present application have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as including the optional embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and variations to the present application without departing from its spirit and scope. Thus, provided these modifications and variations fall within the scope of the claims of the present application and their equivalents, the present application is intended to include them as well.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111460698.1A CN116232612A (en) | 2021-12-01 | 2021-12-01 | Abnormal flow detection method, device and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111460698.1A CN116232612A (en) | 2021-12-01 | 2021-12-01 | Abnormal flow detection method, device and computer readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116232612A true CN116232612A (en) | 2023-06-06 |
Family
ID=86575463
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111460698.1A Pending CN116232612A (en) | 2021-12-01 | 2021-12-01 | Abnormal flow detection method, device and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116232612A (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110445808A (en) * | 2019-08-26 | 2019-11-12 | 杭州迪普科技股份有限公司 | Abnormal flow attack guarding method, device, electronic equipment |
| CN111654482A (en) * | 2020-05-25 | 2020-09-11 | 泰康保险集团股份有限公司 | Abnormal flow detection method, device, equipment and medium |
| CN112995104A (en) * | 2019-12-16 | 2021-06-18 | 海信集团有限公司 | Communication equipment and network security prediction method |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119363438A (en) * | 2024-10-23 | 2025-01-24 | 国家能源博兴发电有限公司 | A network security perception and early warning method and system for a smart power plant |
| CN119363438B (en) * | 2024-10-23 | 2025-07-18 | 国家能源博兴发电有限公司 | A network security perception and early warning method and system for a smart power plant |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |