CN-116055073-B - Bot host detection method, device, equipment and storage medium
Abstract
The embodiment of the application discloses a zombie (bot) host detection method, device, equipment and storage medium. The method comprises: obtaining NetFlow flow data of a host to be detected; extracting features from the NetFlow flow data to obtain target feature information; and detecting the target feature information with a KNN algorithm model to determine whether the host to be detected is a zombie host. Because the target feature information characteristic of zombie hosts is extracted from NetFlow flow data, detection efficiency is improved, and because a KNN algorithm model performs the classification, detection accuracy is improved, so zombie hosts can be identified rapidly and the malicious requests they initiate can be blocked in time.
Inventors
- WANG CHENGUANG
- WANG XIAOMING
- Wu Jundie
Assignees
- 中移(杭州)信息技术有限公司 (China Mobile (Hangzhou) Information Technology Co., Ltd.)
- 中国移动通信集团有限公司 (China Mobile Communications Group Co., Ltd.)
Dates
- Publication Date
- 20260505
- Application Date
- 20211027
Claims (13)
- 1. A zombie host detection method, the method comprising: acquiring NetFlow flow data of a host to be detected; extracting features from the NetFlow flow data to obtain target feature information; detecting the target feature information by using a KNN algorithm model, and determining whether the host to be detected is a zombie host; wherein extracting features from the NetFlow flow data to obtain the target feature information comprises: determining a key field corresponding to the NetFlow flow data, wherein the key field corresponds to the version information of the NetFlow flow data; and extracting features from the NetFlow flow data by using the key field to obtain the target feature information; wherein the target feature information comprises the average interval time between two flows, the average flow duration, the average number of segments, the average number of packets, the ratio of flow requests to responses, and the protocol entropy value; the method further comprising determining whether NetFlow flow data belongs to the same NetFlow flow based on seven-tuple information, wherein the seven-tuple information comprises five-tuple information, type-of-service information and an input interface, and the five-tuple information comprises a source IP address, a destination IP address, a source port, a destination port and a transport protocol.
- 2. The method according to claim 1, wherein extracting features from the NetFlow flow data by using the key field to obtain the target feature information comprises: acquiring, based on a preset time window, at least one NetFlow flow segment that falls within the preset time window from the NetFlow flow data; and extracting features from the at least one NetFlow flow segment by using the key field to obtain the target feature information.
- 3. The method according to claim 1, wherein determining the key field corresponding to the NetFlow flow data comprises: detecting the version information of the NetFlow flow data; if the version information of the NetFlow flow data is the first version, extracting the key fields of the NetFlow flow data by using fixed fields to obtain the key fields corresponding to the NetFlow flow data; or, if the version information of the NetFlow flow data is the second version, extracting the key fields of the NetFlow flow data by using a preset template to obtain the key fields corresponding to the NetFlow flow data.
- 4. A method according to claim 3, wherein in case the version information of the NetFlow flow data is the first version, the method further comprises: And determining a fixed field corresponding to the first version, wherein the fixed field at least comprises a source IP address, a destination IP address, a next hop IP address, a source port, a destination port, a protocol type, a data packet number and a byte number.
- 5. A method according to claim 3, wherein in case the version information of the NetFlow flow data is the second version, the method further comprises: Determining a requirement field corresponding to the second version; and configuring a preset template corresponding to the second version according to the requirement field, wherein the requirement field at least comprises byte number, packet number, time stamp, source IP address, destination IP address, source port, destination port, protocol type and ToS type.
- 6. The method of claim 3, wherein the first version is NetFlow V5 version and the second version is NetFlow V9 version.
- 7. The method of claim 1, wherein detecting the target feature information using a KNN algorithm model to determine whether the host to be detected is a zombie host comprises: acquiring at least one group of training sample sets, wherein each group of training sample sets comprises sample data and corresponding category labels; Performing feature learning on sample data in the at least one training sample set to obtain feature information corresponding to each sample data; Comparing the target characteristic information with the characteristic information corresponding to each sample data, and selecting class labels corresponding to K groups of nearest neighbor sample data from the at least one group of training sample sets according to a comparison result, wherein K is an integer larger than zero; Determining a target class label from class labels corresponding to the K groups of sample data, and determining the target class label as a detection result, wherein the detection result is used for indicating whether the host to be detected is a zombie host or not.
- 8. The method according to claim 7, wherein comparing the target feature information with the feature information corresponding to each sample data, and selecting, according to the comparison result, the class labels corresponding to the K groups of nearest-neighbor sample data from the at least one group of training sample sets, comprises: calculating a similarity value between the target feature information and the feature information corresponding to each sample data based on a preset distance metric; selecting, according to the similarity values, the top K groups of sample data with the highest similarity values from the at least one group of training sample sets, and determining the class labels corresponding to those top K groups as the class labels corresponding to the K groups of nearest-neighbor sample data; wherein the preset distance metric comprises at least one of a Minkowski distance, a Euclidean distance, a Manhattan distance, a Chebyshev distance and a cosine distance.
- 9. The method of claim 7, wherein determining the target class label from the class labels corresponding to each of the K groups of sample data comprises: selecting the class label that occurs most often among the class labels corresponding to the K groups of sample data, and determining that class label as the target class label.
- 10. The method according to any one of claims 7 to 9, further comprising: if the target class label is a zombie class, determining that the host to be detected is a zombie host; And if the target class label is a non-zombie class, determining that the host to be detected is a non-zombie host.
- 11. A zombie host detection device, characterized by comprising an acquisition unit, a feature extraction unit and a detection unit, wherein: the acquisition unit is configured to acquire NetFlow flow data of a host to be detected; the feature extraction unit is configured to extract features from the NetFlow flow data to obtain target feature information; the detection unit is configured to detect the target feature information by using a KNN algorithm model and determine whether the host to be detected is a zombie host; the feature extraction unit is specifically configured to determine a key field corresponding to the NetFlow flow data, wherein the key field corresponds to the version information of the NetFlow flow data, and to extract features from the NetFlow flow data by using the key field to obtain the target feature information; the target feature information comprises the average interval time between two flows, the average flow duration, the average number of segments, the average number of packets, the ratio of flow requests to responses, and the protocol entropy value; and the zombie host detection device is further configured to determine whether NetFlow flow data belongs to the same NetFlow flow based on seven-tuple information, wherein the seven-tuple information comprises five-tuple information, type-of-service information and an input interface, and the five-tuple information comprises a source IP address, a destination IP address, a source port, a destination port and a transport protocol.
- 12. A detection device is characterized by comprising a memory and a processor, wherein, The memory is used for storing a computer program capable of running on the processor; the processor being adapted to perform the method of any of claims 1 to 10 when the computer program is run.
- 13. A computer storage medium storing a computer program which, when executed by at least one processor, implements the method of any one of claims 1 to 10.
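The version-dependent key-field extraction of claims 3 to 6, shown below as an added Python example; it is not code from the patent or its assignees. The record layouts are the public NetFlow v5 fixed format (24-byte header, 48-byte records) and the NetFlow v9 template mechanism with RFC 3954 field type IDs; the two export packets are constructed inline, and the output dict keys (`src_ip`, `first_ms`, and so on) are this example's own naming.

```python
"""NetFlow key-field extraction that depends on the export version.

Added example, not code from the patent. NetFlow v5 records have a fixed
48-byte layout, so the key fields of claim 4 are read from fixed offsets;
NetFlow v9 (RFC 3954) records are described by templates, so the fields of
claim 5 are located by field type ID. Both paths return the same dict shape.
"""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V9_HEADER = struct.Struct("!HHIIII")                   # 20 bytes

# RFC 3954 field type IDs covering the v9 "requirement fields" of claim 5.
IN_BYTES, IN_PKTS, PROTOCOL, SRC_TOS, L4_SRC_PORT = 1, 2, 4, 5, 7
IPV4_SRC_ADDR, INPUT_SNMP, L4_DST_PORT, IPV4_DST_ADDR = 8, 10, 11, 12
LAST_SWITCHED, FIRST_SWITCHED = 21, 22


def parse_v5(packet):
    """Fixed-field extraction: every v5 record has the same layout."""
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version={version}")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src_ip": str(IPv4Address(r[0])), "dst_ip": str(IPv4Address(r[1])),
            "next_hop": str(IPv4Address(r[2])), "input_if": r[3],
            "packets": r[5], "bytes": r[6], "first_ms": r[7], "last_ms": r[8],
            "src_port": r[9], "dst_port": r[10], "proto": r[13], "tos": r[14],
        })
    return flows


def parse_v9(packet, templates):
    """Template-driven extraction: learn templates from FlowSet 0, decode data FlowSets (ID > 255)."""
    version, _count, *_ = V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9: version={version}")
    flows, off = [], V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template FlowSet: template_id, field_count, then (type, length) pairs
            tid, nfields = struct.unpack_from("!HH", body, 0)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * j) for j in range(nfields)]
        elif fs_id > 255 and fs_id in templates:  # data FlowSet whose template is known
            tmpl = templates[fs_id]
            rec_len = sum(length for _, length in tmpl)
            for pos in range(0, len(body) - rec_len + 1, rec_len):  # stops before padding
                flows.append(_decode_v9(body[pos:pos + rec_len], tmpl))
    return flows


def _decode_v9(rec, tmpl):
    f, pos = {}, 0
    for ftype, length in tmpl:
        f[ftype], pos = rec[pos:pos + length], pos + length
    n = lambda t: int.from_bytes(f[t], "big")
    return {
        "src_ip": str(IPv4Address(f[IPV4_SRC_ADDR])), "dst_ip": str(IPv4Address(f[IPV4_DST_ADDR])),
        "next_hop": None, "input_if": n(INPUT_SNMP), "packets": n(IN_PKTS), "bytes": n(IN_BYTES),
        "first_ms": n(FIRST_SWITCHED), "last_ms": n(LAST_SWITCHED), "src_port": n(L4_SRC_PORT),
        "dst_port": n(L4_DST_PORT), "proto": n(PROTOCOL), "tos": n(SRC_TOS),
    }


def extract_key_fields(packet, templates=None):
    """Claim 3: choose the extraction strategy from the version field."""
    version = struct.unpack_from("!H", packet, 0)[0]
    if version == 5:
        return parse_v5(packet)
    if version == 9:
        return parse_v9(packet, {} if templates is None else templates)
    raise ValueError(f"unsupported NetFlow version {version}")


_ip = lambda s: IPv4Address(s).packed

# Constructed export packets (not a real capture): two v5 records, and one
# v9 packet carrying a template FlowSet followed by a data FlowSet.
SAMPLE_V5 = (V5_HEADER.pack(5, 2, 1000, 1700000000, 0, 1, 0, 0, 0)
    + V5_RECORD.pack(_ip("10.0.0.5"), _ip("203.0.113.9"), _ip("10.0.0.1"), 1, 2,
                     12, 840, 100, 1600, 51000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    + V5_RECORD.pack(_ip("203.0.113.9"), _ip("10.0.0.5"), _ip("10.0.0.2"), 2, 1,
                     9, 5100, 120, 1550, 443, 51000, 0, 0x18, 6, 0, 0, 0, 24, 24, 0))
V9_TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
               (PROTOCOL, 1), (SRC_TOS, 1), (INPUT_SNMP, 2), (IN_PKTS, 4), (IN_BYTES, 4),
               (FIRST_SWITCHED, 4), (LAST_SWITCHED, 4)]
_tmpl = struct.pack("!HH", 256, len(V9_TEMPLATE)) + b"".join(struct.pack("!HH", *tl) for tl in V9_TEMPLATE)
_data = _ip("10.0.0.7") + _ip("198.51.100.2") + struct.pack("!HHBBHIIII", 40000, 6667, 6, 0, 3, 7, 420, 200, 900)
SAMPLE_V9 = (V9_HEADER.pack(9, 2, 2000, 1700000000, 1, 0)
    + struct.pack("!HH", 0, 4 + len(_tmpl)) + _tmpl
    + struct.pack("!HH", 256, 4 + len(_data)) + _data)

if __name__ == "__main__":
    for pkt in (SAMPLE_V5, SAMPLE_V9):
        for flow in extract_key_fields(pkt):
            print(flow)
```

In production the v9 template cache must be keyed per exporter (source ID) and persist across packets, since data FlowSets routinely arrive before the template that describes them is resent; the example keeps one dict for one packet only.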
Description
Bot host detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a zombie host detection method, apparatus, device and storage medium.
Background
A botnet is a common threat in networks of all kinds. An attacker delivers malicious code to user hosts through e-mail, web scripts and other channels and executes it, taking control of those hosts, which are then called bot (zombie) hosts; the attacker and the bot hosts form a network that can be controlled in a one-to-many manner. By spreading bot programs through various channels the attacker infects a large number of hosts on the Internet, and on receiving the attacker's instructions the bot hosts mainly attack external-facing services or steal sensitive enterprise information. Once such attacks occur they consume large amounts of network resources and leak enterprise secrets. Although zombie host detection methods exist in the related art, they have defects: they take a long time, so a botnet cannot be detected in time to limit the damage, and their detection accuracy is low.
Disclosure of Invention
The application provides a zombie host detection method, device, equipment and storage medium that not only improve detection accuracy but also detect efficiently, so that zombie hosts can be identified rapidly and the malicious requests they initiate can be blocked in time.
In order to achieve the above purpose, the technical scheme of the application is realized as follows.
In a first aspect, an embodiment of the present application provides a zombie host detection method, the method comprising: acquiring NetFlow flow data of a host to be detected; extracting features from the NetFlow flow data to obtain target feature information; and detecting the target feature information by using a KNN algorithm model, and determining whether the host to be detected is a zombie host.
In a second aspect, an embodiment of the application provides a zombie host detection device comprising an acquisition unit, a feature extraction unit and a detection unit, wherein: the acquisition unit is configured to acquire NetFlow flow data of a host to be detected; the feature extraction unit is configured to extract features from the NetFlow flow data to obtain target feature information; and the detection unit is configured to detect the target feature information by using a KNN algorithm model and determine whether the host to be detected is a zombie host.
In a third aspect, an embodiment of the present application provides a detection apparatus comprising a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor performs the method of the first aspect when the computer program is run.
In a fourth aspect, an embodiment of the present application provides a computer storage medium storing a computer program which, when executed by at least one processor, implements the method of the first aspect.
The zombie host detection method, device, equipment and storage medium provided by the embodiments of the application acquire NetFlow flow data of a host to be detected, extract features from the NetFlow flow data to obtain target feature information, detect the target feature information by using a KNN algorithm model, and determine whether the host to be detected is a zombie host. Because the target feature information characteristic of zombie hosts is extracted from NetFlow flow data, detection efficiency is improved, and because a KNN algorithm model performs the classification, detection accuracy is improved, so zombie hosts can be identified rapidly and the malicious requests they initiate can be blocked in time.
Drawings
FIG. 1 is a schematic flow chart of a zombie host detection method provided by an embodiment of the application;
FIG. 2 is a schematic flow chart of another zombie host detection method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the constitution of a zombie host detection device according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the constitution of another zombie host detection device according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the composition structure of a detection device according to an embodiment of the present application;
FIG. 6 is a schematic diagram of the composition structure of another detecting device according to an embo
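The three steps of the first aspect (seven-tuple flow identification from claim 1, the time window of claim 2, the six features of claim 1, and the KNN majority vote of claims 7 to 10), carried through as an added Python example that is not the patent's implementation. The input records are the kind of normalised key-field dicts a NetFlow parser would emit, all sample records and training vectors are constructed, and three definitions the patent leaves open are this example's assumptions: "segments" is counted as the number of export records merged into one flow, the request/response ratio is flows the host initiated over flows it received, and protocol entropy is the Shannon entropy of the transport-protocol distribution of the host's flows.

```python
"""Seven-tuple flow merging, the six flow features of claim 1, and KNN classification.

Added example, not code from the patent. Input records are the normalised
key-field dicts a v5/v9 parser would emit. Assumed definitions the patent
leaves open: segments = export records merged into one flow, request/response
ratio = flows the host initiated over flows it received, protocol entropy =
Shannon entropy of the transport protocol distribution.
"""
import math
from collections import Counter

SEVEN_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "input_if")


def merge_flows(records):
    """Records sharing the seven-tuple are the same NetFlow flow: merge them."""
    flows = {}
    for r in records:
        key = tuple(r[k] for k in SEVEN_TUPLE)
        f = flows.get(key)
        if f is None:
            flows[key] = dict(r, segments=1)
            continue
        f["packets"] += r["packets"]
        f["bytes"] += r["bytes"]
        f["first_ms"] = min(f["first_ms"], r["first_ms"])
        f["last_ms"] = max(f["last_ms"], r["last_ms"])
        f["segments"] += 1  # assumed meaning of "segments": exports merged into this flow
    return list(flows.values())


def host_features(flows, host, window_ms):
    """Six-feature vector for `host` from flows that start inside the window."""
    mine = sorted((f for f in flows if host in (f["src_ip"], f["dst_ip"])
                   and f["first_ms"] < window_ms), key=lambda f: f["first_ms"])
    if not mine:
        return None
    n = len(mine)
    starts = [f["first_ms"] for f in mine]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    avg_gap = sum(gaps) / len(gaps) if gaps else float(window_ms)  # lone flow: no gap observed
    avg_dur = sum(f["last_ms"] - f["first_ms"] for f in mine) / n
    avg_seg = sum(f["segments"] for f in mine) / n
    avg_pkt = sum(f["packets"] for f in mine) / n
    requests = sum(1 for f in mine if f["src_ip"] == host)   # assumed: host-initiated flows
    ratio = requests / max(1, n - requests)                   # over flows it received
    protos = Counter(f["proto"] for f in mine)
    entropy = -sum(c / n * math.log2(c / n) for c in protos.values())  # assumed: over protocols
    return [avg_gap, avg_dur, avg_seg, avg_pkt, ratio, entropy]


def knn_classify(sample, training, k=3):
    """Euclidean KNN on z-scored features (raw scales differ by orders of
    magnitude, so unscaled distance is dominated by the millisecond features);
    the label is the majority vote among the k nearest training samples."""
    dims = range(len(sample))
    mean = [sum(x[d] for x, _ in training) / len(training) for d in dims]
    std = [math.sqrt(sum((x[d] - mean[d]) ** 2 for x, _ in training) / len(training)) or 1.0
           for d in dims]
    z = lambda v: [(v[d] - mean[d]) / std[d] for d in dims]
    zs = z(sample)
    nearest = sorted(training, key=lambda t: math.dist(zs, z(t[0])))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def detect_host(records, host, training, window_ms=300_000, k=3):
    """End-to-end: merge records, extract features in the window, classify."""
    feats = host_features(merge_flows(records), host, window_ms)
    return None if feats is None else knn_classify(feats, training, k)


def _rec(src, dst, sport, dport, proto, first, last, pkts, nbytes):
    return dict(src_ip=src, dst_ip=dst, src_port=sport, dst_port=dport, proto=proto,
                tos=0, input_if=1, first_ms=first, last_ms=last, packets=pkts, bytes=nbytes)

# Constructed records (not a capture): 10.0.0.5 beacons to one controller every
# 60 s with tiny TCP flows and never receives flows; 10.0.0.8 browses normally.
SAMPLE_RECORDS = [_rec("10.0.0.5", "198.51.100.2", 40000 + i, 6667, 6, i * 60000, i * 60000 + 500, 3, 180)
                  for i in range(5)]
SAMPLE_RECORDS.append(_rec("10.0.0.5", "198.51.100.2", 40002, 6667, 6, 120500, 121000, 2, 120))  # 2nd export of flow 2
SAMPLE_RECORDS += [
    _rec("10.0.0.8", "203.0.113.9", 51000, 443, 6, 1000, 9000, 40, 30000),
    _rec("203.0.113.9", "10.0.0.8", 443, 51000, 6, 1100, 9000, 60, 90000),
    _rec("10.0.0.8", "10.0.0.53", 52000, 53, 17, 30000, 30100, 1, 70),
    _rec("10.0.0.53", "10.0.0.8", 53, 52000, 17, 30050, 30100, 1, 140),
    _rec("10.0.0.8", "203.0.113.20", 51002, 443, 6, 200000, 260000, 120, 200000),
    _rec("203.0.113.20", "10.0.0.8", 443, 51002, 6, 200100, 260000, 300, 900000),
]
# Constructed labelled feature vectors standing in for the training sample sets.
TRAINING = [  # [avg_gap_ms, avg_dur_ms, avg_segments, avg_packets, req/resp, proto_entropy]
    ([60000, 500, 1.0, 3, 6.0, 0.0], "zombie"),
    ([30000, 800, 1.2, 4, 5.0, 0.0], "zombie"),
    ([90000, 400, 1.0, 2, 8.0, 0.3], "zombie"),
    ([45000, 20000, 1.1, 90, 1.1, 0.9], "non-zombie"),
    ([120000, 35000, 1.0, 150, 0.9, 1.2], "non-zombie"),
    ([20000, 15000, 1.3, 60, 1.2, 1.0], "non-zombie"),
]

if __name__ == "__main__":
    for h in ("10.0.0.5", "10.0.0.8"):
        print(h, detect_host(SAMPLE_RECORDS, h, TRAINING))
```

Keep K odd so the two-class vote cannot tie, and swap `math.dist` for another metric (Manhattan, Chebyshev, cosine) to exercise the alternatives claim 8 lists; the z-scoring is a practical addition, since without it the millisecond-scale interval and duration features swamp the ratio and entropy features in any distance metric.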