
CN-121619181-B - Abnormal flow collaborative detection method and system

CN121619181B

Abstract

The invention discloses a collaborative detection method and system for abnormal traffic in the field of network communication. The method comprises: performing protocol-adaptive identification and dynamic attack detection at the north-south WAF layer, generating attack fingerprints and binding a global session ID; performing full-link monitoring of application behavior at the east-west RASP layer and using the session ID for context correlation and threat analysis; aggregating WAF and RASP data by session ID, constructing an attack feature propagation graph and evaluating the attack chain confidence; when the confidence exceeds a threshold, extracting attack features at the RASP layer, generating virtual patch rules and feeding them back to the WAF layer for real-time update; and finally performing collaborative blocking through a bidirectional confidence fusion decision between the WAF and the RASP. The invention addresses the problem that, in the prior art, north-south and east-west detection are split and cannot effectively block cross-layer attack chains, and achieves accurate, dynamic protection against complex attacks, in particular encrypted traffic and lateral movement.

Inventors

  • WANG YI
  • CHEN SHUHUA
  • YU LAIBAO
  • YANG ZHONGYUAN
  • XUE JIANJUN
  • XUE MING
  • LIU JUN
  • ZHANG YU

Assignees

  • 武汉城市职业学院 (Wuhan City Polytechnic)
  • 武汉烽火技术服务有限公司 (Wuhan FiberHome Technical Services Co., Ltd.)
  • 烽火通信科技股份有限公司 (FiberHome Telecommunication Technologies Co., Ltd.)

Dates

Publication Date
2026-05-08
Application Date
2026-02-03

Claims (7)

  1. An abnormal traffic collaborative detection method, characterized by comprising the following steps:
     S1, at the north-south WAF layer, performing protocol-adaptive identification and dynamic attack detection on traffic; when an attack session is detected, generating an attack fingerprint, generating a globally unique session ID and binding it to the attack session, and storing the attack fingerprint in association with the session ID;
     S2, at the east-west RASP layer, deploying probe clusters on the application nodes, performing full-link instrumentation monitoring of application behavior, extracting the session ID from the traffic and propagating it end to end, and associating the monitored behavior data with the session ID to form context-tagged behavior data;
     S3, using the session ID as the key index, aggregating the attack fingerprint generated in S1 and the context-tagged behavior data generated in S2, constructing a cross-layer attack feature propagation graph, analyzing the graph according to preset rules, and dynamically evaluating the attack chain confidence; step S3 specifically comprises:
       S31, with the session ID as primary key, aggregating the attack fingerprints reported by the WAF layer with the node threat scores and session-tagged behavior contexts reported by the RASP layer, and constructing structured data in which network nodes are vertices and attack propagation relations are edges;
       S32, importing the aggregated data into a graph database and dynamically constructing and updating the attack feature propagation graph;
       S33, quantitatively evaluating the confidence of each identified attack propagation path, where the evaluation factors include at least the average threat score of the nodes on the path and the attack propagation depth, and obtaining the attack chain confidence by normalization;
     S4, when the evaluated attack chain confidence exceeds a first threshold, extracting key attack features from the attack chain and associated behavior context identified in S3, converting them into virtual patch rules executable by the WAF layer, and injecting the virtual patch rules into the WAF layer rule library in real time;
     S5, calculating a final combined confidence from the WAF confidence and the RASP confidence, and executing a blocking action cooperatively between the WAF layer and the RASP layer when the final combined confidence exceeds a second threshold; step S5 specifically comprises:
       S51, obtaining the WAF confidence, calculated by the WAF layer from the rule matching degree, and the RASP confidence, calculated by the RASP layer from the node threat score, and computing the final combined confidence with a weighted fusion formula;
       S52, when the final combined confidence exceeds the second threshold, synchronously triggering the blocking actions of the WAF layer and the RASP layer, where the WAF layer performs network-layer blocking and records the attack source, and the RASP layer terminates the malicious operation thread in the application and rolls back dangerous transactions;
       S53, recording the execution result of the collaborative blocking and dynamically adjusting the weight coefficients of the confidence fusion formula in S51 according to whether the blocking succeeded or was a misjudgment.
  2. The abnormal traffic collaborative detection method according to claim 1, wherein step S1 specifically comprises:
     S11, deploying a protocol analysis plug-in that adaptively distinguishes HTTP/HTTPS from non-HTTP traffic by analyzing packet header characteristics, protocol identifiers in preset leading bytes, or statistical features of the flow;
     S12, performing dynamic attack detection on the identified traffic: for unencrypted traffic, detecting obfuscated (mutated) attacks by combining rule matching with abstract syntax tree analysis; for encrypted traffic, extracting only its extension fields, rather than decrypting it, for a preliminary judgment, and marking the session as to-be-observed;
     S13, when an attack is detected or a session is marked to-be-observed, generating a globally unique session ID, inserting it into a protocol header or metadata field of the traffic, and storing the attack fingerprint or the to-be-observed mark in association with the session ID in a distributed cache.
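The WAF-side steps S11 to S13 of claim 2, as an added illustration that is not code from the patent: protocol identification from the leading bytes, attack detection that normalizes obfuscation (URL encoding, inline comments, case) before matching on the token structure rather than on the raw string, and session ID generation with the fingerprint cached against it. The header name `X-Detect-Session-Id`, the signature list, the in-memory `FINGERPRINT_CACHE` standing in for the distributed cache, and the token-stream checks (a lightweight stand-in for full abstract syntax tree analysis) are all assumptions of this example.

```python
import hashlib
import re
import secrets
import urllib.parse
from typing import Optional

# Header that carries the WAF-issued session ID downstream. The name is an
# assumption for this example; claim 2 only requires "a protocol header or
# metadata field".
SESSION_HEADER = "X-Detect-Session-Id"

# In-memory stand-in for the distributed cache of S13.
FINGERPRINT_CACHE = {}

_HTTP_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\r\n")


def identify_protocol(payload: bytes) -> str:
    """S11: classify a flow from its leading bytes as 'http', 'tls' or 'non-http'."""
    if _HTTP_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    return "non-http"


# Literal signatures: the plain rule-matching half of S12 (assumed list).
SIGNATURE_RULES = [r"xp_cmdshell", r"\bsleep\s*\(", r"\bbenchmark\s*\("]

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\d+|[a-z_][a-z0-9_]*|<>|!=|<=|>=|--|#|[=<>;,()']")


def decode(value: str) -> str:
    """Undo the usual obfuscation layers: double URL-decoding, inline comments, case."""
    text = urllib.parse.unquote(urllib.parse.unquote(value))
    return re.sub(r"/\*.*?\*/", " ", text).lower()


def detect_sqli(value: str) -> Optional[str]:
    """S12: signature rules first, then structural checks on the token stream.
    Returns the reason string, or None when the value looks benign."""
    text = decode(value)
    for rule in SIGNATURE_RULES:
        if re.search(rule, text):
            return "signature:" + rule
    toks = _TOKEN.findall(text)
    for i, tok in enumerate(toks):
        # tautology: OR <literal> = <same literal>, whatever the spacing/casing was
        if tok == "or" and i + 3 < len(toks) and toks[i + 2] == "=" and toks[i + 1] == toks[i + 3]:
            return "structure:tautology"
        if tok == "union" and i + 1 < len(toks) and toks[i + 1] in ("select", "all"):
            return "structure:union-select"
        if tok == ";" and i + 1 < len(toks) and toks[i + 1] in ("drop", "insert", "update", "delete", "exec"):
            return "structure:stacked-query"
    return None


def waf_inspect(payload: bytes, headers: dict) -> dict:
    """S11-S13 for one inbound flow. On an attack or a to-be-observed session a
    session ID is generated, written into `headers` for downstream propagation,
    and the fingerprint is stored against it."""
    proto = identify_protocol(payload)
    if proto == "http":
        query = urllib.parse.urlsplit(_HTTP_LINE.match(payload).group(2).decode("latin-1")).query
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        reason = next((r for r in (detect_sqli(v) for vs in params.values() for v in vs) if r), None)
    elif proto == "tls":
        # Only the cleartext record/extension fields are visible; nothing is decrypted.
        reason = "observe:encrypted"
    else:
        reason = detect_sqli(payload.decode("latin-1"))
    if reason is None:
        return {"protocol": proto, "session_id": None, "reason": None}
    session_id = secrets.token_hex(16)
    headers[SESSION_HEADER] = session_id
    fingerprint = hashlib.sha256(b"%s|%s|%s" % (proto.encode(), reason.encode(), payload[:256])).hexdigest()[:16]
    FINGERPRINT_CACHE[session_id] = {"fingerprint": fingerprint, "reason": reason, "protocol": proto}
    return {"protocol": proto, "session_id": session_id, "reason": reason}
```

The structural check is what catches `1%2527%2520oR/**/1%253D1--`: after decoding and comment stripping the token stream is `1 ' or 1 = 1 --`, which a regex on the raw request would miss. Encrypted flows are never decrypted here; they are only tagged so that the RASP side can attach context to them later.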
  3. The abnormal traffic collaborative detection method according to claim 1, wherein step S2 comprises:
     S21, instrumenting key classes of the application by bytecode enhancement, monitoring application behaviors including SQL execution, file operations and RPC calls, and capturing the specific parameters and context of each behavior;
     S22, when an application node processes an incoming request, parsing the session ID from the protocol header or metadata and binding it to the context of the current processing thread; when a cross-service call is made, automatically injecting the session ID into the outbound request, so that the session ID is passed through along the whole service chain;
     S23, marking user input and tracking its propagation by taint tracking, and, when tainted data triggers a preset high-risk operation, calculating the threat score of the current node from the vulnerability base score and the controllability of the input.
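The RASP-side steps S21 to S23 of claim 3, as an added example that is not the patent's code: the session ID is bound to the current execution context on entry and re-injected into outbound calls, user input is wrapped in a taint-carrying string type, and an instrumented sink computes the node threat score as base score times input controllability when tainted data reaches it. The header name, the `BASE_SCORES` table, the `Tainted` string type and the `instrumented_sink` function (standing in for a bytecode-level hook) are assumptions of this example.

```python
import contextvars
from typing import Optional

# Assumed name of the header in which the WAF-issued session ID arrives.
SESSION_HEADER = "X-Detect-Session-Id"

# S22: session ID bound to the request the current thread/task is handling.
_current_session = contextvars.ContextVar("session_id", default=None)

# Behaviour events the probe reports upstream (in-memory list for the example).
REPORTED_EVENTS = []

# Vulnerability base scores per high-risk operation (assumed, CVSS-like 0-10).
BASE_SCORES = {"sql_execute": 9.8, "file_open": 7.5, "rpc_call": 8.6}


class Tainted(str):
    """S23: a string that originated from user input. It behaves as a normal str,
    carries how much of it the user controls (1.0 = fully), and keeps the taint
    through concatenation. (Formatting via f-strings/.format() would drop it;
    a real probe hooks those paths too.)"""

    def __new__(cls, value, controllability: float = 1.0):
        obj = super().__new__(cls, value)
        obj.controllability = controllability
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.controllability)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.controllability)


def bind_inbound(headers: dict) -> Optional[str]:
    """S22: parse the session ID from the inbound header and bind it to this context."""
    sid = headers.get(SESSION_HEADER)
    _current_session.set(sid)
    return sid


def inject_outbound(headers: dict) -> dict:
    """S22: copy the bound session ID into a cross-service call so the next node
    tags its behaviour with the same ID."""
    sid = _current_session.get()
    if sid:
        headers[SESSION_HEADER] = sid
    return headers


def taint_inputs(params: dict) -> dict:
    """Mark every request parameter as tainted on entry."""
    return {k: Tainted(v) for k, v in params.items()}


def node_threat_score(operation: str, args) -> float:
    """S23: base score x input controllability when tainted data reaches a sink, else 0."""
    tainted = [a for a in args if isinstance(a, Tainted)]
    if not tainted:
        return 0.0
    return round(BASE_SCORES[operation] * max(t.controllability for t in tainted), 2)


def instrumented_sink(operation: str, *args) -> dict:
    """Stand-in for the bytecode hook on SQL/file/RPC entry points (S21): records
    the operation, its arguments, the current session ID and the threat score."""
    event = {"session_id": _current_session.get(), "operation": operation,
             "args": [str(a) for a in args], "threat_score": node_threat_score(operation, args)}
    REPORTED_EVENTS.append(event)
    return event


def handle_request(headers: dict, params: dict) -> dict:
    """One request through the probe: bind the session, taint the input, hit a SQL
    sink with it, then make a downstream call carrying the session ID."""
    bind_inbound(headers)
    p = taint_inputs(params)
    query = "SELECT * FROM users WHERE name = '" + p["name"] + "'"
    event = instrumented_sink("sql_execute", query)
    downstream = inject_outbound({"Content-Type": "application/json"})
    return {"event": event, "downstream_headers": downstream}
```

Using `contextvars` rather than a thread-local is deliberate: it survives async task switches, which a thread-local does not, so the session ID stays attached to the request that owns it. A value that passed through a narrowing transformation (an integer cast, a character allow-list) can be re-wrapped with a lower `controllability`, which scales the threat score down accordingly.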
  4. The abnormal traffic collaborative detection method according to claim 1, wherein step S4 comprises:
     S41, when the attack chain confidence exceeds the first threshold, extracting from the RASP behavior data that triggered the attack chain the attack feature patterns that occur at high frequency along the attack propagation path, to form a minimal attack feature set;
     S42, converting the minimal attack feature set into WAF-compatible defense rules, and dynamically weighting each rule according to the confidence of the attack chain that generated it;
     S43, pushing the weighted defense rules to the north-south WAF engine over a real-time communication channel, triggering the WAF rule hot-loading mechanism so the rules take effect, and setting an automatic expiry policy for rules that stop matching.
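Virtual patch generation per steps S41 to S43 of claim 4, as an added example rather than the patent's own implementation: the sink arguments recorded along one attack chain are broken into token n-grams, the patterns that recur across the path are kept, a greedy set cover reduces them to a minimal feature set, each pattern becomes a weighted regex rule, and a rule store hot-loads the rules with an expiry policy for rules that never match. The event list, the choice of trigrams, the support threshold, the rule-ID scheme and the `WafRuleStore` class are assumptions of this example.

```python
import hashlib
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed RASP behaviour events from one attack chain (S41 input): the string
# that reached each sink. Four carry a SQL tautology, two a path traversal.
EVENTS = [
    {"node": "gateway",  "operation": "sql_execute", "args": "SELECT * FROM users WHERE id = 1 OR 1=1--"},
    {"node": "user-svc", "operation": "sql_execute", "args": "SELECT * FROM orders WHERE uid = 1 OR 1=1--"},
    {"node": "user-svc", "operation": "rpc_call",    "args": "billing.lookup(1 OR 1=1--)"},
    {"node": "billing",  "operation": "sql_execute", "args": "SELECT amount FROM bills WHERE uid = 1 OR 1=1--"},
    {"node": "billing",  "operation": "file_open",   "args": "/var/www/uploads/../../etc/passwd"},
    {"node": "report",   "operation": "file_open",   "args": "/srv/app/../../../etc/passwd"},
]

Gram = Tuple[str, ...]


def ngrams(text: str, n: int) -> set:
    """Token n-grams of a sink argument: the candidate attack feature patterns."""
    toks = re.findall(r"[a-z0-9_]+|\.\.|[=<>!]+|--|/|'", text.lower())
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def frequent_features(events: List[dict], n: int = 3, min_support: float = 0.5) -> List[Gram]:
    """S41: patterns present in at least min_support of the events on the path,
    most frequent first (ties in deterministic lexical order)."""
    counts = Counter()
    for e in events:
        counts.update(ngrams(e["args"], n))
    threshold = math.ceil(len(events) * min_support)
    return sorted((g for g, c in counts.items() if c >= threshold), key=lambda g: (-counts[g], g))


def minimal_feature_set(events: List[dict], features: List[Gram], n: int = 3) -> List[Gram]:
    """S41: greedy set cover, i.e. the fewest frequent patterns that still cover every event."""
    if not features:
        return []
    covers = {g: {i for i, e in enumerate(events) if g in ngrams(e["args"], n)} for g in features}
    uncovered, chosen = set(range(len(events))), []
    while uncovered:
        best = max(features, key=lambda g: len(covers[g] & uncovered))
        if not covers[best] & uncovered:
            break  # remaining events share no frequent pattern
        chosen.append(best)
        uncovered -= covers[best]
    return chosen


def to_waf_rules(feature_set: List[Gram], confidence: float) -> List[dict]:
    """S42: one regex rule per pattern (tokens joined by optional whitespace),
    weighted by the confidence of the chain that produced it."""
    rules = []
    for gram in feature_set:
        pattern = r"\s*".join(re.escape(t) for t in gram)
        rule_id = "vp-" + hashlib.sha256(pattern.encode()).hexdigest()[:8]
        rules.append({"id": rule_id, "pattern": pattern, "weight": round(confidence, 2)})
    return rules


class WafRuleStore:
    """S43: hot-loaded rule library with an expiry policy for rules that never match."""

    def __init__(self):
        self.rules: List[dict] = []

    def hot_load(self, rules: List[dict], now: float, ttl: float) -> None:
        for r in rules:
            if any(x["id"] == r["id"] for x in self.rules):
                continue  # already active; do not reset its counters
            self.rules.append({**r, "regex": re.compile(r["pattern"], re.IGNORECASE),
                               "loaded_at": now, "ttl": ttl, "matches": 0})

    def match(self, request_text: str, now: float) -> List[str]:
        """IDs of the rules a request trips, in load order."""
        hits = []
        for r in self.rules:
            if r["regex"].search(request_text):
                r["matches"] += 1
                hits.append(r["id"])
        return hits

    def expire(self, now: float) -> List[str]:
        """Drop rules that have not matched anything within their TTL since loading."""
        dropped = [r["id"] for r in self.rules if r["matches"] == 0 and now - r["loaded_at"] > r["ttl"]]
        self.rules = [r for r in self.rules if r["id"] not in dropped]
        return dropped
```

With the constructed events the frequent trigrams collapse to two rules, `1\s*=\s*1` and `\.\.\s*/\s*\.\.`, one per sub-chain; the greedy cover is what keeps the patch small instead of shipping every recurring trigram as its own rule. The rule weight is carried alongside the pattern so the WAF can fold it into its own confidence rather than treating a virtual patch as a hard block.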
  5. The abnormal traffic collaborative detection method according to claim 1, wherein the following decision rules are dynamically evaluated on the attack feature propagation graph constructed in step S32:
     Rule 1: if the threat score of a node in the graph exceeds a third threshold and a high-risk operation at that node is reached by a data flow originating from user input, the node is marked as an attack node;
     Rule 2: if the graph contains a path that propagates from the WAF entry node through at least one service node and the average threat score of all nodes on the path exceeds a fourth threshold, a cross-layer attack chain is judged to exist.
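Steps S31 to S33 of claim 1 and the two graph rules of claim 5 share one propagation graph, so they are shown together here as an added example that is not the patent's code: WAF fingerprints and RASP behavior events are joined on the session ID into vertices (nodes with threat scores) and edges (caller to callee), rule 1 marks attack nodes, rule 2 finds paths from the WAF entry node whose average threat exceeds the fourth threshold, and S33 normalizes average threat and propagation depth into a confidence in [0, 1]. The constructed inputs, the threshold values, the depth cap and the 0.6/0.4 weighting of the two factors are assumptions; the patent only requires that these factors and thresholds exist.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed thresholds and weights; the claims only require that they exist.
T3_NODE_THREAT = 7.0      # claim 5, rule 1
T4_PATH_AVG_THREAT = 6.0  # claim 5, rule 2
MAX_DEPTH = 5             # depth normalisation bound for S33
W_THREAT, W_DEPTH = 0.6, 0.4

# Constructed inputs. WAF fingerprints keyed by session ID (S1) with the WAF's own
# score for the entry node; RASP behaviour events (S2) carrying the session ID,
# the node, the upstream caller and the node threat score.
WAF_FINGERPRINTS = {
    "sess-1": {"fingerprint": "sqli-tautology", "entry": "waf-entry", "score": 6.0},
    "sess-2": {"fingerprint": "probe-scan", "entry": "waf-entry", "score": 5.0},
}
RASP_EVENTS = [
    {"session_id": "sess-1", "node": "gateway",   "caller": "waf-entry", "threat_score": 8.0, "tainted_sink": True},
    {"session_id": "sess-1", "node": "user-svc",  "caller": "gateway",   "threat_score": 9.8, "tainted_sink": True},
    {"session_id": "sess-1", "node": "billing",   "caller": "user-svc",  "threat_score": 9.0, "tainted_sink": True},
    {"session_id": "sess-1", "node": "audit-svc", "caller": "gateway",   "threat_score": 1.0, "tainted_sink": False},
    {"session_id": "sess-2", "node": "gateway",   "caller": "waf-entry", "threat_score": 2.0, "tainted_sink": False},
]


@dataclass
class PropagationGraph:
    entry: str
    scores: Dict[str, float] = field(default_factory=dict)
    tainted: Set[str] = field(default_factory=set)
    edges: Dict[str, List[str]] = field(default_factory=dict)


def aggregate(session_id: str) -> PropagationGraph:
    """S31/S32: join WAF and RASP data on the session ID into vertices (nodes with
    their highest reported threat score) and edges (caller -> callee)."""
    fp = WAF_FINGERPRINTS[session_id]
    g = PropagationGraph(entry=fp["entry"], scores={fp["entry"]: fp["score"]})
    for ev in (e for e in RASP_EVENTS if e["session_id"] == session_id):
        g.scores[ev["node"]] = max(g.scores.get(ev["node"], 0.0), ev["threat_score"])
        if ev["tainted_sink"]:
            g.tainted.add(ev["node"])
        callees = g.edges.setdefault(ev["caller"], [])
        if ev["node"] not in callees:
            callees.append(ev["node"])
    return g


def attack_nodes(g: PropagationGraph) -> List[str]:
    """Claim 5, rule 1: threat above T3 and tainted user input reaching a high-risk op."""
    return sorted(n for n in g.tainted if g.scores.get(n, 0.0) > T3_NODE_THREAT)


def paths_from_entry(g: PropagationGraph) -> List[List[str]]:
    """All simple paths starting at the WAF entry node (per-session graphs are small)."""
    out = []

    def walk(path):
        for nxt in g.edges.get(path[-1], []):
            if nxt not in path:
                out.append(path + [nxt])
                walk(path + [nxt])

    walk([g.entry])
    return out


def attack_chains(g: PropagationGraph) -> List[Tuple[List[str], float]]:
    """Claim 5, rule 2: entry -> at least one service node with path-average threat above T4."""
    chains = []
    for p in paths_from_entry(g):
        avg = sum(g.scores.get(n, 0.0) for n in p) / len(p)
        if avg > T4_PATH_AVG_THREAT:
            chains.append((p, avg))
    return chains


def chain_confidence(g: PropagationGraph) -> Tuple[float, List[str]]:
    """S33: normalise path-average threat (0-10) and propagation depth (service nodes
    on the path, capped at MAX_DEPTH) into [0, 1]; return the strongest chain."""
    best, best_path = 0.0, []
    for p, avg in attack_chains(g):
        depth = len(p) - 1
        conf = W_THREAT * (avg / 10.0) + W_DEPTH * (min(depth, MAX_DEPTH) / MAX_DEPTH)
        if conf > best:
            best, best_path = conf, p
    return round(best, 3), best_path
```

For `sess-1` the entry-gateway-user-svc-billing path averages 8.2 over four nodes at depth 3, giving 0.6 × 0.82 + 0.4 × 0.6 = 0.732; the branch into `audit-svc` averages 5.0 and is not a chain. `sess-2` is a WAF hit that the application never escalated, so it yields no attack node, no chain and confidence 0, which is exactly the case the fusion step should not block on the WAF's word alone.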
  6. The abnormal traffic collaborative detection method according to claim 1, wherein in step S53 the policy for dynamically adjusting the weight coefficients is: if the collaborative blocking is confirmed to be a false positive, the weight of the WAF confidence in the fusion formula is reduced by a preset step; if the collaborative blocking failed to stop a successful attack, the weight of the RASP confidence in the fusion formula is increased by a preset step.
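The fusion and blocking decision of steps S51 to S53 of claim 1 together with the weight adjustment policy of claim 6, as an added example that is not the patent's code. The weighted fusion formula is taken to be a weighted mean of the two confidences (the patent does not fix its form); the second threshold, the step size, the weight bounds and the action labels are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed values; claims 1 and 6 only require that a second threshold and a
# preset step exist.
SECOND_THRESHOLD = 0.6
STEP = 0.1
W_MIN, W_MAX = 0.1, 0.9


@dataclass
class FusionWeights:
    """Weight coefficients of the S51 fusion formula plus the S53 feedback log."""
    w_waf: float = 0.5
    w_rasp: float = 0.5
    history: List[dict] = field(default_factory=list)

    def fuse(self, c_waf: float, c_rasp: float) -> float:
        """S51: weighted fusion of the WAF confidence (rule matching degree) and the
        RASP confidence (node threat); dividing by the weight sum keeps it in [0, 1]."""
        return round((self.w_waf * c_waf + self.w_rasp * c_rasp) / (self.w_waf + self.w_rasp), 3)

    def feedback(self, outcome: str) -> None:
        """S53 / claim 6: a confirmed false positive lowers the WAF weight by one step;
        an attack that succeeded despite the decision raises the RASP weight by one step."""
        if outcome == "false_positive":
            self.w_waf = max(W_MIN, round(self.w_waf - STEP, 3))
        elif outcome == "missed_attack":
            self.w_rasp = min(W_MAX, round(self.w_rasp + STEP, 3))
        else:
            raise ValueError("unknown outcome: " + outcome)
        self.history.append({"outcome": outcome, "w_waf": self.w_waf, "w_rasp": self.w_rasp})


def decide(weights: FusionWeights, c_waf: float, c_rasp: float) -> dict:
    """S52: above the second threshold both layers act at once; below it neither does."""
    fused = weights.fuse(c_waf, c_rasp)
    block = fused > SECOND_THRESHOLD
    return {
        "fused": fused,
        "block": block,
        "waf_action": "drop+record_source" if block else "none",
        "rasp_action": "kill_thread+rollback" if block else "none",
    }
```

Because the fused value is a weighted mean, one layer alone cannot push it past the threshold once its weight has been reduced: a strong WAF rule hit with weak application evidence (0.95 / 0.30) blocks at equal weights but no longer does after one confirmed false positive, while weak WAF evidence with a strong RASP signal (0.20 / 0.90) starts blocking after one missed attack raises the RASP weight.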
  7. An abnormal traffic collaborative detection system, characterized by comprising:
     a north-south detection module, deployed at the network boundary, which performs protocol-adaptive identification and dynamic attack detection on traffic, generates an attack fingerprint when an attack session is detected, generates a globally unique session ID and binds it to the attack session, and stores the attack fingerprint in association with the session ID;
     an east-west detection module, deployed in the application node cluster, which performs full-link instrumentation monitoring of application behaviors, extracts the session ID from the traffic and passes it through, associates the monitored behavior data with the session ID to form context-tagged behavior data, and calculates node threat scores by taint tracking;
     an attack graph construction and analysis module, connected to the north-south detection module and the east-west detection module, which aggregates the attack fingerprints and the context-tagged behavior data with the session ID as the key index, constructs a cross-layer attack feature propagation graph, analyzes the graph according to preset rules and dynamically evaluates the attack chain confidence; specifically, the module aggregates, with the session ID as primary key, the attack fingerprints reported by the WAF layer with the node threat scores and session-tagged behavior contexts reported by the RASP layer, constructs structured data with network nodes as vertices and attack propagation relations as edges, imports the aggregated data into a graph database in which the attack feature propagation graph is dynamically constructed and updated, and quantitatively evaluates the confidence of each identified attack propagation path, the evaluation factors including at least the average threat score of the nodes on the path and the attack propagation depth, obtaining the attack chain confidence by normalization;
     a virtual patch generation and injection module, connected to the attack graph construction and analysis module, which, when the attack chain confidence exceeds a first threshold, extracts key attack features from the identified attack chain and associated behavior context, converts them into WAF-executable rules and injects them into the rule base of the north-south detection module in real time;
     a collaborative blocking decision and execution module, connected to the north-south detection module, the east-west detection module and the attack graph construction and analysis module, which calculates a final combined confidence from the WAF confidence and the RASP confidence and, when the final combined confidence exceeds a second threshold, coordinates the north-south and east-west detection modules to execute the blocking action synchronously; specifically, the module obtains the WAF confidence, calculated by the WAF layer from the rule matching degree, and the RASP confidence, calculated by the RASP layer from the node threat score, computes the final combined confidence with a weighted fusion formula, synchronously triggers the blocking actions of the WAF layer and the RASP layer when the final combined confidence exceeds the second threshold, the WAF layer performing network-layer blocking and recording the attack source and the RASP layer terminating the malicious operation thread in the application and rolling back dangerous transactions, and records the execution result of the collaborative blocking and dynamically adjusts the weight coefficients of the confidence fusion formula in S51 according to whether the blocking succeeded or was a misjudgment.

Description

Abnormal flow collaborative detection method and system

Technical Field

The invention belongs to the field of network communication and in particular relates to a collaborative detection method for abnormal traffic.

Background

In the network management and control of a telecommunication transmission network, the external interface of a management and control system is called the north-south interface, and the interfaces inside the system or between systems of the same level are called east-west interfaces. The management and control system mainly deploys a WAF at the network boundary to identify abnormal-traffic attacks by rule matching, and uses RASP to monitor abnormal traffic at individual service nodes within the system. The main problems of the prior art are as follows:
1. Limitations of north-south traffic detection (WAF): it only supports HTTP/HTTPS protocol analysis and has no detection capability for non-web traffic (such as RPC and proprietary protocols); with encrypted traffic exceeding 90% for operators, forced decryption by the WAF causes a performance loss of more than 40%; and its static rule mechanism has a false-positive rate above 15% and a false-negative rate above 20% on obfuscated attacks (such as obfuscated SQLi) and AI-driven adaptive attacks.
2. Limitations of east-west traffic detection (RASP): single-node instrumentation cannot correlate cross-service attack paths (such as chained API penetration) and lacks the ability to block lateral traffic between services in real time, so the success rate of lateral spread of an attack is as high as 35%.
In general, the prior art has a serious gap between north-south and east-west detection and cannot cooperatively block a cross-layer attack chain (such as a combined WAF-bypass and lateral-movement attack), which leaves a security risk in the network.

Disclosure of Invention

The invention aims to solve the technical problem that north-south and east-west detection are severely split in the prior art and a cross-layer attack chain cannot be blocked cooperatively, and provides an abnormal traffic collaborative detection method. To achieve this aim, the technical scheme adopted by the invention is an abnormal traffic collaborative detection method comprising the following steps: S1, at the north-south WAF layer, performing protocol-adaptive identification and dynamic attack detection on traffic; when an attack session is detected, generating an attack fingerprint, generating a globally unique session ID and binding it to the attack session, and storing the attack fingerprint in association with the session ID; S2, at the east-west RASP layer, deploying probe clusters on the application nodes, performing full-link instrumentation monitoring of application behavior, extracting the session ID from the traffic and propagating it end to end, and associating the monitored behavior data with the session ID to form context-tagged behavior data; S3, using the session ID as the key index, aggregating the attack fingerprint generated in the first step and the context-tagged behavior data generated in the second step, constructing a cross-layer attack feature propagation graph, analyzing the graph according to preset rules, and dynamically evaluating the attack chain confidence; S4, when the evaluated attack chain confidence exceeds a first threshold, extracting key attack features from the attack chain and associated behavior context identified in the third step, converting them into virtual patch rules executable by the WAF layer, and injecting the virtual patch rules into the WAF layer rule library in real time; S5, performing bidirectional confidence fusion between the WAF layer and the RASP layer based on the attack fingerprint, the behavior context threat score and the attack chain confidence, and executing a blocking action cooperatively between the WAF layer and the RASP layer when the fused final confidence exceeds a second threshold.

An abnormal traffic collaborative detection system, comprising: a north-south detection module deployed at the network boundary, which performs protocol-adaptive identification and dynamic attack detection on traffic, generates an attack fingerprint when an attack session is detected, generates a globally unique session ID and binds it to the attack session, and stores the attack fingerprint in association with the session ID; an east-west detection module deployed in the application node cluster, which performs full-link instrumentation monitoring of application behaviors, extracting and penetrating the session ID from the fl