SSH protocol behavior pattern recognition and alarm method based on total traffic of bypass network

A pattern-recognition, full-traffic technology applied in the field of network security; it addresses problems such as cumbersome operation and achieves the effects of improved work efficiency, improved accuracy and reduced complexity.

Active Publication Date: 2019-04-05
广州广电研究院有限公司

AI Technical Summary

Problems solved by technology

The existing method requires each server to be configured individually in order to obtain its logs.

Examples

Embodiment Construction

[0028] The present invention will be further described in detail below in conjunction with the reaction scheme and specific examples.

[0029] A method for identifying and alerting on SSH protocol behavior patterns based on full bypass network traffic, specifically comprising:

[0030] (1) The bypass monitoring device captures the mirrored traffic of the switch, separates the TCP traffic from it, and then filters out the SSH protocol traffic according to the destination port.

[0031] (2) Clean the SSH protocol traffic data and extract the five-tuple (sip, dip, inpackets, outpackets, timeout_state) from each record.

[0032] (3) Judge the five-tuple information to determine whether it belongs to a scanning process, a brute-force cracking process or a successful login process. The specific judgment process is as follows:

[0033] If records matching "inpackets >= 30 AND outpackets >= 30" exist in the SSH protocol traffic data, ...
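The per-flow judgment of step (3) followed by the per-address-pair aggregation described in the abstract, as an added example that is not code from the patent. The five-tuple field names come from step (2) and the only threshold taken from the page is "inpackets >= 30 AND outpackets >= 30" (read here as a completed interactive session, since the page's text is cut off); the short-flow cut-offs, the attempt threshold, the pattern names, the alarm levels and the sample flows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SshFlow:            # the five-tuple named in step (2)
    sip: str
    dip: str
    inpackets: int
    outpackets: int
    timeout_state: bool   # assumed meaning: flow ended by idle timeout, not FIN/RST

def classify_flow(f):
    """Per-flow pattern. Only the >=30/>=30 rule is from the page (read as a completed session); the short-flow cut-offs are assumptions."""
    if f.inpackets >= 30 and f.outpackets >= 30:
        return "login"
    if f.inpackets <= 3 and f.outpackets <= 3:      # handshake only, no authentication exchange
        return "scan"
    return "auth_attempt"                            # short exchange, no session established

ALARM_LEVELS = {"scan": 1, "brute_force": 2, "brute_force_success": 3}  # constructed levels

def aggregate(flows, attempt_threshold=10):
    """Group flows per (sip, dip) and derive the pair's overall pattern and alarm level; attempt_threshold is an assumed cut-off."""
    per_pair = defaultdict(list)
    for f in flows:
        per_pair[(f.sip, f.dip)].append(classify_flow(f))
    verdicts = {}
    for pair, pats in per_pair.items():
        attempts, logins = pats.count("auth_attempt"), pats.count("login")
        if attempts >= attempt_threshold:
            pattern = "brute_force_success" if logins else "brute_force"
        elif set(pats) == {"scan"}:
            pattern = "scan"
        else:
            pattern = "normal"
        verdicts[pair] = (pattern, ALARM_LEVELS.get(pattern, 0))
    return verdicts

# Constructed sample: one source probes five hosts, hammers one of them and finally gets in; an admin holds one long session elsewhere.
SAMPLE_FLOWS = (
    [SshFlow("203.0.113.7", "192.0.2.%d" % i, 2, 2, False) for i in range(1, 6)]
    + [SshFlow("203.0.113.7", "192.0.2.10", 12, 11, False) for _ in range(15)]
    + [SshFlow("203.0.113.7", "192.0.2.10", 140, 95, True)]
    + [SshFlow("198.51.100.4", "192.0.2.20", 310, 280, False)]
)

if __name__ == "__main__":
    for pair, (pattern, level) in sorted(aggregate(SAMPLE_FLOWS).items()):
        print(f"{pair[0]} -> {pair[1]}: {pattern} (alarm level {level})")
```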


Abstract

The invention relates to an SSH (Secure Shell) protocol behavior pattern recognition and alarm method based on the total traffic of a bypass network. User network traffic is received through switch bypass mirroring, TCP (Transmission Control Protocol) traffic is separated out, and the key features of the SSH protocol traffic are extracted for behavior judgment. The behavior pattern of each piece of SSH protocol traffic data is judged according to the key feature information, the SSH protocol data is aggregated according to source address and destination address, and the overall communication behavior pattern of the current source and destination address pair is judged according to the behavior patterns of the individual pieces of traffic data. Different patterns correspond to different alarm information, and alarms of the same type have different alarm levels. The invention provides an SSH protocol behavior pattern recognition and alarm method based on the total traffic of a bypass network, which has the advantages of simple acquisition of basic data, avoidance of tedious traditional identification, a wide range of application, fast and simple identification and judgment, and high accuracy.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to an SSH protocol behavior pattern recognition and alarm method based on the full traffic of a bypass network.

Background technique

[0002] The Secure Shell protocol, abbreviated as SSH, is a security protocol at the application layer that aims to provide secure remote login and other secure network services over insecure networks.

[0003] Servers exposed to the Internet are subject to malicious SSH brute-force cracking attacks all the time. The common attack method is for the attacker to try to log in to the server using a password dictionary or random password combinations. This attack behavior is generally not clear. Most attackers first scan the entire broadcast domain or network segment with scanning software to find servers with open SSH protocol ports, and then launch the corresponding attacks against them. However...


Application Information

IPC(8): H04L29/06, H04L12/24
CPC: H04L41/0681, H04L63/1416, H04L63/1425, H04L63/168
Inventor: 宋欢, 刘嘉奇
Owner: 广州广电研究院有限公司