CN105939311A - Method and device for determining network attack behavior - Google Patents
- Publication number
- CN105939311A (application CN201510489691.0A)
- Authority
- CN (China)
- Prior art keywords
- vulnerability scanning, attack, server, information, equipment
- Legal status
- Pending
Classifications
- H: ELECTRICITY > H04: ELECTRIC COMMUNICATION TECHNIQUE > H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00: Network architectures or network communication protocols for network security > H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433: Vulnerability analysis
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1441: Countermeasures against malicious traffic > H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The invention provides a method and a device for determining network attack behavior. In the method, after an IPS device detects attack information aimed at a server, it judges whether the attack information matches a pre-configured vulnerability scanning linkage policy; if so, the IPS device sends vulnerability scanning reference information to a vulnerability scanning device, which uses that reference information to perform a vulnerability scan; the IPS device then receives the vulnerability scanning result returned by the vulnerability scanning device and uses the attack information together with the scan result to determine the network attack behavior against the server. By linking the attack information held by the IPS device with the scan result produced by the vulnerability scanning device, the IPS device can, for a detected attack, not only detect that attack behavior exists but also determine whether the attack actually threatens or damages the server, and can therefore filter attacks more accurately.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for determining network attack behavior.
Background technology
As network applications penetrate ever deeper into people's daily lives and work, new kinds of network attack keep appearing, and new attack techniques may be encountered at any time. Important network nodes in particular, such as large enterprises, government agencies and operators, face a large volume of attack threats at all times. This places higher demands on IPS (Intrusion Prevention System) devices. An IPS device is a network security facility that supplements anti-virus software and firewalls: it monitors the data transmission behavior of a network or a network device and can immediately interrupt, adjust or isolate abnormal or harmful network data transmissions.
Among the network attacks detected by an IPS device there are often large numbers of ineffective attacks, for example XSS (Cross Site Scripting) attacks or SQL (Structured Query Language) injection attacks against a server. An XSS attack is one in which a malicious attacker inserts malicious HTML (HyperText Markup Language) code into a Web page, so that when a user browses that page the embedded HTML code is executed and the attacker's specific purpose against the user is achieved. An SQL injection attack is one in which SQL commands are inserted into a Web form submission, an input domain name, or the query string of a page request, ultimately tricking the server into executing malicious SQL commands; concretely, SQL injection exploits an existing application's ability to pass (malicious) SQL commands to the back-end database engine for execution, so that by entering (malicious) SQL statements into a Web form an attacker can obtain data from the database of a website that has a security vulnerability, rather than having the server execute the SQL statements the designer intended.
For a detected attack, an IPS device can only detect that attack behavior exists; it cannot know whether the attack actually threatens or damages the server. After an administrator sees the attack logs, they likewise cannot tell whether the attacks are real potential threats; usually only the server vendor's professional maintenance staff can resolve the question or inspect the server, a process that consumes a great deal of manpower and material resources and is inefficient.
Summary of the invention
The present invention provides a method for determining network attack behavior, comprising the following steps:
after an intrusion prevention system (IPS) device detects attack information aimed at a server, it judges whether the attack information matches a pre-configured vulnerability scanning linkage policy;
if so, the IPS device sends vulnerability scanning reference information to a vulnerability scanning device, which uses the reference information to perform a vulnerability scan;
the IPS device receives the vulnerability scanning result returned by the vulnerability scanning device, and uses the attack information and the scan result to determine the network attack behavior against the server.
The step in which the IPS device uses the attack information and the vulnerability scanning result to determine the network attack behavior against the server specifically includes:
when the scan result is that a vulnerability exists on the server, the IPS device uses the attack information and the scan result to determine that a network attack against the server exists;
when the scan result is that no vulnerability exists on the server, the IPS device uses the attack information and the scan result to determine that no network attack against the server exists.
After the IPS device determines that a network attack against the server exists, the method further includes: the IPS device raises the alarm level of the server and applies the alarm policy corresponding to the raised alarm level to handle the security of the server.
The parameters of the vulnerability scanning linkage policy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, and IT resource type. The vulnerability scanning reference information specifically includes the IP address of the server, the operating system type and/or the application software type.
The present invention also provides a device for determining network attack behavior, applied on an intrusion prevention system (IPS) device and comprising:
a judging module, for judging, after attack information aimed at a server is detected, whether the attack information matches a pre-configured vulnerability scanning linkage policy;
a sending module, for sending vulnerability scanning reference information to a vulnerability scanning device when the judgement result is yes, so that the vulnerability scanning device uses the reference information to perform a vulnerability scan;
a determining module, for receiving the vulnerability scanning result returned by the vulnerability scanning device and using the attack information and the scan result to determine the network attack behavior against the server.
The determining module is specifically configured, when using the attack information and the scan result to determine the network attack behavior against the server, to determine that a network attack against the server exists when the scan result is that a vulnerability exists on the server, and to determine that no network attack against the server exists when the scan result is that no vulnerability exists on the server.
The determining module is further configured, after determining that a network attack against the server exists, to raise the alarm level of the server and apply the alarm policy corresponding to the raised alarm level to handle the security of the server.
The parameters of the vulnerability scanning linkage policy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, and IT resource type. The vulnerability scanning reference information includes the IP address of the server, the operating system type and/or the application software type.
Based on the above technical scheme, in embodiments of the present invention, by linking the attack information of the IPS device with the vulnerability scanning result of the vulnerability scanning device, the IPS device can, for a detected attack, not only detect that attack behavior exists but also detect whether the attack threatens or damages the server, and so filter attacks more accurately. The automatic linkage mechanism between the IPS device and the vulnerability scanning device replaces the manual process of analyzing the attack information, then analyzing the server's vulnerabilities, then manually configuring defense policies; this greatly improves the efficiency of attack analysis and the timeliness of protection for internal servers, and saves a large amount of labor cost.
Accompanying drawing explanation
Fig. 1 is a flow chart of the method for determining network attack behavior in one embodiment of the present invention;
Fig. 2 is a hardware structure diagram of the IPS device in one embodiment of the present invention;
Fig. 3 is a structure diagram of the device for determining network attack behavior in one embodiment of the present invention.
Detailed description of the invention
To address the problems in the prior art, embodiments of the present invention propose a method for determining network attack behavior, applied in a system that includes an IPS device and a vulnerability scanning device. The IPS device, using a large number of configured attack defense rules, detects whether a data packet sent to the server contains an anomaly or an attack payload; when it does, the IPS device refuses to forward the packet to the server, and when it does not, the IPS device allows the packet to be forwarded to the server. The vulnerability scanning device, by performing vulnerability scans, can determine exactly which vulnerabilities exist in the operating system, application programs and so on used by the server. In this application scenario, as shown in Fig. 1, the method for determining network attack behavior may specifically include the following steps:
Step 101: after the IPS device detects attack information aimed at the server, it judges whether the attack information matches a pre-configured vulnerability scanning linkage policy. If so, step 102 is performed.
When the IPS device receives a data packet, it can detect whether the packet sent to the server contains an anomaly or an attack payload; if so, attack information aimed at the server has been detected. For example, when the packet carries an XSS attack or an SQL injection attack against the server, the IPS device can detect that XSS attack or SQL injection attack. At this point the IPS device can only detect that attack behavior exists; it cannot know whether the attack threatens or damages the server.
In embodiments of the present invention, when the IPS device detects an attack on the server, it can directly obtain the attack information for that server. The attack information may include, but is not limited to, one or any combination of the following: IP address (for example the IP address of the server, i.e. the destination IP address of the packet), port (for example the destination port of the packet), protocol (for example the protocol type carried in the packet), time period (for example the time period in which the attack behavior was detected), user name (for example the user name of the user device corresponding to the packet), attack frequency (for example the frequency of attacks produced against this server), operating system type (for example the operating system type targeted by the attack on this server), application software type (for example the application software type targeted by the attack on this server), and IT (Information Technology) resource type (for example the IT resource type targeted by the attack on this server).
In embodiments of the present invention, the parameters of the vulnerability scanning linkage policy may include, but are not limited to, one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, and IT resource type. For example, the vulnerability scanning linkage policies may include: linkage policy 1, consisting of IP address A, port A, protocol A, time period A, user name A, attack frequency A, operating system type A, application software type A and IT resource type A; linkage policy 2, consisting of IP address B, port B, protocol B, time period B, attack frequency B and operating system type B; and linkage policy 3, consisting of IP address C, port C, protocol C, time period C, attack frequency C, operating system type C, application software type C and IT resource type C.
Vulnerability scanning linkage policies can be configured in advance on the IPS device according to actual needs; the content of a linkage policy can be chosen freely, and the specific configuration method is not described further here.
Given the linkage policies above, if the attack information matches every parameter of a vulnerability scanning linkage policy, the attack information matches the pre-configured linkage policy and step 102 is performed. If the attack information does not match every parameter of any linkage policy, the attack information does not match a pre-configured linkage policy and subsequent processing follows the existing procedure. For example, when the attack information specifically consists of IP address A, port A, protocol A, time period A, user name A, attack frequency A, operating system type A, application software type A and IT resource type A, the attack information matches pre-configured linkage policy 1 and step 102 is performed.
Step 102: the IPS device sends vulnerability scanning reference information to the vulnerability scanning device, which uses that reference information to perform a vulnerability scan. In embodiments of the present invention, the vulnerability scanning reference information may include, but is not limited to: the IP address of the server (for example the destination IP address of the packet), the operating system type (for example the operating system type targeted by the attack on this server) and/or the application software type (for example the application software type targeted by the attack on this server).
In embodiments of the present invention, after receiving the vulnerability scanning reference information from the IPS device, the vulnerability scanning device can use it to perform a vulnerability scan. When scanning using the server's IP address, operating system type and/or application software type, the scanning device can, based on the server's IP address, detect whether the operating system type and/or application software type on that server has a vulnerability. If a vulnerability exists, the scan result is that a vulnerability exists on the server; if no vulnerability exists, the scan result is that no vulnerability exists on the server.
Here, the operating system type is the type of the server's operating system, for example a Windows system or a Linux system. The application software type is the software type corresponding to the applications the server supports: when the server supports an SMTP (Simple Mail Transfer Protocol) application, the application software type is SMTP software; when it supports an HTTP (Hyper Text Transfer Protocol) application, the application software type is HTTP software; and when it supports an SSH (Secure Shell) application, the application software type is SSH software.
In embodiments of the present invention, the vulnerability scanning device can be pre-configured with a vulnerability list, whose contents can be pre-configured or dynamically updated; the list records the correspondence between operating system type and/or application software type and vulnerability information. Using this list, when the scanning device performs a scan based on the operating system type and/or application software type, it can directly query the list by that operating system type and/or application software type. If the list contains vulnerability information corresponding to that operating system type and/or application software type, a vulnerability exists and the scanning device concludes that the scan result is that a vulnerability exists on the server; if the list contains no vulnerability information for that operating system type and/or application software type, no vulnerability exists and the scanning device concludes that the scan result is that no vulnerability exists on the server.
In another approach in embodiments of the present invention, after receiving the vulnerability scanning reference information from the IPS device, the vulnerability scanning device uses it to perform a vulnerability scan: based on the server's IP address, operating system type and/or application software type, the scanning device can actively scan that server for vulnerabilities; the specific scanning method is not described further here.
In embodiments of the present invention, after obtaining the vulnerability scanning result (a vulnerability exists on the server, or no vulnerability exists on the server), the vulnerability scanning device sends the scan result to the IPS device.
Step 103: the IPS device receives the vulnerability scanning result returned by the vulnerability scanning device and uses the attack information and the scan result to determine the network attack behavior against the server.
In embodiments of the present invention, the process by which the IPS device uses the attack information and the vulnerability scanning result to determine the network attack behavior against the server may include, but is not limited to: when the scan result is that a vulnerability exists on the server, the IPS device uses the attack information and the scan result to determine that a network attack against the server exists; when the scan result is that no vulnerability exists on the server, the IPS device uses the attack information and the scan result to determine that no network attack against the server exists.
When the packet carries an XSS attack or an SQL injection attack against the server, the IPS device can detect that attack, but on its own it can only establish that attack behavior exists, not whether the attack threatens or damages the server. When the scan result is that a vulnerability exists on the server, the IPS device can confirm from the attack information that attack behavior exists and confirm from the scan result that the server has the vulnerability; it therefore determines, based on the attack information and the scan result, that a network attack against the server exists, that is, the detected attack behavior threatens or damages the server.
Conversely, when the scan result is that no vulnerability exists on the server, the IPS device can confirm from the attack information that attack behavior exists, but confirm from the scan result that the server does not have the vulnerability; it therefore determines, based on the attack information and the scan result, that no network attack against the server exists, that is, the detected attack behavior does not threaten or damage the server.
In embodiments of the present invention, after the IPS device determines that a network attack against the server exists, it can also raise the alarm level of the server and apply the alarm policy corresponding to the raised alarm level to handle the security of the server. In addition, after the IPS device determines that no network attack against the server exists, it can also lower the alarm level of the server and apply the alarm policy corresponding to the lowered alarm level to handle the security of the server.
The alarm policies, in order of alarm level from low to high, may include, but are not limited to: recording an alarm log, blocking traffic, notifying the administrator, and shutting down the server.
In embodiments of the present invention, when the alarm policy is to record an alarm log, the IPS device's security handling of the server may include the IPS device recording an alarm log. When the alarm policy is to block traffic, it may include the IPS device discarding the data packets currently being sent to the server. When the alarm policy is to notify the administrator, it may include the IPS device notifying the administrator to repair the corresponding vulnerability on the server promptly. When the alarm policy is to shut down the server, it may include the IPS device shutting down the server and no longer sending packets to it.
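As an added example that is not part of the patent, the following Python sketch models steps 101 to 103 and the alarm-level handling described above from the IPS side: policy matching, the scanner's vulnerability-list lookup, the existence verdict, and the raise/lower of the alarm level. The function names, the sample linkage policies, the vulnerability list entry, the alarm policy table and the attack records are all constructed for illustration.

```python
"""Added illustration of the IPS / vulnerability-scanner linkage described in
steps 101-103 of the patent. Everything here (function names, the policy table,
the vulnerability list, the alarm policies and the sample attack records) is
constructed for this example and is not the patent's own code."""
from typing import Optional, Tuple

# Parameters the patent lists as possible linkage-policy fields (step 101).
POLICY_FIELDS = ("ip", "port", "protocol", "period", "user", "attack_freq",
                 "os_type", "app_type", "it_resource")

# Constructed linkage policies on the IPS side. A policy may use any subset of
# POLICY_FIELDS (compare "linkage policy 2" in the text, which omits some).
LINKAGE_POLICIES = [
    {"ip": "10.0.0.5", "port": 80, "protocol": "HTTP",
     "os_type": "Linux", "app_type": "HTTP"},
    {"ip": "10.0.0.9", "port": 25, "protocol": "SMTP", "app_type": "SMTP"},
]

# Constructed vulnerability list on the scanner side:
# (os_type, app_type) -> vulnerability information.
VULN_LIST = {
    ("Linux", "HTTP"): "constructed entry: web application vulnerable to SQL injection",
}

# Alarm policies in the order the patent gives them, low level to high.
ALARM_POLICIES = ("record_alarm_log", "block_traffic",
                  "notify_administrator", "shut_down_server")


def matches_policy(attack: dict, policy: dict) -> bool:
    """Step 101: the attack info must match every parameter of the policy.
    Unknown policy keys are rejected so a typo cannot silently never match."""
    if any(k not in POLICY_FIELDS for k in policy):
        raise ValueError("policy uses a field outside POLICY_FIELDS")
    return all(attack.get(k) == v for k, v in policy.items())


def find_linkage_policy(attack: dict) -> Optional[dict]:
    """Return the first pre-configured policy the attack info matches, if any."""
    for policy in LINKAGE_POLICIES:
        if matches_policy(attack, policy):
            return policy
    return None


def scan(reference: dict) -> bool:
    """Step 102, scanner side: query the vulnerability list by OS type and/or
    application type. Returns True when a vulnerability exists on the server."""
    key = (reference.get("os_type"), reference.get("app_type"))
    return key in VULN_LIST


def adjust_alarm_level(level: int, attack_exists: bool) -> int:
    """Raise the level after a confirmed attack, lower it after a refuted one,
    clamped to the range of configured alarm policies."""
    new_level = level + 1 if attack_exists else level - 1
    return max(0, min(len(ALARM_POLICIES) - 1, new_level))


def handle_attack(attack: dict, level: int = 0) -> Tuple[str, int, str]:
    """Full linkage flow for one detected attack.
    Returns (verdict, new alarm level, alarm policy to apply)."""
    if find_linkage_policy(attack) is None:
        # No linkage policy matched: fall back to the existing IPS handling.
        return ("no_linkage", level, ALARM_POLICIES[level])
    # Step 102, IPS side: reference info is the server IP plus OS/app type.
    reference = {k: attack[k] for k in ("ip", "os_type", "app_type") if k in attack}
    vulnerable = scan(reference)
    # Step 103: attack info + scan result decide whether the attack is real.
    verdict = "attack_exists" if vulnerable else "attack_not_exists"
    new_level = adjust_alarm_level(level, vulnerable)
    return (verdict, new_level, ALARM_POLICIES[new_level])


if __name__ == "__main__":
    # Constructed attack records as the IPS would extract them from a packet.
    web_attack = {"ip": "10.0.0.5", "port": 80, "protocol": "HTTP",
                  "os_type": "Linux", "app_type": "HTTP"}
    mail_attack = {"ip": "10.0.0.9", "port": 25, "protocol": "SMTP",
                   "os_type": "Windows", "app_type": "SMTP"}
    print(handle_attack(web_attack, level=0))   # ('attack_exists', 1, 'block_traffic')
    print(handle_attack(mail_attack, level=1))  # ('attack_not_exists', 0, 'record_alarm_log')
```

The second record shows the filtering the patent is after: the IPS still sees an attack signature, but because the scanner finds no matching vulnerability the event is demoted rather than escalated.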
Based on the above technical scheme, in embodiments of the present invention, by linking the attack information of the IPS device with the vulnerability scanning result of the vulnerability scanning device, the IPS device can, for a detected attack, not only detect that attack behavior exists but also detect whether the attack threatens or damages the server, and so filter attacks more accurately. In this way, the IPS device can intelligently analyze the attack behavior present in the network and filter out ineffective attacks, reducing the cost of manual maintenance. Moreover, the joint analysis of the results of the IPS device and the vulnerability scanning device lets the IPS device filter attacks more accurately. And the automatic linkage mechanism between the IPS device and the vulnerability scanning device replaces the manual process of analyzing the attack information, then analyzing the server's vulnerabilities, then manually configuring defense policies; this greatly improves the efficiency of attack analysis and the timeliness of protection for internal servers, and saves a large amount of labor cost.
Based on the same inventive concept as the method above, embodiments of the present invention also provide a device for determining network attack behavior, applied on an IPS device. The device can be implemented in software, in hardware, or in a combination of the two. Taking software implementation as an example, the device in the logical sense is formed by the processor of the IPS device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 2 shows a hardware structure diagram of the IPS device on which the device for determining network attack behavior resides; besides the processor, network interface, memory and non-volatile memory shown in Fig. 2, the IPS device may also include other hardware, such as a forwarding chip responsible for processing packets. In terms of hardware structure, the IPS device may also be a distributed device, possibly including multiple interface cards, so that packet processing can be extended at the hardware level.
As shown in Fig. 3, which is the structure diagram of the device for determining network attack behavior proposed in embodiments of the present invention, the device may specifically include:
a judging module 11, for judging, after attack information aimed at a server is detected, whether the attack information matches a pre-configured vulnerability scanning linkage policy;
a sending module 12, for sending vulnerability scanning reference information to a vulnerability scanning device when the judgement result is yes, so that the vulnerability scanning device uses the reference information to perform a vulnerability scan;
a determining module 13, for receiving the vulnerability scanning result returned by the vulnerability scanning device and using the attack information and the scan result to determine the network attack behavior against the server.
The determining module 13 is specifically configured, when using the attack information and the vulnerability scanning result to determine the network attack behavior against the server, to determine that a network attack against the server exists when the scan result is that a vulnerability exists on the server, and to determine that no network attack against the server exists when the scan result is that no vulnerability exists on the server.
In embodiments of the present invention, the determining module 13 is further configured, after determining that a network attack against the server exists, to raise the alarm level of the server and apply the alarm policy corresponding to the raised alarm level to handle the security of the server.
In embodiments of the present invention, the parameters of the vulnerability scanning linkage policy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, and IT resource type. The vulnerability scanning reference information includes the IP address of the server, the operating system type and/or the application software type.
The modules of the device of the present invention may be integrated in one unit or deployed separately. The modules above may be merged into one module or further split into multiple sub-modules.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software together with the necessary general-purpose hardware platform, and may of course also be implemented in hardware, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product. This computer software product is stored in a storage medium and includes instructions that cause a computing device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention. Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be distributed in the device of that embodiment as described, or may be changed accordingly and located in one or more devices other than the device of the present embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules. The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments. Only several specific embodiments of the present invention are disclosed above; however, the present invention is not limited to these, and any changes that a person skilled in the art can conceive should fall within the scope of protection of the present invention.
Claims (10)
1. A method for determining a network attack, characterised in that the method comprises the following steps:
an intrusion prevention system (IPS) device, after detecting attack information directed at a server, judges whether the attack information meets a pre-configured vulnerability scanning linkage strategy;
if so, the IPS device sends vulnerability scanning reference information to a vulnerability scanning device, and the vulnerability scanning device performs vulnerability scanning using the vulnerability scanning reference information;
the IPS device receives the vulnerability scanning result returned by the vulnerability scanning device, and determines the network attack against the server using the attack information and the vulnerability scanning result.
2. The method according to claim 1, characterised in that the IPS device determining the network attack against the server using the attack information and the vulnerability scanning result specifically includes:
when the vulnerability scanning result is that a vulnerability exists on the server, the IPS device uses the attack information and the vulnerability scanning result to determine that the network attack against the server exists;
when the vulnerability scanning result is that no vulnerability exists on the server, the IPS device uses the attack information and the vulnerability scanning result to determine that the network attack against the server does not exist.
3. The method according to claim 2, characterised in that, after the IPS device determines that the network attack against the server exists, the method further includes:
the IPS device raises the alarm level of the server and applies security handling to the server according to the warning strategy corresponding to the raised alarm level.
4. The method according to any one of claims 1-3, characterised in that the parameters of the vulnerability scanning linkage strategy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type.
5. The method according to any one of claims 1-3, characterised in that the vulnerability scanning reference information specifically includes: the IP address, operating system type and/or application software type of the server.
6. A device for determining a network attack, characterised in that the network attack determination device is applied on an intrusion prevention system (IPS) device, and the network attack determination device includes:
a judging module, for judging, after attack information directed at a server is detected, whether the attack information meets a pre-configured vulnerability scanning linkage strategy;
a sending module, for sending, when the judgement result is yes, vulnerability scanning reference information to a vulnerability scanning device so that the vulnerability scanning device performs vulnerability scanning using the vulnerability scanning reference information;
a determination module, for receiving the vulnerability scanning result returned by the vulnerability scanning device, and determining the network attack against the server using the attack information and the vulnerability scanning result.
7. The device according to claim 6, characterised in that
the determination module, when determining the network attack against the server using the attack information and the vulnerability scanning result, is specifically used to: when the vulnerability scanning result is that a vulnerability exists on the server, use the attack information and the vulnerability scanning result to determine that the network attack against the server exists; when the vulnerability scanning result is that no vulnerability exists on the server, use the attack information and the vulnerability scanning result to determine that the network attack against the server does not exist.
8. The device according to claim 7, characterised in that
the determination module is further used, after determining that the network attack against the server exists, to raise the alarm level of the server and to apply security handling to the server according to the warning strategy corresponding to the raised alarm level.
9. The device according to any one of claims 6-8, characterised in that the parameters of the vulnerability scanning linkage strategy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type.
10. The device according to any one of claims 6-8, characterised in that the vulnerability scanning reference information includes: the IP address, operating system type and/or application software type of the server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510489691.0A CN105939311A (en) | 2015-08-11 | 2015-08-11 | Method and device for determining network attack behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105939311A true CN105939311A (en) | 2016-09-14 |
Family
ID=57152816
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510489691.0A Pending CN105939311A (en) | 2015-08-11 | 2015-08-11 | Method and device for determining network attack behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105939311A (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106850675A (en) * | 2017-03-10 | 2017-06-13 | 北京安赛创想科技有限公司 | A kind of determination method and device of attack |
CN106888210A (en) * | 2017-03-10 | 2017-06-23 | 北京安赛创想科技有限公司 | The alarming method for power and device of a kind of network attack |
CN106888211A (en) * | 2017-03-10 | 2017-06-23 | 北京安赛创想科技有限公司 | The detection method and device of a kind of network attack |
CN107133180A (en) * | 2017-06-07 | 2017-09-05 | 腾讯科技(深圳)有限公司 | Method of testing, test device and the storage medium of dynamic page |
CN107171834A (en) * | 2017-05-05 | 2017-09-15 | 四川长虹电器股份有限公司 | Short Message Service Gateway service platform monitoring early-warning system and method based on gateway early warning pond |
CN107483502A (en) * | 2017-09-28 | 2017-12-15 | 深信服科技股份有限公司 | A kind of method and device for detecting remaining attack |
CN108011880A (en) * | 2017-12-04 | 2018-05-08 | 郑州云海信息技术有限公司 | The management method and computer-readable recording medium monitored in cloud data system |
CN109302401A (en) * | 2018-10-25 | 2019-02-01 | 国家电网有限公司 | Protecting information safety method and device |
CN109711166A (en) * | 2018-12-17 | 2019-05-03 | 北京知道创宇信息技术有限公司 | Leak detection method and device |
CN109818984A (en) * | 2019-04-10 | 2019-05-28 | 吉林亿联银行股份有限公司 | The defence method and device of loophole |
CN110417709A (en) * | 2018-04-27 | 2019-11-05 | 南宁富桂精密工业有限公司 | Extort the method for early warning, server and computer readable storage medium of software attacks |
CN110881043A (en) * | 2019-11-29 | 2020-03-13 | 杭州迪普科技股份有限公司 | Method and device for detecting web server vulnerability |
CN110909361A (en) * | 2019-11-08 | 2020-03-24 | 北京长亭未来科技有限公司 | Vulnerability detection method and device and computer equipment |
CN112702300A (en) * | 2019-10-22 | 2021-04-23 | 华为技术有限公司 | Security vulnerability defense method and device |
CN114531262A (en) * | 2020-11-23 | 2022-05-24 | 中国电信股份有限公司 | Method and device for identifying vulnerability scanning behaviors |
CN115549945A (en) * | 2022-07-29 | 2022-12-30 | 浪潮卓数大数据产业发展有限公司 | Information system security state scanning system and method based on distributed architecture |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1581089A (en) * | 2003-08-04 | 2005-02-16 | 联想(北京)有限公司 | Invasion detecting method |
CN1988439A (en) * | 2006-12-08 | 2007-06-27 | 亿阳安全技术有限公司 | Device and method for realizing network safety |
CN101873231A (en) * | 2010-07-06 | 2010-10-27 | 联想网御科技(北京)有限公司 | Network intrusion character configuration method and system |
US20100287615A1 (en) * | 2007-09-19 | 2010-11-11 | Antony Martin | Intrusion detection method and system |
CN102082659A (en) * | 2009-12-01 | 2011-06-01 | 厦门市美亚柏科信息股份有限公司 | Vulnerability scanning system oriented to safety assessment and processing method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant after: Hangzhou Dipu Polytron Technologies Inc. Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant before: Hangzhou Dipu Technology Co., Ltd. |
| CB02 | Change of applicant information | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160914 |
| RJ01 | Rejection of invention patent application after publication | |