CN105939311A - Method and device for determining network attack behavior - Google Patents

Info

Publication number
CN105939311A
Authority
CN
China
Prior art keywords
vulnerability scanning
attack
server
information
equipment
Prior art date
Legal status
Pending
Application number
CN201510489691.0A
Other languages
Chinese (zh)
Inventor
张宁
翟世兴
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date / Filing date / Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201510489691.0A
Publication of CN105939311A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention provides a method and a device for determining a network attack behavior. The method comprises the following steps: after detecting attack information aimed at a server, an IPS device judges whether the attack information complies with a pre-configured vulnerability scanning linkage strategy; if so, the IPS device sends vulnerability scanning reference information to a vulnerability scanning device, and the vulnerability scanning device uses the reference information to scan for vulnerabilities; the IPS device then receives the vulnerability scanning result returned by the vulnerability scanning device and uses the attack information together with the scanning result to determine the network attack behavior aimed at the server. By linking the attack information of the IPS device with the vulnerability scanning result of the vulnerability scanning device, the IPS device can, for a detected attack, not only detect that the attack behavior exists but also determine whether the attack threatens or damages the server, and can therefore filter attacks more accurately.

Description

Method and apparatus for determining a network attack behavior
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for determining a network attack behavior.
Background technology
As network applications reach ever deeper into people's lives and work, network attacks of every kind keep emerging, and new attack methods may be encountered at any time. Important network traffic nodes in particular, such as large enterprises, government agencies and operators, face a large number of network attack threats at all times. This places higher requirements on IPS (Intrusion Prevention System) devices. An IPS device is a network security facility that supplements anti-virus software and firewalls; it is a network security device that monitors the network data transmission behavior of a network or of a network device and can immediately interrupt, adjust or isolate abnormal or harmful network data transmission behavior.
Among the network attacks detected by an IPS device, a large number of invalid attacks frequently appear, for example XSS (Cross Site Scripting) attacks or SQL (Structured Query Language) injection attacks against a server. An XSS attack is one in which a malicious attacker inserts malicious HTML (HyperText Markup Language) code into a Web (Internet) page; when a user browses that Web page, the embedded HTML code is executed, achieving the attacker's specific purpose against the user. A SQL injection attack is one in which SQL commands are inserted into a Web form submission, into an input domain name, or into the query string of a page request, ultimately tricking the server into executing malicious SQL commands. Specifically, SQL injection exploits an existing application's ability to pass (malicious) SQL commands to the back-end database engine for execution: by entering (malicious) SQL statements into a Web form, an attacker can reach the database of a website that has a security vulnerability and have it execute SQL statements the designer never intended.
For a detected attack, the IPS device can only detect that attack behavior exists; it cannot know whether these attacks actually threaten or damage the server. After an administrator sees the attack log, they likewise cannot tell whether these attacks are real potential threats. Usually the only options are to hand the question to the server vendor's professional maintenance staff or to examine the server directly, a process that consumes a great deal of manpower and material resources and is inefficient.
Summary of the invention
The present invention provides a method for determining a network attack behavior, the method comprising the following steps:
an intrusion prevention system (IPS) device, after detecting attack information aimed at a server, judges whether the attack information satisfies a pre-configured vulnerability scanning linkage policy;
if so, the IPS device sends vulnerability scanning reference information to a vulnerability scanning device, and the vulnerability scanning device performs vulnerability scanning using the vulnerability scanning reference information;
the IPS device receives the vulnerability scanning result returned by the vulnerability scanning device, and uses the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server.
The IPS device using the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server specifically includes:
when the vulnerability scanning result is that a vulnerability exists on the server, the IPS device uses the attack information and the vulnerability scanning result to determine that a network attack behavior aimed at the server exists; when the vulnerability scanning result is that no vulnerability exists on the server, the IPS device uses the attack information and the vulnerability scanning result to determine that no network attack behavior aimed at the server exists.
After the IPS device determines that a network attack behavior aimed at the server exists, the method further comprises: the IPS device raises the alarm level of the server and performs security handling on the server using the warning strategy corresponding to the raised alarm level.
The parameters of the vulnerability scanning linkage policy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type. The vulnerability scanning reference information specifically includes: the IP address of the server, and the operating system type and/or application software type.
The present invention also provides an apparatus for determining a network attack behavior, the apparatus being applied on an intrusion prevention system (IPS) device and comprising:
a judging module, for judging, after attack information aimed at a server is detected, whether the attack information satisfies a pre-configured vulnerability scanning linkage policy;
a sending module, for sending, when the judgment result is yes, vulnerability scanning reference information to a vulnerability scanning device, so that the vulnerability scanning device performs vulnerability scanning using the vulnerability scanning reference information;
a determining module, for receiving the vulnerability scanning result returned by the vulnerability scanning device, and using the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server.
The determining module, when using the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server, is specifically configured to: when the vulnerability scanning result is that a vulnerability exists on the server, use the attack information and the vulnerability scanning result to determine that a network attack behavior aimed at the server exists; when the vulnerability scanning result is that no vulnerability exists on the server, use the attack information and the vulnerability scanning result to determine that no network attack behavior aimed at the server exists.
The determining module is further configured to, after determining that a network attack behavior aimed at the server exists, raise the alarm level of the server and perform security handling on the server using the warning strategy corresponding to the raised alarm level.
The parameters of the vulnerability scanning linkage policy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type. The vulnerability scanning reference information includes: the IP address of the server, and the operating system type and/or application software type.
Based on the above technical solution, in the embodiments of the present invention the attack information of the IPS device is linked with the vulnerability scanning result of the vulnerability scanning device, so that for a detected attack the IPS device can detect not only that attack behavior exists but also whether the attack threatens or damages the server, and can filter attacks more accurately. In this approach, the automatic linkage mechanism between the IPS device and the vulnerability scanning device replaces the manual process of analyzing network attack information, then analyzing the server's vulnerabilities, and then manually configuring defense policies; this greatly improves the efficiency of attack analysis, improves the timeliness of protection for internal servers, and also saves a great deal of labor cost.
Brief description of the drawings
Fig. 1 is a flow chart of the method for determining a network attack behavior in one embodiment of the present invention;
Fig. 2 is a hardware structure diagram of the IPS device in one embodiment of the present invention;
Fig. 3 is a structure diagram of the apparatus for determining a network attack behavior in one embodiment of the present invention.
Detailed description of the invention
To address the problems in the prior art, the embodiments of the present invention propose a method for determining a network attack behavior, applied in a system that includes an IPS device and a vulnerability scanning device. The IPS device uses a large number of configured attack defense rules to detect whether a data packet sent to the server contains an anomaly or attack payload; when the packet contains an anomaly or attack payload, the IPS device refuses to forward it to the server, and when it does not, the IPS device allows the packet to be forwarded to the server. The vulnerability scanning device, by performing vulnerability scanning, can clearly determine which vulnerabilities exist in the operating system, application programs and so on used by the server. In this application scenario, as shown in Fig. 1, the method for determining a network attack behavior may specifically comprise the following steps:
Step 101: after detecting attack information aimed at a server, the IPS device judges whether the attack information satisfies the pre-configured vulnerability scanning linkage policy. If so, step 102 is performed.
When it receives a data packet, the IPS device can detect whether the packet sent to the server contains an anomaly or attack payload; if so, attack information aimed at the server has been detected. For example, when the packet is an XSS attack or a SQL injection attack against the server, the IPS device can detect that XSS attack or SQL injection attack. At this point the IPS device can only detect that attack behavior exists; it cannot know whether these attacks threaten or damage the server.
In the embodiments of the present invention, when the IPS device detects an attack aimed at a server, it can directly obtain the attack information for that server. The attack information may specifically include, but is not limited to, one or any combination of the following: IP address (for example the IP address of the server, which is the destination IP address of the data packet), port (for example the destination port of the packet), protocol (for example the protocol type carried in the packet), time period (for example the time period in which the attack behavior was detected), user name (for example the user name of the user device corresponding to the packet), attack frequency (for example the attack frequency produced by attacks against this server), operating system type (for example the operating system type corresponding to the attack against this server), application software type (for example the application software type corresponding to the attack against this server), and IT (information technology) resource type (for example the IT resource type corresponding to the attack against this server).
In the embodiments of the present invention, the parameters of the vulnerability scanning linkage policy may specifically include, but are not limited to, one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type. For example, the vulnerability scanning linkage policies may include: linkage policy 1, which consists of IP address A, port A, protocol A, time period A, user name A, attack frequency A, operating system type A, application software type A and IT resource type A; linkage policy 2, which consists of IP address B, port B, protocol B, time period B, attack frequency B and operating system type B; and linkage policy 3, which consists of IP address C, port C, protocol C, time period C, attack frequency C, operating system type C, application software type C and IT resource type C.
The vulnerability scanning linkage policy can be configured in advance on the IPS device according to actual needs; its contents can be chosen freely, and the specific configuration method is not repeated here.
Based on the above vulnerability scanning linkage policy, if the attack information matches each parameter of a linkage policy, the attack information satisfies the pre-configured linkage policy and step 102 is performed. If the attack information does not match each parameter of a linkage policy, the attack information does not satisfy the pre-configured linkage policy, and the existing procedure is used for subsequent processing.
For example, when the attack information specifically includes IP address A, port A, protocol A, time period A, user name A, attack frequency A, operating system type A, application software type A and IT resource type A, the attack information satisfies the pre-configured linkage policy 1, and step 102 is performed.
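The matching rule of step 101, as an added example that is not part of the patent text. Policies are modelled as the subset of parameters they specify (linkage policy 2 in the description lists fewer parameters than policy 1), and an attack record satisfies a policy when every parameter the policy specifies matches. The treatment of the time period as an inclusive clock-time window and of the attack frequency as a minimum rate are assumptions made for this example, as are all the constructed policy values and attack records.

```python
"""Step 101: matching IPS attack information against vulnerability scanning
linkage policies. Added example; the policy values and attack records below
are constructed, not taken from the patent."""
from dataclasses import dataclass
from datetime import time
from typing import Any, Dict, List, Optional


@dataclass
class LinkagePolicy:
    """A pre-configured linkage policy: only the parameters it lists are checked."""
    name: str
    params: Dict[str, Any]


def _param_matches(key: str, expected: Any, actual: Any) -> bool:
    """Compare one policy parameter with the corresponding attack field."""
    if actual is None:                      # attack record lacks this parameter
        return False
    if key == "time_period":                # assumption: inclusive (start, end) window
        start, end = expected
        return start <= actual <= end
    if key == "attack_frequency":           # assumption: policy value is a minimum rate
        return actual >= expected
    return actual == expected


def matches_policy(attack_info: Dict[str, Any], policy: LinkagePolicy) -> bool:
    """True when every parameter the policy specifies matches the attack info."""
    return all(_param_matches(k, v, attack_info.get(k)) for k, v in policy.params.items())


def find_matching_policy(attack_info: Dict[str, Any],
                         policies: List[LinkagePolicy]) -> Optional[str]:
    """Return the name of the first satisfied policy, or None (existing procedure)."""
    for policy in policies:
        if matches_policy(attack_info, policy):
            return policy.name
    return None


def should_link(attack_info: Dict[str, Any], policies: List[LinkagePolicy]) -> bool:
    """Decision of step 101: proceed to step 102 only when some policy is satisfied."""
    return find_matching_policy(attack_info, policies) is not None


# Constructed policies: policy 1 lists all nine parameters, policy 2 only six.
POLICIES = [
    LinkagePolicy("policy 1", {
        "ip": "10.0.0.5", "port": 80, "protocol": "HTTP",
        "time_period": (time(0, 0), time(23, 59)), "user_name": "web-client",
        "attack_frequency": 5, "os_type": "windows", "app_type": "http",
        "it_resource": "web server"}),
    LinkagePolicy("policy 2", {
        "ip": "10.0.0.6", "port": 25, "protocol": "SMTP",
        "time_period": (time(18, 0), time(23, 59)),
        "attack_frequency": 10, "os_type": "linux"}),
]

# Constructed attack records as the IPS device would assemble them.
ATTACK_WEB = {"ip": "10.0.0.5", "port": 80, "protocol": "HTTP", "time_period": time(14, 5),
              "user_name": "web-client", "attack_frequency": 7, "os_type": "windows",
              "app_type": "http", "it_resource": "web server"}
ATTACK_MAIL_EVENING = {"ip": "10.0.0.6", "port": 25, "protocol": "SMTP",
                       "time_period": time(20, 30), "attack_frequency": 12, "os_type": "linux"}
ATTACK_MAIL_MORNING = dict(ATTACK_MAIL_EVENING, time_period=time(9, 0))

if __name__ == "__main__":
    for record in (ATTACK_WEB, ATTACK_MAIL_EVENING, ATTACK_MAIL_MORNING):
        print(record["ip"], "->", find_matching_policy(record, POLICIES))
```

The morning mail record fails policy 2 only on the time period, which is the behaviour the description calls "does not match each parameter": a single mismatching parameter sends the record to the existing procedure instead of step 102.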
Step 102: the IPS device sends vulnerability scanning reference information to the vulnerability scanning device, and the vulnerability scanning device performs vulnerability scanning using this reference information. In the embodiments of the present invention, the vulnerability scanning reference information may specifically include, but is not limited to: the IP address of the server (for example the destination IP address of the data packet), the operating system type (for example the operating system type corresponding to the attack on this server) and/or the application software type (for example the application software type corresponding to the attack on this server).
In the embodiments of the present invention, after receiving the vulnerability scanning reference information from the IPS device, the vulnerability scanning device can use it to perform vulnerability scanning. When the vulnerability scanning device uses the server's IP address, operating system type and/or application software type to scan, it can, based on the server's IP address, detect whether a vulnerability exists in the operating system type and/or application software type on that server. If a vulnerability exists, the vulnerability scanning result is that a vulnerability exists on the server; if no vulnerability exists, the vulnerability scanning result is that no vulnerability exists on the server.
The operating system type is the type of operating system of the server, for example a Windows system or a Linux system. The application software type is the software type corresponding to the application supported by the server: for example, when an SMTP (Simple Mail Transfer Protocol) application is supported, the application software type is SMTP software; when an HTTP (HyperText Transfer Protocol) application is supported, the application software type is HTTP software; and when an SSH (Secure Shell) application is supported, the application software type is SSH software.
In the embodiments of the present invention, the vulnerability scanning device may be pre-configured with a vulnerability list, whose contents can be pre-configured or dynamically updated. The vulnerability list records the correspondence between operating system types and/or application software types and vulnerability information. Based on this list, when the vulnerability scanning device uses the operating system type and/or application software type to scan, it can directly query the list by that operating system type and/or application software type. If the list contains vulnerability information corresponding to that operating system type and/or application software type, a vulnerability exists, and the vulnerability scanning device determines that the scanning result is that a vulnerability exists on the server; if the list contains no vulnerability information corresponding to that operating system type and/or application software type, no vulnerability exists, and the vulnerability scanning device determines that the scanning result is that no vulnerability exists on the server.
In another approach of the embodiments of the present invention, after receiving the vulnerability scanning reference information from the IPS device, the vulnerability scanning device can use it to perform vulnerability scanning: based on the server's IP address, operating system type and/or application software type, the vulnerability scanning device can perform a vulnerability scan of that server itself; the specific scanning method is not repeated here.
In the embodiments of the present invention, after obtaining the vulnerability scanning result (a vulnerability exists on the server, or no vulnerability exists on the server), the vulnerability scanning device sends the result to the IPS device.
Step 103: the IPS device receives the vulnerability scanning result returned by the vulnerability scanning device, and uses the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server.
In the embodiments of the present invention, the process by which the IPS device uses the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server may specifically include, but is not limited to: when the vulnerability scanning result is that a vulnerability exists on the server, the IPS device uses the attack information and the vulnerability scanning result to determine that a network attack behavior aimed at the server exists; when the vulnerability scanning result is that no vulnerability exists on the server, the IPS device uses the attack information and the vulnerability scanning result to determine that no network attack behavior aimed at the server exists.
When the data packet is an XSS attack or a SQL injection attack against the server, the IPS device can detect that attack, but at this point it can only detect that attack behavior exists and cannot know whether the attack threatens or damages the server. When the vulnerability scanning result is that a vulnerability exists on the server, the IPS device can confirm from the attack information that attack behavior exists and confirm from the vulnerability scanning result that a vulnerability exists on the server; therefore, based on the attack information and the vulnerability scanning result, the IPS device can determine that a network attack behavior aimed at the server exists, that is, the detected attack behavior threatens or damages the server.
Conversely, when the vulnerability scanning result is that no vulnerability exists on the server, the IPS device can confirm from the attack information that attack behavior exists and confirm from the vulnerability scanning result that no vulnerability exists on the server; therefore, based on the attack information and the vulnerability scanning result, the IPS device determines that no network attack behavior aimed at the server exists, that is, the detected attack behavior does not threaten or damage the server.
In the embodiments of the present invention, after the IPS device determines that a network attack behavior aimed at the server exists, the IPS device may also raise the alarm level of the server and perform security handling on the server using the warning strategy corresponding to the raised alarm level. In addition, after the IPS device determines that no network attack behavior aimed at the server exists, the IPS device may also lower the alarm level of the server and perform security handling on the server using the warning strategy corresponding to the lowered alarm level.
In order of alarm level from low to high, the corresponding warning strategies may specifically include, but are not limited to: recording an alarm log, blocking traffic, notifying the administrator, shutting down the server, and so on.
In the embodiments of the present invention, when the warning strategy is to record an alarm log, the security handling performed by the IPS device on the server may specifically include: the IPS device records an alarm log. When the warning strategy is to block traffic, the security handling may specifically include: the IPS device discards the data packets currently being sent to the server. When the warning strategy is to notify the administrator, the security handling may specifically include: the IPS device notifies the administrator to repair the corresponding vulnerability in time. When the warning strategy is to shut down the server, the security handling may specifically include: the IPS device shuts down the server and no longer sends packets to it.
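Steps 102 and 103 end to end, as an added example that is not the patent's own code: a vulnerability scanning device that answers from a pre-configured vulnerability list, the IPS determination that combines the attack information with the scanning result, and the alarm-level handling with the four warning strategies listed above. The vulnerability list entries are placeholders; the rule that a confirmed attack raises the alarm level by one step and a dismissed one lowers it by one step, and the treatment of an omitted reference parameter as a wildcard when querying the list, are assumptions made for this example.

```python
"""Steps 102-103 of the described linkage: list-based scan, IPS determination,
alarm-level handling. Added example; the vulnerability list and attack records
are constructed placeholders, not data from the patent."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Any, Dict, List, Optional

# Constructed vulnerability list keyed on (OS type, application software type).
# The values are placeholder labels, not real vulnerability identifiers.
VULN_LIST = {
    ("windows", "http"): ["PLACEHOLDER-VULN-1"],
    ("linux", "smtp"): ["PLACEHOLDER-VULN-2"],
}


@dataclass(frozen=True)
class ScanReference:
    """Vulnerability scanning reference information sent by the IPS device."""
    server_ip: str
    os_type: Optional[str] = None
    app_type: Optional[str] = None


def scan_with_list(ref: ScanReference, vuln_list=VULN_LIST) -> bool:
    """Vulnerability scanning device: query the list by OS type and/or app type.
    Returns True for 'a vulnerability exists on the server'.
    Assumption: a parameter the reference omits acts as a wildcard."""
    for (os_type, app_type), info in vuln_list.items():
        if ref.os_type is not None and os_type != ref.os_type:
            continue
        if ref.app_type is not None and app_type != ref.app_type:
            continue
        if info:
            return True
    return False


class AlarmLevel(IntEnum):
    """Alarm levels from low to high; each maps to one warning strategy."""
    RECORD_LOG = 0
    BLOCK_TRAFFIC = 1
    NOTIFY_ADMIN = 2
    SHUT_DOWN_SERVER = 3


class IpsDevice:
    def __init__(self) -> None:
        self.alarm_levels: Dict[str, AlarmLevel] = {}   # server IP -> current level
        self.actions: List[str] = []                     # security handling performed

    @staticmethod
    def determine_attack(attack_info: Dict[str, Any], scan_result: bool) -> bool:
        """Step 103: the attack 'exists' only when the IPS saw an attack and the
        scanner reported a vulnerability on the targeted server."""
        return bool(attack_info) and scan_result

    def handle(self, server_ip: str, attack_exists: bool) -> AlarmLevel:
        """Raise the level one step on a confirmed attack, lower it one step
        otherwise (assumption), then apply the strategy of the new level."""
        current = self.alarm_levels.get(server_ip, AlarmLevel.RECORD_LOG)
        if attack_exists:
            new_level = AlarmLevel(min(current + 1, AlarmLevel.SHUT_DOWN_SERVER))
        else:
            new_level = AlarmLevel(max(current - 1, AlarmLevel.RECORD_LOG))
        self.alarm_levels[server_ip] = new_level
        self.actions.append(self._apply_strategy(new_level, server_ip))
        return new_level

    @staticmethod
    def _apply_strategy(level: AlarmLevel, server_ip: str) -> str:
        """Security handling for each warning strategy named in the description."""
        strategies = {
            AlarmLevel.RECORD_LOG: f"record alarm log for {server_ip}",
            AlarmLevel.BLOCK_TRAFFIC: f"discard packets being sent to {server_ip}",
            AlarmLevel.NOTIFY_ADMIN: f"notify administrator to repair vulnerability on {server_ip}",
            AlarmLevel.SHUT_DOWN_SERVER: f"shut down {server_ip} and stop sending packets",
        }
        return strategies[level]


def link(ips: IpsDevice, attack_info: Dict[str, Any]) -> Dict[str, Any]:
    """Run steps 102-103 for one attack record whose step-101 policy check passed."""
    ref = ScanReference(attack_info["ip"], attack_info.get("os_type"), attack_info.get("app_type"))
    scan_result = scan_with_list(ref)                      # step 102: scanner replies
    exists = ips.determine_attack(attack_info, scan_result)  # step 103: determination
    level = ips.handle(ref.server_ip, exists)
    return {"vulnerable": scan_result, "attack_exists": exists,
            "alarm_level": level, "action": ips.actions[-1]}


if __name__ == "__main__":
    device = IpsDevice()
    print(link(device, {"ip": "10.0.0.5", "os_type": "windows", "app_type": "http", "type": "xss"}))
    print(link(device, {"ip": "10.0.0.5", "os_type": "linux", "app_type": "http", "type": "sqli"}))
```

Two detections of the same kind against the same server walk the level from recording a log up through blocking traffic to notifying the administrator, while a detection that the scanner cannot corroborate steps the level back down, which is the "filter invalid attacks" behaviour the description is after.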
Based on the above technical solution, in the embodiments of the present invention the attack information of the IPS device is linked with the vulnerability scanning result of the vulnerability scanning device, so that for a detected attack the IPS device can detect not only that attack behavior exists but also whether the attack threatens or damages the server, and can filter attacks more accurately. In this approach, the IPS device can intelligently analyze the attack behavior present in the network and filter out the large number of invalid attacks, thereby reducing the cost of manual maintenance. Moreover, by jointly analyzing the results of the IPS device and the vulnerability scanning device, the IPS device can filter attacks more accurately. Furthermore, the automatic linkage mechanism between the IPS device and the vulnerability scanning device replaces the manual process of analyzing network attack information, then analyzing the server's vulnerabilities, and then manually configuring defense policies; this greatly improves the efficiency of attack analysis, improves the timeliness of protection for internal servers, and also saves a great deal of labor cost.
Based on the same inventive concept as the above method, the embodiments of the present invention also provide an apparatus for determining a network attack behavior, applied on an IPS device. The apparatus can be implemented in software, or in hardware, or in a combination of software and hardware. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the IPS device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 2 shows a hardware structure diagram of the IPS device on which the apparatus for determining a network attack behavior proposed by the present invention resides; besides the processor, network interface, memory and non-volatile memory shown in Fig. 2, the IPS device may also include other hardware, such as a forwarding chip responsible for processing packets. From the point of view of hardware structure, the IPS device may also be a distributed device that includes multiple interface cards, so that packet processing can be extended at the hardware level.
Fig. 3 is a structure diagram of the apparatus for determining a network attack behavior proposed in the embodiments of the present invention; the apparatus may specifically include:
a judging module 11, for judging, after attack information aimed at a server is detected, whether the attack information satisfies a pre-configured vulnerability scanning linkage policy;
a sending module 12, for sending, when the judgment result is yes, vulnerability scanning reference information to a vulnerability scanning device, so that the vulnerability scanning device performs vulnerability scanning using the vulnerability scanning reference information;
a determining module 13, for receiving the vulnerability scanning result returned by the vulnerability scanning device, and using the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server.
The determining module 13, when using the attack information and the vulnerability scanning result to determine the network attack behavior aimed at the server, is specifically configured to: when the vulnerability scanning result is that a vulnerability exists on the server, use the attack information and the vulnerability scanning result to determine that a network attack behavior aimed at the server exists; when the vulnerability scanning result is that no vulnerability exists on the server, use the attack information and the vulnerability scanning result to determine that no network attack behavior aimed at the server exists.
In the embodiments of the present invention, the determining module 13 is further configured to, after determining that a network attack behavior aimed at the server exists, raise the alarm level of the server and perform security handling on the server using the warning strategy corresponding to the raised alarm level.
In the embodiments of the present invention, the parameters of the vulnerability scanning linkage policy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type. The vulnerability scanning reference information includes: the IP address of the server, and the operating system type and/or application software type.
The modules of the apparatus of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into a single module or further split into multiple sub-modules.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium and including instructions that cause a computing device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present invention. Those skilled in the art will understand that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the present invention.
Those skilled in the art will understand that the modules of the apparatus in an embodiment may be distributed in the apparatus of the embodiment as described, or may be changed accordingly and located in one or more apparatuses other than that of the embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules. The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
The above discloses only several specific embodiments of the present invention; however, the present invention is not limited to these, and any changes that a person skilled in the art can think of shall fall within the scope of protection of the present invention.

Claims (10)

1. A method for determining network attack behavior, characterized in that the method comprises the following steps:
after an intrusion prevention system (IPS) device detects attack information against a server, the IPS device judges whether the attack information meets a pre-configured vulnerability scanning linkage strategy;
if so, the IPS device sends vulnerability scanning reference information to vulnerability scanning equipment, and the vulnerability scanning equipment performs vulnerability scanning using the vulnerability scanning reference information;
the IPS device receives the vulnerability scanning result returned by the vulnerability scanning equipment, and determines the network attack behavior against the server using the attack information and the vulnerability scanning result.
2. The method according to claim 1, characterized in that the IPS device determining the network attack behavior against the server using the attack information and the vulnerability scanning result specifically includes:
when the vulnerability scanning result is that a vulnerability exists on the server, the IPS device determines, using the attack information and the vulnerability scanning result, that the network attack behavior against the server exists; when the vulnerability scanning result is that no vulnerability exists on the server, the IPS device determines, using the attack information and the vulnerability scanning result, that the network attack behavior against the server does not exist.
3. The method according to claim 2, characterized in that after the IPS device determines that the network attack behavior against the server exists, the method further includes:
the IPS device raises the alarm level of the server, and performs security handling on the server using the alarm strategy corresponding to the raised alarm level.
4. The method according to any one of claims 1-3, characterized in that the parameters of the vulnerability scanning linkage strategy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type.
5. The method according to any one of claims 1-3, characterized in that the vulnerability scanning reference information specifically includes: the IP address, operating system type and/or application software type of the server.
6. A device for determining network attack behavior, characterized in that the device for determining network attack behavior is applied on an intrusion prevention system (IPS) device, and the device for determining network attack behavior includes:
a judging module, for judging, after attack information against a server is detected, whether the attack information meets a pre-configured vulnerability scanning linkage strategy;
a sending module, for sending vulnerability scanning reference information to vulnerability scanning equipment when the judgement result is yes, so that the vulnerability scanning equipment performs vulnerability scanning using the vulnerability scanning reference information;
a determining module, for receiving the vulnerability scanning result returned by the vulnerability scanning equipment, and determining the network attack behavior against the server using the attack information and the vulnerability scanning result.
7. The device according to claim 6, characterized in that
the determining module is specifically used, when determining the network attack behavior against the server using the attack information and the vulnerability scanning result, to determine from the attack information and the vulnerability scanning result that the network attack behavior against the server exists when the vulnerability scanning result is that a vulnerability exists on the server; and to determine from the attack information and the vulnerability scanning result that the network attack behavior against the server does not exist when the vulnerability scanning result is that no vulnerability exists on the server.
8. The device according to claim 7, characterized in that
the determining module is further used, after determining that the network attack behavior against the server exists, to raise the alarm level of the server and to perform security handling on the server using the alarm strategy corresponding to the raised alarm level.
9. The device according to any one of claims 6-8, characterized in that the parameters of the vulnerability scanning linkage strategy specifically include one or any combination of the following: IP address, port, protocol, time period, user name, attack frequency, operating system type, application software type, IT resource type.
10. The device according to any one of claims 6-8, characterized in that the vulnerability scanning reference information includes: the IP address, operating system type and/or application software type of the server.
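The IPS-side flow described in the embodiment (judging, sending and determining modules) and in claims 1-10, as an added example that is not code from the patent or its applicant: a linkage policy is matched against the detected attack information, reference information is handed to a stand-in scanner, and the attack is confirmed and the server's alarm level raised only when the scanner reports a vulnerability. The field names, the policy representation, the `fake_scanner` lookup table and the alarm-level-to-strategy mapping are all assumptions made for the example.

```python
# Added example, not code from the patent; all names and sample data are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
@dataclass
class AttackInfo:
    """Attack information detected by the IPS (constructed fields)."""
    src_ip: str
    dst_ip: str
    port: int
    protocol: str
    hour: int        # hour of day the event was seen
    frequency: int   # hits of this signature in the current window
    os_type: str
    app_type: str
@dataclass
class LinkagePolicy:
    """Pre-configured linkage strategy; a None parameter is a wildcard."""
    dst_ip: Optional[str] = None
    port: Optional[int] = None
    protocol: Optional[str] = None
    hours: Optional[Tuple[int, int]] = None   # inclusive time period
    min_frequency: Optional[int] = None
    os_type: Optional[str] = None
    app_type: Optional[str] = None
def matches_policy(a: AttackInfo, p: LinkagePolicy) -> bool:
    """True when every configured (non-None) policy parameter matches."""
    return all([
        p.dst_ip is None or a.dst_ip == p.dst_ip,
        p.port is None or a.port == p.port,
        p.protocol is None or a.protocol.lower() == p.protocol.lower(),
        p.hours is None or p.hours[0] <= a.hour <= p.hours[1],
        p.min_frequency is None or a.frequency >= p.min_frequency,
        p.os_type is None or a.os_type == p.os_type,
        p.app_type is None or a.app_type == p.app_type,
    ])
def scan_reference(a: AttackInfo) -> dict:
    """Vulnerability scanning reference information handed to the scanner."""
    return {"ip": a.dst_ip, "os_type": a.os_type, "app_type": a.app_type}
# Constructed stand-in for the scanning equipment: reference info -> "vulnerable?"
SCAN_TABLE = {("10.0.0.5", "nginx"): True, ("10.0.0.6", "apache"): False}
def fake_scanner(ref: dict) -> bool:
    return SCAN_TABLE.get((ref["ip"], ref["app_type"]), False)
ALARM_LEVELS = ["info", "low", "medium", "high", "critical"]
STRATEGY = {"info": "log", "low": "log", "medium": "rate-limit",
            "high": "block-source", "critical": "isolate-server"}
def determine_attack(a: AttackInfo, policy: LinkagePolicy,
                     scanner: Callable[[dict], bool], alarms: Dict[str, str]) -> dict:
    """One IPS decision; `alarms` is the per-server alarm level state."""
    level = alarms.setdefault(a.dst_ip, "info")
    if not matches_policy(a, policy):   # no linkage: nothing goes to the scanner
        return {"linked": False, "attack": None, "alarm": level, "strategy": STRATEGY[level]}
    vulnerable = scanner(scan_reference(a))
    if vulnerable:                      # attack exists only if the vulnerability exists
        level = ALARM_LEVELS[min(ALARM_LEVELS.index(level) + 1, len(ALARM_LEVELS) - 1)]
        alarms[a.dst_ip] = level        # raise the alarm level; its strategy applies
    return {"linked": True, "attack": vulnerable, "alarm": level, "strategy": STRATEGY[level]}
```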

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510489691.0A CN105939311A (en) 2015-08-11 2015-08-11 Method and device for determining network attack behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510489691.0A CN105939311A (en) 2015-08-11 2015-08-11 Method and device for determining network attack behavior

Publications (1)

Publication Number Publication Date
CN105939311A true CN105939311A (en) 2016-09-14

Family

ID=57152816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510489691.0A Pending CN105939311A (en) 2015-08-11 2015-08-11 Method and device for determining network attack behavior

Country Status (1)

Country Link
CN (1) CN105939311A (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850675A (en) * 2017-03-10 2017-06-13 北京安赛创想科技有限公司 A kind of determination method and device of attack
CN106888210A (en) * 2017-03-10 2017-06-23 北京安赛创想科技有限公司 The alarming method for power and device of a kind of network attack
CN106888211A (en) * 2017-03-10 2017-06-23 北京安赛创想科技有限公司 The detection method and device of a kind of network attack
CN107133180A (en) * 2017-06-07 2017-09-05 腾讯科技(深圳)有限公司 Method of testing, test device and the storage medium of dynamic page
CN107171834A (en) * 2017-05-05 2017-09-15 四川长虹电器股份有限公司 Short Message Service Gateway service platform monitoring early-warning system and method based on gateway early warning pond
CN107483502A (en) * 2017-09-28 2017-12-15 深信服科技股份有限公司 A kind of method and device for detecting remaining attack
CN108011880A (en) * 2017-12-04 2018-05-08 郑州云海信息技术有限公司 The management method and computer-readable recording medium monitored in cloud data system
CN109302401A (en) * 2018-10-25 2019-02-01 国家电网有限公司 Protecting information safety method and device
CN109711166A (en) * 2018-12-17 2019-05-03 北京知道创宇信息技术有限公司 Leak detection method and device
CN109818984A (en) * 2019-04-10 2019-05-28 吉林亿联银行股份有限公司 The defence method and device of loophole
CN110417709A (en) * 2018-04-27 2019-11-05 南宁富桂精密工业有限公司 Extort the method for early warning, server and computer readable storage medium of software attacks
CN110881043A (en) * 2019-11-29 2020-03-13 杭州迪普科技股份有限公司 Method and device for detecting web server vulnerability
CN110909361A (en) * 2019-11-08 2020-03-24 北京长亭未来科技有限公司 Vulnerability detection method and device and computer equipment
CN112702300A (en) * 2019-10-22 2021-04-23 华为技术有限公司 Security vulnerability defense method and device
CN114531262A (en) * 2020-11-23 2022-05-24 中国电信股份有限公司 Method and device for identifying vulnerability scanning behaviors
CN115549945A (en) * 2022-07-29 2022-12-30 浪潮卓数大数据产业发展有限公司 Information system security state scanning system and method based on distributed architecture

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581089A (en) * 2003-08-04 2005-02-16 联想(北京)有限公司 Invasion detecting method
CN1988439A (en) * 2006-12-08 2007-06-27 亿阳安全技术有限公司 Device and method for realizing network safety
CN101873231A (en) * 2010-07-06 2010-10-27 联想网御科技(北京)有限公司 Network intrusion character configuration method and system
US20100287615A1 (en) * 2007-09-19 2010-11-11 Antony Martin Intrusion detection method and system
CN102082659A (en) * 2009-12-01 2011-06-01 厦门市美亚柏科信息股份有限公司 Vulnerability scanning system oriented to safety assessment and processing method thereof

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106888210A (en) * 2017-03-10 2017-06-23 北京安赛创想科技有限公司 The alarming method for power and device of a kind of network attack
CN106888211A (en) * 2017-03-10 2017-06-23 北京安赛创想科技有限公司 The detection method and device of a kind of network attack
CN106850675A (en) * 2017-03-10 2017-06-13 北京安赛创想科技有限公司 A kind of determination method and device of attack
CN107171834B (en) * 2017-05-05 2020-01-31 四川长虹电器股份有限公司 Short message gateway service platform monitoring and early warning system and method based on gateway early warning pool
CN107171834A (en) * 2017-05-05 2017-09-15 四川长虹电器股份有限公司 Short Message Service Gateway service platform monitoring early-warning system and method based on gateway early warning pond
CN107133180A (en) * 2017-06-07 2017-09-05 腾讯科技(深圳)有限公司 Method of testing, test device and the storage medium of dynamic page
CN107133180B (en) * 2017-06-07 2021-03-23 腾讯科技(深圳)有限公司 Dynamic page testing method, testing device and storage medium
CN107483502A (en) * 2017-09-28 2017-12-15 深信服科技股份有限公司 A kind of method and device for detecting remaining attack
CN108011880A (en) * 2017-12-04 2018-05-08 郑州云海信息技术有限公司 The management method and computer-readable recording medium monitored in cloud data system
CN110417709B (en) * 2018-04-27 2022-01-21 南宁富桂精密工业有限公司 Early warning method for Lesso software attack, server and computer readable storage medium
CN110417709A (en) * 2018-04-27 2019-11-05 南宁富桂精密工业有限公司 Extort the method for early warning, server and computer readable storage medium of software attacks
CN109302401A (en) * 2018-10-25 2019-02-01 国家电网有限公司 Protecting information safety method and device
CN109302401B (en) * 2018-10-25 2021-07-09 国家电网有限公司 Information security protection method and device
CN109711166B (en) * 2018-12-17 2020-12-11 北京知道创宇信息技术股份有限公司 Vulnerability detection method and device
CN109711166A (en) * 2018-12-17 2019-05-03 北京知道创宇信息技术有限公司 Leak detection method and device
CN109818984A (en) * 2019-04-10 2019-05-28 吉林亿联银行股份有限公司 The defence method and device of loophole
CN112702300A (en) * 2019-10-22 2021-04-23 华为技术有限公司 Security vulnerability defense method and device
WO2021077987A1 (en) * 2019-10-22 2021-04-29 华为技术有限公司 Security vulnerability defense method and device
CN110909361A (en) * 2019-11-08 2020-03-24 北京长亭未来科技有限公司 Vulnerability detection method and device and computer equipment
CN110881043A (en) * 2019-11-29 2020-03-13 杭州迪普科技股份有限公司 Method and device for detecting web server vulnerability
CN114531262A (en) * 2020-11-23 2022-05-24 中国电信股份有限公司 Method and device for identifying vulnerability scanning behaviors
CN115549945A (en) * 2022-07-29 2022-12-30 浪潮卓数大数据产业发展有限公司 Information system security state scanning system and method based on distributed architecture
CN115549945B (en) * 2022-07-29 2023-10-31 浪潮卓数大数据产业发展有限公司 Information system security state scanning system and method based on distributed architecture

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
    Applicant after: Hangzhou Dipu Polytron Technologies Inc
    Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
    Applicant before: Hangzhou Dipu Technology Co., Ltd.
RJ01 Rejection of invention patent application after publication
    Application publication date: 20160914