CN106470214A - Attack detection method and device - Google Patents
Publication number: CN106470214A (application CN201610919494.2A)
Authority: CN (China)
Prior art keywords: message, request message, attack, undetermined, described request
Legal status: Granted
Classifications:
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The application provides an attack detection method and device. The method is applied to a WAF device and includes: after receiving a request message from a terminal device, detecting the request message; when the request message is determined to be an attack message, discarding it; when the request message is determined to be an undetermined message, modifying its destination port number to a preset re-detection port number and then sending it to the server, so that the server detects the request message and discards it when it determines that the request message is an attack message; and when the request message is determined to be a legal message, sending it to the server. The technical scheme can break through the processing bottleneck of the WAF device and improve the recognition accuracy for attack messages.
Description
Technical field
The application relates to the field of communication technology, and in particular to an attack detection method and device.
Background art
With the rapid development of the Internet, web applications have become richer and the security threats faced by web servers have increased accordingly. To prevent attackers from stealing server data, a WAF (Web Application Firewall) device is usually deployed between the terminal devices and the server to detect whether the request messages that a terminal device sends to the server are attack messages. When the server's traffic volume is huge, the WAF device receives a very large number of request messages; how to break through the processing bottleneck of the WAF device and improve the recognition accuracy for attack messages therefore becomes crucial.
Summary of the invention
In view of this, the application provides an attack detection method and device, to solve the problems of the processing bottleneck and the low recognition accuracy of WAF devices in the related art.
Specifically, the application is achieved by the following technical solution:
In a first aspect, the application provides an attack detection method applied to a WAF device, comprising:
after receiving a request message from a terminal device, detecting the request message;
when the request message is determined to be an attack message, discarding the request message;
when the request message is determined to be an undetermined message, modifying the destination port number of the request message to a preset re-detection port number and then sending it to the server, so that the server detects the request message and discards it when it determines that the request message is an attack message;
when the request message is determined to be a legal message, sending the request message to the server.
In a second aspect, the application provides an attack detection method applied to a server, comprising:
after receiving a request message sent by a WAF device, detecting whether the destination port number of the request message is the preset re-detection port number;
if the destination port number of the request message is the preset re-detection port number, determining that the request message is an undetermined message, and detecting whether the undetermined message is an attack message;
when the undetermined message is determined to be an attack message, discarding the undetermined message.
In a third aspect, the application provides an attack detection device applied to a WAF device, comprising:
a detection unit, for detecting a request message after it is received from a terminal device;
a discarding unit, for discarding the request message when it is determined to be an attack message;
a first sending unit, for, when the request message is determined to be an undetermined message, modifying its destination port number to the preset re-detection port number and then sending it to the server, so that the server detects the request message and discards it when it determines that it is an attack message;
a second sending unit, for sending the request message to the server when it is determined to be a legal message.
In a fourth aspect, the application provides an attack detection device applied to a server, comprising:
a port number detection unit, for detecting, after a request message sent by a WAF device is received, whether the destination port number of the request message is the preset re-detection port number;
a message detection unit, for determining that the request message is an undetermined message if its destination port number is the preset re-detection port number, and detecting whether the undetermined message is an attack message;
a discarding unit, for discarding the undetermined message when it is determined to be an attack message.
Analysis of the above technical scheme shows that the WAF device can detect a received request message to determine its type. Request messages determined to be attack messages or legal messages can be processed by the WAF device according to the processing flow of the related art, while undetermined messages that require further detection are forwarded by the WAF device to the server, which detects them further. Compared with the related art, when the traffic volume is huge, the server can perform further attack detection on undetermined messages, which reduces the processing pressure on the WAF device.
Brief description of the drawings
Fig. 1 is a flow chart of an attack detection method shown in an exemplary embodiment of this application;
Fig. 2 is a flow chart of another attack detection method shown in an exemplary embodiment of this application;
Fig. 3 is a hardware structure diagram of the equipment in which an attack detection device is located, shown in an exemplary embodiment of this application;
Fig. 4 is a hardware structure diagram of the equipment in which another attack detection device is located, shown in an exemplary embodiment of this application;
Fig. 5 is a block diagram of an attack detection device shown in an exemplary embodiment of this application;
Fig. 6 is a block diagram of another attack detection device shown in an exemplary embodiment of this application.
Detailed description of the embodiments
Exemplary embodiments will be described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It will be appreciated that although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
In the related art, when a user accesses Internet services such as web browsing through a terminal device, the terminal device can establish an HTTP connection with the server and send request messages to the server over this HTTP connection to obtain the relevant service data. After receiving a request message, the server can construct a response message carrying the relevant service data for that request message and send it to the terminal device. To prevent an attacker from launching an attack on the server using request messages, a WAF device can be deployed between the terminal device and the server; the WAF device detects the request messages that the terminal device sends to the server. When the WAF device determines that a request message is an attack message, it can discard the message, so that the attacker is prevented from attacking the server.
Referring to Fig. 1, which is a flow chart of a message forwarding method shown in an exemplary embodiment of this application, the method can be applied to a WAF device and comprises the following steps:
Step 101: after receiving a request message from a terminal device, detect the request message.
In this embodiment, after the terminal device and the server have established an HTTP connection, the terminal device can send request messages to the server to obtain the relevant service data, and the WAF device deployed between the terminal device and the server receives these request messages. After receiving a request message, the WAF device can first detect it to determine its type; different types of request message are then handled by different processing flows.
In an optional embodiment, the WAF device can detect whether the request message carries a preset first-class feature code and whether the request message matches a preset feature rule, in order to determine the type of the request message. Both the first-class feature code and the feature rule can be entered in advance by the user and saved on the WAF device; the feature rule can be used to find character strings that satisfy some complex rule. Specifically, the WAF device can first detect whether the request message carries the first-class feature code. When the request message carries the first-class feature code, it then detects whether the request message matches the feature rule; when the request message does not carry the first-class feature code, it then detects whether the header fields or preset key fields of the request message carry encoded data that cannot be parsed.
For example, an attacker can use SQL (Structured Query Language) injection attacks to obtain database data from the server. Part of the fields of a SQL injection attack message are shown in Table 1 below:
| SELECT | Column name | FROM | Table name |
Table 1
Referring to Table 1, when an attacker wants to obtain from the server the contents of the column named LastName in the database table named Persons, the SQL statement SELECT LastName FROM Persons can be used. Therefore, when detecting whether a received request message is a SQL injection attack message, SELECT can be set as the first-class feature code, and the feature rule can be set to detect character strings that begin with the word SELECT, continue with arbitrary non-newline characters, and end with the word FROM; in an actual implementation, the regular expression \bSELECT\b.*\bFROM\b can be used to detect such strings. If the WAF device detects SELECT in a request message and the request message matches the above feature rule, the request message conforms to SQL syntax and is capable of obtaining database data from the server, i.e. the request message is a SQL injection attack message. Therefore, for a request message that both carries the preset first-class feature code and matches the preset feature rule, the WAF device can determine that it is an attack message. If the WAF device detects SELECT in a request message but the request message does not match the above feature rule, the request message does not conform to SQL syntax; however, because legal request messages generally do not carry SELECT, the request message can be determined to be an undetermined message. Therefore, for a request message that carries the preset first-class feature code but does not match the preset feature rule, the WAF device can determine that it is an undetermined message. For a request message that neither carries the preset first-class feature code nor matches the preset feature rule, the WAF device can determine that it is a legal message.
It should be noted that the above detection scheme generally cannot detect whether an encoded request message carries the first-class feature code, so an attacker could encode the first-class feature code to evade the attack detection of the WAF device. In another example, when the header fields or preset key fields of a received request message carry encoded data, the WAF device can parse the request message based on a preset algorithm and detect whether the parsed request message carries the preset first-class feature code; the key fields can be pre-configured by the user. However, when the encoded data carried by a request message is complex, parsing it is time-consuming and occupies considerable processing resources of the WAF device, so the WAF device can refrain from parsing such a request message and hand it over to the server for attack detection instead. For such a request message, whose header fields or preset key fields carry encoded data that cannot be parsed, the WAF device can also determine that the request message is an undetermined message.
Step 102: when the request message is determined to be an attack message, discard the request message.
In this embodiment, based on the detection result of step 101, when the WAF device determines that the request message is an attack message, it can discard the request message instead of forwarding it to the server, so that the server is protected from the attack.
In an optional embodiment, when the WAF device determines that a request message is an attack message, it can add the source IP address of the attack message to a blacklist. Subsequently the attack message can be identified by means of the blacklist without being detected again, which improves the recognition efficiency for attack messages.
Step 103: when the request message is determined to be an undetermined message, modify the destination port number of the request message to the preset re-detection port number and then send it to the server, so that the server detects the request message and discards it when it determines that the request message is an attack message.
In this embodiment, based on the detection result of step 101, when the WAF device determines that the request message is an undetermined message, it can modify the destination port number of the request message to the preset re-detection port number and then send it to the server. The re-detection port number can be configured by the administrator and is used to identify undetermined messages. After receiving a request message whose destination port number is this re-detection port number, the server can determine that the request message is an undetermined message and needs to detect it further to determine whether it is an attack message. When the server detects that the undetermined message is an attack message, it can discard the undetermined message, so that the server is protected from the attack.
Step 104: when the request message is a legal message, send the request message to the server.
In this embodiment, based on the detection result of step 101, when the WAF device detects that the request message is neither an attack message nor an undetermined message, it can determine that the request message is a legal message and forward it to the server. After receiving the request message, the server can respond to it, i.e. construct a response message carrying the relevant service data and send the response message to the terminal device, thereby realizing the user's service.
As can be seen from the above embodiment, the WAF device can detect a received request message to determine its type. Request messages determined to be attack messages or legal messages can be processed by the WAF device according to the processing flow of the related art, while undetermined messages that require further detection are forwarded by the WAF device to the server, which detects them further. Compared with the related art, when the traffic volume is huge, the server can perform further attack detection on undetermined messages, which reduces the processing pressure on the WAF device.
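As an added illustration of steps 101 to 104 (example code written for this page, not the patent's own), the following Python sketch performs the three-way classification with the SQL example's feature code and rule, treats a key field that remains encoded after one cheap decoding pass as the "encoded data the WAF will not parse", and rewrites the destination port of undetermined messages before forwarding. The re-detection port 8081, the inspected field names and the message dictionary layout are assumptions.

```python
import re
from urllib.parse import unquote

# The three message types the WAF distinguishes in step 101.
ATTACK, UNDETERMINED, LEGAL = "attack", "undetermined", "legal"

# First-class feature code and feature rule from the page's SQL injection
# example; both are assumed to be pre-configured on the WAF by the operator.
FIRST_CLASS_CODE = "SELECT"
FEATURE_RULE = re.compile(r"\bSELECT\b.*\bFROM\b")

# Hypothetical preset re-detection port that marks undetermined messages.
REDETECT_PORT = 8081

# Key fields of the request the WAF inspects (assumed configuration) and a
# pattern for data that is still encoded: %XX escapes, HTML entities, \uXXXX.
KEY_FIELDS = ("path", "query", "body")
ENCODED = re.compile(r"%[0-9A-Fa-f]{2}|&#?\w+;|\\u[0-9A-Fa-f]{4}")


def has_unparseable_encoding(text: str) -> bool:
    """The WAF spends only one cheap URL-decoding pass on a field.  Anything
    still encoded afterwards (nested URL encoding, entities, \\u escapes) is
    treated as data the WAF will not parse and is left to the server."""
    return bool(ENCODED.search(unquote(text)))


def classify(msg: dict) -> str:
    """Step 101: attack / undetermined / legal."""
    payload = " ".join(str(msg.get(f, "")) for f in KEY_FIELDS)
    if FIRST_CLASS_CODE in payload:
        # Carries the feature code: attack if the rule also matches,
        # otherwise undetermined (legal requests rarely carry SELECT).
        return ATTACK if FEATURE_RULE.search(payload) else UNDETERMINED
    # No feature code: undetermined only when a key field carries encoded
    # data the WAF declines to parse; otherwise legal.
    if any(has_unparseable_encoding(str(msg.get(f, ""))) for f in KEY_FIELDS):
        return UNDETERMINED
    return LEGAL


def waf_handle(msg: dict, blacklist: set) -> tuple:
    """Steps 102-104.  Returns ("drop", None) or ("forward", message);
    undetermined messages are forwarded with their destination port rewritten
    to REDETECT_PORT so the server knows to re-detect them."""
    if msg["src_ip"] in blacklist:
        return ("drop", None)               # known attacker, no re-detection
    kind = classify(msg)
    if kind == ATTACK:
        blacklist.add(msg["src_ip"])        # optional embodiment of step 102
        return ("drop", None)
    forwarded = dict(msg)
    if kind == UNDETERMINED:
        forwarded["dst_port"] = REDETECT_PORT   # step 103
    return ("forward", forwarded)           # step 104 keeps dst_port as is
```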
Referring to Fig. 2, which is a flow chart of another message forwarding method shown in an exemplary embodiment of this application, the method can be applied to a server and comprises the following steps:
Step 201: after receiving a request message sent by the WAF device, detect whether the destination port number of the request message is the preset re-detection port number.
In this embodiment, in conjunction with steps 103 and 104 above, when the WAF device determines that a request message is an undetermined message, it can modify the destination port number of the request message to the preset re-detection port number and send the modified request message to the server, so the server can determine from the destination port number of a received request message whether it is an undetermined message or a legal message. Specifically, after receiving a request message sent by the WAF device, the server can first detect whether the destination port number of the request message is the preset re-detection port number; in an actual implementation, any message received while listening on the re-detection port can be determined to be an undetermined message. If so, the request message is an undetermined message and the server needs to detect it further to determine whether it is an attack message; otherwise the request message is a legal message, and the server can respond to it, i.e. construct a response message carrying the relevant service data and send the response message to the terminal device, thereby realizing the user's service.
Step 202: if the destination port number of the request message is the preset re-detection port number, determine that the request message is an undetermined message, and detect whether the undetermined message is an attack message.
In this embodiment, based on the detection result of step 201, if the destination port number of the request message is the preset re-detection port number, the request message is an undetermined message, and the server needs to detect it further to determine whether it is an attack message.
In an optional embodiment, when the server determines that a received request message is an undetermined message, it can perform attack detection on the undetermined message; the code that executes the attack detection function on the server can be called the agent. Specifically, the agent can first perform feature detection on the undetermined message. Similar to the WAF device, the agent can also parse the undetermined message based on a preset algorithm, in order to exclude the influence of interference factors on attack detection. The interference factors can include interference code, encoding, and so on. For example, the agent can first identify and remove the interference code in the undetermined message, for example: identifying and compressing spaces, identifying and replacing comments, case conversion, rewrite identification, etc. In addition, the agent can decode the various kinds of encoded data carried by the undetermined message, for example: HTML entity decoding, URL decoding, Unicode decoding, etc. After excluding the above interference factors, the agent can detect whether the undetermined message carries the first-class feature code and whether it matches the feature rule; the first-class feature code and the feature rule can be entered by the user and saved on the server. When the undetermined message carries the first-class feature code and matches the feature rule, it can be determined that the undetermined message is an attack message.
It should be noted that the attack detection flow of the server and the attack detection flow of the WAF device described above may overlap, so as to prevent missed detections. In this embodiment, the more complex interference-code removal and decoding processing is handed over to the server, and the WAF device only needs to execute relatively simple interference removal and decoding processing; adopting this approach helps reduce the processing pressure on the WAF device.
If, based on the above processing flow, the agent still cannot determine whether an undetermined message is an attack message, a virtual server built on the server can simulate a response to the undetermined message. Specifically, the virtual server can construct the response message for the undetermined message, and the agent can detect whether this response message carries preset sensitive information, for example user privacy information stored on the server; the sensitive information can be entered in advance by the user and saved on the server. When the response message carries the sensitive information, it can be determined that the undetermined message corresponding to the response message is an attack message. In this case the server does not send the response message constructed by the virtual server to the terminal device, so that the data security of the server is protected.
In another example, if the agent detects that a response message does not carry the sensitive information, it can compare the response message with its corresponding undetermined message to detect whether the two carry identical information. When the response message and the undetermined message carry identical information, it can be determined that the undetermined message is an attack message. In this case the server does not send the response message constructed by the virtual server to the terminal device, so that the data security of the server is protected.
Step 203: when the undetermined message is determined to be an attack message, discard the undetermined message.
In this embodiment, based on the detection result of step 202, when the server determines that the undetermined message is an attack message, it can discard the undetermined message without responding to it, so that the server is protected from the attack.
In an optional embodiment, in conjunction with step 202 above, when the response message of the undetermined message is detected to carry the preset sensitive information, the server can determine that the undetermined message is an attack message; it can then construct an attack notification carrying the source IP address of the attack message and send the attack notification to the WAF device. On receiving the attack notification, the WAF device can add the source IP address of the attack message to the blacklist according to the IP address carried in the attack notification. Subsequently the attack message can be identified by means of the blacklist without being detected again, which improves the recognition efficiency for attack messages.
When the undetermined message and its response message are detected to carry identical information, the server can determine that the undetermined message is an attack message; it can then construct an attack notification carrying the source IP address of the attack message and the identical information, and send the attack notification to the WAF device. On receiving the attack notification, the WAF device can likewise add the IP address carried in the attack notification to the blacklist, and at the same time save the identical information as a second-class feature code. Subsequently, for a received request message whose source IP address is not in the blacklist, the WAF device can also detect whether the request message carries the second-class feature code. If the request message is detected to carry the second-class feature code, the WAF device can determine that the request message is an attack message and discard it, without performing subsequent detection on the request message. If the request message is detected not to carry the second-class feature code, then in conjunction with step 101 above, the WAF device can detect whether the request message carries the preset first-class feature code and whether the request message matches the preset feature rule, in order to determine the type of the request message. Adopting this approach can further reduce the processing pressure on the WAF device while improving the WAF device's recognition accuracy for attack messages.
In another example, the WAF device can also generate a log according to the received attack notification, for the user to view. The log can record the IP addresses that have been added to the blacklist, and can also record the reason why an IP address was added to the blacklist, for example: carrying sensitive information, carrying a second-class feature code, etc.
As can be seen from the above embodiment, the WAF device can detect a received request message to determine its type. Request messages determined to be attack messages or legal messages can be processed by the WAF device according to the processing flow of the related art, while undetermined messages that require further detection are forwarded by the WAF device to the server, which detects them further. Compared with the related art, when the traffic volume is huge, the server can perform further attack detection on undetermined messages, which reduces the processing pressure on the WAF device. In addition, the virtual server running on the server simulates a response to the undetermined message, and whether the undetermined message is an attack message is determined from its response message; this can also detect attack messages that the WAF device of the related art cannot detect, improving the recognition accuracy for attack messages. The server can also send the source IP address of the attack message, together with the information carried jointly by the response message and the undetermined message, to the WAF device, so that the WAF device learns new attack messages and uses them in subsequent attack detection; this reduces the processing pressure on the WAF device while also improving the recognition accuracy for attack messages.
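Added example (not the patent's code) covering steps 201 to 203 and the attack-notification feedback described above: a server-side agent that unwraps nested encodings and strips interference code before re-running the feature check, falls back to a toy virtual server whose response is checked for sensitive information and for information shared with the request, and emits an attack notification that the WAF-side functions turn into a blacklist entry and a second-class feature code. The Persons table, the sensitive-information list, the reflecting virtual server and the message layout are all constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

ATTACK, LEGAL = "attack", "legal"
# Feature code and rule saved on the server (same SQL example as the WAF side).
FIRST_CLASS_CODE = "SELECT"
FEATURE_RULE = re.compile(r"\bSELECT\b.*\bFROM\b")

# Constructed sample data: a tiny "Persons" table served by the virtual server
# and the sensitive information the operator registered (both hypothetical).
PERSONS = {1: "LastName=Smith", 2: "LastName=Doe;email=alice@example.com"}
SENSITIVE_INFO = ("alice@example.com",)


def decode_all(text: str, rounds: int = 5) -> str:
    """Apply URL, HTML-entity and \\uXXXX decoding repeatedly until stable,
    so nested encodings the WAF declined to parse are fully unwrapped."""
    for _ in range(rounds):
        new = html.unescape(unquote(text))
        new = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), new)
        if new == text:
            break
        text = new
    return text


def remove_interference(text: str) -> str:
    """Interference-code removal: replace comments, compress spaces, unify case."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"\s+", " ", text).strip()
    return text.upper()


def virtual_response(query: str) -> str:
    """Toy stand-in for the virtual server: answers an ID lookup from PERSONS.
    A non-numeric ID expression (e.g. a tautology) is treated as matching
    every row; any other query is simply reflected back."""
    m = re.search(r"ID=(.*)", query)
    if not m:
        return "Results for: " + query
    ids = [int(m.group(1))] if m.group(1).isdigit() else list(PERSONS)
    return " ".join(PERSONS[i] for i in ids if i in PERSONS)


def shared_information(request: str, response: str, min_len: int = 8):
    """Return a token of the request that the response repeats verbatim."""
    for tok in re.findall(r"[^\s=&]+", request):
        if len(tok) >= min_len and tok in response:
            return tok
    return None


def agent_detect(msg: dict) -> tuple:
    """Step 202 on an undetermined message.  Returns (verdict, notice), where
    notice is the attack notification for the WAF (None for a legal message)."""
    query = remove_interference(decode_all(msg["query"]))
    notice = {"src_ip": msg["src_ip"]}
    # 1. feature detection after the interference factors are excluded
    if FIRST_CLASS_CODE in query and FEATURE_RULE.search(query):
        return ATTACK, notice
    # 2. simulated response checked for sensitive information
    response = virtual_response(query)
    if any(s.upper() in response.upper() for s in SENSITIVE_INFO):
        return ATTACK, notice
    # 3. identical information in request and response -> second-class code
    shared = shared_information(query, response)
    if shared is not None:
        notice["second_class_code"] = shared
        return ATTACK, notice
    return LEGAL, None


def learn_from_notice(notice: dict, blacklist: set, codes: set) -> None:
    """WAF side: blacklist the source and remember any second-class code."""
    blacklist.add(notice["src_ip"])
    if "second_class_code" in notice:
        codes.add(notice["second_class_code"])


def waf_precheck(msg: dict, blacklist: set, codes: set):
    """WAF side: "drop" when the blacklist or a learned second-class feature
    code settles the message; None means fall through to step-101 detection."""
    if msg["src_ip"] in blacklist:
        return "drop"
    if any(code in msg["query"].upper() for code in codes):
        return "drop"
    return None
```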
Corresponding to the embodiments of the attack detection method described above, the application also provides embodiments of an attack detection device.
The embodiments of the attack detection device of this application can be applied on a WAF device and on a server respectively. The device embodiments can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, a device in the logical sense is formed by the processor of the WAF device or server on which it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 3 is a hardware structure diagram of the WAF device on which the attack detection device of this application is located, and Fig. 4 is a hardware structure diagram of the server on which the attack detection device of this application is located. Besides the processor, memory, network interface and non-volatile memory shown in Fig. 3 and Fig. 4, the WAF device and the server on which the devices of the embodiments are located may also include other hardware according to the actual functions of the attack detection, which is not described further here.
Referring to Fig. 5, which is a block diagram of an attack detection device shown in an exemplary embodiment of the present application, the attack detection device 500 can be applied to the WAF device shown in Fig. 3 and includes:
a detection unit 501, configured to detect a request message after the request message is received from a terminal device;
a first discarding unit 502, configured to discard the request message when the request message is determined to be an attack message;
a first sending unit 503, configured to, when the request message is determined to be an undetermined message, modify the destination port number of the request message to a preset re-detection port number and then send the request message to the server, so that the server detects the request message and discards it when determining that the request message is an attack message;
a second sending unit 504, configured to send the request message to the server when the request message is determined to be a legal message.
In an optional embodiment, the detection unit 501 may include:
a feature detection subunit 5011, configured to detect whether the request message carries a preset first-class feature code, and to detect whether the request message matches a preset feature rule;
a first determination subunit 5012, configured to determine that the request message is an attack message when the request message carries the first-class feature code and matches the feature rule;
a second determination subunit 5013, configured to determine that the request message is an undetermined message when the request message carries the first-class feature code but does not match the feature rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed.
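The WAF-side triage described for device 500 (and summarised in the paragraph on the WAF/server division of labour above), written out as an added example in Python. This is not the patent's code: the first-class feature codes, the feature rules, the re-detection port number 8081, the treatment of "encoded data that cannot be parsed" (a non-standard %uXXXX escape, or percent-encoded bytes that are not valid UTF-8), and the sample requests are all assumptions constructed for the example. The `learn` method applies the attack notification of claims 3 and 6 (blacklist the source IP, keep the shared information as a second-class feature code).

```python
"""WAF-side triage of the kind claimed for device 500 (added example, not the
patent's code). Feature codes, feature rules, the port numbers and the sample
requests are assumptions constructed for the example."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

UPSTREAM_PORT = 80          # normal destination port of the protected service
RE_DETECT_PORT = 8081       # preset re-detection port number (assumed value)

# First-class feature codes: tokens that only suggest an attack.
FIRST_CLASS_CODES = ("union", "select", "<script", "../", "sleep(")
# Feature rules: patterns that confirm the suspicion raised by a code.
FEATURE_RULES = (
    re.compile(r"union\s+(all\s+)?select\b", re.I),
    re.compile(r"<script[^>]*>", re.I),
    re.compile(r"(\.\./){2,}"),
    re.compile(r"\bsleep\(\d+\)", re.I),
)


@dataclass
class Request:
    src_ip: str
    target: str                       # request-target: path plus query string
    headers: dict = field(default_factory=dict)
    body: str = ""
    dst_port: int = UPSTREAM_PORT

    def values(self):
        """Decoded values the feature detector inspects."""
        parts = urlsplit(self.target)
        out = [unquote(parts.path)]
        for vals in parse_qs(parts.query, keep_blank_values=True).values():
            out.extend(vals)
        out.extend(self.headers.values())
        out.append(self.body)
        return out


def has_unparseable_encoding(value: str) -> bool:
    """'Encoded data that cannot be parsed': a non-standard %uXXXX escape, or
    percent-encoded bytes that are not valid UTF-8 (e.g. the overlong %C0%AF)."""
    if re.search(r"%u[0-9a-fA-F]{4}", value):
        return True
    if "%" in value:
        try:
            unquote(value, errors="strict")
        except UnicodeDecodeError:
            return True
    return False


class Waf:
    def __init__(self):
        self.blacklist = set()            # source IPs named in attack notifications
        self.second_class_codes = set()   # shared information learned from the server

    def learn(self, notification: dict) -> None:
        """Apply an attack notification from the server (claims 3 and 6)."""
        self.blacklist.add(notification["src_ip"])
        self.second_class_codes.update(notification.get("shared_info", ()))

    def classify(self, req: Request) -> str:
        """Return 'attack', 'undetermined' or 'legal' for a request."""
        if req.src_ip in self.blacklist:
            return "attack"
        text = "\n".join(req.values())
        if any(code in text for code in self.second_class_codes):
            return "attack"
        carries_code = any(code in text.lower() for code in FIRST_CLASS_CODES)
        matches_rule = any(rule.search(text) for rule in FEATURE_RULES)
        if carries_code and matches_rule:
            return "attack"
        if carries_code:
            return "undetermined"
        # Header fields and the request-target (the "key fields" here) are
        # checked in their raw, still-encoded form.
        if any(has_unparseable_encoding(v) for v in [req.target, *req.headers.values()]):
            return "undetermined"
        return "legal"

    def dispatch(self, req: Request):
        """Drop, or forward with the destination port the server should see."""
        verdict = self.classify(req)
        if verdict == "attack":
            return ("drop", None)
        if verdict == "undetermined":
            req.dst_port = RE_DETECT_PORT      # signals the server to re-detect
        return ("forward", req.dst_port)


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "legal": Request("198.51.100.5", "/search?q=shoes", {"User-Agent": "Mozilla/5.0"}),
    "sqli": Request("198.51.100.5", "/items?id=1%20union%20select%20password%20from%20users"),
    "suspect": Request("198.51.100.5", "/items?id=1%20select"),
    "encoded": Request("198.51.100.5", "/index.php", {"User-Agent": "Mozilla/5.0 %C0%AF"}),
}

if __name__ == "__main__":
    waf = Waf()
    for name, req in SAMPLES.items():
        print(name, waf.classify(req), waf.dispatch(req))
```

Only the two routing outcomes matter to the server: an undetermined message arrives on port 8081, everything else on port 80, so the server needs no copy of the WAF's feature codes. The blacklist check is placed first so that a source already reported by the server is dropped before any content inspection is spent on it.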
Referring to Fig. 6, which is a block diagram of another attack detection device shown in an exemplary embodiment of the present application, the attack detection device 600 can be applied to the server shown in Fig. 4 and includes:
a port number detection unit 601, configured to detect, after a request message sent by the WAF device is received, whether the destination port number of the request message is a preset re-detection port number;
a message detection unit 602, configured to determine that the request message is an undetermined message if the destination port number of the request message is the preset re-detection port number, and to detect whether the undetermined message is an attack message;
a second discarding unit 603, configured to discard the undetermined message when the undetermined message is determined to be an attack message.
In an optional embodiment, the message detection unit 602 may include:
a construction subunit 6021, configured to construct a response message for the undetermined message based on a virtual server;
a response detection subunit 6022, configured to detect whether the response message carries preset sensitive information;
a third determination subunit 6023, configured to determine that the undetermined message is an attack message when the response message carries the sensitive information.
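The server-side re-detection described for device 600 (port check, simulated response, sensitive-information check, and the identical-information check and attack notification of claim 6), as an added example in Python that is not the patent's code. The re-detection port 8081, the sensitive-information patterns, the toy `virtual_server` (a stand-in for the patent's virtual server, deliberately built with a raw SQL error on malformed input and unescaped reflection so that the detector has something to find), the eight-character minimum for shared information, and the sample requests are assumptions constructed for the example.

```python
"""Server-side re-detection of the kind claimed for device 600 (added example,
not the patent's code). The port, the sensitive-information patterns, the toy
virtual server and the sample requests are assumptions for the example."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

RE_DETECT_PORT = 8081   # must equal the WAF's preset re-detection port number

# Preset sensitive information: content a correct response never contains.
SENSITIVE_PATTERNS = (
    re.compile(r"You have an error in your SQL syntax"),
    re.compile(r"^root:x:0:0:", re.M),
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"\bORA-\d{5}\b"),
)


@dataclass
class Request:
    src_ip: str
    target: str
    dst_port: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def virtual_server(req: Request) -> str:
    """Stand-in for the patent's virtual server: an isolated copy of the
    application that answers the undetermined request without touching real
    data. This toy version has the two weaknesses the detector is meant to
    surface: a raw SQL error on a malformed id, and unescaped reflection."""
    parts = urlsplit(req.target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/items":
        item_id = params.get("id", "")
        if not item_id.isdigit():
            return ("HTTP/1.1 500 Internal Server Error\r\n\r\n"
                    "You have an error in your SQL syntax; check the manual")
        return f"HTTP/1.1 200 OK\r\n\r\n<h1>item {item_id}</h1>"
    if parts.path == "/search":
        return f"HTTP/1.1 200 OK\r\n\r\n<p>Results for {params.get('q', '')}</p>"
    return "HTTP/1.1 404 Not Found\r\n\r\n"


def shared_information(req: Request, response: str, min_len: int = 8) -> list:
    """Information carried in common by request and response: request values
    that reappear verbatim in the response body (claim 6). Short values are
    ignored so that an echoed 'ok' does not become a feature code."""
    parts = urlsplit(req.target)
    values = [v for vals in parse_qs(parts.query).values() for v in vals]
    values += list(req.headers.values()) + ([req.body] if req.body else [])
    body = response.split("\r\n\r\n", 1)[-1]
    return sorted({v for v in values if len(v) >= min_len and v in body})


def detect(req: Request) -> dict:
    """Port check, simulated response, sensitive-information and shared-
    information checks, and the attack notification for the WAF."""
    if req.dst_port != RE_DETECT_PORT:
        return {"verdict": "pass", "notification": None}   # ordinary traffic
    response = virtual_server(req)
    sensitive = [p.pattern for p in SENSITIVE_PATTERNS if p.search(response)]
    shared = shared_information(req, response)
    if not sensitive and not shared:
        return {"verdict": "clean", "notification": None}  # serve it normally
    # Attack: the message is dropped and the WAF is told what to learn. The
    # WAF stores shared_info as a second-class feature code only if non-empty.
    return {
        "verdict": "attack",
        "sensitive": sensitive,
        "notification": {"src_ip": req.src_ip, "shared_info": shared},
    }


# Constructed sample traffic as the WAF would forward it.
SAMPLES = {
    "sqli_probe": Request("203.0.113.7", "/items?id=1%20select", RE_DETECT_PORT),
    "reflected": Request("203.0.113.7",
                         "/search?q=%3Cimg%20src%3Dx%20onerror%3Dprobe_7f3a%3E",
                         RE_DETECT_PORT),
    "benign": Request("198.51.100.5", "/items?id=42", RE_DETECT_PORT),
    "normal": Request("198.51.100.5", "/search?q=shoes", 80),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, detect(req))
```

One practical caveat the claims leave open: taken literally, "carries identical information" also fires when a search page echoes an ordinary query such as "running shoes", and that echo would then be pushed to the WAF as a feature code. A deployment of this scheme needs a tighter definition of the information it compares (for instance only values containing markup or other metacharacters), or must require the sensitive-information check to agree, before it blacklists a source.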
For the device embodiments above, the implementation process and the effect of the functions of the respective units correspond to the implementation process of the corresponding steps of the method above and are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present application shall be included within the scope of protection of the present application.
Claims (10)
1. An attack detection method, applied to a web application firewall (WAF) device, characterised in that the method comprises:
after receiving a request message from a terminal device, detecting the request message;
when the request message is determined to be an attack message, discarding the request message;
when the request message is determined to be an undetermined message, modifying the destination port number of the request message to a preset re-detection port number and then sending the request message to the server, so that the server detects the request message and discards it when determining that the request message is an attack message;
when the request message is determined to be a legal message, sending the request message to the server.
2. The method according to claim 1, characterised in that detecting the request message comprises:
detecting whether the request message carries a preset first-class feature code, and detecting whether the request message matches a preset feature rule;
when the request message carries the first-class feature code and matches the feature rule, determining that the request message is an attack message;
when the request message carries the first-class feature code but does not match the feature rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed, determining that the request message is an undetermined message.
3. The method according to claim 2, characterised in that the method further comprises:
when an attack notification sent by the server is received, if the attack notification carries a second-class feature code, storing the second-class feature code; the attack notification being sent by the server when it determines that the undetermined message is an attack message, the second-class feature code being information carried in common by a response message and the undetermined message corresponding to the response message, and the response message being constructed by a virtual server running on the server;
and detecting the request message further comprises:
detecting whether the request message carries the second-class feature code;
when the request message carries the second-class feature code, determining that the request message is an attack message.
4. An attack detection method, applied to a server, characterised in that the method comprises:
after receiving a request message sent by a WAF device, detecting whether the destination port number of the request message is a preset re-detection port number;
if the destination port number of the request message is the preset re-detection port number, determining that the request message is an undetermined message, and detecting whether the undetermined message is an attack message;
when the undetermined message is determined to be an attack message, discarding the undetermined message.
5. The method according to claim 4, characterised in that detecting whether the undetermined message is an attack message comprises:
constructing a response message for the undetermined message based on a virtual server;
detecting whether the response message carries preset sensitive information;
when the response message carries the sensitive information, determining that the undetermined message is an attack message.
6. The method according to claim 5, characterised in that detecting whether the undetermined message is an attack message further comprises:
detecting whether the response message and the undetermined message carry identical information;
when the response message and the undetermined message carry identical information, determining that the undetermined message is an attack message;
sending an attack notification to the WAF device, the attack notification carrying the source IP address of the undetermined message and the identical information, so that the WAF device adds the source IP address to a blacklist, stores the identical information as a second-class feature code, and determines that a received request message is an attack message when it detects that the request message carries the second-class feature code.
7. An attack detection device, applied to a WAF device, characterised in that the device comprises:
a detection unit, configured to detect a request message after the request message is received from a terminal device;
a first discarding unit, configured to discard the request message when the request message is determined to be an attack message;
a first sending unit, configured to, when the request message is determined to be an undetermined message, modify the destination port number of the request message to a preset re-detection port number and then send the request message to the server, so that the server detects the request message and discards it when determining that the request message is an attack message;
a second sending unit, configured to send the request message to the server when the request message is determined to be a legal message.
8. The device according to claim 7, characterised in that the detection unit comprises:
a feature detection subunit, configured to detect whether the request message carries a preset first-class feature code, and to detect whether the request message matches a preset feature rule;
a first determination subunit, configured to determine that the request message is an attack message when the request message carries the first-class feature code and matches the feature rule;
a second determination subunit, configured to determine that the request message is an undetermined message when the request message carries the first-class feature code but does not match the feature rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed.
9. An attack detection device, applied to a server, characterised in that the device comprises:
a port number detection unit, configured to detect, after a request message sent by a WAF device is received, whether the destination port number of the request message is a preset re-detection port number;
a message detection unit, configured to determine that the request message is an undetermined message if the destination port number of the request message is the preset re-detection port number, and to detect whether the undetermined message is an attack message;
a second discarding unit, configured to discard the undetermined message when the undetermined message is determined to be an attack message.
10. The device according to claim 9, characterised in that the message detection unit comprises:
a construction subunit, configured to construct a response message for the undetermined message based on a virtual server;
a response detection subunit, configured to detect whether the response message carries preset sensitive information;
a third determination subunit, configured to determine that the undetermined message is an attack message when the response message carries the sensitive information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610919494.2A CN106470214B (en) | 2016-10-21 | 2016-10-21 | Attack detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106470214A true CN106470214A (en) | 2017-03-01 |
CN106470214B CN106470214B (en) | 2020-03-06 |
Family
ID=58230886
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610919494.2A Active CN106470214B (en) | 2016-10-21 | 2016-10-21 | Attack detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106470214B (en) |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1581803A (en) * | 2004-05-20 | 2005-02-16 | 中国科学院软件研究所 | Safety platform for network data exchange |
CN1996892A (en) * | 2006-12-25 | 2007-07-11 | 杭州华为三康技术有限公司 | Detection method and device for network attack |
CN101257388A (en) * | 2008-04-08 | 2008-09-03 | 华为技术有限公司 | Lawless exterior joint detecting method, apparatus and system |
CN101626345A (en) * | 2009-07-23 | 2010-01-13 | 中兴通讯股份有限公司 | Message processing method and real-time stream protocol application layer gateway in home gateway |
CN102404318A (en) * | 2011-10-31 | 2012-04-04 | 杭州迪普科技有限公司 | Method and device for prevention of DNS (Domain Name Server) cathe attack |
CN103475746A (en) * | 2013-08-09 | 2013-12-25 | 杭州华三通信技术有限公司 | Terminal service method and apparatus |
CN103532964A (en) * | 2013-10-22 | 2014-01-22 | 邱文乔 | Method for verifying TCP (transmission control protocol) connection security |
CN103856470A (en) * | 2012-12-06 | 2014-06-11 | 腾讯科技(深圳)有限公司 | Distributed denial of service attack detection method and device |
CN104219200A (en) * | 2013-05-30 | 2014-12-17 | 杭州迪普科技有限公司 | Device and method for protection from DNS cache attack |
CN104468267A (en) * | 2014-11-24 | 2015-03-25 | 国家电网公司 | Information safety penetration testing method for distribution automation system |
WO2015057558A1 (en) * | 2013-10-14 | 2015-04-23 | Alibaba Group Holding Limited | Login method for client application and corresponding server |
CN104853003A (en) * | 2015-04-30 | 2015-08-19 | 中国人民解放军国防科学技术大学 | Netfilter-based address and port hopping communication implementation method |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107277025A (en) * | 2017-06-28 | 2017-10-20 | 维沃移动通信有限公司 | A kind of Secure Network Assecc method, mobile terminal and computer-readable recording medium |
CN107360162A (en) * | 2017-07-12 | 2017-11-17 | 北京奇艺世纪科技有限公司 | A kind of network application means of defence and device |
CN107634964A (en) * | 2017-10-13 | 2018-01-26 | 杭州迪普科技股份有限公司 | A kind of method of testing and device for WAF |
CN107979610A (en) * | 2017-12-14 | 2018-05-01 | 广东天网安全信息科技有限公司 | The safety protecting method that a kind of fire wall communicates in big data |
CN109040128B (en) * | 2018-09-18 | 2020-09-22 | 四川长虹电器股份有限公司 | WAF reverse proxy detection method based on offline pcap flow packet |
CN109040128A (en) * | 2018-09-18 | 2018-12-18 | 四川长虹电器股份有限公司 | A kind of WAF reverse proxy detection method based on offline pcap flow packet |
CN110381053A (en) * | 2019-07-16 | 2019-10-25 | 新华三信息安全技术有限公司 | A kind of message filtering method and device |
CN110912936A (en) * | 2019-12-20 | 2020-03-24 | 东软集团股份有限公司 | Media file security situation perception method and firewall |
CN110912936B (en) * | 2019-12-20 | 2022-02-18 | 东软集团股份有限公司 | Media file security situation perception method and firewall |
CN112153001A (en) * | 2020-08-21 | 2020-12-29 | 杭州安恒信息技术股份有限公司 | WAF-based network communication method, system, electronic device and storage medium |
CN112153001B (en) * | 2020-08-21 | 2023-06-23 | 杭州安恒信息技术股份有限公司 | WAF-based network communication method, WAF-based network communication system, electronic device and storage medium |
CN113190838A (en) * | 2021-03-29 | 2021-07-30 | 贵州电网有限责任公司 | Web attack behavior detection method and system based on expression |
CN113630417A (en) * | 2021-08-12 | 2021-11-09 | 杭州安恒信息安全技术有限公司 | Data transmission method and device based on WAF, electronic device and storage medium |
CN113630417B (en) * | 2021-08-12 | 2023-09-26 | 杭州安恒信息安全技术有限公司 | WAF-based data transmission method, WAF-based data transmission device, WAF-based electronic device and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN106470214B (en) | 2020-03-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106470214A (en) | Attack detection method and device | |
US11429625B2 (en) | Query engine for remote endpoint information retrieval | |
KR101005927B1 (en) | Method for detecting a web application attack | |
CN107122221B (en) | Compiler for regular expressions | |
US11848913B2 (en) | Pattern-based malicious URL detection | |
US8051484B2 (en) | Method and security system for indentifying and blocking web attacks by enforcing read-only parameters | |
Song et al. | Advanced evasion attacks and mitigations on practical ML‐based phishing website classifiers | |
US20150304350A1 (en) | Detection of malware beaconing activities | |
US10757135B2 (en) | Bot characteristic detection method and apparatus | |
CN102404318B (en) | A kind of method and device taking precautions against DNS cache attack | |
CN109698831B (en) | Data protection method and device | |
CN109413016B (en) | Rule-based message detection method and device | |
KR102152338B1 (en) | System and method for converting rule between NIDPS engines | |
CN107122657B (en) | Database agent device for defending SQL injection attack | |
KR20080026122A (en) | Method for defending against denial of service attacks in ip networks by target victim self-identification and control | |
US8812480B1 (en) | Targeted search system with de-obfuscating functionality | |
CN108256327A (en) | A kind of file test method and device | |
CN114726579A (en) | Method, apparatus, device, storage medium and program product for defending against network attacks | |
CN113328976B (en) | Security threat event identification method, device and equipment | |
CN112637171A (en) | Data traffic processing method, device, equipment, system and storage medium | |
KR101256463B1 (en) | Apparatus and method for inspecting malignant code | |
CN115514539B (en) | Network attack protection method and device, storage medium and electronic equipment | |
US8627462B2 (en) | Token processing | |
CN110460592B (en) | URL analysis method, device, equipment and medium | |
US20220207085A1 (en) | Data classification technology |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||