CN106470214A - Attack detection method and device - Google Patents


Info

Publication number: CN106470214A
Authority: CN (China)
Legal status: Granted (active)
Application number: CN201610919494.2A
Other languages: Chinese (zh)
Other versions: CN106470214B (en)
Inventors: 范毅波, 王树太
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201610919494.2A; published as CN106470214A; granted as CN106470214B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The application provides an attack detection method and device. The method is applied to a WAF device and includes: after receiving a request message from a terminal device, detecting the request message; when the request message is determined to be an attack message, discarding it; when the request message is determined to be an undetermined message, changing its destination port number to a preset re-detection port number and then sending it to the server, so that the server detects the request message and discards it if it determines that it is an attack message; and when the request message is determined to be a legal message, sending it to the server. The technical solution of the application can break through the processing bottleneck of the WAF device and improve the recognition accuracy of attack messages.

Description

Attack detection method and device
Technical field
The application relates to the field of communication technology, and in particular to an attack detection method and device.
Background technology
With the rapid development of the Internet, web applications have become increasingly rich, and the security threats faced by web servers have also increased. To prevent attackers from stealing server data, a WAF (Web Application Firewall) device is usually deployed between the terminal device and the server to detect whether the request messages that the terminal device sends to the server are attack messages. When the server's traffic volume is huge, the WAF device receives a large number of request messages, so how to break through the processing bottleneck of the WAF device and improve the recognition accuracy of attack messages becomes crucial.
Summary of the invention
In view of this, the application provides an attack detection method and device, to solve the problems of the processing bottleneck and low recognition accuracy of WAF devices in the related art.
Specifically, the application is achieved by the following technical solutions:
In a first aspect, the application provides an attack detection method applied to a WAF device, including:
after receiving a request message from a terminal device, detecting the request message;
when the request message is determined to be an attack message, discarding the request message;
when the request message is determined to be an undetermined message, changing the destination port number of the request message to a preset re-detection port number and then sending it to the server, so that the server detects the request message and discards it when it determines that the request message is an attack message;
when the request message is determined to be a legal message, sending the request message to the server.
In a second aspect, the application provides an attack detection method applied to a server, including:
after receiving a request message sent by a WAF device, detecting whether the destination port number of the request message is a preset re-detection port number;
if the destination port number of the request message is the preset re-detection port number, determining that the request message is an undetermined message, and detecting whether the undetermined message is an attack message;
when the undetermined message is determined to be an attack message, discarding the undetermined message.
In a third aspect, the application provides an attack detection device applied to a WAF device, including:
a detection unit, for detecting a request message after it is received from a terminal device;
a discarding unit, for discarding the request message when it is determined to be an attack message;
a first sending unit, for changing the destination port number of the request message to a preset re-detection port number and then sending it to the server when the request message is determined to be an undetermined message, so that the server detects the request message and discards it when it determines that the request message is an attack message;
a second sending unit, for sending the request message to the server when it is determined to be a legal message.
In a fourth aspect, the application provides an attack detection device applied to a server, including:
a port number detection unit, for detecting, after a request message sent by a WAF device is received, whether the destination port number of the request message is a preset re-detection port number;
a message detection unit, for determining that the request message is an undetermined message if its destination port number is the preset re-detection port number, and detecting whether the undetermined message is an attack message;
a discarding unit, for discarding the undetermined message when it is determined to be an attack message.
Analysis of the above technical solutions shows that the WAF device can detect a received request message to determine its type. For request messages determined to be attack messages or legal messages, the WAF device may process them according to the processing flow of the related art, while undetermined messages that need further detection are forwarded to the server, which detects them further. Compared with the related art, when the traffic volume is huge, further attack detection of undetermined messages can be performed by the server, which reduces the processing pressure on the WAF device.
Brief description of the drawings
Fig. 1 is a flow chart of an attack detection method shown in an exemplary embodiment of the application;
Fig. 2 is a flow chart of another attack detection method shown in an exemplary embodiment of the application;
Fig. 3 is a hardware structure diagram of the equipment in which an attack detection device is located, shown in an exemplary embodiment of the application;
Fig. 4 is a hardware structure diagram of the equipment in which another attack detection device is located, shown in an exemplary embodiment of the application;
Fig. 5 is a block diagram of an attack detection device shown in an exemplary embodiment of the application;
Fig. 6 is a block diagram of another attack detection device shown in an exemplary embodiment of the application.
Detailed description of the embodiments
Exemplary embodiments will be described in detail here, with examples illustrated in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the related art, when a user accesses Internet services such as browsing web pages through a terminal device, the terminal device may establish an HTTP connection with the server and send request messages to the server over this HTTP connection to obtain the relevant business data. After receiving a request message, the server may construct a response message carrying the relevant business data for that request message and send it to the terminal device. To prevent attackers from launching attacks on the server with request messages, a WAF device may be deployed between the terminal device and the server; the WAF device detects the request messages that the terminal device sends to the server. When the WAF device determines that a certain request message is an attack message, it may discard the message, guarding against the attacker's attack on the server.
Referring to Fig. 1, which is a flow chart of a message forwarding method shown in an exemplary embodiment of the application, the method can be applied to a WAF device and comprises the following steps:
Step 101: after receiving a request message from a terminal device, detecting the request message.
In the present embodiment, after the terminal device and the server have established an HTTP connection, the terminal device may send a request message to the server to obtain the relevant business data, and the WAF device deployed between the terminal device and the server receives this request message. After receiving the request message, the WAF device may first detect it to determine its type; different types of request messages are then handled by different processing flows.
In an optional embodiment, the WAF device may detect whether the request message carries a preset first-class feature code and whether the request message matches a preset feature rule, so as to determine the type of the request message. The first-class feature code and the feature rule may both be entered by the user in advance and saved in the WAF device; the feature rule may be used to find character strings that satisfy some complex rule. Specifically, the WAF device may first detect whether the request message carries the first-class feature code. When the request message carries the first-class feature code, it then detects whether the request message matches the feature rule; when the request message does not carry the first-class feature code, it detects whether a header field or a preset key field of the request message carries encoded data that cannot be parsed.
For example, an attacker may use an SQL (Structured Query Language) injection attack message to obtain data from the server's database. Part of the fields of an SQL injection attack message is shown in Table 1 below:
Table 1: SELECT Column name FROM Table name
Referring to Table 1, when an attacker wants to obtain from the server the contents of the column named LastName in the database table named Persons, the SQL statement SELECT LastName FROM Persons can be used. Therefore, when detecting whether a received request message is an SQL injection attack message, SELECT can be set as the first-class feature code, and the feature rule can be set to detect character strings that begin with the word SELECT, continue with arbitrary non-newline characters, and end with the word FROM; in practice the regular expression \bSELECT\b.*\bFROM\b can be used to detect such strings. If the WAF device detects SELECT in a certain request message and the request message matches the above feature rule, the request message conforms to SQL syntax rules and is capable of obtaining data from the server's database, that is, the request message is an SQL injection attack message. Therefore, for a request message that both carries the preset first-class feature code and matches the preset feature rule, the WAF device can determine that the request message is an attack message. If the WAF device detects SELECT in a certain request message but the request message does not match the above feature rule, the request message does not conform to SQL syntax rules; however, since legal request messages generally do not carry SELECT, the request message can be determined to be an undetermined message. Therefore, for a request message that carries the preset first-class feature code but does not match the preset feature rule, the WAF device can determine that the request message is an undetermined message. And for a request message that neither carries the preset first-class feature code nor matches the preset feature rule, the WAF device can determine that the request message is a legal message.
It should be noted that the above detection scheme generally cannot detect whether an encoded request message carries the first-class feature code, so an attacker may evade the attack detection of the WAF device by encoding the first-class feature code. In another example, when a header field or a preset key field of a received request message carries encoded data, the WAF device may parse the request message based on a preset algorithm and detect whether the parsed request message carries the preset first-class feature code; the key field may be preset by the user. But when the encoded data carried by a certain request message is complex, parsing it takes a long time and occupies more processing resources of the WAF device, so the WAF device may leave the request message unparsed and hand it to the server for attack detection. For such a request message whose header field or preset key field carries encoded data that cannot be parsed, the WAF device can also determine that the request message is an undetermined message.
Step 102: when the request message is determined to be an attack message, discarding the request message.
In the present embodiment, based on the detection result of the aforementioned step 101, when the WAF device determines that the request message is an attack message, it may discard the request message instead of forwarding it to the server, so that the server is protected from attack.
In an optional embodiment, when the WAF device determines that the request message is an attack message, it may add the source IP address of the attack message to a blacklist. Subsequently, the attack message can be identified through the blacklist without being detected again, which improves the recognition efficiency of attack messages.
Step 103: when the request message is determined to be an undetermined message, changing the destination port number of the request message to a preset re-detection port number and then sending it to the server, so that the server detects the request message and discards it when it determines that the request message is an attack message.
In the present embodiment, based on the detection result of the aforementioned step 101, when the WAF device determines that the request message is an undetermined message, it may change the destination port number of the request message to the preset re-detection port number and then send it to the server. The re-detection port number may be configured by administrators and is used to identify undetermined messages. After receiving a request message whose destination port number is the re-detection port number, the server can determine that the request message is an undetermined message and needs to detect it further to determine whether it is an attack message. When the server detects that the undetermined message is an attack message, it may discard the undetermined message to protect the server from attack.
Step 104: when the request message is a legal message, sending the request message to the server.
In the present embodiment, based on the detection result of the aforementioned step 101, when the WAF device detects that the request message is neither an attack message nor an undetermined message, it can determine that the request message is a legal message and forward it to the server. After receiving the request message, the server may respond to it, that is, construct a response message carrying the relevant business data and send it to the terminal device, so that the user's service is fulfilled.
As can be seen from the above embodiment, the WAF device can detect a received request message to determine its type. For request messages determined to be attack messages or legal messages, the WAF device may process them according to the processing flow of the related art, while undetermined messages that need further detection are forwarded to the server, which detects them further. Compared with the related art, when the traffic volume is huge, further attack detection of undetermined messages can be performed by the server, which reduces the processing pressure on the WAF device.
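As an added illustration (not code from the patent or from DPTech), the following Python models steps 101 to 104 on the WAF side: the first-class feature code and feature rule check from the SQL example, a single cheap decoding pass over header fields with anything still encoded afterwards left to the server as undetermined, the source blacklist, and the destination-port rewrite. The re-detection port 8081, the sample IP addresses, the header names and the one-pass URL decoding as the "preset algorithm" are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import unquote

# Constructed values: the patent names a preset re-detection port but no number;
# the first-class feature code and feature rule follow its SQL example.
SERVER_PORT = 80
REDETECT_PORT = 8081
FIRST_CLASS_CODES = ("SELECT",)
FEATURE_RULE = re.compile(r"\bSELECT\b.*\bFROM\b")   # SELECT, non-newline chars, FROM
# Markers of encoded data in a field: percent, HTML entity, \uXXXX escapes.
ENCODED = re.compile(r"%[0-9A-Fa-f]{2}|&#x?[0-9A-Fa-f]+;|\\u[0-9A-Fa-f]{4}")

ATTACK, UNDETERMINED, LEGAL = "attack", "undetermined", "legal"


@dataclass
class Request:
    src_ip: str
    dst_port: int
    request_line: str                      # path plus query string
    headers: Dict[str, str] = field(default_factory=dict)

    def plain_text(self) -> str:
        return self.request_line + "\n" + "\n".join(self.headers.values())


def carries_feature_code(text: str) -> bool:
    return any(code in text for code in FIRST_CLASS_CODES)


def classify(req: Request) -> str:
    """Step 101 as in the optional embodiment: attack / undetermined / legal."""
    text = req.plain_text()
    if carries_feature_code(text):
        # Feature code present: the feature rule decides attack vs undetermined.
        return ATTACK if FEATURE_RULE.search(text) else UNDETERMINED
    # No plain feature code: inspect header fields (the preset key fields are
    # assumed to be header names here) for encoded data.
    for value in req.headers.values():
        if not ENCODED.search(value):
            continue
        decoded = unquote(value)           # the WAF's cheap preset algorithm: one URL-decode pass
        if ENCODED.search(decoded):        # still encoded after that: too costly, server re-detects
            return UNDETERMINED
        if carries_feature_code(decoded):
            return ATTACK if FEATURE_RULE.search(decoded) else UNDETERMINED
    return LEGAL


class WafDevice:
    """Steps 102-104: drop, re-route on the re-detection port, or forward unchanged."""

    def __init__(self) -> None:
        self.blacklist: Set[str] = set()
        self.forwarded: List[Request] = []    # what "the server" would receive

    def handle(self, req: Request) -> str:
        if req.src_ip in self.blacklist:      # known attacker: no detection needed
            return ATTACK
        verdict = classify(req)
        if verdict == ATTACK:
            self.blacklist.add(req.src_ip)    # step 102: discard and remember the source
        elif verdict == UNDETERMINED:
            req.dst_port = REDETECT_PORT      # step 103: the server re-detects it
            self.forwarded.append(req)
        else:
            self.forwarded.append(req)        # step 104: legal, forward as is
        return verdict


def demo() -> List[str]:
    """Constructed sample traffic; returns the WAF verdict for each request."""
    waf = WafDevice()
    samples = [
        Request("198.51.100.7", SERVER_PORT, "/search?q=SELECT LastName FROM Persons"),
        Request("198.51.100.8", SERVER_PORT, "/search?q=SELECT"),       # code, no rule match
        Request("198.51.100.9", SERVER_PORT, "/search?q=li"),
        Request("198.51.100.10", SERVER_PORT, "/", {"Cookie": "q=%2553ELECT"}),  # double-encoded
        Request("198.51.100.7", SERVER_PORT, "/search?q=li"),           # blacklisted source
    ]
    return [waf.handle(r) for r in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```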
Referring to Fig. 2, which is a flow chart of another message forwarding method shown in an exemplary embodiment of the application, the method can be applied to a server and comprises the following steps:
Step 201: after receiving a request message sent by the WAF device, detecting whether the destination port number of the request message is the preset re-detection port number.
In the present embodiment, with reference to the aforementioned steps 103 and 104, when the WAF device determines that a request message is an undetermined message, it may change the destination port number of the request message to the preset re-detection port number and send the modified request message to the server, so the server can determine from the destination port number of a received request message whether it is an undetermined message or a legal message. Specifically, after receiving a request message sent by the WAF device, the server may first detect whether the destination port number of the request message is the preset re-detection port number; in practice, a message received by listening on the re-detection port can be determined to be an undetermined message. If so, the request message is an undetermined message, and the server needs to detect it further to determine whether it is an attack message; otherwise the request message is a legal message, and the server may respond to it, that is, construct a response message carrying the relevant business data and send it to the terminal device, so that the user's service is fulfilled.
Step 202: if the destination port number of the request message is the preset re-detection port number, determining that the request message is an undetermined message, and detecting whether the undetermined message is an attack message.
In the present embodiment, based on the detection result of the aforementioned step 201, if the destination port number of the request message is the preset re-detection port number, the request message is an undetermined message, and the server needs to detect it further to determine whether it is an attack message.
In an optional embodiment, when the server determines that a received request message is an undetermined message, it may perform attack detection on the undetermined message; the code in the server that performs the attack detection function may be called an agent. Specifically, the agent may first perform feature detection on the undetermined message. Similar to the WAF device, the agent may also parse the undetermined message based on a preset algorithm to exclude the influence of interference factors on attack detection. The interference factors may include interference codes, encodings, and so on. For example, the agent may first identify and remove interference codes in the undetermined message, such as identifying and compressing whitespace, identifying and replacing comments, converting case, and identifying rewrites. In addition, the agent may decode the various encoded data carried by the undetermined message, for example by HTML entity decoding, URL decoding and Unicode decoding. After excluding the above interference factors, the agent may further detect whether the undetermined message carries the first-class feature code and whether it matches the feature rule; the first-class feature code and the feature rule may be entered by the user and saved in the server. When the undetermined message carries the first-class feature code and matches the feature rule, the undetermined message can be determined to be an attack message.
It should be noted that the attack detection flow of the server and the attack detection flow of the WAF device described above may overlap, so as to prevent missed detections. In the present embodiment, the more complex removal of interference codes and decoding processes are handed to the server, while the WAF device only needs to perform relatively simple interference removal and decoding, which helps reduce the processing pressure on the WAF device.
If, based on the above processing flow, the agent still cannot determine whether a certain undetermined message is an attack message, a response to the undetermined message may be simulated by a constructed virtual server. Specifically, the virtual server may construct a response message for the undetermined message, and the agent may detect whether this response message carries preset sensitive information, for example user privacy information stored in the server; the sensitive information may be entered by the user in advance and saved in the server. When the response message carries the sensitive information, the undetermined message corresponding to the response message can be determined to be an attack message. In this case the server does not send the response message constructed by the virtual server to the terminal device, so as to protect the server's data security.
In another example, if the agent detects that a certain response message does not carry the sensitive information, it may compare the response message with the corresponding undetermined message to detect whether both carry identical information. When the response message and the undetermined message carry identical information, the undetermined message can be determined to be an attack message. In this case the server does not send the response message constructed by the virtual server to the terminal device, so as to protect the server's data security.
Step 203: when the undetermined message is determined to be an attack message, discarding the undetermined message.
In the present embodiment, based on the detection result of the aforementioned step 202, when the server determines that the undetermined message is an attack message, it may discard the undetermined message without responding to it, so that the server is protected from attack.
In an optional embodiment, with reference to the aforementioned step 202, when the server detects that the response message of the undetermined message carries the preset sensitive information, it can determine that the undetermined message is an attack message; it may then construct an attack notice carrying the source IP address of the attack message and send the attack notice to the WAF device. On receiving the attack notice, the WAF device may add the IP address carried in it, that is, the source IP address of the attack message, to a blacklist. Subsequently the attack message can be identified through the blacklist without being detected again, which improves the recognition efficiency of attack messages.
When the server detects that the undetermined message and its response message carry identical information, it can determine that the undetermined message is an attack message; it may then construct an attack notice carrying the source IP address of the attack message and the identical information, and send the attack notice to the WAF device. On receiving the attack notice, the WAF device may likewise add the IP address carried in it to the blacklist, and may also save the identical information as a second-class feature code. Subsequently, for a received request message whose source IP address is not in the blacklist, the WAF device may also detect whether the request message carries the second-class feature code. If the request message is detected to carry the second-class feature code, the WAF device can determine that the request message is an attack message and discard it, without performing subsequent detection on the request message. If the request message is detected not to carry the second-class feature code, then, with reference to the aforementioned step 101, the WAF device may detect whether the request message carries the preset first-class feature code and whether it matches the preset feature rule, so as to determine the type of the request message. Handling messages in this way can further reduce the processing pressure on the WAF device while improving the WAF device's recognition accuracy for attack messages.
In another example, the WAF device may also generate a log according to the received attack notice for the user to view. The log may record the IP addresses that have been added to the blacklist, and may also record the reason each IP address was added to the blacklist, for example: carried sensitive information, carried a second-class feature code, and so on.
As can be seen from the above embodiment, the WAF device can detect a received request message to determine its type. For request messages determined to be attack messages or legal messages, the WAF device may process them according to the processing flow of the related art, while undetermined messages that need further detection are forwarded to the server, which detects them further. Compared with the related art, when the traffic volume is huge, further attack detection of undetermined messages can be performed by the server, which reduces the processing pressure on the WAF device. In addition, a virtual server running on the server simulates a response to the undetermined message, and whether the undetermined message is an attack message is determined from its response message; this can also detect attack messages that the WAF device in the related art cannot detect, improving the recognition accuracy of attack messages. The server may also send the source IP address of the attack message, and the information carried in common by the response message and the undetermined message, to the WAF device, so that the WAF device learns new attack messages and uses them in subsequent attack detection, which improves the recognition accuracy of attack messages while reducing the processing pressure on the WAF device.
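As an added illustration of steps 201 to 203 and the optional embodiments above (not code from the patent or from DPTech), this Python sketches the server-side agent: only messages on the re-detection port are treated as undetermined; interference codes and nested encodings are removed before feature detection; a virtual server simulates the response, which is checked for sensitive information and for information reflected from the request; the resulting attack notice is fed back to a WAF-side learner as a blacklist entry, a second-class feature code and a log line. The port 8081, the virtual server's two endpoints, the sensitive-information marker, the sample addresses and the definition of "identical information" are constructed assumptions.

```python
import html
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

# Assumed values: the patent names a preset re-detection port but gives no number;
# feature code and rule follow its SQL example, compared after case folding.
REDETECT_PORT = 8081
FIRST_CLASS_CODES = ("select",)
FEATURE_RULE = re.compile(r"\bselect\b.*\bfrom\b")
SENSITIVE_INFO = ("password=",)          # constructed marker of stored private data
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

@dataclass
class Undetermined:
    src_ip: str
    dst_port: int
    request_line: str                    # path plus query, as forwarded by the WAF

@dataclass
class AttackNotice:
    src_ip: str
    reason: str
    second_class_code: Optional[str] = None   # the "identical information", if any

def remove_interference(payload: str) -> str:
    """Agent pre-processing: undo nested URL / HTML-entity / \\uXXXX encodings until
    the text is stable, strip comments, compress whitespace and fold case."""
    prev, text = None, payload
    while text != prev:
        prev = text
        text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), html.unescape(unquote(text)))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # comments used to split a keyword
    text = re.sub(r"\s+", " ", text)                     # compress whitespace
    return text.strip().lower()

def feature_detect(norm: str) -> bool:
    return any(c in norm for c in FIRST_CLASS_CODES) and bool(FEATURE_RULE.search(norm))

def virtual_server(norm: str) -> str:
    """Constructed stand-in for the patent's virtual server: it builds the response the
    real handler would, but the result is only inspected and never sent to the client."""
    if norm.startswith("/search?q="):
        return "<html>results for " + norm[len("/search?q="):] + "</html>"
    if norm.startswith("/profile"):
        return "name=li password=hunter2"          # constructed stored record
    return "<html>ok</html>"

def reflected_information(norm: str, response: str) -> Optional[str]:
    """'Identical information' is taken (assumption) to be a parameter value that is
    not a plain word and reappears verbatim in the response."""
    for value in re.findall(r"=([^&]+)", norm):
        if re.search(r"[^a-z0-9 ]", value) and value in response:
            return value
    return None

def redetect(msg: Undetermined) -> Tuple[str, Optional[AttackNotice]]:
    """Steps 201-203: port check, feature detection, then simulated-response checks."""
    if msg.dst_port != REDETECT_PORT:           # not re-routed by the WAF: legal
        return "legal", None
    norm = remove_interference(msg.request_line)
    if feature_detect(norm):
        return "attack", AttackNotice(msg.src_ip, "feature rule")
    response = virtual_server(norm)
    if any(marker in response for marker in SENSITIVE_INFO):
        return "attack", AttackNotice(msg.src_ip, "sensitive information")
    reflected = reflected_information(norm, response)
    if reflected is not None:
        return "attack", AttackNotice(msg.src_ip, "second-class feature code", reflected)
    return "legal", None

class WafLearner:
    """WAF-side state fed by attack notices: blacklist, second-class codes, log."""
    def __init__(self) -> None:
        self.blacklist: Set[str] = set()
        self.second_class_codes: Set[str] = set()
        self.log: List[str] = []

    def learn(self, notice: AttackNotice) -> None:
        self.blacklist.add(notice.src_ip)
        if notice.second_class_code:
            self.second_class_codes.add(notice.second_class_code)
        self.log.append(notice.src_ip + " blacklisted: " + notice.reason)

    def quick_verdict(self, src_ip: str, request_line: str) -> Optional[str]:
        """Run before step 101; None means fall through to feature-code detection."""
        if src_ip in self.blacklist:
            return "attack"
        if any(code in request_line.lower() for code in self.second_class_codes):
            return "attack"
        return None
```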
Corresponding to the embodiment of the attack detection method above, the present application also provides an embodiment of an attack detection apparatus.
The embodiment of the attack detection apparatus of the application can be applied to the WAF device and to the server respectively. The apparatus embodiment can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the apparatus in a logical sense is formed by the processor of the WAF device or server on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 3 is a hardware structure diagram of the WAF device on which the attack detection apparatus of the application resides, and Fig. 4 is a hardware structure diagram of the server on which it resides. Besides the processor, memory, network interface and non-volatile memory shown in Fig. 3 and Fig. 4, the WAF device and the server on which the apparatus of the embodiment resides may also include other hardware according to the actual function of the attack detection, which is not described further here.
Referring to Fig. 5, which is a block diagram of an attack detection apparatus shown in an exemplary embodiment of the application, the attack detection apparatus 500 can be applied to the WAF device shown in Fig. 3 and includes:
a detection unit 501, configured to detect a request message after receiving the request message from a terminal device;
a first discarding unit 502, configured to discard the request message when the request message is determined to be an attack message;
a first sending unit 503, configured to, when the request message is determined to be a pending message, modify the destination port number of the request message to a preset re-detection port number and then send the request message to the server, so that the server detects the request message and discards it when determining that it is an attack message;
a second sending unit 504, configured to send the request message to the server when the request message is determined to be a legitimate message.
In an optional embodiment, the detection unit 501 can include:
a feature detection subunit 5011, configured to detect whether the request message carries a preset first-type signature and whether the request message matches a preset characterization rule;
a first determination subunit 5012, configured to determine that the request message is an attack message when the request message carries the first-type signature and matches the characterization rule;
a second determination subunit 5013, configured to determine that the request message is a pending message when the request message carries the first-type signature but does not match the characterization rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed.
Referring to Fig. 6, which is a block diagram of another attack detection apparatus shown in an exemplary embodiment of the application, the attack detection apparatus 600 can be applied to the server shown in Fig. 4 and includes:
a port number detection unit 601, configured to detect, after receiving a request message sent by the WAF device, whether the destination port number of the request message is the preset re-detection port number;
a message detection unit 602, configured to determine that the request message is a pending message if its destination port number is the preset re-detection port number, and to detect whether the pending message is an attack message;
a second discarding unit 603, configured to discard the pending message when the pending message is determined to be an attack message.
In an optional embodiment, the message detection unit 602 can include:
a construction subunit 6021, configured to construct a response message for the pending message based on a virtual server;
a response detection subunit 6022, configured to detect whether the response message carries preset sensitive information;
a third determination subunit 6023, configured to determine that the pending message is an attack message when the response message carries the sensitive information.
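The WAF-side detection unit 501 with its subunits 5011 to 5013, the port rewrite performed by the first sending unit 503 and the port check of unit 601, as an added example that is not the patent's own code. The first-type signatures, the characterization rules, the header and key fields checked for decodability, the reading of "encoded data that cannot be parsed" as invalid percent-encoding or base64, and the re-detection port 8443 are assumptions chosen for illustration; the sample requests are constructed.

```python
"""Added example, not the patent's code: WAF-side classification of a request as
attack / pending / legitimate, the destination-port rewrite that hands a pending
request to the server, and the server's port check.  All signatures, rules,
field names and port numbers are assumed values."""
import base64
import binascii
import re
from dataclasses import dataclass, field, replace
from urllib.parse import unquote

# First-type signatures: payload fragments that also occur in harmless text,
# so on their own they only make a request suspicious.
FIRST_TYPE_SIGNATURES = ("<script", "union select", "../", "onerror=")
# Characterization rules: stricter shapes that confirm the attack.
CHARACTERIZATION_RULES = (
    re.compile(r"<script[^>]*>.*?</script\s*>", re.I | re.S),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"(\.\./){2,}"),
    re.compile(r"\bonerror\s*=\s*\S", re.I),
)
ENCODED_HEADERS = ("authorization", "cookie")  # header fields that must decode
KEY_FIELDS = ("q", "id", "redirect")           # query parameters that must decode
RE_DETECT_PORT = 8443                           # assumed preset re-detection port
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


@dataclass
class Request:
    src_ip: str
    dst_port: int
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)  # lower-case header names


def percent_decodes(value: str) -> bool:
    """False for a stray '%' or for escapes that do not form valid UTF-8."""
    if _BAD_PERCENT.search(value):
        return False
    try:
        unquote(value, errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def base64_decodes(value: str) -> bool:
    """False for characters outside the base64 alphabet or bad padding."""
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def fields_decode_cleanly(req: Request) -> bool:
    """Header fields and key fields must carry parseable encoded data."""
    for name in ENCODED_HEADERS:
        value = req.headers.get(name)
        if value is None:
            continue
        if name == "authorization" and value.startswith("Basic "):
            if not base64_decodes(value[len("Basic "):]):
                return False
        elif not percent_decodes(value):
            return False
    for pair in req.query.split("&") if req.query else ():
        key, _, value = pair.partition("=")
        if key in KEY_FIELDS and not percent_decodes(value):
            return False
    return True


def classify(req: Request) -> str:
    """WAF-side verdict: 'attack', 'pending' or 'legitimate'."""
    text = unquote(req.path + "?" + req.query, errors="replace").lower()
    has_signature = any(sig in text for sig in FIRST_TYPE_SIGNATURES)
    matches_rule = any(rule.search(text) for rule in CHARACTERIZATION_RULES)
    if has_signature and matches_rule:
        return "attack"        # signature confirmed by a rule: dropped on the WAF
    if has_signature:
        return "pending"       # signature without a confirming rule
    if not fields_decode_cleanly(req):
        return "pending"       # undecodable data in a header or key field
    return "legitimate"


def waf_dispatch(req: Request):
    """Returns (verdict, message for the server or None when dropped).  A pending
    request keeps its payload but is re-addressed to the re-detection port."""
    verdict = classify(req)
    if verdict == "attack":
        return verdict, None
    if verdict == "pending":
        return verdict, replace(req, dst_port=RE_DETECT_PORT)
    return verdict, req


def server_is_pending(req: Request) -> bool:
    """Server side: the destination port says whether to re-detect the message."""
    return req.dst_port == RE_DETECT_PORT


if __name__ == "__main__":
    for q in ("q=%3Cscript%3Ealert(1)%3C/script%3E", "q=%3Cscript", "q=hello%20world"):
        verdict, out = waf_dispatch(Request("203.0.113.5", 80, "/search", q))  # constructed
        print(verdict, None if out is None else out.dst_port)
```

A request that matches a characterization rule without carrying a first-type signature is treated as legitimate here, because the patent defines the attack and pending outcomes only for a request in which a signature is present; in a deployment the rule set would be paired with the signature list so that case does not arise. Because the port rewrite is the only marker the server has, the re-detection port must not be reachable from anywhere but the WAF, otherwise a client could address it directly and bypass the WAF-side checks.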
For the implementation process of the functions and roles of each unit in the above apparatus, refer to the implementation process of the corresponding steps in the above method, which is not repeated here.
Since the apparatus embodiment basically corresponds to the method embodiment, for related parts refer to the description of the method embodiment. The apparatus embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the application. A person of ordinary skill in the art can understand and implement it without creative effort.
The above are only preferred embodiments of the application and are not intended to limit the application. Any modification, equivalent replacement, improvement and so on made within the spirit and principle of the application shall be included within the scope of protection of the application.

Claims (10)

1. An attack detection method, applied to a web application firewall (WAF) device, characterized in that the method comprises:
after receiving a request message from a terminal device, detecting the request message;
when the request message is determined to be an attack message, discarding the request message;
when the request message is determined to be a pending message, modifying the destination port number of the request message to a preset re-detection port number and then sending the request message to the server, so that the server detects the request message and, when determining that the request message is an attack message, discards the request message;
when the request message is determined to be a legitimate message, sending the request message to the server.
2. The method according to claim 1, characterized in that the detecting the request message comprises:
detecting whether the request message carries a preset first-type signature, and detecting whether the request message matches a preset characterization rule;
when the request message carries the first-type signature and matches the characterization rule, determining that the request message is an attack message;
when the request message carries the first-type signature but does not match the characterization rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed, determining that the request message is a pending message.
3. The method according to claim 2, characterized in that the method further comprises:
when an attack notification sent by the server is received, if the attack notification carries a second-type signature, saving the second-type signature; the attack notification being sent by the server when it determines that the pending message is an attack message, the second-type signature being the information carried jointly by a response message and the pending message corresponding to the response message, and the response message being constructed by a virtual server running on the server;
the detecting the request message further comprises:
detecting whether the request message carries the second-type signature;
when the request message carries the second-type signature, determining that the request message is an attack message.
4. An attack detection method, applied to a server, characterized in that the method comprises:
after receiving a request message sent by a WAF device, detecting whether the destination port number of the request message is a preset re-detection port number;
if the destination port number of the request message is the preset re-detection port number, determining that the request message is a pending message, and detecting whether the pending message is an attack message;
when the pending message is determined to be an attack message, discarding the pending message.
5. The method according to claim 4, characterized in that the detecting whether the pending message is an attack message comprises:
constructing a response message for the pending message based on a virtual server;
detecting whether the response message carries preset sensitive information;
when the response message carries the sensitive information, determining that the pending message is an attack message.
6. The method according to claim 5, characterized in that the detecting whether the pending message is an attack message further comprises:
detecting whether the response message and the pending message carry identical information;
when the response message and the pending message carry identical information, determining that the pending message is an attack message;
sending an attack notification to the WAF device, the attack notification carrying the source IP address of the pending message and the identical information, so that the WAF device adds the source IP address to a blacklist, saves the identical information as a second-type signature, and, when detecting that a received request message carries the second-type signature, determines that the request message is an attack message.
7. An attack detection apparatus, applied to a WAF device, characterized in that the apparatus comprises:
a detection unit, configured to detect a request message after receiving the request message from a terminal device;
a first discarding unit, configured to discard the request message when the request message is determined to be an attack message;
a first sending unit, configured to, when the request message is determined to be a pending message, modify the destination port number of the request message to a preset re-detection port number and then send the request message to the server, so that the server detects the request message and, when determining that the request message is an attack message, discards the request message;
a second sending unit, configured to send the request message to the server when the request message is determined to be a legitimate message.
8. The apparatus according to claim 7, characterized in that the detection unit comprises:
a feature detection subunit, configured to detect whether the request message carries a preset first-type signature and whether the request message matches a preset characterization rule;
a first determination subunit, configured to determine that the request message is an attack message when the request message carries the first-type signature and matches the characterization rule;
a second determination subunit, configured to determine that the request message is a pending message when the request message carries the first-type signature but does not match the characterization rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed.
9. An attack detection apparatus, applied to a server, characterized in that the apparatus comprises:
a port number detection unit, configured to detect, after receiving a request message sent by a WAF device, whether the destination port number of the request message is a preset re-detection port number;
a message detection unit, configured to determine that the request message is a pending message if the destination port number of the request message is the preset re-detection port number, and to detect whether the pending message is an attack message;
a second discarding unit, configured to discard the pending message when the pending message is determined to be an attack message.
10. The apparatus according to claim 9, characterized in that the message detection unit comprises:
a construction subunit, configured to construct a response message for the pending message based on a virtual server;
a response detection subunit, configured to detect whether the response message carries preset sensitive information;
a third determination subunit, configured to determine that the pending message is an attack message when the response message carries the sensitive information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610919494.2A CN106470214B (en) 2016-10-21 2016-10-21 Attack detection method and device

Publications (2)

Publication Number Publication Date
CN106470214A true CN106470214A (en) 2017-03-01
CN106470214B CN106470214B (en) 2020-03-06

Family

ID=58230886

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581803A (en) * 2004-05-20 2005-02-16 中国科学院软件研究所 Safety platform for network data exchange
CN1996892A (en) * 2006-12-25 2007-07-11 杭州华为三康技术有限公司 Detection method and device for network attack
CN101257388A (en) * 2008-04-08 2008-09-03 华为技术有限公司 Illegal external connection detection method, apparatus and system
CN101626345A (en) * 2009-07-23 2010-01-13 中兴通讯股份有限公司 Message processing method and real-time streaming protocol application layer gateway in home gateway
CN102404318A (en) * 2011-10-31 2012-04-04 杭州迪普科技有限公司 Method and device for prevention of DNS (Domain Name Server) cache attack
CN103475746A (en) * 2013-08-09 2013-12-25 杭州华三通信技术有限公司 Terminal service method and apparatus
CN103532964A (en) * 2013-10-22 2014-01-22 邱文乔 Method for verifying TCP (transmission control protocol) connection security
CN103856470A (en) * 2012-12-06 2014-06-11 腾讯科技(深圳)有限公司 Distributed denial of service attack detection method and device
CN104219200A (en) * 2013-05-30 2014-12-17 杭州迪普科技有限公司 Device and method for protection from DNS cache attack
CN104468267A (en) * 2014-11-24 2015-03-25 国家电网公司 Information security penetration testing method for distribution automation system
WO2015057558A1 (en) * 2013-10-14 2015-04-23 Alibaba Group Holding Limited Login method for client application and corresponding server
CN104853003A (en) * 2015-04-30 2015-08-19 中国人民解放军国防科学技术大学 Netfilter-based address and port hopping communication implementation method

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107277025A (en) * 2017-06-28 2017-10-20 维沃移动通信有限公司 Secure network access method, mobile terminal and computer-readable storage medium
CN107360162A (en) * 2017-07-12 2017-11-17 北京奇艺世纪科技有限公司 Network application protection method and device
CN107634964A (en) * 2017-10-13 2018-01-26 杭州迪普科技股份有限公司 Testing method and device for WAF
CN107979610A (en) * 2017-12-14 2018-05-01 广东天网安全信息科技有限公司 Security protection method for firewall communication in big data
CN109040128B (en) * 2018-09-18 2020-09-22 四川长虹电器股份有限公司 WAF reverse proxy detection method based on offline pcap traffic packets
CN109040128A (en) * 2018-09-18 2018-12-18 四川长虹电器股份有限公司 WAF reverse proxy detection method based on offline pcap traffic packets
CN110381053A (en) * 2019-07-16 2019-10-25 新华三信息安全技术有限公司 Message filtering method and device
CN110912936A (en) * 2019-12-20 2020-03-24 东软集团股份有限公司 Media file security situation perception method and firewall
CN110912936B (en) * 2019-12-20 2022-02-18 东软集团股份有限公司 Media file security situation perception method and firewall
CN112153001A (en) * 2020-08-21 2020-12-29 杭州安恒信息技术股份有限公司 WAF-based network communication method, system, electronic device and storage medium
CN112153001B (en) * 2020-08-21 2023-06-23 杭州安恒信息技术股份有限公司 WAF-based network communication method, WAF-based network communication system, electronic device and storage medium
CN113190838A (en) * 2021-03-29 2021-07-30 贵州电网有限责任公司 Web attack behavior detection method and system based on expression
CN113630417A (en) * 2021-08-12 2021-11-09 杭州安恒信息安全技术有限公司 Data transmission method and device based on WAF, electronic device and storage medium
CN113630417B (en) * 2021-08-12 2023-09-26 杭州安恒信息安全技术有限公司 WAF-based data transmission method, WAF-based data transmission device, WAF-based electronic device and storage medium
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant