CN111683095B - Attack detection method and device and computer readable storage medium - Google Patents

Info

Publication number: CN111683095B
Authority: CN (China)
Legal status: Active (the legal status is an assumption, not a legal conclusion)
Application number: CN202010520494.1A
Other languages: Chinese (zh)
Other versions: CN111683095A (en)
Inventor: 孟翔
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Events
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010520494.1A
Publication of CN111683095A
Application granted
Publication of CN111683095B
Status: Active

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1475 Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an attack detection method comprising the following steps: acquiring traffic data in a wide area network; determining, according to the attributes of the traffic data, whether information gathering (reconnaissance) behavior is occurring in the wide area network; and outputting attack prompt information when information gathering behavior is found to occur in the wide area network. The invention also discloses an attack detection device and a computer readable storage medium. Data security in the wide area network is thereby improved.

Description

Attack detection method and device and computer readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an attack detection method and apparatus, and a computer readable storage medium.
Background
In a wide area network scenario, once an intranet host or server has been compromised by an attacker it becomes a zombie host (a "broiler", 肉鸡, in the original) under the attacker's control, and the attacker uses it to spread through the intranet (lateral movement). Data in the wide area network is stolen as a result, so data security in the wide area network is low.
Disclosure of Invention
The invention mainly aims to provide an attack detection method and device and a computer readable storage medium, and aims to solve the problem of low data security in a wide area network.
In order to achieve the above object, the present invention provides an attack detection method comprising the steps of:
acquiring traffic data in the wide area network;
determining, according to the attributes of the traffic data, whether information gathering behavior occurs in the wide area network;
and outputting attack prompt information when information gathering behavior occurs in the wide area network.
In one embodiment, the step of determining whether information gathering occurs in the wide area network according to the attributes of the traffic data includes:
extracting data of a preset protocol from the traffic data, wherein the preset protocol comprises at least one of the Domain Name System (DNS) protocol, the Server Message Block (SMB) protocol and a network authentication protocol (Kerberos), and the attribute is determined according to the data of the preset protocol;
and determining, according to the attributes of the data of the preset protocol, whether information gathering behavior occurs in the wide area network.
In an embodiment, the preset protocol includes the DNS protocol, and the step of determining whether information gathering behavior occurs in the wide area network according to the attributes of the data of the preset protocol includes:
determining, from the DNS protocol data, that a server in the wide area network has generated an information synchronization (zone transfer) event, and determining the destination IP address and source IP address corresponding to that event;
and determining, from the destination IP address and the source IP address, whether information gathering behavior occurs in the wide area network.
In an embodiment, the step of determining whether information gathering behavior occurs in the wide area network based on the destination IP address and the source IP address comprises:
judging that information gathering behavior occurs in the wide area network when the destination IP address is the address of the primary (master) DNS server of the wide area network and the source IP address is not the address of a secondary (slave) DNS server of the wide area network.
In an embodiment, the preset protocol includes the SMB protocol, and the step of determining whether information gathering behavior occurs in the wide area network according to the attributes of the data of the preset protocol includes:
determining whether the SMB protocol data contains a call to an enumeration function, and judging that information gathering behavior occurs in the wide area network when it does.
In an embodiment, the preset protocol includes the SMB protocol, and the step of determining whether information gathering behavior occurs in the wide area network according to the attributes of the data of the preset protocol includes:
confirming whether a second preset value is contained in the SMB protocol data, and judging that information gathering behavior occurs in the wide area network when it is.
In an embodiment, the preset protocol includes the network authentication protocol, and the step of determining whether information gathering behavior occurs in the wide area network according to the attributes of the data of the preset protocol includes:
confirming whether a second preset field appears in the network authentication protocol data, and judging that information gathering behavior occurs in the wide area network when it does.
In an embodiment, after the step of confirming whether the second preset field appears in the network authentication protocol data, the method further includes:
when the second preset field appears in the network authentication protocol data, determining whether its frequency of appearance is greater than or equal to a preset frequency, and judging that information gathering behavior occurs in the wide area network when it is.
In order to achieve the above object, the present invention also provides an attack detection apparatus including a memory, a processor, and an attack detection program stored in the memory and executable on the processor, which when executed by the processor, implements the respective steps of the attack detection method as described above.
In order to achieve the above object, the present invention also provides a computer-readable storage medium storing an attack detection program which, when executed by a processor, implements the respective steps of the attack detection method described above.
The attack detection device acquires the traffic data in the wide area network, determines from the attributes of that traffic whether information gathering behavior is occurring, and outputs warning information if it is. After a host or server in the wide area network has been compromised, the attacker uses it to probe the deployment and the accounts of the network, that is, to collect information about hosts, servers and accounts in the wide area network. By detecting this information gathering behavior the device can determine that the wide area network has been compromised, and it then outputs warning information prompting operations staff to take countermeasures before data in the wide area network is stolen, so data security in the wide area network is improved.
Drawings
Fig. 1 is a schematic diagram of a hardware architecture of an attack detection device according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of an attack detection method according to the present invention;
FIG. 3 is a schematic diagram of a refinement flow chart of step S200 in FIG. 2;
FIG. 4 is a detailed flowchart of step S220 in the second embodiment of the attack detection method according to the present invention;
FIG. 5 is a detailed flowchart of step S200 in a third embodiment of the attack detection method according to the present invention;
FIG. 6 is a detailed flowchart of step S200 in a fourth embodiment of the attack detection method according to the present invention;
fig. 7 is a detailed flowchart of step S200 in the fifth embodiment of the attack detection method according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The main solution of the embodiments of the present invention is: acquiring traffic data in a wide area network; determining, according to the attributes of the traffic data, whether information gathering behavior occurs in the wide area network; and outputting attack prompt information when it does.
As an implementation manner, an attack detection device according to an embodiment of the present invention is provided.
As shown in fig. 1, the attack detection device includes a processor 101, such as a CPU, a memory 102, and a communication bus 103, where the communication bus 103 provides the connection between these components.
The memory 102 may be high-speed RAM or non-volatile memory such as disk storage. As shown in fig. 1, the memory 102, as a kind of computer storage medium, may hold an attack detection program, and the processor 101 may be configured to invoke the attack detection program stored in the memory 102 and perform the following operations:
acquiring traffic data in the wide area network;
determining, according to the attributes of the traffic data, whether information gathering behavior occurs in the wide area network;
and outputting attack prompt information when information gathering behavior occurs in the wide area network.
In one embodiment, the processor 101 may be configured to invoke an attack detection program stored in the memory 102 and perform the following operations:
extracting data of a preset protocol from the traffic data, wherein the preset protocol comprises at least one of the DNS protocol, the SMB protocol and a network authentication protocol (Kerberos), and the attribute is determined according to the data of the preset protocol;
and determining whether information collection behavior occurs in the wide area network according to the attribute of the data of the preset protocol.
In an embodiment, the preset protocol includes a domain name system protocol, and the step of determining whether the information gathering behavior occurs in the wide area network according to the attribute of the data of the preset protocol includes:
determining that a server in the wide area network generates an information synchronization event according to the data of the domain name system protocol, and determining a destination IP address and a source IP address corresponding to the information synchronization event;
and determining whether the wide area network generates information gathering behavior according to the destination IP address and the source IP address.
In one embodiment, the processor 101 may be configured to invoke an attack detection program stored in the memory 102 and perform the following operations:
judging that information gathering behavior occurs in the wide area network when the destination IP address is the address of the primary (master) DNS server of the wide area network and the source IP address is not the address of a secondary (slave) DNS server of the wide area network.
In one embodiment, the processor 101 may be configured to invoke an attack detection program stored in the memory 102 and perform the following operations:
determining whether the SMB protocol data contains a call to an enumeration function, and judging that information gathering behavior occurs in the wide area network when it does.
In one embodiment, the processor 101 may be configured to invoke an attack detection program stored in the memory 102 and perform the following operations:
confirming whether a second preset value is contained in the SMB protocol data, and judging that information gathering behavior occurs in the wide area network when it is.
In one embodiment, the processor 101 may be configured to invoke an attack detection program stored in the memory 102 and perform the following operations:
and confirming whether a second preset field appears in the data of the network authentication protocol, wherein when the second preset field appears in the data of the network authentication protocol, judging that information collection behavior occurs in the wide area network.
In one embodiment, the processor 101 may be configured to invoke an attack detection program stored in the memory 102 and perform the following operations:
and when a second preset field appears in the data of the network authentication protocol, determining whether the appearance frequency of the second preset field is larger than or equal to a preset frequency, wherein when the appearance frequency is larger than or equal to the preset frequency, judging that information collection behavior occurs in the wide area network.
According to the above scheme, the attack detection device acquires the traffic data in the wide area network, determines from its attributes whether information gathering behavior is occurring, and outputs warning information if it is. Because an attacker who has compromised a host or server uses it to collect information about hosts, servers and accounts, detecting that collection reveals the compromise early enough for operations staff to act before data in the wide area network is stolen.
Based on the hardware framework of the attack detection device, the embodiment of the attack detection method is provided.
Referring to fig. 2, fig. 2 is a first embodiment of the attack detection method according to the present invention, the attack detection method includes the steps of:
Step S100, acquiring traffic data in a wide area network;
In this embodiment the execution subject is the attack detection device, referred to below simply as the device. The device is deployed in the wide area network, which may be an AD (Active Directory) domain or another wide area network, and it captures the traffic data of that network, either in real time or at fixed intervals.
Step S200, determining, according to the attributes of the traffic data, whether information gathering behavior occurs in the wide area network;
After obtaining the traffic data, the device analyzes it to determine whether information gathering activity has occurred in the wide area network. Information gathering includes collection of information about hosts in the wide area network, about servers in the wide area network, about accounts in the wide area network, and so on, and each of these can be recognized from protocol data. Specifically, referring to fig. 3, step S200 includes:
Step S210, extracting data of a preset protocol from the traffic data, wherein the preset protocol comprises at least one of the DNS protocol, the SMB protocol and a network authentication protocol (Kerberos), and the attribute is determined according to the data of the preset protocol;
Step S220, determining, according to the attributes of the data of the preset protocol, whether information gathering behavior occurs in the wide area network.
Information gathering typically uses the DNS (Domain Name System) protocol, the SMB (Server Message Block) protocol and the Kerberos protocol (a network authentication protocol). The device therefore filters the DNS, SMB and Kerberos data out of the traffic and discards the rest; the preset protocol includes at least one of these three. The "attribute" of the traffic data is simply which protocol a given piece of data belongs to, so the attribute is determined from the data of the preset protocol, and the device decides from that protocol data whether information gathering behavior is occurring in the wide area network.
And step S300, outputting attack prompt information when the information gathering behavior in the wide area network is determined.
The device analyzes the preset protocol data to determine whether host, server or account information gathering is taking place in the wide area network; if any one of these is found, the device determines that information gathering behavior occurs and outputs attack prompt information. The device may send this warning to the terminal of the wide area network's administrator so that the administrator can take measures and prevent further theft of data from the wide area network.
In the technical scheme provided by this embodiment, the attack detection device acquires the traffic data in the wide area network, determines from its attributes whether information gathering behavior is occurring, and outputs warning information if it is, so that a compromise is detected at the reconnaissance stage, before data in the wide area network is stolen.
Referring to fig. 4, fig. 4 is a second embodiment of the attack detection method according to the present invention, based on the first embodiment, the step S220 includes:
Step S221, determining, from the DNS protocol data, that a server in the wide area network has generated an information synchronization event, and determining the destination IP address and source IP address corresponding to that event;
Step S222, determining from the destination IP address and source IP address whether information gathering behavior occurs in the wide area network, where information gathering behavior is judged to occur when the destination IP address is the address of the primary (master) DNS server of the wide area network and the source IP address is not the address of a secondary (slave) DNS server of the wide area network.
In this embodiment the preset protocol includes the DNS protocol, that is, the preset protocol data is DNS protocol data. An attacker may carry out DNS probing in the wide area network: a zone transfer, the mechanism by which DNS servers synchronize zone data, is requested in order to learn which hosts the wide area network contains. Specifically, the device determines from the DNS protocol data (the data generated by the Domain Name System) whether a server in the wide area network has had an information synchronization event, and if so obtains the destination and source IP addresses of that event. If the destination IP address is the primary DNS server of the wide area network and the source IP address is not one of its secondary DNS servers, the request did not come from a legitimate replication partner, and it can be concluded that an attacker is impersonating one in order to pull host information from the primary DNS server, that is, DNS probing is occurring as information gathering in the wide area network. The attack prompt information may in this case state that the attack is DNS probing.
The device confirms that a server in the wide area network has had an information synchronization event from a field of the DNS protocol data. It inspects the DNS protocol data and extracts a first preset field, which may be the query type field; if the value of that field is a first preset value, for example AXFR (the full zone transfer query type, QTYPE 252), it determines that an information synchronization event has occurred at a server in the wide area network. AXFR is the mnemonic for that query type; on the wire it is a numeric code.
In the technical solution of this embodiment the device obtains DNS protocol data, and when it determines from that data that an information synchronization event has occurred in the wide area network, it obtains the destination and source IP addresses of the event; if the destination is the primary DNS server of the wide area network and the source is not a secondary DNS server of the wide area network, it determines that DNS probing, a form of information gathering, is occurring.
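As an added example (not code from the patent or from Sangfor), the following Python implements steps S221 and S222 over a raw DNS message: it builds a constructed AXFR query, extracts the query type from the question section, and raises the alert when the request targets the primary DNS server from an address outside the allow-list of secondaries. The primary and secondary addresses are assumptions made for the example, and the check also treats IXFR (incremental zone transfer, QTYPE 251) as a synchronization event, which goes one step beyond the AXFR value the text names.

```python
import struct

# DNS QTYPE values for zone transfers (RFC 1035 AXFR, RFC 1995 IXFR).
QTYPE_AXFR = 252
QTYPE_IXFR = 251
ZONE_TRANSFER_QTYPES = {QTYPE_AXFR, QTYPE_IXFR}

# Constructed inventory for the example (assumption): the primary DNS server
# of the domain and the secondaries allowed to pull zones from it.
PRIMARY_DNS = {"10.0.0.53"}
AUTHORIZED_SECONDARIES = {"10.0.1.53", "10.0.2.53"}


def build_dns_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message: header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_dns_question(msg: bytes, tcp: bool = False):
    """Return (qname, qtype) of the first question, or None if not a query.

    Zone transfers run over TCP, where the message carries a 2-byte length
    prefix (RFC 1035 section 4.2.2); pass tcp=True to strip it.
    """
    if tcp:
        (length,) = struct.unpack("!H", msg[:2])
        msg = msg[2 : 2 + length]
    if len(msg) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response: skip
        return None
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # a compression pointer is not valid in a question name
            return None
        labels.append(msg[off : off + n].decode("ascii", "replace"))
        off += n
    qtype, _qclass = struct.unpack("!HH", msg[off : off + 4])
    return ".".join(labels), qtype


def check_zone_transfer(src_ip: str, dst_ip: str, msg: bytes, tcp: bool = False):
    """Steps S221/S222: flag a zone-transfer request sent to a primary DNS
    server by a host that is not an authorized secondary."""
    parsed = parse_dns_question(msg, tcp=tcp)
    if parsed is None:
        return None
    qname, qtype = parsed
    if qtype not in ZONE_TRANSFER_QTYPES:
        return None  # ordinary lookup, not a synchronization event
    if dst_ip in PRIMARY_DNS and src_ip not in AUTHORIZED_SECONDARIES:
        kind = "AXFR" if qtype == QTYPE_AXFR else "IXFR"
        return f"DNS probing: unauthorized {kind} of {qname} from {src_ip} to {dst_ip}"
    return None


if __name__ == "__main__":
    q = build_dns_query("corp.local", QTYPE_AXFR)
    print(check_zone_transfer("10.0.1.53", "10.0.0.53", q))  # legitimate secondary
    print(check_zone_transfer("10.0.5.77", "10.0.0.53", q))  # unknown source
```

A production sensor would key the allow-list on the zone as well as the server, since a primary may host zones whose secondaries differ.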
Referring to fig. 5, fig. 5 is a third embodiment of the attack detection method according to the present invention, based on the first or second embodiment, the step S220 includes:
Step S223, determining whether the SMB protocol data contains a call to an enumeration function, where information gathering behavior is judged to occur in the wide area network when it does.
In this embodiment the preset protocol includes the SMB protocol, that is, the preset protocol data is SMB protocol data. The device can detect SMB session enumeration in the wide area network, which is an attacker probing every host in the wide area network that has SMB enabled. Specifically, the device obtains the SMB protocol data and determines whether it contains an enumeration function, meaning the value produced when the NetSessionEnum method is called, e.g. opnum 12. Within SMB, the DCERPC protocol (Distributed Computing Environment Remote Procedure Call) is carried; within DCERPC the SRVSVC interface (UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188) is bound; and finally the NetSessionEnum method of SRVSVC is called, which is the enumeration function. A call to NetSessionEnum is treated as information probing of all SMB-enabled hosts in the wide area network. When SMB session enumeration is found, the warning information may state SMB session enumeration. It should be noted that the device may perform DNS probing detection and SMB session enumeration detection in any order.
In the technical scheme of this embodiment the device obtains the SMB protocol data, analyzes it to determine whether an enumeration function is included, and if so determines that an attacker is performing information gathering in the wide area network.
Referring to fig. 6, fig. 6 is a fourth embodiment of the attack detection method according to the present invention, based on any one of the first to third embodiments, the step S220 includes:
Step S224, determining whether a second preset value is included in the SMB protocol data, where information gathering behavior is judged to occur in the wide area network when it is.
In this embodiment the preset protocol includes the SMB protocol, that is, the preset protocol data includes SMB protocol data. The device performs directory query probing detection, namely SAMR probing detection. Specifically, the device obtains the SMB protocol data, and if it finds that DCERPC is carried in SMB, that the SAMR (Security Account Manager Remote) protocol interface, UUID 12345778-1234-ABCD-EF00-0123456789AC, is bound within DCERPC, and that specific opnum values (the second preset value) of SAMR, all of which correspond to operations such as account enumeration and user group enumeration, are called within a short time, and if those opnum operations had not been seen during the preceding week (the baseline), it can be determined that SAMR probing is taking place, that is, information gathering in the AD domain, and the warning information may state SAMR probing.
It should be noted that the device may perform at least two of DNS probing detection, SMB session enumeration detection and SAMR probing detection in any order. In the technical solution of this embodiment, the device obtains SAMR protocol data, checks whether it contains the second preset value, and if so determines that an attacker is performing information gathering in the wide area network.
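As an added example serving both the SMB session enumeration check (step S223) and the SAMR probing check (step S224), and not code from the patent or from Sangfor, the following Python works at the DCE/RPC layer that the text describes as being carried inside SMB: it parses bind PDUs to learn which interface UUID each presentation context refers to, parses request PDUs for the opnum, and flags NetSessionEnum (SRVSVC opnum 12) or SAMR enumeration opnums that are absent from a one-week baseline. Assumptions: the SMB2 framing around the named pipe is not parsed, connections are keyed by (source, destination) address only, the set of SAMR opnums is my own selection from MS-SAMR because the text only says "specific opnum values", the "within a short time" condition is reduced to flagging the first such call, and the PDUs and baseline are constructed for the example.

```python
import struct
import uuid

# Interface UUIDs seen in the DCE/RPC bind (MS-SRVS, MS-SAMR) and the NDR
# transfer syntax used by both.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

SRVSVC_NETSESSIONENUM = 12  # the "enumeration function" of step S223
# SAMR opnums tied to account/group enumeration (MS-SAMR). The patent does
# not list its opnums; this set is an assumption for the example.
SAMR_ENUM_OPNUMS = {
    6: "SamrEnumerateDomainsInSamServer",
    11: "SamrEnumerateGroupsInDomain",
    13: "SamrEnumerateUsersInDomain",
    15: "SamrEnumerateAliasesInDomain",
    40: "SamrQueryDisplayInformation",
}
PTYPE_REQUEST, PTYPE_BIND = 0, 11


def _header(ptype: int, body: bytes, call_id: int) -> bytes:
    # rpc_vers 5, minor 0, ptype, pfc_flags FIRST|LAST, drep little-endian,
    # frag_length, auth_length 0, call_id
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, 16 + len(body), 0, call_id) + body


def build_bind(iface: uuid.UUID, ctx_id: int = 0, call_id: int = 1, version=(1, 0)) -> bytes:
    """Constructed bind PDU offering one presentation context for `iface`."""
    body = struct.pack("<HHI", 4280, 4280, 0)          # max frag sizes, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                # one context element
    body += struct.pack("<HBB", ctx_id, 1, 0)           # ctx id, one transfer syntax
    body += iface.bytes_le + struct.pack("<HH", *version)   # abstract syntax
    body += NDR32_UUID.bytes_le + struct.pack("<I", 2)  # NDR transfer syntax v2
    return _header(PTYPE_BIND, body, call_id)


def build_request(opnum: int, ctx_id: int = 0, call_id: int = 2, stub: bytes = b"") -> bytes:
    """Constructed request PDU calling `opnum` on presentation context `ctx_id`."""
    return _header(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)


def parse_pdu(pdu: bytes) -> dict:
    """Decode the fields the detector needs from a bind or request PDU."""
    vers, _minor, ptype, _flags, _drep, frag_len, _auth, _call = struct.unpack("<BBBBIHHI", pdu[:16])
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("not a well-formed DCE/RPC PDU")
    body = pdu[16:]
    if ptype == PTYPE_BIND:
        contexts, off = {}, 12                # context list starts after 12-byte bind header
        for _ in range(body[8]):              # n_context_elem
            ctx_id, n_syn = struct.unpack("<HB", body[off : off + 3])
            contexts[ctx_id] = uuid.UUID(bytes_le=body[off + 4 : off + 20])
            off += 24 + 20 * n_syn            # element = 4 + abstract(20) + n_syn*20
        return {"ptype": "bind", "contexts": contexts}
    if ptype == PTYPE_REQUEST:
        _hint, ctx_id, opnum = struct.unpack("<IHH", body[:8])
        return {"ptype": "request", "ctx_id": ctx_id, "opnum": opnum}
    return {"ptype": ptype}


class RpcEnumDetector:
    """Steps S223/S224: remember which interface each bound context maps to,
    then judge request opnums against the interface and a weekly baseline."""

    def __init__(self, baseline: set):
        self.baseline = baseline   # (src_ip, interface uuid, opnum) seen in the prior week
        self.contexts = {}         # (src, dst) -> {ctx_id: interface uuid}

    def observe(self, src_ip: str, dst_ip: str, pdu: bytes):
        info = parse_pdu(pdu)
        key = (src_ip, dst_ip)
        if info["ptype"] == "bind":
            self.contexts.setdefault(key, {}).update(info["contexts"])
            return None
        if info["ptype"] != "request":
            return None
        iface, opnum = self.contexts.get(key, {}).get(info["ctx_id"]), info["opnum"]
        if iface == SRVSVC_UUID and opnum == SRVSVC_NETSESSIONENUM:
            return f"SMB session enumeration: {src_ip} called NetSessionEnum on {dst_ip}"
        if iface == SAMR_UUID and opnum in SAMR_ENUM_OPNUMS:
            if (src_ip, iface, opnum) in self.baseline:
                return None  # routine for this host, e.g. a management server
            return f"SAMR probing: {src_ip} called {SAMR_ENUM_OPNUMS[opnum]} on {dst_ip}"
        return None
```

Keying contexts by (src, dst) collapses all SMB connections between two hosts into one; a real sensor should key on the TCP connection and SMB file handle, because context ids are only unique per association.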
Referring to fig. 7, fig. 7 is a fifth embodiment of the attack detection method according to the present invention, based on any one of the first to fourth embodiments, the step S220 includes:
step S225 is executed to confirm whether a second preset field appears in the data of the network authentication protocol, where information collection behavior is judged to occur in the wide area network when the second preset field appears in the data of the network authentication protocol. In this embodiment, the preset protocol includes a network authentication protocol, that is, the data of the preset protocol is the data of the network authentication protocol. The device may detect an account enumeration event in the wide area network. An account enumeration event is a hacker probing account information in the wide area network.
The device acquires Kerberos protocol data (data of the network authentication protocol) and then judges whether the Kerberos protocol data contains the second preset field. The second preset field may be KDC_ERR_C_PRINCIPAL_UNKNOWN (code=6) or KRB5KDC_ERR_PREAUTH_REQUIRED (code=25). If the Kerberos protocol data contains the second preset field, it can be determined that the hacker is logging in with the account in order to check the account information; at this time, the alert information may be an account viewing event. code=6 represents an account user name error, and code=25 represents an account password error.
Further, when the second preset field appears in the Kerberos protocol data, the device determines the frequency of appearance of the second preset field, that is, the number of times the second preset field appears in a continuous time period divided by the length of that period. If the occurrence frequency is greater than or equal to the preset frequency, it determines that an account enumeration event has occurred, i.e. that information gathering activity is taking place according to the data of the network authentication protocol.
The device further determines whether a third preset field is included in the data of the network authentication protocol (the third data); the third preset field may be KRB5KDC_ERR_PREAUTH_REQUIRED. If the third preset field is contained, the account enumeration succeeded; if it is not contained, the enumeration failed. When the device determines that the third data contains the third preset field, it outputs warning information of successful account enumeration; when it determines that the third data does not contain the third preset field, it outputs warning information of failed account enumeration.
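As an added example (not code from the patent), the following Python carries the Kerberos steps above through on constructed KRB-ERROR observations: the first matching error per source raises the account viewing event, the error frequency over the source's continuous activity period is compared with a preset frequency, and the presence of code 25 decides between the successful and failed account enumeration warnings. The preset frequency of one error per second, the one-second floor on the period and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos KRB-ERROR codes (RFC 4120) that form the page's "second preset field".
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # client principal does not exist
KDC_ERR_PREAUTH_REQUIRED = 25      # principal exists; KDC demands pre-authentication
WATCHED = {KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_REQUIRED}
PRESET_FREQ = 1.0                  # assumed preset frequency: one such error per second
MIN_PERIOD = timedelta(seconds=1)  # floor so a single error does not divide by zero

def analyze_kerberos(records):
    """records: KRB-ERROR observations sorted by ts, dicts with ts, src, cname, code.
    Emits 'account viewing event' on the first watched error per source, then an
    'account enumeration' alert when the error frequency (count / continuous
    period from first to last error) reaches PRESET_FREQ."""
    by_src = defaultdict(list)
    for r in records:
        if r["code"] in WATCHED:
            by_src[r["src"]].append(r)
    alerts = []
    for src, errs in by_src.items():
        alerts.append({"alert": "account viewing event", "src": src,
                       "first_seen": errs[0]["ts"]})
        period = max(errs[-1]["ts"] - errs[0]["ts"], MIN_PERIOD)
        freq = len(errs) / period.total_seconds()
        if freq < PRESET_FREQ:
            continue
        # Code 25 replies name principals that exist (the third preset field),
        # so the enumeration succeeded; only code 6 replies means it failed.
        found = sorted({e["cname"] for e in errs
                        if e["code"] == KDC_ERR_PREAUTH_REQUIRED})
        alerts.append({"alert": "account enumeration "
                                + ("succeeded" if found else "failed"),
                       "src": src, "errors_per_s": round(freq, 2),
                       "valid_accounts": found})
    return alerts

T0 = datetime(2020, 6, 8, 9, 0, 0)

def rec(sec, src, cname, code):
    return {"ts": T0 + timedelta(seconds=sec), "src": src,
            "cname": cname, "code": code}

# Constructed sample: 10.0.0.20 is a user who mistypes a name and then logs in
# normally; 10.0.0.77 tries eight names in 3.5 s and hits two real accounts.
SAMPLE = [rec(0, "10.0.0.20", "j.smith", 6),
          rec(5, "10.0.0.20", "jsmith", 14),      # KDC_ERR_ETYPE_NOSUPP, ignored
          rec(120, "10.0.0.20", "jsmith", 25),
          rec(10.0, "10.0.0.77", "bob", 6), rec(10.5, "10.0.0.77", "carol", 6),
          rec(11.0, "10.0.0.77", "dave", 6), rec(11.5, "10.0.0.77", "admin", 25),
          rec(12.0, "10.0.0.77", "erin", 6), rec(12.5, "10.0.0.77", "frank", 6),
          rec(13.0, "10.0.0.77", "svc_backup", 25), rec(13.5, "10.0.0.77", "grace", 6)]
```

`analyze_kerberos(SAMPLE)` yields an account viewing event for both sources but an enumeration alert only for 10.0.0.77, whose two code-25 replies mark the enumeration as successful.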
It should be noted that the device may perform at least two of DNS detection, SMB session enumeration, SAMR detection and account enumeration in any order. The device can comprehensively detect whether information collection behavior occurs in the wide area network through DNS detection, SMB session enumeration, account enumeration and SAMR detection, so that whether the wide area network is under attack can be accurately determined. Meanwhile, because the judgment is made on the specific protocol data within the traffic data, the information collection behavior can be determined accurately and reliably.
In the technical solution provided in this embodiment, the device determines whether a second preset field exists in Kerberos protocol data, and if the second preset field exists, it may determine that an information gathering behavior occurs in the wide area network.
The present invention also provides an attack detection device, which includes a memory, a processor, and an attack detection program stored in the memory and executable on the processor, where the attack detection program, when executed by the processor, implements the steps of the attack detection method according to the above embodiment.
The present invention also provides a computer-readable storage medium storing an attack detection program which, when executed by a processor, implements the steps of the attack detection method described in the above embodiments.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (8)

1. An attack detection method, characterized in that it comprises the steps of:
acquiring traffic data of a wide area network;
determining whether information collection behavior occurs in the wide area network according to the attribute of the flow data, wherein the information collection behavior comprises at least one of information collection of a host in the wide area network, information collection of a server in the wide area network and account information searching in the wide area network;
outputting attack prompt information when the information collection behavior in the wide area network is determined;
the step of determining whether information gathering behavior occurs in the wide area network according to the attribute of the traffic data includes:
extracting data of a preset protocol from the flow data, wherein the preset protocol comprises at least one of a domain name system protocol, a server information block protocol and a network authentication protocol, and the attribute is determined according to the data of the preset protocol;
determining whether information collection behavior occurs in the wide area network according to the attribute of the data of a preset protocol;
the step of determining whether the information gathering behavior occurs in the wide area network according to the attribute of the data of the preset protocol includes:
extracting a type field from the data of the domain name system protocol, if the value of the type field is a first preset value, determining that an information synchronization event occurs in a server in the wide area network, and determining a destination IP address and a source IP address corresponding to the information synchronization event;
and determining whether the wide area network generates information gathering behavior according to the destination IP address and the source IP address.
2. The attack detection method according to claim 1, wherein the step of determining whether the wide area network has information gathering behavior based on the destination IP address and the source IP address comprises:
and under the condition that the destination IP address is the address of a domain name system main server in the wide area network and the source IP address is not the address of a domain name system slave server in the wide area network, judging that information gathering behavior occurs in the wide area network.
3. The attack detection method according to claim 1, wherein the preset protocol includes a server information block protocol, and the step of determining whether information gathering behavior occurs in the wide area network according to an attribute of data of the preset protocol includes:
determining whether the data of the server information block protocol contains an enumeration function, wherein when the data of the server information block protocol contains the enumeration function, information collection behavior in the wide area network is judged.
4. The attack detection method according to claim 1, wherein the preset protocol includes a server information block protocol, and the step of determining whether information gathering behavior occurs in the wide area network according to an attribute of data of the preset protocol includes:
and confirming whether the second preset value is contained in the data of the server information block protocol, wherein when the second preset value is contained in the data of the server information block protocol, judging that information collection behavior occurs in the wide area network.
5. The attack detection method according to claim 1, wherein the preset protocol includes a network authentication protocol, and the step of determining whether information gathering behavior occurs in the wide area network according to an attribute of data of the preset protocol includes:
and confirming whether a second preset field appears in the data of the network authentication protocol, wherein when the second preset field appears in the data of the network authentication protocol, judging that information collection behavior occurs in the wide area network.
6. The attack detection method according to claim 5, wherein after the step of confirming whether the second preset field is present in the data of the network authentication protocol, further comprising:
and when a second preset field appears in the data of the network authentication protocol, determining whether the appearance frequency of the second preset field is larger than or equal to a preset frequency, wherein when the appearance frequency is larger than or equal to the preset frequency, judging that information collection behavior occurs in the wide area network.
7. An attack detection apparatus comprising a memory, a processor and an attack detection program stored in the memory and executable on the processor, the attack detection program when executed by the processor implementing the steps of the attack detection method according to any of claims 1-5.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores an attack detection program which, when executed by a processor, implements the respective steps of the attack detection method according to any of claims 1-6.
CN202010520494.1A 2020-06-08 2020-06-08 Attack detection method and device and computer readable storage medium Active CN111683095B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010520494.1A CN111683095B (en) 2020-06-08 2020-06-08 Attack detection method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111683095A CN111683095A (en) 2020-09-18
CN111683095B true CN111683095B (en) 2023-05-12

Family

ID=72435199

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010520494.1A Active CN111683095B (en) 2020-06-08 2020-06-08 Attack detection method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111683095B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015111770A (en) * 2013-12-06 2015-06-18 KDDI Corporation System and method for performing realtime reporting of abnormal internet protocol attack
CN111181930A (en) * 2019-12-17 2020-05-19 China Mobile (Hangzhou) Information Technology Co., Ltd. DDoS attack detection method, device, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on Botnet Detection Methods Based on Abnormal Behavior Characteristics"; Yang Qi; China Master's Theses Full-text Database, Information Science and Technology Series (Monthly); 2011-03-15; see pages 51-54 and page 26 *

Also Published As

Publication number Publication date
CN111683095A (en) 2020-09-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant