CN112134837A - Method and system for detecting Web attack behavior

Publication number: CN112134837A
Authority: CN (China)
Application number: CN202010782683.6A
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 郑霖
Current and original assignee: Ruishu Information Technology Shanghai Co ltd

Classifications

All under H04L63/00 (network architectures or network communication protocols for network security):

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/14: detecting or protecting against malicious traffic; H04L63/1408: by monitoring network traffic)
    • H04L63/126 Applying verification of the received information: verification of the source of the received data
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment


Abstract

The invention provides a method and a system for detecting Web attack behavior. The system comprises a Web service website, a Web honeypot and a threat perception tracing platform; the Web service website and the Web honeypot are used for embedding a tracing script in the webpage data returned to a visitor; the tracing script automatically runs after being loaded, and is used for acquiring the visitor's access data and sending it to the threat perception tracing platform; the threat perception tracing platform is used for collecting the visitor access data sent by the tracing script and detecting Web attack behavior according to that data. The method and the system can effectively improve the detection of Web attack behavior.

Description

Method and system for detecting Web attack behavior
[ technical field ]
The application relates to the technical field of computer security, in particular to a method and a system for detecting Web attack behaviors.
[ background of the invention ]
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
In Web attacks, attackers often use a proxy or other techniques to hide their true source IP. In a more concealed attack, the attacker uses a remote trojan or an automated tool and then generates continuous or batched attacks through proxies, springboard hosts and the like. Traditional defense techniques have difficulty tracing such attacks to locate the attacker.
[ summary of the invention ]
In view of this, the present application provides a method, an apparatus, and a system for detecting a Web attack behavior, so as to improve a detection effect of the Web attack behavior.
The specific technical scheme is as follows:
In a first aspect, the present application provides a system for detecting Web attack behavior, where the system comprises a Web service website, a Web honeypot and a threat perception tracing platform;
the Web service website and the Web honeypot are used for embedding a tracing script in webpage data returned to a visitor;
the tracing script automatically runs after being loaded, and is used for acquiring the visitor's access data and sending it to the threat perception tracing platform;
the threat perception tracing platform is used for collecting visitor access data sent by the tracing script and detecting Web attack behaviors according to the visitor access data.
According to a preferred embodiment of the present application, the Web honeypot includes: at least one of a high-simulation Web honeypot and a low-interaction Web honeypot;
the high-simulation Web honeypot is used for mapping the Web service website through a reverse proxy technology to obtain a cloned Web service website;
the low-interaction Web honeypot is used for simulating a static Web site, and the static Web site is different from the Web service site.
According to a preferred embodiment of the present application, the visitor's access data includes at least one of:
visitor browser feature data, mouse and keyboard event information, touch screen event information, motion sensor event information, visitor device IP address.
According to a preferred embodiment of the present application, the system further comprises: a log collection center;
the tracing script is specifically used for sending the access data of the visitor to the log collection center;
the log collection center is used for collecting and storing the access data of the visitor;
the threat awareness tracing platform is specifically used for acquiring the access data of the visitor from the log collection center.
According to a preferred embodiment of the present application, the threat awareness tracing platform is specifically configured to perform at least one of the following detection processes:
marking visitors who visit the Web honeypot, together with their access data, as threats;
evaluating whether a visitor's access traffic to the Web service website matches a preset threat rule, and if so, marking the visitor and their access data as a threat;
providing the information of visitors marked as threats to a defense system corresponding to the Web service website, so that the defense system prevents those visitors from visiting the Web service website, or redirects their visits to the Web service website to the Web honeypot;
analyzing the historical visit track of a visitor marked as a threat and restoring the life cycle of the threat event.
In a second aspect, the present application provides a method for detecting a Web attack behavior, where the method includes:
embedding a tracing script in webpage data returned to a visitor by a Web service website and a Web honeypot;
the tracing script automatically runs after being loaded, acquires the visitor's access data and sends it to the threat perception tracing platform;
the threat perception tracing platform collects the visitor access data sent by the tracing script, and the Web attack behavior is detected according to the visitor access data.
According to a preferred embodiment of the present application, the Web honeypot includes at least one of a high-simulation Web honeypot and a low-interaction Web honeypot:
the high-simulation Web honeypot maps the Web service website through a reverse proxy technology to obtain a cloned Web service website; and/or
the low-interaction Web honeypot simulates a static Web site, which is different from the Web service site.
According to a preferred embodiment of the present application, the visitor's access data includes at least one of:
visitor browser feature data, mouse and keyboard event information, touch screen event information, motion sensor event information, visitor device IP address.
According to a preferred embodiment of the present application, the sending to the threat perception tracing platform includes:
the tracing script sends the acquired visitor access data to the threat perception tracing platform in real time; or
the tracing script sends the collected visitor access data to a log collection center, and the threat perception tracing platform obtains the visitor access data from the log collection center.
According to a preferred embodiment of the present application, detecting the Web attack behavior according to the visitor's access data includes:
the threat perception tracing platform marks visitors who visit the Web honeypot, together with their access data, as threats; and/or
the threat perception tracing platform evaluates whether a visitor's access traffic to the Web service website matches a preset threat rule, and if so, marks the visitor and their access data as a threat; and/or
the threat perception tracing platform provides the information of visitors marked as threats to a defense system corresponding to the Web service website, so that the defense system prevents those visitors from visiting the Web service website, or redirects their visits to the Web service website to the Web honeypot; and/or
the threat perception tracing platform analyzes the historical visit track of a visitor marked as a threat and restores the life cycle of the threat event.
According to the technical scheme, a Web honeypot and a threat perception tracing platform are deployed, and a tracing script capable of collecting visitor access data is embedded in the Web page data returned to the visitor by both the Web service website and the Web honeypot, so that the threat perception tracing platform can acquire the visitor access data collected by the tracing script and detect Web attack behavior from it. Because detection is based on the collected access data, the attack behavior can be traced even if the attacker hides the source IP behind a proxy or springboard host, and the detection of Web attack behavior is effectively improved.
[ description of the drawings ]
FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application;
fig. 2 is a flowchart of a method for detecting a Web attack behavior based on the above system according to an embodiment of the present application;
FIG. 3 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
To facilitate an understanding of the present application, a description of a system architecture employed by the present application is first described. As shown in fig. 1, the system may include a Web services website, a Web honeypot, and a threat awareness traceability platform.
The Web service website is a normal, real website that provides various Web services online. In the present application, a tracing script may be embedded in the Web page data returned to the visitor, for example by manually embedding tracing JS code.
The Web honeypot is a computer system that simulates a Web site on the Internet: a trap system containing vulnerabilities that offers an attacker an easily attacked target by simulating one or more hosts of a vulnerable website. In the present application, at least one of two kinds of Web honeypot may be included: high-simulation Web honeypots and low-interaction Web honeypots. The figure takes the case that includes both kinds as an example.
The high-simulation Web honeypot maps the Web service website through a reverse proxy technology to obtain a cloned Web service website, that is, the high-simulation Web honeypot imitates a normal Web service website. When a visitor visits the high-simulation Web honeypot, the reverse proxy embeds a tracing script, for example automatically embedded tracing JS code, in the Web page data returned to the visitor.
Deploying high-simulation Web honeypots in the network leads an attacker to mistakenly believe they are accessing the real website. After the attacker successfully logs in to the Web site, part of the real data can be seen, which induces the attacker to perform more operations so that more of the attacker's access data can be collected. This access data can reveal information such as the attacker's intrusion intent and operations.
Further, the high-simulation Web honeypot may additionally be deployed with a WAF (Web Application Firewall) system, which may be a highly flexible, lightweight system. WAF systems are a class of information security technology for Web application security issues that traditional devices such as network firewalls cannot handle. Unlike a traditional firewall, the WAF works at the application layer and therefore has inherent technical advantages for Web application protection. Based on a deep understanding of the Web application's services and logic, the WAF system inspects and verifies the content of each request from Web application clients, ensures that requests are secure and legitimate, and blocks illegal requests in real time, thereby effectively protecting websites. In the embodiment of the application, the degree to which an attacker can damage or steal sensitive data can be reduced by configuring protection rules or algorithms for the WAF system.
The static Web site simulated by the low-interaction Web honeypot comprises a simulated HTTP response and a Web interface; it is different from and unrelated to the normal Web service site. A tracing script is likewise embedded in the Web page data returned by the low-interaction Web honeypot to the visitor.
Because the low-interaction Web honeypot is simple and convenient to deploy at scale, it can be deployed rapidly in large numbers, confusing an attacker who moves laterally or scans website services indiscriminately and collecting more of the attacker's access data. This access data can reveal information such as the attacker's attack techniques and tools.
It can be seen that both the normal Web service website and the Web honeypots described above embed the tracing script in the Web page data returned to the visitor. The tracing script automatically runs after being loaded by the browser, acquires the visitor's access data and sends it to the threat perception tracing platform.
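The response rewriting that the reverse proxy performs for the high-simulation honeypot (and that step 201 of the method below describes) can be shown concretely. The following JavaScript is an added example written for this page, not code from the patent or from the assignee; the script path `/static/trace.js`, the `rewriteResponse` interface with lower-cased header names (as Node's `http` module delivers them) and the optional CSP nonce are assumptions of the example.

```javascript
// Added example (not the patent's reverse proxy): rewriting an upstream HTTP response so
// the HTML returned to the visitor carries the tracing script.
const TRACING_SCRIPT_SRC = "/static/trace.js"; // placeholder path, served by the proxy itself

function buildScriptTag(src, nonce) {
  // A nonce lets the tag pass an upstream Content-Security-Policy that uses 'nonce-...'.
  const nonceAttr = nonce ? ` nonce="${nonce}"` : "";
  return `<script src="${src}"${nonceAttr} async></script>`;
}

// Insert the tag before </head> when present (earliest load), otherwise before </body>,
// otherwise append. Matching is case-insensitive so </HEAD> and </Body> are handled too.
function embedTracingScript(html, tag) {
  for (const closing of [/<\/head\s*>/i, /<\/body\s*>/i]) {
    const m = closing.exec(html);
    if (m) return html.slice(0, m.index) + tag + html.slice(m.index);
  }
  return html + tag;
}

// Rewrite one upstream response {status, headers, body}. Only text/html bodies are
// touched, and only when they are not content-encoded: the proxy must decompress first
// (or request identity encoding upstream), otherwise it would corrupt the stream.
// Content-Length is recomputed because the body grew.
function rewriteResponse(res, opts = {}) {
  const headers = { ...res.headers };
  const ctype = headers["content-type"] || "";
  const encoding = (headers["content-encoding"] || "identity").toLowerCase();
  if (!/^text\/html\b/i.test(ctype) || encoding !== "identity") {
    return { ...res, headers, embedded: false };
  }
  const tag = buildScriptTag(opts.src || TRACING_SCRIPT_SRC, opts.nonce);
  const body = embedTracingScript(res.body, tag);
  headers["content-length"] = String(Buffer.byteLength(body, "utf8"));
  return { status: res.status, headers, body, embedded: true };
}

// Stand-alone demonstration on a constructed upstream response.
const demo = rewriteResponse({
  status: 200,
  headers: { "content-type": "text/html; charset=utf-8" },
  body: "<html><head><title>Login</title></head><body>cloned page</body></html>",
});
console.log(demo.embedded, demo.headers["content-length"]);
console.log(demo.body);
```

The two checks worth keeping from this example are the refusal to touch encoded or non-HTML bodies and the recomputed Content-Length; a proxy that skips either silently breaks the cloned site, which is exactly the kind of inconsistency that lets a careful visitor tell the honeypot from the real website.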
The visitor access data collected by the tracing script may include at least one of the following: visitor browser feature data, mouse and keyboard event information, touch screen event information, motion sensor event information, visitor device IP address. Where the browser characteristic data may be, for example, a browser ID, a fingerprint, etc. The motion sensor may be an acceleration sensor, a gyroscope, or the like.
The threat perception tracing platform collects the visitor access data sent by the tracing script and detects Web attack behavior according to that data.
The tracing script can send the collected visitor access data directly to the threat perception tracing platform in real time.
The tracing script may also send the collected visitor access data to the log collection center, which records it as an access log. The threat perception tracing platform then acquires the access data offline from the log collection center.
In the embodiment of the application, when the threat perception tracing platform detects Web attack behavior according to a visitor's access data, one or any combination of the following detection methods may be adopted, without limitation:
and in the first mode, the threat perception tracing platform monitors the visit of the visitor to the Web honeypots. Preferably, the visit of the visitor to the Web honeypots can be monitored in real time according to the visit data sent by the tracing script. Once the visitors' access to the Web honeypot is monitored, the visitors and their access data are marked as threats. The visitor may be tagged with a browser ID, a fingerprint, a visitor device IP address, a visitor MAC address, etc.
Of course, the visitor accessing the Web honeypot may also be determined by monitoring the access data in the access log recorded by the log collection center. The visitor and its access data are then marked as a threat.
Therefore, even if an attacker generates an attack by hiding a source IP and adopting an agent or springboard mode, the behavior of the attacker for accessing the Web honeypot is collected and exposed due to the setting of the Web honeypot and the collection of the tracing script on the access data of the attacker, so that the attacker and the access data thereof are marked as threats.
In the second mode, the threat perception tracing platform evaluates whether a visitor's access traffic to the Web service website matches a preset threat rule, and if so, marks the visitor and their access data as a threat.
Threat rules are characteristics of threat access traffic obtained by analyzing the access traffic of known threats. The access traffic of a known threat can be identified in any way: based on access to the Web honeypot as in this application, or by other means. That is, for a visitor already identified as an attacker, attack features can be extracted from that visitor's access traffic to establish a threat rule; if another visitor's access traffic to the Web service website matches the rule, that visitor is probably an attacker and is therefore marked as a threat.
In the third mode, the threat perception tracing platform provides the information of visitors marked as threats to the defense system corresponding to the Web service website, so that the defense system prevents those visitors from accessing the Web service website, or redirects their visits to the Web service website to the Web honeypot.
Whether in the first mode, the second mode or another mode, once a visitor is marked as a threat, the visitor information is synchronized into the defense system of the Web service website. That defense system may be a firewall, a WAF system, or any other system capable of controlling traffic to the Web service website.
Once the defense system of the Web service website receives an access request from a visitor marked as a threat, it either denies the request access to the Web service website, or forwards the request to the high-simulation Web honeypot so that the attacker mistakenly believes the real Web service website is being accessed; this collects more of the attacker's access data while minimizing the attacker's impact on the Web service website.
In the fourth mode, the threat perception tracing platform analyzes the historical access track of a visitor marked as a threat and restores the life cycle of the threat event.
In this way, the platform can trace back over a long-period access log and, by analyzing the historical tracks of visitors marked as threats, restore the life cycle of the threat event.
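The four detection modes above (and step 203 of the method below) can be run end to end over an access log. The following JavaScript is an added example, not the patent's platform: the hostnames, fingerprints, IP addresses and the one-JSON-object-per-line log layout are constructed for the example, and the threat rule (request paths a known threat used against the honeypot) is a deliberately simple stand-in for the richer features a real platform would extract.

```javascript
// Added example (not the patent's platform): the four detection modes of the threat
// perception tracing platform run over constructed access-log lines.
const HONEYPOT_HOSTS = new Set(["honeypot.example.test"]); // placeholder hostnames
const SERVICE_HOSTS = new Set(["www.example.test"]);

// Constructed access log as the log collection center might store it: one request per
// line, with the tracing script's fingerprint (fp) and the connection IP recorded server-side.
// fp-A probes the honeypot, then reaches the real site from a different IP; fp-B is benign;
// fp-C never touched the honeypot but repeats fp-A's probe path against the real site.
const SAMPLE_LOG = `
{"ts":"2024-01-01T10:00:00Z","host":"honeypot.example.test","path":"/admin/config.php","ip":"203.0.113.5","fp":"fp-A"}
{"ts":"2024-01-01T10:00:05Z","host":"www.example.test","path":"/","ip":"198.51.100.7","fp":"fp-B"}
{"ts":"2024-01-01T10:02:00Z","host":"www.example.test","path":"/login","ip":"192.0.2.9","fp":"fp-A"}
{"ts":"2024-01-01T10:05:00Z","host":"www.example.test","path":"/admin/config.php","ip":"198.51.100.22","fp":"fp-C"}
{"ts":"2024-01-01T10:06:00Z","host":"www.example.test","path":"/products","ip":"198.51.100.7","fp":"fp-B"}
`;

function parseAccessLog(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((l) => JSON.parse(l));
}

// Mode 1: any visitor whose fingerprint touched a honeypot host is a threat, regardless of
// which IP the request came through.
function markHoneypotVisitors(records) {
  const threats = new Set();
  for (const r of records) if (HONEYPOT_HOSTS.has(r.host)) threats.add(r.fp);
  return threats;
}

// Mode 2, rule extraction: the paths known threats requested on the honeypot become rules.
function extractThreatRules(records, threats) {
  const rules = new Set();
  for (const r of records) if (threats.has(r.fp) && HONEYPOT_HOSTS.has(r.host)) rules.add(r.path);
  return rules;
}

// Mode 2, matching: service-site traffic that matches a rule marks its visitor as a threat.
function applyThreatRules(records, rules) {
  const matched = new Set();
  for (const r of records) if (SERVICE_HOSTS.has(r.host) && rules.has(r.path)) matched.add(r.fp);
  return matched;
}

// Mode 3: what is synchronized to the defense system (firewall / WAF): per threat
// fingerprint, every IP it was seen from, plus the operator's chosen action.
function buildDefenseDirectives(records, threats, action) {
  const directives = [];
  for (const fp of threats) {
    const ips = [...new Set(records.filter((r) => r.fp === fp).map((r) => r.ip))];
    directives.push({ fp, ips, action });
  }
  return directives;
}

// Mode 4: the visitor's historical track in time order, restoring the event life cycle.
function reconstructTimeline(records, fp) {
  return records
    .filter((r) => r.fp === fp)
    .sort((a, b) => a.ts.localeCompare(b.ts))
    .map((r) => ({ ts: r.ts, host: r.host, path: r.path, ip: r.ip }));
}

// Full pipeline: honeypot marking, rule extraction and matching, directives, timelines.
function analyze(logText, action = "redirect-to-honeypot") {
  const records = parseAccessLog(logText);
  const threats = markHoneypotVisitors(records);
  const rules = extractThreatRules(records, threats);
  for (const fp of applyThreatRules(records, rules)) threats.add(fp);
  return {
    threats,
    rules,
    directives: buildDefenseDirectives(records, threats, action),
    timelines: Object.fromEntries([...threats].map((fp) => [fp, reconstructTimeline(records, fp)])),
  };
}

const result = analyze(SAMPLE_LOG);
console.log("threats:", [...result.threats], "rules:", [...result.rules]);
console.log(JSON.stringify(result.directives));
console.log(JSON.stringify(result.timelines["fp-A"]));
```

Keying on the fingerprint rather than the IP is what lets the timeline for fp-A join its honeypot probe from 203.0.113.5 to its later login attempt from 192.0.2.9, which is the point of the first and fourth modes. The converse limitation follows directly: a visitor who changes browser profile between sessions splits into separate identities, which is why the description lists several identifiers (browser ID, fingerprint, IP, MAC) that a real platform would combine rather than rely on one.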
Fig. 2 is a flowchart of a method for detecting a Web attack behavior based on the above system according to an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
In 201, the Web service website and the Web honeypot embed a tracing script in the Web page data returned to the visitor.
As described in the above system embodiment, the Web honeypot may include at least one of a high-emulation Web honeypot and a low-interaction Web honeypot, which is not described herein in detail. Both normal Web service websites and Web honeypots embed a trace-back script in the Web page data returned to the visitor.
In 202, the tracing script is automatically run after being loaded, and the access data of the visitor is collected and sent to the threat perception tracing platform.
The tracing script automatically runs after being loaded by the browser, acquires the visitor's access data and sends it to the threat perception tracing platform. The visitor's access data may include at least one of visitor browser feature data, mouse and keyboard event information, touch screen event information, motion sensor event information, and the visitor device IP address.
Specifically, the tracing script can send the acquired visitor access data to the threat perception tracing platform in real time; the collected visitor access data can also be sent to a log collection center, and the threat perception tracing platform acquires the visitor access data from the log collection center.
In addition, to improve the security of data transmission, the tracing script can encrypt the access data before sending it to the threat perception tracing platform or the log collection center.
In 203, the threat awareness tracing platform collects the visitor's access data sent by the tracing script, and detects the Web attack behavior according to the visitor's access data.
The detection processing of the threat awareness tracing platform on the Web attack behavior may also refer to the related description in the above system embodiment, which is not described herein again.
At 204, the threat awareness platform displays the detection result or alarms when a threat is detected.
The threat perception tracing platform can display the visitor information marked as threat and the access flow information thereof through the threat display interface, or display the life cycle of the threat event obtained by analyzing the historical access track of the visitor marked as the threat. The threat awareness traceability platform may also alarm when a visitor or access traffic marked as a threat is monitored. The manner of the alarm may include, but is not limited to, an interface alarm, an audible alarm, or a manner of sending an alarm message.
The Web honeypot and threat-aware traceability platform in the above-described system may be provided in the form of a computer system or server, respectively, and fig. 3 shows a block diagram of an exemplary computer system/server 012 suitable for use in implementing an embodiment of the invention. The computer system/server 012 shown in fig. 3 is only an example, and should not bring any limitations to the function and the scope of use of the embodiments of the present invention.
As shown in fig. 3, the computer system/server 012 is embodied as a general purpose computing device. The components of computer system/server 012 may include, but are not limited to: one or more processors or processing units 016, a system memory 028, and a bus 018 that couples various system components including the system memory 028 and the processing unit 016.
Bus 018 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer system/server 012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 012 and includes both volatile and nonvolatile media, removable and non-removable media.
System memory 028 can include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)030 and/or cache memory 032. The computer system/server 012 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 034 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 3, commonly referred to as a "hard drive"). Although not shown in FIG. 3, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be connected to bus 018 via one or more data media interfaces. Memory 028 can include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the present invention.
Program/utility 040 having a set (at least one) of program modules 042 can be stored, for example, in memory 028, such program modules 042 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof might include an implementation of a network environment. Program modules 042 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
The computer system/server 012 may also communicate with one or more external devices 014 (e.g., keyboard, pointing device, display 024, etc.). In the present invention, the computer system/server 012 communicates with an external radar device, and may also communicate with one or more devices that enable a user to interact with the computer system/server 012, and/or with any device (e.g., network card, modem, etc.) that enables the computer system/server 012 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 022. Also, the computer system/server 012 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 020. As shown, the network adapter 020 communicates with the other modules of the computer system/server 012 via bus 018. It should be appreciated that although not shown in fig. 3, other hardware and/or software modules may be used in conjunction with the computer system/server 012, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 016 executes programs stored in the system memory 028, thereby executing various functional applications and data processing, such as implementing the method flow provided by the embodiment of the present invention.
The computer program described above may be provided in a computer storage medium encoded with a computer program that, when executed by one or more computers, causes the one or more computers to perform the method flows and/or apparatus operations shown in the above-described embodiments of the invention. For example, the method flows provided by the embodiments of the invention are executed by one or more processors described above.
With the development of time and technology, the meaning of media is more and more extensive, and the propagation path of computer programs is not limited to tangible media any more, and can also be downloaded from a network directly and the like. Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A system for detecting Web attack behavior, the system comprising: a Web service website, a Web honeypot and a threat perception tracing platform;
the Web service website and the Web honeypot are used for embedding a tracing script in webpage data returned to a visitor;
the tracing script automatically runs after being loaded, and is used for acquiring the access data of a visitor and sending the access data to the threat perception tracing platform;
the threat perception tracing platform is used for collecting visitor access data sent by the tracing script and detecting Web attack behaviors according to the visitor access data.
2. The system of claim 1, wherein the Web honeypot comprises: at least one of a high-simulation Web honeypot and a low-interaction Web honeypot;
the high-simulation Web honeypot is used for mapping the Web service website through a reverse proxy technology to obtain a cloned Web service website;
the low-interaction Web honeypot is used for simulating a static Web site, and the static Web site is different from the Web service site.
3. The system of claim 1, wherein the visitor's access data includes at least one of:
visitor browser feature data, mouse and keyboard event information, touch screen event information, motion sensor event information, visitor device IP address.
4. The system of claim 1, further comprising: a log collection center;
the tracing script is specifically used for sending the access data of the visitor to the log collection center;
the log collection center is used for collecting and storing the access data of the visitor;
the threat awareness tracing platform is specifically used for acquiring the access data of the visitor from the log collection center.
5. The system according to any one of claims 1 to 4, wherein the threat perception tracing platform is specifically configured to perform at least one of the following detection processes:
marking visitors who visit the Web honeypots and visit data thereof as threats;
evaluating whether the access flow of the visitor to the Web service website is matched with a preset threat rule, and if so, marking the visitor and the access data thereof as a threat;
providing visitor information marked as a threat to a defense system corresponding to the Web service website, so that the defense system prevents visitors marked as threats from visiting the Web service website, or redirects visitors marked as threats who attempt to visit the Web service website to the Web honeypot;
and analyzing the historical visit track of the visitor marked as the threat and restoring the life cycle of the threat event.
6. A method for detecting Web attack behavior, comprising the following steps:
embedding a tracing script in webpage data returned to a visitor by a Web service website and a Web honeypot;
the tracing script automatically runs after being loaded, acquires the access data of a visitor and sends the access data to a threat perception tracing platform;
the threat perception tracing platform collects the visitor access data sent by the tracing script and detects Web attack behavior according to the visitor access data.
7. The method of claim 6, wherein the Web honeypot comprises at least one of a high-simulation Web honeypot and a low-interaction Web honeypot:
the high-simulation Web honeypot maps the Web service website through a reverse proxy technology to obtain a cloned Web service website; and/or
the low-interaction Web honeypot simulates a static Web site, which is different from the Web service site.
8. The method of claim 6, wherein the visitor's access data includes at least one of:
visitor browser feature data, mouse and keyboard event information, touch screen event information, motion sensor event information, visitor device IP address.
9. The method of claim 6, wherein the sending to the threat perception tracing platform comprises:
the tracing script sends acquired visitor access data to the threat perception tracing platform in real time; alternatively,
the tracing script sends the collected visitor access data to a log collection center, and the threat perception tracing platform obtains the visitor access data from the log collection center.
10. The method according to any one of claims 6 to 9, wherein the detecting the Web attack behavior according to the visitor's access data comprises:
the threat perception tracing platform marks visitors who visit the Web honeypots and visit data thereof as threats; and/or
the threat perception tracing platform evaluates whether the access flow of a visitor to the Web service website is matched with a preset threat rule, and if so, marks the visitor and the access data thereof as threats; and/or
the threat perception tracing platform provides visitor information marked as a threat to a defense system corresponding to the Web service website, so that the defense system prevents visitors marked as threats from visiting the Web service website, or redirects visitors marked as threats who attempt to visit the Web service website to the Web honeypot; and/or
the threat perception tracing platform analyzes the historical visit track of the visitor marked as the threat and restores the life cycle of the threat event.
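Platform-side logic for the detection processes of claims 5 and 10, written as an added Python example (not code from the patent or its applicant): it groups constructed access data reported by the tracing script per visitor, marks honeypot visitors and visitors matching one assumed preset rule (no mouse, keyboard or touch events combined with rapid requests for several distinct paths), produces the block-or-redirect feed for the defense system, and reconstructs a marked visitor's historical track. Host names, event field names and the rule itself are assumptions.

```python
from collections import defaultdict

# Assumed deployment: honeypot hosts and protected site (placeholder names).
HONEYPOT_HOSTS = {"clone.example.test", "decoy.example.test"}
SERVICE_HOST = "www.example.test"

# Preset threat rule (assumed, not taken from the patent): a visitor requests
# at least RULE_MIN_PATHS distinct paths within RULE_WINDOW seconds while the
# tracing script observed no mouse, keyboard or touch events at all.
RULE_WINDOW = 10
RULE_MIN_PATHS = 3

# Constructed sample of the access data a tracing script would report; field
# names are my own. "t" is seconds, "input" counts mouse/key/touch events.
EVENTS = [
    {"t": 100, "visitor": "v1", "ip": "198.51.100.7", "host": SERVICE_HOST, "path": "/", "input": 12},
    {"t": 105, "visitor": "v1", "ip": "198.51.100.7", "host": SERVICE_HOST, "path": "/login", "input": 31},
    {"t": 200, "visitor": "v2", "ip": "203.0.113.9", "host": SERVICE_HOST, "path": "/", "input": 0},
    {"t": 201, "visitor": "v2", "ip": "203.0.113.9", "host": SERVICE_HOST, "path": "/admin", "input": 0},
    {"t": 203, "visitor": "v2", "ip": "203.0.113.9", "host": SERVICE_HOST, "path": "/backup", "input": 0},
    {"t": 300, "visitor": "v3", "ip": "192.0.2.44", "host": "clone.example.test", "path": "/login", "input": 9},
    {"t": 330, "visitor": "v3", "ip": "192.0.2.44", "host": SERVICE_HOST, "path": "/", "input": 4},
]


def by_visitor(events):
    """Log collection step: group access data per visitor, oldest first."""
    tracks = defaultdict(list)
    for ev in events:
        tracks[ev["visitor"]].append(ev)
    for evs in tracks.values():
        evs.sort(key=lambda e: e["t"])
    return tracks


def matches_rule(evs):
    """Slide a RULE_WINDOW over one visitor's time-ordered events."""
    if any(e["input"] > 0 for e in evs):
        return False  # an input device was seen; the rule does not apply
    for i, start in enumerate(evs):
        window = [e for e in evs[i:] if e["t"] - start["t"] <= RULE_WINDOW]
        if len({e["path"] for e in window}) >= RULE_MIN_PATHS:
            return True
    return False


def detect(events):
    """Return {visitor: set(reasons)} for every visitor marked as a threat."""
    marked = {}
    for visitor, evs in by_visitor(events).items():
        reasons = set()
        if any(e["host"] in HONEYPOT_HOSTS for e in evs):
            reasons.add("visited_honeypot")  # anyone on the decoy is a threat
        if matches_rule(evs):
            reasons.add("rule:no_input_rapid_paths")
        if reasons:
            marked[visitor] = reasons
    return marked


def defense_actions(events, marked, redirect=False):
    """Feed for the defense system, keyed by IP: block, or divert to honeypot."""
    action = "redirect_to_honeypot" if redirect else "block"
    return {ev["ip"]: {"visitor": ev["visitor"], "action": action}
            for ev in events if ev["visitor"] in marked}


def life_cycle(events, visitor):
    """Historical track of one visitor: first/last seen plus hosts and paths hit."""
    evs = by_visitor(events).get(visitor, [])
    return {"first_seen": evs[0]["t"] if evs else None,
            "last_seen": evs[-1]["t"] if evs else None,
            "track": [(e["t"], e["host"], e["path"]) for e in evs]}
```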
CN202010782683.6A 2020-08-06 2020-08-06 Method and system for detecting Web attack behavior Pending CN112134837A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010782683.6A CN112134837A (en) 2020-08-06 2020-08-06 Method and system for detecting Web attack behavior

Publications (1)

Publication Number Publication Date
CN112134837A true CN112134837A (en) 2020-12-25

Family

ID=73850789

Country Status (1)

Country Link
CN (1) CN112134837A (en)

Citations (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101222349A (en) * 2007-01-12 2008-07-16 中国电信股份有限公司 Method and system for collecting web user action and performance data
CN101242307A (en) * 2008-02-01 2008-08-13 刘峰 Website access analysis system and method based on built-in code proxy log
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN105989268A (en) * 2015-03-02 2016-10-05 苏宁云商集团股份有限公司 Safety access method and system for human-computer identification
CN106446228A (en) * 2016-10-08 2017-02-22 中国工商银行股份有限公司 Collection analysis method and device for WEB page data
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack
US20170331858A1 (en) * 2016-05-10 2017-11-16 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures
CN107493303A (en) * 2017-09-28 2017-12-19 北京云衢科技有限公司 Network security protection system, network safety protection method and storage medium
CN107612924A (en) * 2017-09-30 2018-01-19 北京奇虎科技有限公司 Attacker's localization method and device based on wireless network invasion
CN107707576A (en) * 2017-11-28 2018-02-16 深信服科技股份有限公司 A kind of network defense method and system based on Honeypot Techniques
CN107797908A (en) * 2017-11-07 2018-03-13 南威软件股份有限公司 A kind of behavioral data acquisition method of website user
CN107979562A (en) * 2016-10-21 2018-05-01 北京计算机技术及应用研究所 A kind of mixed type honey jar Dynamic Deployment System based on cloud platform
CN108959572A (en) * 2018-07-04 2018-12-07 北京知道创宇信息技术有限公司 A kind of network source tracing method, device, electronic equipment and storage medium
CN109361670A (en) * 2018-10-21 2019-02-19 北京经纬信安科技有限公司 Utilize the device and method of the targeted Dynamical Deployment capture malice sample of honey jar
CN109413046A (en) * 2018-09-29 2019-03-01 深圳开源互联网安全技术有限公司 A kind of network protection method, system and terminal device
CN109462599A (en) * 2018-12-13 2019-03-12 烽台科技(北京)有限公司 A kind of honey jar management system
CN109474625A (en) * 2018-12-25 2019-03-15 北京知道创宇信息技术有限公司 Network safety protection method, device and embedded system
CN109831465A (en) * 2019-04-12 2019-05-31 重庆天蓬网络有限公司 A kind of invasion detection method based on big data log analysis
CN109981608A (en) * 2019-03-07 2019-07-05 北京华安普特网络科技有限公司 Network security intrusion detecting system and method based on Web
CN110046647A (en) * 2019-03-08 2019-07-23 同盾控股有限公司 A kind of identifying code machine Activity recognition method and device
CN110336811A (en) * 2019-06-29 2019-10-15 上海淇馥信息技术有限公司 A kind of Cyberthreat analysis method, device and electronic equipment based on honey pot system
CN110602032A (en) * 2019-06-19 2019-12-20 上海云盾信息技术有限公司 Attack identification method and device
CN110677414A (en) * 2019-09-27 2020-01-10 北京知道创宇信息技术股份有限公司 Network detection method and device, electronic equipment and computer readable storage medium
CN111147504A (en) * 2019-12-26 2020-05-12 深信服科技股份有限公司 Threat detection method, apparatus, device and storage medium
CN111193749A (en) * 2020-01-03 2020-05-22 北京明略软件系统有限公司 Attack tracing method and device, electronic equipment and storage medium
CN111404934A (en) * 2020-03-16 2020-07-10 广州锦行网络科技有限公司 Network attack tracing method and system based on dynamic and static combination mode and honey mark technology
CN111404909A (en) * 2020-03-10 2020-07-10 上海豌豆信息技术有限公司 Security detection system and method based on log analysis
CN111428231A (en) * 2020-06-12 2020-07-17 完美世界(北京)软件科技发展有限公司 Safety processing method, device and equipment based on user behaviors

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113645242A (en) * 2021-08-11 2021-11-12 杭州安恒信息技术股份有限公司 Honeypot source tracing method, device and related equipment
CN114143105A (en) * 2021-12-06 2022-03-04 安天科技集团股份有限公司 Method and device for tracing network air threat behavior, electronic equipment and storage medium
CN114143105B (en) * 2021-12-06 2023-12-26 安天科技集团股份有限公司 Source tracing method and device for network air threat behavior bodies, electronic equipment and storage medium
CN114296820A (en) * 2021-12-23 2022-04-08 北京知道创宇信息技术股份有限公司 Plug-in address adding method and device, server and storage medium
CN115022077A (en) * 2022-06-30 2022-09-06 绿盟科技集团股份有限公司 Network threat protection method, system and computer readable storage medium
CN115022077B (en) * 2022-06-30 2023-05-16 绿盟科技集团股份有限公司 Network threat protection method, system and computer readable storage medium
CN115378643A (en) * 2022-07-14 2022-11-22 软极网络技术(北京)有限公司 Network attack defense method and system based on honey dots
CN115378643B (en) * 2022-07-14 2024-02-23 软极网络技术(北京)有限公司 Network attack defense method and system based on honey points
CN115134166A (en) * 2022-08-02 2022-09-30 软极网络技术(北京)有限公司 Attack tracing method based on honey holes
CN115134166B (en) * 2022-08-02 2024-01-26 软极网络技术(北京)有限公司 Attack tracing method based on honey hole
CN115801431A (en) * 2022-11-29 2023-03-14 国网山东省电力公司信息通信公司 Automatic threat tracing method, system, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201225