CN113810343B - Method, device and equipment for detecting function injection attack and readable storage medium - Google Patents


Info

Publication number
CN113810343B
Authority
CN
China
Prior art keywords
request
parameter
function
parameters
injection attack
Prior art date
Legal status
Active
Application number
CN202010542244.8A
Other languages
Chinese (zh)
Other versions
CN113810343A (en)
Inventor
杨荣海
黄志伟
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Events
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010542244.8A
Publication of CN113810343A
Application granted
Publication of CN113810343B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, a device, equipment and a readable storage medium for detecting a function injection attack. The method comprises the following steps: reading a request in a WEB network; analyzing the request and extracting request parameters from the request; judging whether the request parameters are suspicious function parameters; if yes, labeling the request parameters with attributes to obtain labeling results, and identifying the function injection attack type corresponding to the request parameters according to the labeling results and the request parameters. The method and device do not require a large number of rules to be preset, can detect known function injection attacks as well as unknown ones, and therefore achieve high detection efficiency and good universality. Correspondingly, the detection device, equipment and readable storage medium for the function injection attack have the same technical effects.

Description

Method, device and equipment for detecting function injection attack and readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for detecting a function injection attack.
Background
Function injection attack is a common network attack mode in the field of WEB network security. An attacker can use injected functions to upload webshell scripts, execute system commands, and so on, which endangers network security. Rule matching is currently the main way of detecting function injection attacks. This detection mode needs to collect a large number of known types of function injection attacks in advance, extract the corresponding rules from them, then match the data packets corresponding to requests in the WEB network against these rules, and judge any data packet that hits a rule as a function injection attack.
However, because this detection method requires a large number of known types of function injection attacks to be collected in advance, the early-stage workload is large, and the large number of rules derived from them is difficult to maintain. Furthermore, since the rules are determined from known types of function injection attacks, they can only detect known types. The data packet corresponding to a request in the WEB network contains many parameters and data, all of which must be matched in this detection mode, so the parameters actually corresponding to a function injection cannot be located and detected accurately, the matching workload is large, and the detection efficiency is low.
Therefore, how to improve the detection efficiency of the function injection attack is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
In view of the foregoing, an object of the present application is to provide a method, apparatus, device and readable storage medium for detecting a function injection attack, so as to improve the detection efficiency of the function injection attack. The specific scheme is as follows:
in a first aspect, the present application provides a method for detecting a function injection attack, including:
reading a request in a WEB network;
analyzing the request and extracting request parameters from the request;
judging whether the request parameter is a suspicious function parameter or not;
if yes, attribute labeling is carried out on the request parameters, labeling results are obtained, and the function injection attack type corresponding to the request parameters is identified according to the labeling results and the request parameters.
Preferably, the extracting the request parameter from the request includes:
extracting request line parameters and POST form parameters from the request, wherein the request parameters comprise request line parameters and POST form parameters;
and converting the request line parameters and the POST form parameters into associated arrays, and taking the associated arrays as the request parameters, wherein the associated arrays comprise parameter names and parameter values.
Preferably, the determining whether the request parameter is a suspicious function parameter includes:
judging whether the request parameters exist in a suspicious function parameter library;
if yes, determining the request parameter as a suspicious function parameter;
if not, determining the request parameter as a normal function parameter.
Preferably, the attribute labeling of the request parameter to obtain a labeling result includes:
labeling the attribute of the request parameter according to a target mode to obtain the labeling result;
the target mode comprises any one or combination of a regular expression, a directory separator, a file suffix name, a command identification parameter and a code identification parameter; the label of the attribute label comprises any one or combination of URI, file name, command, coded content, code and common parameters.
Preferably, the identifying the function injection attack type corresponding to the request parameter according to the labeling result and the request parameter includes:
generating fingerprint data according to the labeling result and the request parameters;
comparing the fingerprint data with a function injection attack fingerprint library to obtain a comparison result;
and determining the type of the function injection attack according to the comparison result.
Preferably, the identifying the function injection attack type corresponding to the request parameter according to the labeling result and the request parameter includes:
and inputting the labeling result and the request parameters into a target model so as to output the function injection attack type and the confidence of the function injection attack type.
Preferably, the target model is obtained by using a supervised learning method and labeled function injection attack parameter training.
In a second aspect, the present application provides a detection apparatus for a function injection attack, including:
the reading module is used for reading the request in the WEB network;
the analysis module is used for analyzing the request and extracting request parameters from the request;
the judging module is used for judging whether the request parameter is a suspicious function parameter or not;
and the detection module is used for marking the attributes of the request parameters if the request parameters are suspicious function parameters, obtaining marking results, and identifying the function injection attack types corresponding to the request parameters according to the marking results and the request parameters.
In a third aspect, the present application provides a detection apparatus for a function injection attack, including:
a memory for storing a computer program;
and a processor for executing the computer program to implement the method for detecting a function injection attack disclosed above.
In a fourth aspect, the present application provides a readable storage medium storing a computer program, where the computer program, when executed by a processor, implements the method for detecting a function injection attack disclosed above.
According to the scheme, the application provides a method for detecting function injection attack, which comprises the following steps: reading a request in a WEB network; analyzing the request and extracting request parameters from the request; judging whether the request parameter is a suspicious function parameter or not; if yes, attribute labeling is carried out on the request parameters, labeling results are obtained, and the function injection attack type corresponding to the request parameters is identified according to the labeling results and the request parameters.
The method comprises the steps of extracting request parameters from a request in a WEB network, judging whether the request parameters are suspicious function parameters, if so, labeling the request parameters by attributes to obtain labeling results, and identifying the function injection attack type corresponding to the request parameters according to the labeling results and the request parameters. The method and the device can extract the request parameters from the request, and identify the characteristics of the function injection attack in the request parameters after determining that the request parameters are suspicious function parameters, so that the type of the function injection attack corresponding to the request parameters is determined. According to the scheme, a large number of rules are not required to be preset, the known function injection attack can be detected, and the unknown function injection attack can be detected, so that the detection efficiency is high, and the method has good universality.
Correspondingly, the detection device, equipment and readable storage medium for the function injection attack have the same technical effects.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flow chart of a method for detecting a function injection attack disclosed in the present application;
FIG. 2 is a flowchart of another method for detecting a function injection attack disclosed in the present application;
FIG. 3 is a schematic diagram of a detection device for function injection attack disclosed in the present application;
FIG. 4 is a schematic diagram of a detection device for function injection attack disclosed in the present application;
fig. 5 is a schematic diagram of another detection apparatus for function injection attack disclosed in the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Currently, the existing detection method needs to collect a large number of known types of function injection attacks in advance, so the early-stage workload is high, and the large number of rules so determined is difficult to maintain. Furthermore, since the rules are determined from known types of function injection attacks, they can only detect known types. The data packet corresponding to a request in the WEB network contains many parameters and data, all of which must be matched in this detection mode, so the parameters actually corresponding to a function injection cannot be located and detected accurately, the matching workload is large, and the detection efficiency is low. Therefore, the application provides a detection scheme for function injection attacks that can improve the detection efficiency of function injection attacks.
The following describes a method for detecting a function injection attack provided in the embodiment of the present application, and referring to fig. 1, the embodiment of the present application discloses a method for detecting a function injection attack, which includes:
S101, reading a request in a WEB network.
Note that the WEB network generally communicates over the HTTP/HTTPS protocols, so a request in the WEB network includes a data packet conforming to HTTP/HTTPS. HTTP (Hypertext Transfer Protocol) is a network protocol widely used on the internet. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is the secure version of HTTP, namely HTTP carried over an encrypted channel.
Common function injection attacks include function injection attacks in PHP service programs. Because PHP allows a function to be called dynamically through a string variable, misuse of functions such as call_user_func is a main cause of function injection attacks in PHP service programs. A PHP service program is a program written in PHP (Hypertext Preprocessor), a scripting language embedded in HTML (HyperText Markup Language). Function injection attacks are also known as function injection vulnerabilities.
S102, analyzing the request and extracting request parameters from the request.
In one embodiment, extracting the request parameters from the request includes: extracting request line parameters and POST form parameters from the request, wherein the request parameters comprise the request line parameters and the POST form parameters; converting the request line parameters and the POST form parameters into associated arrays, and taking the associated arrays as request parameters, wherein the associated arrays comprise parameter names and parameter values.
For example: the request parameters corresponding to the system function injection attack are as follows:
POST /thinkphp_5.0.22_with_extend/public/index.php?s=captcha HTTP/1.0
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
_method=__construct&filter[]=system&method=get&get[]=dir
the following parameter names and parameter values can be extracted from the request parameters (POST form parameters) corresponding to the system function injection attack:
[Table image not reproduced: parameter names and parameter values extracted from the POST form parameters above]
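As an added illustration of step S102 (this is example code, not code from the patent or from Sangfor), the following Python parses the request quoted above into the two associative arrays the description names: request line parameters (the query string of the request target) and POST form parameters. The sample input reproduces the quoted request with the "?" that separates the path from the query string restored; the helper names parse_request, to_assoc and request_parameters are this example's own. Beyond the quoted case it also honours Content-Length and keeps repeated names such as PHP's name[] convention as lists.

```python
"""Added example (not part of the patent): step S102, parsing an HTTP request
into associative arrays of parameter names and parameter values."""
from urllib.parse import parse_qsl, urlsplit

# The request quoted in the description, reproduced as the demo input.
SAMPLE_REQUEST = (
    "POST /thinkphp_5.0.22_with_extend/public/index.php?s=captcha HTTP/1.0\r\n"
    "Content-Length: 56\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "_method=__construct&filter[]=system&method=get&get[]=dir"
)


def to_assoc(pairs):
    """Turn (name, value) pairs into an associative array. A name that repeats
    (for example PHP's name[] convention) keeps every value, in order."""
    assoc = {}
    for name, value in pairs:
        assoc.setdefault(name, []).append(value)
    return assoc


def parse_request(raw):
    """Return {'request_line': {...}, 'post_form': {...}} for one HTTP request."""
    # Split headers from body on the first blank line (CRLF or bare LF).
    for sep in ("\r\n\r\n", "\n\n"):
        head, found, body = raw.partition(sep)
        if found:
            break
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Request line parameters: the query string of the request target.
    request_line = parse_qsl(urlsplit(target).query, keep_blank_values=True)

    # POST form parameters: only for a url-encoded form body, and only the
    # Content-Length bytes the client declared (anything after is not the form).
    post_form = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() == "POST" and media_type == "application/x-www-form-urlencoded":
        try:
            length = int(headers.get("content-length", len(body)))
        except ValueError:
            length = len(body)
        post_form = parse_qsl(body[:length], keep_blank_values=True)

    return {"request_line": to_assoc(request_line), "post_form": to_assoc(post_form)}


def request_parameters(raw):
    """Merge both associative arrays into the single 'request parameters' array."""
    merged = {}
    for part in parse_request(raw).values():
        for name, values in part.items():
            merged.setdefault(name, []).extend(values)
    return merged


if __name__ == "__main__":
    for name, values in request_parameters(SAMPLE_REQUEST).items():
        print(f"{name!r}: {values}")
```

Run stand-alone, the script prints one line per parameter name; for the quoted request that is s, _method, filter[], method and get[] with their values.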
S103, judging whether the request parameter is a suspicious function parameter; if yes, executing S104; if not, no operation is performed.
In one embodiment, determining whether the request parameter is a suspicious function parameter includes: judging whether request parameters exist in a suspicious function parameter library; if yes, determining the request parameter as a suspicious function parameter; if not, determining the request parameter as a normal function parameter.
For example: for the relevant parameters of the system function in the example, the system relevant parameters are found to exist in the suspicious function parameter library, so that the system may be an injection function, and the risk of function injection exists, and then the relevant parameters of the system function are determined to be suspicious function parameters; if the system related parameters are found to be not in the suspicious function parameter library, the related parameters of the system function are determined to be normal function parameters. For normal function parameters, the embodiment can discard the normal function parameters directly without performing the following operation, so as to filter normal traffic. Since suspicious functions are the necessary features to constitute function injection, they can be processed in subsequent steps.
S104, labeling the attributes of the request parameters to obtain labeling results, and identifying the function injection attack type corresponding to the request parameters according to the labeling results and the request parameters.
In a specific embodiment, performing attribute labeling on the request parameters to obtain labeling results, including: labeling the attribute of the request parameter according to a target mode to obtain a labeling result; the target mode comprises any one or combination of a regular expression, a directory separator, a file suffix name, a command identification parameter and a code identification parameter; the label of the attribute label comprises any one or combination of URI, file name, command, coded content, code and common parameters.
For example: the parameter of the suspicious function system is a command string. The tags of the attribute label include uri, file name (file), command (cmd), encoded content (encoded), code (code), common parameter (common), and the like. Attribute labeling can use a variety of methods, such as: (1) describing uri patterns with regular expressions; (2) describing file names by directory separators and common file suffixes; (3) identifying command parameters by common commands; (4) identifying encoded content by specific encodings, etc.
In a specific embodiment, identifying the function injection attack type corresponding to the request parameter according to the labeling result and the request parameter includes: generating fingerprint data according to the labeling result and the request parameters; comparing the fingerprint data with a function injection attack fingerprint library to obtain a comparison result; and determining the type of the function injection attack and the risk index of that type according to the comparison result.
The fingerprint data in the function injection attack fingerprint library can be represented as a data set formed by an injection function and its parameters. For example: (system, cmd) is the fingerprint data of a system function injection attack; file_put_contents (file) is the fingerprint data of a file_put_contents function injection attack, where one parameter of file_put_contents (i.e. "x") is the content to be written, which may be any text, and the other parameter (i.e. "file") is the name of the file written to.
In a specific embodiment, identifying the function injection attack type corresponding to the request parameter according to the labeling result and the request parameter includes: inputting the labeling result and the request parameters into the target model so as to output the function injection attack type and the confidence of the function injection attack type. The target model, for example an XGBoost model, is obtained by training with a supervised learning method on labeled function injection attack parameters. Of course, other models may also be trained with supervised learning methods and labeled function injection attack parameters to obtain the target model.
The supervised learning method needs to vectorize the labeling result and the request parameters, so that a feature vector with a fixed length can be used as an input of a target model, and each component in the feature vector represents whether a certain type of label or function appears.
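As an added illustration of steps S103 and S104 together with the vectorization just described (example code, not code from the patent or from Sangfor), the following Python takes the associative array extracted in S102, looks the values up in a suspicious function parameter library, labels every value with one of the attribute tags (uri, file, cmd, encoded, code, common) using the target modes listed above, compares the resulting fingerprint with a function injection attack fingerprint library, and finally builds the fixed-length 0/1 feature vector a supervised model would consume. The two libraries, the command and suffix lists, the regular expressions and the risk indices are constructed samples for the demo; the helper names label_value, detect and vectorize are this example's own. It also shows the two outcomes the description only states: normal traffic is discarded before labeling, and a suspicious function whose parameter labels match no fingerprint is still returned (with an empty match list) so that it can go to the model.

```python
"""Added example (not part of the patent): S103 suspicious-function lookup,
S104 attribute labeling and fingerprint comparison, and the fixed-length
feature vector for the supervised model. All libraries are constructed samples."""
import re

# Constructed suspicious function parameter library (a real WAF ships a larger one).
SUSPICIOUS_FUNCTIONS = {"system", "exec", "passthru", "shell_exec",
                        "call_user_func", "file_put_contents", "assert"}

# Target modes for attribute labeling.
COMMON_COMMANDS = {"dir", "ls", "cat", "whoami", "id", "ping", "echo",
                   "type", "ipconfig", "ifconfig"}
FILE_SUFFIXES = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".txt",
                 ".html", ".htm", ".sh", ".log")
URI_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.I)
BASE64_RE = re.compile(r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")
CODE_RE = re.compile(r"<\?php|\$\w+\s*=|\w+\s*\([^()]*\)\s*;")

LABELS = ["uri", "file", "cmd", "encoded", "code", "common"]

# Constructed fingerprint library: (injection function, labels its parameters
# must carry, attack type, risk index). Entry 1 and 2 follow the description.
FINGERPRINT_LIBRARY = [
    ("system", {"cmd"}, "system function injection (command execution)", 9),
    ("passthru", {"cmd"}, "passthru function injection (command execution)", 9),
    ("file_put_contents", {"file"}, "file_put_contents function injection (file write)", 8),
]


def label_value(value):
    """Assign one attribute label to a parameter value; the first mode that matches wins."""
    v = value.strip()
    if URI_RE.fullmatch(v):                          # (1) uri pattern by regular expression
        return "uri"
    if BASE64_RE.fullmatch(v) or HEX_RE.fullmatch(v):  # (4) encoded content
        return "encoded"
    if CODE_RE.search(v):                            # code fragments
        return "code"
    tokens = v.split()
    if tokens and tokens[0].lower() in COMMON_COMMANDS:  # (3) command by common commands
        return "cmd"
    if "/" in v or "\\" in v or v.lower().endswith(FILE_SUFFIXES):  # (2) file name
        return "file"
    return "common"


def detect(params):
    """params: associative array name -> [values] from step S102.
    Returns None for normal traffic (S103), otherwise the labeling result,
    the suspected injection functions and the fingerprint matches (S104)."""
    functions = sorted({v for values in params.values() for v in values
                        if v in SUSPICIOUS_FUNCTIONS})
    if not functions:  # no suspicious function: discard without further work
        return None
    labeling = {name: [label_value(v) for v in values] for name, values in params.items()}
    observed = {lab for labs in labeling.values() for lab in labs}
    # A library fingerprint matches when its function is present and every
    # label it requires was observed on some parameter of the request.
    matches = [(attack_type, risk) for func, required, attack_type, risk in FINGERPRINT_LIBRARY
               if func in functions and required <= observed]
    return {"functions": functions, "labeling": labeling,
            "observed": observed, "matches": matches}


# Fixed feature order: one component per label type, one per library function.
FEATURES = [f"label:{lab}" for lab in LABELS] + [f"func:{fn}" for fn in sorted(SUSPICIOUS_FUNCTIONS)]


def vectorize(result):
    """Fixed-length 0/1 vector: does each label type / function appear in the request?"""
    present = {f"label:{lab}" for lab in result["observed"]} | {f"func:{fn}" for fn in result["functions"]}
    return [1 if feat in present else 0 for feat in FEATURES]


# Parameters extracted from the request quoted in the description (S102 output).
SAMPLE_PARAMS = {"s": ["captcha"], "_method": ["__construct"], "filter[]": ["system"],
                 "method": ["get"], "get[]": ["dir"]}
# Constructed ordinary request for contrast: a command word but no injection function.
NORMAL_PARAMS = {"page": ["2"], "q": ["ls"]}

if __name__ == "__main__":
    result = detect(SAMPLE_PARAMS)
    print(result["labeling"], result["matches"])
    print(dict(zip(FEATURES, vectorize(result))))
    print(detect(NORMAL_PARAMS))
```

For the quoted request the fingerprint (system, cmd) is hit through the get[] parameter labeled cmd, while the ordinary request is discarded at S103 even though it carries a command word, which is the filtering the description relies on.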
In one embodiment, another method for detecting a function injection attack includes:
s201, acquiring HTTP request data;
s202, carrying out parameter analysis on HTTP request data to obtain a parameter list;
s203, searching an injection function based on the parameter list;
s204, if the injection function is searched, carrying out attribute marking on the parameters, and carrying out attack recognition so as to output risk coefficients; otherwise, outputting prompt information without risk.
Referring specifically to fig. 2, the HTTP request data is parsed to obtain URI parameters and POST form parameters, giving a parameter list; if parameters corresponding to an injection function are found in the parameter list, attribute labeling is carried out on the parameters, the function and the attribute labels of its parameters are combined, and the type of the current function injection attack is identified and evaluated. The method can accurately identify the type of the function injection attack and improve the defending capability of a Web application firewall against function injection attacks. Web application firewalls (WAF, Web Application Firewall) provide security protection specifically for Web applications by enforcing a set of security policies for the HTTP/HTTPS protocols.
Therefore, in the embodiment of the application, the request parameters are extracted from the request in the WEB network, whether the request parameters are suspicious function parameters or not is judged, if the request parameters are suspicious function parameters, attribute labeling is carried out on the request parameters, labeling results are obtained, and the function injection attack types corresponding to the request parameters are identified according to the labeling results and the request parameters. The method and the device can extract the request parameters from the request, and identify the characteristics of the function injection attack in the request parameters after determining that the request parameters are suspicious function parameters, so that the type of the function injection attack corresponding to the request parameters is determined. According to the scheme, a large number of rules are not required to be preset, the known function injection attack can be detected, and the unknown function injection attack can be detected, so that the detection efficiency is high, and the method has good universality.
The following describes a device for detecting a function injection attack according to an embodiment of the present application, and the device for detecting a function injection attack described below and the method for detecting a function injection attack described above may be referred to each other.
Referring to fig. 3, an embodiment of the present application discloses a detection apparatus for a function injection attack, including:
a reading module 301, configured to read a request in a WEB network;
the parsing module 302 is configured to parse the request and extract a request parameter from the request;
a judging module 303, configured to judge whether the request parameter is a suspicious function parameter;
and the detection module 304 is configured to, if the request parameter is a suspicious function parameter, perform attribute labeling on the request parameter to obtain a labeling result, and identify a function injection attack type corresponding to the request parameter according to the labeling result and the request parameter.
In one embodiment, the parsing module is specifically configured to:
extracting request line parameters and POST form parameters from the request, wherein the request parameters comprise the request line parameters and the POST form parameters; converting the request line parameters and the POST form parameters into associated arrays, and taking the associated arrays as request parameters, wherein the associated arrays comprise parameter names and parameter values.
In one embodiment, the judging module is specifically configured to:
judging whether request parameters exist in a suspicious function parameter library;
if yes, determining the request parameter as a suspicious function parameter;
if not, determining the request parameter as a normal function parameter.
In one embodiment, the detection module is specifically configured to:
labeling the attribute of the request parameter according to a target mode to obtain a labeling result;
the target mode comprises any one or combination of a regular expression, a directory separator, a file suffix name, a command identification parameter and a code identification parameter; the label of the attribute label comprises any one or combination of URI, file name, command, coded content, code and common parameters.
In one embodiment, the detection module is specifically configured to:
generating fingerprint data according to the labeling result and the request parameters;
comparing the fingerprint data with a function injection attack fingerprint library to obtain a comparison result;
and determining the type of the function injection attack according to the comparison result.
In one embodiment, the detection module is specifically configured to:
the labeling result and the request parameters are input into the target model so as to output the function injection attack type and the confidence of the function injection attack type.
In one embodiment, the target model is obtained by using a supervised learning method and labeled function injection attack parameter training.
The more specific working process of each module and unit in this embodiment may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.
It can be seen that this embodiment provides a detection device for function injection attack, where the device extracts a request parameter from a request in a WEB network, determines whether the request parameter is a suspicious function parameter, if the request parameter is the suspicious function parameter, performs attribute labeling on the request parameter to obtain a labeling result, and identifies a function injection attack type corresponding to the request parameter according to the labeling result and the request parameter. The method and the device can extract the request parameters from the request, and identify the characteristics of the function injection attack in the request parameters after determining that the request parameters are suspicious function parameters, so that the type of the function injection attack corresponding to the request parameters is determined. According to the scheme, a large number of rules are not required to be preset, the known function injection attack can be detected, and the unknown function injection attack can be detected, so that the detection efficiency is high, and the method has good universality.
The following describes a device for detecting a function injection attack according to an embodiment of the present application, and the following description of the device for detecting a function injection attack and the foregoing method and apparatus for detecting a function injection attack may be referred to each other.
Referring to fig. 4, an embodiment of the present application discloses a detection device for a function injection attack, including:
a memory 401 for holding a computer program;
a processor 402 for executing the computer program to perform the steps of:
reading a request in a WEB network; analyzing the request and extracting request parameters from the request; judging whether the request parameter is a suspicious function parameter or not; if yes, the request parameters are marked with attributes, marking results are obtained, and the function injection attack types corresponding to the request parameters are identified according to the marking results and the request parameters.
In this embodiment, when the processor executes the computer program stored in the memory, the following steps may be specifically implemented: extracting request line parameters and POST form parameters from the request, wherein the request parameters comprise the request line parameters and the POST form parameters; converting the request line parameters and the POST form parameters into associated arrays, and taking the associated arrays as request parameters, wherein the associated arrays comprise parameter names and parameter values.
In this embodiment, when the processor executes the computer program stored in the memory, the following steps may be specifically implemented: judging whether request parameters exist in a suspicious function parameter library; if yes, determining the request parameter as a suspicious function parameter; if not, determining the request parameter as a normal function parameter.
In this embodiment, when the processor executes the computer program stored in the memory, the following steps may be specifically implemented: labeling the attribute of the request parameter according to a target mode to obtain a labeling result; the target mode comprises any one or combination of a regular expression, a directory separator, a file suffix name, a command identification parameter and a code identification parameter; the label of the attribute label comprises any one or combination of URI, file name, command, coded content, code and common parameters.
In this embodiment, when the processor executes the computer program stored in the memory, the following steps may be specifically implemented: generating fingerprint data according to the labeling result and the request parameters; comparing the fingerprint data with a function injection attack fingerprint library to obtain a comparison result; and determining the type of the function injection attack according to the comparison result.
In this embodiment, when the processor executes the computer program stored in the memory, the following steps may be specifically implemented: inputting the labeling result and the request parameters into the target model so as to output the function injection attack type and the confidence of the function injection attack type.
Referring to fig. 5, fig. 5 is a schematic diagram of another detection device for a function injection attack according to the present embodiment. The detection device for a function injection attack may differ considerably depending on its configuration or performance, and may include one or more processors (central processing units, CPU) 322 (e.g., one or more processors), a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing applications 342 or data 344. The memory 332 and the storage medium 330 may be transitory or persistent. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instruction operations in the data processing apparatus. Further, the central processor 322 may be configured to communicate with the storage medium 330 so as to execute the series of instruction operations in the storage medium 330 on the detection device 301 for a function injection attack.
The detection device 301 for a function injection attack may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, for example Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
In fig. 5, the application 342 may be a program that performs a detection method of a function injection attack, and the data 344 may be data required or generated for performing the detection method of the function injection attack.
The steps in the method for detecting a function injection attack described above may be implemented by the structure of the detection device for a function injection attack.
The following describes a readable storage medium provided in the embodiments of the present application; the readable storage medium described below and the method, apparatus and device for detecting a function injection attack described above may be cross-referenced.
A readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the method for detecting a function injection attack disclosed in the foregoing embodiment. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
Reference to "first," "second," "third," "fourth," etc. (if present) herein is used to distinguish similar objects from each other and does not necessarily describe a particular order or sequence. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, or apparatus.
It should be noted that the description herein of "first," "second," etc. is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, provided that the combination can be realized by those skilled in the art; when the technical solutions are contradictory or the combination cannot be realized, the combination should be regarded as non-existent and outside the protection scope of the present application.
In this specification, each embodiment is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts between embodiments may be referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principles and embodiments of the present application are described herein with specific examples; the above examples are provided only to assist in understanding the methods of the present application and their core ideas. At the same time, since those skilled in the art will make modifications in the specific embodiments and the scope of application in accordance with the ideas of the present application, the content of this description should not be construed as limiting the present application.

Claims (9)

1. A method for detecting a function injection attack, comprising:
reading a request in a WEB network;
analyzing the request and extracting request parameters from the request;
judging whether the request parameters exist in a suspicious function parameter library;
if yes, determining the request parameter as a suspicious function parameter, labeling the attributes of the request parameter to obtain a labeling result, and identifying a function injection attack type corresponding to the request parameter according to the labeling result and the request parameter; wherein the parameters related to a function carrying function injection risk are the suspicious function parameters;
wherein the labeling of the attributes of the request parameter to obtain the labeling result includes:
labeling the attribute of the request parameter according to a target mode to obtain the labeling result;
the target mode comprises any one or combination of a regular expression, a directory separator, a file suffix name, a command identification parameter and a code identification parameter; the label of the attribute label comprises any one or combination of URI, file name, command, coded content, code and common parameters.
2. The method for detecting a function injection attack according to claim 1, wherein the extracting a request parameter from the request comprises:
extracting request line parameters and POST form parameters from the request, wherein the request parameters comprise the request line parameters and the POST form parameters;
and converting the request line parameters and the POST form parameters into associative arrays, and taking the associative arrays as the request parameters, wherein the associative arrays comprise parameter names and parameter values.
3. The method according to claim 1, wherein if the request parameter does not exist in the suspicious function parameter library, determining that the request parameter is a normal function parameter.
4. A method for detecting a function injection attack according to any of claims 1 to 3, wherein the identifying a function injection attack type corresponding to the request parameter according to the labeling result and the request parameter includes:
generating fingerprint data according to the labeling result and the request parameters;
comparing the fingerprint data with a function injection attack fingerprint library to obtain a comparison result;
and determining the type of the function injection attack according to the comparison result.
5. A method for detecting a function injection attack according to any of claims 1 to 3, wherein the identifying a function injection attack type corresponding to the request parameter according to the labeling result and the request parameter includes:
and inputting the labeling result and the request parameters into a target model so as to output the function injection attack type and the confidence of the function injection attack type.
6. The method for detecting a function injection attack according to claim 5, wherein the target model is obtained by training with a supervised learning method on labeled function injection attack parameters.
7. A device for detecting a function injection attack, comprising:
the reading module is used for reading the request in the WEB network;
the analysis module is used for analyzing the request and extracting request parameters from the request;
the judging module is used for judging whether the request parameters exist in the suspicious function parameter library;
the detection module is used for determining the request parameter as a suspicious function parameter if the request parameter exists in the suspicious function parameter library, labeling the attributes of the request parameter to obtain a labeling result, and identifying the function injection attack type corresponding to the request parameter according to the labeling result and the request parameter; wherein the parameters related to a function carrying function injection risk are the suspicious function parameters;
wherein the detection module is specifically used for:
labeling the attribute of the request parameter according to a target mode to obtain the labeling result;
the target mode comprises any one or combination of a regular expression, a directory separator, a file suffix name, a command identification parameter and a code identification parameter; the label of the attribute label comprises any one or combination of URI, file name, command, coded content, code and common parameters.
8. A device for detecting a function injection attack, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the method of detecting a function injection attack as claimed in any of claims 1 to 6.
9. A readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements a method of detecting a function injection attack according to any of claims 1 to 6.
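As an added illustration of the detection method in claims 1 to 4 and of the embodiment steps described above (this is example code written for this page, not code from the patent or from Sangfor), the following Python sketch parses request-line and POST form parameters into an associative array, checks each parameter name against a suspicious function parameter library, labels the value by regular expression, directory separator, file suffix, command identifier, code identifier and a base64 check, builds a fingerprint from the risky function family and the label combination, and looks the fingerprint up in an attack fingerprint library. The library entries, label names, fingerprint strings, attack-type names and the two HTTP requests are all constructed assumptions; the patent names none of them.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed suspicious function parameter library (hypothetical entries; the
# patent names no concrete parameters). Each request parameter name maps to the
# risky server-side function family it is assumed to feed.
SUSPICIOUS_PARAM_LIBRARY = {
    "cmd": "system", "exec": "system",
    "file": "include", "page": "include",
    "code": "eval", "data": "eval",
}

# Attribute labels as listed in the patent (URI, file name, command, encoded
# content, code, common parameter).
URI, FILENAME, COMMAND, ENCODED, CODE, COMMON = (
    "uri", "filename", "command", "encoded", "code", "common")

# Target-mode patterns: all hypothetical and deliberately small.
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
FILE_SUFFIXES = (".php", ".ini", ".conf", ".log", ".txt")
COMMAND_IDENTIFIERS = {"id", "ls", "cat", "whoami", "ping"}
CODE_IDENTIFIERS = ("eval(", "system(", "<?php", "function(")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")

# Constructed function injection attack fingerprint library: fingerprint -> type.
ATTACK_FINGERPRINT_LIBRARY = {
    "system:command": "command injection",
    "system:code": "command injection",
    "include:filename": "local file inclusion",
    "include:uri": "remote file inclusion",
    "eval:code": "code injection",
    "eval:encoded": "encoded code injection",
}


def extract_request_params(raw_request: str) -> dict:
    """Parse request-line query parameters and POST form parameters (assumed
    application/x-www-form-urlencoded) into one associative array."""
    head, _, body = raw_request.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if method.upper() == "POST" and body:
        params.update(parse_qsl(body, keep_blank_values=True))
    return params


def is_base64_text(value: str) -> bool:
    """Heuristic 'encoded content' check: well-formed base64 that decodes to
    printable text. Ordinary short words normally fail the UTF-8 decode step."""
    if not BASE64_RE.match(value) or len(value) % 4:
        return False
    try:
        return base64.b64decode(value, validate=True).decode("utf-8").isprintable()
    except (ValueError, UnicodeDecodeError):
        return False


def label_value(value: str) -> set:
    """Attribute labeling by target mode; a value may carry several labels."""
    labels = set()
    if URI_RE.match(value):
        labels.add(URI)
    elif "/" in value or "\\" in value or value.lower().endswith(FILE_SUFFIXES):
        labels.add(FILENAME)          # directory separator or file suffix
    first_token = value.strip().split(" ", 1)[0]
    if first_token in COMMAND_IDENTIFIERS:
        labels.add(COMMAND)           # command identification parameter
    if any(token in value for token in CODE_IDENTIFIERS):
        labels.add(CODE)              # code identification parameter
    if is_base64_text(value):
        labels.add(ENCODED)
    return labels or {COMMON}


def make_fingerprint(family: str, labels: set) -> str:
    """Fingerprint = risky function family + sorted label combination."""
    return f"{family}:{','.join(sorted(labels))}"


def detect(raw_request: str) -> list:
    """Return (parameter name, 'normal' | 'suspicious', attack type or None)."""
    findings = []
    for name, value in extract_request_params(raw_request).items():
        family = SUSPICIOUS_PARAM_LIBRARY.get(name)
        if family is None:
            findings.append((name, "normal", None))
            continue
        fingerprint = make_fingerprint(family, label_value(value))
        findings.append((name, "suspicious", ATTACK_FINGERPRINT_LIBRARY.get(fingerprint)))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_GET = ("GET /index.php?page=home&file=../config.ini HTTP/1.1\r\n"
              "Host: app.example\r\n\r\n")
SAMPLE_POST = ("POST /run.php?cmd=id HTTP/1.1\r\nHost: app.example\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "code=eval(1%2B1)&data=aGVsbG8%3D&user=alice")

if __name__ == "__main__":
    for request in (SAMPLE_GET, SAMPLE_POST):
        for finding in detect(request):
            print(finding)
```

Two details matter for a detector built this way. A parameter whose name is in the suspicious library but whose value carries only the common label (here `page=home`) produces a fingerprint with no library entry and therefore no attack type, which is what keeps a risky parameter name alone from raising an alert. The encoded-content check decodes the candidate and requires printable text, because a bare base64 regular expression also matches ordinary four-letter words.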
CN202010542244.8A 2020-06-15 2020-06-15 Method, device and equipment for detecting function injection attack and readable storage medium Active CN113810343B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010542244.8A CN113810343B (en) 2020-06-15 2020-06-15 Method, device and equipment for detecting function injection attack and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010542244.8A CN113810343B (en) 2020-06-15 2020-06-15 Method, device and equipment for detecting function injection attack and readable storage medium

Publications (2)

Publication Number Publication Date
CN113810343A CN113810343A (en) 2021-12-17
CN113810343B true CN113810343B (en) 2023-05-12

Family

ID=78892340

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010542244.8A Active CN113810343B (en) 2020-06-15 2020-06-15 Method, device and equipment for detecting function injection attack and readable storage medium

Country Status (1)

Country Link
CN (1) CN113810343B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8601586B1 (en) * 2008-03-24 2013-12-03 Google Inc. Method and system for detecting web application vulnerabilities
CN105553917A (en) * 2014-10-28 2016-05-04 腾讯科技(深圳)有限公司 Detection method and system of webpage bugs
CN107566392A (en) * 2017-09-22 2018-01-09 北京知道创宇信息技术有限公司 A kind of detection method and proxy server of the type SQL injection that reports an error
CN108111466A (en) * 2016-11-24 2018-06-01 北京金山云网络技术有限公司 A kind of attack detection method and device
CN108234453A (en) * 2017-12-12 2018-06-29 杭州安恒信息技术有限公司 A kind of web safety defense methods of rule-based Java
CN108664793A (en) * 2017-03-30 2018-10-16 腾讯科技(深圳)有限公司 A kind of method and apparatus of detection loophole
CN108712448A (en) * 2018-07-09 2018-10-26 四川大学 A kind of injection attack detection model based on the analysis of dynamic stain
CN108845941A (en) * 2018-06-15 2018-11-20 郑州云海信息技术有限公司 A kind of SQL injection test coverage statistical method and system
CN108959926A (en) * 2018-06-27 2018-12-07 杭州安恒信息技术股份有限公司 A kind of detection method of SQL injection attack
CN109525556A (en) * 2018-10-18 2019-03-26 中国电力科学研究院有限公司 It is a kind of for determining the light weight method and system of protocol bug in embedded system firmware
CN109525567A (en) * 2018-11-01 2019-03-26 郑州云海信息技术有限公司 A kind of detection method and system for implementing parameter injection attacks for website
CN109818976A (en) * 2019-03-15 2019-05-28 杭州迪普科技股份有限公司 A kind of anomalous traffic detection method and device
CN110958246A (en) * 2019-11-29 2020-04-03 中电福富信息科技有限公司 Dynamic intelligent protection method based on WEB server and application thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8171550B2 (en) * 2006-08-07 2012-05-01 Webroot Inc. System and method for defining and detecting pestware with function parameters

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Multi-feature-correlated injection-type threat detection method; Jia Wenchao et al.; Journal of Zhejiang University (Engineering Science); 2018-03-01 (No. 03); full text *

Also Published As

Publication number Publication date
CN113810343A (en) 2021-12-17

Similar Documents

Publication Publication Date Title
CN106961419B (en) WebShell detection method, device and system
CN109922052B (en) Malicious URL detection method combining multiple features
CN110233849B (en) Method and system for analyzing network security situation
US9032516B2 (en) System and method for detecting malicious script
CN109344615B (en) Method and device for detecting malicious command
CN109768992B (en) Webpage malicious scanning processing method and device, terminal device and readable storage medium
CN111835777B (en) Abnormal flow detection method, device, equipment and medium
CN109992969B (en) Malicious file detection method and device and detection platform
CN111400719A (en) Firmware vulnerability distinguishing method and system based on open source component version identification
CN113194058B (en) WEB attack detection method, equipment, website application layer firewall and medium
CN114531259B (en) Attack result detection method, device, system, computer equipment and medium
CN111488590A (en) SQL injection detection method based on user behavior credibility analysis
CN113079150B (en) Intrusion detection method for power terminal equipment
CN114357443A (en) Malicious code detection method, equipment and storage medium based on deep learning
Gao et al. Detecting SQL injection attacks using grammar pattern recognition and access behavior mining
CN107786529B (en) Website detection method, device and system
CN112817877B (en) Abnormal script detection method and device, computer equipment and storage medium
CN113067792A (en) XSS attack identification method, device, equipment and medium
CN116340939A (en) Webshell detection method, device, equipment and storage medium
CN113141332B (en) Command injection identification method, system, equipment and computer storage medium
CN113810343B (en) Method, device and equipment for detecting function injection attack and readable storage medium
CN113094706A (en) WebShell detection method, device, equipment and readable storage medium
CN112202763B (en) IDS strategy generation method, device, equipment and medium
Choi et al. Detection of cross site scripting attack in wireless networks using n-Gram and SVM
CN115906086A (en) Method, system and storage medium for detecting webpage backdoor based on code attribute graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant