CN114726579B - Method, device, equipment, storage medium and program product for defending network attack - Google Patents


Info

Publication number: CN114726579B
Application number: CN202210227278.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114726579A (en)
Inventor: 朱利军
Current and original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Legal status: Active
Prior art keywords: access request, transmission layer, fingerprint feature, fingerprint, request corresponding
Events: application filed by Beijing Baidu Netcom Science and Technology Co Ltd with priority to CN202210227278.7A; publication of CN114726579A; application granted; publication of CN114726579B.

Classifications

All classifications fall under section H (electricity), class H04 (electric communication technique), subclass H04L (transmission of digital information, e.g. telegraphic communication):

    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14, network security architectures or protocols for detecting or protecting against malicious traffic)
    • H04L63/02 Network security architectures or protocols for separating internal from external traffic, e.g. firewalls
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/01, protocols for supporting network services or applications)
    • H04L69/22 Parsing or analysis of headers (under H04L69/00, network arrangements, protocols or services independent of the application payload)

Abstract

The disclosure provides a method, a device, equipment, a storage medium and a program product for defending against network attacks. It relates to the field of computer technology, and in particular to the CC-attack defense scenario in the field of network security. The implementation scheme is as follows: acquire the transport layer client handshake packet of an encrypted HTTPS (hypertext transfer security protocol) request; parse the transport layer client handshake packet to obtain the server name indication and the client field features; determine the access requests corresponding to a transport layer fingerprint feature under that server name indication, where the transport layer fingerprint feature is generated from the client field features; detect, based on the access requests corresponding to the transport layer fingerprint feature, the abnormal access requests corresponding to that fingerprint feature; and intercept the abnormal access requests corresponding to the transport layer fingerprint feature. With this method and device, CC attacks over HTTPS can be resisted more effectively.

Description

Method, device, equipment, storage medium and program product for defending network attack
Technical Field
The disclosure relates to the field of computer technology, and in particular to the CC-attack defense scenario in the field of network security technology.
Background
Encrypted-traffic CC (Challenge Collapsar) attack defense techniques mainly discover hacker-initiated DDoS (Distributed Denial of Service) attacks at the encrypted HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) layer within large-scale network traffic, and block them.
To accurately identify a CC attack initiated by a hacker, current network attack detection generally performs HTTPS analysis on the layer-7 flows carried under the HTTPS protocol. The page access frequency of HTTPS is obtained through this analysis, an IP (Internet Protocol) address with a higher access frequency is judged to be the IP of the CC attack, and the IP judged to be attacking is blocked, thereby defending against the CC attack.
Disclosure of Invention
The present disclosure provides a method, apparatus, device, storage medium, and program product for defending against network attacks.
According to an aspect of the present disclosure, there is provided a method of defending against a network attack, including:
acquiring the transport layer client handshake packet of an encrypted HTTPS request; parsing the transport layer client handshake packet to obtain a server name indication and client field features; determining the access requests corresponding to a transport layer fingerprint feature under that server name indication, wherein the transport layer fingerprint feature is generated from the client field features; detecting, based on the access requests corresponding to the transport layer fingerprint feature, the abnormal access requests corresponding to that fingerprint feature; and intercepting the abnormal access requests corresponding to the transport layer fingerprint feature.
According to another aspect of the present disclosure, there is provided an apparatus for defending against a network attack, including:
an obtaining unit, configured to obtain the transport layer client handshake packet of an encrypted HTTPS request; an analyzing unit, configured to parse the transport layer client handshake packet to obtain a server name indication and client field features; a determining unit, configured to determine the access requests corresponding to a transport layer fingerprint feature under that server name indication, the transport layer fingerprint feature being generated from the client field features; and a detection unit, configured to detect, based on the access requests corresponding to the transport layer fingerprint feature, the abnormal access requests corresponding to that fingerprint feature, and to intercept them.
According to another aspect of the present disclosure, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method described above.
According to another aspect of the present disclosure, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the above-described method.
According to another aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method described above.
The method for defending against network attacks can defend against HTTPS CC attacks more effectively.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The drawings are for a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a flowchart of a method of defending against a network attack, shown in an exemplary embodiment of the present disclosure;
FIG. 2 is a flowchart of a method for detecting an abnormal access request corresponding to a TLS fingerprint feature based on an access request corresponding to a TLS fingerprint feature, according to one exemplary embodiment of the present disclosure;
FIG. 3 is a flowchart of a method for detecting an abnormal access request corresponding to a TLS fingerprint feature based on an access request corresponding to a TLS fingerprint feature, according to one exemplary embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a method implementation of defending against a network attack, shown in an exemplary embodiment of the present disclosure;
FIG. 5 is a block diagram of an apparatus for defending against a network attack, shown in an exemplary embodiment of the present disclosure;
FIG. 6 is a block diagram of an electronic device used to implement a method of defending against network attacks in accordance with an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The method for defending against network attacks is applied to HTTPS CC attack detection and defense scenarios, for example CC attack detection and defense in a cloud computing platform environment, or CC attack detection and defense for a high-traffic enterprise.
In the related art, detection and defense of HTTPS CC attacks performs IP access determination mainly by decrypting the HTTPS traffic, so as to determine whether an access source is a CC attack and block it. The ways of determining a CC attack mainly include the following situations:
1. Determining the number of access requests sent by the same source IP address per unit time. If the number of access requests sent by the same source IP address is larger than a set number threshold, the IP address is judged to have attack behavior, and the access requests sent by that IP address are blocked.
2. Determining the total number of data packets, or the number of access requests, reaching the same port or different ports of the same target server per unit time. If that total reaches a certain threshold, the server is judged to be abnormal or under attack.
3. Determining the number of requests by the same source IP address to access the same page per unit time. If that number reaches a certain threshold, the IP address is judged to have attack behavior, and the access requests sent by that IP address are blocked.
However, decrypting HTTPS traffic as described above requires a significant amount of machine resources. In addition, when the determination is made simply from the traffic corresponding to an IP address, false alarms may occur during a traffic burst, for example when a service party runs a sales promotion, so the determination is not reliable. Further, in an IP-sharing scenario, since the same IP address may carry the access requests of multiple clients, access requests that are not malicious may be blocked along with the rest.
In view of this, embodiments of the present disclosure provide a method of defending against network attacks in which the TLS (Transport Layer Security) client handshake packets of HTTPS requests are extracted. The client handshake packet is also called the Client Hello packet. The SNI (Server Name Indication) domain name and the client field features used to generate the TLS fingerprint feature are extracted from the TLS Client Hello packet. For the extracted SNI domain name, a TLS fingerprint feature is generated from the client field features, and CC defense is performed by fingerprinting the TLS layer of the encrypted HTTPS traffic.
As an exemplary embodiment, fig. 1 is a flowchart of a method of defending against a network attack, as shown in an exemplary embodiment of the present disclosure. Referring to fig. 1, the method for defending against the network attack includes the following steps S101 to S104.
In step S101, a TLS client handshake packet of an encrypted HTTPS request is acquired.
The TLS client handshake packet is sent in plaintext and contains the SNI and the client field features.
SNI is an extension of the TLS protocol, which is used by HTTPS. SNI specifies the hostname or domain name of the website during the TLS handshake, so the website visited by the client device can be determined from the SNI.
The client field features are the fields used to generate the TLS fingerprint feature that identifies the client, for example the TLS Version, the acceptable cipher suites (Ciphers), the extension list (Extensions), the elliptic curves (Elliptic Curves) and the elliptic curve point formats (Elliptic Curve Point Formats). The client field features extracted from the TLS client handshake packet are spliced together to generate the TLS fingerprint feature. A TLS fingerprint is often identified by its MD5 hash value. The TLS fingerprint feature extraction technique is also called TLS fingerprinting.
It will be appreciated that if there are no TLS extensions (TLS Extensions) in the Client Hello packet, then the value of the client field feature derived from them, used to generate the TLS fingerprint feature, is null.
In step S102, the TLS client handshake packet is parsed to obtain SNI and client field characteristics.
One or more SNIs may be obtained by parsing the TLS client handshake packet.
The client field features obtained by parsing the TLS client handshake packet are used to generate the TLS fingerprint feature, for example as an MD5 hash.
In step S103, an access request corresponding to the TLS fingerprint feature under SNI is determined.
In this embodiment, if multiple SNIs are obtained by parsing the TLS client handshake packet, the access requests corresponding to the TLS fingerprint feature under each SNI are determined in real time.
The access request corresponding to the TLS fingerprint may be understood as an access request sent by the client identified by the TLS fingerprint to the server indicated by the SNI.
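As an added example (not code from the patent or from Baidu), the following Python parses a plaintext TLS ClientHello record, extracts the SNI and the five client field features listed above, and splices them into a fingerprint string and its MD5, covering steps S101 to S103. The splicing order and decimal formatting follow the JA3 convention, which is an assumption since the patent does not fix a format; the sample ClientHello is constructed in the code, not captured traffic.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler and are dropped from the
# fingerprint, as the JA3 convention does (assumption: the patent does not say).
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Parse one plaintext TLS record carrying a ClientHello (step S102).

    Returns the SNI host names and the client field features the patent
    lists: version, cipher suites, extension list, elliptic curves
    (supported_groups) and elliptic curve point formats.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 0
    version = _u16(body, off); off += 2
    off += 32                                   # client random
    off += 1 + body[off]                        # session id
    cs_len = _u16(body, off); off += 2
    ciphers = [_u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                        # compression methods
    exts, curves, formats, sni = [], [], [], []
    if off < len(body):                         # extensions block is optional
        end = off + 2 + _u16(body, off); off += 2
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            exts.append(etype)
            if etype == 0:                      # server_name: list of (type, len, name)
                p = 2
                while p + 3 <= len(data):
                    n = _u16(data, p + 1)
                    sni.append(data[p + 3:p + 3 + n].decode("ascii"))
                    p += 3 + n
            elif etype == 10:                   # supported_groups (elliptic curves)
                n = _u16(data, 0)
                curves = [_u16(data, 2 + i) for i in range(0, n, 2)]
            elif etype == 11:                   # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "curves": curves, "formats": formats, "sni": sni}


def tls_fingerprint(features: dict) -> tuple:
    """Splice the client field features into a fingerprint string and its MD5
    (step S103). Without extensions the last three fields are empty (null)."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(features["version"]), join(features["ciphers"]),
                  join(features["extensions"]), join(features["curves"]),
                  join(features["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(host: str, with_extensions: bool = True) -> bytes:
    """Constructed sample ClientHello for testing, not captured traffic: TLS 1.2,
    one GREASE cipher plus two real suites, SNI, supported_groups, ec_point_formats."""
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data
    name = host.encode("ascii")
    exts = (ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
            + ext(10, struct.pack("!HHH", 4, 0x001D, 0x0017))    # x25519, secp256r1
            + ext(11, bytes([1, 0])))                            # uncompressed
    suites = struct.pack("!HHH", 0x0A0A, 0x1301, 0xC02F)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    if with_extensions:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    feats = parse_client_hello(build_client_hello("www.example.com"))
    print(feats["sni"], tls_fingerprint(feats))
```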
In step S104, based on the access request corresponding to the TLS fingerprint feature, an abnormal access request corresponding to the TLS fingerprint feature is detected, and the abnormal access request corresponding to the TLS fingerprint feature is intercepted.
In this embodiment of the present disclosure, the abnormal access request corresponding to the TLS fingerprint feature may be understood as an access request with CC attack behavior, or may be understood as a malicious request.
In this embodiment, the TLS fingerprint feature is generated from the client field features obtained by parsing the TLS client handshake packet, and abnormal access requests are detected from the access requests corresponding to that fingerprint feature, so the encrypted HTTPS traffic packets do not need to be decrypted and analyzed; compared with decrypting the HTTPS traffic packets, resources are saved.
Furthermore, since the TLS fingerprint feature can uniquely identify the accessing client, abnormal access requests can be determined accurately by detecting them on the basis of the TLS fingerprint feature, and CC attack defense can be performed. When abnormal access is intercepted, only the abnormal access requests corresponding to the TLS fingerprint feature are intercepted, not all access requests from the whole IP address, so abnormal access requests are intercepted precisely and normal, non-attacking access requests are not intercepted.
It can be understood that, in this embodiment, CC attack defense is implemented at the TLS layer, which amounts to layer-4 traffic analysis, whereas the IP-address-based method of the traditional technology is a decryption analysis of layer-7 traffic.
The embodiment of the present disclosure will hereinafter describe an implementation process of detecting an abnormal access request corresponding to TLS fingerprint based on an access request corresponding to TLS fingerprint.
In one implementation, in an embodiment of the present disclosure, whether the access request corresponding to the TLS fingerprint feature is an abnormal access request may be detected based on the number of access requests corresponding to the TLS fingerprint feature.
As an exemplary embodiment, fig. 2 is a flowchart of a method for detecting an abnormal access request corresponding to a TLS fingerprint feature based on an access request corresponding to the TLS fingerprint feature according to an exemplary embodiment of the present disclosure. Referring to fig. 2, the method for detecting the abnormal access request corresponding to the TLS fingerprint feature based on the access request corresponding to the TLS fingerprint feature includes the following steps.
In step S201, the number of access requests corresponding to TLS fingerprint features in a specified period of time is acquired.
The specified time period may be predefined, for example as a time unit on the order of seconds.
Further, the access requests obtained in this embodiment may be newly created access requests.
In this embodiment, an abnormal access request is determined by detecting that the number of access requests increases suddenly and substantially. A number threshold for abnormal access requests may be set.
If the number of access requests corresponding to the TLS fingerprint feature in the specified period is greater than the number threshold, step S202a is executed. If the number of access requests corresponding to the TLS fingerprint feature in the specified period is less than or equal to the number threshold, step S202b is executed.
In step S202a, if the number of access requests corresponding to the TLS fingerprint feature is greater than the number threshold in the specified period of time, it is determined that the access request corresponding to the TLS fingerprint feature is an abnormal access request.
In step S202b, if the number of access requests corresponding to the TLS fingerprint feature is less than or equal to the number threshold in the specified period of time, it is determined that the access request corresponding to the TLS fingerprint feature is a normal access request.
In an example in which the counted access requests are newly created access requests, the number threshold may be set to 80%.
If the new access requests corresponding to the TLS fingerprint feature make up more than 80% of all access requests, it is determined that the client corresponding to the TLS fingerprint feature is initiating abnormal access requests, CC attack behavior exists, and interception is needed.
If the new access requests corresponding to the TLS fingerprint feature make up 80% or less of all access requests, it is determined that the client corresponding to the TLS fingerprint feature is initiating normal access requests and no CC attack exists, so normal access may proceed.
In this embodiment, the number of access requests corresponding to the TLS fingerprint feature in the specified time period is counted, and access requests that increase suddenly and greatly in a short time can be identified by comparing that number with the number threshold. Because such sudden, large increases carry the risk of a CC attack, the access requests corresponding to TLS fingerprint features whose number exceeds the number threshold are determined to be abnormal, and CC attack defense can be performed effectively.
In the related art, the number of access requests may also increase sharply during a short-lived activity such as a sales promotion. Normal access requests may then grow in number, but they are not sent frequently by any one client, so their access rate is relatively low. For the abnormal access requests of a CC attack, however, access is frequent and the access rate is relatively high. Therefore, to identify abnormal access requests accurately, this embodiment can determine them by counting the access rate per unit time of the access requests corresponding to the TLS fingerprint feature.
In one embodiment, an access request whose access rate per unit time is greater than the access rate threshold may be determined to be an abnormal access request.
For example, for the access requests whose number corresponding to the TLS fingerprint feature is greater than the number threshold in the specified period, it may be further determined whether their access rate per unit time is greater than the access rate threshold; if so, the access requests corresponding to the TLS fingerprint feature may be determined to be abnormal. If the access rate is not greater than the threshold, the access requests corresponding to the TLS fingerprint feature may be normal.
As an exemplary embodiment, fig. 3 is a flowchart of a method for detecting an abnormal access request corresponding to a TLS fingerprint feature based on an access request corresponding to the TLS fingerprint feature according to an exemplary embodiment of the present disclosure. Referring to fig. 3, a method for detecting an abnormal access request corresponding to TLS fingerprint features based on an access request corresponding to TLS fingerprint features includes the following steps S301 to S302.
In step S301, the number of access requests corresponding to TLS fingerprint features within a specified period of time is acquired.
In step S302, if the number of access requests corresponding to the TLS fingerprint feature is greater than the number threshold in the specified period of time and the access rate in the unit time is greater than the access rate threshold, it is determined that the access request corresponding to the TLS fingerprint feature is an abnormal access request.
In this embodiment, once the number of access requests is found to be larger than the number threshold, it is further determined whether the access rate per unit time is larger than the access rate threshold, so that the abnormal access requests of a CC attack can be determined more accurately and the accuracy of CC attack defense is improved.
In one example, during a short-lived activity there may be a large number of client access requests to the server indicated by a certain SNI, but the normal access requests are sent by different clients. For example, M clients send M access requests in total within 1 s, so the access rate of each client is 1. A client that initiates a CC attack, however, may send M access requests within 1 s by itself, so its access rate is M. Therefore, by checking whether the access rate per unit time of the access requests corresponding to the TLS fingerprint feature is greater than the access rate threshold, this embodiment can accurately identify the abnormal access requests sent by the client initiating the CC attack even in a traffic-burst scenario such as a sales promotion, and thus perform CC attack defense effectively.
In another implementation manner of the disclosed embodiment, when detecting whether the access request corresponding to the TLS fingerprint feature is an abnormal access request based on the access request corresponding to the TLS fingerprint feature, the determination may be performed based on a blacklist and/or a whitelist.
In one example, a TLS fingerprint whitelist, and/or a TLS fingerprint blacklist may be provided in embodiments of the present disclosure.
The access request corresponding to the TLS fingerprint feature in the TLS fingerprint feature white list is a normal access request, and CC attack is not performed.
The access request corresponding to the TLS fingerprint feature of the TLS fingerprint feature blacklist is an abnormal access request, and the behavior of CC attack exists.
In one implementation of the disclosed embodiment, if it is detected that the TLS fingerprint feature belongs to a preset TLS fingerprint feature white list, it is determined that an access request corresponding to the TLS fingerprint feature is a normal access request.
In this embodiment, by setting a TLS fingerprint feature whitelist, normal access requests are recognized directly from the whitelist when normal and abnormal access requests are distinguished, and no other complex processing logic is needed for the judgment. In addition, the whitelist allows a large number of accesses by the designated TLS fingerprint features, which satisfies scenarios that require a large number of accesses.
In one implementation of this embodiment, when the above determination of abnormal access requests based on the number of access requests and the access rate is performed, it may be further checked that the TLS fingerprint feature does not belong to the preset TLS fingerprint feature whitelist. In other words, if the TLS fingerprint feature belongs to the preset whitelist, the corresponding access requests are not determined to be abnormal even if their number in the specified period is greater than the number threshold or their access rate per unit time is greater than the access rate threshold. Conversely, if the number of access requests corresponding to the TLS fingerprint feature in the specified period is greater than the number threshold, the access rate per unit time is greater than the access rate threshold, and the TLS fingerprint feature does not belong to the preset whitelist, the access requests corresponding to the TLS fingerprint feature are determined to be abnormal.
In this embodiment, additionally checking that the TLS fingerprint feature is not in the preset whitelist when determining abnormal access requests from the number and rate of access requests prevents a client whose TLS fingerprint feature is whitelisted from being misjudged as abnormal when it accesses the server a large number of times.
Based on the access request corresponding to the TLS fingerprint feature, when detecting the abnormal access request corresponding to the TLS fingerprint feature, it can be detected whether the TLS fingerprint feature belongs to a preset TLS fingerprint feature blacklist. If the TLS fingerprint feature is detected to belong to a preset TLS fingerprint feature blacklist, determining that the access request corresponding to the TLS fingerprint feature is an abnormal access request.
In this embodiment, determining that the access requests corresponding to a TLS fingerprint feature are abnormal by means of the TLS fingerprint feature blacklist needs no complex processing logic such as counting access requests and access rates, so the method is simpler and more efficient.
If the TLS fingerprint feature is found not to belong to the preset TLS fingerprint feature blacklist, whether the corresponding access requests are abnormal may be further determined using the number-and-rate method described above.
In this embodiment, the TLS fingerprint feature blacklist may be preset. When a TLS fingerprint feature whose access requests have been determined to be abnormal is added to the preset blacklist, the blacklist is updated, and in subsequent determinations the access requests of any TLS fingerprint feature that hits the blacklist may be determined to be abnormal directly.
Fig. 4 is a schematic diagram of an implementation process of a method for defending against a network attack according to an embodiment of the present disclosure.
Referring to fig. 4, the layer-4 traffic is parsed and the TLS client handshake packets of HTTPS requests are extracted. The SNI domain name is extracted from the TLS client handshake packet, and the corresponding TLS fingerprint md5 hash (the TLS fingerprint feature) is generated from the TLS fields. The number of access requests per TLS fingerprint md5 hash under each SNI is analysed in real time to judge whether a TLS fingerprint feature is abnormal. When the number of access requests corresponding to one or several TLS fingerprint md5 hashes increases suddenly and sharply (for example, the decision criterion is that new requests exceed 80%), and the TLS fingerprint md5 hash whose access surges is not in the TLS fingerprint feature whitelist, the access requests of that TLS fingerprint md5 hash are intercepted as a blocking defense. When one or more TLS fingerprint md5 hashes hit the TLS fingerprint feature blacklist, they are intercepted directly. When the TLS fingerprint md5 hash is in the TLS fingerprint feature whitelist, it is released directly for normal access.
According to this method for defending against network attacks, abnormal access requests are determined from TLS fingerprint features, so layer-7 traffic analysis is not needed and resource consumption is reduced. Further, because abnormal access requests are determined from the access rate of a TLS fingerprint feature, HTTPS CC attacks can be identified and blocked accurately in an emergency. Further, only the abnormal access requests corresponding to a TLS fingerprint feature are intercepted, rather than all access requests from an IP address, so clients sharing an IP address can be distinguished and false interception is avoided.
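As an added example (not the patent's own code), the following Python implements the fig. 4 flow end to end: a minimal ClientHello parser that pulls out the SNI and client fields, a JA3-style MD5 over version, cipher suites, extension types, groups and point formats as the TLS fingerprint md5 hash, and a per-SNI, per-fingerprint counter that applies the blacklist, whitelist, number and access-rate checks in that order. The hashed field set, the learned-blacklist update, the sample handshake and the thresholds are assumptions constructed for the example.

```python
import hashlib
import struct
from collections import defaultdict, deque

def build_client_hello(sni, ciphers, groups, formats, extra_exts=()):
    """Construct a minimal ClientHello record (constructed sample input, not real client traffic)."""
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data
    name = sni.encode("ascii")
    exts = ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)          # server_name
    exts += ext(10, struct.pack("!H%dH" % len(groups), 2 * len(groups), *groups))   # supported_groups
    exts += ext(11, bytes([len(formats)]) + bytes(formats))                          # ec_point_formats
    for etype in extra_exts:                                                         # empty extensions
        exts += ext(etype, b"")
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"                           # version, random, no session id
    body += struct.pack("!H%dH" % len(ciphers), 2 * len(ciphers), *ciphers)
    body += b"\x01\x00" + struct.pack("!H", len(exts)) + exts                        # null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the SNI and client fields of a ClientHello record; ValueError if it is not one."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # skip client random
    pos += 1 + body[pos]                            # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    ciphers = list(struct.unpack("!%dH" % (n // 2), body[pos + 2:pos + 2 + n]))
    pos += 2 + n
    pos += 1 + body[pos]                            # skip compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    sni, ext_types, groups, formats = None, [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == 0 and len(data) >= 5:           # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 10:                           # supported_groups
            groups = list(struct.unpack("!%dH" % ((len(data) - 2) // 2), data[2:]))
        elif etype == 11:                           # ec_point_formats
            formats = list(data[1:])
    return {"sni": sni, "version": version, "ciphers": ciphers,
            "extensions": ext_types, "groups": groups, "formats": formats}

def fingerprint_string(hello):
    """JA3-style field string (assumed field set): version,ciphers,extensions,groups,formats."""
    dash = lambda xs: "-".join(str(x) for x in xs)
    return ",".join([str(hello["version"]), dash(hello["ciphers"]), dash(hello["extensions"]),
                     dash(hello["groups"]), dash(hello["formats"])])

def fingerprint(hello):
    """The TLS fingerprint md5 hash of fig. 4."""
    return hashlib.md5(fingerprint_string(hello).encode()).hexdigest()

class FingerprintDefender:
    """Per-(SNI, fingerprint) counting in the fig. 4 decision order:
    blacklist -> intercept; whitelist -> release; otherwise number and rate thresholds."""
    def __init__(self, window, count_threshold, rate_threshold, whitelist=(), blacklist=()):
        self.window = window                        # the "specified time period", in seconds
        self.count_threshold = count_threshold      # number threshold over the window
        self.rate_threshold = rate_threshold        # access rate threshold per unit time (1 s)
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.hits = defaultdict(deque)              # (sni, fingerprint) -> arrival times

    def handle(self, record, now):
        hello = parse_client_hello(record)
        fp = fingerprint(hello)
        if fp in self.blacklist:
            return "intercept"
        if fp in self.whitelist:
            return "release"
        times = self.hits[(hello["sni"], fp)]
        times.append(now)
        while times and times[0] <= now - self.window:   # drop hits outside the period
            times.popleft()
        count = len(times)
        rate = sum(1 for t in times if t > now - 1.0)     # hits in the last unit of time
        if count > self.count_threshold and rate > self.rate_threshold:
            self.blacklist.add(fp)                  # learned fingerprint joins the blacklist
            return "intercept"
        return "release"
```

The two-condition check is what separates a burst (many requests in the period and a high rate in the last unit of time) from a steady high-volume client, which stays released.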
Based on the same conception, the embodiment of the disclosure also provides a device for defending against network attacks.
It may be understood that, in order to implement the above functions, the apparatus for defending against a network attack provided in the embodiments of the present disclosure includes corresponding hardware structures and/or software modules that perform each function. Taken together with the example units and algorithm steps disclosed in the embodiments, the disclosed embodiments may be implemented in hardware or in a combination of hardware and computer software. Whether a function is implemented as hardware or as computer software driving hardware depends on the particular application and the design constraints imposed on the solution. Those skilled in the art may implement the described functionality in different ways for each particular application, and such implementation is not to be considered as beyond the scope of the embodiments of the present disclosure.
Fig. 5 is a block diagram of an apparatus 500 for defending against a network attack according to an example embodiment of the present disclosure. Referring to fig. 5, the apparatus 500 includes an acquisition unit 501, a parsing unit 502, a determination unit 503, and a detection unit 504.
The acquisition unit 501 is configured to acquire a TLS client handshake packet of an encrypted HTTPS request. The parsing unit 502 is configured to parse the TLS client handshake packet to obtain the SNI and the client field features. The determination unit 503 is configured to determine the access request corresponding to a TLS fingerprint feature under the SNI, where the TLS fingerprint feature is generated from the client field features. The detection unit 504 is configured to detect an abnormal access request corresponding to the TLS fingerprint feature based on the access requests corresponding to that feature, and to intercept the abnormal access request.
The detection unit 504 detects an abnormal access request corresponding to the TLS fingerprint feature based on the access requests corresponding to the TLS fingerprint feature in the following manner:
it acquires the number of access requests corresponding to the TLS fingerprint feature in the specified time period, and if that number is greater than the number threshold, it determines that the access requests corresponding to the TLS fingerprint feature are abnormal access requests.
The detection unit 504 is further configured to determine, for the access requests whose number is greater than the number threshold, that the access rate per unit time is greater than the access rate threshold.
The detection unit 504 is further configured to determine that the TLS fingerprint feature does not belong to a preset TLS fingerprint feature whitelist.
The detection unit 504 may also detect an abnormal access request corresponding to the TLS fingerprint feature based on the access requests corresponding to the TLS fingerprint feature in the following manner: if the TLS fingerprint feature is detected to belong to a preset TLS fingerprint feature blacklist, the access request corresponding to the TLS fingerprint feature is determined to be an abnormal access request.
The detection unit 504 is further configured to determine that the access request corresponding to the TLS fingerprint feature is a normal access request if the TLS fingerprint feature is detected to belong to the preset TLS fingerprint feature whitelist.
The specific manner in which each unit of the above apparatus performs its operations has been described in detail in the method embodiments and is not repeated here.
In the technical solution of the present disclosure, the acquisition, storage and use of any user personal information involved comply with the relevant laws and regulations and do not violate public order and good morals.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 6 illustrates a schematic block diagram of an example electronic device 600 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 6, the apparatus 600 includes a computing unit 601 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 602 or a computer program loaded from a storage unit 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the device 600 may also be stored. The computing unit 601, ROM 602, and RAM 603 are connected to each other by a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Various components in the device 600 are connected to the I/O interface 605, including: an input unit 606 such as a keyboard, mouse, etc.; an output unit 607 such as various types of displays, speakers, and the like; a storage unit 608, such as a magnetic disk, optical disk, or the like; and a communication unit 609 such as a network card, modem, wireless communication transceiver, etc. The communication unit 609 allows the device 600 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 601 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 601 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 601 performs the various methods and processes described above, such as a method of defending against network attacks. For example, in some embodiments, the method of defending against a network attack may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 608. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 600 via the ROM 602 and/or the communication unit 609. When the computer program is loaded into RAM 603 and executed by the computing unit 601, one or more steps of the method of defending against a network attack described above may be performed. Alternatively, in other embodiments, the computing unit 601 may be configured to perform the method of defending against network attacks in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A method of defending against a network attack, comprising:
acquiring a transport layer client handshake packet of an encrypted hypertext transfer security protocol request;
parsing the transport layer client handshake packet to obtain a server name indication and client field features;
determining an access request corresponding to a transport layer fingerprint feature under the server name indication, wherein the transport layer fingerprint feature is generated from the client field features;
detecting an abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature; and
intercepting the abnormal access request corresponding to the transport layer fingerprint feature;
wherein detecting the abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature comprises:
acquiring the number of access requests corresponding to the transport layer fingerprint feature in a specified time period; and
if the number of access requests corresponding to the transport layer fingerprint feature in the specified time period is greater than a number threshold, determining that the access rate per unit time of the access requests whose number is greater than the number threshold is greater than an access rate threshold, and determining that the access requests corresponding to the transport layer fingerprint feature are abnormal access requests.
2. The method of claim 1, further comprising:
determining that the transport layer fingerprint feature does not belong to a preset transport layer fingerprint feature whitelist.
3. The method of claim 1, wherein detecting the abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature comprises:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature blacklist, determining that the access request corresponding to the transport layer fingerprint feature is an abnormal access request.
4. The method of claim 1, further comprising:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature whitelist, determining that the access request corresponding to the transport layer fingerprint feature is a normal access request.
5. An apparatus for defending against a network attack, comprising:
an acquisition unit, configured to acquire a transport layer client handshake packet of an encrypted hypertext transfer security protocol request;
a parsing unit, configured to parse the transport layer client handshake packet to obtain a server name indication and client field features;
a determination unit, configured to determine an access request corresponding to a transport layer fingerprint feature under the server name indication, wherein the transport layer fingerprint feature is generated from the client field features; and
a detection unit, configured to detect an abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature, and to intercept the abnormal access request corresponding to the transport layer fingerprint feature;
wherein the detection unit detects the abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature in the following manner:
acquiring the number of access requests corresponding to the transport layer fingerprint feature in a specified time period; and
if the number of access requests corresponding to the transport layer fingerprint feature in the specified time period is greater than a number threshold, determining that the access rate per unit time of the access requests whose number is greater than the number threshold is greater than an access rate threshold, and determining that the access requests corresponding to the transport layer fingerprint feature are abnormal access requests.
6. The apparatus of claim 5, wherein the detection unit is further configured to:
determine that the transport layer fingerprint feature does not belong to a preset transport layer fingerprint feature whitelist.
7. The apparatus of claim 5, wherein the detection unit detects the abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature in the following manner:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature blacklist, determining that the access request corresponding to the transport layer fingerprint feature is an abnormal access request.
8. The apparatus of claim 5, wherein the detection unit is further configured to:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature whitelist, determine that the access request corresponding to the transport layer fingerprint feature is a normal access request.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-4.
10. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-4.
CN202210227278.7A 2022-03-08 2022-03-08 Method, device, equipment, storage medium and program product for defending network attack Active CN114726579B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210227278.7A CN114726579B (en) 2022-03-08 2022-03-08 Method, device, equipment, storage medium and program product for defending network attack

Publications (2)

Publication Number Publication Date
CN114726579A CN114726579A (en) 2022-07-08
CN114726579B true CN114726579B (en) 2024-02-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant