CN114760083B - Method, device and storage medium for issuing attack detection file - Google Patents

Method, device and storage medium for issuing attack detection file

Info

Publication number: CN114760083B
Authority: CN (China)
Prior art keywords: attack, network, data packet, detection file, environment
Legal status: Active
Application number: CN202110025978.3A
Other languages: Chinese (zh)
Other versions: CN114760083A (en)
Inventors: 林万程, 洪旭升
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202110025978.3A; publication of CN114760083A; application granted; publication of CN114760083B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements

Abstract

The application relates to a method, a device and a storage medium for issuing an attack detection file. The method comprises: detecting network traffic data in a bypass environment with an attack detection file issued to that bypass environment, to obtain at least one network attack data packet; when the network attack data packet meets a first preset condition, extracting an attack string from the network attack data packet with the attack detection file; performing false-alarm detection on the attack string; and, when an online issuing instruction is received and the false-alarm detection result meets a second preset condition, issuing the attack detection file to the online environment. The method and device address the prior-art problem of attack detection files that go online with errors because of manual mis-operation or negligence.

Description

Method, device and storage medium for issuing attack detection file
Technical Field
The present disclosure relates to the field of computer technologies, and in particular to a method and apparatus for publishing an attack detection file, and a storage medium.
Background
A WAF (Web application firewall) blocks malicious attack requests by detecting features in HTTP/HTTPS messages. Mainstream WAFs integrate a regular expression engine and detect malicious requests with rules written as regular expressions, so that the malicious attack requests are blocked.
In the face of continually added vulnerabilities and diverse service scenarios, regular-expression rules must be changed frequently in practice, so that the changed rules detect the newly added vulnerabilities or fit the service scenarios.
However, when a regular-expression rule is changed, manual mis-operation or negligence easily puts an erroneous rule online, so that normal traffic is blocked by mistake or a malicious attack request is not blocked.
Disclosure of Invention
The technical problem addressed by the application is to provide a method, a device and a storage medium for issuing attack detection files, which can solve the prior-art problem of attack detection files going online with errors because of manual mis-operation or negligence.
To solve this problem, in one aspect the application provides a method for publishing an attack detection file, the method including: detecting network traffic data in a bypass environment with an attack detection file issued to the bypass environment, to obtain at least one network attack data packet; when the network attack data packet meets a first preset condition, extracting an attack string from the network attack data packet with the attack detection file; performing false-alarm detection on the attack string; and when an online issuing instruction is received and the false-alarm detection result meets a second preset condition, issuing the attack detection file to the online environment.
In another aspect, the application provides a device for issuing an attack detection file, including: a network attack data packet acquisition module, for detecting network traffic data in the bypass environment with an attack detection file issued to the bypass environment to obtain at least one network attack data packet; an attack string acquisition module, for extracting an attack string from the network attack data packet with the attack detection file when the network attack data packet meets a first preset condition; a false-alarm detection module, for performing false-alarm detection on the attack string; and an issuing module, for issuing the attack detection file to the online environment when an online issuing instruction is received and the false-alarm detection result meets a second preset condition.
In another aspect, the application provides a computer storage medium storing at least one instruction, at least one program, a code set or an instruction set, which is loaded by a processor to execute the method for issuing an attack detection file according to any one of the claims.
According to the embodiment of the application, the network traffic data in the bypass environment is detected with the attack detection file issued to the bypass environment to obtain at least one network attack data packet; when the network attack data packet meets a first preset condition, the attack string in the network attack data packet is extracted with the attack detection file; false-alarm detection is performed on the attack string; and when an online issuing instruction is received and the false-alarm detection result meets a second preset condition, the attack detection file is issued to the online environment. Thus the attack string is extracted only when the network attack data packets meet the first preset condition, and false-alarm detection is then performed on the extracted attack string, so that an abnormal increase in detected network attack data packets is caught before release, the reliability of the attack detection file issued to the online environment is improved, and false interception of normal traffic or missed attacks caused by the attack detection file after it goes online are avoided. The network traffic data in the bypass environment is fully used, and on that basis the attack content intercepted from the bypass environment's network traffic can be fed back to the test system so that no missed detections occur in subsequent changes.
Drawings
In order to illustrate more clearly the embodiments of the invention or the technical solutions and advantages of the prior art, the drawings used in the embodiments or in the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a hardware environment provided by an embodiment of the present application;
fig. 2 is a flowchart of a method for publishing an attack detection file according to an embodiment of the present application;
fig. 3 is a flowchart of a false alarm detection method in a method for publishing an attack detection file according to an embodiment of the present application;
fig. 4 is a flowchart of another false alarm detection method in the method for publishing an attack detection file according to the embodiment of the present application;
fig. 5 is a flowchart of a method for judging whether a network attack data packet meets a first preset condition in a method for publishing an attack detection file according to an embodiment of the present application;
fig. 6 is a flowchart of another method for judging whether a network attack data packet meets a first preset condition in a method for publishing an attack detection file according to an embodiment of the present application;
FIG. 7 is a flowchart of a method for publishing an attack detection file to a bypass environment in a method for publishing an attack detection file according to an embodiment of the present application;
FIG. 8 is a flowchart of a method for publishing an attack detection file to an online environment in a method for publishing an attack detection file according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a publishing device of an attack detection file according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a publishing device of an attack detection file according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The present application uses the following key terms, with the meanings given below.
Editing environment: the user's local environment, in which the corresponding attack detection file and its test cases are written. The editing environment also provides a local test interface, through which the written attack detection file and test cases can be tested locally.
Online environment: once an attack detection file has been issued to the online environment it intercepts malicious attack requests, so it must be ensured that an attack detection file is not issued to the online environment by mistake.
Bypass environment: an attack detection file issued to the bypass environment does not intercept anything; its hits are only recorded as detection data in an interception table. The network traffic data in the bypass environment may be mirrored data from the online environment, that is, the full traffic mirrored from the online environment, or it may be normal traffic stored in advance over a period of time.
Test system: independent test logic that reads the attack detection file and its test cases to run automated tests, reads the results of the automated tests, can supplement test cases, and blocks the release of the corresponding attack detection file when a test fails.
Statistical system: reads the interception information of the bypass environment and the online environment, counts and monitors it, judges whether the interception information is within a threshold, and takes the corresponding attack detection file offline when it is not.
In the course of this research the inventors found that existing work on release mainly concerns the release of application changes, such as gray (canary) release and blue-green release. The logic of gray or blue-green release differs from that of WAF release: a WAF release generally needs no user interaction or feedback to judge its result, it depends only on the content of the request packet, and its disposal result is simple, being one of only two outcomes, pass or intercept. Therefore, for a WAF release the rule must be guaranteed to be problem-free before it goes online, rather than being tested on live service.
In addition, for ordinary business testing the input/output logic is fixed: the input content is normally fixed, only the input needs to be considered in testing, and unexpected content needs only one uniform layer of handling. WAF release, by contrast, aims to intercept specific malicious traffic while facing all kinds of normal traffic, and must ensure that the normal traffic is not hit by the WAF rules. Covering all existing white (benign) traffic with test cases, as in conventional testing, is very hard to do.
In view of this, an embodiment of the present invention provides a method for publishing an attack detection file. Optionally, the method may be applied in a hardware environment formed by the first server 101, the second server 102 and the terminal 103 shown in fig. 1.
Optionally, the first server or the second server may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and an artificial intelligence platform. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc. The terminal and the server may be directly or indirectly connected through wired or wireless communication, which is not limited herein.
The cloud server involves cloud technology, which is a hosting technology that integrates hardware, software, network and other resources in a wide area network or a local area network to realize the computation, storage, processing and sharing of data.
Cloud technology is a general term for the network, information, integration, management-platform and application technologies based on the cloud computing business model; it forms a resource pool that is used flexibly and on demand. Cloud computing technology will become an important support: the background services of technical network systems, such as video websites, picture websites and portals, require large amounts of computing and storage resources. As the internet industry develops, every item may in future carry its own identifier that must be transmitted to a background system for logical processing; data of different levels will be processed separately, and industry data of all kinds needs strong back-end system support, which can only be realized through cloud computing.
Applications of cloud technology include medical clouds, cloud internet of things, cloud security, cloud calling, private clouds, public clouds, hybrid clouds, cloud gaming, cloud education, cloud conferencing, cloud social networking, artificial intelligence cloud services and so on.
Cloud security is a general term for the security software, hardware, users, institutions and security cloud platforms based on the cloud computing business model. It combines emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behaviour; by monitoring abnormal software behaviour on a large number of network clients it obtains the latest information on Trojans and malicious programs on the Internet, sends it to the server for automatic analysis and processing, and distributes the solutions for viruses and Trojans to each client.
The main research directions of cloud security are: 1. cloud computing security, that is, how to secure the cloud and the applications on it, including cloud computer system security, secure storage and isolation of user data, user access authentication, information transmission security, protection against network attacks, compliance auditing and so on; 2. cloudification of security infrastructure, mainly how to build and integrate security infrastructure resources with cloud computing and optimize protection mechanisms, using cloud computing to construct a very large-scale platform for collecting and processing security events and information, achieving collection and correlation analysis of massive information, and improving control of network-wide security events and of risk; 3. cloud security services, mainly the various security services provided to users on cloud computing platforms, such as anti-virus services.
As shown in fig. 1, a user (for example a tester) sends a bypass issue command to the first server 101 through the terminal 103. On receiving it, the first server 101 pulls the attack detection file to be issued from the second server 102 and issues it to the bypass environment deployed on the first server 101. The first server 101 then detects network attack data packets with the attack detection file issued to the bypass environment, extracts attack strings from them and performs false-alarm detection on the attack strings. When the first server 101 receives an online issue command from the terminal 103 and the false-alarm detection result satisfies the second preset condition, it issues the attack detection file to the online environment deployed on the first server 101.
A method for publishing an attack detection file according to an embodiment of the invention is described below with reference to fig. 2. As shown in fig. 2, the method includes:
Step S201: detecting network traffic data in a bypass environment with an attack detection file issued to the bypass environment, to obtain at least one network attack data packet;
In the embodiment of the invention, the attack detection file may be a rule file for a WAF that integrates a regular expression engine, and the network traffic data may be normal traffic stored in advance over a period of time, or mirrored data of the online environment, that is, the full traffic mirrored from the online environment. In the latter case, detecting the network traffic data in the bypass environment with the attack detection file issued to the bypass environment may include:
mirroring the network traffic data of the online environment into the bypass environment;
detecting the mirrored network traffic data with the attack detection file issued to the bypass environment.
In practice, if normal traffic stored in advance is used as the network traffic data in the bypass environment, a very large number of requests (on the order of billions) must be stored beforehand, the freshness of the request content cannot be guaranteed, and storing the requests risks retaining sensitive information. Mirroring the online environment's network traffic into the bypass environment avoids these problems.
In addition, because the bypass environment in this embodiment mirrors the online environment's network traffic, the attack content returned to the test system better matches the real online environment, which reduces missed detections in subsequent changes.
The network attack data packet may be an SQL (Structured Query Language) injection attack packet, an XSS (cross-site scripting) attack packet, a CSRF (cross-site request forgery) attack packet, or a packet of any other attack type that may disrupt a web server's service.
Step S203: when the network attack data packet meets a first preset condition, extracting an attack string from the network attack data packet with the attack detection file;
In the embodiment of the invention, whether the network attack data packets meet the first preset condition can be determined from the number of network attack data packets detected by the attack detection file in the bypass environment. For example, if the absolute value of the difference between the number of network attack data packets detected in the bypass environment by the (modified) attack detection file and the number detected by the attack detection file before modification is less than or equal to a preset count threshold, the network attack data packets are determined to meet the first preset condition.
If the network attack data packets do not meet the first preset condition, an alarm is raised, or the attack detection file is directly taken offline from the bypass environment so that it can be modified.
In practice, the attack detection file extracts attack strings from the network attack data packets only when this condition is met, which amounts to a preliminary reliability check on the attack detection file. This improves the reliability of the attack detection file issued to the online environment, and because the subsequent attack string extraction and false-alarm detection continue only after the preliminary check passes, an erroneous attack detection file is taken offline promptly instead of wasting the subsequent steps and the server's computing resources.
Extracting the attack string from a network attack data packet with the attack detection file generally requires decomposing the packet. After decomposition, each decomposed part is matched against each function (that is, each attack rule) in the attack detection file, and if a decomposed part is hit by any attack rule, the string of that part is determined to be the attack string.
Taking an SQL injection attack data packet as an example, one such packet obtained by the server is as follows:
GET /cgi-bin/session/checklogin?appid=wxcbc3ab3807acb685&openid=oA0GbjokU2EOG3o_TvAmBNpvodlE&fskey=v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1 HTTP/1.1
Host:ifzq.gtimg.cn
User-Agent:Go-http-client/1.1
Content-Type:application/json;charset=utf-8
Cookie:
Accept-Encoding:gzip
Here Host is the host name the request is addressed to, User-Agent identifies the client software, Content-Type is the MIME (Multipurpose Internet Mail Extensions) type of the document, Cookie carries the stored cookie, and Accept-Encoding lists the content encodings the client knows how to decode.
The GET parameters contained in the SQL injection attack data packet are decomposed into appid, openid and fskey; these names are used as keys and the corresponding parameter values are stored as values, giving:
{'appid':['wxcbc3ab3807acb685'],
'openid':['oA0GbjokU2EOG3o_TvAmBNpvodlE'],
'fskey':["v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1"]}
After decomposition, the decomposed SQL injection attack data packet is matched against the attack rules in the attack detection file; the matched position is returned, and the parameter at that position is the attack string. For example, when the decomposed packet above is matched against the attack detection file, the returned position is fskey, and the attack string is determined to be:
v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1
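The decomposition and rule matching described above, as an added Python example that is not code from the patent: the request line is split so that a payload containing spaces survives, the GET parameters are stored as key to list-of-values exactly as shown above, and every decomposed part (path, each parameter value, each header, body) is matched against a rule set. The rule set with its rule names, the benign comparison request and the position labels are assumptions made for this example; the attack request is the page's own, joined onto one request line.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the SQL injection request shown above, with the wrapped
# request line joined back onto one line.
SAMPLE_ATTACK = (
    "GET /cgi-bin/session/checklogin?appid=wxcbc3ab3807acb685"
    "&openid=oA0GbjokU2EOG3o_TvAmBNpvodlE"
    "&fskey=v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610AND"
    "(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1 HTTP/1.1\r\n"
    "Host:ifzq.gtimg.cn\r\n"
    "User-Agent:Go-http-client/1.1\r\n"
    "Content-Type:application/json;charset=utf-8\r\n"
    "Cookie:\r\n"
    "Accept-Encoding:gzip\r\n"
    "\r\n"
)

# Constructed benign request to the same endpoint, for comparison.
SAMPLE_BENIGN = (
    "GET /cgi-bin/session/checklogin?appid=wxcbc3ab3807acb685&openid=abc HTTP/1.1\r\n"
    "Host:ifzq.gtimg.cn\r\n"
    "User-Agent:Mozilla/5.0\r\n"
    "\r\n"
)

# Hypothetical attack detection file: named regular-expression rules. These are
# illustrative, not the rules of any real WAF.
RULES = {
    "sqli_time_based": re.compile(r"(?i)\bsleep\s*\(\s*\d+\s*\)"),
    "sqli_union_select": re.compile(r"(?i)\bunion\b.{0,20}?\bselect\b"),
    "xss_script_tag": re.compile(r"(?i)<\s*script\b"),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, version, path, query, headers
    and body. The request target is taken from the first space to the last
    space of the request line, so a payload that itself contains spaces (as
    the SQL injection above does) is not truncated."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target, _, version = rest.rpartition(" ")
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "version": version, "path": path,
            "query": parse_qs(query, keep_blank_values=True),
            "headers": headers, "body": body}


def decompose(req):
    """Yield (position, text) pairs, one per part that a rule may hit."""
    yield "path", req["path"]
    for name, values in req["query"].items():
        for value in values:  # a parameter may repeat, hence the list
            yield "query:" + name, value
    for name, value in req["headers"].items():
        yield "header:" + name, value
    if req["body"]:
        yield "body", req["body"]


def detect(raw, rules=RULES):
    """Return [(position, rule_name, attack_string), ...] for every part that
    a rule hits; an empty list means the packet is not an attack packet."""
    hits = []
    for position, text in decompose(parse_request(raw)):
        for rule_name, pattern in rules.items():
            if pattern.search(text):
                hits.append((position, rule_name, text))
                break  # the whole part is the attack string; one hit suffices
    return hits


if __name__ == "__main__":
    for position, rule_name, attack_string in detect(SAMPLE_ATTACK):
        print(f"{rule_name} hit at {position}: {attack_string}")
```

For the attack request the only hit is at `query:fskey`, and the returned attack string is the whole fskey value, matching the page's result. A production WAF normalizes each part before matching (percent-decoding, case folding, stripping SQL comments), which this example leaves out; without that step a trivially encoded payload would pass the rules above.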
step S205: performing false alarm detection on the attack character string;
in the embodiment of the invention, after the attack character string is extracted from the network attack data packet, false alarm detection is needed to be carried out on the attack character string. When the attack character string has false alarm detection, the attack detection file issued to the bypass environment is not well completed with the vulnerability detection, so that the attack detection file needs to be downloaded from the bypass environment to be modified; when the attack character string is not detected by false alarm, the attack detection file can be released to an online environment.
In some embodiments, as shown in fig. 3, the detecting the attack string by false positive may include:
step S301: judging whether the network attack data packet in which the attack character string is positioned comprises a preset white feature or not, wherein the preset white feature is used for representing that the network data packet with the attack character string is credible;
step S303: if yes, determining the network attack data packet as a trusted network data packet;
step S305: and determining the attack character string extracted from the trusted network data packet as a false alarm attack character string.
For example, if the User-Agent feature is some trusted browser, or the IP (Internet Protocol Address ) is internal to the company, if the network attack packet includes the trusted User-Agent feature or the IP internal to the company, it is indicated that the network attack packet including these features is a trusted packet, and the attack string previously extracted from the network attack packet is a false alarm, that is, the attack string previously extracted from the network packet is actually a non-attack string.
In other embodiments, as shown in fig. 4, performing false-alarm detection on the attack string may further include:
step S401: extracting the non-hit fields of the network attack data packet containing the attack string, where a non-hit field is a field of the network attack data packet that the attack detection file did not hit;
step S403: judging, based on the similarity between the non-hit fields of any one network attack data packet and the non-hit fields of all the other network attack data packets, whether that network attack data packet is an outlier attack data packet;
step S405: if so, determining that the attack string extracted from the outlier attack data packet is a false-alarm attack string.
For example, suppose 3 network attack data packets, A, B and C, are detected in the network traffic data and meet the first preset condition, and one non-hit field is extracted from each, namely field a, field b and field c. Taking field a, its similarity to each of the other fields b and c is computed; suppose the similarity of a to b is 0.1 and the similarity of a to c is 0.2 (where a similarity of 1 means the two fields are identical). Field a is then dissimilar to all the other fields, so network attack data packet A is an outlier attack data packet, and the attack string extracted from it is correspondingly determined to be a false alarm.
A non-hit field is a field of the network attack data packet that the attack detection file did not hit. Consider, by way of example, the following network attack data packet:
POST /SdkApi/enter?&timestamp=1605806506 HTTP/1.1
host:www.qq.com
connection:close
content-length:1009
charset:UTF-8
accept-encoding:identity
content-encoding:gzip
content-type:application/json
{"ssid":"ping fan zhi lu_5G","lat":29.60291,"lng":106.546554,
"nearbyWifi":"ping fan zhi lu;ping fan zhi lu_5G;1805;ccegyy;susanna;
HUAWEI-PZD2MD;CMCC-aMjQ;CMCC-eZd7;CCN_sunyong;"}
In this packet, the field "ping fan zhi lu_5G" (the ssid value) is a non-hit field.
Of course, there are various other ways to perform false-alarm detection on the attack string: for example, identifying false alarms in response to labelling instructions from a user (such as a tester); or, as another example, aggregating the network attack data packets, classifying them by attributes such as request header length, request body length, associated IP and User-Agent, and identifying false alarms from the classes. These are not described in detail here.
Step S207: and when an online issuing instruction is received and the false alarm detection result meets a second preset condition, issuing the attack detection file to the online environment.
In the embodiment of the invention, whether the false-alarm detection result meets the second preset condition can be determined from the number of false-alarm attack strings. For example, if the ratio of the number of false-alarm attack strings to the total number of extracted attack strings is less than or equal to a first preset ratio, the false-alarm detection result is determined to meet the second preset condition; alternatively, the result is determined to meet the second preset condition when the number of false-alarm attack strings does not exceed a preset false-alarm value.
According to the embodiment of the application, the network traffic data in the bypass environment is detected with the attack detection file issued to the bypass environment to obtain at least one network attack data packet; when the network attack data packet meets a first preset condition, the attack string in the network attack data packet is extracted with the attack detection file; false-alarm detection is performed on the attack string; and when an online issuing instruction is received and the false-alarm detection result meets a second preset condition, the attack detection file is issued to the online environment. Thus the attack string is extracted only when the network attack data packets meet the first preset condition, and false-alarm detection is then performed on the extracted attack string, so that the reliability of the attack detection file issued to the online environment is improved and false interception of normal traffic or missed attacks caused by the attack detection file after it goes online are avoided. The network traffic data in the bypass environment is fully used, and on that basis the attack content intercepted from the bypass environment's network traffic can be fed back to the test system so that no missed detections occur in subsequent changes.
Referring to fig. 5, fig. 5 is a schematic flow chart of an alternative method for publishing an attack detection file according to an embodiment of the present invention, and in some embodiments, before step S203, steps S501 to S505 shown in fig. 5 may be further included, and specific steps are described below:
step S501: when the attack detection file comprises a first function of a modification type, acquiring a first accumulated number of network attack data packets hit by the first function in the bypass environment within a first preset time, wherein the modification type is used for representing that the first function in the attack detection file is modified on the basis of an original function;
step S503: acquiring a second accumulated number of historical network attack data packets hit by the original function in the bypass environment within a first preset time;
step S505: and when the absolute value of the difference value between the first accumulated number and the second accumulated number is smaller than or equal to a first preset threshold value, determining that the network attack data packet meets a first preset condition.
For example, the first function is a modified IP rule. The first cumulative number of network attack data packets hit by the modified IP rule in the bypass environment is 4000, and the second cumulative number of historical network attack data packets hit by the original function, i.e. the IP rule before modification, in the bypass environment is 4100, so the absolute value of the difference between the two is 100. If the first preset threshold is set to 200, the network attack data packets satisfy the first preset condition, and the attack strings in them may be extracted using the attack detection file.
If instead the first cumulative number of network attack data packets hit by the modified IP rule in the bypass environment is 4400, the absolute difference is 300, which exceeds the first preset threshold of 200; the network attack data packets then do not meet the first preset condition, the attack detection file is automatically taken offline from the bypass environment, and the extraction of attack strings from the network attack data packets is not triggered.
In practical application, threshold verification can be targeted: it is performed only for the modified functions rather than for the whole attack detection file, which improves detection efficiency while preserving detection reliability.
Referring to fig. 6, fig. 6 is a schematic flow chart of an alternative method for publishing an attack detection file according to an embodiment of the present invention, and in some embodiments, before step S203, steps S601 to S607 may be further included as shown in fig. 6, and specific steps are described below:
step S601: when the attack detection file comprises a second function of a new type, acquiring a third accumulated number of network attack data packets hit by the second function in the bypass environment within a second preset time, wherein the new type is used for representing that the second function in the attack detection file is obtained by being newly added;
Step S603: acquiring a scene type corresponding to the second function, wherein the scene type and the second function have a pre-established corresponding relation;
step S605: determining a corresponding second preset threshold value based on the scene type;
step S607: and when the third accumulated number is smaller than or equal to the second preset threshold value, determining that the network attack data packet meets a first preset condition.
The second function and the scene type have a pre-established correspondence. For example, when an IP rule and a domain name rule are newly added, each is bound to a scene type at creation time, say the scene of malicious scanning for 0day (zero-day) vulnerabilities.
A second preset threshold is preset for each scene type; it is a threshold on the number of network attack data packets hitting the second function. For example, for the scene of malicious 0day scanning, the second preset threshold corresponding to the IP rule is set to 10, that corresponding to the domain name rule to 50, and that corresponding to the total interception amount to 5000. This means that the number of network attack data packets hitting the newly added IP rule may not exceed 10, the number hitting the newly added domain name rule may not exceed 50, and the total number of network attack data packets hit may not exceed 5000. If both newly added rules satisfy their thresholds, the network attack data packets meet the first preset condition and may be collected for extraction of attack strings; if the accumulated number of network attack data packets hitting any newly added rule fails its threshold, the network attack data packets do not meet the first preset condition, and the attack detection file may be taken offline from the bypass environment.
For another example, an IP rule that matches the source IP address of the data packet is newly added for a network scanning scene, and the corresponding second preset threshold is set to 10. If the accumulated number of network attack data packets hitting the rule does not exceed 10, the network attack data packets satisfy the first preset condition, and the data packets may be collected for extraction of attack strings.
In practical application, threshold verification can be performed in a targeted manner, namely, threshold verification is performed only for a newly added function, but not for the whole attack detection file, so that the detection efficiency can be improved on the basis of ensuring the detection reliability; moreover, since different second preset thresholds are set based on different application scenes, the reliability of detection can be further improved.
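The following is an added illustration of the first preset condition as described in steps S501 to S505 and S601 to S607 together; it is not code from the patent. It assumes a hypothetical rule file with one modified rule and three newly added rules, a one-hour observation window, constructed hit records, and the threshold values used in the examples above (200 for the modified rule; 10, 50 and 5000 for the malicious 0day scanning scene; 10 for the network scanning scene). Hits outside the window are ignored, and a single failed check takes the whole file offline from the bypass environment.

```python
"""First preset condition for a changed attack detection file: steps S501-S505
(modified function) and S601-S607 (newly added function). This is an added
illustration, not code from the patent; the rule metadata, hit records,
observation window and every threshold value are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                       # "ip" or "domain"
    change: str                     # "modified", "new" or "unchanged"
    scene: Optional[str] = None     # scene type bound to a new rule at creation
    original: Optional[str] = None  # modified rule: name of the pre-change version


FIRST_PRESET_THRESHOLD = 200  # max |hits(modified rule) - hits(original rule)|

# Second preset thresholds per scene type, keyed by rule kind; "total" caps the
# combined hits of all new rules bound to that scene.
SECOND_PRESET_THRESHOLDS: Dict[str, Dict[str, int]] = {
    "malicious_0day_scan": {"ip": 10, "domain": 50, "total": 5000},
    "network_scan": {"ip": 10},
}

RULES: List[Rule] = [
    Rule("ip_block_v2", "ip", "modified", original="ip_block_v1"),
    Rule("scan_domain", "domain", "new", scene="malicious_0day_scan"),
    Rule("scan_ip", "ip", "new", scene="malicious_0day_scan"),
    Rule("probe_ip", "ip", "new", scene="network_scan"),
]

WINDOW = (0, 3600)     # preset time: one hour of bypass traffic, in seconds
Hit = Tuple[int, str]  # (timestamp, name of the rule that hit)


def hits_in_window(records: List[Hit], window: Tuple[int, int] = WINDOW) -> Counter:
    """Accumulated number of hits per rule inside the observation window."""
    start, end = window
    return Counter(name for t, name in records if start <= t < end)


def check_modified(rule: Rule, current: Counter, historical: Counter) -> bool:
    """S505: a modified rule must hit about as often as its original did."""
    return abs(current[rule.name] - historical[rule.original]) <= FIRST_PRESET_THRESHOLD


def check_new(rule: Rule, current: Counter) -> bool:
    """S607: a new rule must not exceed the threshold of its scene and kind."""
    return current[rule.name] <= SECOND_PRESET_THRESHOLDS[rule.scene][rule.kind]


def check_scene_totals(rules: List[Rule], current: Counter) -> Dict[str, bool]:
    """Scenes that define a "total" cap: sum the hits of their new rules."""
    totals: Counter = Counter()
    for r in rules:
        if r.change == "new":
            totals[r.scene] += current[r.name]
    return {scene: totals[scene] <= limits["total"]
            for scene, limits in SECOND_PRESET_THRESHOLDS.items() if "total" in limits}


def first_preset_condition(rules, bypass_records, historical_records, window=WINDOW):
    """Returns (ok, per-check verdicts). ok=False means the file is taken
    offline from the bypass environment and no attack strings are extracted."""
    current = hits_in_window(bypass_records, window)
    historical = hits_in_window(historical_records, window)
    verdicts: Dict[str, bool] = {}
    for r in rules:
        if r.change == "modified":
            verdicts[r.name] = check_modified(r, current, historical)
        elif r.change == "new":
            verdicts[r.name] = check_new(r, current)
    for scene, ok in check_scene_totals(rules, current).items():
        verdicts["total:" + scene] = ok
    return all(verdicts.values()), verdicts


def synth(name: str, n: int, start: int = 0) -> List[Hit]:
    """Constructed hit records: n hits of one rule spread over an hour from start."""
    return [(start + i % 3600, name) for i in range(n)]


HISTORICAL = synth("ip_block_v1", 4100)  # original rule in the earlier window
BYPASS_OK = (synth("ip_block_v2", 4000) + synth("scan_domain", 30) + synth("scan_ip", 8)
             + synth("probe_ip", 7) + synth("probe_ip", 20, start=7200))  # last batch outside WINDOW
BYPASS_DRIFT = (synth("ip_block_v2", 4400) + synth("scan_domain", 30) + synth("scan_ip", 8)
                + synth("probe_ip", 7))

if __name__ == "__main__":
    print(first_preset_condition(RULES, BYPASS_OK, HISTORICAL))
    print(first_preset_condition(RULES, BYPASS_DRIFT, HISTORICAL))
```

The first data set passes every check (difference 100 for the modified rule, 30, 8 and 7 hits for the new rules, 38 in total for the 0day scene); the second fails only because the modified rule drifted by 300, which is enough to take the file offline.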
Fig. 7 is a schematic flowchart of an alternative method for publishing an attack detection file according to an embodiment of the present invention, and in some embodiments, before step S201, steps S701 to S705 shown in fig. 7 may be further included, and specific steps are described below:
step S701: when a bypass issuing instruction is received, acquiring a test case and an attack detection file to be issued, wherein the test case comprises at least one initial test sample, the initial test samples are provided with attribute identifiers, and the attribute identifiers are used for representing that the initial test samples are of a non-attack type or an attack type;
Step S703: detecting the initial test sample by using the attack detection file to obtain an intercepted initial test sample;
step S705: and when the attribute identification of the intercepted initial test sample meets a third preset condition, issuing the attack detection file to the bypass environment.
The test case and the attack detection file to be issued may be pre-stored in a database. The database may comprise an online branch and a bypass branch: the online branch stores attack detection files to be issued to the online environment, and the bypass branch stores attack detection files to be issued to the bypass environment. When a bypass issuing instruction from a user is received, the test case and the attack detection file corresponding to the identifier of the attack detection file carried in the instruction may be pulled from the bypass branch of the database.
After the user edits the attack detection file and the corresponding test case in the local environment, they must first be tested there; once the local test passes, the edited attack detection file and the corresponding test case are saved to the bypass branch of the database.
After the attack detection file and the initial test samples are obtained, the initial test samples are tested using the attack detection file. If the ratio of the number of attack-type samples intercepted by the attack detection file to the number of attack-type samples in the initial test samples is greater than or equal to a second preset ratio, or if the ratio of the number of non-attack-type samples intercepted by the attack detection file to the number of non-attack-type samples in the initial test samples is less than or equal to a third preset ratio, the detection result on the initial test samples is deemed to meet the third preset condition, and the attack detection file is issued to the bypass environment.
For example, the total number of initial test samples is 1000, of which 800 have the attribute identifier non-attack type and 200 have the attribute identifier attack type. If the attack detection file intercepts 100 attack-type samples, the ratio of intercepted attack-type samples to attack-type samples in the initial test samples is 0.5; with the second preset ratio set to 0.8, the initial test samples do not meet the third preset condition.
It should be noted that the initial test samples may include false alarm samples. False alarm samples are usually samples that were falsely reported as attack samples in a previous test run and returned to the test system; since they are in fact white (benign) samples, their attribute identifier may be set to non-attack type.
In practical application, the existing sample data, i.e. the initial test samples, can be used for a preliminary screening of the attack detection file to be released, so that an unqualified attack detection file is not released to the bypass environment, which avoids waste in the subsequent flow and unnecessary use of server computing resources.
In some embodiments, after false alarm detection on the attack strings, whether the attack detection file may be issued is recorded, and when an online issuing instruction from the user is received, the record is looked up directly and the decision whether to issue is taken from it.
For example, after false alarm detection on the attack strings determines that the false alarm detection result meets the second preset condition, i.e. that the attack detection file may be issued to the online environment, this information is recorded, and when an online issuing instruction from the user is received, the attack detection file is issued to the online environment directly based on it.
However, there may be special release situations in practice. For example, after the false alarm detection, the user (say user A) does not release immediately but releases one or several days later, or the release is performed by another user (say user B). If user A modified the attack detection file before releasing and, days later, has forgotten the modification, or user B does not know about user A's modification, then releasing according to the previously stored record easily leads to a wrong attack detection file being released to the online environment.
In view of this, as shown in fig. 8, before the step of publishing the attack detection file to the online environment, the method may further include:
step S801: setting attribute identifiers for the attack character strings after false alarm detection, wherein the attribute identifiers of the attack character strings subjected to false alarm are used for representing that the attack character strings are of non-attack types, and the attribute identifiers of the attack character strings subjected to false alarm are used for representing that the attack character strings are of attack types;
step S803: taking each identified attack character string as a supplementary sample, and forming a target test sample of the test case together with the initial test sample;
Step S805: when an online issuing instruction is received and the false alarm detection result meets a second preset condition, detecting the target test sample by using the attack detection file to obtain an intercepted target test sample;
step S807: and when the attribute identification of the intercepted target test sample meets a fourth preset condition, executing the step of publishing the attack detection file to the online environment.
Steps S805 and S807 are similar to steps S703 and S705: if the ratio of the number of attack-type samples intercepted by the attack detection file to the number of attack-type samples in the target test sample is greater than or equal to the second preset ratio, or if the ratio of the number of non-attack-type samples intercepted by the attack detection file to the number of non-attack-type samples in the target test sample is less than or equal to the third preset ratio, the detection result on the test samples of the test case meets the fourth preset condition, and the attack detection file is issued to the online environment.
In this way, the release of a wrong attack detection file to the online environment under such special release conditions can be avoided, and the reliability of the attack detection file in the online environment is improved.
Before the attack detection file is released to the online environment, a code merging operation is further required to be performed by using software such as GitLab, and the changes in the bypass branches of the database are merged into the online branches, so as to realize the release of the attack detection file in the online environment.
Preferably, step S803 may include:
performing similarity comparison on each attack character string;
if the similarity of any two attack strings is greater than or equal to the preset similarity, determining that the corresponding two attack strings are similar attack strings;
performing de-duplication processing on the similar attack character strings;
and taking the attack character string after the duplication removal processing as a supplementary sample, and forming a target test sample of the test case together with the initial test sample.
For example, the identified attack strings are a, b and c, where the similarity between attack string a and attack string b is greater than or equal to the preset similarity; deduplication of a and b removes attack string b, and attack strings a and c are retained.
Optionally, after the deduplication processing, the attack character string after the deduplication processing may be sampled, and the sampled attack character string is used as a supplementary sample, and the supplementary sample and the initial test sample together form a target test sample of the test case.
In practical application, through the de-duplication and sampling processing in the bypass environment, the number of similar attack samples can be greatly reduced, and the efficiency of interception test in the bypass environment is improved.
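The following is an added illustration of the test-case gate of steps S701 to S705 and of steps S801 to S807 together with the deduplication above; it is not code from the patent. It assumes two hypothetical versions of an attack detection file (a loose and a tightened SQL injection regex), constructed initial test samples with attribute identifiers, constructed attack strings from the bypass environment with their false alarm verdicts, a similarity threshold of 0.8 for deduplication, and a gate that requires both a minimum share of intercepted attack samples and a maximum share of intercepted non-attack samples (the reading the 0.5 versus 0.8 example above implies). Only strings with the same attribute identifier are merged, so a false alarm sample is never collapsed into a similar attack sample.

```python
"""Test-case gating of an attack detection file before release (steps S701-S705
and S801-S807) plus deduplication of similar attack strings into supplementary
samples. Added illustration only, not code from the patent; the rule sets,
sample payloads, labels and thresholds are constructed assumptions."""
import difflib
import random
import re
from typing import Dict, List, Optional, Sequence, Tuple

Sample = Tuple[str, str]  # (payload, attribute identifier: "attack" or "non_attack")

# Two hypothetical versions of the attack detection file.
RULES_LOOSE: Dict[str, re.Pattern] = {
    "sqli": re.compile(r"union\s+select", re.I),
    "xss": re.compile(r"<script", re.I),
}
RULES_STRICT: Dict[str, re.Pattern] = {
    "sqli": re.compile(r"\bunion\s+select\b", re.I),
    "xss": re.compile(r"<script", re.I),
}

# Constructed initial test samples of the test case.
INITIAL_SAMPLES: List[Sample] = [
    ("a union select b", "attack"),
    ("x UNION   SELECT y", "attack"),
    ("<script>alert(1)</script>", "attack"),
    ("<SCRIPT src=evil>", "attack"),
    ("hello world", "non_attack"),
    ("select a book", "non_attack"),
    ("union station", "non_attack"),
    ("script kiddie", "non_attack"),
]

# Constructed attack strings extracted in the bypass environment, with the
# verdict of false alarm detection (True = false alarm).
BYPASS_STRINGS: List[Tuple[str, bool]] = [
    ("1 union select 1", False),
    ("2 union select 2", False),        # near-duplicate of the line above
    ("<script>alert(1)</script>", False),
    ("reunion selected", True),         # benign text that merely contains the pattern
]


def intercepted(payload: str, rules: Dict[str, re.Pattern]) -> bool:
    return any(p.search(payload) for p in rules.values())


def gate(samples: Sequence[Sample], rules, min_recall: float = 0.8, max_fp_rate: float = 0.05):
    """Third/fourth preset condition: share of attack samples intercepted must be
    >= min_recall and share of non-attack samples intercepted <= max_fp_rate."""
    attacks = [p for p, lab in samples if lab == "attack"]
    benign = [p for p, lab in samples if lab == "non_attack"]
    recall = sum(intercepted(p, rules) for p in attacks) / len(attacks) if attacks else 1.0
    fp_rate = sum(intercepted(p, rules) for p in benign) / len(benign) if benign else 0.0
    return recall >= min_recall and fp_rate <= max_fp_rate, recall, fp_rate


def label_strings(strings: Sequence[Tuple[str, bool]]) -> List[Sample]:
    """Step S801: false alarm strings become non-attack samples, the rest attack samples."""
    return [(s, "non_attack" if false_alarm else "attack") for s, false_alarm in strings]


def dedup_similar(samples: Sequence[Sample], min_similarity: float = 0.8) -> List[Sample]:
    """Keep the first of every group of same-labelled strings whose similarity
    is >= min_similarity (difflib ratio, 1.0 for identical strings)."""
    kept: List[Sample] = []
    for cand in samples:
        if not any(cand[1] == k[1] and
                   difflib.SequenceMatcher(None, cand[0], k[0]).ratio() >= min_similarity
                   for k in kept):
            kept.append(cand)
    return kept


def sample_strings(samples: Sequence[Sample], size: Optional[int] = None, seed: int = 0) -> List[Sample]:
    """Optional sampling after deduplication; deterministic for a given seed."""
    if size is None or size >= len(samples):
        return list(samples)
    return random.Random(seed).sample(list(samples), size)


def build_target_test_sample(initial, bypass_strings, size: Optional[int] = None) -> List[Sample]:
    """Step S803: deduplicated (and optionally sampled) labelled strings are the
    supplementary samples; together with the initial samples they form the target set."""
    supplementary = sample_strings(dedup_similar(label_strings(bypass_strings)), size)
    return list(initial) + supplementary


def release_decision(initial, bypass_strings, rules):
    """Steps S805/S807: rerun the gate over the target test sample right before
    publishing, so that edits made after false alarm detection are caught."""
    ok, recall, fp_rate = gate(build_target_test_sample(initial, bypass_strings), rules)
    return ("publish" if ok else "hold", recall, fp_rate)


if __name__ == "__main__":
    print(release_decision(INITIAL_SAMPLES, BYPASS_STRINGS, RULES_LOOSE))
    print(release_decision(INITIAL_SAMPLES, BYPASS_STRINGS, RULES_STRICT))
```

The loose file passes the initial samples alone, but once the false alarm "reunion selected" has been fed back as a non-attack sample it intercepts one of five non-attack samples and is held; the tightened regex no longer matches that text and is published.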
In some embodiments, after the step of publishing the attack detection file to the online environment, the method may further include:
monitoring a fourth accumulated number of network attack data packets intercepted in the online environment within a third preset time;
monitoring a fifth accumulated number of network attack data packets detected in the bypass environment within the third preset time;
and when the absolute value of the difference value between the fourth accumulated number and the fifth accumulated number is larger than or equal to a third preset threshold value, the attack detection file is offline from the online environment.
In the embodiment of the invention, after the attack detection file goes online, the difference between the accumulated number of network attack data packets intercepted in the online environment and the accumulated number detected in the bypass environment over a period of time is still monitored. When the difference is greater than or equal to the third preset threshold, the online attack detection file may still contain errors and must be taken offline for inspection or modification; conversely, if the difference is less than the third preset threshold, the online attack detection file is reliable.
The network attack data packet may refer to a data packet intercepted by various rules, or may refer to a network attack data packet hitting a certain function in the attack detection file, for example, a network attack data packet hitting a certain IP rule, or a network attack data packet hitting a certain domain name rule.
It should be noted that, the fourth cumulative number and the fifth cumulative number are cumulative numbers based on network attack data packets under the same standard, for example, if the online environment statistics is the cumulative number of network attack data packets hitting a certain IP rule, then the statistics in the bypass environment must also be the cumulative number of network attack data packets hitting the same IP rule.
In practical application, after the attack detection file goes online, its behaviour in the online environment is monitored for a further period. When its behaviour in the online environment is consistent with its behaviour in the bypass environment, the online attack detection file is applied to actual business; when the two differ greatly, the attack detection file is taken offline from the online environment, which further ensures the reliability of attack detection files issued to the online environment.
The embodiment of the invention also provides a device for issuing the attack detection file, referring to fig. 9, the device comprises:
the network attack data packet obtaining module 910 is configured to detect network traffic data in a bypass environment by using an attack detection file issued to the bypass environment, so as to obtain at least one network attack data packet;
an attack character string obtaining module 920, configured to extract an attack character string in the network attack data packet by using the attack detection file when the network attack data packet meets a first preset condition;
a false alarm detection module 930, configured to perform false alarm detection on the attack string;
and an online environment issuing module 940, configured to issue the attack detection file to the online environment when an online issuing instruction is received and a result of false alarm detection meets a second preset condition.
In some embodiments, the apparatus may further comprise:
the first accumulated number obtaining module is used for obtaining the first accumulated number of network attack data packets hit by the first function in the bypass environment in a first preset time when the first function of a modification type is included in the attack detection file, wherein the modification type is used for representing that the first function in the attack detection file is modified on the basis of the original function;
The second accumulated number acquisition module is used for acquiring a second accumulated number of historical network attack data packets hit by the original function in the bypass environment within the first preset time;
and the judging module is used for determining that the network attack data packet meets a first preset condition when the absolute value of the difference value between the first accumulated number and the second accumulated number is smaller than or equal to a first preset threshold value.
In some embodiments, the apparatus may further comprise:
a third accumulated number obtaining module, configured to obtain, when the attack detection file includes a second function of a new type, a third accumulated number of network attack data packets hit by the second function in the bypass environment within a second preset time, where the new type is used to characterize that the second function in the attack detection file is newly obtained;
the scene type acquisition module is used for acquiring a scene type corresponding to the second function, and the scene type and the second function have a corresponding relation in advance;
a second preset threshold determining module, configured to determine a corresponding second preset threshold based on the scene type;
The judging module is further configured to determine that the network attack data packet meets a first preset condition when the third accumulated number is smaller than or equal to the second preset threshold.
In some embodiments, the false positive detection module may include:
the network attack data packet judging sub-module is used for judging whether the network attack data packet with the attack character string comprises a preset white feature or not, wherein the preset white feature is used for representing that the network data packet with the attack character string is credible;
a trusted network data packet determining sub-module, configured to determine that the network attack data packet is a trusted network data packet when the network attack data packet in which the attack string is located includes a preset white feature;
and the false alarm determining sub-module is used for determining the attack character string extracted from the trusted network data packet as the false alarm attack character string.
In some embodiments, the false positive detection module may further include:
the unused hit field extraction submodule is used for extracting unused hit fields in the network attack data packet in which the attack string is located, wherein an unused hit field is a field in the network attack data packet that is not hit by the attack detection file;
The outlier attack data packet judging sub-module is used for judging whether any network attack data packet is an outlier attack data packet or not based on the similarity of the unused hit field in any network attack data packet and unused hit fields in all other network attack data packets;
the false alarm determining sub-module is further configured to determine an attack string extracted from an outlier attack data packet as a false alarm attack string when any one of the network attack data packets is the outlier attack data packet.
In some embodiments, the apparatus may further comprise:
the data acquisition module is used for acquiring a test case and an attack detection file to be issued when receiving a bypass issuing instruction, wherein the test case comprises at least one initial test sample, the initial test samples are provided with attribute identifiers, and the attribute identifiers are used for representing that the initial test samples are of a non-attack type or an attack type;
the initial test sample detection module is used for detecting the initial test sample by utilizing the attack detection file to obtain an intercepted initial test sample;
and the bypass environment issuing module is used for issuing the attack detection file to the bypass environment when the attribute identification of the intercepted initial test sample meets a third preset condition.
In some embodiments, the apparatus may further comprise:
the attribute identification setting module is used for setting attribute identifications for the attack strings after false alarm detection, wherein the attribute identifications of the false alarm attack strings are used for representing the attack strings as non-attack types, and the attribute identifications of the non-false alarm attack strings are used for representing the attack strings as attack types;
the target test sample generation module is used for taking each identified attack character string as a supplementary sample and forming a target test sample of the test case together with the initial test sample;
the target test sample testing module is used for detecting the target test sample by utilizing the attack detection file when an online issuing instruction is received and the false alarm detection result meets a second preset condition, so as to obtain an intercepted target test sample;
the online environment publishing module is further configured to execute the step of publishing the attack detection file to the online environment when the attribute identifier of the intercepted target test sample meets a fourth preset condition.
In some embodiments, the apparatus may further comprise:
a fourth accumulated number monitoring module, configured to monitor a fourth accumulated number of network attack data packets intercepted in the online environment within a third preset time;
A fifth accumulated number monitoring module, configured to monitor a fifth accumulated number of network attack data packets detected in the bypass environment during the third preset time;
and the attack detection file offline module is used for offline the attack detection file from the online environment when the absolute value of the difference value between the fourth accumulated number and the fifth accumulated number is larger than or equal to a third preset threshold value.
The present embodiment also provides a computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, at least one program, set of codes, or set of instructions loaded by a processor and performing any of the methods described above in the present embodiment.
The present embodiment also provides a device, see fig. 10 for a block diagram. The device 1200 may vary considerably in configuration or performance, and may include one or more central processing units (CPU) 1222 (e.g., one or more processors) and memory 1232, and one or more storage media 1230 (e.g., one or more mass storage devices) storing applications 1242 or data 1244. The memory 1232 and the storage medium 1230 may be transitory or persistent. The program stored on the storage medium 1230 may include one or more modules (not shown), each of which may include a series of instruction operations in the device. Further, the CPU 1222 may be configured to communicate with the storage medium 1230 and execute the series of instruction operations in the storage medium 1230 on the device 1200. The device 1200 may also include one or more power supplies 1226, one or more wired or wireless network interfaces 1250, one or more input/output interfaces 1258, and/or one or more operating systems 1241, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and the like. Any of the methods described above for this embodiment may be implemented based on the device shown in fig. 10.
The present specification provides method operational steps as described in the examples or flowcharts, but more or fewer operational steps may be included on the basis of conventional or non-inventive labor. The steps and sequences recited in the embodiments are merely one manner of performing the steps and do not exclude other orders of execution. In an actual system or product, the methods illustrated in the embodiments or figures may be performed sequentially or in parallel (e.g., in the context of parallel processors or multi-threaded processing).
The structures shown in this embodiment are only partial structures related to the present application and do not constitute limitations of the apparatus to which the present application is applied, and a specific apparatus may include more or less components than those shown, or may combine some components, or may have different arrangements of components. It should be understood that the methods, apparatuses, etc. disclosed in the embodiments may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, and the division of the modules is merely a division of one logic function, and may be implemented in other manners, such as multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or unit modules.
Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The above embodiments are merely for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (17)

1. A method for issuing an attack detection file, the method comprising:
detecting network traffic data in a bypass environment by using an attack detection file issued to the bypass environment, to obtain at least one network attack data packet, wherein the network attack data packet comprises a network attack pattern that causes a web server to deny service;
when the network attack data packet meets a first preset condition, extracting an attack string in the network attack data packet by using the attack detection file;
extracting a non-hit field in the network attack data packet in which the attack string is located, wherein the non-hit field is a field in the network attack data packet that is not hit by the attack detection file;
determining an outlier attack data packet among the network attack data packets based on the similarity between the non-hit field in any network attack data packet and the non-hit fields in all other network attack data packets;
obtaining a false alarm detection result according to the attack string extracted from the outlier attack data packet; and
when an online issuing instruction is received and the false alarm detection result meets a second preset condition, issuing the attack detection file to an online environment.
2. The issuing method of claim 1, wherein before the step of extracting an attack string in the network attack data packet using the attack detection file when the network attack data packet meets a first preset condition, the method further comprises:
when the attack detection file comprises a first function of a modification type, acquiring a first accumulated number of network attack data packets hit by the first function in the bypass environment within a first preset time, wherein the modification type indicates that the first function in the attack detection file was modified on the basis of an original function;
acquiring a second accumulated number of historical network attack data packets hit by the original function in the bypass environment within the first preset time; and
when the absolute value of the difference between the first accumulated number and the second accumulated number is smaller than or equal to a first preset threshold, determining that the network attack data packet meets the first preset condition.
3. The issuing method of claim 1, wherein before the step of extracting an attack string in the network attack data packet using the attack detection file when the network attack data packet meets a first preset condition, the method further comprises:
when the attack detection file comprises a second function of a new type, acquiring a third accumulated number of network attack data packets hit by the second function in the bypass environment within a second preset time, wherein the new type indicates that the second function in the attack detection file is newly added;
acquiring a scene type corresponding to the second function, wherein a correspondence between the scene type and the second function is established in advance;
determining a corresponding second preset threshold based on the scene type; and
when the third accumulated number is smaller than or equal to the second preset threshold, determining that the network attack data packet meets the first preset condition.
4. The issuing method of claim 1, wherein after the step of extracting the attack string in the network attack data packet using the attack detection file, the method further comprises:
judging whether the network attack data packet in which the attack string is located comprises a preset white feature, wherein the preset white feature indicates that a network data packet containing the attack string is trusted;
if yes, determining the network attack data packet to be a trusted network data packet; and
obtaining the false alarm detection result according to the attack string extracted from the trusted network data packet.
5. The issuing method of claim 1, wherein before the step of detecting network traffic data in a bypass environment using an attack detection file issued to the bypass environment, the method further comprises:
when a bypass issuing instruction is received, acquiring a test case and an attack detection file to be issued, wherein the test case comprises at least one initial test sample, each initial test sample carries an attribute identifier, and the attribute identifier indicates whether the initial test sample is of a non-attack type or an attack type;
detecting the initial test samples by using the attack detection file to obtain intercepted initial test samples; and
when the attribute identifiers of the intercepted initial test samples meet a third preset condition, issuing the attack detection file to the bypass environment.
6. The issuing method of claim 5, wherein before the step of issuing the attack detection file to an online environment, the method further comprises:
setting attribute identifiers for the attack strings after false alarm detection, wherein the attribute identifiers of attack strings that were false alarms indicate that those attack strings are of the non-attack type, and the attribute identifiers of attack strings that were not false alarms indicate that those attack strings are of the attack type;
taking each identified attack string as a supplementary sample and, together with the initial test samples, forming target test samples of the test case;
when an online issuing instruction is received and the false alarm detection result meets a second preset condition, detecting the target test samples by using the attack detection file to obtain intercepted target test samples; and
when the attribute identifiers of the intercepted target test samples meet a fourth preset condition, executing the step of issuing the attack detection file to an online environment.
7. The issuing method of claim 6, wherein taking each identified attack string as a supplementary sample and, together with the initial test samples, forming target test samples of the test case comprises:
performing a similarity comparison between the attack strings;
if the similarity of any two attack strings is greater than or equal to a preset similarity, determining that the two attack strings are similar attack strings;
performing de-duplication on the similar attack strings; and
taking the de-duplicated attack strings as supplementary samples and, together with the initial test samples, forming target test samples of the test case.
8. The issuing method of claim 1, wherein after the step of issuing the attack detection file to the online environment, the method further comprises:
monitoring a fourth accumulated number of network attack data packets intercepted in the online environment within a third preset time;
monitoring a fifth accumulated number of network attack data packets detected in the bypass environment within the third preset time; and
when the absolute value of the difference between the fourth accumulated number and the fifth accumulated number is greater than or equal to a third preset threshold, taking the attack detection file offline from the online environment.
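The bypass-to-online gate of claims 1 to 4 and 8, as an added Python illustration that is not the patent's own code; the token Jaccard similarity, the mean-similarity cut-off, the false alarm scoring, the white feature, the per-scene caps and the sample packets are all constructed assumptions.

```python
"""Staged release gate for a WAF attack-detection file, added as an illustration
of claims 1 to 4 and 8. Every name, threshold and sample packet here is a
constructed assumption, not the patent's own code."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """One request the detection file flagged in the bypass (mirror) environment."""
    hit_fields: dict      # fields matched by the detection file (carry the attack string)
    non_hit_fields: dict  # remaining request fields, not hit by the detection file


def tokens(fields: dict) -> set:
    """Turn field values into 'key=token' items so packets can be compared."""
    return {f"{k}={t}" for k, v in fields.items()
            for t in re.split(r"\W+", v.lower()) if t}


def similarity(a: dict, b: dict) -> float:
    """Jaccard similarity of two non-hit field sets (the metric is an assumption)."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta or tb else 1.0


def find_outliers(packets: list, min_mean_similarity: float = 0.3) -> list:
    """Claim 1: a hit whose non-hit fields look unlike every other hit's non-hit
    fields is an outlier, the first candidate for false alarm review."""
    outliers = []
    for i, p in enumerate(packets):
        sims = [similarity(p.non_hit_fields, q.non_hit_fields)
                for j, q in enumerate(packets) if j != i]
        if sims and sum(sims) / len(sims) < min_mean_similarity:
            outliers.append(i)
    return outliers


def is_trusted(packet: Packet, white_features: dict) -> bool:
    """Claim 4: a preset white feature marks the flagged packet as credible."""
    return any(packet.non_hit_fields.get(k) == v for k, v in white_features.items())


def modified_function_ok(first_count: int, second_count: int, tol: int) -> bool:
    """Claim 2: hits of a modified function must stay close to the original's hits."""
    return abs(first_count - second_count) <= tol


def new_function_ok(third_count: int, scene_type: str, scene_thresholds: dict) -> bool:
    """Claim 3: hits of a newly added function are capped per scene type."""
    return third_count <= scene_thresholds[scene_type]


def false_alarm_rate(packets: list, white_features: dict) -> float:
    """Assumed scoring for the false alarm detection result: outliers and
    white-listed hits count as false alarms; the rate feeds the second condition."""
    suspicious = set(find_outliers(packets))
    suspicious |= {i for i, p in enumerate(packets) if is_trusted(p, white_features)}
    return len(suspicious) / len(packets) if packets else 0.0


def should_take_offline(online_intercepted: int, bypass_detected: int, tol: int) -> bool:
    """Claim 8: online interceptions drifting from bypass detections trigger rollback."""
    return abs(online_intercepted - bypass_detected) >= tol


# Constructed bypass hits: three similar API calls and one unrelated page view.
SAMPLE_HITS = [
    Packet({"query": "RULE_MATCH"}, {"path": "/api/search", "user_agent": "python-requests/2.25", "host": "shop.example"}),
    Packet({"query": "RULE_MATCH"}, {"path": "/api/search", "user_agent": "python-requests/2.25", "host": "shop.example"}),
    Packet({"query": "RULE_MATCH"}, {"path": "/api/search", "user_agent": "python-requests/2.26", "host": "shop.example"}),
    Packet({"query": "RULE_MATCH"}, {"path": "/blog/post", "user_agent": "Mozilla/5.0 Firefox/85.0", "host": "www.example"}),
]
WHITE_FEATURES = {"user_agent": "internal-qa-scanner/1.0"}  # constructed white feature
SCENE_THRESHOLDS = {"login": 20, "search": 200}             # constructed per-scene caps
```

With the sample above the fourth packet is the only outlier, so the false alarm rate that gates the online release is 0.25.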
9. A device for issuing an attack detection file, the device comprising:
a network attack data packet acquisition module, configured to detect network traffic data in a bypass environment by using an attack detection file issued to the bypass environment, to obtain at least one network attack data packet, wherein the network attack data packet comprises a network attack pattern that causes a web server to deny service;
an attack string acquisition module, configured to extract an attack string in the network attack data packet by using the attack detection file when the network attack data packet meets a first preset condition;
a non-hit field extraction module, configured to extract a non-hit field in the network attack data packet in which the attack string is located, wherein the non-hit field is a field in the network attack data packet that is not hit by the attack detection file;
an outlier attack data packet determining module, configured to determine an outlier attack data packet among the network attack data packets based on the similarity between the non-hit field in any network attack data packet and the non-hit fields in all other network attack data packets;
a first false alarm detection result module, configured to obtain a false alarm detection result according to the attack string extracted from the outlier attack data packet; and
an online environment issuing module, configured to issue the attack detection file to an online environment when an online issuing instruction is received and the false alarm detection result meets a second preset condition.
10. The issuing device of claim 9, wherein the device further comprises:
a first accumulated number acquisition module, configured to acquire, when the attack detection file comprises a first function of a modification type, a first accumulated number of network attack data packets hit by the first function in the bypass environment within a first preset time, wherein the modification type indicates that the first function in the attack detection file was modified on the basis of an original function;
a second accumulated number acquisition module, configured to acquire a second accumulated number of historical network attack data packets hit by the original function in the bypass environment within the first preset time; and
a first judging module, configured to determine that the network attack data packet meets the first preset condition when the absolute value of the difference between the first accumulated number and the second accumulated number is smaller than or equal to a first preset threshold.
11. The issuing device of claim 9, wherein the device further comprises:
a third accumulated number acquisition module, configured to acquire, when the attack detection file comprises a second function of a new type, a third accumulated number of network attack data packets hit by the second function in the bypass environment within a second preset time, wherein the new type indicates that the second function in the attack detection file is newly added;
a scene type acquisition module, configured to acquire a scene type corresponding to the second function, wherein a correspondence between the scene type and the second function is established in advance;
a second preset threshold determining module, configured to determine a corresponding second preset threshold based on the scene type; and
a second judging module, configured to determine that the network attack data packet meets the first preset condition when the third accumulated number is smaller than or equal to the second preset threshold.
12. The issuing device of claim 9, wherein the device further comprises:
a network attack data packet judging module, configured to judge whether the network attack data packet in which the attack string is located comprises a preset white feature, wherein the preset white feature indicates that a network data packet containing the attack string is trusted;
a trusted network data packet determining module, configured to determine, if yes, that the network attack data packet is a trusted network data packet; and
a second false alarm detection result module, configured to obtain the false alarm detection result according to the attack string extracted from the trusted network data packet.
13. The issuing device of claim 9, wherein the device further comprises:
a data acquisition module, configured to acquire a test case and an attack detection file to be issued when a bypass issuing instruction is received, wherein the test case comprises at least one initial test sample, each initial test sample carries an attribute identifier, and the attribute identifier indicates whether the initial test sample is of a non-attack type or an attack type;
an initial test sample detection module, configured to detect the initial test samples by using the attack detection file to obtain intercepted initial test samples; and
a bypass environment issuing module, configured to issue the attack detection file to the bypass environment when the attribute identifiers of the intercepted initial test samples meet a third preset condition.
14. The issuing device of claim 13, wherein the device further comprises:
an attribute identifier setting module, configured to set attribute identifiers for the attack strings after false alarm detection, wherein the attribute identifiers of attack strings that were false alarms indicate that those attack strings are of the non-attack type, and the attribute identifiers of attack strings that were not false alarms indicate that those attack strings are of the attack type;
a target test sample generation module, configured to take each identified attack string as a supplementary sample and, together with the initial test samples, form target test samples of the test case; and
a target test sample testing module, configured to detect the target test samples by using the attack detection file when an online issuing instruction is received and the false alarm detection result meets a second preset condition, to obtain intercepted target test samples;
wherein the online environment issuing module is further configured to execute the step of issuing the attack detection file to the online environment when the attribute identifiers of the intercepted target test samples meet a fourth preset condition.
15. The issuing device of claim 14, wherein the target test sample generation module is further configured to:
perform a similarity comparison between the attack strings;
if the similarity of any two attack strings is greater than or equal to a preset similarity, determine that the two attack strings are similar attack strings;
perform de-duplication on the similar attack strings; and
take the de-duplicated attack strings as supplementary samples and, together with the initial test samples, form target test samples of the test case.
16. The issuing device of claim 9, wherein the device further comprises:
a fourth accumulated number monitoring module, configured to monitor a fourth accumulated number of network attack data packets intercepted in the online environment within a third preset time;
a fifth accumulated number monitoring module, configured to monitor a fifth accumulated number of network attack data packets detected in the bypass environment within the third preset time; and
an attack detection file offline module, configured to take the attack detection file offline from the online environment when the absolute value of the difference between the fourth accumulated number and the fifth accumulated number is greater than or equal to a third preset threshold.
17. A computer storage medium storing at least one instruction, at least one program, a code set, or an instruction set, wherein the at least one instruction, at least one program, code set, or instruction set is loaded and executed by a processor to perform the method for issuing an attack detection file according to any one of claims 1 to 8.
CN202110025978.3A 2021-01-08 2021-01-08 Method, device and storage medium for issuing attack detection file Active CN114760083B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110025978.3A CN114760083B (en) 2021-01-08 2021-01-08 Method, device and storage medium for issuing attack detection file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110025978.3A CN114760083B (en) 2021-01-08 2021-01-08 Method, device and storage medium for issuing attack detection file

Publications (2)

Publication Number Publication Date
CN114760083A CN114760083A (en) 2022-07-15
CN114760083B true CN114760083B (en) 2024-04-12

Family

ID=82325695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110025978.3A Active CN114760083B (en) 2021-01-08 2021-01-08 Method, device and storage medium for issuing attack detection file

Country Status (1)

Country Link
CN (1) CN114760083B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116055222B (en) * 2023-03-23 2023-06-16 北京长亭未来科技有限公司 Method and device for preventing attack file from bypassing WAF detection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682315A (en) * 2017-09-05 2018-02-09 杭州迪普科技股份有限公司 A kind of SQL injection attack detecting moade setting method and device
CN111259399A (en) * 2020-04-28 2020-06-09 深圳开源互联网安全技术有限公司 Method and system for dynamically detecting vulnerability attacks for web applications
CN111796857A (en) * 2020-06-30 2020-10-20 苏州三六零智能安全科技有限公司 Hot patch release method, device, equipment and storage medium
CN112131578A (en) * 2020-09-30 2020-12-25 腾讯科技(深圳)有限公司 Method and device for training attack information prediction model, electronic equipment and storage medium
CN112134877A (en) * 2020-09-22 2020-12-25 北京华赛在线科技有限公司 Network threat detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN114760083A (en) 2022-07-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant