CN114978609A - Method and system for interfering web attack - Google Patents


Info

Publication number: CN114978609A
Authority: CN (China)
Prior art keywords: attacker, data, attack, module, internet protocol
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN202210460816.7A
Other languages: Chinese (zh)
Inventors: 王嘉雄, 陈梓亮
Current assignee: Hangzhou Moan Technology Co ltd (assignee list not legally verified by Google)
Original assignee: Hangzhou Moan Technology Co ltd
Application filed by Hangzhou Moan Technology Co ltd
Priority to CN202210460816.7A
Publication of CN114978609A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention, in the technical field of network security, relates to a method and system for interfering with web attacks. The method comprises the following steps: acquiring the communication data of an attacker, constructing a blocking data packet from the communication data, and sending the blocking data packet to the attacker; acquiring the attacker's attack characteristic data and constructing a false success data packet from the attack characteristic data and the communication data; and generating a redirection link, copying the false success data packet into the new resource address of the redirection link, and sending the redirection link to the attacker. The method has the advantage of low interference with normal services and overcomes the limitation that conventional defense mechanisms cannot effectively defend against an attacker's intrusion.

Description

Method and system for interfering web attack
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for interfering web attack.
Background
Current technical solutions for network intrusion detection are numerous, but the small number of genuinely effective attack events is buried in a large volume of probing and scanning, and the mass of data reported by an intrusion detection system is not used effectively.
Current network intrusion detection systems have no flexible means of defense against the attack behaviour they discover. For traditional security equipment the usual defensive strategy is to limit access or block the IP address, but this strategy does not achieve a good defensive effect: on the one hand, an attacker can keep changing IP addresses and devices, so static data cannot be mapped back to a real person and the attacker cannot be constrained effectively; on the other hand, limiting access or blocking IP addresses is likely to cause collateral damage, affecting legitimate users or interfering with the operation of normal services.
Disclosure of Invention
To address the defects of the prior art, the invention provides a method and system for interfering with web attacks that cause little interference with normal services and overcome the limitation that existing defense mechanisms cannot effectively defend against attackers' intrusions.
The technical problem is solved by the following technical scheme:
a method of interfering with a web attack, comprising the steps of:
acquiring communication data between an attacker and an attacked, constructing a blocking data packet according to the communication data, and sending the blocking data packet to the attacked;
acquiring attack characteristic data of an attacker, and constructing a false success data packet according to the attack characteristic data and the communication data;
and generating a redirection link, copying the false successful data packet into a new resource address of the redirection link, and then sending the redirection link to an attacker.
Optionally, constructing a blocking data packet according to the communication data includes the following steps:
generating a reset message, and taking out communication protocol data, an attacker internet protocol address and an attacker port in the communication data;
modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and generating a blocking data packet by the reset message, the communication protocol data, the attacker Internet protocol address, the attacker port, the modified sender Internet protocol address and the modified sender port.
Optionally, constructing a false success data packet according to the attack characteristic data and the communication data, including the following steps:
analyzing the attack intention of an attacker by the attack characteristic data, and generating false attack success data according to the attack intention;
modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and generating a false success data packet by the false attack success data, the modified sender internet protocol address and the modified sender port.
Optionally, the method further comprises the following steps:
generating a rule base and acquiring access characteristic data of an accessor;
comparing whether the access characteristic data exists in the rule base, if so, determining that the visitor is an attacker, and if not, determining that the visitor is not the attacker;
and when the visitor is judged to be the attacker, sending an attacker intrusion prompt to the server.
Optionally, the generating a rule base includes the following steps:
the method comprises the steps of obtaining access paths, access frequencies and carrying parameters of all historical attackers, and combining the access paths, the access frequencies and the carrying parameters to obtain a plurality of groups of expert rules to form a rule base.
A system for interfering with a web attack comprises a first building module, a second building module and a web page switching module;
the first building module is used for obtaining communication data between an attacker and an attacked, constructing a blocking data packet according to the communication data, and sending the blocking data packet to the attacked;
the second building module is used for obtaining attack characteristic data of an attacker and constructing a false success data packet according to the attack characteristic data and the communication data;
and the webpage switching module is used for generating a redirection link, copying the false successful data packet into a new resource address of the redirection link and then sending the redirection link to an attacker.
Optionally, the first building module includes a first data obtaining module, a first modifying module and a first generating module;
the first data acquisition module is used for generating a reset message and extracting communication protocol data, an attacker internet protocol address and an attacker port in the communication data;
the first modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
the first generating module is used for generating a blocking data packet from the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
Optionally, the second building module includes a data analysis module, a second modification module, and a second generation module;
the data analysis module is used for analyzing the attack intention of an attacker by the attack characteristic data and generating false attack success data according to the attack intention;
the second modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and the second generation module is used for generating a false successful data packet by the false attack successful data, the modified sender internet protocol address and the modified sender port.
Optionally, the system further comprises a second data acquisition module, a comparison analysis module and an intrusion warning module;
the second data acquisition module is used for generating a rule base and acquiring access characteristic data of an accessor;
the comparison analysis module is used for comparing whether the access characteristic data exists in the rule base, if so, the visitor is an attacker, and if not, the visitor is not the attacker;
and the intrusion warning module is used for sending an attacker intrusion prompt to the server side when the visitor is judged to be the attacker.
Optionally, the second data obtaining module includes a rule base generating module;
the rule base generation module is used for acquiring access paths, access frequencies and carrying parameters of all historical attackers, and combining the access paths, the access frequencies and the carrying parameters to obtain a plurality of groups of expert rules to form a rule base.
Compared with the prior art, the technical scheme provided by the invention has the following beneficial effects:
The constructed blocking data packet disconnects the communication between the attacker and the web server; after the connection has been cut, sending a redirection link leads the attacker to a resource address specified by the defender, where the attacker obtains the constructed false success data packet, so the attacked web server can continue normal service operation unaffected. At the same time, the false success data packet confuses the attacker into believing the attack was effective, which disturbs the attacker's judgement, consumes the attacker's time and improves the effectiveness of the defense.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flow of an attacker initiating access and a flow of blocking a data packet and sending a redirection link according to a first embodiment of the present invention;
fig. 2 is a flowchart of a method for interfering with a web attack according to an embodiment.
Detailed Description
The present invention will be described in further detail with reference to examples, which are illustrative of the present invention and are not to be construed as being limited thereto.
Example one
As shown in fig. 1 and fig. 2, when an attacker launches an intrusion attack on a server, the access path first passes through a switch, and access to the web server is then realised through the switch; in this application the web server is referred to as the attacked party. The method for interfering with a web attack provided by this embodiment is executed in an interference system and comprises the following steps. First, communication data between the attacker and the attacked is obtained, a blocking data packet is constructed from the communication data, and the blocking data packet is sent to the attacked. Specifically, when the attacker performs intrusion access and sends access data to the switch, the access data in the switch is obtained in bypass monitoring mode, so the attacker's communication data can be extracted from the access data.
Further, constructing a blocking data packet according to the communication data specifically includes the following steps: generating a reset message, and taking out communication protocol data, an attacker internet protocol address and an attacker port in the communication data; modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port; and generating a blocking data packet by the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
Specifically, the blocking data packet must contain a reset message, the attacker's communication address, and the communication protocol data of the current session between the attacker and the web server. The reset message (a TCP RST) is used in the design of TCP to close an abnormal connection: when the attacked receives a blocking data packet containing the reset message, it stops the communication process with the attacker, releases the buffers and discards all TCP state information, so the attack connection is released and communication blocking is achieved.
The communication protocol data includes the acknowledgement number, the sequence number and similar fields. To prevent the blocking data packet from being ignored within the attacker's session, the acknowledgement number and sequence number of the current session must be obtained by traffic mirroring. As a data packet belonging to the attacker's session, the blocking data packet also needs the communication addresses of the attacker and of the attacked, namely the attacker's internet protocol address and port number and the attacked's internet protocol address and port number; the attacker's internet protocol address and port number can likewise be obtained by traffic mirroring.
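The blocking data packet described above, as an added example that is not part of the patent or of the assignee's system: a Python routine that serialises a TCP RST segment carrying the fields the text lists (the attacker's address and port as sender, the attacked web server's address and port as destination, and sequence and acknowledgement numbers taken from the mirrored session) and validates the result by parsing it back and recomputing the checksum. The session values are constructed samples from documentation address ranges and the function names are my own; the code only builds and checks the bytes and does not transmit anything.

```python
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
FLAG_RST = 0x04
FLAG_ACK = 0x10


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's-complement sum of the data, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol, TCP length) covered by the TCP checksum."""
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def build_rst_segment(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                      seq: int, ack: int = 0) -> bytes:
    """Serialise a 20-byte TCP header with RST set (and ACK when an ack number is given)."""
    flags = FLAG_RST | (FLAG_ACK if ack else 0)
    # data offset 5 words (20 bytes, no options); window, checksum and urgent pointer zero
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                         ack & 0xFFFFFFFF, 5 << 4, flags, 0, 0, 0)
    csum = ones_complement_checksum(tcp_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header so the constructed segment can be inspected."""
    fields = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"src_port": fields[0], "dst_port": fields[1], "seq": fields[2], "ack": fields[3],
            "data_offset": fields[4] >> 4, "flags": fields[5], "window": fields[6],
            "checksum": fields[7], "urgent_pointer": fields[8]}


def checksum_is_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to zero together with its pseudo-header."""
    return ones_complement_checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def blocking_packet_for_session(session: dict) -> bytes:
    """Build the blocking data packet from the fields a mirror/bypass tap yields.

    The segment is addressed to the attacked web server with the attacker's address and
    port as sender, as the method describes.  Its sequence number must be the server's
    RCV.NXT, i.e. the acknowledgment number in the server's most recent segment to the
    attacker: under RFC 5961 a RST whose sequence number is merely in-window but not
    exactly RCV.NXT is answered with a challenge ACK and otherwise ignored.
    """
    return build_rst_segment(src_ip=session["attacker_ip"], src_port=session["attacker_port"],
                             dst_ip=session["server_ip"], dst_port=session["server_port"],
                             seq=session["server_rcv_nxt"], ack=session["server_snd_nxt"])


# Constructed sample session, not captured traffic (documentation address ranges).
SAMPLE_SESSION = {
    "attacker_ip": "203.0.113.7", "attacker_port": 51514,
    "server_ip": "192.0.2.10", "server_port": 80,
    "server_rcv_nxt": 0x1A2B3C4D, "server_snd_nxt": 0x0F0E0D0C,
}

if __name__ == "__main__":
    seg = blocking_packet_for_session(SAMPLE_SESSION)
    print(seg.hex())
    print(parse_tcp_header(seg))
    print("checksum ok:", checksum_is_valid(SAMPLE_SESSION["attacker_ip"], SAMPLE_SESSION["server_ip"], seg))
```

The checksum covers the IP pseudo-header, which is why the attacker and server addresses are needed even though this routine produces only the TCP layer; the surrounding IP header carries the same spoofed sender and is built by whatever injection path the interference system uses.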
Further, acquiring attack characteristic data of an attacker, and constructing a false success data packet according to the attack characteristic data and the communication data, specifically, constructing the false success data packet according to the attack characteristic data and the communication data, and the method comprises the following steps: analyzing the attack intention of an attacker by the attack characteristic data, and generating false attack success data according to the attack intention; modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port; and generating a false success data packet by the false attack success data, the modified sender internet protocol address and the modified sender port.
The attack characteristic data of the attacker is obtained in the same way as the communication data: the access data in the switch is obtained in bypass monitoring mode and the attack characteristic data is extracted from it. The attack characteristic data can be understood as malicious payload data, i.e. the special payloads an attacker constructs when attacking, such as malicious code carried in an HTTP request; it comprises the access path, the access frequency, the carried parameters and the like. After the attack characteristic data has been extracted, it is analysed whether the access path is an abnormal path, whether the access frequency matches the access frequency characteristics of an attacker, and whether the carried parameters match the characteristics of an attacker's requests; from this the attacker's intention is summarised and false attack success data is generated.
In addition, so that the false attack success data packet interferes with and confuses the attacker more effectively and misleads the attacker into believing the attack was effective, the sender internet protocol address and sender port in the false attack success data packet are set to the attacked's internet protocol address and port, that is, to the internet protocol address and port number of the web server host. The attacker is thereby led to believe the false attack success data packet was supplied by the web server host, the realism of the false attack success data packet is improved, the attacker stops attacking the web server host, and one round of security defense against the attack is completed.
For example, if the attacker inserts an SQL statement into a query parameter, the attacker is taken to intend an SQL injection attack. More specifically, the type of database the attacker is targeting, such as MySQL or Oracle, can be judged from the characteristics of the statement, and it can be determined whether the injected SQL statement performs an insertion, deletion, modification or query; these factors are combined to construct false attack success data that satisfies the attacker's intention. As another example, when the attacker inserts a command execution statement into a query parameter, the specific command the attacker is executing can be extracted; for instance, when the attacker executes a command that queries the IP address, a corresponding IP address is returned to the attacker.
A redirection link is then generated, the false success data packet is copied into the new resource address of the redirection link, and the redirection link is sent to the attacker; the redirection link is an HTTP redirect.
When the communication between the attacker and the web server is disconnected by sending blocking data packets, sending one or two blocking data packets takes very little time in practice and completes within a few milliseconds, so the attacker is unaware of it; the attacked web server itself holds no false success data packet. A redirection link therefore has to be sent to the attacker so that the attacker still believes it is visiting the attacked web server: after the attack has been blocked, the attacker follows the HTTP redirect to the specified resource address and requests the false success data packet there. The attacker is thus deceived into believing the attack task is complete and does not launch another intrusion attack on the web server.
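To make the intent analysis, the false success data and the redirect concrete, here is an added example in Python that is not the patent's or the assignee's code. It infers the two intents the text names from the carried parameters (SQL injection, with a guess at the database and the operation, and a command execution that queries the IP address), fabricates a matching false success body, publishes it under a fresh decoy resource address, and returns the HTTP 302 redirect that points the blocked attacker at it. The marker lists, the decoy host 192.0.2.20, the `/r/` path prefix and all function names are my own assumptions; the markers are illustrative only, since in the described system the rule base decides what counts as an attack.

```python
import json
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Illustrative markers for the two intents discussed in the text; not a complete detector.
SQLI_MARKERS = re.compile(r"'|--|/\*|\bunion\b|\bor\s+\d+\s*=\s*\d+")
SQL_OPERATIONS = ("insert", "delete", "update", "select")   # addition, deletion, modification, query
DB_HINTS = {"mysql": ("information_schema", "@@version", "sleep("),
            "oracle": ("all_tables", "from dual", "v$version")}
IP_QUERY_COMMANDS = ("ifconfig", "ipconfig", "ip addr", "hostname -i")


def analyse_intent(url: str) -> Optional[dict]:
    """Summarise the attacker's intention from the parameters carried in the request."""
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            low = value.lower()
            if SQLI_MARKERS.search(low):
                op = next((k for k in SQL_OPERATIONS if re.search(rf"\b{k}\b", low)), "select")
                db = next((d for d, hints in DB_HINTS.items() if any(h in low for h in hints)), "unknown")
                return {"kind": "sql_injection", "param": name, "db": db, "operation": op}
            if any(cmd in low for cmd in IP_QUERY_COMMANDS):
                return {"kind": "command_execution", "param": name, "command": "query_ip"}
    return None


def false_success_record(intent: dict) -> dict:
    """Fabricate false attack success data that matches the inferred intent.
    Every value is constructed decoy content, not data from any real host."""
    if intent["kind"] == "sql_injection":
        if intent["operation"] == "select":
            return {"engine": intent["db"],
                    "rows": [{"id": 1, "username": "admin", "password_hash": "decoy-hash-0000"}]}
        return {"engine": intent["db"], "affected_rows": 1}
    return {"stdout": "inet 10.0.0.5 netmask 255.255.255.0"}   # constructed address for an IP query


class DecoyStore:
    """Holds false-success bodies under fresh resource addresses (the 'new resource address')."""

    def __init__(self) -> None:
        self._resources: Dict[str, bytes] = {}

    def publish(self, intent: dict) -> str:
        path = "/r/" + secrets.token_urlsafe(12)
        self._resources[path] = json.dumps(false_success_record(intent)).encode()
        return path

    def get(self, path: str) -> Optional[bytes]:
        return self._resources.get(path)


def http_redirect(location: str) -> bytes:
    """The redirection link sent to the attacker after its session has been blocked."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode()


def http_ok_json(body: bytes) -> bytes:
    """The decoy's answer when the attacker follows the redirect."""
    return (f"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode() + body


def handle_blocked_request(url: str, store: DecoyStore, decoy_host: str) -> Optional[Tuple[bytes, str]]:
    """After blocking: infer the intent, publish the decoy body, return the redirect and its path."""
    intent = analyse_intent(url)
    if intent is None:
        return None
    path = store.publish(intent)
    return http_redirect(f"http://{decoy_host}{path}"), path


if __name__ == "__main__":
    store = DecoyStore()
    # Constructed sample request carrying an injected statement in the 'id' parameter.
    sample = "http://192.0.2.10/item?id=1%27%20UNION%20SELECT%20user%2Cpass%20FROM%20information_schema.tables--"
    redirect, path = handle_blocked_request(sample, store, "192.0.2.20")
    print(redirect.decode())
    print(http_ok_json(store.get(path)).decode())
```

Each decoy address is single-use and random, so the false success body is only ever served to the session it was generated for, and logging the `path` together with the blocked session ties the attacker's follow-up request back to the original event.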
The method of interfering with a web attack further comprises the following steps: generating a rule base and acquiring the access characteristic data of a visitor; comparing whether the access characteristic data exists in the rule base; if it does, the visitor is an attacker, and if not, the visitor is not an attacker. To interfere with an attacker's intrusion attack, the first task is to identify whether a visitor is an attacker, so a rule base must first be generated in order to identify attackers accurately. This specifically comprises: acquiring the access paths, access frequencies and carried parameters of all historical attackers, and combining these to obtain several groups of expert rules that form the rule base. For example, an attacker who wants to obtain personal identity data from the server host may send requests carrying identity-extraction parameters to the same path at a certain frequency until the required data is obtained; the sending frequency and the requests sent may vary, and access characteristic data obtained from such traffic can be judged to belong to an attacker. The rule base thus contains the sum of the access characteristics that mark access characteristic data as an attacker's, i.e. a summary of the different access characteristic data attackers use when exploiting different vulnerabilities.
In another aspect, the method further comprises: when the visitor is judged to be an attacker, sending an attacker intrusion prompt to the server side, thereby informing the server-side staff of the current attacker intrusion and of the interference and blocking result, so that the staff can record the current intrusion event.
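The rule base and the visitor comparison of the two paragraphs above, together with the intrusion prompt, as an added example written for this page and not taken from the patent: it reduces each visitor's requests to the three features the text names (access path, access frequency as requests per second on that path, and the carried parameter names), combines those features from constructed historical-attacker traffic into expert rules, and classifies new visitors by matching their features against the rules. The record layout, the thresholds, the sample traffic and the function names are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class AccessRecord:
    ts: float          # seconds
    client_ip: str
    url: str


@dataclass(frozen=True)
class ExpertRule:
    path: str
    param_names: frozenset   # parameter names the historical attacker's requests carried
    min_rate: float          # requests per second to that path observed for that attacker


def access_features(records: Iterable[AccessRecord]) -> Dict[str, tuple]:
    """Per path: (set of carried parameter names, request rate) for one visitor."""
    by_path = defaultdict(list)
    for rec in records:
        parts = urlsplit(rec.url)
        by_path[parts.path].append((rec.ts, frozenset(parse_qs(parts.query, keep_blank_values=True))))
    features = {}
    for path, hits in by_path.items():
        times = sorted(t for t, _ in hits)
        span = max(times[-1] - times[0], 1.0)      # floor of 1 s so a lone request rates at most 1 req/s
        names = frozenset().union(*(n for _, n in hits))
        features[path] = (names, len(times) / span)
    return features


def build_rule_base(historical: Dict[str, List[AccessRecord]]) -> List[ExpertRule]:
    """Combine path, frequency and parameters of every historical attacker into expert rules."""
    rules: Dict[tuple, float] = {}
    for _attacker, recs in historical.items():
        for path, (names, rate) in access_features(recs).items():
            key = (path, names)
            # keep the lowest rate seen for this path/parameter combination so the rule stays inclusive
            rules[key] = min(rate, rules.get(key, rate))
    return [ExpertRule(path, names, rate) for (path, names), rate in rules.items()]


def match_rule(records: List[AccessRecord], rule_base: List[ExpertRule]) -> Optional[ExpertRule]:
    """Return the first rule whose path, parameters and rate the visitor's features satisfy."""
    for path, (names, rate) in access_features(records).items():
        for rule in rule_base:
            if rule.path == path and rule.param_names <= names and rate >= rule.min_rate:
                return rule
    return None


def classify_visitor(records: List[AccessRecord], rule_base: List[ExpertRule]) -> str:
    return "attacker" if match_rule(records, rule_base) else "not attacker"


def intrusion_prompt(records: List[AccessRecord], rule: ExpertRule, blocked: bool) -> dict:
    """The attacker intrusion prompt delivered to the server-side staff."""
    return {"event": "attacker intrusion", "client_ip": records[0].client_ip, "path": rule.path,
            "parameters": sorted(rule.param_names), "interference_blocked": blocked}


def _burst(ip: str, url_fmt: str, count: int, interval: float) -> List[AccessRecord]:
    return [AccessRecord(i * interval, ip, url_fmt.format(i=i)) for i in range(count)]


# Constructed sample traffic (documentation address ranges), not captured data.
HISTORICAL_ATTACKERS = {
    "incident-A": _burst("198.51.100.4", "/api/user/export?uid={i}&fields=idcard", 10, 1.0),
}
RULE_BASE = build_rule_base(HISTORICAL_ATTACKERS)

SUSPECT = _burst("203.0.113.7", "/api/user/export?uid={i}&fields=idcard&token=x", 12, 0.5)
REGULAR_USER = [AccessRecord(0.0, "192.0.2.55", "/api/user/export?uid=7&fields=idcard"),
                AccessRecord(30.0, "192.0.2.55", "/api/user/export?uid=7&fields=idcard")]

if __name__ == "__main__":
    print(RULE_BASE)
    for label, visitor in (("suspect", SUSPECT), ("regular user", REGULAR_USER)):
        verdict = classify_visitor(visitor, RULE_BASE)
        print(label, "->", verdict)
        if verdict == "attacker":
            print(intrusion_prompt(visitor, match_rule(visitor, RULE_BASE), blocked=True))
```

The regular user hits the same path with the same parameters as the historical attacker but far below the recorded rate, which is what keeps the rule from causing the collateral damage the background section attributes to plain IP blocking; the rate floor and the "lowest rate seen" choice are the two knobs that trade recall against that false-positive risk.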
Example two
When an attacker launches an intrusion attack on a server, the access path first passes through a switch and access to the web server is then realised through the switch; the web server is the attacked party. This embodiment therefore provides a system for interfering with web attacks, comprising a first building module, a second building module and a web page switching module. The first building module obtains communication data between the attacker and the attacked, constructs a blocking data packet from the communication data and sends the blocking data packet to the attacked; specifically, when the attacker performs intrusion access and sends access data to the switch, the first building module obtains the access data in the switch in bypass interception mode, so the attacker's communication data can be extracted from the access data.
Further, the first building module comprises a first data acquisition module, a first modification module and a first generation module; the first data acquisition module is used for generating a reset message and extracting communication protocol data, an attacker Internet protocol address and an attacker port in the communication data; the first modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port; the first generating module is used for generating a blocking data packet from the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
Specifically, the blocking data packet must contain a reset message, the attacker's communication address, and the communication protocol data of the current session between the attacker and the web server. The reset message (a TCP RST) is used in the design of TCP to close an abnormal connection: when the attacked receives a blocking data packet containing the reset message, it stops the communication process with the attacker, releases the buffers and discards all TCP state information, so the attack connection is released and communication blocking is achieved.
The communication protocol data includes the acknowledgement number, the sequence number and similar fields. To prevent the blocking data packet from being ignored within the attacker's session, the acknowledgement number and sequence number of the current session must be obtained by traffic mirroring. As a data packet belonging to the attacker's session, the blocking data packet also needs the communication addresses of the attacker and of the attacked, namely the attacker's internet protocol address and port number and the attacked's internet protocol address and port number; the attacker's internet protocol address and port number can likewise be obtained by traffic mirroring.
Further, the second building module is used for obtaining attack characteristic data of an attacker and constructing a false success data packet according to the attack characteristic data and the communication data, and specifically, the second building module comprises a data analysis module, a second modification module and a second generation module; the data analysis module is used for analyzing the attack intention of an attacker according to the attack characteristic data and generating false attack success data according to the attack intention; the second modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port; and the second generation module is used for generating a false successful data packet by the false attack successful data, the modified sender internet protocol address and the modified sender port.
The attack characteristic data of the attacker is obtained in the same way as the communication data: the access data in the switch is obtained in bypass monitoring mode and the attack characteristic data is extracted from it. The attack characteristic data can be understood as malicious payload data, i.e. the special payloads an attacker constructs when attacking, such as malicious code carried in an HTTP request; it comprises the access path, the access frequency, the carried parameters and the like. After the attack characteristic data has been extracted, it is analysed whether the access path is an abnormal path, whether the access frequency matches the access frequency characteristics of an attacker, and whether the carried parameters match the characteristics of an attacker's requests; from this the attacker's intention is summarised and false attack success data is generated.
In addition, so that the false attack success data packet interferes with and confuses the attacker more effectively and misleads the attacker into believing the attack was effective, the sender internet protocol address and sender port in the false attack success data packet are set to the attacked's internet protocol address and port, that is, to the internet protocol address and port number of the web server host. The attacker is thereby led to believe the false attack success data packet was supplied by the web server host, the realism of the false attack success data packet is improved, the attacker stops attacking the web server host, and one round of security defense against the attack is completed.
For example, if the attacker inserts an SQL statement into a query parameter, the attacker may be taken to intend an SQL injection attack. More specifically, the type of database the attacker is targeting, such as MySQL or Oracle, may be determined from the characteristics of the statement, and it may be determined whether the injected SQL statement performs an insertion, deletion, modification or query; these factors are combined to construct false attack success data that satisfies the attacker's intention. As another example, when the attacker inserts an instruction execution statement into a query parameter, the specific instruction the attacker is executing may be extracted; for instance, when the attacker executes an instruction that queries the IP address, a corresponding IP address is returned to the attacker.
The web page switching module generates a redirection link, copies the false success data packet into the new resource address of the redirection link and then sends the redirection link to the attacker; the redirection link is an HTTP redirect.
When the communication between the attacker and the web server is disconnected by sending blocking data packets, sending one or two blocking data packets takes very little time in practice and completes within a few milliseconds, so the attacker is unaware of it; the attacked web server itself holds no false success data packet. A redirection link therefore has to be sent to the attacker so that the attacker still believes it is visiting the attacked web server: after the attack has been blocked, the attacker follows the HTTP redirect to the specified resource address and requests the false success data packet there. The attacker is thus deceived into believing the attack task is complete and does not launch another intrusion attack on the web server.
The system for interfering web attack further comprises a second data acquisition module and a comparison analysis module; the second data acquisition module is used for generating a rule base and acquiring access characteristic data of an accessor; the comparison analysis module is used for comparing whether the access characteristic data exists in the rule base, if so, the visitor is an attacker, if not, the visitor is not an attacker, and the intrusion attack is carried out on the interference attacker, the first task is to identify whether the visitor is the attacker, therefore, the rule base needs to be generated firstly aiming at how to accurately identify the attacker, therefore, the second data acquisition module comprises the rule base generation module which is used for acquiring the access paths, the access frequencies and the carrying parameters of all historical attackers, and combining the access paths, the access frequencies and the carrying parameters to obtain a plurality of groups of expert rules and form the rule base, for example, a certain attacker needs to access a web server to acquire personal identity data in the server host, and at the moment, the attacker can carry out a request with identity information extraction parameters at a certain frequency aiming at the same path, until the required data information is obtained, the sending frequency may be different, and the sending request may also be different, the access characteristic data obtained from such traffic transmission may be determined to be an attacker, and the rule base includes a plurality of sets of access characteristic data that can reflect that the access characteristic data is the sum of access characteristics belonging to the attacker, that is, different access characteristic data used by the attacker when using different vulnerabilities are summarized.
On the other hand, the system for interfering with web attacks further comprises an intrusion warning module, which sends an attacker intrusion prompt to the server when the visitor is judged to be an attacker. The server is thereby informed of the current attacker intrusion and of the client's interference blocking result, and the client can conveniently record the current intrusion event.
It should be noted that the above description is only an embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A method of disrupting a web attack, comprising the steps of:
acquiring communication data between an attacker and an attacked, constructing a blocking data packet according to the communication data, and sending the blocking data packet to the attacked;
acquiring attack characteristic data of an attacker, and constructing a false success data packet according to the attack characteristic data and the communication data;
and generating a redirection link, copying the false successful data packet into a new resource address of the redirection link, and then sending the redirection link to an attacker.
2. The method of claim 1, wherein constructing a blocking packet according to the communication data comprises:
generating a reset message, and taking out communication protocol data, an attacker internet protocol address and an attacker port in the communication data;
modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and generating a blocking data packet by the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
3. The method of claim 1, wherein constructing false success packets according to the attack characteristic data and the communication data comprises the following steps:
analyzing the attack intention of an attacker by the attack characteristic data, and generating false attack success data according to the attack intention;
modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and generating a false success data packet by the false attack success data, the modified sender internet protocol address and the modified sender port.
4. The method of interfering with web attacks according to claim 1, further comprising the steps of:
generating a rule base and acquiring access characteristic data of an accessor;
comparing whether the access characteristic data exists in the rule base, if so, determining that the visitor is an attacker, and if not, determining that the visitor is not the attacker;
and when the visitor is judged to be the attacker, sending an attacker intrusion prompt to the server.
5. The method of claim 4, wherein the generating the rule base comprises the following steps:
the method comprises the steps of obtaining access paths, access frequencies and carrying parameters of all historical attackers, and combining the access paths, the access frequencies and the carrying parameters to obtain a plurality of groups of expert rules to form a rule base.
6. A system for interfering web attack is characterized by comprising a first building module, a second building module and a webpage switching module;
the first building module is used for obtaining communication data between an attacker and an attacked, constructing a blocking data packet according to the communication data, and sending the blocking data packet to the attacked;
the second building module is used for obtaining attack characteristic data of an attacker and constructing a false success data packet according to the attack characteristic data and the communication data;
and the webpage switching module is used for generating a redirection link, copying the false successful data packet into a new resource address of the redirection link and then sending the redirection link to an attacker.
7. The system for interfering with web attacks according to claim 6, wherein the first building module comprises a first data obtaining module, a first modifying module and a first generating module;
the first data acquisition module is used for generating a reset message and extracting communication protocol data, an attacker internet protocol address and an attacker port in the communication data;
the first modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
the first generating module is used for generating a blocking data packet from the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
8. The system for interfering with web attacks of claim 6, wherein the second building module comprises a data analysis module, a second modification module, and a second generation module;
the data analysis module is used for analyzing the attack intention of an attacker by the attack characteristic data and generating false attack success data according to the attack intention;
the second modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and the second generation module is used for generating a false successful data packet by the false attack successful data, the modified sender internet protocol address and the modified sender port.
9. The system for interfering with web attacks of claim 6, further comprising a second data acquisition module, a comparison analysis module, and an intrusion alert module;
the second data acquisition module is used for generating a rule base and acquiring access characteristic data of an accessor;
the comparison analysis module is used for comparing whether the access characteristic data exists in the rule base, if so, the visitor is an attacker, and if not, the visitor is not the attacker;
and the intrusion warning module is used for sending an attacker intrusion prompt to the server side when the visitor is judged to be the attacker.
10. The system for interfering with web attacks of claim 9, wherein the second data acquisition module comprises a rule base generation module;
the rule base generation module is used for acquiring access paths, access frequencies and carrying parameters of all historical attackers, and combining the access paths, the access frequencies and the carrying parameters to obtain a plurality of groups of expert rules to form a rule base.
CN202210460816.7A 2022-04-28 2022-04-28 Method and system for interfering web attack Pending CN114978609A (en)

Publications (1)

Publication Number Publication Date
CN114978609A true CN114978609A (en) 2022-08-30

Family

ID=82980205


Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: 1st Floor, Building 3, No. 2616, Yuhangtang Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province, 311100

Applicant after: HANGZHOU MOAN TECHNOLOGY CO.,LTD.

Address before: 311100 10th floor, Block E, building 1, 1378 Wenyi West Road, Cangqian street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant before: HANGZHOU MOAN TECHNOLOGY CO.,LTD.

SE01 Entry into force of request for substantive examination