CN114978609A - Method and system for interfering web attack - Google Patents
- Publication number: CN114978609A (application CN202210460816.7A)
- Authority: CN (China)
- Prior art keywords
- attacker
- data
- attack
- module
- internet protocol
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a method and a system for interfering with a web attack, in the technical field of network security. The method comprises: acquiring the communication data between an attacker and the attacked party, constructing a blocking data packet from the communication data, and sending the blocking data packet to the attacked party; acquiring the attacker's attack characteristic data and constructing a false success data packet from the attack characteristic data and the communication data; and generating a redirection link, placing the false success data packet at the new resource address the redirection link points to, and sending the redirection link to the attacker. The method has the advantage of low interference with normal services and addresses the limitation that conventional defense mechanisms cannot effectively defend against an attacker's intrusion.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for interfering web attack.
Background
Many technical solutions exist for network intrusion detection, but the small number of effective attack events is submerged in a large volume of probing and scanning, and the mass of data reported by an intrusion detection system is not effectively used.
Current network intrusion detection systems have no flexible defense means for the attack behaviour they discover. For traditional security equipment the usual defense strategy is to limit access or block the IP address, but this does not achieve a good defensive effect: on one hand, the attacker can keep changing IP addresses and devices, the blocked data cannot be mapped to a real person, and the attacker is not effectively restricted; on the other hand, limiting access or blocking an IP address is likely to cause collateral damage, affecting legitimate users or interfering with the operation of normal services.
Disclosure of Invention
In view of the defects in the prior art, the invention provides a method and a system for interfering with a web attack, which have the advantage of low interference with normal services and address the limitation that existing defense mechanisms cannot effectively defend against an attacker's intrusion.
The technical problem is solved by the following technical scheme:
A method of interfering with a web attack, comprising the steps of:
acquiring communication data between an attacker and the attacked party, constructing a blocking data packet from the communication data, and sending the blocking data packet to the attacked party;
acquiring attack characteristic data of the attacker, and constructing a false success data packet from the attack characteristic data and the communication data;
and generating a redirection link, placing the false success data packet at the new resource address of the redirection link, and then sending the redirection link to the attacker.
Optionally, constructing a blocking data packet according to the communication data includes the following steps:
generating a reset message, and extracting the communication protocol data, the attacker internet protocol address and the attacker port from the communication data;
modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and generating a blocking data packet by the reset message, the communication protocol data, the attacker Internet protocol address, the attacker port, the modified sender Internet protocol address and the modified sender port.
Optionally, constructing a false success data packet from the attack characteristic data and the communication data includes the following steps:
analyzing the attacker's attack intention from the attack characteristic data, and generating false attack success data according to that intention;
modifying the sender internet protocol address and the sender port into the attacked party's internet protocol address and port (those of the web server host);
and generating the false success data packet from the false attack success data, the modified sender internet protocol address and the modified sender port.
Optionally, the method further comprises the following steps:
generating a rule base and acquiring the access characteristic data of a visitor;
comparing whether the access characteristic data exists in the rule base; if so, the visitor is determined to be an attacker, and if not, the visitor is determined not to be an attacker;
and when the visitor is judged to be the attacker, sending an attacker intrusion prompt to the server.
Optionally, the generating a rule base includes the following steps:
acquiring the access paths, access frequencies and carried parameters of all historical attackers, and combining these to obtain several groups of expert rules that form the rule base.
A system for interfering web attack comprises a first building module, a second building module and a web page switching module;
the first building module is used for obtaining communication data between an attacker and the attacked party, constructing a blocking data packet from the communication data, and sending the blocking data packet to the attacked party;
the second building module is used for obtaining attack characteristic data of an attacker and constructing a false success data packet according to the attack characteristic data and the communication data;
and the webpage switching module is used for generating a redirection link, copying the false successful data packet into a new resource address of the redirection link and then sending the redirection link to an attacker.
Optionally, the first building module includes a first data obtaining module, a first modifying module and a first generating module;
the first data acquisition module is used for generating a reset message and extracting communication protocol data, an attacker internet protocol address and an attacker port in the communication data;
the first modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
the first generating module is used for generating a blocking data packet from the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
Optionally, the second building module includes a data analysis module, a second modification module, and a second generation module;
the data analysis module is used for analyzing the attack intention of an attacker by the attack characteristic data and generating false attack success data according to the attack intention;
the second modification module is used for modifying the sender internet protocol address and the sender port into the attacked party's internet protocol address and port (those of the web server host);
and the second generation module is used for generating a false successful data packet by the false attack successful data, the modified sender internet protocol address and the modified sender port.
Optionally, the system further comprises a second data acquisition module, a comparison analysis module and an intrusion warning module;
the second data acquisition module is used for generating a rule base and acquiring the access characteristic data of a visitor;
the comparison analysis module is used for comparing whether the access characteristic data exists in the rule base, if so, the visitor is an attacker, and if not, the visitor is not the attacker;
and the intrusion warning module is used for sending an attacker intrusion prompt to the server side when the visitor is judged to be the attacker.
Optionally, the second data obtaining module includes a rule base generating module;
the rule base generation module is used for acquiring the access paths, access frequencies and carried parameters of all historical attackers, and combining these to obtain several groups of expert rules that form the rule base.
Compared with the prior art, the technical scheme provided by the invention has the following beneficial effects:
The constructed blocking data packet disconnects the communication between the attacker and the web server; after the connection has been cut, the redirection link sent to the attacker leads the attacker to a resource address chosen by the defender, where the constructed false success data packet is obtained, so the attacked web server continues normal service operation unaffected. At the same time the false success data packet misleads the attacker into believing the attack was effective, which disturbs the attacker's judgement and consumes the attacker's time, improving the effectiveness of the defense.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 shows the flow of an attacker initiating access, and the flow of sending the blocking data packet and the redirection link, according to the first embodiment of the present invention;
fig. 2 is a flowchart of a method for interfering with a web attack according to an embodiment.
Detailed Description
The present invention will be described in further detail with reference to examples, which are illustrative of the present invention and are not to be construed as being limited thereto.
Example one
As shown in fig. 1 and fig. 2, when an attacker launches an intrusion attack on a server, the access path first passes through a switch, and the switch then carries the access to the web server; the web server is the attacked party in this application. The method for interfering with a web attack provided by this embodiment runs in an interference system and comprises the following steps. First, communication data between the attacker and the attacked party is acquired, a blocking data packet is constructed from the communication data, and the blocking data packet is sent to the attacked party. Specifically, when the attacker performs intrusion access and sends access data to the switch, the access data is obtained from the switch in bypass (out-of-band) monitoring mode, and the attacker's communication data is extracted from it.
Further, constructing the blocking data packet from the communication data specifically includes the following steps: generating a reset message, and extracting the communication protocol data, the attacker internet protocol address and the attacker port from the communication data; modifying the sender internet protocol address and the sender port into the attacker internet protocol address and the attacker port; and generating the blocking data packet from the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
Specifically, the blocking data packet needs to contain a reset message, the communication addresses of the attacker and the attacked party, and the communication protocol data of the current session between the attacker and the web server. The reset message is the TCP RST segment, which TCP uses to close an abnormal connection: when the attacked party receives the blocking data packet carrying the reset flag, it stops the communication process with the attacker, releases the buffers and discards all TCP state for the connection, i.e. the attack connection is released and communication blocking is achieved.
The communication protocol data includes the acknowledgement number, the sequence number and so on. For the blocking data packet not to be ignored within the attacker's session, the acknowledgement number and sequence number of the current session must be obtained through traffic mirroring. As a packet injected into the attacker's session, the blocking data packet also needs the communication addresses of the attacker and the attacked party, namely the attacker's internet protocol address and port number and the attacked party's internet protocol address and port number; both can be obtained through traffic mirroring. A receiving host accepts a RST only if its sequence number falls inside the current receive window (RFC 793), and hosts implementing RFC 5961 require it to equal the next expected sequence number exactly, otherwise they answer with a challenge ACK; a blocking packet built from stale or guessed numbers is therefore dropped, which is why the mirrored session values are needed.
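The blocking-packet construction described above, as an added example that is not the patent's own code: it parses a mirrored attacker-to-server segment for the "communication data" (addresses, ports, sequence and acknowledgement numbers), then forges the RST toward the web server with the attacker's address and port as source and a sequence number that continues the attacker's stream. The sample segment is constructed inline with RFC 5737 documentation addresses; actually transmitting the result would need a raw socket with IP_HDRINCL and the privileges that implies, which this file deliberately does not do.

```python
"""Build a spoofed TCP RST ("blocking data packet") from a mirrored attacker->server segment.

Added example, not the patent's code. Sample addresses/ports/sequence numbers are constructed.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload=b""):
    """Assemble an IPv4/TCP packet (no options) with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      (5 << 12) | flags, 0, 0, 0) + payload
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]   # TCP checksum at offset 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]                 # IP checksum at offset 10
    return ip + tcp


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Extract the 'communication data': addresses, ports, seq/ack, flags and payload length."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = frame[ihl:total_len]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src_ip": socket.inet_ntoa(frame[12:16]), "dst_ip": socket.inet_ntoa(frame[16:20]),
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload_len": len(tcp) - data_off,
    }


def checksums_valid(frame: bytes) -> bool:
    """Receiver-side check: a correct one's-complement checksum re-sums to zero."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    tcp = frame[ihl:total_len]
    pseudo = frame[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(frame[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def build_blocking_packet(mirrored: bytes) -> bytes:
    """Forge the RST the server will accept: source = attacker, destination = server,
    SEQ = attacker's next sequence number, ACK = attacker's last acknowledgement number."""
    p = parse_ipv4_tcp(mirrored)
    next_seq = p["seq"] + p["payload_len"] + (1 if p["flags"] & (TCP_SYN | TCP_FIN) else 0)
    return build_ipv4_tcp(p["src_ip"], p["dst_ip"], p["src_port"], p["dst_port"],
                          next_seq & 0xFFFFFFFF, p["ack"], TCP_RST | TCP_ACK)


# Constructed sample: one mirrored attacker->server request segment (documentation addresses).
ATTACK_PAYLOAD = b"GET /item?id=1' OR 1=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"
MIRRORED_SEGMENT = build_ipv4_tcp("198.51.100.23", "192.0.2.10", 51514, 80,
                                  1000, 5000, TCP_PSH | TCP_ACK, ATTACK_PAYLOAD)

if __name__ == "__main__":
    rst = build_blocking_packet(MIRRORED_SEGMENT)
    print(parse_ipv4_tcp(rst), checksums_valid(rst))
```

The RST carries the attacker's next sequence number (last SEQ plus payload length, plus one for a SYN or FIN), which is what an RFC 5961 host compares against its RCV.NXT; the server's own address and port are untouched, so only the server-side state is torn down and the attacker's socket is left open for the redirect step.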
Further, the attacker's attack characteristic data is acquired and a false success data packet is constructed from the attack characteristic data and the communication data. Specifically, this comprises: analyzing the attacker's attack intention from the attack characteristic data and generating false attack success data according to that intention; modifying the sender internet protocol address and the sender port into the attacked party's internet protocol address and port; and generating the false success data packet from the false attack success data, the modified sender internet protocol address and the modified sender port.
The attacker's attack characteristic data is obtained in the same way as the communication data: the access data is obtained from the switch in bypass monitoring mode and the attack characteristic data is extracted from it. Attack characteristic data can be understood as malicious payload data, i.e. the special payload an attacker constructs for the attack, such as malicious code carried in an HTTP request; it includes the access path, the access frequency, the carried parameters and so on. After extraction, it is analyzed whether the access path is abnormal, whether the access frequency matches the frequency characteristics of an attacker, and whether the carried parameters match the characteristics of an attack request, so that the attacker's intention is summarized and false attack success data is generated.
In addition, so that the false success data packet better confuses the attacker and misleads the attacker into believing the attack was effective, the sender internet protocol address and sender port in the false success data packet are modified into the attacked party's address and port, that is, into the internet protocol address and port number of the web server host. The attacker then mistakes the false success data packet for a response from the web server host, the realism of the false success data packet is improved, and the attacker stops attacking the web server host, achieving a complete defense against this attack.
For example, if the attacker inserts an SQL statement into a query parameter, the attacker is taken to intend an SQL injection attack. More specifically, the type of database targeted, such as MySQL or Oracle, can be judged from the statement's characteristics, as can whether the injected SQL statement performs an insert, delete, update or select; these factors are combined to construct false attack success data that satisfies the attacker's intention. As another example, when the attacker inserts a command execution statement into a query parameter, the specific command the attacker wants executed can be extracted; when that command queries the IP address, a plausible IP address is returned to the attacker.
A redirection link is then generated, the false success data packet is placed at the new resource address of the redirection link, and the redirection link is sent to the attacker; the redirection link is an HTTP redirect.
When the communication between the attacker and the web server is cut by the blocking data packets, sending the one or two blocking packets takes only a few milliseconds and the attacker is unaware of it, but the attacked web server holds no false success data packet. A redirection link therefore needs to be sent to the attacker so that the attacker still believes it is visiting the attacked web server: after the attack has been blocked, the HTTP redirect makes the attacker jump to the specified resource address and request the false success data packet there, so the attacker is misled into thinking the attack task is complete and does not launch another intrusion attack against the web server.
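The intent analysis, false-success generation and redirect link from the preceding paragraphs, as one added example that is not the patent's own code: it classifies a mirrored request line as SQL injection (with a guess at the dialect and the operation) or command execution, fabricates a matching "success" body, parks that body under a decoy URL and returns the HTTP 302 that sends the attacker there. The decoy host `decoy.example`, the keyword lists used by the classifier and the fabricated result rows are assumptions made for the example.

```python
"""Intent classification, false-success data and redirect link for a blocked web attack.

Added example, not the patent's code. decoy.example, the keyword lists and the fake rows are assumed.
"""
import json
import re
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

CMD_RE = re.compile(r"(?:^|[;&|`$(\s])\s*(ipconfig|ifconfig|whoami|id|uname|hostname)\b")
SQLI_RE = re.compile(r"['\"]\s*(or|and|union)\b|\bunion\s+select\b|--(\s|$)")
ORACLE_RE = re.compile(r"\bdual\b|\ball_tables\b|\butl_\w+|\brownum\b")
MYSQL_RE = re.compile(r"information_schema|@@version|\bsleep\(|\bbenchmark\(|#\s*$")
SQL_OP_RE = re.compile(r"\b(select|insert|update|delete|drop)\b")
SQL_OPS = {"select": "query", "insert": "add", "update": "modify", "delete": "delete", "drop": "delete"}

DECOY_STORE: Dict[str, bytes] = {}   # token -> false success body served at the decoy address


def classify_intent(request_line: str) -> dict:
    """Map one request line ("GET /path?query HTTP/1.1") to the attacker's apparent intent."""
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    for name, value in params.items():
        low = value.lower()
        m = CMD_RE.search(low)
        if m:                                   # shell metacharacter followed by a known command
            return {"kind": "command_execution", "command": m.group(1), "param": name}
        if SQLI_RE.search(low):                 # quote + boolean/union, UNION SELECT, or comment tail
            dialect = "oracle" if ORACLE_RE.search(low) else "mysql" if MYSQL_RE.search(low) else "generic"
            op = SQL_OP_RE.search(low)
            return {"kind": "sql_injection", "dialect": dialect,
                    "operation": SQL_OPS[op.group(1)] if op else "query", "param": name}
    return {"kind": "unknown", "path": url.path}


def fake_success_body(intent: dict) -> bytes:
    """Construct decoy 'attack succeeded' content that fits the inferred intent (all values fabricated)."""
    if intent["kind"] == "command_execution":
        outputs = {"ipconfig": "IPv4 Address. . . . . . . . . . . : 192.0.2.10",
                   "ifconfig": "eth0: inet 192.0.2.10 netmask 255.255.255.0",
                   "whoami": "www-data", "id": "uid=33(www-data) gid=33(www-data)",
                   "uname": "Linux", "hostname": "web-01"}
        return outputs[intent["command"]].encode() + b"\n"
    if intent["kind"] == "sql_injection":
        body = {"status": "ok", "dialect": intent["dialect"], "operation": intent["operation"]}
        if intent["operation"] == "query":
            body["rows"] = [{"id": 1, "username": "admin", "email": "admin@shop.example"}]
        else:
            body["affected_rows"] = 1
        return json.dumps(body).encode()
    return b"OK"


def build_redirect(intent: dict, decoy_base: str = "http://decoy.example") -> Tuple[str, bytes]:
    """Store the decoy body under a fresh token and return (token, raw HTTP 302 response bytes)."""
    token = secrets.token_hex(8)
    DECOY_STORE[token] = fake_success_body(intent)
    location = f"{decoy_base}/r/{token}"
    return token, (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
                   f"Content-Length: 0\r\nConnection: close\r\n\r\n").encode()


def decoy_response(token: str) -> bytes:
    """What the decoy resource answers when the redirected attacker fetches it."""
    body = DECOY_STORE.get(token)
    if body is None:
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    ctype = b"application/json" if body.startswith(b"{") else b"text/plain"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    intent = classify_intent("GET /item?id=1%27%20UNION%20SELECT%20username,email%20FROM%20users--%20 HTTP/1.1")
    token, redirect = build_redirect(intent)
    print(intent, redirect, decoy_response(token), sep="\n")
```

The 302 bytes are what the defender injects into the attacker's still-open socket with the web server's address and port as source, which needs the session's sequence and acknowledgement numbers just as the blocking packet does. Two practical caveats: the RST must reach the server before it answers the request, otherwise the attacker receives the real response as well as the decoy; and the decoy host must be reachable from the attacker, since a redirect to an unreachable address tells the attacker that something intervened.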
The method of interfering with a web attack further comprises the following steps: generating a rule base and acquiring the access characteristic data of a visitor; and comparing whether the access characteristic data exists in the rule base; if so, the visitor is an attacker, and if not, the visitor is not an attacker. Before an attacker's intrusion can be interfered with, the first task is to identify whether a visitor is an attacker, so a rule base for accurately identifying attackers must be generated first. Specifically, this comprises: acquiring the access paths, access frequencies and carried parameters of all historical attackers, and combining these to obtain several groups of expert rules that form the rule base. For example, an attacker who wants to obtain personal identity data from the server host may send requests carrying identity-extraction parameters against the same path at a certain frequency until the required data is obtained; the sending frequency and the requests themselves may vary, and the access characteristic data obtained from such traffic identifies the visitor as an attacker. The rule base thus contains several groups of access characteristics that together reflect attacker behaviour, i.e. it summarizes the different access characteristic data attackers use when exploiting different vulnerabilities.
In another aspect, the method further comprises: when the visitor is judged to be an attacker, sending an attacker intrusion prompt to the server side, which informs the server operators of the current intrusion and of the interference and blocking result, and allows them to record the intrusion event.
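The rule base, the visitor comparison and the intrusion prompt from the two preceding paragraphs, as an added example that is not the patent's own code: each expert rule combines an access path pattern, a carried-parameter pattern and a frequency threshold (hits per window), the detector keeps a sliding window per visitor and rule, and a visitor whose requests satisfy a rule is judged an attacker and an intrusion prompt is recorded. The rule set, the one-line log format and the log lines are constructed for the example.

```python
"""Rule base of expert rules (path, frequency, parameters) and attacker identification over access logs.

Added example, not the patent's code. Rules, log format and log lines are constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class ExpertRule:
    name: str
    path_re: str      # which resource the attacker goes after
    params_re: str    # what the carried parameters look like
    min_hits: int     # how many matching requests ...
    window_s: int     # ... within this many seconds count as attack frequency


RULE_BASE: List[ExpertRule] = [
    ExpertRule("sqli-probe", r".*", r"(?i)['\"]\s*(or|and|union)\b|\bunion\s+select\b", 1, 1),
    ExpertRule("identity-scrape", r"^/api/users/\d+$", r"(?i)\b(id_card|identity|ssn)\b", 20, 60),
    ExpertRule("login-bruteforce", r"^/login$", r"(?i)\bpassword=", 10, 30),
]


class AttackerDetector:
    def __init__(self, rules: List[ExpertRule]):
        self.rules = [(r, re.compile(r.path_re), re.compile(r.params_re)) for r in rules]
        self.hits: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)   # (ip, rule) -> timestamps
        self.alerts: List[dict] = []

    def observe(self, ts: int, src_ip: str, path: str, query: str) -> Optional[str]:
        """Feed one request; return the rule name when the visitor is judged an attacker."""
        for rule, path_pat, params_pat in self.rules:
            if not (path_pat.search(path) and params_pat.search(query)):
                continue
            window = self.hits[(src_ip, rule.name)]
            window.append(ts)
            while ts - window[0] > rule.window_s:      # drop hits outside the frequency window
                window.popleft()
            if len(window) >= rule.min_hits:
                self.alerts.append({"ts": ts, "src_ip": src_ip, "rule": rule.name,
                                    "hits": len(window), "path": path})
                return rule.name
        return None


def intrusion_prompt(alert: dict) -> str:
    """The attacker intrusion prompt sent to the server side."""
    return (f"[{alert['ts']}] attacker {alert['src_ip']} matched rule {alert['rule']} "
            f"({alert['hits']} hits) on {alert['path']}")


LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")   # constructed format: "<epoch> <src_ip> <method> <target>"


def run_detector(lines: List[str], rules: List[ExpertRule] = RULE_BASE) -> List[dict]:
    """Replay log lines through the detector and return the alerts it raised."""
    det = AttackerDetector(rules)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, _method, target = m.groups()
        path, _, query = target.partition("?")
        det.observe(int(ts), ip, path, unquote(query))
    return det.alerts


# Constructed log: one benign request, one SQL injection probe, then 20 identity-field scrapes in 20 s.
SAMPLE_LOG = [
    "1700000000 203.0.113.7 GET /api/users/5?fields=name",
    "1700000001 198.51.100.23 GET /item?id=1%27%20OR%201=1--",
] + [f"{1700000010 + n} 198.51.100.23 GET /api/users/{n}?fields=id_card" for n in range(20)]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LOG):
        print(intrusion_prompt(alert))
```

The frequency condition is what separates the identity-scrape rule from a single legitimate profile read on the same path: one request with an identity field never fires, twenty from one address inside a minute does. Rules with `min_hits` of 1 behave as plain signature matches.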
Example two
When an attacker launches an intrusion attack on a server, the access path first passes through a switch, and the switch then carries the access to the web server, which is the attacked party. This embodiment therefore provides a system for interfering with a web attack, comprising a first building module, a second building module and a webpage switching module. The first building module is used for obtaining communication data between the attacker and the attacked party, constructing a blocking data packet from the communication data, and sending the blocking data packet to the attacked party; specifically, when the attacker performs intrusion access and sends access data to the switch, the first building module obtains the access data from the switch in bypass monitoring mode and extracts the attacker's communication data from it.
Further, the first building module comprises a first data acquisition module, a first modification module and a first generation module; the first data acquisition module is used for generating a reset message and extracting communication protocol data, an attacker Internet protocol address and an attacker port in the communication data; the first modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port; the first generating module is used for generating a blocking data packet from the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
Specifically, the blocking data packet needs to contain a reset message, the communication addresses of the attacker and the attacked party, and the communication protocol data of the current session between the attacker and the web server. The reset message is the TCP RST segment, which TCP uses to close an abnormal connection: when the attacked party receives the blocking data packet carrying the reset flag, it stops the communication process with the attacker, releases the buffers and discards all TCP state for the connection, i.e. the attack connection is released and communication blocking is achieved.
The communication protocol data includes the acknowledgement number, the sequence number and so on. For the blocking data packet not to be ignored within the attacker's session, the acknowledgement number and sequence number of the current session must be obtained through traffic mirroring. As a packet injected into the attacker's session, the blocking data packet also needs the communication addresses of the attacker and the attacked party, namely the attacker's internet protocol address and port number and the attacked party's internet protocol address and port number; both can be obtained through traffic mirroring.
Further, the second building module is used for obtaining the attacker's attack characteristic data and constructing a false success data packet from the attack characteristic data and the communication data. Specifically, the second building module comprises a data analysis module, a second modification module and a second generation module: the data analysis module analyzes the attacker's attack intention from the attack characteristic data and generates false attack success data according to that intention; the second modification module modifies the sender internet protocol address and the sender port into the attacked party's internet protocol address and port; and the second generation module generates the false success data packet from the false attack success data, the modified sender internet protocol address and the modified sender port.
The attacker's attack characteristic data is obtained in the same way as the communication data: the access data is obtained from the switch in bypass monitoring mode and the attack characteristic data is extracted from it. Attack characteristic data can be understood as malicious payload data, i.e. the special payload an attacker constructs for the attack, such as malicious code carried in an HTTP request; it includes the access path, the access frequency, the carried parameters and so on. After extraction, it is analyzed whether the access path is abnormal, whether the access frequency matches the frequency characteristics of an attacker, and whether the carried parameters match the characteristics of an attack request, so that the attacker's intention is summarized and false attack success data is generated.
In addition, so that the false success data packet better confuses the attacker and misleads the attacker into believing the attack was effective, the sender internet protocol address and sender port in the false success data packet are modified into the attacked party's address and port, that is, into the internet protocol address and port number of the web server host. The attacker then mistakes the false success data packet for a response from the web server host, the realism of the false success data packet is improved, and the attacker stops attacking the web server host, achieving a complete defense against this attack.
For example, if the attacker inserts an SQL statement into a query parameter, the attacker is taken to intend an SQL injection attack. More specifically, the type of database targeted, such as MySQL or Oracle, can be judged from the statement's characteristics, as can whether the injected SQL statement performs an insert, delete, update or select; these factors are combined to construct false attack success data that satisfies the attacker's intention. As another example, when the attacker inserts a command execution statement into a query parameter, the specific command the attacker wants executed can be extracted; when that command queries the IP address, a plausible IP address is returned to the attacker.
And the webpage switching module is used for generating a redirection link, copying the false successful data packet into a new resource address of the redirection link, and then sending the redirection link to an attacker, wherein the redirection link is HTTP Redirect.
When the communication between the attacker and the web server is cut by the blocking data packets, sending the one or two blocking packets takes only a few milliseconds and the attacker is unaware of it, but the attacked web server holds no false success data packet. A redirection link therefore needs to be sent to the attacker so that the attacker still believes it is visiting the attacked web server: after the attack has been blocked, the HTTP redirect makes the attacker jump to the specified resource address and request the false success data packet there, so the attacker is misled into thinking the attack task is complete and does not launch another intrusion attack against the web server.
The system for interfering with a web attack further comprises a second data acquisition module and a comparison analysis module. The second data acquisition module is used for generating a rule base and acquiring the access characteristic data of a visitor; the comparison analysis module compares whether the access characteristic data exists in the rule base; if so, the visitor is an attacker, and if not, the visitor is not an attacker. Before an attacker's intrusion can be interfered with, the first task is to identify whether a visitor is an attacker, so a rule base for accurately identifying attackers must be generated first. The second data acquisition module therefore comprises a rule base generation module, which acquires the access paths, access frequencies and carried parameters of all historical attackers and combines these to obtain several groups of expert rules that form the rule base. For example, an attacker who wants to obtain personal identity data from the server host may send requests carrying identity-extraction parameters against the same path at a certain frequency until the required data is obtained; the sending frequency and the requests themselves may vary, and the access characteristic data obtained from such traffic identifies the visitor as an attacker. The rule base thus contains several groups of access characteristic data that together reflect attacker behaviour, i.e. it summarizes the different access characteristic data attackers use when exploiting different vulnerabilities.
On the other hand, the system for interfering web attack further comprises an intrusion warning module, which is used for sending an attacker intrusion prompt to the server when the visitor is judged to be an attacker. Through this prompt the server is informed of the current attacker intrusion and of the client's interference and blocking result, and the client can conveniently record the current intrusion event.
It should be noted that the above description is only an embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (10)
1. A method of disrupting a web attack, comprising the steps of:
acquiring communication data between an attacker and an attacked, constructing a blocking data packet according to the communication data, and sending the blocking data packet to the attacked;
acquiring attack characteristic data of an attacker, and constructing a false success data packet according to the attack characteristic data and the communication data;
and generating a redirection link, copying the false successful data packet into a new resource address of the redirection link, and then sending the redirection link to an attacker.
2. The method of claim 1, wherein constructing a blocking packet according to the communication data comprises:
generating a reset message, and taking out communication protocol data, an attacker internet protocol address and an attacker port in the communication data;
modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and generating a blocking data packet by the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
3. The method of claim 1, wherein constructing false success packets according to the attack characteristic data and the communication data comprises the following steps:
analyzing the attack intention of an attacker by the attack characteristic data, and generating false attack success data according to the attack intention;
modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
and generating a false success data packet by the false attack success data, the modified sender internet protocol address and the modified sender port.
4. The method of interfering with web attacks according to claim 1, further comprising the steps of:
generating a rule base and acquiring access characteristic data of an accessor;
comparing whether the access characteristic data exists in the rule base, if so, determining that the visitor is an attacker, and if not, determining that the visitor is not the attacker;
and when the visitor is judged to be the attacker, sending an attacker intrusion prompt to the server.
5. The method of claim 4, wherein the generating the rule base comprises the following steps:
the method comprises the steps of obtaining access paths, access frequencies and carrying parameters of all historical attackers, and combining the access paths, the access frequencies and the carrying parameters to obtain a plurality of groups of expert rules to form a rule base.
6. A system for interfering web attack is characterized by comprising a first building module, a second building module and a webpage switching module;
the first building module is used for obtaining communication data between an attacker and an attacked, constructing a blocking data packet according to the communication data, and sending the blocking data packet to the attacked;
the second building module is used for obtaining attack characteristic data of an attacker and constructing a false success data packet according to the attack characteristic data and the communication data;
and the webpage switching module is used for generating a redirection link, copying the false successful data packet into a new resource address of the redirection link and then sending the redirection link to an attacker.
7. The system for interfering with web attacks according to claim 6, wherein the first building module comprises a first data obtaining module, a first modifying module and a first generating module;
the first data acquisition module is used for generating a reset message and extracting communication protocol data, an attacker internet protocol address and an attacker port in the communication data;
the first modification module is used for modifying the sender internet protocol address and the sender port into an attacker internet protocol address and an attacker port;
the first generating module is used for generating a blocking data packet from the reset message, the communication protocol data, the attacker internet protocol address, the attacker port, the modified sender internet protocol address and the modified sender port.
8. The system for interfering with web attacks of claim 6, wherein the second building module comprises a data analysis module, a second modification module, and a second generation module;
the data analysis module is used for analyzing the attack intention of an attacker by the attack characteristic data and generating false attack success data according to the attack intention;
the second modification module is used for modifying the sender Internet protocol address and the sender port into an attacker Internet protocol address and an attacker port;
and the second generation module is used for generating a false successful data packet by the false attack successful data, the modified sender internet protocol address and the modified sender port.
9. The system for interfering with web attacks of claim 6, further comprising a second data acquisition module, a comparison analysis module, and an intrusion alert module;
the second data acquisition module is used for generating a rule base and acquiring access characteristic data of an accessor;
the comparison analysis module is used for comparing whether the access characteristic data exists in the rule base, if so, the visitor is an attacker, and if not, the visitor is not the attacker;
and the intrusion warning module is used for sending an attacker intrusion prompt to the server side when the visitor is judged to be the attacker.
10. The system for interfering with web attacks of claim 9, wherein the second data acquisition module comprises a rule base generation module;
the rule base generation module is used for acquiring access paths, access frequencies and carrying parameters of all historical attackers, and combining the access paths, the access frequencies and the carrying parameters to obtain a plurality of groups of expert rules to form a rule base.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210460816.7A CN114978609A (en) | 2022-04-28 | 2022-04-28 | Method and system for interfering web attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114978609A true CN114978609A (en) | 2022-08-30 |
Family
ID=82980205
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107347047A (en) * | 2016-05-04 | 2017-11-14 | 阿里巴巴集团控股有限公司 | Attack guarding method and device |
US10298598B1 (en) * | 2013-12-16 | 2019-05-21 | Amazon Technologies, Inc. | Countering service enumeration through imposter-driven response |
CN110677408A (en) * | 2019-07-09 | 2020-01-10 | 腾讯科技(深圳)有限公司 | Attack information processing method and device, storage medium and electronic device |
CN112087413A (en) * | 2019-06-14 | 2020-12-15 | 张长河 | Network attack intelligent dynamic protection and trapping system and method based on active detection |
CN113472761A (en) * | 2021-06-22 | 2021-10-01 | 杭州默安科技有限公司 | Website cheating method and system |
CN113572730A (en) * | 2021-06-15 | 2021-10-29 | 郑州云智信安安全技术有限公司 | Implementation method for actively and automatically trapping honeypots based on web |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| CB02 | Change of applicant information | Address after: 1st Floor, Building 3, No. 2616, Yuhangtang Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province, 311100. Applicant after: HANGZHOU MOAN TECHNOLOGY CO.,LTD. Address before: 311100 10th floor, Block E, building 1, 1378 Wenyi West Road, Cangqian street, Yuhang District, Hangzhou City, Zhejiang Province. Applicant before: HANGZHOU MOAN TECHNOLOGY CO.,LTD. |
| SE01 | Entry into force of request for substantive examination | |