CN115801305A - Network attack detection and identification method and related equipment - Google Patents


Info

Publication number: CN115801305A
Application number: CN202211093082.XA
Authority: CN (China)
Legal status: Granted; active
Other versions: CN115801305B (en)
Other languages: Chinese (zh)
Inventor: 刘晓鸣
Current assignee: Wuhan Sipuling Technology Co Ltd
Original assignee: Wuhan Sipuling Technology Co Ltd
Prior art keywords: target, port, address, network, tcp connection

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network attack detection and identification method and related equipment. The method comprises the following steps: acquiring a target port and a target IP address based on a TCP connection message sent by a target server; and backtracking the target port and the target IP address in the http access log so as to determine the network risk of the TCP connection message. In this method, the server side monitors network requests and traffic in real time, parses the TCP connection message sent by the target server to obtain the target port and target IP address, and backtracks and compares them against the ports and IP addresses of the extranet requests recorded in the http access log, so as to determine whether the TCP connection message carries the risk of a reverse shell (called a "rebound shell" or "bounce shell" in the original).

Description

Network attack detection and identification method and related equipment
Technical Field
The present disclosure relates to the field of communications, and in particular, to a method for detecting and identifying a network attack and a related device.
Background
In the current monitoring approach, an agent process is deployed on each client host under the server, the key processes of that host are monitored, and risk is judged from them. Because an agent must be deployed for every client, deployment is difficult when the number of clients under the server is large.
Disclosure of Invention
In this summary, concepts in a simplified form are introduced that are further described in the detailed description. The summary of the invention is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
In order to provide a method for detecting and identifying a network attack that is altogether more convenient and faster, in a first aspect, the invention provides a method for detecting and identifying a network attack, the method comprising:
acquiring a target port and a target IP address based on a TCP connection message sent by a target server;
and backtracking the target port and the target IP address according to the http access log so as to determine the network risk of the TCP connection message.
Optionally, the backtracking the target port and the target IP address according to the http access log to determine the network risk of the TCP connection packet includes:
and sending out network intrusion risk early warning based on the TCP connection message under the condition that the http access log has the http access request with the same target port and target IP address.
Optionally, the method further includes:
identifying a target port and a target IP address corresponding to the TCP connection message based on a local preset white list;
and under the condition that the same target port and the same target IP address exist in the local preset white list, the TCP connection message has no network intrusion risk.
Optionally, the method further includes:
acquiring an http response message of a target server;
acquiring a source port and a source IP address based on the http response message;
and performing risk identification, based on a cloud database, on the network requests sent from the source ports and source IP addresses to obtain the local preset white list, wherein the cloud database comprises a white list and/or a black list of destination IP addresses and destination ports.
Optionally, the method further includes:
acquiring network attack frequencies of other servers in a target area within a preset time length;
and adjusting the capacity of the http access log based on the network attack frequency.
Optionally, the method further includes:
counting the access frequency of the same port and/or IP address in the http access log;
and adjusting the life cycle of the log information corresponding to the port and/or the IP address based on the access frequency.
Optionally, the method further includes:
acquiring the traffic change information of the target server;
and under the condition that the flow change information exceeds a preset threshold value, increasing the capacity of the http access log.
In a second aspect, the present invention further provides a device for detecting and identifying a network attack, including:
an acquisition unit, configured to acquire a target port and a target IP address based on a TCP connection message sent by a target server;
and the determining unit is used for backtracking the target port and the target IP address according to the http access log so as to determine the network risk of the TCP connection message.
In a third aspect, an electronic device includes: a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor is configured to implement the steps of the method for detecting and identifying a cyber attack according to any one of the first aspect described above when the computer program stored in the memory is executed.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for detecting and identifying a network attack according to any one of the above first aspects.
To sum up, the method for detecting and identifying network attacks in the embodiment of the present application includes: acquiring a target port and a target IP address based on a TCP connection message sent by a target server; and backtracking the target port and the target IP address in the http access log to determine the network risk of the TCP connection message. In this method the server side monitors network requests and traffic in real time, parses the TCP connection message sent by the target server to obtain the target port and target IP address, and backtracks and compares them against the ports and IP addresses of the extranet requests recorded in the http access log to determine whether the TCP connection message carries a reverse-shell risk. Because monitoring happens at the server side, the method avoids the permission problem of the prior art, in which an administrator has to deploy agents in batches on the clients of the target server, and it also avoids the diversity of reverse-shell monitoring processes in the prior art, so the universality of the method is improved.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention.
Drawings
Various additional advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the specification. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flowchart of a network attack detection and identification method according to an embodiment of the present application;
fig. 2 is a schematic diagram illustrating a working principle of detection and identification of a network attack according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating a working principle of a server external learning module according to an embodiment of the present disclosure;
fig. 4 is a schematic diagram of the working principle of a reverse-shell (bounce shell) detection module according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network attack detection and identification device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device for detecting and identifying a network attack according to an embodiment of the present application.
Detailed Description
In the method for detecting and identifying a network attack, the server side monitors network requests and traffic in real time, obtains a target port and a target IP address by parsing a TCP connection message sent by a target server, backtracks and compares them against the ports and IP addresses of the extranet requests recorded in the http access log, and determines whether the TCP connection message carries a reverse-shell risk. Because the network requests are monitored at the server side, the permission problem of the prior art, in which an administrator has to deploy agents in batches on the clients of the target server in order to monitor them, is effectively solved; the diversity of reverse-shell monitoring processes in the prior art is avoided as well, and the universality of the method is improved.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
The target host sits in an intranet, cannot be reached directly from the extranet, and can only actively "bounce" a shell outward; the original calls this a bounce shell or rebound shell, i.e. a reverse shell. In a reverse shell, the control end listens on a TCP/UDP port, the controlled end initiates a connection to that port, and the command-line input and output of the controlled end are forwarded to the control end; in essence, the client and server roles of a normal network connection are reversed.
Referring to fig. 1, a schematic flow chart of a method for detecting and identifying a network attack according to an embodiment of the present application may specifically include:
s110, acquiring a target port and a target IP address based on a TCP connection message sent by a target server;
Illustratively, when an attacker attacks a target server, the attacker first sends an attack instruction to the target server; the instruction contains the IP address and port to which the target server is to connect outward. If the target server connects to that IP address and port, the attacker can remotely control the server's shell and thereby intrude on the target server.
The scheme provided by the application detects traffic at the server side, monitors the network requests of the clients under the server, and, whenever a TCP connection message is about to be sent to the external network, parses the target port and target IP address out of that TCP message.
And S120, backtracking the target port and the target IP address according to the http access log to determine the network risk of the TCP connection message.
Illustratively, the http access log records the history of extranet access to the intranet, including the port and IP address of each visitor; this history may also include the port and IP address of an attacker. The port and IP address information recorded in the http access log is compared with the target port and target IP address that the TCP connection packet wants to connect to. If the target port and target IP address of the TCP connection packet are the same as a record in the http access log, a reverse-shell event exists and the target server is likely under attack.
To sum up, according to the detection and identification method for network attacks provided in the embodiments of the present application, a server side monitors network requests and traffic conditions in real time, analyzes a TCP connection packet sent by a target server to obtain a target port and a target IP address, and determines whether the TCP connection packet has a risk of bouncing a shell by backtracking and comparing the TCP connection packet with a port and an IP address of an extranet request recorded in an http access log.
In some examples, the backtracking the target port and the target IP address according to the http access log to determine the network risk of the TCP connection packet includes:
and sending out network intrusion risk early warning based on the TCP connection message under the condition that the http access log has the http access request with the same target port and target IP address.
Illustratively, the IP address and the port recorded in the http access log are compared with the target port and the target IP address which are correspondingly connected with the TCP connection message, and if the IP addresses and the port are the same, the TCP connection message sends out early warning of network intrusion risk.
For example: the intranet web host 192.168.1.50 initiates a TCP request to port 8888 of the external host 42.123.1.20. A specified number of http access log records, chosen according to the memory capacity of the current device, is read and backtracked, and the history is checked for the keyword 42.123.1.20; if the keyword exists, the corresponding log record is kept and an alarm is pushed. If a risk exists, the detection result is pushed in the form shown in Table 1:
TABLE 1 (rendered as an image in the original and not reproduced here; its columns are listed below)
The early warning time, the source IP, the source port, the destination IP, the destination port, the intranet assets, the threat type and the risk session sent by the external network are recorded in the detection and identification of the network attack.
In some examples, the method further comprises:
identifying a target port and a target IP address corresponding to the TCP connection message based on a local preset white list;
and under the condition that the same target port and the same target IP address exist in the local preset white list, the TCP connection message has no network intrusion risk.
Exemplarily, before performing backtracking analysis on a TCP connection packet by using an http log, a target port and a target IP address corresponding to the TCP connection packet may be identified once through a locally stored preset white list, and if a port and an IP address which are the same as the target port and the target IP address corresponding to the TCP connection packet exist in the locally stored white list, the TCP connection packet may be trusted without a risk of network intrusion.
In summary, according to the detection and identification method for network attacks provided in the embodiments of the present application, before performing backtracking analysis and comparison on a TCP connection packet by using an http log, a destination port and a destination IP corresponding to the TCP connection packet may be first compared once by using a white list, and if the destination port and the destination IP fall into a preset white list, the TCP connection packet is directly passed through.
In some examples, the method further comprises:
acquiring an http response message of a target server;
acquiring a source port and a source IP address based on the http response message;
and performing risk identification, based on a cloud database, on the network requests sent from the source ports and source IP addresses to obtain the local preset white list, wherein the cloud database comprises a white list and/or a black list of destination IP addresses and destination ports.
For example, when the target server connects to the external network, risk identification may be performed on the extranet network requests according to the white list and/or black list of destination IP addresses and destination ports stored in the cloud database, and a local preset white list for the intranet is built from the result. For example: start server external connection learning, select the intranet host 192.168.1.50, set the learning time to 1 day, record the destination IP each time the server accesses a destination website, compare that IP with threat intelligence, and store the corresponding IP and port in the white list if no threat is found.
In summary, the method for detecting and identifying network attacks provided by the embodiment of the present application can start the server external connection learning function for a target server as needed and set the learning time range independently. The sessions that the intranet web host actively initiates to the extranet within the preset time range are compared with the white list and/or black list of destination IP addresses and ports in the cloud database, and the local preset white list is built and stored from them; if a destination IP carries a threat tag, a threat log and an alarm are generated directly.
The http access log is generally set to a fixed capacity; when it is full, the earliest records are erased and the information of newly generated session requests is written in their place. An attacker can exploit this: when sending the attack instruction, the attacker also issues a sleep instruction to the client on the attacked intranet server, and the client only connects to the attacker after the information corresponding to the attack instruction has aged out of the http access log, so that security detection based on backtracking the http access log no longer finds it and the intrusion succeeds.
To address this, the effectiveness of network detection can be improved by any one of the following schemes A, B and C, or by a combination of them.
In some examples, the method further comprises:
scheme A:
acquiring network attack frequencies of other servers in a target area within a preset time length;
and adjusting the capacity of the http access log based on the network attack frequency.
For example, the network attack frequency of other servers in the target area within a preset time period is counted; the target area may be an entire office building and the preset time period may be 1 hour, so the count is the number of network attacks the office building suffered in the past hour. If the attack frequency does not exceed the preset frequency, the capacity of the http access log need not be adjusted; if it does exceed it, the capacity of the http access log can be increased appropriately, the larger the excess the larger the capacity, which reduces the possibility that an attacker uses a sleep instruction to the client to skip the security detection.
Scheme B:
counting the access frequency of the same port and/or IP address in the http access log;
and adjusting the life cycle of the log information corresponding to the port and/or the IP address based on the access frequency.
Illustratively, the access frequency of each port and/or IP address in the http access log is counted. If a port or IP address sends access requests frequently and is not in the white list, the risk factor of that network request is high and it may be an attacker probing frequently. The life cycle of the log information for that port and/or IP address is then adjusted according to the access frequency: the higher the access frequency, the longer the record is retained, and when the capacity of the http access log is insufficient, other historical access records with lower frequency are erased first.
Scheme C:
acquiring the traffic change information of the target server;
and under the condition that the flow change information exceeds a preset threshold value, increasing the capacity of the http access log.
For example, traffic change information of the target server is obtained. The traffic change information is the result of comparing the current traffic in the current time period with historical traffic information, where the historical traffic information is the average traffic of the target server over a number of past natural days as a function of time; it generally shows regularity, for example more traffic during working hours and less outside them. Under normal conditions the traffic change information does not exceed the preset threshold, that is, the daily traffic pattern is roughly the same; when it does exceed the threshold, some abnormal network event may be occurring, such as an external network attack, and the capacity of the http access log is then increased to reduce the possibility that an attacker uses a sleep command to the client to skip the security detection.
In summary, the method for detecting and identifying network attacks provided in the embodiments of the present application adjusts the capacity of the access log and the life cycle of its log information by analysing one or more of the network attack frequency, the access frequency of the same port and/or IP address, and the traffic change information, so as to reduce the possibility that an attacker uses a sleep command to the client to skip the security detection, improve the accuracy of network attack detection and identification, and improve the network security of the server.
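Schemes A, B and C combined into one adaptive log store, added here as an example and not the patent's code. The patent only says the capacity is "properly increased" and that lower-frequency records are erased first; the growth step per excess attack, the traffic ratio threshold, the white list and the sample requests are constructed assumptions.

```python
"""Adaptive http access log implementing schemes A, B and C (added example)."""
from __future__ import annotations

from collections import Counter
from statistics import mean


class AdaptiveAccessLog:
    def __init__(self, base_capacity, whitelist=()):
        self.base_capacity = base_capacity
        self.capacity = base_capacity
        self.whitelist = set(whitelist)   # trusted (ip, port) requesters
        self.entries = []                 # (seq, ip, port, request) in arrival order
        self.freq = Counter()             # scheme B: access frequency per (ip, port)
        self._seq = 0

    def record(self, ip, port, request):
        """Append one http access record, evicting if the capacity is exceeded."""
        self._seq += 1
        self.freq[(ip, port)] += 1
        self.entries.append((self._seq, ip, port, request))
        self._enforce_capacity()

    def _enforce_capacity(self):
        # Scheme B: when capacity is insufficient, erase the records whose requester
        # has the lowest access frequency first; ties fall back to the plain
        # fixed-capacity behaviour of erasing the oldest record.
        while len(self.entries) > self.capacity:
            victim = min(self.entries, key=lambda e: (self.freq[(e[1], e[2])], e[0]))
            self.entries.remove(victim)

    def requests(self):
        return [(ip, port, request) for _, ip, port, request in self.entries]

    def suspicious_requesters(self, min_frequency):
        """Scheme B: frequent requesters that are not white-listed are probable probers."""
        return sorted(key for key, count in self.freq.items()
                      if count >= min_frequency and key not in self.whitelist)

    def adjust_for_area_attacks(self, attack_count, threshold):
        """Scheme A: attacks on other servers of the same area in the preset window.
        Capacity is left alone up to the threshold and grows with the excess."""
        if attack_count > threshold:
            step = max(1, self.base_capacity // 10)   # assumed growth per excess attack
            self.capacity = max(self.capacity,
                                self.base_capacity + (attack_count - threshold) * step)
        return self.capacity

    def adjust_for_traffic(self, current_traffic, same_period_history, max_ratio=2.0):
        """Scheme C: compare the current period's traffic with the average of the same
        period on past natural days; grow the log when the ratio exceeds the threshold."""
        baseline = mean(same_period_history)
        if baseline > 0 and current_traffic / baseline > max_ratio:
            self.capacity = max(self.capacity,
                                int(self.base_capacity * current_traffic / baseline))
        return self.capacity


def demo():
    """Constructed walk-through; returns the intermediate results for inspection."""
    log = AdaptiveAccessLog(base_capacity=3, whitelist={("203.0.113.9", 51522)})
    for ip, port, req in [
        ("203.0.113.9", 51522, "GET /index.html"),
        ("42.123.1.20", 8888, "POST /upload.php"),
        ("42.123.1.20", 8888, "POST /upload.php"),
        ("198.51.100.7", 40210, "GET /login"),   # 4th record: evicts the single 203.0.113.9 hit
    ]:
        log.record(ip, port, req)
    after_eviction = log.requests()
    cap_a = log.adjust_for_area_attacks(attack_count=5, threshold=3)   # 3 + 2 * 1 = 5
    cap_c = log.adjust_for_traffic(current_traffic=300,
                                   same_period_history=[100, 110, 90])  # ratio 3 -> 9
    return {
        "after_eviction": after_eviction,
        "suspicious": log.suspicious_requesters(min_frequency=2),
        "capacity_after_a": cap_a,
        "capacity_after_c": cap_c,
    }


if __name__ == "__main__":
    print(demo())
```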
In some examples, as shown in fig. 3, network risk can be warned of by an asset management module, a server external connection learning module, a threat intelligence module, a reverse-shell (bounce shell) detection module and a warning module. The server external connection learning module, combined with threat intelligence, marks the white list of external connection addresses and ports; for the non-white-list IPs and ports requested by the server, the logs are traced back and decoded to determine whether a related reverse-shell event exists, and the risk is warned of.
The asset management module identifies intranet web assets either through manual addition or passively from traffic. Relying on application identification, it matches response fields of the http service and automatically identifies the web servers in the intranet according to the manually configured intranet segment. For example: configure the intranet segment as 192.168.1.0/24 and, whenever http response data appears in the traffic, record the corresponding IP and port, such as 192.168.1.50.
The server external connection learning module starts the server external learning function and the learning time range as required. As shown in fig. 4, the sessions actively requested by the web host within the time range are compared with threat intelligence, and the destination IP and destination port are then stored in the white list. If a destination IP carries a threat label, a threat log and an alarm are generated directly. For example: start server external connection learning, select the intranet host 192.168.1.50 with a learning time of one day; when the server accesses http://www.baidu.com, record the destination IP, compare it with threat intelligence, and store the corresponding IP and port in the white list.
The reverse-shell detection module judges, once a request initiated by the web host exists, whether the destination IP and port are on the white list. As shown in fig. 4: the intranet web host 192.168.1.50 initiates a TCP request to port 8888 of host 42.123.1.20. First, check whether destination IP 42.123.1.20 and destination port 8888 are on the white list; if the white list is hit, matching ends, otherwise continue. Second, read a specified number of http access log records according to the memory capacity of the current device and backtrack through them. Third, check whether the keyword 42.123.1.20 appears in those logs.
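The three-step check of the detection module (white list, bounded backtrack of the http access log, keyword match on the destination IP) together with the alert fields of Table 1, as an added Python example that is not the patent holder's code; the log-line format (combined log style with the client port appended to the client IP), the white-list shape and the sample log lines are constructed assumptions. It goes one step beyond the page by also recording whether the port matched, since the claims compare IP and port while the worked example keys on the IP alone.

```python
"""Reverse-shell (bounce shell) detection by backtracking the http access log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed http access log lines: client_ip:client_port - - [time] "request" status bytes
SAMPLE_HTTP_ACCESS_LOG = [
    '203.0.113.9:51522 - - [10/Sep/2022:10:02:11 +0800] "GET /index.html HTTP/1.1" 200 512',
    '42.123.1.20:8888 - - [10/Sep/2022:10:03:45 +0800] "POST /upload.php HTTP/1.1" 200 77',
    '198.51.100.7:40210 - - [10/Sep/2022:10:04:01 +0800] "GET /login HTTP/1.1" 302 0',
]

LOG_LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass(frozen=True)
class TcpConnectEvent:
    """Outbound TCP connection observed from an intranet host (patent step S110)."""
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class LogEntry:
    ip: str
    port: int
    time: str
    request: str
    status: int


def parse_access_log(lines):
    """Parse the lines matching the assumed format; unparsable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if m:
            entries.append(LogEntry(m["ip"], int(m["port"]), m["time"],
                                    m["request"], int(m["status"])))
    return entries


def is_whitelisted(event, whitelist):
    """Step one: the local preset white list holds trusted (destination IP, port) pairs."""
    return (event.dst_ip, event.dst_port) in whitelist


def backtrack(event, entries, max_entries):
    """Steps two and three: read at most `max_entries` of the newest records (the
    patent bounds this by device memory) and search them for the destination IP."""
    window = entries[-max_entries:] if max_entries > 0 else []
    return [e for e in window if e.ip == event.dst_ip]


def detect(event, whitelist, log_lines, max_entries=1000, intranet_asset=None):
    """Return None when the connection is trusted or has no history in the log,
    otherwise an alert record carrying the fields of Table 1."""
    if is_whitelisted(event, whitelist):
        return None
    hits = backtrack(event, parse_access_log(log_lines), max_entries)
    if not hits:
        return None
    return {
        "alert_time": event.time,
        "source_ip": event.src_ip,
        "source_port": event.src_port,
        "destination_ip": event.dst_ip,
        "destination_port": event.dst_port,
        "intranet_asset": intranet_asset or event.src_ip,
        "threat_type": "reverse shell (bounce shell)",
        "risk_sessions": [f"{h.time} {h.ip}:{h.port} {h.request} {h.status}" for h in hits],
        # Beyond the patent text: tells the analyst whether the strict (IP and port)
        # rule fired or only the IP keyword match of the worked example.
        "port_matched": any(h.port == event.dst_port for h in hits),
    }


def run_patent_example():
    """The page's example: intranet host 192.168.1.50 connects to 42.123.1.20:8888."""
    event = TcpConnectEvent("10/Sep/2022:10:05:30 +0800", "192.168.1.50", 40001,
                            "42.123.1.20", 8888)
    return detect(event, whitelist={("203.0.113.9", 443)}, log_lines=SAMPLE_HTTP_ACCESS_LOG)


if __name__ == "__main__":
    print(run_patent_example())
```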
Referring to fig. 5, an embodiment of a device for detecting and identifying a network attack in the embodiment of the present application may include:
an obtaining unit 21, configured to obtain a target port and a target IP address based on a TCP connection packet sent by a target server;
and the determining unit 22 is configured to trace back the target port and the target IP address according to the http access log to determine the network risk of the TCP connection packet.
As shown in fig. 6, an electronic device 300 is further provided in the embodiments of the present application, and includes a memory 310, a processor 320, and a computer program 311 stored in the memory 310 and executable on the processor 320, where the processor 320 executes the computer program 311 to implement the steps of any one of the methods for detecting and identifying a network attack.
Since the electronic device described in this embodiment is a device used for implementing a method for detecting and identifying a network attack in this embodiment, based on the method described in this embodiment, a person skilled in the art can understand a specific implementation of the electronic device in this embodiment and various variations thereof, so that how to implement the method in this embodiment by the electronic device is not described in detail herein, and as long as the person skilled in the art implements the device used for implementing the method in this embodiment, the device is within the scope of protection intended by this application.
In a specific implementation, the computer program 311 may implement any of the embodiments corresponding to fig. 1 when executed by a processor.
It should be noted that, in the foregoing embodiments, the description of each embodiment has an emphasis, and reference may be made to the related description of other embodiments for a part that is not described in detail in a certain embodiment.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Embodiments of the present application further provide a computer program product comprising computer software instructions which, when run on a processing device, cause the processing device to execute the network attack detection and identification flow of the embodiment corresponding to fig. 1.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another by wire (e.g., coaxial cable, optical fibre, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center containing one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD) or a semiconductor medium (e.g., a Solid State Disk (SSD)).
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into units is only a logical division, and an actual implementation may divide them differently; several units or components may be combined or integrated into another system, and some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method of the embodiments of the present application. The storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A network attack detection and identification method, characterized by comprising the following steps:
acquiring a target port and a target IP address based on a TCP connection packet sent by a target server; and
backtracking the target port and the target IP address against an http access log to determine the network risk of the TCP connection packet.
2. The method of claim 1, wherein backtracking the target port and the target IP address against the http access log to determine the network risk of the TCP connection packet comprises:
issuing a network intrusion risk early warning for the TCP connection packet when the http access log contains an http access request whose port and IP address are the same as the target port and the target IP address.
3. The method of claim 1, further comprising:
checking the target port and the target IP address corresponding to the TCP connection packet against a local preset white list; and
determining that the TCP connection packet carries no network intrusion risk when the same target port and target IP address exist in the local preset white list.
4. The method of claim 3, further comprising:
acquiring an http response packet of the target server;
acquiring a source port and a source IP address based on the http response packet; and
performing risk identification on the network requests sent by the source port and the source IP address against a cloud database to obtain the local preset white list, wherein the cloud database comprises a white list and/or a black list of target IP addresses and target source ports.
5. The method of claim 1, further comprising:
acquiring the network attack frequency of other servers in a target area within a preset time period; and
adjusting the capacity of the http access log based on the network attack frequency.
6. The method of claim 1, further comprising:
counting the access frequency of the same port and/or IP address in the http access log; and
adjusting the life cycle of the log information corresponding to that port and/or IP address based on the access frequency.
7. The method of claim 1, further comprising:
acquiring traffic change information of the target server; and
increasing the capacity of the http access log when the traffic change information exceeds a preset threshold.
8. An apparatus for detecting and identifying network attacks, comprising:
an acquisition unit, configured to acquire a target port and a target IP address based on a TCP connection packet sent by a target server; and
a determining unit, configured to backtrack the target port and the target IP address against the http access log so as to determine the network risk of the TCP connection packet.
9. An electronic device, comprising a memory and a processor, characterized in that the processor is configured to implement the steps of the network attack detection and identification method according to any one of claims 1 to 7 when executing a computer program stored in the memory.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the network attack detection and identification method according to any one of claims 1 to 7.
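The backtracking step of claims 1 to 3, written out as an added Python example (this is not code from the patent or from Wuhan Sipuling Technology Co Ltd): outbound TCP connections that the server itself initiated are checked first against a local whitelist, then against an index of the http access log keyed by client IP and port. The access-log format that records the client's source port, the outbound connection records and the whitelist are all constructed for the example. The "suspect" tier, which matches on IP alone, goes beyond claim 2 (which matches on both port and IP) and is labelled as such in the code.

```python
"""Backtrack outbound TCP connections against the web server's HTTP access log.

Added example for claims 1 to 3 (not code from the patent or its assignee).
Assumed: a constructed access-log format that records the client's source port,
constructed outbound connection records, and a constructed local whitelist.
"""
import re
from collections import defaultdict

# Constructed log format: <client_ip>:<client_port> [<time>] "<request>" <status>.
# Default combined formats omit the client port; this format assumes it was added
# (e.g. nginx $remote_port, Apache %{remote}p).
ACCESS_LOG = """\
203.0.113.7:51234 [08/Sep/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200
198.51.100.9:4444 [08/Sep/2022:10:02:11 +0000] "POST /upload.php HTTP/1.1" 200
192.0.2.44:60001 [08/Sep/2022:10:03:30 +0000] "GET /api/v1/status HTTP/1.1" 200
this line is deliberately malformed and must be skipped
198.51.100.9:4444 [08/Sep/2022:10:04:02 +0000] "GET /uploads/sh.php?cmd=id HTTP/1.1" 200
"""

# Constructed outbound TCP connections observed from the target server (dst_ip, dst_port),
# e.g. taken from conntrack/netflow records of SYN packets the server itself sent.
OUTBOUND = [
    ("10.0.0.5", 3306),       # database, legitimately contacted by the server
    ("198.51.100.9", 4444),   # same IP:port as an earlier HTTP client: reverse connection
    ("203.0.113.7", 8080),    # same IP as an earlier HTTP client, different port
    ("192.0.2.250", 443),     # never seen in the access log
]

# Constructed local whitelist of legitimate outbound endpoints (claim 3).
LOCAL_WHITELIST = {("10.0.0.5", 3306)}

LOG_RE = re.compile(
    r'^(?P<ip>[\d.]+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_access_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "port": int(m["port"]), "ts": m["ts"],
                            "req": m["req"], "status": int(m["status"])})
    return entries


def build_index(entries):
    """Index log entries by (ip, port) and by ip so backtracking is a dict lookup."""
    by_endpoint, by_ip = defaultdict(list), defaultdict(list)
    for e in entries:
        by_endpoint[(e["ip"], e["port"])].append(e)
        by_ip[e["ip"]].append(e)
    return by_endpoint, by_ip


def assess_connection(dst_ip, dst_port, by_endpoint, by_ip, whitelist):
    """Classify one outbound connection.

    'whitelisted': endpoint is in the local whitelist (claim 3, no risk).
    'alert':       an HTTP request came from the same IP and port (claim 2).
    'suspect':     an HTTP request came from the same IP on another port;
                   this tier is an addition beyond claim 2, because a client's
                   HTTP source port is ephemeral and rarely equals its listener port.
    'unknown':     no HTTP history for this IP.
    """
    if (dst_ip, dst_port) in whitelist:
        return {"verdict": "whitelisted", "evidence": []}
    exact = by_endpoint.get((dst_ip, dst_port), [])
    if exact:
        return {"verdict": "alert", "evidence": exact}
    same_ip = by_ip.get(dst_ip, [])
    if same_ip:
        return {"verdict": "suspect", "evidence": same_ip}
    return {"verdict": "unknown", "evidence": []}


def assess_all(outbound, access_log_text, whitelist):
    """Backtrack every outbound connection against the access log."""
    by_endpoint, by_ip = build_index(parse_access_log(access_log_text))
    return {conn: assess_connection(conn[0], conn[1], by_endpoint, by_ip, whitelist)
            for conn in outbound}


if __name__ == "__main__":
    for (ip, port), result in assess_all(OUTBOUND, ACCESS_LOG, LOCAL_WHITELIST).items():
        print(f"{ip}:{port:<5} {result['verdict']:<11}", end=" ")
        print(" ".join(f"[{e['ts']} {e['req']!r}]" for e in result["evidence"]))
```

Two practical points follow from the code. First, the strict port-and-IP match of claim 2 only fires when the attacker's listener port happens to equal the source port of their earlier HTTP request, which is normally ephemeral; matching on the IP alone is what usually catches a reverse connection, and the port match is better treated as a confidence boost. Second, the correlation needs the client port in the access log at all, which the default combined log format does not record, so the log format has to be extended before the method of claims 1 and 2 can be applied as stated.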
CN202211093082.XA 2022-09-08 2022-09-08 Network attack detection and identification method and related equipment Active CN115801305B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211093082.XA CN115801305B (en) 2022-09-08 2022-09-08 Network attack detection and identification method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211093082.XA CN115801305B (en) 2022-09-08 2022-09-08 Network attack detection and identification method and related equipment

Publications (2)

Publication Number Publication Date
CN115801305A true CN115801305A (en) 2023-03-14
CN115801305B CN115801305B (en) 2023-11-07

Family

ID=85431798

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211093082.XA Active CN115801305B (en) 2022-09-08 2022-09-08 Network attack detection and identification method and related equipment

Country Status (1)

Country Link
CN (1) CN115801305B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103038652A (en) * 2010-05-25 2013-04-10 海德沃特合作I有限公司 Device-assisted services for protecting network capacity
WO2017018377A1 (en) * 2015-07-30 2017-02-02 日本電信電話株式会社 Analysis method, analysis device, and analysis program
CN106572083A (en) * 2016-10-18 2017-04-19 汉柏科技有限公司 Log processing method and system
US20170171305A1 (en) * 2015-12-09 2017-06-15 International Business Machines Corporation Persistent connection rebalancing
CN107102795A (en) * 2017-05-31 2017-08-29 努比亚技术有限公司 A kind of log recording method, mobile terminal and computer-readable recording medium
CN107231365A (en) * 2017-06-13 2017-10-03 深信服科技股份有限公司 The method and server and fire wall of a kind of evidence obtaining
CN110098957A (en) * 2019-04-04 2019-08-06 北京市天元网络技术股份有限公司 Big data analysis system based on network log
CN110493165A (en) * 2018-06-29 2019-11-22 厦门白山耘科技有限公司 Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process
CN110764969A (en) * 2019-10-25 2020-02-07 新华三信息安全技术有限公司 Network attack tracing method and device
CN111031009A (en) * 2019-11-25 2020-04-17 杭州安恒信息技术股份有限公司 Multilayer-based NOSQL injection attack detection method and device
CN113037689A (en) * 2019-12-24 2021-06-25 中国移动通信集团河北有限公司 Log-based virus discovery method and device, computing equipment and storage medium
CN113722284A (en) * 2021-07-30 2021-11-30 济南浪潮数据技术有限公司 Cluster log storage method, device, equipment and medium
CN113761527A (en) * 2020-07-01 2021-12-07 北京沃东天骏信息技术有限公司 Rebound shell process detection method, device, equipment and storage medium
CN113992341A (en) * 2021-09-09 2022-01-28 新华三信息安全技术有限公司 Message processing method and device
CN114153714A (en) * 2021-12-01 2022-03-08 招商局金融科技有限公司 Log information based capacity adjustment method, device, equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王霄: "某中型企业数据中心日志分析系统的设计与实现", 中国优秀硕士学位论文全文数据库 信息科技辑 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116112295A (en) * 2023-04-12 2023-05-12 北京长亭未来科技有限公司 Method and device for researching and judging external connection type attack result
CN116112295B (en) * 2023-04-12 2023-07-04 北京长亭未来科技有限公司 Method and device for researching and judging external connection type attack result

Also Published As

Publication number Publication date
CN115801305B (en) 2023-11-07

Similar Documents

Publication Publication Date Title
US20200167468A1 (en) Detecting Irregularities on a Device
US10432650B2 (en) System and method to protect a webserver against application exploits and attacks
US8479267B2 (en) System and method for identifying unauthorized endpoints
US9401924B2 (en) Monitoring operational activities in networks and detecting potential network intrusions and misuses
US9104864B2 (en) Threat detection through the accumulated detection of threat characteristics
US10291630B2 (en) Monitoring apparatus and method
CN111274583A (en) Big data computer network safety protection device and control method thereof
US20160164893A1 (en) Event management systems
EP2723034A1 (en) System for Detection of Mobile Applications Network Behavior - Netwise
KR20160051886A (en) Context-aware network forensics
WO2013184099A1 (en) Cross-user correlation for detecting server-side multi-target intrusion
CN104038466B (en) Intruding detection system, method and apparatus for cloud computing environment
KR102024142B1 (en) A access control system for detecting and controlling abnormal users by users’ pattern of server access
US20190044965A1 (en) Systems and methods for discriminating between human and non-human interactions with computing devices on a computer network
US20170244738A1 (en) Distributed detection of malicious cloud actors
CN113660224A (en) Situation awareness defense method, device and system based on network vulnerability scanning
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
CN107666464B (en) Information processing method and server
CN113411297A (en) Situation awareness defense method and system based on attribute access control
CN115801305A (en) Network attack detection and identification method and related equipment
EP3331210B1 (en) Apparatus, method, and non-transitory computer-readable storage medium for network attack pattern determination
RU2630415C2 (en) Method for detecting anomalous work of network server (options)
Nikolai et al. A system for detecting malicious insider data theft in IaaS cloud environments
GB2592132A (en) Enterprise network threat detection
CN103916376A (en) Cloud system with attract defending mechanism and defending method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant