CN104954345A - Attack recognition method based on object analysis and device thereof - Google Patents

Info

Publication number: CN104954345A
Authority: CN (China)
Prior art keywords: multimode (multi-pattern), keyword, feature, storehouse (library), message
Legal status: Granted
Application number: CN201410126740.XA
Other languages: Chinese (zh)
Other versions: CN104954345B (en)
Inventor: 姚熙
Current assignee: Qianxin Technology Group Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority: CN201410126740.XA
Publication: CN104954345A; granted as CN104954345B
Current legal status: Active
Abstract

The present invention discloses an attack recognition method based on object analysis and a device thereof. The method comprises: building a feature library of multiple feature expressions, each of which carries the attribute of an object; building a multi-pattern library of multiple keywords, each of which carries the attribute of an object, where a keyword in the multi-pattern library has a mapping relation to one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation share the same attribute; and matching the object data obtained by parsing a message against the feature library and the multi-pattern library to determine whether an attack exists. By filtering per object, and by combining the multi-pattern library with the feature library, the method and device filter out most benign data without subjecting it to costly character-level matching, so detection efficiency improves significantly.

Description

Attack recognition method and device based on object analysis
Technical field
The present invention relates to the field of network security, and in particular to an attack recognition method and device based on object analysis.
Background art
A network attack is an attack on the hardware, software and data of a network system that exploits vulnerabilities and security flaws in the network. Attacks are divided into active attacks and passive attacks. An active attack is an intentional act by which the attacker gains access to the information it wants. A passive attack mainly collects information rather than accessing it, and legitimate users of the data may be entirely unaware of the activity. Passive attacks include: 1. eavesdropping: keystroke logging, network sniffing, unauthorized data access, obtaining password files; 2. spoofing: password capture, malicious code, network spoofing; 3. denial of service: malformed packets, resource exhaustion, deception; 4. data-driven attacks: buffer overflows, format string attacks, input validation attacks, synchronization vulnerability attacks, trust vulnerability attacks.
One existing attack recognition scheme is based on regular expressions. Its general steps are: construct the key characteristics of an attack; construct a regular expression; check whether the obtained data matches the regular expression, and if so, determine that an attack exists. A regular expression is a character-level logical filter, so detection efficiency is low. Taking attack detection on HTTP request messages as an example, regular expression matching is run over every character the request contains; as both the number of attack signatures and the volume of request data grow, the feature library becomes very large and regular expression matching performance degrades non-linearly, growing as n*n, so efficiency drops very low.
Summary of the invention
In view of the above problems, the present invention provides an attack recognition method and device based on object analysis that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, an attack recognition method based on object analysis is provided, comprising: building a feature library comprising multiple feature expressions, each feature expression having the attribute of an object; building a multi-pattern library comprising multiple keywords, each keyword having the attribute of an object, where a keyword in the multi-pattern library has a mapping relation to one or more feature expressions in the feature library and a keyword and feature expression with a mapping relation have the same attribute; and matching the object data obtained by parsing a message against the feature library and the multi-pattern library to determine whether an attack exists.
Preferably, matching the object data obtained by parsing a message against the feature library and the multi-pattern library to determine whether an attack exists comprises: performing protocol analysis on the obtained message and parsing out the data of one or more objects; for the data of an object, performing multi-pattern matching with the multi-pattern library, and proceeding to the next step if a keyword for this object is matched, otherwise determining that no attack exists; checking in the feature library whether there is a feature expression for this object that has a mapping relation to the matched keyword, determining that no attack exists if none is found, otherwise proceeding to the next step; and performing rule matching on the object's data with the feature expressions corresponding to the matched keyword for this object, determining that an attack exists if the match succeeds and that no attack exists otherwise.
Preferably, the multi-pattern library is built from the feature library, with each keyword representing one pattern.
Preferably, whether a keyword is a keyword for the object is determined by checking whether the attribute of the keyword is that object; whether a feature expression is a feature expression for the object is determined by checking whether the attribute of the feature expression is that object.
Preferably, when building the feature library, the feature expressions are organized by attack type into main classes, subclasses and rules; when building the multi-pattern library, the keywords are likewise organized by attack type into main classes, subclasses and rules.
Preferably, the message is an application layer protocol message; the application layer protocol comprises TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet.
Preferably, the message is an HTTP protocol message, and the object is a predefined field of the HTTP message, such as the URL, referer, parameters or cookie.
Preferably, the multi-pattern matching uses a multi-pattern matching algorithm, namely the ACBM algorithm.
According to another aspect of the present invention, an attack recognition device based on object analysis is provided, comprising: a message retrieval unit for obtaining messages; a message parsing unit for performing protocol analysis on the obtained message and parsing out the data of one or more objects; a feature library construction unit for building the feature library, which comprises multiple feature expressions each having the attribute of an object; a multi-pattern library construction unit for building the multi-pattern library, which comprises multiple keywords each having the attribute of an object, where a keyword in the multi-pattern library has a mapping relation to one or more feature expressions in the feature library and a keyword and feature expression with a mapping relation have the same attribute; and a matching unit for matching the object data obtained by the message parsing unit against the feature library and the multi-pattern library to determine whether an attack exists.
Preferably, the matching unit comprises: a multi-pattern matching subunit for performing multi-pattern matching on the object data with the multi-pattern library; a mapping determination subunit for checking in the feature library whether there is a feature expression for this object that has a mapping relation to the matched keyword; a rule matching subunit for performing rule matching on the object data with the feature expressions corresponding to the matched keyword for this object; and a result determination subunit for determining whether an attack exists from the results of the multi-pattern matching subunit, the mapping determination subunit and the rule matching subunit, where if the multi-pattern matching subunit matches no keyword for this object, the mapping determination subunit matches no feature expression, or the rule matching subunit does not match successfully, no attack exists, and if the rule matching subunit matches successfully, an attack exists.
Preferably, the multi-pattern library is built from the feature library, with each keyword representing one pattern.
Preferably, the mapping determination subunit determines whether a keyword is a keyword for the object by checking whether the attribute of the keyword is that object; the rule matching subunit determines whether a feature expression is a feature expression for the object by checking whether the attribute of the feature expression is that object.
Preferably, the feature library construction unit, when building the feature library, organizes the feature expressions by attack type into main classes, subclasses and rules; the multi-pattern library construction unit, when building the multi-pattern library, organizes the keywords by attack type into main classes, subclasses and rules.
Preferably, the message obtained by the message retrieval unit is an application layer protocol message; the application layer protocol comprises TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet.
Preferably, the message obtained by the message retrieval unit is an HTTP protocol message, and the object obtained by the message parsing unit is a predefined field of the HTTP message, such as the URL, referer, parameters or cookie.
Preferably, the multi-pattern matching unit uses a multi-pattern matching algorithm, namely the ACBM algorithm.
It can be seen that the present invention filters per object and, by combining the multi-pattern library with the feature library, filters out most benign data without performing costly character matching on it, thereby significantly improving detection efficiency.
Further, because the present invention filters data at three levels (multi-pattern filtering, feature filtering and character matching), benign data can be confirmed safe at the first or second level without costly character filtering. The first level filters out all benign request data; the second level performs a preliminary filtering of suspicious data; at the third level the message is very likely an attack and is confirmed against the feature expressions. With the embodiments of the present invention, the vast majority of data is filtered out at the first level, and only a small proportion of requests (about 10% according to statistics) is processed at the second and third levels. That is, the vast majority of normal data does not undergo feature regular expression matching, so detection efficiency is significantly improved.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be better understood and implemented according to the specification, and so that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a schematic diagram of the relation between the feature library and the pattern library according to an embodiment of the present invention;
Fig. 2 shows a flow chart of the attack recognition method based on object analysis according to an embodiment of the present invention; and
Fig. 3 shows a schematic diagram of building the feature library or pattern library by attack type according to an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure may be understood more thoroughly and its full scope conveyed to those skilled in the art.
Portal websites, because they have many users and large page views, face higher security risks. Currently common web application vulnerabilities include: SQL injection, cross-site scripting (XSS), form bypass, cookie spoofing, information leakage, Google hacking, access control errors, PHP-specific vulnerability attacks, variable abuse, file inclusion, upload vulnerability attacks, web page tampering, and web page trojan injection.
Taking SQL injection attacks as an example, the existing regex-based SQL injection detection process is: after intercepting an HTTP request, first URL-decode (URL: Uniform Resource Locator) the content, to prevent an attacker from hiding an SQL injection statement in URL-encoded form; check whether the request data contains keywords and separators commonly used in SQL injection attacks, such as "select", "and", ";", "--", etc.; if not, the possibility of injection can be excluded, and if so, the request is passed to the next step for detailed rule detection; for a web request containing injection keywords, the rule library then performs detailed regular expression matching on the request content. If the match succeeds, the request is intercepted, a warning is issued to the client and the event is logged; if the match fails, the request string is recorded in a suspicious attack code library and submitted to the webmaster for analysis. Those skilled in the art understand that regex detection based on character matching is inefficient; to improve efficiency to some degree, an offset for character detection is usually set when writing the regular expression rules, for example checking only a certain segment of the whole data (such as the first 50 characters). If the SQL injection statement happens to occur in the segment that is not checked, a false negative results.
Unlike a traditional regular expression, which uses a single string to describe and match a series of strings satisfying certain syntactic rules, the present invention performs protocol analysis on the message to obtain different objects (i.e. predefined message fields), and then matches rules hierarchically per object.
The present invention is applicable to application layer protocols.
An application layer protocol defines how application processes running on different end systems pass messages to each other. The definition of an application layer protocol comprises: (1) the types of message exchanged, such as request messages and response messages; (2) the syntax of each message type, i.e. the precise description of each field in the message; (3) the semantics of the fields, i.e. the meaning of the information contained in each field; (4) when and how a process sends a message and responds to a message. Some application layer protocols are defined by RFC documents and are therefore in the public domain. For example, the web's application layer protocol HTTP (Hypertext Transfer Protocol, RFC 2616) is available to users as an RFC. If a browser developer follows the HTTP RFC rules, the browser can access any web server that follows the same standard and retrieve the corresponding web page. Many other application layer protocols are proprietary and not in the public domain; for example, many existing P2P file sharing systems use proprietary application layer protocols. Currently, the main application layer protocols are the following. (1) Domain Name System (DNS): a network service that maps network device names to IP addresses. (2) File Transfer Protocol (FTP): provides interactive file transfer. (3) Simple Mail Transfer Protocol (SMTP): provides e-mail transmission. (4) Hypertext Transfer Protocol (HTTP): provides the WWW service. (5) Simple Network Management Protocol (SNMP): for managing and monitoring network equipment. (6) Telnet: provides remote login.
For convenience of description, the embodiments of the present invention are described with HTTP protocol messages. That is, the embodiments perform protocol analysis on an HTTP message (according to the HTTP RFC protocol specification) to obtain different objects (i.e. predefined HTTP message fields such as the URL, referer, parameters and cookie), and then match rules hierarchically per object.
Implementation of the present invention is divided into two stages: the first is the data preparation stage and the second is the attack recognition stage.
In the data preparation stage, the feature library and the multi-pattern library are built. The feature library is similar to the feature library of existing regex-based attack recognition schemes: both consist of multiple regex-based feature expressions (also called "rules"). The difference from the existing feature library (also called a "rule base") is that each rule is given the attribute of an object, i.e. an "object-feature" correspondence is established. The multi-pattern library is newly introduced by the present invention and is derived from the feature library. It comprises multiple keywords (a keyword being a characteristic of an attack), each of which has the attribute of an object. That is, each pattern can be regarded as a keyword (i.e. a node of the multi-pattern tree), and each keyword has the attribute of an object. A keyword in the multi-pattern library has a mapping relation to one or more feature expressions in the feature library, and a keyword and feature expression with a mapping relation have the same attribute.
Fig. 1 is a schematic diagram of the relation between the feature library and the pattern library in one embodiment of the present invention.
In Fig. 1, the feature library comprises multiple feature expressions: feature expression 1, feature expression 2, feature expression 3, feature expression 4, feature expression 5, ..., feature expression N. Each feature expression has an attribute (as noted above, the attribute refers to an object). Specifically, feature expression 1 has attribute A (i.e. the attribute of feature expression 1 is object A), feature expression 2 has attribute A, feature expression 3 has attribute B, feature expression 4 has attribute B, feature expression 5 has attribute C, ..., feature expression N has attribute N. The multi-pattern library is built from this feature library. The multi-pattern library comprises multiple keywords: keyword 1, keyword 2, keyword 3, keyword 4, keyword 5, ..., keyword N. Each keyword has an attribute (again, the attribute refers to an object). Specifically, keyword 1 has attribute A, keyword 2 has attribute B, keyword 3 has attribute B, keyword 4 has attribute C, keyword 5 has attribute C, ..., keyword N has attribute N. A keyword may have mapping relations to one or more feature expressions, and a keyword and feature expression with a mapping relation are required to have the same attribute. For example, in Fig. 1, keyword 1 with attribute A has a mapping relation to feature expression 1, which also has attribute A; keyword 3 with attribute B has mapping relations to feature expression 3 and feature expression 4, which also have attribute B; and keyword 5 with attribute C has a mapping relation to feature expression 5, which also has attribute C. Keyword 2 and keyword 4 in Fig. 1 likewise have feature expressions to which they are mapped. It should be noted that Fig. 1 is only an example of a feature library and multi-pattern library and does not constitute any limitation; other organizations or correspondences can equally realize the embodiments of the present invention.
The attack recognition stage is in turn divided into two steps. The first step performs protocol analysis on the message to obtain each object it contains. The second step performs object-based attack recognition on the message, which is further subdivided into three levels. The first level performs multi-pattern matching: if a keyword in the multi-pattern library (carrying an object attribute) is hit, the data is suspected of being an attack and passes to the next level of filtering; otherwise it is considered benign. The second level performs feature filtering according to the multi-pattern matching result: only the feature expressions corresponding to the keywords hit by multi-pattern matching are selected, and all other unrelated feature expressions are filtered out. At this second level, the mapping relation between multi-pattern keywords and feature expressions ensures that feature filtering completes quickly and efficiently. If no feature expression has a mapping relation to any keyword in the multi-pattern matching result, the data can be affirmed benign; otherwise it enters the next level. Third level: at this step all remaining request data is suspected of being an attack, so feature matching is finally performed with the selected feature expressions, i.e. true feature-based regular expression character matching, to confirm whether it is an attack.
Fig. 2 is a flow chart of the attack recognition method based on object analysis according to an embodiment of the present invention.
The method comprises the following steps:
S201: perform protocol analysis on the obtained message and parse out the data of one or more objects;
Taking HTTP as an example, suppose an HTTP protocol message is obtained; protocol analysis is performed on this message, i.e. according to the HTTP RFC protocol specification, to obtain each HTTP protocol field the message contains, that is, the data content of each object. For HTTP, an object in the present invention refers to a predefined field of the HTTP message, for example the URL, referer, parameters, cookie and similar fields.
Those skilled in the art understand that for HTTP, the request information comprises the file name the client wishes to have returned and client information. The client information is sent to the server in the request header, which comprises the HTTP method and the header fields. Common HTTP methods include GET, HEAD, POST, PUT, DELETE, LINK and UNLINK. Header fields include: DATE: the date and time the request was sent; PRAGMA: for sending implementation-independent information to the server; this field also tells a proxy server to fetch the resource from the real server rather than from its cache; FORWARDED: can be used to trace the path between machines rather than the client-server message; this field can be used to trace the transmission route between proxy servers; MESSAGE_ID: uniquely identifies the message; ACCEPT: tells the server the data types and sizes the client can accept (*/* means all types of data are accepted); AUTHORIZATION: provides the server with a means of passing its security protection and encryption mechanism; if the server does not need this field, it is not provided; FROM: used when the client application wishes the server to have its e-mail address; IF-MODIFIED-SINCE: used to provide a conditional GET; if the requested document has not changed since the specified date, the server should not send the object; if the date format sent is illegal or later than the server's date, the server can ignore this field; REFERER: the object from which the resource request to the server was made; MIME-VERSION: the MIME protocol version used to handle files of different types; USER-AGENT: information about the client sending the request.
S202: for the data of an object, perform multi-pattern matching with the multi-pattern library; if a keyword for this object is matched, proceed to the next step, otherwise determine that no attack exists;
Multi-pattern matching is performed with a multi-pattern matching algorithm. There are many such algorithms, for example Trie trees, the AC algorithm, the WM algorithm, etc. Embodiments of the present invention preferably use the ACBM algorithm. ACBM builds on the AC automaton and introduces a multi-pattern extension of the BM algorithm to achieve efficient multi-pattern matching. The core idea of ACBM is to make the span between successive match starting positions as large as possible, to improve efficiency. Unlike the AC automaton, ACBM does not need to scan every character of the target text: it uses the information from failed matches to skip as many characters as possible, achieving efficient matching. The matching steps are: 1. choose a match starting position; 2. match with the AC tree; if the match fails, jump to step 1; if the match succeeds, either jump to step 1 or exit, as the application requires. The AC part of ACBM is simpler to implement than the AC automaton algorithm, since it need not consider the failure function: the AC part of ACBM is implemented as a tree, whereas the AC automaton is implemented as a graph. The BM part of ACBM is more complex to implement than BM itself, since it is a multi-pattern extension of BM. The core data structures of ACBM are: 1. MinLen, the length of the shortest pattern string in the pattern set: the number of characters skipped on a mismatch can never exceed MinLen. 2. ACTree, the state tree built from the pattern set; it is built the same way as the AC automaton but without computing the failure function, which is simpler. 3. BCshift, the bad character array corresponding to ACTree; on a match failure this array is looked up to compute the bad character shift. 4. GSshift, the good suffix shift corresponding to each node of the AC tree.
Suppose step S201 obtains object A and object B. Then, for the multi-pattern library of Fig. 1, the multi-pattern library is searched for multi-pattern matching. If the data of object A does not contain keyword 1 with attribute A, no keyword is matched for object A. Further, the data of object B is matched against keyword 2 and keyword 3 with attribute B; if the data of object B does not contain keyword 2 but does contain keyword 3, keyword 3 is matched. The other keywords in the multi-pattern library, keyword 5, ..., keyword N, cannot be matched, because their attributes (C to N) are not among the objects obtained (A and B).
S203: check in the feature library whether there is a feature expression for this object that has a mapping relation to the matched keyword; if no feature expression is matched, determine that no attack exists, otherwise proceed to the next step;
Here, whether a keyword is a keyword for the object is determined by checking whether the attribute of the keyword is that object; whether a feature expression is a feature expression for the object is determined by checking whether the attribute of the feature expression is that object.
A keyword was matched in step S202, so this step continues by determining whether there are feature expressions with a mapping relation to the matched keyword. Still using Fig. 1, suppose multi-pattern matching matched keyword 3; then, from the mapping relations between keywords in the multi-pattern library and feature expressions in the feature library, keyword 3 is found to have mapping relations to feature expression 3 and feature expression 4. This step thus determines that the next step only needs to match feature expression 3 and feature expression 4.
S204: perform rule matching on the data of this object with the feature expressions corresponding to the matched keyword for this object; if the match succeeds, determine that an attack exists, otherwise determine that no attack exists.
The preceding steps determine the limited set of feature expressions to be used for regular expression matching in this step. Still using Fig. 1, since feature expression 3 and feature expression 4 were identified, in this step the data of object B is matched against feature expression 3 and feature expression 4 respectively; if any expression matches, an attack is considered to exist, and if no expression matches, no attack exists.
The purpose of the embodiment of the present invention is this: the first level of filtering filters out all safe request data; the second level performs a preliminary filtering of the suspect data; and in the third level, where a message is very likely to carry an attack, the decision is made with the feature expressions. With the embodiment of the present invention, 99% of the data can be filtered out by the first level, and the second and third levels process roughly 10% of the request data. In other words, regular-expression feature matching does not need to be performed on the 99% of normal data. Detection efficiency is therefore significantly improved.
In addition, when building the feature library, the feature expressions can be organized by main class, subclass and rule according to the type of attack; likewise, when building the multi-pattern library, the keywords are organized by main class, subclass and rule according to the type of attack. As noted above, network attacks come in many types, so the feature expressions and keywords are organized by attack type when the feature library and the multi-pattern library are built. When a security product made according to the embodiment of the present invention is supplied to a user, the user can then select protection against particular attacks, so that protection for unrelated attacks need not run, which improves network operating speed.
For example, the feature library or the multi-pattern library can be organized as shown in Fig. 3, a schematic diagram of building the feature library or pattern library by attack type according to an embodiment of the invention. Fig. 3 shows main class 1, main class 2, ..., main class n (main class 2 to main class n are omitted), the subclass 1, subclass 2, ..., subclass n under each main class 1, and the rule 1, rule 2, ..., rule n under each subclass. A main class is a broad category of network attack, a subclass is a group within that category, and a rule is a concrete attack signature. For example, SQL injection is a main class, "SQL injection through an HTTP GET message" is a subclass under it, and injection statements such as "select" contained in the data are rules.
The solution of the present invention is described below with a concrete HTTP example.
(1) Build the feature library and the multi-pattern library.
Build a feature library containing a number of feature expressions and a multi-pattern library containing a number of keywords. An example of building the libraries by attack type is as follows:
The above example shows the strategy of one main class (main class 1, main_class1) and omits main class 2, ..., main class n. Each main class contains multiple subclasses (sub_class), for example subclass 1, subclass 2, ..., subclass n, and each subclass contains multiple subordinate rules (rule), for example rule 1, rule 2, ..., rule n. A main class represents a broad category of network attack, a subclass is a group within that category, and a rule is a concrete attack signature. In the example, SQL injection (SQL Inject) is a main class, "SQL injection through an HTTP GET message (Get SQL Inject)" is a subclass under it, and injection statements such as "select" contained in the data are rules.
(2) Obtain an HTTP message and perform protocol analysis on it to obtain the data of each object in the message (for example, fields such as url, reference and cookie).
An HTTP message is usually either an HTTP request message from the client to the server or an HTTP response message from the server to the client. Both types of message consist of a start line, one or more header fields, an empty line that terminates the header fields, and an optional message body. HTTP header fields fall into four groups: general headers, request headers, response headers and entity headers.
For example, a typical request message is:
GET http://class/download.microtool.de:80/somedata.exe
Host: download.microtool.de
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Referer: http://class/download.microtool.de/
User-Agent: Mozilla/4.04 [en] (Win95; I; Nav)
Range: bytes=554554-
Here the Host header field specifies the Internet host and port number of the requested resource and must indicate the origin server or gateway location of the requested URL; the Referer header field lets the client specify the address of the resource from which the request URI was obtained, which allows the server to generate back-link lists and can be used for logging, cache optimization and so on; the Range header field requests one or more sub-ranges of the entity; and the User-Agent header field carries information about the user agent that issued the request.
(3) Match the obtained objects against the libraries that were built and determine whether an attack exists.
The object data obtained by HTTP protocol analysis is recognized against the libraries built above; if a match succeeds, an attack is determined to exist, otherwise no attack is considered to exist.
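The whole HTTP example, steps (1) to (3), and the S202-S204 walk-through for Fig. 1 given earlier, as one added Python example that is not the patent's code. The rule set, the field name "referer" (the page writes "reference") and the three request messages other than the one quoted above are constructed for illustration; a plain substring test stands in for the ACBM multi-pattern matcher the patent prefers.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Feature library organized as main class / subclass / rule. Each feature
# expression carries the attribute (object) it applies to, the literal
# keyword from which its multimode-library entry is derived, and the regular
# expression used at the third level. Constructed sample rules.
FEATURE_LIBRARY = {
    "fe1": {"main": "SQL Inject", "sub": "Get SQL Inject", "attr": "parameter",
            "keyword": "select", "regex": r"\bselect\b.+\bfrom\b"},
    "fe2": {"main": "SQL Inject", "sub": "Get SQL Inject", "attr": "parameter",
            "keyword": "union", "regex": r"\bunion\b(\s+all)?\s+select\b"},
    "fe3": {"main": "SQL Inject", "sub": "Get SQL Inject", "attr": "parameter",
            "keyword": "select", "regex": r"\bselect\b.*\bsleep\s*\("},
    "fe4": {"main": "SQL Inject", "sub": "Cookie SQL Inject", "attr": "cookie",
            "keyword": "select", "regex": r"\bselect\b.+\bfrom\b"},
}


def build_multimode_library(features):
    """Derive the multimode library from the feature library: each keyword is
    keyed by (attribute, keyword) and mapped to the feature expressions it was
    taken from, so a keyword and its mapped expressions share one attribute."""
    library = {}
    for fid, fe in features.items():
        library.setdefault((fe["attr"], fe["keyword"].lower()), []).append(fid)
    return library


MULTIMODE_LIBRARY = build_multimode_library(FEATURE_LIBRARY)


def parse_http_request(raw):
    """Protocol analysis: split a request message (start line, header fields,
    blank line, optional body) into the predefined fields the matcher works
    on. Only fields actually present become objects; the protocol version on
    the request line is optional, as in the sample message quoted above."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    tokens = lines[0].split()
    target = tokens[1] if len(tokens) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    objects = {"url": unquote_plus(parts.path)}
    if parts.query:
        objects["parameter"] = unquote_plus(parts.query)
    for attr in ("referer", "cookie"):
        if attr in headers:
            objects[attr] = unquote_plus(headers[attr])
    return objects


def recognize(objects, features=FEATURE_LIBRARY, multimode=MULTIMODE_LIBRARY):
    """Steps S202-S204 for every object. Returns (attack, feature_id, stats);
    stats counts how many objects survived each level, which is where the
    saving of dropping most data at the first level shows up."""
    stats = {"objects": 0, "after_multimode": 0, "regex_runs": 0}
    for attr, data in objects.items():
        stats["objects"] += 1
        text = data.lower()
        # S202, level 1: multimode matching over the keywords whose attribute
        # is this object only (substring test in place of ACBM).
        matched = [kw for (a, kw) in multimode if a == attr and kw in text]
        if not matched:
            continue                       # no keyword for this object: safe
        stats["after_multimode"] += 1
        # S203, level 2: follow the mapping relation to the feature
        # expressions of the matched keywords (same attribute by construction).
        candidates = sorted({fid for kw in matched for fid in multimode[(attr, kw)]})
        if not candidates:
            continue
        # S204, level 3: regular-expression rule match, limited to candidates.
        for fid in candidates:
            stats["regex_runs"] += 1
            if re.search(features[fid]["regex"], text):
                return True, fid, stats
    return False, None, stats


# The request message quoted above (spaces restored, headers abridged).
BENIGN_REQUEST = (
    "GET http://class/download.microtool.de:80/somedata.exe\n"
    "Host: download.microtool.de\n"
    "Accept: */*\n"
    "Referer: http://class/download.microtool.de/\n"
    "User-Agent: Mozilla/4.04 [en] (Win95; I; Nav)\n"
    "Range: bytes=554554-\n\n"
)
# Constructed: a keyword hit that the regex level correctly rejects ...
KEYWORD_ONLY_REQUEST = "GET /search?q=select+your+plan HTTP/1.1\nHost: shop.example\n\n"
# ... and one that all three levels let through.
SUSPECT_REQUEST = ("GET /item?id=1%20union%20select%20name%20from%20users HTTP/1.1\n"
                   "Host: shop.example\n\n")

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, KEYWORD_ONLY_REQUEST, SUSPECT_REQUEST):
        print(recognize(parse_http_request(raw)))
```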
Corresponding to the above method, the present invention also provides an attack recognition device based on object analysis. The device can be implemented in hardware, in software, or in a combination of hardware and software. Specifically, the device may be a service node (for example, a SOCKS server) or a functional entity inside a service node, as long as it has the functions of the device.
Specifically, the attack recognition device based on object analysis should comprise at least: a message retrieval unit, a message parsing unit, a feature library construction unit, a multi-pattern library construction unit and a matching unit.
Wherein:
The message retrieval unit obtains messages. These messages include application layer protocol messages. As noted above, the main application layer protocols are the following. (1) Domain Name System (DNS): a network service that maps network device names to IP addresses. (2) File Transfer Protocol (FTP): provides interactive file transfer. (3) Simple Mail Transfer Protocol (SMTP): provides e-mail transfer. (4) HyperText Transfer Protocol (HTTP): provides the WWW service. (5) Simple Network Management Protocol (SNMP): for managing and monitoring network devices. (6) Telnet: provides remote login. The messages obtained by the message retrieval unit therefore include at least DNS messages, FTP messages, SMTP messages, HTTP messages, SNMP messages and Telnet messages.
The message parsing unit performs protocol analysis on the obtained message and parses out the data of one or more objects. An object here is a predefined field of the message obtained by protocol analysis. Taking HTTP as an example: suppose an HTTP protocol message is obtained; protocol analysis is performed on it according to the HTTP RFC protocol specification, which yields each HTTP protocol field the message contains, that is, the data content of each object. For HTTP, an object of the present invention is a predefined field of the HTTP message, for example the url, reference, parameter and cookie fields.
The feature library construction unit builds the feature library, and the multi-pattern library construction unit builds the multi-pattern library. The feature library comprises a number of feature expressions, each having the attribute of an object; the multi-pattern library comprises a number of keywords, each having the attribute of an object. The multi-pattern library is built from the feature library, each keyword representing a pattern. In addition, the keywords in the multi-pattern library have mapping relations with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute.
The matching unit matches the data of the objects obtained by the message parsing unit on the basis of the feature library and the multi-pattern library and determines whether an attack exists.
The matching unit further comprises a multi-pattern matching sub-unit, a mapping determination sub-unit, a rule matching sub-unit and a result determination sub-unit.
The multi-pattern matching sub-unit performs multi-pattern matching on the data of an object using the multi-pattern library. The matching is performed with a multi-pattern matching algorithm; several exist, such as the Trie tree, the AC algorithm and the WM algorithm, and the embodiment of the present invention preferably uses the ACBM algorithm. ACBM builds on the AC automaton and adds the multi-pattern extension of the BM algorithm to achieve efficient multi-pattern matching. Its core idea is to make the span between successive matching start positions as large as possible in order to raise efficiency: unlike the AC automaton, ACBM does not need to scan every character of the target text string but uses the information gained from a failed match to skip as many characters as possible.
The mapping determination sub-unit checks whether the feature library contains, for this object, feature expressions having a mapping relation with the matched keyword.
The rule matching sub-unit performs rule matching on the data of this object with the feature expressions corresponding to the matched keyword for this object.
The result determination sub-unit determines whether an attack exists from the results of the multi-pattern matching sub-unit, the mapping determination sub-unit and the rule matching sub-unit: if the multi-pattern matching sub-unit matches no keyword for this object, the mapping determination sub-unit matches no feature expression, or the rule matching sub-unit has no successful match, no attack is determined to exist; if the rule matching sub-unit has a successful match, an attack is determined to exist.
The mapping determination sub-unit determines whether a keyword is a keyword for the object by whether the attribute of the keyword is the object; likewise, the rule matching sub-unit determines whether a feature expression is a feature expression for the object by whether the attribute of the feature expression is the object.
Preferably, the feature library construction unit, in building the feature library, organizes the feature expressions by main class, subclass and rule according to the type of attack; likewise, the multi-pattern library construction unit, in building the multi-pattern library, organizes the keywords by main class, subclass and rule according to the type of attack.
As can be seen, the present invention filters in a targeted way per object and, by combining the multi-pattern library with the feature library, filters out most safe data without the laborious character matching of most of the data, thereby significantly improving detection efficiency.
In particular, because the present invention filters data at three levels, multi-pattern filtering, feature filtering and character matching, safe data can be confirmed safe at the first or second level without laborious character filtering. The first level filters out all safe request data; the second level performs a preliminary filtering of the suspect data; and at the third level, where a message is very likely to carry an attack, the decision is made with the feature expressions. With the embodiment of the present invention, the overwhelming majority of the data can be filtered out by the first level, and the second and third levels process only a very small proportion of the request data (about 10% according to statistics). In other words, regular-expression feature matching need not be performed on the overwhelming majority of normal data, so detection efficiency is significantly improved.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described here can be implemented in various programming languages, and that the description given above of specific languages is intended to disclose the best mode of the invention.
A large number of specific details are described in the specification provided herein. It is understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the attack recognition device based on object analysis according to embodiments of the invention. The invention may also be embodied as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
The invention provides the following technical schemes:
A1. An attack recognition method based on object analysis, comprising:
building a feature library, the feature library comprising a plurality of feature expressions, each feature expression having the attribute of an object;
building a multi-pattern library, the multi-pattern library comprising a plurality of keywords, each keyword having the attribute of an object, wherein the keywords in the multi-pattern library have mapping relations with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute;
matching the data of the objects obtained after parsing a message on the basis of the feature library and the multi-pattern library, and determining whether an attack exists.
A2. The method of A1, wherein matching the data of the objects obtained after parsing a message on the basis of the feature library and the multi-pattern library, and determining whether an attack exists, comprises:
performing protocol analysis on the obtained message and parsing out the data of one or more objects;
performing multi-pattern matching on the data of the object using the multi-pattern library, and proceeding to the subsequent step if a keyword for this object is matched, otherwise determining that no attack exists;
checking whether the feature library contains, for this object, feature expressions having a mapping relation with the matched keyword, and determining that no attack exists if no feature expression is matched, otherwise proceeding to the subsequent step;
performing rule matching on the data of this object with the feature expressions corresponding to the matched keyword for this object, and determining that an attack exists if the match succeeds, otherwise determining that no attack exists.
A3. The method of A1 or A2, wherein the multi-pattern library is built from the feature library, each keyword representing a pattern.
A4. The method of A2, wherein
whether a keyword is a keyword for the object is determined by whether the attribute of the keyword is the object;
whether a feature expression is a feature expression for the object is determined by whether the attribute of the feature expression is the object.
A5. The method of A1 or A2, wherein, in building the feature library, the feature expressions are organized by main class, subclass and rule according to the type of attack; and in building the multi-pattern library, the keywords are organized by main class, subclass and rule according to the type of attack.
A6. The method of A1 or A2, wherein the message is an application layer protocol message, the application layer protocol comprising TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet.
A7. The method of A6, wherein the message is an HTTP protocol message and the object is a predefined field of the HTTP protocol message, including url, reference, parameter and cookie.
A8. The method of A1 or A2, wherein the multi-pattern matching is performed with a multi-pattern matching algorithm, the multi-pattern matching algorithm being the ACBM algorithm.
B9. An attack recognition device based on object analysis, comprising:
a message retrieval unit for obtaining a message;
a message parsing unit for performing protocol analysis on the obtained message and parsing out the data of one or more objects;
a feature library construction unit for building the feature library, the feature library comprising a plurality of feature expressions, each feature expression having the attribute of an object;
a multi-pattern library construction unit for building the multi-pattern library, the multi-pattern library comprising a plurality of keywords, each keyword having the attribute of an object, wherein the keywords in the multi-pattern library have mapping relations with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute;
a matching unit for matching the data of the objects obtained by the message parsing unit on the basis of the feature library and the multi-pattern library, and determining whether an attack exists.
B10. The device of B9, wherein the matching unit comprises:
a multi-pattern matching sub-unit for performing multi-pattern matching on the data of the object using the multi-pattern library;
a mapping determination sub-unit for checking whether the feature library contains, for this object, feature expressions having a mapping relation with the matched keyword;
a rule matching sub-unit for performing rule matching on the data of this object with the feature expressions corresponding to the matched keyword for this object;
a result determination sub-unit for determining whether an attack exists from the results of the multi-pattern matching sub-unit, the mapping determination sub-unit and the rule matching sub-unit, wherein no attack is determined to exist if the multi-pattern matching sub-unit matches no keyword for this object, the mapping determination sub-unit matches no feature expression, or the rule matching sub-unit has no successful match, and an attack is determined to exist if the rule matching sub-unit has a successful match.
B11. The device of B9 or B10, wherein the multi-pattern library is built from the feature library, each keyword representing a pattern.
B12. The device of B10, wherein the mapping determination sub-unit determines whether a keyword is a keyword for the object by whether the attribute of the keyword is the object;
and the rule matching sub-unit determines whether a feature expression is a feature expression for the object by whether the attribute of the feature expression is the object.
B13. The device of B9 or B10, wherein the feature library construction unit, in building the feature library, organizes the feature expressions by main class, subclass and rule according to the type of attack; and the multi-pattern library construction unit, in building the multi-pattern library, organizes the keywords by main class, subclass and rule according to the type of attack.
B14. The device of B9 or B10, wherein the message obtained by the message retrieval unit is an application layer protocol message, the application layer protocol comprising TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet.
B15. The device of B14, wherein the message obtained by the message retrieval unit is an HTTP protocol message, and the object obtained by the message parsing unit is a predefined field of the HTTP protocol message, including url, reference, parameter and cookie.
B16. The device of B9 or B10, wherein the multi-pattern matching sub-unit performs the multi-pattern matching with a multi-pattern matching algorithm, the multi-pattern matching algorithm being the ACBM algorithm.

Claims (10)

1. An attack recognition method based on object analysis, characterized by comprising:
building a feature library, the feature library comprising a plurality of feature expressions, each feature expression having the attribute of an object;
building a multi-pattern library, the multi-pattern library comprising a plurality of keywords, each keyword having the attribute of an object, wherein the keywords in the multi-pattern library have mapping relations with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute;
matching the data of the objects obtained after parsing a message on the basis of the feature library and the multi-pattern library, and determining whether an attack exists.
2. The method of claim 1, characterized in that matching the data of the objects obtained after parsing a message on the basis of the feature library and the multi-pattern library, and determining whether an attack exists, comprises:
performing protocol analysis on the obtained message and parsing out the data of one or more objects;
performing multi-pattern matching on the data of the object using the multi-pattern library, and proceeding to the subsequent step if a keyword for this object is matched, otherwise determining that no attack exists;
checking whether the feature library contains, for this object, feature expressions having a mapping relation with the matched keyword, and determining that no attack exists if no feature expression is matched, otherwise proceeding to the subsequent step;
performing rule matching on the data of this object with the feature expressions corresponding to the matched keyword for this object, and determining that an attack exists if the match succeeds, otherwise determining that no attack exists.
3. The method of claim 1 or 2, characterized in that the multi-pattern library is built from the feature library, each keyword representing a pattern.
4. The method of claim 2, characterized in that
whether a keyword is a keyword for the object is determined by whether the attribute of the keyword is the object;
whether a feature expression is a feature expression for the object is determined by whether the attribute of the feature expression is the object.
5. The method of claim 1 or 2, characterized in that, in building the feature library, the feature expressions are organized by main class, subclass and rule according to the type of attack; and in building the multi-pattern library, the keywords are organized by main class, subclass and rule according to the type of attack.
6. The method of claim 1 or 2, characterized in that the message is an application layer protocol message, the application layer protocol comprising TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet.
7. The method of claim 6, characterized in that the message is an HTTP protocol message and the object is a predefined field of the HTTP protocol message, including url, reference, parameter and cookie.
8. The method of claim 1 or 2, characterized in that the multi-pattern matching is performed with a multi-pattern matching algorithm, the multi-pattern matching algorithm being the ACBM algorithm.
9. An attack recognition device based on object analysis, characterized by comprising:
a message retrieval unit for obtaining a message;
a message parsing unit for performing protocol analysis on the obtained message and parsing out the data of one or more objects;
a feature library construction unit for building the feature library, the feature library comprising a plurality of feature expressions, each feature expression having the attribute of an object;
a multi-pattern library construction unit for building the multi-pattern library, the multi-pattern library comprising a plurality of keywords, each keyword having the attribute of an object, wherein the keywords in the multi-pattern library have mapping relations with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute;
a matching unit for matching the data of the objects obtained by the message parsing unit on the basis of the feature library and the multi-pattern library, and determining whether an attack exists.
10. The device of claim 9, characterized in that the matching unit comprises:
a multi-pattern matching sub-unit for performing multi-pattern matching on the data of the object using the multi-pattern library;
a mapping determination sub-unit for checking whether the feature library contains, for this object, feature expressions having a mapping relation with the matched keyword;
a rule matching sub-unit for performing rule matching on the data of this object with the feature expressions corresponding to the matched keyword for this object;
a result determination sub-unit for determining whether an attack exists from the results of the multi-pattern matching sub-unit, the mapping determination sub-unit and the rule matching sub-unit, wherein no attack is determined to exist if the multi-pattern matching sub-unit matches no keyword for this object, the mapping determination sub-unit matches no feature expression, or the rule matching sub-unit has no successful match, and an attack is determined to exist if the rule matching sub-unit has a successful match.
CN201410126740.XA 2014-03-31 2014-03-31 Attack recognition method and device based on object analysis Active CN104954345B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410126740.XA CN104954345B (en) 2014-03-31 2014-03-31 Attack recognition method and device based on object analysis

Publications (2)

Publication Number Publication Date
CN104954345A true CN104954345A (en) 2015-09-30
CN104954345B CN104954345B (en) 2018-07-31

Family

ID=54168705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410126740.XA Active CN104954345B (en) 2014-03-31 2014-03-31 Attack recognition method and device based on object analysis

Country Status (1)

Country Link
CN (1) CN104954345B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425937A (en) * 2007-11-02 2009-05-06 北京启明星辰信息技术有限公司 SQL injection attack detection system suitable for high speed LAN environment
CN103559444A (en) * 2013-11-05 2014-02-05 星云融创(北京)信息技术有限公司 Sql (Structured query language) injection detection method and device
US20140075539A1 (en) * 2006-06-26 2014-03-13 Palo Alto Networks, Inc. Packet classification in a network security device
CN104954346A (en) * 2014-03-31 2015-09-30 北京奇虎科技有限公司 Attack recognition method based on object analysis and device thereof

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954346A (en) * 2014-03-31 2015-09-30 北京奇虎科技有限公司 Attack recognition method based on object analysis and device thereof
CN104954346B (en) * 2014-03-31 2018-12-18 北京奇安信科技有限公司 Attack recognition method and device based on object analysis
CN106911649A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 A kind of method and apparatus for detecting network attack
CN106911647A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 A kind of method and apparatus for detecting network attack
CN108111466A (en) * 2016-11-24 2018-06-01 北京金山云网络技术有限公司 A kind of attack detection method and device
CN106453438A (en) * 2016-12-23 2017-02-22 北京奇虎科技有限公司 Network attack identification method and apparatus
CN106453438B (en) * 2016-12-23 2019-12-10 北京奇虎科技有限公司 Network attack identification method and device
CN106657075A (en) * 2016-12-26 2017-05-10 东软集团股份有限公司 Multilayer protocol analysis method and device as well as data matching method and device
CN106657075B (en) * 2016-12-26 2019-11-15 东软集团股份有限公司 Multi-layer protocol analytic method, device and data matching method and device
CN112422545A (en) * 2020-11-09 2021-02-26 北京天融信网络安全技术有限公司 Data processing method and device based on HTTP request

Also Published As

Publication number Publication date
CN104954345B (en) 2018-07-31

Similar Documents

Publication Publication Date Title
CN104954346A (en) Attack recognition method based on object analysis and device thereof
CN103744802B (en) Method and device for identifying SQL injection attacks
CN104954345A (en) Attack recognition method based on object analysis and device thereof
US7313822B2 (en) Application-layer security method and system
US8997236B2 (en) System, method and computer readable medium for evaluating a security characteristic
US7882555B2 (en) Application layer security method and system
Balduzzi et al. Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications.
Sikos AI in digital forensics: Ontology engineering for cybercrime investigations
AU2002252371A1 (en) Application layer security method and system
Wang et al. Augmented attack tree modeling of SQL injection attacks
CN110209583A (en) Safety detecting method, device, system, equipment and storage medium
CN101895516A (en) Method and device for positioning cross-site scripting attack source
Gupta et al. Robust injection point-based framework for modern applications against XSS vulnerabilities in online social networks
Gupta et al. A survey and classification of XML based attacks on web applications
Hidhaya et al. Intrusion protection against SQL injection and cross site scripting attacks using a reverse proxy
CN106911649A (en) A kind of method and apparatus for detecting network attack
Grønberg An Ontology for Cyber Threat Intelligence
Shanmughaneethi et al. SBSQLID: Securing web applications with service based SQL injection detection
Aliero et al. Review on SQL injection protection methods and tools
Zhang et al. An automated composite scanning tool with multiple vulnerabilities
Fry A forensic web log analysis tool: Techniques and implementation
CN116488947B (en) Security element treatment method
CN106911647A (en) A kind of method and apparatus for detecting network attack
Jamaluddin et al. Biologically Inspired Anomaly Detection Framework
Pandey Securing web applications from application-level attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20161125

Address after: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: Beijing Qihu Technology Co., Ltd.

Applicant before: Qizhi Software (Beijing) Co., Ltd.

GR01 Patent grant
CP03 Change of name, title or address

Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

CP03 Change of name, title or address