Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an attack recognition method and device based on object analysis that overcome the above problems, or at least partly solve them.
According to one aspect of the present invention, an attack recognition method based on object analysis is provided, characterized in that it includes: constructing a feature library, where the feature library includes a plurality of feature expressions and each feature expression has an object attribute; constructing a multi-pattern (multimode) library, where the multi-pattern library includes a plurality of keywords and each keyword has an object attribute, a keyword in the multi-pattern library has a mapping relation with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute; and, based on the feature library and the multi-pattern library, matching the data of the objects obtained by parsing a message to determine whether an attack exists.
Preferably, matching the data of the objects obtained by parsing the message based on the feature library and the multi-pattern library to determine whether an attack exists includes: performing protocol analysis on the acquired message and parsing out the data of one or more objects; for the data of an object, performing multi-pattern matching with the multi-pattern library, and proceeding to the subsequent step if a keyword for that object is matched, otherwise determining that no attack exists; looking up in the feature library whether there is a feature expression for that object that has a mapping relation with the matched keyword, and determining that no attack exists if no feature expression is found, otherwise proceeding to the subsequent step; and performing rule matching on the data of the object with the feature expressions for that object that correspond to the matched keyword, determining that an attack exists if the match succeeds and that no attack exists otherwise.
Preferably, the multi-pattern library is built from the feature library, and each keyword represents one pattern.
Preferably, whether a keyword is a keyword for an object is determined by checking whether the attribute of the keyword is that object; whether a feature expression is a feature expression for an object is determined by checking whether the attribute of the feature expression is that object.
Preferably, during construction of the feature library the feature expressions are organized by attack type in the manner of main class, subclass and rule; during construction of the multi-pattern library the keywords are organized by attack type in the same manner of main class, subclass and rule.
Preferably, the message is an application-layer protocol message, and the application-layer protocol includes TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet.
Preferably, the message is an HTTP message, and the objects are the predefined fields of the HTTP message, including url, referer, parameter and cookie.
Preferably, the multi-pattern matching is performed with a multi-pattern matching algorithm, and the algorithm is the ACBM algorithm.
According to another aspect of the present invention, an attack recognition device based on object analysis is provided, including: a message acquisition unit for acquiring messages; a message parsing unit for performing protocol analysis on the acquired message and parsing out the data of one or more objects; a feature library construction unit for building the feature library, where the feature library includes a plurality of feature expressions and each feature expression has an object attribute; a multi-pattern library construction unit for building the multi-pattern library, where the multi-pattern library includes a plurality of keywords and each keyword has an object attribute, a keyword in the multi-pattern library has a mapping relation with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute; and a matching unit for matching the data of the objects obtained by the message parsing unit based on the feature library and the multi-pattern library, to determine whether an attack exists.
Preferably, the matching unit includes: a multi-pattern matching subunit for performing multi-pattern matching on the data of an object with the multi-pattern library; a mapping determination subunit for looking up in the feature library whether there is a feature expression for that object that has a mapping relation with the matched keyword; a rule matching subunit for performing rule matching on the data of the object with the feature expressions for that object that correspond to the matched keyword; and a result determination subunit for determining whether an attack exists from the results of the multi-pattern matching subunit, the mapping determination subunit and the rule matching subunit, where no attack is determined to exist if the multi-pattern matching subunit matches no keyword for the object, the mapping determination subunit finds no feature expression, or the rule matching subunit does not match successfully, and an attack is determined to exist if the rule matching subunit matches successfully.
Preferably, the multi-pattern library is built from the feature library, and each keyword represents one pattern.
Preferably, the mapping determination subunit determines whether a keyword is a keyword for an object by checking whether the attribute of the keyword is that object, and the rule matching subunit determines whether a feature expression is a feature expression for an object by checking whether the attribute of the feature expression is that object.
Preferably, during construction of the feature library the feature library construction unit organizes the feature expressions by attack type in the manner of main class, subclass and rule, and during construction of the multi-pattern library the multi-pattern library construction unit organizes the keywords by attack type in the manner of main class, subclass and rule.
Preferably, the message acquired by the message acquisition unit is an application-layer protocol message, and the application-layer protocol includes TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet.
Preferably, the message acquired by the message acquisition unit is an HTTP message, and the objects obtained by the message parsing unit are the predefined fields of the HTTP message, including url, referer, parameter and cookie.
Preferably, the multi-pattern matching subunit performs the multi-pattern matching with a multi-pattern matching algorithm, and the algorithm is the ACBM algorithm.
It can be seen that the present invention performs targeted filtering based on objects and combines a multi-pattern library with a feature library, so that most of the secure data can be filtered out without subjecting it to costly character matching, which significantly improves detection efficiency.
Further, because the present invention filters data at three levels, multi-pattern filtering, feature filtering and character matching, secure data can be filtered out at the first or second level without going through the costly character filtering. In the first level of filtering, all secure request data is filtered out; in the second level, suspicious data is filtered a first time; in the third level, the message is very likely to be an attack and is decided with the feature expressions. With the embodiments of the present invention, the overwhelming majority of the data can be filtered out by the first level, and the request data processed in the second and third levels is a small share (about 10% according to statistics). That is, the overwhelming majority of normal data does not need to go through feature regular expression matching. Detection efficiency is thereby significantly improved.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be more clearly understood, specific embodiments of the present invention are set out below.
Detailed description
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Take a portal website as an example: because it has many users and high page views, it faces a higher security risk. Typical web application security vulnerabilities at present include SQL injection, cross-site scripting (XSS), form bypass, cookie spoofing, information leakage, Google hacking, access control errors, PHP-specific vulnerabilities, variable abuse, file inclusion, file upload vulnerabilities, web page tampering, and planted malicious scripts (drive-by downloads).
Take SQL injection as an example. The existing regular-expression-based SQL injection detection proceeds as follows: after an HTTP request is intercepted, the content is first URL-decoded (URL: Uniform Resource Locator) so that an attacker cannot hide an injection statement behind URL encoding; the request data is then checked for keywords and separators commonly used in SQL injection, such as "select", "and", ";" and "--", and if none is present the possibility of injection is excluded, otherwise the request is passed on to the detailed rule detection; for a web request that contains an injection keyword, the rule library is then used to perform detailed regular matching on the request content. If the match succeeds, the request is intercepted, a warning is sent to the client, and the request string is recorded in a suspicious attack code library; if the match fails, a log is recorded and submitted to the webmaster for analysis. Those skilled in the art understand that a regular expression detection scheme based on character matching is inefficient. To improve detection efficiency somewhat, an offset for character detection is usually set when writing regular expression rules, for example only a certain section of the data (such as the first 50 characters) is inspected; if the SQL injection statement happens to fall in the section that is not inspected, a miss (false negative) results.
Unlike a traditional regular expression, which describes a set of strings satisfying some syntax rule and is matched against a single string, the present invention performs protocol analysis on the message to obtain different objects (that is, the predefined fields of the message) and then matches rules level by level according to the object.
The present invention is applicable to all application-layer protocols.
An application-layer protocol defines how application processes running on different end systems pass messages to each other. The definition of an application-layer protocol covers: (1) the types of messages exchanged, such as request messages and response messages; (2) the syntax of each message type, such as the fields in the message and how they are delimited; (3) the semantics of the fields, that is, the meaning of the information contained in each field; and (4) when and how a process sends messages and responds to messages. Some application-layer protocols are defined by RFC documents and are therefore in the public domain. For example, HTTP (Hypertext Transfer Protocol, RFC 2616), the application-layer protocol of the web, is available to users as an RFC. If a browser developer follows the rules of the HTTP RFC, the resulting browser can access any web server that also follows the standard and retrieve the corresponding web page. Many other application-layer protocols are proprietary and not freely available; for example, many existing P2P file sharing systems use proprietary application-layer protocols. The main application-layer protocols are the following. (1) Domain Name System (DNS): a network service that maps network device names to IP addresses. (2) File Transfer Protocol (FTP): provides interactive file transfer. (3) Simple Mail Transfer Protocol (SMTP): provides electronic mail transfer. (4) Hypertext Transfer Protocol (HTTP): provides the World Wide Web service. (5) Simple Network Management Protocol (SNMP): manages and monitors network devices. (6) Telnet: provides remote login.
For convenience of description, the embodiments of the present invention are illustrated with HTTP messages. The embodiments therefore perform protocol analysis on the HTTP message (according to the HTTP RFC specification) to obtain the different objects (that is, the predefined fields of the HTTP message, such as url, referer, parameter and cookie), and then match rules level by level according to the object.
The implementation of the present invention is divided into two stages: the first stage is the data preparation stage, and the second stage is the attack recognition stage.
In the data preparation stage, the feature library and the multi-pattern library are constructed. The feature library is similar to the feature library of the existing regular-expression-based attack recognition schemes in that both consist of a plurality of regex-based feature expressions (also called "rules"). The difference from the existing feature library (or "rule library", etc.) is that an object attribute is added to each rule, that is, an "object - feature" correspondence is established. The multi-pattern library is newly introduced by the present invention and is derived from the feature library. The multi-pattern library includes a plurality of keywords (a keyword is a characteristic string of an attack), and each keyword has an object attribute. Each pattern can be regarded as one keyword (that is, one node of the multi-pattern tree), and each keyword has an object attribute. A keyword in the multi-pattern library has a mapping relation with one or more feature expressions in the feature library, and a keyword and a feature expression that have a mapping relation have the same attribute.
Referring to Fig. 1, which is a schematic diagram of the relation between the feature library and the multi-pattern library in one embodiment of the invention.
In Fig. 1, the feature library includes a plurality of feature expressions: feature expression 1, feature expression 2, feature expression 3, feature expression 4, feature expression 5, ..., feature expression N, and each feature expression has an attribute (as described above, the attribute refers to an object). Specifically, feature expression 1 has attribute A (that is, the attribute of feature expression 1 is object A), feature expression 2 has attribute A, feature expression 3 has attribute B, feature expression 4 has attribute B, feature expression 5 has attribute C, ..., feature expression N has attribute N. The multi-pattern library is built from this feature library. It includes a plurality of keywords: keyword 1, keyword 2, keyword 3, keyword 4, keyword 5, ..., keyword N, and each keyword has an attribute (as described above, the attribute refers to an object). Specifically, keyword 1 has attribute A, keyword 2 has attribute B, keyword 3 has attribute B, keyword 4 has attribute C, keyword 5 has attribute C, ..., keyword N has attribute N. A keyword may have a mapping relation with one or more feature expressions, and a keyword and a feature expression that have a mapping relation are required to have the same attribute. For example, in Fig. 1 keyword 1 with attribute A has a mapping relation with feature expression 1, which also has attribute A; keyword 3 with attribute B has a mapping relation with feature expression 3 and feature expression 4, which also have attribute B; and keyword 5 with attribute C has a mapping relation with feature expression 5, which also has attribute C. In Fig. 1, keyword 2 and keyword 4 have no feature expression with a mapping relation. Note that Fig. 1 is only an example of the feature library and the multi-pattern library and is not limiting in any way; other organizations or correspondences can also realize the embodiments of the present invention.
The attack recognition stage is divided into two steps. The first step is to perform protocol analysis on the message to obtain each object the message contains. The second step is to perform object-based attack recognition on the message, which is further subdivided into three levels. The first level performs multi-pattern matching: if a keyword in the multi-pattern library (with the attribute of the object) occurs, the data is determined to be suspected of attack and goes on to the next level of filtering; otherwise the data is considered safe. The second level performs feature filtering according to the multi-pattern matching result, with the purpose of selecting only the feature expressions corresponding to the keywords hit by the multi-pattern matching and filtering out the other, unrelated feature expressions. In the second-level filtering, the mapping relation between the multi-pattern keywords and the feature expressions ensures that the feature filtering is completed efficiently and quickly. If no feature expression has a mapping relation with a keyword in the multi-pattern matching result, the data can be affirmed to be safe; otherwise it enters the next level of filtering. In the third level, all request data that arrives is suspected of attack, so feature matching is finally performed with the feature expressions selected in the previous level, that is, real feature-based character matching with regular expressions, to finally confirm whether it is an attack.
Referring to Fig. 2, which is a flow chart of the attack recognition method based on object analysis according to an embodiment of the invention. The method includes the following steps:
S201: perform protocol analysis on the acquired message and parse out the data of one or more objects.
Taking HTTP as an example, suppose the acquired message is an HTTP message; protocol analysis is then performed on the message, that is, analysis according to the HTTP RFC specification, to obtain each HTTP field the message contains, which is the data content of each object. For HTTP, the objects of the invention are the predefined fields of the HTTP message, such as url, referer, parameter and cookie.
Those skilled in the art know that for HTTP the request information consists of the name of the resource requested and client information. The client information is sent to the server in the request header, and the request header consists of the HTTP method and header fields. Common HTTP methods are GET, HEAD, POST, PUT, DELETE, LINK and UNLINK. Header fields include: DATE: the date and time the request was sent; PRAGMA: carries implementation-specific directives to the server, and is also used to tell a proxy server to fetch the resource from the origin server rather than from its cache; FORWARDED: used to trace the path between machines, rather than between client and server, and can be used to track the routing between proxy servers; MESSAGE_ID: uniquely identifies the message; ACCEPT: tells the server the data types and sizes the client accepts (*/* means any type of data is accepted); AUTHORIZATION: provides the server with credentials for passing its security protection and encryption mechanism, and is omitted if the server does not require it; FROM: used when the client application wishes to give the server its electronic mail address; IF-MODIFIED-SINCE: used for a conditional GET, so that the server should not send the requested document if it has not changed since the specified date, while the server may ignore the field if the transmitted date format is invalid or the date is later than the server's date; REFERER: the object from which the resource request was made, sent to the server; MIME-VERSION: the MIME protocol version used for handling files of different types; USER-AGENT: information about the client sending the request.
S202: for the data of an object, perform multi-pattern matching with the multi-pattern library; if a keyword for that object is matched, proceed to the subsequent step, otherwise determine that no attack exists.
Multi-pattern matching is performed with a multi-pattern matching algorithm. There are several such algorithms, such as Trie trees, the AC algorithm and the WM algorithm. The embodiments of the present invention preferably use the ACBM algorithm. ACBM is a multi-pattern extension of the BM algorithm built on the AC automaton, and achieves efficient multi-pattern matching. The core idea of ACBM is to make the span between successive matching start positions as large as possible, which improves efficiency. Unlike the AC automaton, ACBM does not need to scan every character of the target text string; it uses the information from a failed match to skip as many characters as possible and thereby match efficiently. The matching steps are: 1. choose a matching start position; 2. match with the AC tree; if the match fails, go to step 1; if the match succeeds, go to step 1 or exit as the application requires. The AC part of ACBM is simpler to implement than the AC automaton algorithm because it does not need to consider the failure function; that is, the AC part in ACBM is a tree, whereas the AC automaton is a graph. The BM part of ACBM is more complex than the BM algorithm itself because it is a multi-pattern extension of BM. The core data structures of ACBM are: 1. MinLen, the length of the shortest pattern string in the pattern set: the number of characters skipped on a mismatch never exceeds MinLen; 2. ACTree, the state tree built from the pattern set, constructed in the same way as the AC automaton but without computing the failure function, which is fairly simple; 3. BCshift: the bad-character array corresponding to the ACTree, consulted on a match failure to compute the bad-character shift; 4. GSshift: a good-suffix shift associated with each node of the AC tree.
Suppose object A and object B are obtained in step S201. Taking the multi-pattern library of Fig. 1 as an example, the multi-pattern library is searched for multi-pattern matching: if the data of object A is found not to contain keyword 1, which has attribute A, no keyword is matched for object A; further, the data of object B is matched against keyword 2 and keyword 3, which have attribute B, and if the data of object B does not contain keyword 2 but contains keyword 3, keyword 3 is matched. The other keywords in the multi-pattern library, keyword 4, keyword 5, ..., keyword N, are not matched because their attributes (C to N) are not among the objects obtained (A and B).
S203: look up in the feature library whether there is a feature expression for that object that has a mapping relation with the matched keyword; if no feature expression is found, determine that no attack exists, otherwise proceed to the subsequent step.
Whether a keyword is a keyword for an object is determined by checking whether the attribute of the keyword is that object; whether a feature expression is a feature expression for an object is determined by checking whether the attribute of the feature expression is that object.
A keyword has been matched in step S202; this step continues by determining whether there is a feature expression that has a mapping relation with the matched keyword. Continuing with the example of Fig. 1, suppose keyword 3 has been matched by the multi-pattern matching. According to the mapping relation between keywords in the multi-pattern library and feature expressions in the feature library, keyword 3 has a mapping relation with feature expression 3 and feature expression 4, so this step determines that the next step only needs to match feature expression 3 and feature expression 4.
S204: perform rule matching on the data of the object with the feature expressions for that object that correspond to the matched keyword; if the match succeeds, determine that an attack exists, otherwise determine that no attack exists.
The preceding steps have determined the limited set of feature expressions to be used for regular matching in this step. Continuing with Fig. 1, since feature expression 3 and feature expression 4 were determined, this step matches the data of object B against feature expression 3 and feature expression 4 respectively; if either expression matches successfully, an attack is considered to exist, and if neither expression matches, no attack is determined to exist.
The purpose of the embodiments of the present invention is: in the first level of filtering, all secure request data is filtered out; in the second level, suspicious data is filtered a first time; in the third level, the message is very likely to be an attack and is decided with the feature expressions. With the embodiments of the present invention, 99% of the data can be filtered out by the first level, and the request data processed in the second and third levels is about 10%. That is, the 99% of normal data does not need to go through feature regular expression matching. Detection efficiency is thereby significantly improved.
In addition, during construction of the feature library, the feature expressions can also be organized by attack type in the manner of main class, subclass and rule; similarly, during construction of the multi-pattern library, the keywords are organized by attack type in the manner of main class, subclass and rule. As mentioned above, there are many types of network attack, so when building the feature library and the multi-pattern library, the feature expressions and keywords are organized according to attack type. When a security product built with the embodiments of the present invention is supplied to a user, the user can then select protection against particular attacks in a targeted way, so that protection against other, irrelevant attacks does not need to run, which can improve network operation speed.
For example, the feature library or multi-pattern library is organized as in Fig. 3, which shows a schematic diagram of building the feature library or the multi-pattern library by attack type according to one embodiment of the invention. Fig. 3 shows main class 1, main class 2, ..., main class n (main class 2 to main class n are omitted), the subclass 1, subclass 2, ..., subclass n under each main class, and the rule 1, rule 2, ..., rule n under each subclass. A main class is a major category of network attack, a subclass is a group within that category, and a rule is a specific attack signature. For example, SQL injection is a main class, "SQL injection through an HTTP GET message" is a subclass under that main class, and an injection statement such as "select" contained in the data is a rule.
The scheme of the present invention is illustrated below with a specific HTTP example.
(1) Construct the feature library and the multi-pattern library.
A feature library including a plurality of feature expressions and a multi-pattern library including a plurality of keywords are built. An example of building the library by attack type is as follows:
In the above example, the strategy of one main class (main class 1, main_class1) is shown, and the other main classes 2, ..., n are omitted. It can be understood that each main class includes multiple subclasses (sub_class), such as subclass 1, subclass 2, ..., subclass n, and each subclass includes multiple subordinate rules (rule), such as rule 1, rule 2, ..., rule n. A main class represents a major category of network attack, a subclass is a group within that category, and a rule is a specific attack signature. In the above example, SQL injection (SQL Inject) is a main class, "SQL injection through an HTTP GET message (Get SQL Inject)" is a subclass under that main class, and an injection statement such as "select" contained in the data is a rule.
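The main class / subclass / rule organization described above, as an added Python example; this is not the patent's own library listing, which is not reproduced on this page. The tree, its class names and its rules are all constructed here. It shows how the keyword set of the multi-pattern library is derived from the organized feature library and how enabling only some main classes or subclasses limits the keywords and expressions that get loaded, which is the targeted selection of protections the text describes.

```python
import re

# Constructed feature library organized by attack type: main class -> subclass -> rules.
# Each rule carries the object attribute it applies to, the keyword that the
# multi-pattern library will carry for it, and its feature expression (a regex).
FEATURE_TREE = {
    "sql_inject": {
        "get_sql_inject": [
            {"object": "url", "keyword": "select", "expression": r"select\s.+\sfrom\s"},
            {"object": "url", "keyword": "union", "expression": r"union(\s+all)?\s+select"},
            {"object": "parameter", "keyword": "select", "expression": r"select\s.+\sfrom\s"},
        ],
        "cookie_sql_inject": [
            {"object": "cookie", "keyword": "' or", "expression": r"'\s*or\s+'?\d"},
        ],
    },
    "xss": {
        "reflected_xss": [
            {"object": "parameter", "keyword": "<script", "expression": r"<script[^>]*>"},
            {"object": "parameter", "keyword": "onerror", "expression": r"onerror\s*="},
        ],
    },
}


def select_rules(tree, main_classes=None, sub_classes=None):
    """Flatten the tree into (main_class, sub_class, rule) triples, keeping only the
    enabled main classes and subclasses (None means all of them)."""
    selected = []
    for main, subs in tree.items():
        if main_classes is not None and main not in main_classes:
            continue
        for sub, rules in subs.items():
            if sub_classes is not None and sub not in sub_classes:
                continue
            selected.extend((main, sub, rule) for rule in rules)
    return selected


def derive_libraries(rules):
    """Build both libraries from the selected rules:
    feature library        {(object, keyword): [compiled expressions]}
    multi-pattern library  {object: sorted keywords}
    A keyword and the expressions it maps to share the object by construction."""
    feature_library, multi_pattern_library = {}, {}
    for _, _, rule in rules:
        key = (rule["object"], rule["keyword"])
        feature_library.setdefault(key, []).append(re.compile(rule["expression"], re.I))
        multi_pattern_library.setdefault(rule["object"], set()).add(rule["keyword"])
    return feature_library, {obj: sorted(kws) for obj, kws in multi_pattern_library.items()}


def attack_types_covered(rules):
    """The (main class, subclass) pairs the loaded rules protect against."""
    return sorted({(main, sub) for main, sub, _ in rules})


if __name__ == "__main__":
    # A deployment that only wants SQL injection protection loads a smaller library.
    for enabled in (None, {"sql_inject"}):
        feats, multi = derive_libraries(select_rules(FEATURE_TREE, enabled))
        print(enabled, "keywords:", multi, "expressions:", sum(map(len, feats.values())))
```

Because keywords are derived from the rules actually loaded, disabling a main class removes its keywords from the first-level automaton as well, so requests that would only have matched that class now stop at level 1 instead of reaching the regex stage.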
(2) Acquire an HTTP message and perform protocol analysis on it to obtain the data of each object in the message (such as the url, referer and cookie fields).
An HTTP message is usually either an HTTP request message from the client to the server or an HTTP response message from the server to the client. Both types of message consist of a start line, one or more header fields, an empty line that terminates the header fields, and an optional message body. The HTTP header fields are divided into four parts: general headers, request headers, response headers and entity headers.
For example,
One typical request message is:
GEThttp://class/download.microtool.de:80/somedata.exe
Host:download.microtool.de
Accept:*/*
Pragma:no-cache
Cache-Control:no-cache
Referer:http://class/download.microtool.de/
User-Agent:Mozilla/4.04[en](Win95;I;Nav)
Range:bytes=554554-
Here, the Host header field specifies the Internet host and port number of the requested resource; it must indicate the location of the origin server or gateway of the request URL. The Referer header field allows the client to specify the address of the resource from which the request URI was obtained, which lets the server generate a list of back-links and can be used for logging, cache optimisation and so on. The Range header field can request one or more sub-ranges of the entity. The User-Agent header field contains information about the user agent that issued the request.
(3) Match the obtained objects against the constructed libraries and determine whether an attack exists.
The object data obtained by HTTP protocol analysis is identified in the libraries constructed above. If the match succeeds, it is determined that an attack exists; otherwise it is considered that no attack exists.
Corresponding to the above method, the present invention also provides an attack recognition device based on object analysis. The device can be realised by hardware, by software, or by a combination of hardware and software. Specifically, the device may refer to a service node (for example, a firewall server) or to a functional entity inside a service node, as long as it has the functions of the device.
Specifically, the attack recognition device based on object analysis comprises at least: a message retrieval unit, a message parsing unit, a feature database construction unit, a multimode library construction unit and a matching unit, wherein:
The message retrieval unit is used to obtain messages. The messages include application layer protocol messages. As mentioned above, the application layer protocols are mainly the following. (1) Domain Name System (DNS): a network service that maps network device names to IP addresses. (2) File Transfer Protocol (FTP): used to realise interactive file transfer. (3) Simple Mail Transfer Protocol (SMTP): used to realise e-mail transmission. (4) HyperText Transfer Protocol (HTTP): used to realise WWW services. (5) Simple Network Management Protocol (SNMP): used to manage and monitor network devices. (6) Telnet protocol (Telnet): used to realise remote login. Therefore, the messages obtained by the message retrieval unit include at least DNS messages, FTP messages, SMTP messages, HTTP messages, SNMP messages and Telnet messages.
The message parsing unit is used to perform protocol analysis on the obtained message, the parsing yielding the data of one or more objects. An object here refers to each predefined field of the message obtained by protocol analysis. Taking the HTTP protocol as an example, assuming the obtained message is an HTTP protocol message, protocol analysis is performed on the message according to the HTTP RFC protocol specification so as to obtain each HTTP protocol field the message contains, that is, the data content contained in each object. Taking the HTTP protocol as an example, the objects of the present invention refer to the predefined fields of the HTTP message, for example fields such as url, reference, parameter and cookie.
The feature database construction unit is used to construct the feature database, and the multimode library construction unit is used to construct the multimode library. The feature database comprises a plurality of feature expressions, each feature expression having an object attribute; the multimode library comprises a plurality of keywords, each keyword having an object attribute. The multimode library is constructed according to the feature database, and each keyword represents one pattern. In addition, a keyword in the multimode library has a mapping relation with one or more feature expressions in the feature database, and a keyword and a feature expression having a mapping relation have the same attribute.
The matching unit is used to match the data of the objects obtained by the message parsing unit based on the feature database and the multimode library, and to determine whether an attack exists.
The matching unit further comprises a multimode matching subunit, a mapping determination subunit, a rule matching subunit and a result determination subunit.
The multimode matching subunit is used to perform multimode matching on the data of an object using the multimode library. The multimode matching is performed with a multi-pattern matching algorithm. There are many multi-pattern matching algorithms, such as Trie trees, the AC algorithm and the WM algorithm. The embodiment of the present invention preferably uses the ACBM algorithm. The ACBM algorithm is a multi-pattern extension of the BM algorithm introduced on the basis of the AC automaton, realising efficient multi-pattern matching. The core idea of the ACBM algorithm is to make the span between successive matching start positions as large as possible, so as to improve efficiency. Unlike the AC automaton, the ACBM algorithm does not need to scan every character of the target text string; it can use the information from a matching failure to skip as many characters as possible, thereby realising efficient matching.
The mapping determination subunit is used to match from the feature database whether there is a feature expression for the object that has a mapping relation with the matched keyword.
The rule matching subunit is used to perform rule matching on the data of the object based on the feature expression for the object that corresponds to the matched keyword.
The result determination subunit is used to determine whether an attack exists according to the confirmation results of the multimode matching subunit, the mapping determination subunit and the rule matching subunit, wherein if the multimode matching subunit does not match a keyword for the object, the mapping determination subunit does not match a feature expression, or the rule matching subunit does not match successfully, it is determined that no attack exists, and if the rule matching subunit matches successfully, it is determined that an attack exists.
The mapping determination subunit determines whether a keyword is a keyword for the object by determining whether the attribute of the keyword is the object; similarly, the rule matching subunit determines whether a feature expression is a feature expression for the object by determining whether the attribute of the feature expression is the object.
Preferably, during construction of the feature database, the feature database construction unit organises the plurality of feature expressions in the manner of main class, subclass and rule based on the type of attack; similarly, during construction of the multimode library, the multimode library construction unit organises the plurality of keywords in the manner of main class, subclass and rule based on the type of attack.
It can be seen that the present invention filters in a targeted manner based on objects and, by combining the multimode library with the feature database, can filter out most secure data without performing cumbersome character matching on most of the data, thereby significantly improving detection efficiency.
In particular, since the present invention performs three levels of filtering on the data, namely multimode filtering, feature filtering and character matching, secure data can be confirmed as safe at the first or second level without cumbersome character filtering. In the first level of filtering, all safe request data is filtered out; in the second level of filtering, suspect data is given a preliminary filtering; in the third level of filtering, the message is very likely to be an attack and is determined with the feature expressions. With the embodiment of the present invention, the overwhelming majority of the data can be filtered out by the first level, and the request data processed during the second and third levels of filtering accounts for a very small proportion (about 10% according to statistics). That is, feature regular expression matching need not be performed on the overwhelming majority of normal data. Detection efficiency is thereby significantly improved.
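The matching unit and the three filtering levels described above, as an added example in Python that is not the patent's own implementation. It assumes the objects arrive as a dict of object name to text, as a protocol parser would produce them; the feature expressions, keywords and sample data are constructed for illustration, and a plain Aho-Corasick automaton stands in for the ACBM algorithm the embodiment prefers, since both answer the same multi-pattern question (which keywords occur in the data) and the mapping and rule stages are unchanged.

```python
"""Three-level matching: multimode library, mapping, then rule match (added example)."""
import re
from collections import deque

# Feature database: constructed sample rules organised as main class / subclass /
# rule. Every expression carries the object attribute it applies to, plus the
# keywords from which the multimode library is derived.
FEATURE_DB = [
    {"main": "SQL Inject", "sub": "Get SQL Inject", "rule": "rule1", "object": "parameter",
     "keywords": ["select", "union"], "regex": re.compile(r"(?i)\b(union\s+)?select\b.+\bfrom\b")},
    {"main": "SQL Inject", "sub": "Cookie SQL Inject", "rule": "rule2", "object": "cookie",
     "keywords": ["select"], "regex": re.compile(r"(?i)\bselect\b.+\bfrom\b")},
    {"main": "XSS", "sub": "Reflected XSS", "rule": "rule3", "object": "parameter",
     "keywords": ["<script"], "regex": re.compile(r"(?i)<script\b[^>]*>")},
]


class AhoCorasick:
    """Multi-pattern matcher used here in place of ACBM (plain AC automaton)."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [[]], [0]
        for p in patterns:                       # build the keyword trie
            s = 0
            for ch in p:
                if ch not in self.goto[s]:
                    self.goto[s][ch] = self._new_state()
                s = self.goto[s][ch]
            self.out[s].append(p)
        queue = deque(self.goto[0].values())     # BFS to compute failure links
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit suffix matches

    def _new_state(self):
        self.goto.append({})
        self.out.append([])
        self.fail.append(0)
        return len(self.goto) - 1

    def search(self, text):
        """Return the set of patterns occurring anywhere in text (single pass)."""
        s, found = 0, set()
        for ch in text:
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            found.update(self.out[s])
        return found


def build_multimode_db(feature_db):
    """Multimode library derived from the feature database: (object, keyword) -> expressions."""
    mapping = {}
    for expr in feature_db:
        for kw in expr["keywords"]:
            mapping.setdefault((expr["object"], kw.lower()), []).append(expr)
    return mapping


def build_automata(multimode_db):
    """One automaton per object attribute, holding only the keywords with that attribute."""
    per_object = {}
    for obj, kw in multimode_db:
        per_object.setdefault(obj, []).append(kw)
    return {obj: AhoCorasick(kws) for obj, kws in per_object.items()}


MULTIMODE_DB = build_multimode_db(FEATURE_DB)
AUTOMATA = build_automata(MULTIMODE_DB)


def detect(objects, multimode_db=MULTIMODE_DB, automata=AUTOMATA):
    """Return (attack_found, sorted rule ids) for a dict {object_name: data}."""
    hits = set()
    for obj, data in objects.items():
        if obj not in automata:              # no keyword carries this attribute
            continue
        keywords = automata[obj].search(data.lower())   # level 1: multimode match
        if not keywords:
            continue
        # level 2: keywords -> feature expressions with the same attribute (always
        # non-empty here because the library is derived from the feature database)
        candidates = [e for kw in keywords for e in multimode_db.get((obj, kw), [])]
        if not candidates:
            continue
        for expr in candidates:              # level 3: rule (regex) match
            if expr["regex"].search(data):
                hits.add(expr["rule"])
    return bool(hits), sorted(hits)


# Constructed sample objects, as a protocol parser would produce them.
ATTACK_OBJECTS = {"url": "/download/somedata.exe",
                  "parameter": "id=1 UNION SELECT name FROM users",
                  "cookie": "session=abc123"}
BENIGN_OBJECTS = {"url": "/select-language", "parameter": "q=selected items",
                  "cookie": "session=abc123"}
```

The benign sample shows why the object attribute matters: the keyword "select" occurs in the url object, but no keyword in the library carries the url attribute, so that object is never scanned, and in the parameter object the substring "select" passes level 1 but is rejected by the level 3 expression, so no attack is reported. Only the attack sample reaches a successful rule match.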
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is for the purpose of disclosing the best mode of the invention.
In the specification provided here, numerous specific details are set forth. It should be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all the features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments rather than other features, combinations of the features of different embodiments are intended to fall within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be realised in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to realise some or all of the functions of some or all of the components of the attack recognition device based on object analysis according to the embodiment of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing some or all of the method described here. Such programs realising the present invention may be stored on computer-readable media, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe the present invention rather than limiting it, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" before an element does not exclude the presence of a plurality of such elements. The present invention may be realised by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim listing several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The present invention provides the following technical solutions:
A1. An attack recognition method based on object analysis, comprising:
constructing a feature database, the feature database comprising a plurality of feature expressions, each feature expression having an object attribute;
constructing a multimode library, the multimode library comprising a plurality of keywords, each keyword having an object attribute; a keyword in the multimode library having a mapping relation with one or more feature expressions in the feature database, and a keyword and a feature expression having a mapping relation having the same attribute;
matching the data of the objects obtained after parsing a message based on the feature database and the multimode library, and determining whether an attack exists.
A2. The method according to A1, wherein matching the data of the objects obtained after parsing a message based on the feature database and the multimode library and determining whether an attack exists comprises:
performing protocol analysis on the obtained message, the parsing yielding the data of one or more objects;
performing multimode matching on the data of the object using the multimode library, and if a keyword for the object is matched, performing the subsequent steps, otherwise determining that no attack exists;
matching from the feature database whether there is a feature expression for the object that has a mapping relation with the matched keyword, and if no feature expression is matched, determining that no attack exists, otherwise performing the subsequent steps;
performing rule matching on the data of the object based on the feature expression for the object that corresponds to the matched keyword, and if the match succeeds, determining that an attack exists, otherwise determining that no attack exists.
A3. The method according to A1 or A2, wherein the multimode library is constructed according to the feature database, and each keyword represents one pattern.
A4. The method according to A2, wherein
whether a keyword is a keyword for the object is determined by determining whether the attribute of the keyword is the object; and
whether a feature expression is a feature expression for the object is determined by determining whether the attribute of the feature expression is the object.
A5. The method according to A1 or A2, wherein during construction of the feature database the plurality of feature expressions are organised in the manner of main class, subclass and rule based on the type of attack, and during construction of the multimode library the plurality of keywords are organised in the manner of main class, subclass and rule based on the type of attack.
A6. The method according to A1 or A2, wherein the message is an application layer protocol message, and the application layer protocol comprises the TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet protocol.
A7. The method according to A6, wherein the message refers to an HTTP protocol message, and the object refers to a predefined field of the HTTP protocol message, including url, reference, parameter and cookie.
A8. The method according to A1 or A2, wherein the multimode matching is performed using a multi-pattern matching algorithm, and the multi-pattern matching algorithm is the ACBM algorithm.
B9. An attack recognition device based on object analysis, comprising:
a message retrieval unit, for obtaining a message;
a message parsing unit, for performing protocol analysis on the obtained message, the parsing yielding the data of one or more objects;
a feature database construction unit, for constructing the feature database, the feature database comprising a plurality of feature expressions, each feature expression having an object attribute;
a multimode library construction unit, for constructing the multimode library, the multimode library comprising a plurality of keywords, each keyword having an object attribute; wherein a keyword in the multimode library has a mapping relation with one or more feature expressions in the feature database, and a keyword and a feature expression having a mapping relation have the same attribute;
a matching unit, for matching the data of the objects obtained by the message parsing unit based on the feature database and the multimode library, and determining whether an attack exists.
B10. The device according to B9, wherein the matching unit comprises:
a multimode matching subunit, for performing multimode matching on the data of the object using the multimode library;
a mapping determination subunit, for matching from the feature database whether there is a feature expression for the object that has a mapping relation with the matched keyword;
a rule matching subunit, for performing rule matching on the data of the object based on the feature expression for the object that corresponds to the matched keyword;
a result determination subunit, for determining whether an attack exists according to the confirmation results of the multimode matching subunit, the mapping determination subunit and the rule matching subunit, wherein if the multimode matching subunit does not match a keyword for the object, the mapping determination subunit does not match a feature expression, or the rule matching subunit does not match successfully, it is determined that no attack exists, and if the rule matching subunit matches successfully, it is determined that an attack exists.
B11. The device according to B9 or B10, wherein the multimode library is constructed according to the feature database, and each keyword represents one pattern.
B12. The device according to B10, wherein the mapping determination subunit determines whether a keyword is a keyword for the object by determining whether the attribute of the keyword is the object; and
the rule matching subunit determines whether a feature expression is a feature expression for the object by determining whether the attribute of the feature expression is the object.
B13. The device according to B9 or B10, wherein during construction of the feature database the feature database construction unit organises the plurality of feature expressions in the manner of main class, subclass and rule based on the type of attack, and during construction of the multimode library the multimode library construction unit organises the plurality of keywords in the manner of main class, subclass and rule based on the type of attack.
B14. The device according to B9 or B10, wherein the message obtained by the message retrieval unit is an application layer protocol message, and the application layer protocol comprises the TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet protocol.
B15. The device according to B14, wherein the message obtained by the message retrieval unit refers to an HTTP protocol message, and the object obtained by the message parsing unit refers to a predefined field of the HTTP protocol message, including url, reference, parameter and cookie.
B16. The device according to B9 or B10, wherein the multimode matching subunit performs the multimode matching using a multi-pattern matching algorithm, and the multi-pattern matching algorithm is the ACBM algorithm.