CN104954345B - Attack recognition method and device based on object analysis - Google Patents

Attack recognition method and device based on object analysis Download PDF

Info

Publication number
CN104954345B
CN104954345B CN201410126740.XA CN201410126740A CN104954345B CN 104954345 B CN104954345 B CN 104954345B CN 201410126740 A CN201410126740 A CN 201410126740A CN 104954345 B CN104954345 B CN 104954345B
Authority
CN
China
Prior art keywords
multimode
keyword
feature
library
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410126740.XA
Other languages
Chinese (zh)
Other versions
CN104954345A (en
Inventor
姚熙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Original Assignee
Beijing Qianxin Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qianxin Technology Co Ltd filed Critical Beijing Qianxin Technology Co Ltd
Priority to CN201410126740.XA priority Critical patent/CN104954345B/en
Publication of CN104954345A publication Critical patent/CN104954345A/en
Application granted granted Critical
Publication of CN104954345B publication Critical patent/CN104954345B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The attack recognition method and device based on object analysis that the invention discloses a kind of.Method therein includes:Construction feature library, the feature database include a plurality of feature expression, and every feature expression has the attribute of object;Multimode library is built, the multimode library includes a plurality of keyword, and every keyword has the attribute of object;Keyword in the multimode library has mapping relations with one or more feature expression in the feature database, the keyword with mapping relations and feature expression attribute having the same;Data based on the feature database and the multimode library, the object to being obtained after parsing message match, it is determined whether there is attack.The present invention is based on objects targetedly to be filtered, and in such a way that multimode library is combined with feature database, can be filtered most of secure data, without most of data are carried out with cumbersome character match, to significantly improve detection efficiency.

Description

Attack recognition method and device based on object analysis
Technical field
The present invention relates to technical field of network security, and in particular to a kind of attack recognition method and dress based on object analysis It sets.
Background technology
Network attack, which refers to using loophole existing for network and safety defect, to the hardware of network system, software and its is The attack that data in system carry out.Attack is divided into active attack and passive attack.Active attack refers to accessing institute comprising attacker Need the intentional act of information.Passive attack mainly collects information rather than accesses, and the validated user of data is to this Activity can be perceived not at all.Passive attack includes:1, it eavesdrops:Including thump record, network monitoring, unauthorized access data, Obtain cryptogam;2, it cheats:Including obtaining password, malicious code, network cheating;3, refusal service:Including cause ectype, Resource exhaustion type, deception type;4, data-driven attack:It is attacked including buffer overflow, format string attack, input verification It hits, synchronizes loophole attack, trusts loophole attack.
A kind of identifying schemes of existing attack are carried out based on regular representation.Attack recognition side based on regular expression The general step of case is:Key character is constructed for attack;Construct regular expression;It judges whether there is and regular expression matching The data obtained, if there is, it is determined that there is attack.Regular expression is the logic filter based on character, and detection efficiency is low.With right It is that regular expression matching is carried out to all characters for including, as attack is special for http request message carries out attack detecting Sign and two aspect of data request amount increase, and cause feature database especially huge, and regular expression matching performance and non-linear increasing It is long, but the relation with increase of n*n, efficiency can drop to very low.
Invention content
In view of the above problems, it is proposed that the present invention overcoming the above problem in order to provide one kind or solves at least partly State the attack recognition method and device based on object analysis of problem.
One side according to the present invention provides a kind of attack recognition method based on object analysis, which is characterized in that packet It includes:Construction feature library, the feature database include a plurality of feature expression, and every feature expression has the attribute of object;Structure Multimode library, the multimode library include a plurality of keyword, and every keyword has the attribute of object;Keyword in the multimode library There are mapping relations with one or more feature expression in the feature database, keyword and mark sheet with mapping relations Up to formula attribute having the same;Based on the feature database and the multimode library, to the data of the object obtained after parsing message into Row matching, it is determined whether there is attack.
Preferably, described to be based on the feature database and the multimode library, to the data of object that are obtained after parsing message into Row matching, it is determined whether there are attacks to include:Protocal analysis is carried out to the message of acquisition, parsing obtains one or more objects Data;For the data of the object, multimode matching is carried out using multimode library, if being matched to the keyword for the object, Subsequent step is then carried out, otherwise determines that there is no attacks;From feature database matching with the presence or absence of for the object, with it is matched Keyword has the feature expression of mapping relations, if being not matched to feature expression, it is determined that there is no attacks, otherwise Carry out subsequent step;Based on described for the object, corresponding with matched keyword feature expression, to the number of the object According to rule match is carried out, if successful match, it is determined that there is attack, otherwise determine that there is no attacks.
Preferably, the multimode library is built according to the feature database, one pattern of each key representations.
Preferably, determine whether a keyword is to be for the mode of the keyword of the object:Determine the keyword Attribute whether be the object;Determine whether a feature expression is mode for the feature expression of the object For:Determine whether the attribute of this feature expression formula is the object.
Preferably, during building the feature database, the type based on attack, according to the side of main classes, subclass and rule A plurality of feature expression described in formula tissue;Described in framework during multimode library, the type based on attack, according to main classes, subclass A plurality of keyword described in mode tissue with rule.
Preferably, the message is application layer protocol message;The application layer protocol include TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet agreement.
Preferably, the message refers to http protocol messages;The object refers to the predefined field of http protocol messages, Including url, reference, parameter, cookie.
Preferably, the multimode matching is carried out using multimode matching algorithm;The multimode matching algorithm is ACBM algorithms.
Other side according to the present invention provides a kind of attack recognition device based on object analysis, including:Message obtains Unit is taken, for obtaining message;Message parsing unit, for carrying out protocal analysis to the message of acquisition, parsing obtain one or The data of multiple objects;Feature database construction unit, for building the feature database, the feature database includes a plurality of feature representation Formula, every feature expression have the attribute of object;Multimode library construction unit, for building the multimode library, the multimode library Including a plurality of keyword, every keyword has the attribute of object;Wherein, in the keyword and feature database in the multimode library One or more feature expression has mapping relations, the keyword with mapping relations and feature expression category having the same Property;Matching unit, for being based on the feature database and the multimode library, to the data for the object that the message parsing unit obtains It is matched, it is determined whether there is attack.
Preferably, the matching unit includes:Multimode matching subelement, for the data for the object, using more Mould library carries out multimode matching;Map determination subelement, for from feature database matching with the presence or absence of for the object, with match Keyword have mapping relations feature expression;Rule match subelement, for based on it is described for the object, with The corresponding feature expression of keyword matched carries out rule match to the data of the object;As a result determination subelement is used for basis The confirmation result of multimode matching subelement, mapping determination subelement and rule match subelement determines whether there is attack, wherein If multimode matching subelement is not matched to the keyword for the object, the mapping determination subelement is not matched to feature Expression formula or the rule match subelement do not have successful match, it is determined that there is no attacks, if the rule match is sub Units match success, it is determined that there is attack.
Preferably, the multimode library is built according to the feature database, one pattern of each key representations.
Preferably, the mapping determination subelement determines whether a keyword is side for the keyword of the object Formula is:Determine whether the attribute of the keyword is the object;The rule match subelement determines that a feature expression is The no mode of feature expression for for the object is:Determine whether the attribute of this feature expression formula is the object.
Preferably, the feature database construction unit is used for the type based on attack during building the feature database, The a plurality of feature expression described in tissue in the way of main classes, subclass and rule;Multimode library construction unit, described in framework During multimode library, it to be used for the type based on attack, a plurality of keyword described in tissue in the way of main classes, subclass and rule.
Preferably, the message that the message retrieval unit obtains is application layer protocol message;The application layer protocol Including TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet agreement.
Preferably, the message that the message retrieval unit obtains refers to http protocol messages;The message parsing is single The object that member obtains refers to the predefined field of http protocol messages, including url, reference, parameter, cookie.
Preferably, the multimode matching unit carries out the multimode matching using multimode matching algorithm;The multimode matching Algorithm is ACBM algorithms.
As it can be seen that the present invention is based on objects targetedly to be filtered, and in such a way that multimode library is combined with feature database, Most of secure data can be filtered, without most of data are carried out with cumbersome character match, to significantly Improve detection efficiency
Further, multimode filtering, the filtering of three levels of characteristic filter and character match are carried out to data due to the present invention, Safety filtering can be ensured in the first level or the second level for secure data, without carrying out cumbersome character filtering. In the filtering of first level, all security request data are filtered out;In the filtering of second level, suspectable data are done primary first The filtering of step;In third level filtering, message has the possibility row of attack just very big, is determined with feature expression.It adopts With the embodiment of the present invention, the data of the overwhelming majority can be filtered out by the first level, during the second level and third level filter, The request data of processing is probably in very little(It is about 10% according to statistics)Ratio.It is, need not be to the normal number of the overwhelming majority According to progress feature regular expression matching processing.Detection efficiency is significantly increased as a result,.
Above description is only the general introduction of technical solution of the present invention, in order to better understand the technical means of the present invention, And can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can It is clearer and more comprehensible, below the special specific implementation mode for lifting the present invention.
Description of the drawings
By reading the detailed description of hereafter preferred embodiment, various other advantages and benefit are common for this field Technical staff will become clear.Attached drawing only for the purpose of illustrating preferred embodiments, and is not considered as to the present invention Limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:
Fig. 1 shows the relation schematic diagram of feature database and pattern base according to an embodiment of the invention;
Fig. 2 shows according to the attack recognition method flow diagram according to an embodiment of the invention based on object analysis; And
Fig. 3 shows the signal according to an embodiment of the invention according to attack type construction feature library or pattern base Figure.
Specific implementation mode
The exemplary embodiment of the disclosure is more fully described below with reference to accompanying drawings.Although showing the disclosure in attached drawing Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here It is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure Completely it is communicated to those skilled in the art.
By taking portal website as an example, since user is more, pageview is big, thus there are higher security risks.At present more typically Web application security breaches include:SQL injection, XSS across station, list bypasses, Cookies is cheated, leakage of information, The peculiar loophole attack of GoogleHacking, access control mistake, PHP, variable abuse, file include, upload loophole attack, net Page distorts, extension horse etc..
By taking SQL injection is attacked as an example, the process of the existing SQL injection detection based on regular expression is:When intercepting URL is carried out to content first after http request(Uniform resource locator, Uniform Resource Locator)Decoding, prevents Attacker injects sentence with URL coding mode constructing SQLs;It whether detects in request data containing the common pass of SQL injection attack Key word and separator, such as " select ", " and ", ";", " -- " etc., if do not contained, can exclude injection attacks can Can, carry out detailed rule detection in next step if so, being then committed to;For including the web request of injection keyword, then facilitate Rule base carries out detailed canonical matching to request content.If successful match, interception request sends warning simultaneously to client Request character string is recorded into suspicious attack code library, submits webmaster point by record log if it fails to match Analysis.Those skilled in the art understand, the regular expression detection scheme inefficiency based on character match, in order to a certain degree Detection efficiency is improved, usually when writing regular expression rule, the offset of character machining can be set, such as only detection is entire Certain section of data(Such as preceding 50 characters)If SQL injection sentence is happened at the field not detected just, then can cause to leak Report.
A series of words for meeting some syntax rule are described, matched using single character string with traditional regular expression Symbol string is different, and the present invention is to be based on carrying out protocol analysis to message to obtain different objects(I.e. message predefines field), after And rule is matched by different level according to object.
The present invention is all suitable for application layer protocol.
Application layer protocol (application layer protocol) defines the application operated on different end systems How program process mutually transmits message.The definition of application layer protocol includes following content:(1) type of message exchanged, is such as asked Ask message and response message;(2) grammer of various type of messages, such as the public detailed description of each field in message;(3) field Semanteme, that is, be included in field in information meaning;(4) when, how process sends message and is responded to message.Some Application layer protocol is defined by RFC documents, therefore they are located at public sphere.For example, the agreement HTTP of the application layer of web (hypertext transfer protocol, RFC2616) is just used as a RFC for users to use.If browser developers defer to HTTP RFC Rule, the browser developed can access any web for deferring to the document standard, and server simultaneously obtains corresponding Web page Face.Also many other application layer protocols are dedicated cannot to be arbitrarily applied to public sphere.For example, many existing P2P texts Part shared system uses proprietary application layer protocol.Purpose, application layer protocol are mainly the following.(1) domain name system (Domain Name System, DNS):The network service mapped for realizing network equipment name to IP address.(2) file passes Defeated agreement (FileTransfer Protocol, FTP):Interactive file transfer function is realized with fourth.(3) simple mail transmits Agreement (Simple Mail Transfer Protocol, SMTP):It is passed for realizing E-mail address transmitting function (4) hypertext Defeated agreement (HyperText Transfer Protocol, HTTP):It is serviced for realizing WWW.(5) Simple Network Management Protocol (simple Network Management Protocol, SNMP):For managing and monitoring the network equipment.(6) Telnet Agreement (Telnet):For realizing Telnet function.
For convenience of description, the embodiment of the present invention is illustrated with http protocol messages.So, the embodiment of the present invention is base In to http message progress protocol analysis(According to http rfc protocol specifications)To obtain different objects(I.e. http message is predetermined Adopted field, such as:The fields such as url, reference, parameter, cookie), then according to object rule is carried out by different level Match.
The implementation of the present invention is divided into two stages, and first stage is data preparation stage, and second stage is that attack is known The other stage.
In data preparation stage, construction feature library and multimode library are completed.Wherein, feature database uses regular expressions with existing The feature database that formula carries out attack recognition scheme is similar, is all by a plurality of feature expression based on canonical(Alternatively referred to as " rule ") Composition.But with existing feature database(Or it is " rule base " etc.)Difference is, the category of object is added to each rule Property, it is, establishing the correspondence of " object-feature ".What the multimode library of the present invention was newly introduced, it is from feature database Hair tonic and come.Multimode library includes a plurality of keyword(Keyword is the characteristic attacked), every keyword has object Attribute.Each pattern can be regarded as a keyword(Namely each node of multimode tree), and each keyword Attribute with object.One or more feature expression in keyword and feature database in multimode library has mapping relations, Keyword with mapping relations and feature expression attribute having the same.
It is the relation schematic diagram of the feature database and pattern base of one embodiment of the invention referring to Fig. 1.
In Fig. 1, feature database includes a plurality of feature expression:Feature expression 1, feature expression 2, feature expression 3, spy Expression formula 4, feature expression 5 are levied ..., feature expression N.And each feature expression has attribute(As described above, Attribute refers to object).Specifically, feature expression 1 has attribute A(That is, the attribute of feature expression 1 is object A), mark sheet Up to formula 2 with attribute A, feature expression 3 with attribute B, feature expression 4 with attribute B, feature expression 5 with attribute C ..., feature expression N has attribute N.From this feature library, structure multimode library.Multimode library includes a plurality of keyword:It closes Key word 1, keyword 2, keyword 3, keyword 4, keyword 5 ..., keyword N.And each keyword has attribute (As described above, attribute refers to object).Specifically, keyword 1 has with attribute A, keyword 2 with attribute B, keyword 3 Attribute B, keyword 4 with attribute C, keyword 5 with attribute C ..., keyword N has attribute N.Wherein, a keyword There can be mapping relations with one or more feature expression, the keyword and feature expression requirement for meeting mapping relations have There is identical attribute.For example, in Fig. 1, the keyword 1 with attribute A has with the same feature expression 1 with attribute A Mapping relations, the keyword 3 with attribute B are with the same feature expression 3 with attribute B and feature expression 4 with mapping Relationship, the keyword 5 with attribute C are with the same feature expression 5 with attribute C with mapping relations.In Fig. 1, keyword 2 Has the feature expression of mapping relations per sample with keyword 4.It should be noted that Fig. 1 is only feature database and multimode library shows Example, is not limited in any way, hetero-organization or correspondence can all realize the embodiment of the present invention.
In the attack recognition stage, it is divided into as two steps.First step is protocal analysis to be carried out to message, to obtain Get each object that message is included.Second step is to carry out object-based attack recognition, attack recognition tool to message Body is subdivided into three levels.First level is to carry out multimode matching, in the event of a keyword in multimode library(With right The attribute of elephant), it is determined that there are attack suspicion, carry out next level filtering, otherwise it is assumed that being safe data.Second level: Characteristic filter is carried out according to multimode matching result, it is therefore an objective to only select the corresponding mark sheet of keyword of multimode matching hit Up to formula, other unrelated feature expressions are filtered out.In second level filtering, multimode keyword and feature expression reflect The relationship of penetrating can ensure that carrying out characteristic filter efficiently quickly finishes.If without any one feature expression and multimode matching knot Keyword in fruit has mapping relations, then can affirm that the data are safe;Otherwise enter next level to filter.Third Level:In this step, all request datas all have attack suspicion, then just needing finally with the feature filtered out Expression formula carries out characteristic matching, i.e., real feature based carries out the character match of regular expression, is finally confirm No is attack.
Referring to Fig. 2, for according to the attack recognition method flow diagram according to an embodiment of the invention based on object analysis.
This method flow chart includes the following steps:
S201:Protocal analysis is carried out to the message of acquisition, parsing obtains the data of one or more objects;
By taking http agreements as an example, it is assumed that acquisition is http protocol messages, then carries out protocal analysis to the message, that is, Http rfc protocol specifications carry out protocal analysis, to obtain each http protocol fields that message includes, that is, obtain object institute Including data content.By taking http agreements as an example, object of the invention refers to the predefined field of http message, for example, url, The fields such as reference, parameter, cookie.
Skilled in the art realises that for http agreements, solicited message includes the filename wished to return to and client computer Information.Client information is sent to server with request header, and request header includes HTTP method and head file.HTTP method is common There are the methods of GET, HEAD, POST, PUT, DELETE, LINK, UNLINK.Head file includes:DATE:Ask send date and Time;PARGMA:For to the server transport information unrelated with realization, this field to be additionally operable to tell proxy server, From real server rather than take resource from cache;FORWARDED:Between being used for tracking machine, rather than client The message of machine and server, this field can be used for tracking the transmission routing between proxy server;MESSAGE_ID:With In uniquely identifying message;ACCEPT:Notify the receptible data type of server clients institute and size(*/* expressions can connect By all types of data);AOTHORIZATION:Bypassing safety protection and encryption mechanism are provided to server, if server is not This field is needed, then this field is not provided;FROM:When client applications wishes to think that server provides its related electronics postal It is used when part address;IF-MODEFIED-SINCE is for providing condition GET;If requested document is since specified day It has not changed since phase, then server should not send the object;If transmitted date format is illegal, or is later than clothes The date of business device, server can ignore the field;BEFERRER:The object that resource request is used is carried out to server;MIME- VERTION:MIME protocol versions for handling files in different types;USER-AGENT:Client in relation to sending out request believes Breath.
S202:For the data of object, multimode matching is carried out using multimode library, if being matched to the key for the object Word then carries out subsequent step, otherwise determines that there is no attacks;
Wherein, multimode matching is carried out using multimode matching algorithm.Multimode matching algorithm includes a variety of, such as Trie trees, AC Algorithm, WM algorithms etc..The embodiment of the present invention preferably uses ACBM algorithms.ACBM algorithms be on the basis of AC automatic machines, Introduce the multimode extension of BM algorithms, the efficient multimode matching of realization.The core concept of ACBM algorithms is exactly to allow each matching Initial position span it is big as far as possible, to improve efficiency.Unlike AC automatic machines, ACBM algorithms need not scan target Each character in text string can utilize this unsuccessful information of matching, skip character as much as possible, realize efficient Matching.It is as follows in matching step:1, a matching initial position is selected.2, it is matched using AC trees, if matching failure, is jumped Go to step 1;If successful match, it can need to go to step according to application and 1 or exit.AC algorithms part in ACBM algorithms Realization than AC automatic machine algorithms is simple, without the concern for failure function the problem of, that is to say, that realized in ACBM algorithms AC algorithms part is one tree, and is a figure in the realization of AC automatic machines.The realization ratio BM of BM algorithms in ACBM algorithms The realization of algorithm itself wants more complex, because this is to a kind of extension of the multi-mode of BM algorithms.Core number in ACBM algorithms Include according to structure:1, MinLen, the length of that most short pattern string in pattern set of strings:Compare the character at most to jump when mismatch Number is no more than Minlen.2, ACTree, the State Tree constructed by pattern set of strings, the structure of construction method and AC automatic machines Construction method is identical, and need not calculate failure function, fairly simple.3、BCshift:ACTree corresponds to a bad number of characters Group searches the array and calculates batter's symbol offset when matching failure.4、GSshift:Each node of AC trees corresponds to one Good suffix offset.
Assuming that getting object A, object B by step S201, then by taking the multimode library of Fig. 1 as an example, searches multimode library and carry out Multimode matching, if it is determined that the data of object A do not include the keyword 1 with attribute A, it is determined that are not matched to object A Keyword, further, to the data of object B with attribute B keyword 2 and keyword 3 match, if object The data of B do not include keyword 2 but include keyword 3, it is determined that are matched to keyword 3.Include for multimode library other Keyword 5 ... .., keyword N, due to their attribute(C-N)The object not got(A and B), therefore will not match It arrives.
S203:Matching, which whether there is for the object and matched keyword, from feature database has mapping relations Feature expression, if being not matched to feature expression, it is determined that there is no attacks, otherwise carry out subsequent step;
Wherein it is determined that whether keyword is to be for the mode of the keyword of the object:Determine the keyword Whether attribute is the object;Determine whether a feature expression is to be for the mode of the feature expression of the object: Determine whether the attribute of this feature expression formula is the object.
Keyword is had been matched to by step S202, then in this step, the pass for continuing to determine whether and being matched to Key word has the feature expression of mapping relations.Still by above-mentioned by taking Fig. 1 as an example, it is assumed that be matched to a key by multimode matching Word 3 finds keyword 3 and mark sheet then according to the mapping relations of feature expression in keyword in multimode library and feature database There are mapping relations up to formula 3 and feature expression 4, then, this step determine only to need in next step to feature expression 3 and Feature expression 4 is matched.
S204:Based on for the object, corresponding with matched keyword feature expression, to the data of the object into Line discipline matches, if successful match, it is determined that there is attack, otherwise determines that there is no attacks.
Pass through abovementioned steps, it has been determined that be used to carry out the matched limited feature expression of canonical in this step.Still By taking Fig. 1 as an example, since it is determined that feature expression 3 and feature expression 4 then in this step distinguish the data of object B It is matched with feature expression 3 and feature expression 4, if there is any expression formula successful match, then it is assumed that there is attack, If without an expression formula successful match, it is determined that there is no attacks.
It is using the purpose of embodiment of the present invention:In the filtering of the first level, all security request data are filtered out;Second In level filtering, primary preliminary filtering is done to suspectable data;In third level filtering, message has the possibility of attack Row is just very big, is determined with feature expression.Using the embodiment of the present invention, 99% number can be filtered out by the first level According in, the second level and third level filtering, the request data of processing probably 10% ratio.It is, need not be to 99% Normal data carry out feature regular expression matching processing.Detection efficiency is significantly increased as a result,.
In addition, during building the feature database, it is also based on the type of attack, according to main classes, subclass and rule Mode tissue described in a plurality of feature expression;Similarly, during framework multimode library, the type based on attack, according to main classes, A plurality of keyword described in the mode tissue of subclass and rule.As previously mentioned, network attack type class is various.Therefore, it is building When feature database is with multimode library, according to attack type, tissue is carried out to feature expression and keyword.It will pass through this hair as a result, When the safety product that bright embodiment is completed is supplied to user, user can targetedly select particular attack safeguard procedures, this Other incoherent attack protection of sample are there is no need to run, it is possible thereby to provide network operation speed.
For example, at construction feature library or multimode library, tissue is carried out according to Fig. 3 examples.Fig. 3 is shown according to the present invention one A embodiment according to attack type construction feature library or the schematic diagram of pattern base.In Fig. 3, main classes 1, main classes are shown 2 ..., main classes n(Main classes 2- main classes n is omitted), subclass 1, the subclass 2 ... ... of 1 subordinate of each main classes, subclass n and each subclass Rule 1, the rule 2 of subordinate ..., regular n.Wherein, main classes refers to a major class of network attack, and subclass refers under the major class A group, rule refers to specific attack signature code.For example, SQL injection belongs to a main classes, " pass through http agreements Get message carry out SQL injection " belong to a subclass under the main classes, the injection sentence category such as " select " for including in data In rule.
The present invention program is illustrated with a http agreement specific example below.
(1)Construction feature library and multimode library.
Structure includes the feature database of a plurality of feature expression and the multimode library including a plurality of keyword.According to attack type An example for build library is as follows:
In above-mentioned example, a main classes is shown(Main classes 1, main_class1)Strategy, and other main classes are omitted 2 ..., main classes n.It is appreciated that each main classes subordinate includes multiple subclasses(sub_class), such as subclass 1, subclass 2 ... ..., Subclass n and each subclass include the rule of multiple subordinaties(rule), such as rule 1, rule 2 ... ..., regular n.Wherein, one Main classes represents a major class of network attack, and subclass refers to a group under the major class, and rule refers to specific attack signature Code.Such as in above-mentioned example, SQL injection(SQL Inject)Belong to a main classes, " by the get message of http agreements into Row SQL injection(Get SQL Inject)" belong to a subclass under the main classes, the injection language such as " select " for including in data Sentence belongs to rule.
(2)Http message is obtained, and protocol analysis is carried out to http message, obtains each object in message(Such as:url、 The fields such as reference, cookie)Data.
Usual http message includes that client computer is rung to the http request message and server of server to the http of client computer Answer message.The message of both types is by an initial row, one or more header field, a null that only header field terminates and Optional message body composition.The header field of http includes general head, request header, four parts of head response and entity head.
For example,
One typical request message is:
GEThttp://class/download.microtool.de:80/somedata.exe
Host:download.microtool.de
Accept:*/*
Pragma:no-cache
Cache-Control:no-cache
Referer:http://class/download.microtool.de/
User-Agent:Mozilla/4.04[en](Win95;I;Nav)
Range:bytes=554554-
Wherein, the Intenet hosts and port numbers of the specified request resource of Host header fields, it is necessary to indicate that request url's is original The position of server or gateway;Referer header fields allow the source resource address of the specified request uri of client, this can allow to take Business device generates rollback chained list, can be used to log in, optimize cache etc.;Range header fields can be with one or more son of request entity Range;User-Agent header field contents include to send out the user information of request.
(3)The object of acquisition is matched in the library of foundation, it is determined whether there is attack.
The object data that http protocol analysis obtains is identified in the library of above-mentioned structure, if successful match, Determine there is attack, otherwise it is assumed that there is no attacks.
It is corresponding with the above method, the present invention also provides a kind of attack recognition device based on object analysis.The device can To be realized by hardware, software or software and hardware combining.Specific right, which can refer to service node(For example, firewall services Device), the functional entity inside service node is may also mean that, as long as having the function of the device.
Specifically, the attack recognition device based on object analysis is somebody's turn to do to include at least:Message retrieval unit, message parsing are single Member, feature database construction unit, multimode library construction unit and matching unit.
Wherein:
Message retrieval unit is for obtaining message.The message includes application layer protocol (application layer Protocol) message.As previously mentioned, application layer protocol is mainly the following.(1) domain name system (Domain Name System, DNS):The network service mapped for realizing network equipment name to IP address.(2) File Transfer Protocol (FileTransfer Protocol, FTP):Interactive file transfer function is realized with fourth.(3) simple message transfer protocol (SMTP) (Simple Mail Transfer Protocol,SMTP):It is assisted for realizing E-mail address transmitting function (4) Hyper text transfer It discusses (HyperText Transfer Protocol, HTTP):It is serviced for realizing WWW.(5) Simple Network Management Protocol (simple Network Management Protocol, SNMP):For managing and monitoring the network equipment.(6) Telnet Agreement (Telnet):For realizing Telnet function.So, message retrieval unit obtain message include at least DNS message, FTP message, SMTP message, HTTP message, snmp message and Telnet message.
Message parsing unit is used to carry out protocal analysis to the message of acquisition, and parsing obtains the number of one or more objects According to.Object therein refers to each predefined field that message is obtained according to protocol analysis.By taking http agreements as an example, it is assumed that obtain Be http protocol messages, then to the message carry out protocal analysis, that is, http rfc protocol specifications carry out protocal analysis, to Obtain each http protocol fields that message includes, that is, obtain the data content that object is included.By taking http agreements as an example, this The object of invention refers to that http message predefines field, for example, the fields such as url, reference, parameter, cookie.
Feature database construction unit, for building the feature database;And multimode library construction unit, it is described more for building Mould library.Wherein, feature database includes a plurality of feature expression, and every feature expression has the attribute of object;Multimode library includes more Keyword, every keyword have the attribute of object.Wherein, multimode library is built according to feature database, each key representations One pattern.In addition, one or more feature expression in keyword and feature database in multimode library has mapping relations, tool There are the keyword and feature expression attribute having the same of mapping relations.Wherein, multimode library is built according to feature database, each One pattern of key representations.
Matching unit, for being based on the feature database and the multimode library, to the object of message parsing unit acquisition Data matched, it is determined whether there is attack.
Wherein, matching unit further comprise multimode matching subelement, mapping determination subelement, rule match subelement and As a result determination subelement.
Multimode matching subelement is used for the data for object, and multimode matching is carried out using multimode library.Wherein, using multimode Matching algorithm carries out multimode matching.Multimode matching algorithm includes a variety of, such as Trie trees, AC algorithms, WM algorithms etc..The present invention Embodiment preferably uses ACBM algorithms.ACBM algorithms are the multimode extensions that BM algorithms are introduced on the basis of AC automatic machines, The efficient multimode matching realized.The core concept of ACBM algorithms be exactly allow each matched initial position span as far as possible Greatly, to improve efficiency.Unlike AC automatic machines, ACBM algorithms need not scan each character in target text string, This unsuccessful information of matching can be utilized, character as much as possible is skipped, realizes efficient matchings.
Mapping determination subelement is used for the matching from feature database and whether there is for the object and matched keyword tool There is the feature expression of mapping relations.
Rule match subelement is used for based on described for the object, corresponding with matched keyword feature representation Formula carries out rule match to the data of the object.
As a result determination subelement is used for according to multimode matching unit, mapping determination subelement and rule match subelement really Recognize result and determine whether there is attack, wherein if multimode matching subelement is not matched to the keyword for the object, described Mapping determination subelement, which is not matched to feature expression or the rule match subelement, does not have successful match, it is determined that no There are attacks, if the rule match subelement successful match, it is determined that there is attack.
Wherein, mapping determination subelement determines whether a keyword is to be for the mode of the keyword of the object: Determine whether the attribute of the keyword is the object;Similarly, rule match subelement determine a feature expression whether be Mode for the feature expression of the object is:Determine whether the attribute of this feature expression formula is the object.
Preferably, feature database construction unit is used for the type based on attack during building the feature database, according to A plurality of feature expression described in the mode tissue of main classes, subclass and rule;Similarly, multimode library construction unit is more described in framework During mould library, it to be used for the type based on attack, a plurality of keyword described in tissue in the way of main classes, subclass and rule.
As it can be seen that the present invention is based on objects targetedly to be filtered, and in such a way that multimode library is combined with feature database, Most of secure data can be filtered, without most of data are carried out with cumbersome character match, to significantly Improve detection efficiency.
Particularly, multimode filtering, the filtering of three levels of characteristic filter and character match are carried out to data due to the present invention, Safety filtering can be ensured in the first level or the second level for secure data, without carrying out cumbersome character filtering. In the filtering of first level, all security request data are filtered out;In the filtering of second level, suspectable data are done primary first The filtering of step;In third level filtering, message has the possibility row of attack just very big, is determined with feature expression.It adopts With the embodiment of the present invention, the data of the overwhelming majority can be filtered out by the first level, during the second level and third level filter, The request data of processing is probably in very little(It is about 10% according to statistics)Ratio.It is, need not be to the normal number of the overwhelming majority According to progress feature regular expression matching processing.Detection efficiency is significantly increased as a result,.
Algorithm and display be not inherently related to any certain computer, virtual system or miscellaneous equipment provided herein. Various general-purpose systems can also be used together with teaching based on this.As described above, it constructs required by this kind of system Structure be obvious.In addition, the present invention is not also directed to any certain programmed language.It should be understood that can utilize various Programming language realizes the content of invention described herein, and the description done above to language-specific is to disclose this hair Bright preferred forms.
In the instructions provided here, numerous specific details are set forth.It is to be appreciated, however, that the implementation of the present invention Example can be put into practice without these specific details.In some instances, well known method, structure is not been shown in detail And technology, so as not to obscure the understanding of this description.
Similarly, it should be understood that in order to simplify the disclosure and help to understand one or more of each inventive aspect, Above in the description of exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes In example, figure or descriptions thereof.However, the method for the disclosure should be construed to reflect following intention:It is i.e. required to protect Shield the present invention claims the more features of feature than being expressly recited in each claim.More precisely, as following Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore, Thus the claims for following specific implementation mode are expressly incorporated in the specific implementation mode, wherein each claim itself All as a separate embodiment of the present invention.
Those skilled in the art, which are appreciated that, to carry out adaptively the module in the equipment in embodiment Change and they are arranged in the one or more equipment different from the embodiment.It can be the module or list in embodiment Member or component be combined into a module or unit or component, and can be divided into addition multiple submodule or subelement or Sub-component.Other than such feature and/or at least some of process or unit exclude each other, it may be used any Combination is to this specification(Including adjoint claim, abstract and attached drawing)Disclosed in all features and so disclosed appoint Where all processes or unit of method or equipment are combined.Unless expressly stated otherwise, this specification(Including adjoint power Profit requirement, abstract and attached drawing)Disclosed in each feature can be by providing the alternative features of identical, equivalent or similar purpose come generation It replaces.
In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments In included certain features rather than other feature, but the combination of the feature of different embodiments means in of the invention Within the scope of and form different embodiments.For example, in the following claims, embodiment claimed is appointed One of meaning mode can use in any combination.
The all parts embodiment of the present invention can be with hardware realization, or to run on one or more processors Software module realize, or realized with combination thereof.It will be understood by those of skill in the art that can use in practice Microprocessor or digital signal processor(DSP)To realize the attack recognition according to the ... of the embodiment of the present invention based on object analysis The some or all functions of some or all components in device.The present invention is also implemented as being retouched here for executing The some or all equipment or program of device for the method stated(For example, computer program and computer program product). It is such to realize that the program of the present invention may be stored on the computer-readable medium, or can have one or more signal Form.Such signal can be downloaded from internet website and be obtained, either provide on carrier signal or with it is any its He provides form.
It should be noted that the present invention will be described rather than limits the invention for above-described embodiment, and ability Field technique personnel can design alternative embodiment without departing from the scope of the appended claims.In the claims, Any reference mark between bracket should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not Element or step listed in the claims.Word "a" or "an" before element does not exclude the presence of multiple such Element.The present invention can be by means of including the hardware of several different elements and being come by means of properly programmed computer real It is existing.In the unit claims listing several devices, several in these devices can be by the same hardware branch To embody.The use of word first, second, and third does not indicate that any sequence.These words can be explained and be run after fame Claim.
The present invention provides the following technical solutions:
A kind of attack recognition methods based on object analysis of A1, including:
Construction feature library, the feature database include a plurality of feature expression, and every feature expression has the attribute of object;
Multimode library is built, the multimode library includes a plurality of keyword, and every keyword has the attribute of object;The multimode Keyword in library has mapping relations with one or more feature expression in the feature database, the pass with mapping relations Key word and feature expression attribute having the same;
Data based on the feature database and the multimode library, the object to being obtained after parsing message match, and determine With the presence or absence of attack.
A2, the method as described in A1, it is described to be based on the feature database and the multimode library, to pair obtained after parsing message The data of elephant are matched, it is determined whether there are attacks to include:
Protocal analysis is carried out to the message of acquisition, parsing obtains the data of one or more objects;
For the data of the object, multimode matching is carried out using multimode library, if being matched to the key for the object Word then carries out subsequent step, otherwise determines that there is no attacks;
Matching whether there is mark sheet for the object, having mapping relations with matched keyword from feature database Up to formula, if being not matched to feature expression, it is determined that there is no attacks, otherwise carry out subsequent step;
Based on described for the object, corresponding with matched keyword feature expression, to the data of the object into Line discipline matches, if successful match, it is determined that there is attack, otherwise determines that there is no attacks.
A3, the method as described in A1 or A2, the multimode library are built according to the feature database, each key representations one A pattern.
A4, the method as described in A2,
Determine whether a keyword is to be for the mode of the keyword of the object:Determining the attribute of the keyword is No is the object;
Determine whether a feature expression is to be for the mode of the feature expression of the object:Determine this feature table Whether the attribute up to formula is the object.
A5, the method as described in A1 or A2, during building the feature database, the type based on attack, according to main classes, A plurality of feature expression described in the mode tissue of subclass and rule;Described in framework during multimode library, the type based on attack, The a plurality of keyword described in tissue in the way of main classes, subclass and rule.
A6, the method as described in A1 or A2, the message are application layer protocol message;The application layer protocol includes TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet agreement.
A7, the method as described in A6, the message refer to http protocol messages;The object refers to http protocol messages Predefined field, including url, reference, parameter, cookie.
A8, the method as described in A1 or A2 carry out the multimode matching using multimode matching algorithm;The multimode matching is calculated Method is ACBM algorithms.
B9, a kind of attack recognition device based on object analysis, including:
Message retrieval unit, for obtaining message;
Message parsing unit carries out protocal analysis for the message to acquisition, and parsing obtains the number of one or more objects According to;
Feature database construction unit, for building the feature database, the feature database includes a plurality of feature expression, every spy Levying expression formula has the attribute of object;
Multimode library construction unit, for building the multimode library, the multimode library includes a plurality of keyword, every keyword Attribute with object;Wherein, one or more feature expression in the keyword and feature database in the multimode library has Mapping relations, the keyword with mapping relations and feature expression attribute having the same;
Matching unit, for being based on the feature database and the multimode library, to the object of message parsing unit acquisition Data matched, it is determined whether there is attack.
B10, the device as described in B9, the matching unit include:
Multimode matching subelement carries out multimode matching for the data for the object using multimode library;
Mapping determination subelement whether there is for the object and matched keyword for being matched from feature database Feature expression with mapping relations;
Rule match subelement is used for based on described for the object, corresponding with matched keyword feature representation Formula carries out rule match to the data of the object;
As a result determination subelement, for according to multimode matching subelement, mapping determination subelement and rule match subelement Confirmation result determine whether there is attack, wherein if multimode matching subelement be not matched to the keyword for the object, The mapping determination subelement, which is not matched to feature expression or the rule match subelement, does not have successful match, then really Fixed there is no attacks, if the rule match subelement successful match, it is determined that there is attack.
B11, the device as described in B9 or B10, the multimode library are built according to the feature database, each key representations One pattern.
B12, the device as described in B10, the mapping determination subelement determine whether a keyword is for described right The mode of the keyword of elephant is:Determine whether the attribute of the keyword is the object;
The rule match subelement determines whether a feature expression is feature expression for the object Mode is:Determine whether the attribute of this feature expression formula is the object.
B13, the device as described in B9 or B10, the feature database construction unit are used during building the feature database In the type based on attack, a plurality of feature expression described in tissue in the way of main classes, subclass and rule;Multimode library structure Unit is built, described in framework during multimode library, is used for the type based on attack, the group in the way of main classes, subclass and rule Knit a plurality of keyword.
B14, the device as described in B9 or B10, the message that the message retrieval unit obtains disappear for application layer protocol Breath;The application layer protocol includes TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet agreement.
B15, the device as described in B14, the message that the message retrieval unit obtains refers to http protocol messages;Institute The object for stating message parsing unit acquisition refers to the predefined field of http protocol messages, including url, reference, ginseng Number, cookie.
B16, the device as described in B9 or B10, the multimode matching unit carry out the multimode using multimode matching algorithm Matching;The multimode matching algorithm is ACBM algorithms.

Claims (10)

1. a kind of attack recognition method based on object analysis, which is characterized in that including:
Construction feature library, the feature database include a plurality of feature expression, and every feature expression has the attribute of object;
Multimode library is built, the multimode library includes a plurality of keyword, and every keyword has the attribute of object;In the multimode library Keyword and the feature database in one or more feature expression there are mapping relations, the keyword with mapping relations With feature expression attribute having the same;
Data based on the feature database and the multimode library, the object to being obtained after parsing message match, it is determined whether There are attacks;
Described to be based on the feature database and the multimode library, the data of the object to being obtained after parsing message match, and determine Include with the presence or absence of attack:
Protocal analysis is carried out to the message of acquisition, parsing obtains the data of one or more objects;
For the data of the object, multimode matching is carried out using multimode library, if being matched to the keyword for the object, Subsequent step is carried out, otherwise determines that there is no attacks;
Matching whether there is feature representation for the object, having mapping relations with matched keyword from feature database Formula, if being not matched to feature expression, it is determined that there is no attacks, otherwise carry out subsequent step;
Based on described for the object, corresponding with matched keyword feature expression, to the data of the object into professional etiquette It then matches, if successful match, it is determined that there is attack, otherwise determine that there is no attacks;
Wherein:The multimode library is built according to the feature database, one pattern of each key representations.
2. the method as described in claim 1, which is characterized in that
Determine whether a keyword is to be for the mode of the keyword of the object:Determine the keyword attribute whether be The object;
Determine whether a feature expression is to be for the mode of the feature expression of the object:Determine this feature expression formula Attribute whether be the object.
3. the method as described in claim 1, which is characterized in that during building the feature database, the type based on attack, The a plurality of feature expression described in tissue in the way of main classes, subclass and rule;Described in framework during multimode library, based on attacking The type hit, a plurality of keyword described in tissue in the way of main classes, subclass and rule.
4. a kind of attack recognition device based on object analysis, which is characterized in that including:
Message retrieval unit, for obtaining message;
Message parsing unit carries out protocal analysis for the message to acquisition, and parsing obtains the data of one or more objects;
Feature database construction unit, for building the feature database, the feature database includes a plurality of feature expression, every mark sheet There is the attribute of object up to formula;
Multimode library construction unit, for building the multimode library, the multimode library includes a plurality of keyword, and every keyword has The attribute of object;Wherein, one or more feature expression in the keyword and feature database in the multimode library has mapping Relationship, the keyword with mapping relations and feature expression attribute having the same;
Matching unit, for being based on the feature database and the multimode library, to the number for the object that the message parsing unit obtains According to being matched, it is determined whether there is attack;
The matching unit includes:
Multimode matching subelement carries out multimode matching for the data for the object using multimode library;
Map determination subelement, for from feature database matching with the presence or absence of for the object, have with matched keyword The feature expression of mapping relations;
Rule match subelement is used for based on described for the object, corresponding with matched keyword feature expression, right The data of the object carry out rule match;
As a result determination subelement is used for according to multimode matching subelement, mapping determination subelement and rule match subelement really Recognize result and determine whether there is attack, wherein if multimode matching subelement is not matched to the keyword for the object, described Mapping determination subelement, which is not matched to feature expression or the rule match subelement, does not have successful match, it is determined that no There are attacks, if the rule match subelement successful match, it is determined that there is attack.
5. device as claimed in claim 4, which is characterized in that the multimode library is built according to the feature database, and each is closed Key word represents a pattern.
6. device as claimed in claim 4, which is characterized in that
The mapping determination subelement determines whether a keyword is to be for the mode of the keyword of the object:Determining should Whether the attribute of keyword is the object;
The rule match subelement determines whether a feature expression is mode for the feature expression of the object For:Determine whether the attribute of this feature expression formula is the object.
7. device as claimed in claim 4, which is characterized in that the feature database construction unit is building the feature database mistake Cheng Zhong is used for the type based on attack, a plurality of feature expression described in tissue in the way of main classes, subclass and rule;It is described Multimode library construction unit described in framework during multimode library, is used for the type based on attack, according to main classes, subclass and rule Mode tissue described in a plurality of keyword.
8. such as claim 4-7 any one of them devices, which is characterized in that the message that the message retrieval unit obtains For application layer protocol message;The application layer protocol includes TFTP, HTTP, SNMP, FTP, SMTP, DNS or Telnet agreement.
9. such as claim 4-7 any one of them devices, which is characterized in that the message that the message retrieval unit obtains Refer to http protocol messages;The object that the message parsing unit obtains refers to the predefined field of http protocol messages, Including url, reference, parameter, cookie.
10. such as claim 4-7 any one of them devices, which is characterized in that the multimode matching unit uses multimode matching Algorithm carries out the multimode matching;The multimode matching algorithm is ACBM algorithms.
CN201410126740.XA 2014-03-31 2014-03-31 Attack recognition method and device based on object analysis Active CN104954345B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410126740.XA CN104954345B (en) 2014-03-31 2014-03-31 Attack recognition method and device based on object analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410126740.XA CN104954345B (en) 2014-03-31 2014-03-31 Attack recognition method and device based on object analysis

Publications (2)

Publication Number Publication Date
CN104954345A CN104954345A (en) 2015-09-30
CN104954345B true CN104954345B (en) 2018-07-31

Family

ID=54168705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410126740.XA Active CN104954345B (en) 2014-03-31 2014-03-31 Attack recognition method and device based on object analysis

Country Status (1)

Country Link
CN (1) CN104954345B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954346B (en) * 2014-03-31 2018-12-18 北京奇安信科技有限公司 Attack recognition method and device based on object analysis
CN106911647A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 A kind of method and apparatus for detecting network attack
CN106911649A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 A kind of method and apparatus for detecting network attack
CN108111466A (en) * 2016-11-24 2018-06-01 北京金山云网络技术有限公司 A kind of attack detection method and device
CN106453438B (en) * 2016-12-23 2019-12-10 北京奇虎科技有限公司 Network attack identification method and device
CN106657075B (en) * 2016-12-26 2019-11-15 东软集团股份有限公司 Multi-layer protocol analytic method, device and data matching method and device
CN112422545A (en) * 2020-11-09 2021-02-26 北京天融信网络安全技术有限公司 Data processing method and device based on HTTP request

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425937A (en) * 2007-11-02 2009-05-06 北京启明星辰信息技术有限公司 SQL injection attack detection system suitable for high speed LAN environment
CN103559444A (en) * 2013-11-05 2014-02-05 星云融创(北京)信息技术有限公司 Sql (Structured query language) injection detection method and device
CN104954346A (en) * 2014-03-31 2015-09-30 北京奇虎科技有限公司 Attack recognition method based on object analysis and device thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8009566B2 (en) * 2006-06-26 2011-08-30 Palo Alto Networks, Inc. Packet classification in a network security device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425937A (en) * 2007-11-02 2009-05-06 北京启明星辰信息技术有限公司 SQL injection attack detection system suitable for high speed LAN environment
CN103559444A (en) * 2013-11-05 2014-02-05 星云融创(北京)信息技术有限公司 Sql (Structured query language) injection detection method and device
CN104954346A (en) * 2014-03-31 2015-09-30 北京奇虎科技有限公司 Attack recognition method based on object analysis and device thereof

Also Published As

Publication number Publication date
CN104954345A (en) 2015-09-30

Similar Documents

Publication Publication Date Title
CN104954346B (en) Attack recognition method and device based on object analysis
CN104954345B (en) Attack recognition method and device based on object analysis
US10798202B2 (en) Security systems for mitigating attacks from a headless browser executing on a client computer
Genge et al. ShoVAT: Shodan‐based vulnerability assessment tool for Internet‐facing services
US10834101B2 (en) Applying bytecode obfuscation techniques to programs written in an interpreted language
CN103744802B (en) Method and device for identifying SQL injection attacks
US9185125B2 (en) Systems and methods for detecting and mitigating threats to a structured data storage system
Pan et al. Cspautogen: Black-box enforcement of content security policy upon real-world websites
US20100332837A1 (en) Web application security filtering
US20060272008A1 (en) Method and security system for indentifying and blocking web attacks by enforcing read-only parameters
JP2015053070A (en) Cross-site scripting filter
CN110362992A (en) Based on the method and apparatus for stopping in the environment of cloud or detecting computer attack
Muthuprasanna et al. Eliminating SQL injection attacks-A transparent defense mechanism
Bock et al. Detecting and evading {Censorship-in-Depth}: A case study of {Iran’s} protocol whitelister
Gupta et al. Robust injection point-based framework for modern applications against XSS vulnerabilities in online social networks
CN106911649A (en) A kind of method and apparatus for detecting network attack
Reynolds et al. Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations
Kaur et al. State-of-the-art survey on web vulnerabilities, threat vectors, and countermeasures
Gupta et al. RAJIVE: restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications
CN106911647A (en) A kind of method and apparatus for detecting network attack
Yamazaki et al. Xilara: An XSS filter based on HTML template restoration
Wang et al. Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls
Haukeli False positive reduction through IDS network awareness
CN114116619A (en) Method and system for defending file deletion vulnerability and computer equipment
Balasundram et al. Prevention of SQL Injection attacks by using service oriented authentication technique

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20161125

Address after: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: Beijing Qihu Technology Co., Ltd.

Applicant before: Qizhi Software (Beijing) Co., Ltd.

GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

CP03 Change of name, title or address