CN106161478B - Accurate attack recognition method based on the variation of http response head - Google Patents

Info

Publication number: CN106161478B
Authority: CN (China)
Prior art keywords: attack, server, http response, request, response head
Legal status: Active
Application number: CN201610831649.7A
Other languages: Chinese (zh)
Other versions: CN106161478A (en)
Inventor: 郭宝军
Current Assignee: Chengdu Zhidaochuangyu Information Technology Co Ltd
Original Assignee: Chengdu Zhidaochuangyu Information Technology Co Ltd
Priority date: 2016-09-19
Filing date: 2016-09-19
Publication date: 2016-11-23 (application, CN106161478A); granted 2019-02-19 (CN106161478B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an accurate attack recognition method based on changes in HTTP response headers, comprising the following steps: receive the client's HTTP request and pre-judge whether it is a suspected attack; if the pre-judgement result is "suspected attack", intercept the request, replace the client request data with ordinary content and send the result to the server; record the HTTP response headers the server returns, then send the client's original request data to the server; record the HTTP response headers the server returns again; compare the two sets of response headers, and if they differ judge the client request to be an attack, otherwise judge it to be a non-attack. The invention can accurately identify suspected attacks and accurately determine whether an attack took effect, with a low false-positive rate.

Description

Accurate attack recognition method based on the variation of http response head
Technical field
The present invention relates to the technical field of Web attack recognition, and in particular to an accurate attack recognition method based on changes in HTTP response headers.
Background technique
Current Web attack recognition technology detects attacks from the HTTP request alone: before the client request reaches the server, the request data is matched against attack signatures. For example, the client request http://www.example.com/?id=1 and 1=1 is identified as an attack if "and 1=1" matches an attack signature, and as a non-attack if nothing matches. This detection approach has several disadvantages. First, the identification happens before the request reaches the server, so it cannot tell whether the attack actually took effect. Second, different servers process request data differently, which produces a very high false-positive rate. Finally, whenever a new attack technique appears, the signature-based method needs prompt signature analysis and supplementation.
Explanation of related terms
HTTP: Hypertext Transfer Protocol, the most widely used network protocol for web-based applications on the Internet.
HTTP response headers: the response message an HTTP server returns to the client; the one or more header lines after the status line, each consisting of a header field name, a colon (:) and a field value (with at least one space before the value).
Content-Length: the transfer length of the HTTP message entity (a response header field that identifies the transfer length of the server's response content entity).
Summary of the invention
The technical problem solved by the invention is to provide an accurate attack recognition method based on changes in HTTP response headers, which addresses the problems of existing Web attack recognition technology: it cannot determine whether an attack took effect, it has a high false-positive rate, and it requires attack-signature analysis and supplementation whenever a new attack technique appears.
To solve the above technical problems, the technical solution adopted by the invention is:
An accurate attack recognition method based on changes in HTTP response headers, comprising the following steps:
Step 1: receive the client's HTTP request and pre-judge it, determining whether the HTTP request is a suspected attack; if the pre-judgement result is "suspected attack", intercept the request, replace the client request data with ordinary content and send the result to the server;
Step 2: record the HTTP response headers the server returns, then send the client's original request data to the server;
Step 3: record the HTTP response headers the server returns again;
Step 4: compare whether the two sets of HTTP response headers differ; if they differ, judge the client request to be an attack; if the comparison shows no change, judge the client request to be a non-attack.
According to the above scheme, if the pre-judgement result of step 1 is non-attack, the client request is concluded to be a non-attack.
Compared with the prior art, the beneficial effects of the invention are: a suspected attack is identified accurately, as either an attack or a non-attack; whether the attack took effect is determined accurately, with a low false-positive rate; and when a new attack technique appears, no attack-signature analysis or supplementation is needed.
Description of the drawings
Fig. 1 is a flow diagram of the accurate attack recognition method based on HTTP response header changes of the present invention.
Specific embodiment
The invention is further described in detail below with reference to the accompanying drawing and a specific embodiment. The accurate Web attack recognition method based on HTTP response header changes provided by the invention includes preliminary judgement of the client request, interception of the client request, replacement of the data the client submitted, sending of the client request data, comparison of the HTTP response headers, and judging from the comparison result whether the client request is an attack, as shown in Fig. 1 and detailed below.
S101: receive the client's HTTP request and pre-judge it;
S102: if the pre-judgement result of step S101 is "suspected attack":
S103: first intercept the request, replace the client request data (the content submitted through parameters) with ordinary content, and send the result to the server;
S104: record the HTTP response headers the server returns;
S105: send the client request data (the client's original request, without replacing the request data) to the server;
S106: record the HTTP response headers the server returns;
S107: compare the results of steps S104 and S106 to see whether the HTTP response headers changed between the two requests;
S108: if they changed (not counting Content-Length), judge the client request to be an attack;
S109: if the comparison of step S107 shows no change, judge the client request to be a non-attack.
If step S102 judges the request to be a non-attack, the client request is a non-attack.
For example, the client request http://example.com/index?id=1 is a non-attack, and the request is sent straight to the server.
For example, the client request is (it carries an OGNL expression aimed at a Struts2/XWork action, which the pre-judgement of step S101 flags as a suspected attack):
http://example.com/viewSource.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23context[%23parameters.obj[0]].getWriter().print(%23parameters.content[0]%2b201%2b20702),1?%23xx:%23request.toString&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=14998
First the request is replaced with http://example.com/viewSource.action?view and sent to the server; the server's response headers are:
Server: Apache-Coyote/1.1
Content-Type: text/html
Transfer-Encoding: chunked
Date: Tue, 14 Jun 2016 08:47:36 GMT
Connection: close
Then the client's original request
http://example.com/viewSource.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23context[%23parameters.obj[0]].getWriter().print(%23parameters.content[0]%2b201%2b20702),1?%23xx:%23request.toString&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=14998
is retransmitted to the server; the server's response headers are:
Server: Apache-Coyote/1.1
Content-Length: 30
Date: Tue, 14 Jun 2016 08:48:00 GMT
Connection: close
The response headers the server returned for the two requests differ (the first carries Content-Type: text/html, the second does not), so the request is judged to be an attack.
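The procedure of steps S101 to S109 and the captured exchange above, as an added example that is not part of the patent or of the assignee's product: the signature pre-judgement, the neutralised replay, the recording and comparison of the two response heads, and the final verdict, run against a constructed in-process stand-in for the server that answers with the two response heads captured above. The function names, the rule for substituting ordinary content, the stand-in server, the sample requests and the decision to disregard the Date header alongside Content-Length are assumptions of this example, not the patent's.

```python
"""Two-request header-diff check, as an added example (not the patent's
own code). Everything named here is an assumption of this example."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# S101 pre-screen signatures. Both patterns come from the page's own
# examples (the `and 1=1` probe and the OGNL `_memberAccess` payload);
# a real deployment would carry a far larger signature set.
ATTACK_SIGNATURES = [
    re.compile(r"\band\s+1=1\b", re.IGNORECASE),
    re.compile(r"%23_memberAccess|@ognl\.OgnlContext@", re.IGNORECASE),
]

# Headers allowed to differ between the two responses. Excluding
# Content-Length is what the patent prescribes (S108); excluding Date is
# an added assumption: the page's own two captures already differ in
# Date, so without it every suspected request would count as changed.
IGNORED_HEADERS = {"content-length", "date"}

SAFE_PARAM_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")
BENIGN_VALUE = "1"


def parse_head(text: str) -> dict:
    """Parse a raw response head into {lower-cased name: value}."""
    headers = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_suspect(url: str) -> bool:
    """S101: signature pre-judgement on the raw request."""
    return any(pattern.search(url) for pattern in ATTACK_SIGNATURES)


def neutralize(url: str) -> str:
    """S103: replace the submitted parameter data with ordinary content.
    The page's example swaps the whole query for `view`; this example keeps
    plain parameter names with a benign value so the server takes a
    comparable code path, and drops any parameter whose *name* carries the
    payload (the OGNL probe above puts it there, before the first `&`)."""
    parts = urlsplit(url)
    kept = [(name, BENIGN_VALUE)
            for name, _ in parse_qsl(parts.query, keep_blank_values=True)
            if SAFE_PARAM_NAME.match(name)]
    query = urlencode(kept) if kept else "view"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def headers_changed(first: dict, second: dict, ignored=IGNORED_HEADERS) -> bool:
    """S107: did the response head change, disregarding `ignored` names?"""
    def relevant(headers):
        return {k.lower(): v for k, v in headers.items() if k.lower() not in ignored}
    return relevant(first) != relevant(second)


def classify(url: str, send) -> str:
    """Run the whole procedure. `send(url)` returns the server's response
    headers as a dict; below it is the constructed stand-in server."""
    if not is_suspect(url):
        return "non-attack"                # S102: not suspected, pass through
    baseline = send(neutralize(url))       # S103/S104: neutralised request
    actual = send(url)                     # S105/S106: original request
    return "attack" if headers_changed(baseline, actual) else "non-attack"


# Constructed stand-in for the server in the page's example. The two heads
# are the page's captures; the rule choosing between them (an OGNL write
# straight to the response yields a bare Content-Length reply with no
# Content-Type) is an assumption.
NORMAL_HEAD = ("Server: Apache-Coyote/1.1\nContent-Type: text/html\n"
               "Transfer-Encoding: chunked\nDate: Tue, 14 Jun 2016 08:47:36 GMT\n"
               "Connection: close")
INJECTED_HEAD = ("Server: Apache-Coyote/1.1\nContent-Length: 30\n"
                 "Date: Tue, 14 Jun 2016 08:48:00 GMT\nConnection: close")


def fake_server(url: str) -> dict:
    hit = "%23_memberAccess" in urlsplit(url).query
    return parse_head(INJECTED_HEAD if hit else NORMAL_HEAD)


OGNL_REQUEST = (
    "http://example.com/viewSource.action?method:%23_memberAccess%3d@ognl.OgnlContext@"
    "DEFAULT_MEMBER_ACCESS,%23context[%23parameters.obj[0]].getWriter().print("
    "%23parameters.content[0]%2b201%2b20702),1?%23xx:%23request.toString"
    "&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=14998"
)

if __name__ == "__main__":
    for request in ("http://example.com/index?id=1",
                    "http://www.example.com/?id=1 and 1=1", OGNL_REQUEST):
        print(classify(request, fake_server), request[:70])
```

Run as-is it prints one verdict per request: the plain index?id=1 request is never replayed, the OGNL request is an attack because the replayed original drops Content-Type, and the and 1=1 probe matches a signature but leaves the headers unchanged, so it is reported as a non-attack (the attack did not take effect on this server, which is the false-positive reduction the patent claims). Two points matter when building on this: the patent excludes only Content-Length from the comparison, but the page's own two captures also differ in Date, so an implementation has to disregard per-request headers (Date, Set-Cookie, ETag and the like) or every suspected request will look changed; and step S105 delivers the original request to the server unchanged, so the method confirms that an attack took effect rather than preventing its first execution.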

Claims (2)

1. An accurate attack recognition method based on changes in HTTP response headers, characterized in that it comprises the following steps:
Step 1: receive the client's HTTP request and pre-judge it, determining whether the HTTP request is a suspected attack; when the pre-judgement result is "suspected attack", intercept the request, replace the client request data with ordinary content and send the result to the server;
Step 2: record the HTTP response headers the server returns, then send the client's original request data to the server;
Step 3: record the HTTP response headers the server returns again;
Step 4: compare whether the two sets of HTTP response headers differ; if they differ, and the difference is not Content-Length, judge the client request to be an attack; if the comparison shows no change, judge the client request to be a non-attack.
2. The accurate attack recognition method based on changes in HTTP response headers according to claim 1, characterized in that if the pre-judgement result of step 1 is non-attack, the client request is concluded to be a non-attack.
Priority Applications (1)

Application Number: CN201610831649.7A
Priority Date: 2016-09-19
Filing Date: 2016-09-19
Title: Accurate attack recognition method based on the variation of http response head
Status: Active (CN106161478B)

Publications (2)

CN106161478A (en), published 2016-11-23
CN106161478B (en), published 2019-02-19

Family

ID=57341328

Country Status (1)

CN (1) CN106161478B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818107B (en) * 2020-09-14 2021-04-27 深圳赛安特技术服务有限公司 Network request response method, device, equipment and readable storage medium
CN112351009B (en) * 2020-10-27 2022-07-22 杭州安恒信息技术股份有限公司 Network security protection method and device, electronic equipment and readable storage medium
CN115065540B (en) * 2022-06-20 2024-03-12 北京天融信网络安全技术有限公司 Method and device for detecting web vulnerability attack and electronic equipment
CN115296932B (en) * 2022-09-30 2023-01-06 北京知其安科技有限公司 Method and device for detecting WAF interception effectiveness and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072106A (en) * 2006-05-12 2007-11-14 国际商业机器公司 Method and system for protecting against denial of service attacks
CN101247395A (en) * 2008-03-13 2008-08-20 武汉理工大学 ISAPI access control system for Session ID fully transparent transmission
CN101764767A (en) * 2008-12-23 2010-06-30 华为技术有限公司 Network interconnection method, gateway facility and system
CN102541674A (en) * 2011-12-26 2012-07-04 运软网络科技(上海)有限公司 Control system and method of autonomic element model and server invasion protection and detection system
EP1990977B1 (en) * 2007-05-09 2012-10-03 Symantec Corporation Client side protection against drive-by pharming via referrer checking


Also Published As

Publication number Publication date
CN106161478A (en) 2016-11-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 9/F, Building C, No. 28, North Tianfu Avenue, China (Sichuan) Pilot Free Trade Zone, Hi-tech Zone, Chengdu, 610000, Sichuan

Patentee after: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 8th Floor, Building 5, No. 801, Middle Section of Tianfu Avenue, High-tech Zone, Chengdu City, Sichuan Province, 610000

Patentee before: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.