Summary of the invention
The present application provides a method and a device for detecting Web vulnerability scanning, to solve the problem that the prior art cannot detect distributed Web vulnerability scanning.
According to a method for detecting Web vulnerability scanning provided by an embodiment of the present application, the method includes:
Obtaining the behavioral features of the request and/or response data of a monitored Web target;
Matching the behavioral features against a preset attack signature rule base; the attack signature rule base contains attack signatures and attack scores, and the attack signatures correspond one-to-one with the attack scores;
Calculating, from the attack scores corresponding to the behavioral features that hit the attack signature rule base, the total attack score of the monitored Web target within a preset duration;
When the total attack score is greater than a preset threshold, obtaining the detection result that the monitored Web target is subject to distributed Web vulnerability scanning.
Optionally, calculating the total attack score of the monitored Web target within the preset duration, from the attack scores corresponding to the behavioral features that hit the attack signature rule base, specifically includes:
Calculating the single attack score of every single source IP that accessed the monitored Web target within the preset duration; the single attack score is the sum of the attack scores corresponding to the behavioral features with which that single source IP hit the attack signature rule base;
Adding the single attack scores of all single source IPs to obtain the total attack score of the monitored Web target.
Optionally, after calculating the single attack score of every single source IP that accessed the monitored Web target within the preset duration, the method further includes:
Selecting the highest single attack score from the single attack scores of all single source IPs;
When the highest single attack score is greater than a preset score, obtaining the detection result that the monitored Web target is subject to Web vulnerability scanning from the source IP corresponding to the highest single attack score.
Optionally, the single attack score is obtained as follows:
Obtaining the attack score and the hit count for each behavioral feature with which the single source IP hit the attack signature rule base;
Multiplying the attack score corresponding to the hit behavioral feature by its hit count to obtain the first score of that hit behavioral feature;
Adding the first scores of all hit behavioral features to obtain the single attack score of the single source IP.
Optionally, the single attack score is obtained as follows:
Obtaining the attack score and the hit count for each behavioral feature with which the single source IP hit the attack signature rule base;
When the hit count is equal to 1, multiplying the attack score corresponding to the hit behavioral feature by the hit count to obtain the second score of that hit attack signature;
When the hit count is greater than 1, multiplying the attack score corresponding to the hit behavioral feature by the hit count and then by a weight to obtain the third score of that hit attack signature;
Adding the second scores and third scores of all hit behavioral features to obtain the single attack score of the single source IP.
According to a device for detecting Web vulnerability scanning provided by an embodiment of the present application, the device includes:
An obtaining unit, configured to obtain the behavioral features of the request and/or response data of a monitored Web target;
A matching unit, configured to match the behavioral features against a preset attack signature rule base; the attack signature rule base contains attack signatures and attack scores, and the attack signatures correspond one-to-one with the attack scores;
A statistics unit, configured to calculate, from the attack scores corresponding to the behavioral features that hit the attack signature rule base, the total attack score of the monitored Web target within a preset duration;
A detection unit, configured to obtain, when the total attack score is greater than a preset threshold, the detection result that the monitored Web target is subject to distributed Web vulnerability scanning.
Optionally, the statistics unit specifically includes:
A first statistics subunit, configured to calculate the single attack score of every single source IP that accessed the monitored Web target within the preset duration; the single attack score is the sum of the attack scores corresponding to the behavioral features with which that single source IP hit the attack signature rule base;
A second statistics subunit, configured to add the single attack scores of all single source IPs to obtain the total attack score of the monitored Web target.
Optionally, after the first statistics subunit, the device further includes:
A screening subunit, configured to select the highest single attack score from the single attack scores of all single source IPs;
A detection subunit, configured to obtain, when the highest single attack score is greater than a preset score, the detection result that the monitored Web target is subject to Web vulnerability scanning from the source IP corresponding to the highest single attack score.
Optionally, the first statistics subunit specifically includes:
An obtaining subunit, configured to obtain the attack score and the hit count for each behavioral feature with which the single source IP hit the attack signature rule base;
A first calculation subunit, configured to multiply the attack score corresponding to the hit behavioral feature by its hit count to obtain the first score of that hit behavioral feature;
A summation subunit, configured to add the first scores of all hit behavioral features to obtain the single attack score of the single source IP.
Optionally, the first statistics subunit specifically includes:
An obtaining subunit, configured to obtain the attack score and the hit count for each behavioral feature with which the single source IP hit the attack signature rule base;
A second calculation subunit, configured to multiply, when the hit count is equal to 1, the attack score corresponding to the hit behavioral feature by the hit count to obtain the second score of that hit attack signature;
A third calculation subunit, configured to multiply, when the hit count is greater than 1, the attack score corresponding to the hit behavioral feature by the hit count and then by a weight to obtain the third score of that hit attack signature;
A summation subunit, configured to add the second scores and third scores of all hit behavioral features to obtain the single attack score of the single source IP.
In the embodiments of the present application, the attack signatures in the attack signature rule base are scored in advance, so that the preset attack signature rule base contains attack signatures and attack scores, with the attack signatures corresponding one-to-one with the attack scores. When a monitored Web target is examined, the behavioral features of its request and/or response data can then be matched against the preset attack signature rule base, and the total attack score of the monitored Web target within the preset duration is calculated from the attack scores corresponding to the behavioral features that hit. When the total attack score is greater than the preset threshold, the detection result is that the monitored Web target is subject to distributed Web vulnerability scanning. Because the total attack score aggregates the rule-base hits of all source IPs, distributed Web vulnerability scanning can be detected, and detection no longer relies on a single source IP alone.
Detailed description of the invention
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of devices and methods consistent with some aspects of the present application as detailed in the appended claims.
The terms used in the present application are for the purpose of describing specific embodiments only and are not intended to limit the present application. The singular forms "a", "said" and "the" used in the present application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of ...", "when ..." or "in response to determining".
As stated above, security protection devices generally detect Web vulnerability scanning mainly on the basis of per-IP statistics. Besides the access frequency of a single source IP mentioned above, the statistic may also be the access frequency of a single source IP and URL, the number of attacks by a single source IP and Cookie within a preset time period, the frequency with which a single source IP exhibits a behavioral feature, the number of HTTP 404 statuses triggered by a single source IP within a preset time period, and so on. Whichever is used, Web vulnerability scanning is detected from the statistics of a single source IP. However, with the development of vulnerability scanning technology, Web vulnerability scanning has evolved from the traditional single-machine mode to a distributed mode. In distributed Web vulnerability scanning, an attacker can use a large number of clients to scan a Web server, and each client may scan only a few times, so the per-IP statistics described above often cannot detect it. Taking the access frequency of a single source IP as the example again: in distributed Web vulnerability scanning the access frequency of each single source IP is very low, far below the preset threshold, so the distributed scanning behavior cannot be detected.
To solve the above problem that distributed Web vulnerability scanning cannot be detected, refer to Fig. 1, a flow chart of the method for detecting Web vulnerability scanning provided by an embodiment of the present application. This embodiment is described from the side of the security protection device and includes the following steps:
Step 110: obtain the behavioral features of the request and/or response data of the monitored Web target.
In this embodiment, the monitored Web target may be a Web server.
The request and/or response data are the data sent by a client accessing the Web target. For example, when the client requests access to the Web target, it sends request data;
As another example, after the Web target sends the client request data, for instance for verification, the client may correspondingly return response data for that verification.
Specifically, the security protection device may monitor the request and/or response data of the monitored Web target in real time. That is, the security protection device obtains the request and/or response data of the monitored Web target in real time and extracts the behavioral features of the request and/or response data. Of course, in some other embodiments the security protection device may also operate in non-real time.
The way the behavioral features of the request and/or response data are extracted is a generally known technique and is not described further in the embodiments of the present application.
A behavioral feature may be the true access intention of the obtained request and/or response data. Behavioral features are usually divided into normal behavioral features (such as logging in, verifying, downloading, etc.) and abnormal behavioral features; the abnormal behavioral features are generally called attack signatures (for example cross-site scripting (XSS), SQL injection, etc.).
Step 120: match the behavioral features against the preset attack signature rule base.
In this embodiment, the attack signature rule base contains attack signatures and attack scores, and the attack signatures correspond one-to-one with the attack scores.
The attack signatures in the attack signature rule base may be the abnormal behavioral features that the industry generally regards as attacks, such as the XSS and SQL injection mentioned above. Because there are so many attack signatures, they are not listed one by one here.
The attack score corresponding to an attack signature may be configured manually in advance. For example, attack A is configured with an attack score of 0.5 points; attack B is configured with an attack score of 0.7 points.
Generally, when an attack score is manually configured for an attack signature, it can be set according to the severity of that attack signature. For example, if the severity of the consequences of an attack signature is higher, the corresponding attack score is configured higher; conversely, if the severity is lower, the corresponding attack score is configured lower.
Suppose the severity of attack signatures is divided into 5 levels: I, II, III, IV and V. The higher the level, the higher the severity; the lower the level, the lower the severity. For an attack signature of level V, the configured attack score will clearly be higher than that of the other levels.
When an attack score is configured for an attack signature, it can also be set according to the false-positive behavior of that attack signature. A false positive here means that some other behavioral feature is mistakenly identified as this attack signature. For example, if a first attack signature and a second behavioral feature are very similar, the normal second behavioral feature may be taken for the first attack signature when attack signatures are obtained. In other words, for an attack signature that may produce false positives, an obtained instance is not necessarily really that attack signature; it may be another normal behavioral feature or another attack signature. Therefore, for an attack signature with more false positives, the corresponding attack score needs to be configured lower; conversely, for an attack signature with fewer false positives, the corresponding attack score needs to be configured higher.
It should be noted that, in practice, attack signatures may also be subject to false negatives. That is, an attack signature actually occurs but is missed during acquisition. For example, if a certain attack signature occurs 10 times and is captured only 2 times, it has been missed 8 times. Therefore, for an attack signature with more false negatives, the corresponding attack score needs to be configured higher; conversely, for an attack signature with fewer false negatives, the corresponding attack score needs to be configured lower.
It is worth noting that the attack signatures in the attack signature rule base can be maintained manually. For example: a new attack signature is added and its attack score is configured accordingly; an existing attack signature is deleted and its attack score is deleted with it; an existing attack signature is modified, in which case the attack score may or may not be modified, depending on the modification.
Step 130: from the attack scores corresponding to the behavioral features that hit the attack signature rule base, calculate the total attack score of the monitored Web target within the preset duration.
In this embodiment, after matching, the security protection device can calculate the total attack score of the monitored Web target within the preset duration from the attack scores corresponding to the behavioral features that hit the attack signature rule base.
The preset duration may be an empirical value set manually in advance. For example, the total attack score of the monitored Web target is calculated over half an hour (the preset duration).
Specifically, step 130 may include the following steps:
A1: calculate the single attack score of every single source IP that accessed the monitored Web target within the preset duration; the single attack score is the sum of the attack scores corresponding to the behavioral features with which that single source IP hit the attack signature rule base;
A2: add the single attack scores of all single source IPs to obtain the total attack score of the monitored Web target.
In this embodiment, the total attack score may be the sum of the single attack scores of all single source IPs that accessed the monitored Web target within the preset duration.
The single attack score may be the sum of the attack scores corresponding to the behavioral features with which a single source IP hit the attack signature rule base.
Specifically, the single attack score may be obtained as follows:
Obtain the attack score and the hit count for each behavioral feature with which the single source IP hit the attack signature rule base;
Multiply the attack score corresponding to the hit behavioral feature by its hit count to obtain the first score of that hit behavioral feature;
Add the first scores of all hit behavioral features to obtain the single attack score of the single source IP.
For ease of understanding, an example follows:
The security protection device obtains the following behavioral features from the request and/or response data of the monitored Web target:
1. Behavioral feature: a, source IP: A, time: 12:25;
2. Behavioral feature: a, source IP: B, time: 12:26;
3. Behavioral feature: a, source IP: A, time: 12:31;
4. Behavioral feature: b, source IP: C, time: 12:35;
5. Behavioral feature: a, source IP: B, time: 12:37;
6. Behavioral feature: d, source IP: A, time: 12:40;
7. Behavioral feature: a, source IP: B, time: 12:48;
8. Behavioral feature: c, source IP: B, time: 12:51;
9. Behavioral feature: c, source IP: A, time: 12:59;
10. Behavioral feature: e, source IP: C, time: 13:10.
Taking a current time of 13:00 and a preset duration of 30 minutes as an example, the preset attack signature rule base is as shown in Table 1 below:
Table 1
Attack signature | Attack score
a | 0.8
b | 0.5
d | 0.4
e | 0.9
First, the 10 behavioral features above are matched against the attack signature rule base shown in Table 1. Because Table 1 contains attack signatures a, b, d and e, the behavioral features with sequence numbers 1, 2, 3, 4, 5, 6, 7 and 10 are hits.
Next, the total attack score within 30 minutes is calculated from the behavioral features that hit. The hits within the 30 minutes (12:30 to 13:00) are sequence numbers 3, 4, 5, 6 and 7; the source IPs include A, B and C.
The single attack score of source IP A within the 30 minutes (sequence numbers 3 and 6): 0.8 points * 1 hit + 0.4 points * 1 hit = 1.2 points;
The single attack score of source IP B within the 30 minutes (sequence numbers 5 and 7): 0.8 points * 2 hits = 1.6 points;
The single attack score of source IP C within the 30 minutes (sequence number 4): 0.5 points * 1 hit = 0.5 points;
Then the single attack scores of all single source IPs, i.e. A, B and C, are added to obtain the total attack score of the monitored Web target: 1.2 points + 1.6 points + 0.5 points = 3.3 points.
Step 140: when the total attack score is greater than the preset threshold, obtain the detection result that the monitored Web target is subject to distributed Web vulnerability scanning.
In this embodiment, the preset threshold may be an empirical value set manually in advance. If the total attack score is greater than the preset threshold, the detection result is that the monitored Web target is subject to distributed Web vulnerability scanning;
If the total attack score is not greater than the preset threshold, the monitored Web target is not subject to distributed Web vulnerability scanning. In this case, the security protection device may output a detection result stating that the monitored Web target is not subject to distributed Web vulnerability scanning, or it may do nothing.
In the embodiments of the present application, the attack signatures in the attack signature rule base are scored in advance, so that the preset attack signature rule base contains attack signatures and attack scores, with the attack signatures corresponding one-to-one with the attack scores. When a monitored Web target is examined, the behavioral features of its request and/or response data can then be matched against the preset attack signature rule base, and the total attack score of the monitored Web target within the preset duration is calculated from the attack scores corresponding to the behavioral features that hit. When the total attack score is greater than the preset threshold, the detection result is that the monitored Web target is subject to distributed Web vulnerability scanning. Because the total attack score aggregates the rule-base hits of all source IPs, distributed Web vulnerability scanning can be detected, and detection no longer relies on a single source IP alone.
In another specific embodiment of the present application, on the basis of the above embodiment, after step A1 (calculating the single attack score of every single source IP that accessed the monitored Web target within the preset duration), the method further includes:
Selecting the highest single attack score from the single attack scores of all single source IPs;
When the highest single attack score is greater than a preset score, obtaining the detection result that the monitored Web target is subject to Web vulnerability scanning from the source IP corresponding to the highest single attack score.
In this embodiment, the preset score may be an empirical value set manually in advance, and can be used to judge whether a single source IP is performing Web vulnerability scanning.
The example from step 130 in the above embodiment is reused here. The single attack scores of all single source IPs that accessed the monitored Web target within the preset duration are:
Single attack score of source IP A = 1.2 points;
Single attack score of source IP B = 1.6 points;
Single attack score of source IP C = 0.5 points.
Of these, the highest single attack score is that of source IP B.
If the single attack score of source IP B, 1.6 points, is greater than the preset score, source IP B matches Web vulnerability scanning, and the security protection device can obtain the detection result that the monitored Web target is subject to Web vulnerability scanning from the source IP corresponding to the highest single attack score.
Conversely, if the single attack score of source IP B, 1.6 points, is not greater than the preset score, source IP B does not match Web vulnerability scanning, and the security protection device can obtain the detection result that the monitored Web target is not subject to Web vulnerability scanning from B, or it may output no detection result.
With this embodiment, Web vulnerability scanning behavior from a single source IP can be detected.
In practice, if an attack signature is hit repeatedly and that attack signature is not very important (for example, its severity is low or it produces many false positives), the total attack score finally calculated may still exceed the preset threshold simply because of the number of repeated hits. For example, A is an attack signature with many false positives. If A is hit 100 times and the calculated total attack score exceeds the preset threshold, but in reality 90 of those hits are normal behavioral features misreported as A and only 10 are really A, then the detection result that Web vulnerability scanning exists is inaccurate.
As another example, B is an attack signature of very high severity. If B is hit 5 times and the calculated total attack score does not exceed the preset threshold, no detection result indicating Web vulnerability scanning is obtained; but because the severity of B is very high, leaving it unchecked may have serious consequences.
To solve the above problems, in another specific embodiment of the present application, the single attack score may be obtained as follows:
Obtain the attack score and the hit count for each behavioral feature with which the single source IP hit the attack signature rule base;
When the hit count is equal to 1, multiply the attack score corresponding to the hit behavioral feature by the hit count to obtain the second score of that hit attack signature;
When the hit count is greater than 1, multiply the attack score corresponding to the hit behavioral feature by the hit count and then by a weight to obtain the third score of that hit attack signature;
Add the second scores and third scores of all hit behavioral features to obtain the single attack score of the single source IP.
In this embodiment, the weight may be an empirical value set manually in advance.
In practice, the weight can be set according to the importance of the attack signature. For example, if an attack signature is not very important, its attack score can be weakened when it is hit repeatedly; that is, a weight can be set whose range may be (0, 1);
If an attack signature is very important, its attack score can be strengthened when it is hit repeatedly; that is, a weight can be set whose range may be greater than 1.
Continuing with the example from step 130 in the above embodiment, suppose attack signature a is not very important and its weight is set to 0.2. The single attack score of source IP B within the 30 minutes (sequence numbers 5 and 7) is then 0.8 points * 2 hits * 0.2 = 0.32 points.
With this embodiment of the present application, the attack score of an attack signature that is hit repeatedly can be strengthened or weakened by setting a weight, which prevents repeated hits on one attack signature from distorting the calculated attack score. The total attack score finally obtained is therefore more accurate, which improves the accuracy of the final detection result.
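The scoring of steps 130 and 140, the highest-single-score check and the repeat-hit weighting described above, as an added example that is not part of the original patent text. It replays the ten sample observations and Table 1 from the page; the two thresholds (3.0 and 2.0) and all function names are assumptions chosen for illustration, since the page only calls these values empirical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Table 1 from the page: attack signature -> attack score.
RULE_BASE = {"a": 0.8, "b": 0.5, "d": 0.4, "e": 0.9}


def hhmm(text):
    """Parse the page's HH:MM timestamps (all on the same day)."""
    return datetime.strptime(text, "%H:%M")


# The ten sample observations from the page: (feature, source IP, time).
EVENTS = [
    ("a", "A", hhmm("12:25")), ("a", "B", hhmm("12:26")),
    ("a", "A", hhmm("12:31")), ("b", "C", hhmm("12:35")),
    ("a", "B", hhmm("12:37")), ("d", "A", hhmm("12:40")),
    ("a", "B", hhmm("12:48")), ("c", "B", hhmm("12:51")),
    ("c", "A", hhmm("12:59")), ("e", "C", hhmm("13:10")),
]

NOW = hhmm("13:00")               # current time used in the page's example
WINDOW = timedelta(minutes=30)    # preset duration used in the page's example

# Assumed values: the page gives no numbers for these thresholds.
TOTAL_THRESHOLD = 3.0    # preset threshold for the total attack score
SOURCE_THRESHOLD = 2.0   # preset score for the highest single attack score


def single_attack_scores(events, rules, now, window, repeat_weights=None):
    """Step A1: per-source-IP score over the window.

    Without repeat_weights each hit feature contributes score * hit count.
    With repeat_weights, a feature hit more than once is additionally
    multiplied by its weight (features without a weight default to 1.0).
    """
    start = now - window
    hits = defaultdict(Counter)
    for feature, source_ip, seen_at in events:
        # Only features present in the rule base count as hits.
        if feature in rules and start <= seen_at <= now:
            hits[source_ip][feature] += 1

    scores = {}
    for source_ip, counts in hits.items():
        score = 0.0
        for feature, count in counts.items():
            part = rules[feature] * count
            if count > 1 and repeat_weights:
                part *= repeat_weights.get(feature, 1.0)
            score += part
        scores[source_ip] = round(score, 6)  # trim float noise
    return scores


def evaluate(scores, total_threshold, source_threshold):
    """Step A2 and step 140, plus the highest-single-score check."""
    total = round(sum(scores.values()), 6)
    top_ip = max(scores, key=scores.get) if scores else None
    return {
        "total": total,
        "distributed_scan": total > total_threshold,
        "top_source": top_ip,
        "single_source_scan": top_ip is not None
        and scores[top_ip] > source_threshold,
    }


if __name__ == "__main__":
    plain = single_attack_scores(EVENTS, RULE_BASE, NOW, WINDOW)
    print(plain, evaluate(plain, TOTAL_THRESHOLD, SOURCE_THRESHOLD))
    # Weight 0.2 for signature a, as in the page's weighted example.
    weighted = single_attack_scores(EVENTS, RULE_BASE, NOW, WINDOW, {"a": 0.2})
    print(weighted, evaluate(weighted, TOTAL_THRESHOLD, SOURCE_THRESHOLD))
```

With the assumed thresholds, no single source exceeds 2.0 while the unweighted total of 3.3 exceeds 3.0, which is the distributed case the method targets.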
Corresponding to the foregoing embodiments of the method for detecting Web vulnerability scanning, the present application also provides embodiments of a device for detecting Web vulnerability scanning.
The embodiments of the device for detecting Web vulnerability scanning of the present application can be applied on a security protection device. The device embodiments may be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the device in the logical sense is formed by the processor of the equipment on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 2 shows a hardware structure diagram of the equipment on which the device for detecting Web vulnerability scanning of the present application resides. In addition to the processor, network interface, memory and non-volatile memory shown in Fig. 2, the equipment on which the device resides in an embodiment may also include other hardware, depending on the actual function of detecting Web vulnerability scanning.
Refer to Fig. 3, a module diagram of the device for detecting Web vulnerability scanning provided by an embodiment of the present application. The device may include: an obtaining unit 310, a matching unit 320, a statistics unit 330 and a detection unit 340.
The obtaining unit 310 is configured to obtain the behavioral features of the request and/or response data of the monitored Web target;
The matching unit 320 is configured to match the behavioral features against a preset attack signature rule base; the attack signature rule base contains attack signatures and attack scores, and the attack signatures correspond one-to-one with the attack scores;
The statistics unit 330 is configured to calculate, from the attack scores corresponding to the behavioral features that hit the attack signature rule base, the total attack score of the monitored Web target within the preset duration;
The detection unit 340 is configured to obtain, when the total attack score is greater than the preset threshold, the detection result that the monitored Web target is subject to distributed Web vulnerability scanning.
In an optional implementation:
The statistics unit 330 may specifically include:
A first statistics subunit, configured to compute the single attack score of each single source IP among all source IPs that access the detected Web target within the preset duration; the single attack score is the sum of the attack scores corresponding to the behavior characteristics with which that single source IP hits the attack signature rule base;
A second statistics subunit, configured to add up the single attack scores of all single source IPs to obtain the total attack score of the detected Web target.
In an optional implementation:
After the first statistics subunit, the device may also include:
A screening subunit, configured to select the highest single attack score from the single attack scores of all single source IPs;
A detection subunit, configured to conclude, when the highest single attack score is greater than a preset score, that the detected Web target is undergoing Web vulnerability scanning from the source IP corresponding to that highest single attack score.
In an optional implementation:
The first statistics subunit may specifically include:
An obtaining subunit, configured to obtain the attack score and the hit count corresponding to each behavior characteristic with which the single source IP hits the attack signature rule base;
A first computation subunit, configured to multiply the attack score corresponding to a hit behavior characteristic by its hit count to obtain the first score of that hit behavior characteristic;
A summation subunit, configured to add up the first scores obtained for all hit behavior characteristics to obtain the single attack score of the single source IP.
In an optional implementation:
The first statistics subunit may specifically include:
An obtaining subunit, configured to obtain the attack score and the hit count corresponding to each behavior characteristic with which the single source IP hits the attack signature rule base;
A second computation subunit, configured to, when the hit count equals 1, multiply the attack score corresponding to the hit behavior characteristic by the hit count to obtain the second score of that hit attack signature;
A third computation subunit, configured to, when the hit count is greater than 1, multiply the attack score corresponding to the hit behavior characteristic by the hit count and then by the weight value to obtain the third score of that hit attack signature;
A summation subunit, configured to add up the second scores and third scores obtained for all hit behavior characteristics to obtain the single attack score of the single source IP.
In summary, in the embodiments of the present application the attack signatures in the attack signature rule base are scored in advance, so that the preset attack signature rule base contains attack signatures and attack scores, with the attack signatures corresponding one-to-one with the attack scores. Thus, when a detected Web target is examined, the behavior characteristics of the request and/or reply data of the detected Web target can be matched against the preset attack signature rule base, and the total attack score of the detected Web target within the preset duration is computed from the attack scores corresponding to the hit behavior characteristics. When the total attack score is greater than the preset threshold, the detection result is that the detected Web target is undergoing distributed Web vulnerability scanning. Because the total attack score accumulates the rule-base hits of all source IPs, distributed Web vulnerability scanning can be detected, and detection of Web vulnerability scanning no longer relies on a single source IP alone.
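The scoring scheme summarized above can be worked through in code. The following Python sketch is an added example, not part of the patent text. The rule base contents, scores, thresholds, weight and sample events are all constructed, and extraction of behavior characteristics from request/reply data is abstracted to a feature label.

```python
from collections import Counter, defaultdict

# Constructed rule base: attack signature -> attack score (one-to-one).
RULE_BASE = {"sql_injection_probe": 5, "path_traversal_probe": 4,
             "scanner_user_agent": 3, "sensitive_file_404": 1}

# Constructed events: (timestamp in seconds, source IP, behavior feature label).
EVENTS = [
    (0, "192.0.2.10", "sql_injection_probe"),
    (5, "192.0.2.11", "path_traversal_probe"),
    (9, "198.51.100.7", "scanner_user_agent"),
    (12, "198.51.100.7", "scanner_user_agent"),
    (20, "203.0.113.5", "sensitive_file_404"),
    (25, "203.0.113.9", "normal_page_view"),     # matches no signature
    (70, "192.0.2.10", "sql_injection_probe"),   # outside the preset duration
]

def count_hits(events, start, duration):
    """Per source IP, count rule-base hits that fall inside the preset duration."""
    hits = defaultdict(Counter)
    for ts, src_ip, feature in events:
        if start <= ts < start + duration and feature in RULE_BASE:
            hits[src_ip][feature] += 1
    return hits

def single_attack_score(sig_hits, repeat_weight=1.0):
    """Sum of score x hit count; signatures hit more than once are also weighted."""
    total = 0.0
    for sig, count in sig_hits.items():
        score = RULE_BASE[sig] * count
        total += score * repeat_weight if count > 1 else score
    return total

def detect(events, start, duration, total_threshold, single_threshold, repeat_weight=1.0):
    """Return per-IP scores, the total, and both detection results."""
    per_ip = {ip: single_attack_score(h, repeat_weight)
              for ip, h in count_hits(events, start, duration).items()}
    total = sum(per_ip.values())
    top_ip = max(per_ip, key=per_ip.get, default=None)
    single = top_ip if top_ip is not None and per_ip[top_ip] > single_threshold else None
    return {"per_ip": per_ip, "total": total,
            "distributed_scan": total > total_threshold,  # summed over all source IPs
            "single_source_scan": single}                 # highest single score vs preset score

if __name__ == "__main__":
    print(detect(EVENTS, 0, 60, total_threshold=12, single_threshold=8))
```

With these constructed values no single source IP exceeds the preset score, yet the total across all sources exceeds the preset threshold, which is the distributed case the method is meant to catch.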
For the implementation of the functions and effects of each unit in the above device, refer to the implementation of the corresponding steps in the above method; the details are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant parts may be found in the description of the method embodiments. The device embodiments described above are only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the present application. Those of ordinary skill in the art can understand and implement it without creative effort.
Those skilled in the art, after considering the description and practicing the invention disclosed herein, will readily conceive of other embodiments of the present application. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the art not disclosed by the present application. The description and embodiments are to be regarded as exemplary only, with the true scope and spirit of the present application indicated by the following claims.
It should be understood that the present application is not limited to the precise structure described above and illustrated in the accompanying drawings, and that various modifications and changes can be made without departing from its scope. The scope of the present application is limited only by the appended claims.