CN106254368A - The detection method of Web vulnerability scanning and device - Google Patents

The detection method of Web vulnerability scanning and device

Info

Publication number: CN106254368A
Authority: CN (China)
Prior art keywords: attack, score value, hit, behavior characteristics, value
Legal status: Granted
Application number: CN201610728300.0A
Other languages: Chinese (zh)
Other versions: CN106254368B (en)
Inventor: 吴庆
Current Assignee: Hangzhou DPtech Information Technology Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201610728300.0A
Publication of CN106254368A
Application granted
Publication of CN106254368B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application provides a detection method and device for Web vulnerability scanning. The method includes: obtaining behavior features of request and/or reply data of a detected Web target; matching the behavior features against a preset attack signature rule base, where the rule base contains attack signatures and attack scores in one-to-one correspondence; computing, according to the attack scores corresponding to the behavior features that hit the rule base, the total attack score of the detected Web target within a preset duration; and, when the total attack score exceeds a predetermined threshold, concluding that the detected Web target is subject to distributed Web vulnerability scanning. With the embodiments of the present application, distributed Web vulnerability scanning can be detected.

Description

The detection method of Web vulnerability scanning and device
Technical field
The present application relates to the field of Internet technology, and in particular to a detection method and device for Web vulnerability scanning.
Background technology
Web vulnerability scanning can be used to look for vulnerabilities in a Web server. However, the technique is also readily used by hackers to find vulnerabilities on a Web server and then attack that server.
In the prior art, security protection devices detect Web vulnerability scanning mainly through statistics on a single IP. For example, the access frequency of a single source IP against a certain Web server is counted; if that access frequency exceeds a predetermined threshold, the single source IP is taken to be performing Web vulnerability scanning against the Web server.
However, with the development of vulnerability scanning technology, Web vulnerability scanning has developed from the traditional single-host scanning mode into a distributed scanning mode. In distributed Web vulnerability scanning, an attacker can scan a Web server through a large number of clients, each of which may only scan a few times, so the above statistics based on a single IP often cannot detect distributed Web vulnerability scanning.
Summary of the invention
The present application provides a detection method and device for Web vulnerability scanning, to solve the problem that the prior art cannot detect distributed Web vulnerability scanning.
According to a detection method for Web vulnerability scanning provided by an embodiment of the present application, the method includes:
obtaining behavior features of request and/or reply data of a detected Web target;
matching the behavior features against a preset attack signature rule base, where the attack signature rule base contains attack signatures and attack scores, and the attack signatures and attack scores are in one-to-one correspondence;
computing, according to the attack scores corresponding to the behavior features that hit the attack signature rule base, the total attack score of the detected Web target within a preset duration;
when the total attack score exceeds a predetermined threshold, concluding that the detected Web target is subject to distributed Web vulnerability scanning.
Optionally, computing the total attack score of the detected Web target within the preset duration according to the attack scores corresponding to the behavior features that hit the attack signature rule base specifically includes:
computing, for every single source IP that accesses the detected Web target within the preset duration, a single attack score, where the single attack score is the sum of the attack scores corresponding to the behavior features of that source IP that hit the attack signature rule base;
adding the single attack scores of all single source IPs to obtain the total attack score of the detected Web target.
Optionally, after computing the single attack score of every single source IP that accesses the detected Web target within the preset duration, the method further includes:
selecting, from the single attack scores of all single source IPs, the highest single attack score;
when the highest single attack score exceeds a preset score, concluding that the detected Web target is subject to Web vulnerability scanning from the source IP corresponding to that highest single attack score.
Optionally, the single attack score is obtained as follows:
obtaining the attack scores corresponding to the behavior features of the single source IP that hit the attack signature rule base, and the hit count of each;
multiplying the attack score corresponding to each hit behavior feature by its hit count to obtain a first score for that hit behavior feature;
adding the first scores of all hit behavior features to obtain the single attack score of the single source IP.
Optionally, the single attack score is obtained as follows:
obtaining the attack scores corresponding to the behavior features of the single source IP that hit the attack signature rule base, and the hit count of each;
when the hit count equals 1, multiplying the attack score corresponding to the hit behavior feature by the hit count to obtain a second score for the hit attack signature;
when the hit count is greater than 1, multiplying the attack score corresponding to the hit behavior feature by the hit count and then by a weight value to obtain a third score for the hit attack signature;
adding the second scores and third scores of all hit behavior features to obtain the single attack score of the single source IP.
According to a detection device for Web vulnerability scanning provided by an embodiment of the present application, the device includes:
an acquiring unit, for obtaining behavior features of request and/or reply data of a detected Web target;
a matching unit, for matching the behavior features against a preset attack signature rule base, where the attack signature rule base contains attack signatures and attack scores in one-to-one correspondence;
a statistic unit, for computing, according to the attack scores corresponding to the behavior features that hit the attack signature rule base, the total attack score of the detected Web target within a preset duration;
a detection unit, for concluding, when the total attack score exceeds a predetermined threshold, that the detected Web target is subject to distributed Web vulnerability scanning.
Optionally, the statistic unit specifically includes:
a first statistics subunit, for computing the single attack score of every single source IP that accesses the detected Web target within the preset duration, where the single attack score is the sum of the attack scores corresponding to the behavior features of that source IP that hit the attack signature rule base;
a second statistics subunit, for adding the single attack scores of all single source IPs to obtain the total attack score of the detected Web target.
Optionally, after the first statistics subunit, the device further includes:
a screening subunit, for selecting the highest single attack score from the single attack scores of all single source IPs;
a detection subunit, for concluding, when the highest single attack score exceeds a preset score, that the detected Web target is subject to Web vulnerability scanning from the source IP corresponding to that highest single attack score.
Optionally, the first statistics subunit specifically includes:
an obtaining subunit, for obtaining the attack scores corresponding to the behavior features of the single source IP that hit the attack signature rule base, and the hit count of each;
a first computation subunit, for multiplying the attack score corresponding to each hit behavior feature by its hit count to obtain a first score for that hit behavior feature;
a summation subunit, for adding the first scores of all hit behavior features to obtain the single attack score of the single source IP.
Optionally, the first statistics subunit specifically includes:
an obtaining subunit, for obtaining the attack scores corresponding to the behavior features of the single source IP that hit the attack signature rule base, and the hit count of each;
a second computation subunit, for multiplying, when the hit count equals 1, the attack score corresponding to the hit behavior feature by the hit count to obtain a second score for the hit attack signature;
a third computation subunit, for multiplying, when the hit count is greater than 1, the attack score corresponding to the hit behavior feature by the hit count and then by a weight value to obtain a third score for the hit attack signature;
a summation subunit, for adding the second scores and third scores of all hit behavior features to obtain the single attack score of the single source IP.
In the embodiments of the present application, the attack signatures in the attack signature rule base are scored in advance, so that the preset rule base contains attack signatures and attack scores in one-to-one correspondence. When a detected Web target is examined, the behavior features of its request and/or reply data are matched against the preset rule base, and the total attack score of the detected Web target within the preset duration is computed from the attack scores corresponding to the hit behavior features; when the total attack score exceeds the predetermined threshold, the detected Web target is concluded to be subject to distributed Web vulnerability scanning. Because the total attack score aggregates the rule-base hits of all active source IPs, distributed Web vulnerability scanning can be detected, avoiding reliance on a single source IP alone as the basis for detecting Web vulnerability scanning.
Brief description of the drawings
Fig. 1 is a flow chart of a detection method for Web vulnerability scanning in the prior art;
Fig. 2 is a hardware structure diagram of the equipment in which the detection device for Web vulnerability scanning of the present application is located;
Fig. 3 is a module diagram of the detection device for Web vulnerability scanning provided by an embodiment of the present application.
Detailed description of the invention
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are only examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "the" and "said" used in the application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
As stated above, security protection devices generally detect Web vulnerability scanning based on statistics of a single IP. Besides the access frequency of a single source IP mentioned above, the statistics may also be the access frequency of a single source IP and URL, the number of attacks from a single source IP and Cookie within a preset time period, the frequency with which a single source IP performs a behavior feature, the number of HTTP 404 states triggered by a single source IP within a preset time period, and so on. Whatever the form, all of them detect Web vulnerability scanning based on statistics of a single source IP. However, with the development of vulnerability scanning technology, Web vulnerability scanning has developed from the traditional single-host scanning mode into a distributed scanning mode. In distributed Web vulnerability scanning, an attacker can scan a Web server through a large number of clients, each of which may only scan a few times, so the above statistics based on a single IP often cannot detect distributed Web vulnerability scanning. Taking the access frequency of a single source IP as an example: in distributed Web vulnerability scanning the access frequency of each single source IP is very low, far below the predetermined threshold, so the distributed scanning behavior cannot be detected.
To solve the above problem that distributed Web vulnerability scanning cannot be detected, refer to Fig. 1, the flow chart of the detection method for Web vulnerability scanning provided by an embodiment of the present application. This embodiment is described from the side of the security protection device and includes the following steps:
Step 110: obtain behavior features of request and/or reply data of the detected Web target.
In the present embodiment, the detected Web target may be a Web server.
The request and/or reply data are data sent by a client accessing the Web target. For example, when the client requests access to the Web target, it sends request data;
as another example, after the Web target sends request data, such as a verification request, to the client, the client correspondingly returns reply data for the verification.
Specifically, the security protection device may monitor the request and/or reply data of the detected Web target in real time. That is, the security protection device obtains the request and/or reply data of the detected Web target in real time and extracts the behavior features of that request and/or reply data. Of course, in some other embodiments, the security protection device may also work in non-real time.
The way in which the behavior features of the request and/or reply data are extracted is a generally known technique and is not repeated in the embodiments of the present application.
The behavior features may be the actual access intention of the acquired request and/or reply data. Generally, they are divided into normal behavior features (such as login, verification, download, etc.) and abnormal behavior features; the abnormal behavior features are generally referred to as attack signatures (including, for example, XSS (cross-site scripting), SQL injection, etc.).
Step 120: match the behavior features against the preset attack signature rule base.
In the present embodiment, the attack signature rule base contains attack signatures and attack scores, and the attack signatures and attack scores are in one-to-one correspondence.
The attack signatures in the attack signature rule base may be the abnormal behavior features generally regarded in the industry as attacks, such as the XSS and SQL injection mentioned above. Because there are too many attack signatures, they are not listed one by one here.
The attack score corresponding to an attack signature may be configured manually in advance. For example, for attack A the configured attack score is 0.5 points; for attack B the configured attack score is 0.7 points.
Generally, when the attack score of an attack signature is configured manually, it may be scored according to the severity of that attack signature. For example, an attack signature that causes higher severity is configured with a correspondingly higher attack score; conversely, one that causes lower severity is configured with a lower attack score.
Assume the severity of attack signatures is divided into five grades: I, II, III, IV and V. The higher the grade, the higher the severity; the lower the grade, the lower the severity. For an attack signature of grade V, the configured attack score is obviously higher than that of the other grades.
When configuring the attack score of an attack signature, scoring may also be based on the false-positive situation of that attack signature. A false positive here means that some other behavior feature is mistakenly identified as this attack signature. For example, if a first attack signature and a second behavior feature are similar, then when attack signatures are obtained a normal second behavior feature may be regarded as the first attack signature. That is, for an attack signature that may produce false positives, the attack signature obtained is not necessarily truly that attack signature; it may also be some other normal behavior feature or some other attack signature. Therefore, an attack signature with more false positives needs a correspondingly lower attack score, and an attack signature with fewer false positives needs a correspondingly higher attack score.
It should be noted that in practice an attack signature may also be missed (a false negative): an attack signature that actually exists may fail to be captured during acquisition. For example, if a certain attack signature is captured only 2 times out of 10, then it has been missed 8 times. Therefore, for an attack signature that is missed more often, the attack score needs to be configured correspondingly higher; conversely, for an attack signature that is missed less often, the attack score needs to be configured correspondingly lower.
It is noted that the attack signatures in the attack signature rule base can be operated on manually, for example: adding a new attack signature and configuring its corresponding attack score; deleting an existing attack signature together with its attack score; modifying an existing attack signature, in which case the attack score may or may not be modified depending on the modification.
Step 130: according to the attack scores corresponding to the behavior features that hit the attack signature rule base, compute the total attack score of the detected Web target within the preset duration.
In the present embodiment, after matching, the security protection device may compute the total attack score of the detected Web target within the preset duration according to the attack scores corresponding to the behavior features that hit the attack signature rule base.
The preset duration may be an empirical value set manually in advance. For example, the total attack score of the detected Web target within half an hour (the preset duration) is computed.
Specifically, step 130 may include the following steps:
A1: compute the single attack score of every single source IP that accesses the detected Web target within the preset duration; the single attack score is the sum of the attack scores corresponding to the behavior features of that source IP that hit the attack signature rule base;
A2: add the single attack scores of all single source IPs to obtain the total attack score of the detected Web target.
In the present embodiment, the total attack score may be the sum of the single attack scores of all single source IPs that access the detected Web target within the preset duration.
The single attack score may be the sum of the attack scores corresponding to the behavior features of a single source IP that hit the attack signature rule base.
Specifically, the single attack score may be obtained as follows:
obtain the attack scores corresponding to the behavior features of the single source IP that hit the attack signature rule base, and the hit count of each;
multiply the attack score corresponding to each hit behavior feature by its hit count to obtain a first score for that hit behavior feature;
add the first scores of all hit behavior features to obtain the single attack score of the single source IP.
For ease of understanding, an example follows:
The security protection device obtains the following behavior features of the request and/or reply data of the detected Web target:
1. behavior feature: a, source IP: A, time: 12:25;
2. behavior feature: a, source IP: B, time: 12:26;
3. behavior feature: a, source IP: A, time: 12:31;
4. behavior feature: b, source IP: C, time: 12:35;
5. behavior feature: a, source IP: B, time: 12:37;
6. behavior feature: d, source IP: A, time: 12:40;
7. behavior feature: a, source IP: B, time: 12:48;
8. behavior feature: c, source IP: B, time: 12:51;
9. behavior feature: c, source IP: A, time: 12:59;
10. behavior feature: e, source IP: C, time: 13:10.
Take the current time as 13:00 and the preset duration as 30 minutes, with the preset attack signature rule base as shown in table 1 below:

Table 1
Attack signature    Attack score
a                   0.8
b                   0.5
d                   0.4
e                   0.9

First, the above 10 behavior features are matched against the attack signature rule base in table 1. Since table 1 contains the attack signatures a, b, d and e, the behavior features numbered 1, 2, 3, 4, 5, 6, 7 and 10 hit.
Further, the total attack score within 30 minutes is computed from the matched behavior features. The hits within the 30 minutes (12:30 to 13:00) are those numbered 3, 4, 5, 6 and 7, and their source IPs are A, B and C.
The single attack score of source IP A within the 30 minutes (numbers 3 and 6) is 0.8 points × 1 + 0.4 points × 1 = 1.2 points;
the single attack score of source IP B within the 30 minutes (numbers 5 and 7) is 0.8 points × 2 = 1.6 points;
the single attack score of source IP C within the 30 minutes (number 4) is 0.5 points × 1 = 0.5 points.
Then the single attack scores of all single source IPs, namely A, B and C, are added to obtain the total attack score of the detected Web target: 1.2 points + 1.6 points + 0.5 points = 3.3 points.
Step 140: when the total attack score exceeds the predetermined threshold, conclude that the detected Web target is subject to distributed Web vulnerability scanning.
In the present embodiment, the predetermined threshold may be an empirical value set manually in advance. If the total attack score exceeds the predetermined threshold, it can be concluded that the detected Web target is subject to distributed Web vulnerability scanning;
if the total attack score does not exceed the predetermined threshold, the detected Web target is not subject to distributed Web vulnerability scanning. In this case the security protection device may output a detection result stating that the detected Web target is not subject to distributed Web vulnerability scanning, or may take no action.
In the embodiments of the present application, the attack signatures in the attack signature rule base are scored in advance, so that the preset rule base contains attack signatures and attack scores in one-to-one correspondence. When a detected Web target is examined, the behavior features of its request and/or reply data are matched against the preset rule base, and the total attack score of the detected Web target within the preset duration is computed from the attack scores corresponding to the hit behavior features; when the total attack score exceeds the predetermined threshold, the detected Web target is concluded to be subject to distributed Web vulnerability scanning. Because the total attack score aggregates the rule-base hits of all active source IPs, distributed Web vulnerability scanning can be detected, avoiding reliance on a single source IP alone as the basis for detecting Web vulnerability scanning.
At another of the application specifically in embodiment, on the basis of above-described embodiment, in described step A1: system In meter preset duration after the single attack score value of the single source IP of the described detected Web target of all access, described method is also Including:
From the single attack score value of described all single source IP, filter out the single attack score value that score value is the highest;
In the case of the single attack score value that described score value is the highest is more than and presets score value, draw described detected Web mesh Mark suffers the testing result of the Web vulnerability scanning from the source IP corresponding to the highest single attack score value of described score value.
In the present embodiment, described default score value can be the empirical value artificially pre-set, and may be used for weighing list Whether one source IP exists the situation of Web vulnerability scanning.
Continuing the example from step 130 of the above embodiment, the single attack scores of all single source IPs that accessed the detected Web target within the preset duration are:
Source IP A: single attack score = 1.2 points;
Source IP B: single attack score = 1.6 points;
Source IP C: single attack score = 0.5 points.
Here the highest single attack score is that of source IP B.
If the single attack score of source IP B, 1.6 points, exceeds the preset score, source IP B is judged to be performing Web vulnerability scanning, and the security protection device produces the detection result that the detected Web target is subject to Web vulnerability scanning from the source IP corresponding to the highest single attack score.
Conversely, if the single attack score of source IP B, 1.6 points, does not exceed the preset score, source IP B is judged not to be performing Web vulnerability scanning, and the security protection device may produce the detection result that the detected Web target is not subject to Web vulnerability scanning from B, or may output no detection result at all.
This embodiment therefore allows Web vulnerability scanning by a single source IP to be detected.
In practice, if an attack signature is hit repeatedly but is not very important (for example, it is of low severity and prone to false positives), the repeated hits may still push the accumulated attack total score over the predetermined threshold. For example, suppose A is an attack signature with many false positives. If A is recorded as hit 100 times and the accumulated attack total score exceeds the predetermined threshold, but in fact 90 of those hits were false positives on normal behavior features and only 10 were genuinely A, then a detection result of Web vulnerability scanning would be inaccurate.
Conversely, suppose B is an attack signature of very high severity. If B is hit 5 times and the accumulated attack total score does not exceed the predetermined threshold, no detection result of Web vulnerability scanning can be produced; yet because B is so severe, leaving it unchecked may cause serious consequences.
To address these problems, in another specific embodiment of the application the single attack score may be obtained as follows:
Obtain, for this single source IP, the attack score corresponding to each behavior feature that hit the attack signature rule base, together with its hit count;
When the hit count equals 1, multiply the attack score corresponding to the hit behavior feature by the hit count to obtain the second score of that hit attack signature;
When the hit count is greater than 1, multiply the attack score corresponding to the hit behavior feature by the hit count and then by a weight value to obtain the third score of that hit attack signature;
Add the second scores and third scores obtained for all hit behavior features to obtain the single attack score of this single source IP.
In this embodiment, the weight value may be an empirical value set manually in advance.
In practice, the weight value can be set according to the importance of the attack signature. For example, if an attack signature is not very important, its attack score can be weakened when the signature is hit repeatedly by setting a weight value in the range (0, 1);
if an attack signature is very important, its attack score can be strengthened when the signature is hit repeatedly by setting a weight value greater than 1.
Continuing the example from step 130 of the above embodiment, suppose attack signature a is not very important and its weight value is set to 0.2. Then the single attack score of source IP B (sequence numbers 5 and 7) accumulated over 30 minutes is 0.8 points * 2 * 0.2 = 0.32 points.
In the embodiments of the present application, an attack signature that is hit repeatedly can have its attack score strengthened or weakened by setting a weight value, which limits the distortion that repeated hits of one signature introduce into the accumulated attack score. The resulting attack total score is more accurate, which improves the accuracy of the final detection result.
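The two scoring forms and the two verdicts described above, as an added Python example that is not code from the patent or the applicant: the rule base, weight values, sample window, threshold and preset score are constructed assumptions chosen to reproduce the figures in the text (A = 1.2, B = 1.6, C = 0.5, and B's weighted score of 0.32).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed attack-signature rule base (assumption, not from the patent).
# Every attack feature carries a pre-assigned attack score and a weight that
# is applied only when one source IP hits the same feature more than once:
# a weight in (0, 1) dampens a low-severity, false-positive-prone feature,
# a weight > 1 amplifies a severe one.
RULE_BASE = {
    "a": {"score": 0.8, "weight": 0.2},   # noisy, low severity
    "b": {"score": 1.0, "weight": 1.5},   # severe
    "c": {"score": 0.5, "weight": 0.5},
    "d": {"score": 0.2, "weight": 0.5},
}


@dataclass(frozen=True)
class Observation:
    """One behavior feature extracted from a request or response, with its source IP."""
    src_ip: str
    feature: str


def single_ip_score(hits, rule_base, weighted=True):
    """Single attack score of one source IP from its {feature: hit count}.

    Unweighted form: sum of score * hit_count over the hit features.
    Weighted form:   hit_count == 1 -> score * hit_count
                     hit_count > 1  -> score * hit_count * weight
    """
    total = 0.0
    for feature, count in hits.items():
        rule = rule_base[feature]
        part = rule["score"] * count
        if weighted and count > 1:
            part *= rule["weight"]
        total += part
    return total


def score_window(observations, rule_base, weighted=True):
    """Per-source-IP single attack scores for one preset-duration window."""
    per_ip = defaultdict(Counter)
    for obs in observations:
        if obs.feature in rule_base:          # only rule-base hits contribute
            per_ip[obs.src_ip][obs.feature] += 1
    return {ip: single_ip_score(hits, rule_base, weighted)
            for ip, hits in per_ip.items()}


def detect(per_ip_scores, threshold, preset_score):
    """Combine the two verdicts described in the text.

    distributed: attack total score (sum over all source IPs) > threshold
    single_ip:   the source IP with the highest single attack score, if that
                 score > preset_score, otherwise None
    """
    total = sum(per_ip_scores.values())
    verdict = {"total": total, "distributed": total > threshold, "single_ip": None}
    if per_ip_scores:
        top_ip, top_score = max(per_ip_scores.items(), key=lambda kv: kv[1])
        if top_score > preset_score:
            verdict["single_ip"] = top_ip
    return verdict


# Constructed 30-minute window reproducing the text's figures: A = 1.2,
# B = 1.6 (feature a hit twice), C = 0.5. The last observation is not in
# the rule base and therefore never counts.
WINDOW = [
    Observation("A", "b"), Observation("A", "d"),
    Observation("B", "a"), Observation("B", "a"),
    Observation("C", "c"),
    Observation("C", "not-a-signature"),
]
THRESHOLD = 3.0      # assumed predetermined threshold for the attack total score
PRESET_SCORE = 1.5   # assumed preset score for a single source IP


if __name__ == "__main__":
    # Unweighted: total 3.3 > 3.0 and B = 1.6 > 1.5, so both verdicts fire.
    # Weighted: B drops to 0.32, total 2.02, and neither verdict fires.
    for weighted in (False, True):
        scores = score_window(WINDOW, RULE_BASE, weighted)
        print("weighted" if weighted else "unweighted", scores,
              detect(scores, THRESHOLD, PRESET_SCORE))
```

Running it with and without weighting shows how a weight in (0, 1) on the noisy feature a keeps B's two repeated hits from carrying the window over both thresholds.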
Corresponding to the foregoing embodiments of the detection method for Web vulnerability scanning, the present application also provides embodiments of a detection device for Web vulnerability scanning.
The embodiments of the detection device for Web vulnerability scanning of the application can each be applied on a security protection device. The device embodiments may be implemented in software, in hardware, or in a combination of hardware and software. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment hosting it reading the corresponding computer program instructions from non-volatile memory into internal memory and running them. At the hardware level, Fig. 2 shows a hardware architecture diagram of the equipment hosting the detection device for Web vulnerability scanning of the application; besides the processor, network interface, internal memory and non-volatile memory shown in Fig. 2, the equipment hosting the device in the embodiments generally may also include other hardware according to the actual function of the detection of Web vulnerability scanning.
Refer to Fig. 3, a module diagram of the detection device for Web vulnerability scanning provided by one embodiment of the application. The device may include: an acquiring unit 310, a matching unit 320, a statistic unit 330 and a detector unit 340.
The acquiring unit 310 is used to obtain the behavior features of the requests and/or responses of the detected Web target;
The matching unit 320 is used to match the behavior features against a preset attack signature rule base, the attack signature rule base containing attack signatures and attack scores, with a one-to-one correspondence between the attack signatures and the attack scores;
The statistic unit 330 is used to count, according to the attack scores corresponding to the behavior features that hit the attack signature rule base, the attack total score of the detected Web target within a preset duration;
The detector unit 340 is used to produce, when the attack total score exceeds a predetermined threshold, the detection result that the detected Web target is subject to distributed Web vulnerability scanning.
In an optional implementation:
The statistic unit 330 may specifically include:
A first statistics subelement, used to count, within the preset duration, the single attack score of each single source IP that accessed the detected Web target, the single attack score being the sum of the attack scores corresponding to the behavior features with which that single source IP hit the attack signature rule base;
A second statistics subelement, used to add the single attack scores of all single source IPs to obtain the attack total score of the detected Web target.
In an optional implementation:
After the first statistics subelement, the device may further include:
A screening subelement, used to select, from the single attack scores of all single source IPs, the highest single attack score;
A detection subelement, used to produce, when the highest single attack score exceeds a preset score, the detection result that the detected Web target is subject to Web vulnerability scanning from the source IP corresponding to that highest single attack score.
In an optional implementation:
The first statistics subelement may specifically include:
An obtaining subelement, used to obtain, for that single source IP, the attack score corresponding to each behavior feature that hit the attack signature rule base, together with its hit count;
A first computation subelement, used to multiply the attack score corresponding to the hit behavior feature by the hit count to obtain the first score of that hit behavior feature;
A summation subelement, used to add the first scores obtained for all hit behavior features to obtain the single attack score of that single source IP.
In an optional implementation:
The first statistics subelement may specifically include:
An obtaining subelement, used to obtain, for that single source IP, the attack score corresponding to each behavior feature that hit the attack signature rule base, together with its hit count;
A second computation subelement, used to multiply, when the hit count equals 1, the attack score corresponding to the hit behavior feature by the hit count to obtain the second score of that hit attack signature;
A third computation subelement, used to multiply, when the hit count is greater than 1, the attack score corresponding to the hit behavior feature by the hit count and then by a weight value to obtain the third score of that hit attack signature;
A summation subelement, used to add the second scores and third scores obtained for all hit behavior features to obtain the single attack score of that single source IP.
In summary, in the embodiments of the present application the attack signatures in the attack signature rule base are scored in advance, so that the preset attack signature rule base contains both attack signatures and attack scores, with a one-to-one correspondence between them. When a detected Web target is examined, the behavior features of the requests and/or responses of the detected Web target are matched against the preset attack signature rule base, and the attack total score of the detected Web target within the preset duration is accumulated from the attack scores corresponding to the behavior features that hit the rule base. When the attack total score exceeds the predetermined threshold, a detection result is produced that the detected Web target is subject to distributed Web vulnerability scanning. Because the attack total score accumulates the rule base hits of all active source IPs, distributed Web vulnerability scanning can be detected, rather than relying on a single source IP alone as the basis for detecting Web vulnerability scanning.
For the functions and effects of the units in the above device, refer to the implementation of the corresponding steps in the above method; they are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant parts are explained in the method embodiments. The device embodiments described above are merely schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the application's scheme. A person of ordinary skill in the art can understand and implement this without creative effort.
Other embodiments of the application will readily occur to those skilled in the art after considering the description and practicing the invention disclosed herein. The application is intended to cover any modifications, uses or adaptations of the application that follow its general principles and include common knowledge or conventional technical means in the art not disclosed in the application. The description and embodiments are to be considered exemplary only, and the true scope and spirit of the application are indicated by the following claims.
It should be understood that the application is not limited to the precise structure described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the application is limited only by the appended claims.

Claims (10)

1. A detection method for Web vulnerability scanning, characterized in that the method includes:
obtaining behavior features of requests and/or responses of a detected Web target;
matching the behavior features against a preset attack signature rule base, the attack signature rule base containing attack signatures and attack scores, with a one-to-one correspondence between the attack signatures and the attack scores;
counting, according to the attack scores corresponding to the behavior features that hit the attack signature rule base, the attack total score of the detected Web target within a preset duration;
when the attack total score exceeds a predetermined threshold, producing a detection result that the detected Web target is subject to distributed Web vulnerability scanning.
2. The method according to claim 1, characterized in that counting, according to the attack scores corresponding to the behavior features that hit the attack signature rule base, the attack total score of the detected Web target within the preset duration specifically includes:
counting, within the preset duration, the single attack score of each single source IP that accessed the detected Web target, the single attack score being the sum of the attack scores corresponding to the behavior features with which that single source IP hit the attack signature rule base;
adding the single attack scores of all single source IPs to obtain the attack total score of the detected Web target.
3. The method according to claim 2, characterized in that, after counting within the preset duration the single attack score of each single source IP that accessed the detected Web target, the method further includes:
selecting, from the single attack scores of all single source IPs, the highest single attack score;
when the highest single attack score exceeds a preset score, producing a detection result that the detected Web target is subject to Web vulnerability scanning from the source IP corresponding to that highest single attack score.
4. The method according to claim 2, characterized in that the single attack score is obtained as follows:
obtaining, for that single source IP, the attack score corresponding to each behavior feature that hit the attack signature rule base, together with its hit count;
multiplying the attack score corresponding to the hit behavior feature by the hit count to obtain a first score of that hit behavior feature;
adding the first scores obtained for all hit behavior features to obtain the single attack score of that single source IP.
5. The method according to claim 2, characterized in that the single attack score is obtained as follows:
obtaining, for that single source IP, the attack score corresponding to each behavior feature that hit the attack signature rule base, together with its hit count;
when the hit count equals 1, multiplying the attack score corresponding to the hit behavior feature by the hit count to obtain a second score of that hit attack signature;
when the hit count is greater than 1, multiplying the attack score corresponding to the hit behavior feature by the hit count and then by a weight value to obtain a third score of that hit attack signature;
adding the second scores and third scores obtained for all hit behavior features to obtain the single attack score of that single source IP.
6. A detection device for Web vulnerability scanning, characterized in that the device includes:
an acquiring unit, used to obtain behavior features of requests and/or responses of a detected Web target;
a matching unit, used to match the behavior features against a preset attack signature rule base, the attack signature rule base containing attack signatures and attack scores, with a one-to-one correspondence between the attack signatures and the attack scores;
a statistic unit, used to count, according to the attack scores corresponding to the behavior features that hit the attack signature rule base, the attack total score of the detected Web target within a preset duration;
a detector unit, used to produce, when the attack total score exceeds a predetermined threshold, a detection result that the detected Web target is subject to distributed Web vulnerability scanning.
7. The device according to claim 6, characterized in that the statistic unit specifically includes:
a first statistics subelement, used to count, within the preset duration, the single attack score of each single source IP that accessed the detected Web target, the single attack score being the sum of the attack scores corresponding to the behavior features with which that single source IP hit the attack signature rule base;
a second statistics subelement, used to add the single attack scores of all single source IPs to obtain the attack total score of the detected Web target.
8. The device according to claim 7, characterized in that, after the first statistics subelement, the device further includes:
a screening subelement, used to select, from the single attack scores of all single source IPs, the highest single attack score;
a detection subelement, used to produce, when the highest single attack score exceeds a preset score, a detection result that the detected Web target is subject to Web vulnerability scanning from the source IP corresponding to that highest single attack score.
9. The device according to claim 7, characterized in that the first statistics subelement specifically includes:
an obtaining subelement, used to obtain, for that single source IP, the attack score corresponding to each behavior feature that hit the attack signature rule base, together with its hit count;
a first computation subelement, used to multiply the attack score corresponding to the hit behavior feature by the hit count to obtain a first score of that hit behavior feature;
a summation subelement, used to add the first scores obtained for all hit behavior features to obtain the single attack score of that single source IP.
10. The method according to claim 7, characterized in that the first statistics subelement specifically includes:
an obtaining subelement, used to obtain, for that single source IP, the attack score corresponding to each behavior feature that hit the attack signature rule base, together with its hit count;
a second computation subelement, used to multiply, when the hit count equals 1, the attack score corresponding to the hit behavior feature by the hit count to obtain a second score of that hit attack signature;
a third computation subelement, used to multiply, when the hit count is greater than 1, the attack score corresponding to the hit behavior feature by the hit count and then by a weight value to obtain a third score of that hit attack signature;
a summation subelement, used to add the second scores and third scores obtained for all hit behavior features to obtain the single attack score of that single source IP.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610728300.0A CN106254368B (en) 2016-08-24 2016-08-24 The detection method and device of Web vulnerability scanning


Publications (2)

Publication Number Publication Date
CN106254368A true CN106254368A (en) 2016-12-21
CN106254368B CN106254368B (en) 2019-09-06

Family

ID=57594869


Country Status (1)

Country Link
CN (1) CN106254368B (en)


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
CB02  Change of applicant information
      Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
      Applicant after: Hangzhou Dipu Polytron Technologies Inc
      Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
      Applicant before: Hangzhou Dipu Technology Co., Ltd.
COR   Change of bibliographic data
GR01  Patent grant
TR01  Transfer of patent right
      Effective date of registration: 20210624
      Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.
      Patentee after: Hangzhou Dip Information Technology Co.,Ltd.
      Address before: 310051, 6 floor, Chung Cai mansion, 68 Tong he road, Binjiang District, Hangzhou, Zhejiang.
      Patentee before: Hangzhou DPtech Technologies Co.,Ltd.