CN106487771A - The acquisition methods of intrusion behavior and device - Google Patents

The acquisition methods of intrusion behavior and device

Info

Publication number: CN106487771A
Authority: CN (China)
Prior art keywords: attribute information, character string, web pages, malicious web, file
Legal status: Granted
Application number: CN201510553172.6A
Other languages: Chinese (zh)
Other versions: CN106487771B (en)
Inventor: 陈建勇
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Events:
Application filed by Alibaba Group Holding Ltd
Priority to CN201510553172.6A
Publication of CN106487771A
Application granted
Publication of CN106487771B
Legal status: Active
Anticipated expiration


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

This application discloses a method and a device for acquiring intrusion behavior. The method includes: obtaining the attribute information of a malicious web page script, where the malicious web page script is a file stored on a target host; searching a preset static rule base, according to the attribute information, for a character string that matches the attribute information, where the static rule base includes at least one character string and the intrusion behavior corresponding to each character string; and, if such a string exists, reading the intrusion behavior corresponding to the matching string and determining that the cause of the intrusion of the target host is that intrusion behavior. The application solves the technical problem of the prior art that the cause of a host intrusion cannot be accurately analyzed because the analysis is based on access logs.

Description

The acquisition methods of intrusion behavior and device
Technical field
The application relates to the field of information security, and in particular to a method and device for acquiring intrusion behavior.
Background technology
The most popular and widely used resource access technology on the Internet at present is Web technology. Web technology, also known as WWW technology, uses the application-layer HTTP (HyperText Transfer Protocol). HTTP is the transfer protocol used to carry hypertext from WWW servers to local browsers. It makes browsers more efficient and reduces network transmission. It not only ensures that computers transfer hypertext documents correctly and quickly, but also determines which part of a document is transferred and which part of the content is displayed first (for example, text before graphics).
HTTP is the application-layer communication protocol between a client browser (or other program) and a Web server; the client transfers the hypertext information it wants to access through HTTP. HTTP includes commands and transfer information, and can be used not only for Web access but also for communication between other Internet/intranet application systems, so as to integrate hypermedia access to all kinds of application resources. As a result, the main information exchange on today's Internet, and much of production and daily life, uses Web technology.
Once a website has been set up, it is likely to be attacked by hackers. The main reason is that the website holds data the hacker is interested in and wants to steal; another reason may be that the website itself has vulnerabilities, and a hacker intrudes into it with mass-produced attack tools in order to use it as a "broiler" (a compromised host under the attacker's control). Whatever the reason, every website currently on the Internet is at risk of being intruded at any time.
The most commonly used attack technique for intruding a website at present is the file upload attack, which means uploading a malicious script file directly to the website server. When the script file is written into the website's file directory and the Web server can parse the script, a Webshell can be obtained by accessing the website. A WebShell is a malicious web page script written in a Web language; once a Webshell is found on a host, the host can be considered intruded.
When analyzing the cause of a host intrusion, an intrusion analysis method based on web logs is generally used. In a cloud environment, however, there are two ways of extracting access logs: in one, the cloud control end collects the logs directly from the disk files of the cloud host; in the other, access logs are collected at the cloud front end by traffic mirroring.
Because cloud host websites are complex and involve permission issues, no cloud vendor adopts the first method. As for extracting access logs by traffic mirroring, the mirroring device is deployed at the cloud boundary, so the access logs of mutual access between hosts inside the cloud cannot be extracted; in addition, because the cloud traffic volume is very large, some logs are lost. As a result, the cause of a host intrusion cannot be analyzed accurately and comprehensively, and the security of the host is seriously threatened.
No effective solution to the above problem has been proposed so far.
Content of the invention
Embodiments of the application provide a method and device for acquiring intrusion behavior, so as to at least solve the technical problem of the prior art that the cause of a host intrusion cannot be accurately analyzed because the analysis is based on access logs.
According to one aspect of the embodiments of the application, a method for acquiring intrusion behavior is provided, including: obtaining the attribute information of a malicious web page script, where the malicious web page script is a file stored on a target host; searching a preset static rule base, according to the attribute information, for a character string that matches the attribute information, where the static rule base includes at least one character string and the intrusion behavior corresponding to each character string; and, if such a string exists, reading the intrusion behavior corresponding to the matching string and determining that the cause of the intrusion of the target host is that intrusion behavior.
According to another aspect of the embodiments of the application, a device for acquiring intrusion behavior is also provided, including: an obtaining unit, configured to obtain the attribute information of a malicious web page script, where the malicious web page script is a file stored on the target host; a matching unit, configured to search the preset static rule base, according to the attribute information, for a character string that matches the attribute information, where the static rule base includes at least one character string and the intrusion behavior corresponding to each character string; and a first determining unit, configured to, if such a string exists, read the intrusion behavior corresponding to the matching string and determine that the cause of the intrusion of the target host is that intrusion behavior.
In the embodiments of the application, the attribute information of a malicious web page script stored on the target host is obtained; a preset static rule base, which includes at least one character string and the intrusion behavior corresponding to each string, is searched according to the attribute information for a matching string; and, if one exists, the corresponding intrusion behavior is read and taken as the cause of the intrusion of the target host. Because the cause of the intrusion is analyzed from the static attributes of the malicious web page script, the analysis does not rely on access logs and can still be carried out when access logs are lost. Once the cause of the intrusion is determined, the vulnerability of the host can be repaired to prevent it from being intruded again. This achieves the purpose of accurately analyzing the cause of a host intrusion, improves host security, and thus solves the technical problem of the prior art that the cause cannot be accurately analyzed because the analysis is based on access logs.
Description of the drawings
The drawings described here are provided for further understanding of the application and form a part of it; the schematic embodiments of the application and their description are used to explain the application and do not constitute an improper limitation on it. In the drawings:
Fig. 1 is a block diagram of the hardware structure of a computer terminal running the method for acquiring intrusion behavior according to an embodiment of the application;
Fig. 2 is a schematic flowchart of an optional method for acquiring intrusion behavior according to an embodiment of the application;
Fig. 3 is a schematic flowchart of another optional method for acquiring intrusion behavior according to an embodiment of the application;
Fig. 4 is a schematic flowchart of yet another optional method for acquiring intrusion behavior according to an embodiment of the application;
Fig. 5 is a schematic structural diagram of an optional device for acquiring intrusion behavior according to an embodiment of the application;
Fig. 6 is a schematic structural diagram of an optional matching unit according to an embodiment of the application;
Fig. 7 is a schematic structural diagram of another optional device for acquiring intrusion behavior according to an embodiment of the application.
Specific embodiment
In order to make those skilled in the art better understand the solution of the application, the technical solutions in the embodiments of the application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the application without creative work fall within the protection scope of the application.
It should be noted that the terms "first", "second", etc. in the description, claims and drawings of the application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that the data so used may be interchanged where appropriate, so that the embodiments of the application described here can be implemented in orders other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to those steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
Embodiment 1
According to an embodiment of the application, a method embodiment of the method for acquiring intrusion behavior is also provided. It should be noted that the steps illustrated in the flowcharts of the drawings can be executed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one here.
The method embodiment provided by embodiment one of the application can be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, Fig. 1 is a block diagram of the hardware structure of a computer terminal for the method for acquiring intrusion behavior according to an embodiment of the application. As shown in Fig. 1, the computer terminal 10 may include one or more processors 102 (only one is shown in the figure; the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. Those of ordinary skill in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the above electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.
The memory 104 can be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the method for acquiring intrusion behavior in the embodiment of the application. The processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implements the above vulnerability detection method of the application program. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and these remote memories may be connected to the computer terminal 10 through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the above network may include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.
Under the above running environment, the application provides the method for acquiring intrusion behavior shown in Fig. 2. Fig. 2 is a flowchart of the method for acquiring intrusion behavior according to embodiment one of the application.
Step S202: obtain the attribute information of a malicious web page script, where the malicious web page script is a file stored on the target host.
In step S202 of the application, when a malicious web page script is found stored on the target host, the target host can be considered intruded. The method for acquiring intrusion behavior of the embodiment of the application first needs to obtain the attribute information of the malicious web page script, where the attribute information includes one or more of the following: MD5 (Message Digest Algorithm 5), file path, file content and owner.
It should be noted that the target host of the embodiment of the invention may be a cloud host or a local host, and may also be a client computer under a CS (Client/Server) architecture or a client computer under a BS (Browser/Server) architecture; this embodiment does not limit this.
Step S204: search a preset static rule base, according to the attribute information, for a character string that matches the attribute information, where the static rule base includes at least one character string and the intrusion behavior corresponding to each character string.
In step S204 of the application, after the attribute information of the malicious web page script is obtained, the preset static rule base can be searched according to the attribute information for a character string that matches the attribute information. In this embodiment, the static rule base mainly describes character strings for multiple dimensions of information, such as MD5, file path and file content, together with the intrusion behavior corresponding to each character string. It will be understood that the actual attribute information of a malicious web page script is very complex, including file size, file remarks, file header, file number, owner, file creation time, access time, etc., and the method for acquiring intrusion behavior of the application can build the static rule base from more complex dimensions. The static rules are collected mainly from automated network intrusion tools and the like; in addition, the intrusion behavior result of each intrusion analysis can also enrich the static rule base. An example of the content of the static rule base is shown in Table 1:
Table 1
With reference to Table 1, for example, if the MD5 of a malicious web page script is "80107f4688070123d20a9c54622601db", Table 1 is searched for a character string matching "80107f4688070123d20a9c54622601db"; if one exists, the cause of the intrusion of the target host is considered to be the intrusion behavior corresponding to that string, i.e. the cause of the intrusion is the XX system_code execution vulnerability. For another example, if the file path of a malicious web page script includes "/server/default/tmp/deploy/", Table 1 is searched for a character string matching "/server/default/tmp/deploy/"; if one exists, the cause of the intrusion of the target host is considered to be the intrusion behavior corresponding to that string, i.e. the cause of the intrusion is JBOSS_EJB_GETSHELL.
Step S206: if such a string exists, read the intrusion behavior corresponding to the character string that matches the attribute information, and determine that the cause of the intrusion of the target host is the intrusion behavior corresponding to that string.
In step S206 of the application, when the preset static rule base is searched according to the attribute information for a string matching the attribute information, if a matching string exists in the static rule base, the cause of the intrusion of the target host is considered to be the intrusion behavior corresponding to the matching string. For example, if the MD5 of the malicious web page script is "80107f4688070123d20a9c54622601db", the static rule base is searched for a string matching "80107f4688070123d20a9c54622601db"; if one exists, the cause of the intrusion of the target host is considered to be the intrusion behavior corresponding to that string, i.e. the XX system_code execution vulnerability. For another example, if the file path of a malicious web page script includes "/server/default/tmp/deploy/", the static rule base is searched for a string matching "/server/default/tmp/deploy/"; if one exists, the cause of the intrusion of the target host is considered to be the intrusion behavior corresponding to that string, i.e. JBOSS_EJB_GETSHELL.
After the cause of the intrusion of the target host is determined, the vulnerability of the target host can be repaired by automatically calling a vulnerability repair interface, where, in the process of calling the vulnerability repair interface, the IP of the target host and the determined cause of the intrusion can be transmitted to the vulnerability repair interface.
It should be noted that, if no matching string exists, the cause of the intrusion of the target host can be analyzed according to a custom algorithm; the specific method is described in detail in subsequent embodiments and is not repeated here.
The method for acquiring intrusion behavior of the application can quickly and accurately determine the cause of the intrusion of the target host and can perform automated vulnerability repair, so that after an intrusion is found the vulnerability of the target host is repaired quickly, preventing it from being intruded again and improving the security of the target host.
It can be seen from the above that the solution provided by embodiment one of the application analyzes the cause of the host intrusion from the static attributes of the malicious web page script without relying on access logs, so that the analysis can be carried out even when access logs are lost; after the cause of the intrusion is determined, the vulnerability of the host can be repaired to prevent it from being intruded again. This achieves the purpose of accurately analyzing the cause of the host intrusion, improves host security, and thus solves the technical problem of the prior art that the cause cannot be accurately analyzed because the analysis is based on access logs.
As an optional implementation of the embodiment of the application, where the attribute information includes MD5, file path, file content or owner, the implementation of step S204 (searching the preset static rule base according to the attribute information for a character string matching the attribute information) may include:
Step S10: search the static rule base for a character string that includes the MD5, file path, file content or owner.
In step S10 of the application, where the attribute information includes MD5, file path, file content or owner, the static rule base is searched for a character string that includes the MD5, file path, file content or owner; that is, where the attribute information includes only MD5, file path, file content or owner, string matching is performed according to the MD5, file path, file content or owner respectively.
For example, if the attribute information of a malicious web page script includes a file path, and the file path includes "/server/default/tmp/deploy/", the static rule base is searched for a string matching "/server/default/tmp/deploy/"; if one exists, the cause of the intrusion of the target host is considered to be the intrusion behavior corresponding to that string, i.e. JBOSS_EJB_GETSHELL.
As an optional implementation of the embodiment of the application, where the attribute information includes MD5, the implementation of step S204 (searching the preset static rule base according to the attribute information for a character string matching the attribute information) may include:
Step S20: apply a HASH algorithm to the MD5 to obtain the signature information of the malicious web page script.
In step S20 of the application, the static rule base may also include the signature information of malicious web page scripts, where the signature information is obtained by applying a HASH (hash) algorithm to the MD5. Therefore, where the attribute information includes MD5, the HASH algorithm is first applied to the MD5 to obtain the signature information of the malicious web page script.
Step S22: search the static rule base for a character string that includes the signature information.
In step S22 of the application, after the signature information of the malicious web page script is obtained, the static rule base is searched for a character string that includes the signature information, i.e. the static rule base is queried according to the signature information; if a string identical to the signature information exists, the cause of the intrusion of the target host is determined to be the intrusion behavior corresponding to that string.
As an optional implementation of the embodiment of the application, where the attribute information includes at least two of file path, file content and owner, the implementation of step S204 (searching the preset static rule base according to the attribute information for a character string matching the attribute information) may include:
Step S30: call a preset regular expression and search the static rule base for a character string that matches at least two of the file path, file content and owner.
In step S30 of the application, where the attribute information includes at least two of file path, file content and owner, the method for acquiring intrusion behavior of the embodiment of the application calls a preset regular expression to perform string matching. A regular expression, also known as a regular representation or conventional representation, is a single character string used to describe and match a series of character strings that conform to a certain syntactic rule.
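Steps S204, S10, S20/S22 and S30 above describe one lookup against the static rule base carried out over several attribute dimensions. The following Python is an added example and is not code from the patent or from Alibaba: it builds a small constructed rule base from the two strings quoted in the description (the MD5 and the "/server/default/tmp/deploy/" path) plus one constructed multi-dimension rule, and applies the exact-match, signature (HASH of MD5) and regular-expression variants in the order the steps give them. The patent does not name the HASH algorithm used for the signature; SHA-256 over the hex MD5 text is an assumption made here, as are the FTP_UPLOAD_PHP label, the `Rule` type and all sample attribute values.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional


# Constructed static rule base in the shape the patent describes: each rule is a
# character string (or a small set of per-dimension patterns) paired with the
# intrusion behaviour it identifies. The MD5 and path values are the ones quoted
# in the description; the multi-dimension rule and its label are constructed.
@dataclass
class Rule:
    behavior: str
    md5: Optional[str] = None            # exact match on the script's MD5 (step S10)
    signature: Optional[str] = None      # exact match on HASH(MD5) (steps S20/S22)
    path_substr: Optional[str] = None    # substring match on the file path (step S10)
    regex: dict = field(default_factory=dict)  # per-dimension regexes, all must hit (step S30)


def signature_of(md5_hex: str) -> str:
    """Signature = HASH(MD5). The patent does not name the hash function;
    SHA-256 over the lowercase hex MD5 text is an assumption for this example."""
    return hashlib.sha256(md5_hex.lower().encode("ascii")).hexdigest()


RULES = [
    Rule(behavior="XX system_code execution vulnerability",
         md5="80107f4688070123d20a9c54622601db"),
    Rule(behavior="XX system_code execution vulnerability",
         signature=signature_of("80107f4688070123d20a9c54622601db")),
    Rule(behavior="JBOSS_EJB_GETSHELL",
         path_substr="/server/default/tmp/deploy/"),
    # Constructed multi-dimension rule: owned by the ftp account AND stored as a .php file.
    Rule(behavior="FTP_UPLOAD_PHP (constructed label)",
         regex={"owner": r"OWER:ftp", "path": r"\.php$"}),
]


def match_rule(attrs: dict, rules=RULES) -> Optional[str]:
    """Steps S204/S10/S20/S30: return the intrusion behaviour whose rule string
    matches the attribute information, or None when no rule matches.
    attrs may carry any of the keys "md5", "path", "content", "owner"."""
    md5 = attrs.get("md5")
    sig = signature_of(md5) if md5 else None
    for r in rules:
        if r.md5 is not None:
            if md5 is not None and md5.lower() == r.md5.lower():
                return r.behavior
        elif r.signature is not None:
            if sig is not None and sig == r.signature:
                return r.behavior
        elif r.path_substr is not None:
            if r.path_substr in (attrs.get("path") or ""):
                return r.behavior
        elif r.regex:
            # Regex rules apply only when at least two of path/content/owner are present
            present = [d for d in ("path", "content", "owner") if attrs.get(d)]
            if len(present) >= 2 and all(
                    re.search(pat, attrs.get(dim) or "") for dim, pat in r.regex.items()):
                return r.behavior
    return None


if __name__ == "__main__":
    print(match_rule({"md5": "80107f4688070123d20a9c54622601db"}))
    print(match_rule({"path": "/opt/jboss/server/default/tmp/deploy/app.war/x.jsp"}))
    print(match_rule({"path": "/var/www/html/up.php", "owner": "[OWER:ftp,GROUP:ftp]"}))
```

Rules are evaluated in list order, so the exact MD5 rule wins before the signature rule for the same script; a rule base loaded from Table 1 would be ordered the same way, most specific first. The multi-dimension rule deliberately refuses to fire when only one of path, content or owner is known, matching the condition in step S30.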
As a kind of optional implementation of the embodiment of the present application, as shown in figure 3, the quantity in malicious web pages script In the case of multiple, the acquisition methods of the intrusion behavior of the application also include:
Step S302, if not existing, calculates the file wound between malicious web pages script and a rear malicious web pages script The absolute value of time difference is built, wherein, a rear malicious web pages script refers to first created after malicious web pages script Individual malicious web pages script.
In the application above-mentioned steps S302, if there is no the character string that mates with attribute information in static rule storehouse, this The reason for acquisition methods of the intrusion behavior of application embodiment are then invaded to destination host using custom algorithm is carried out Analysis.Specifically, the file creation time difference between calculating malicious web pages script and a rear malicious web pages script is exhausted To value, wherein, a rear malicious web pages script refers to the first malicious web pages pin created after malicious web pages script This.
For example, be stored with destination host 5 malicious web pages scripts, respectively file 1, file 2, file 3, text Part 4 and file 5, calculate the file creation time between malicious web pages script and a rear malicious web pages script first Poor absolute value, i.e. file creation time difference 1=abs (2. creation times of file-file, 1. creation time);File is created Build time difference 2=abs (3. creation times of file-file, 2. creation time);File creation time difference 3=abs (file 4. 3. creation time of creation time-file);(5. creation times of file-file 4. is created file creation time difference 4=abs Time), wherein, abs () is ABS function.
Whether step S304, judge absolute value less than the first predetermined threshold value, and whether the size of malicious web pages script be more than Second predetermined threshold value.
In the application above-mentioned steps S304, calculating between malicious web pages script and a rear malicious web pages script After the absolute value of file creation time difference, whether the absolute value is judged less than the first predetermined threshold value, and malicious web pages pin Whether this size is more than the second predetermined threshold value.
For example, judge file creation time differ from 1 whether less than 10s, file creation time differ from 2 whether less than 10s, File creation time differs from 3 and whether whether differs from 4 less than 10s less than 10s and file creation time, and judge file 1. whether file size is more than 1024K.Wherein, if file creation time difference is too small, illustrate that the same time uploads Multiple malicious web pages scripts.
Step S306, if so, then judges whether the affiliated person of malicious web pages script is predetermined object.
In the application above-mentioned steps S306, if conditions above is satisfied by, the institute of malicious web pages script is determined whether Whether category person is predetermined object, for example judge the affiliated person of 1. file of file be whether ' [OWER:ftp,GROUP:ftp]'.
Step S308, if, it is determined that the reason for destination host is invaded is uploaded for predetermined object.
In the application above-mentioned steps S308, if conditions above is satisfied by, it is determined that the reason for destination host is invaded be Predetermined object is uploaded, for example, be considered that ftp uploads the destination host for causing and invaded.
By way of example, the correlation analysis method for multiple malicious web page scripts on the target host in steps S302 to S308 above may include the following.
As shown in Fig. 4, taking the case where the malicious web page script is a Webshell as an example, the intrusion behavior acquisition method of the application is described as follows:
Step A: acquire the attribute information of the Webshell.
In step A above, when a Webshell is found stored on the target host, the target host is considered to have been compromised. The intrusion behavior acquisition method of this embodiment first acquires the attribute information of the Webshell, where the attribute information includes one or more of: MD5, file path, file content and owner.
Step B: string matching and custom algorithm.
In step B above, after the attribute information of the Webshell has been acquired, the preset static rule base can be searched, according to the attribute information, for a character string that matches the attribute information. In this embodiment, the static rule base mainly describes character strings over multiple dimensions such as MD5, file path and file content, together with the intrusion behavior corresponding to each character string. It will be understood that the attribute information of a Webshell is actually very complex and includes file size, file remarks, file header, file number, owner, file creation time, access time and so on; the intrusion behavior acquisition method of the application can build the static rule base from these more complex dimensions. The static rule set mostly comes from automated network intrusion tools and from widely circulated write-ups of intrusion techniques on the Internet; in addition, each manual analysis of an intrusion result can also enrich the static rule base.
If the static rule base contains no character string that matches the attribute information, the intrusion behavior acquisition method of this embodiment analyzes the reason the target host was compromised using a custom algorithm: if no match exists, calculate the absolute value of the file creation time difference between the malicious web page script and the next malicious web page script, where the next malicious web page script is the first malicious web page script created after that malicious web page script; determine whether the absolute value is less than a first preset threshold and whether the size of the malicious web page script is greater than a second preset threshold; if so, determine whether the owner of the malicious web page script is a predetermined object; if so, determine that the reason the target host was compromised is an upload by the predetermined object.
Step C: obtain the reason the target host was compromised.
In step C above, when the preset static rule base is searched according to the attribute information for a character string matching the attribute information and such a character string exists in the static rule base, the reason the target host was compromised is taken to be the intrusion behavior corresponding to the matched character string. For example, if the MD5 of a malicious web page script is "80107f4688070123d20a9c54622601db", the static rule base is searched for a character string matching "80107f4688070123d20a9c54622601db"; if one exists, the reason the target host was compromised is the intrusion behavior corresponding to that character string, i.e. the XX system code execution vulnerability. As another example, if the file path of a malicious web page script includes "/server/default/tmp/deploy/", the static rule base is searched for a character string matching "/server/default/tmp/deploy/"; if one exists, the reason the target host was compromised is the intrusion behavior corresponding to that character string, i.e. JBOSS_EJB_GETSHELL.
Step D: automatically call the vulnerability repair interface.
In step D above, the reason the target host was compromised can be analyzed quickly from the static file attributes (i.e. the attribute information). Once the reason has been analyzed, the vulnerability repair interface is called automatically to repair the vulnerability on the target host; when calling the vulnerability repair interface, the IP of the target host and the determined reason for the compromise can be passed to the interface.
Step E: the reason for the compromise is not found.
In step E above, if neither matching against the static feature base nor the custom algorithm finds the reason the target host was compromised, the reason is analyzed manually.
Step F: manually analyze the reason the target host was compromised.
In step F above, after the reason the target host was compromised has been analyzed manually, a rule is added to the static rule base.
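Steps A to C and F worked through in code: a static rule base over the MD5, path, content and owner dimensions, the hashed-MD5 "signature" lookup, a regular-expression rule that must match two attributes at once, and the step F path that appends a rule after manual analysis. This is an added example, not the patent's own code: the MD5, the path and the two behavior labels are the ones quoted in step C, while the rule-base layout, the use of SHA-256 as the unspecified "HASH algorithm", and the regex rule are assumptions constructed for illustration.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Added example, not the patent's own code. The MD5, the path and the two
# behaviour labels are the ones quoted in step C; the rule-base layout, the
# SHA-256 used as the "HASH algorithm" of step B, and the regex rule are
# assumptions constructed for illustration.
Rule = Dict[str, object]


def signature_of_md5(md5: str) -> str:
    """Hash the MD5 string to obtain the script's signature information
    (assumed to be SHA-256; the text only says 'HASH algorithm')."""
    return hashlib.sha256(md5.strip().lower().encode("ascii")).hexdigest()


def make_rule(dim: str, pattern: object, behavior: str) -> Rule:
    """dim is one of: 'sig' (hashed MD5), 'path', 'content', 'owner'
    (plain substring match) or 'regex' (dict of dimension -> regular expression,
    all of which must match, for the multi-attribute rule of claim 5)."""
    return {"dim": dim, "pattern": pattern, "behavior": behavior}


# Constructed static rule base (step B: character strings over several
# dimensions plus the intrusion behaviour each one corresponds to).
STATIC_RULES: List[Rule] = [
    make_rule("sig", signature_of_md5("80107f4688070123d20a9c54622601db"),
              "XX system code execution vulnerability"),
    make_rule("path", "/server/default/tmp/deploy/", "JBOSS_EJB_GETSHELL"),
    make_rule("regex", {"path": r"/uploads?/[^/]+\.(php|jsp)$",
                        "owner": r"GROUP:www"},
              "constructed: script written through a web upload directory"),
]


def rule_matches(rule: Rule, attrs: Dict[str, str]) -> bool:
    dim, pattern = rule["dim"], rule["pattern"]
    if dim == "sig":
        md5 = attrs.get("md5")
        return md5 is not None and signature_of_md5(md5) == pattern
    if dim in ("path", "content", "owner"):
        value = attrs.get(dim)
        return value is not None and pattern in value
    if dim == "regex":
        # every dimension the rule names must be present and match
        return all(d in attrs and re.search(rx, attrs[d]) is not None
                   for d, rx in pattern.items())
    return False


def lookup_intrusion_behavior(attrs: Dict[str, str],
                              rules: List[Rule] = STATIC_RULES) -> Optional[str]:
    """Step C: return the intrusion behaviour of the first matching rule, or
    None when nothing matches (the text then tries the custom algorithm and,
    failing that, manual analysis)."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return str(rule["behavior"])
    return None


def add_rule_from_manual_analysis(rules: List[Rule], dim: str,
                                  pattern: object, behavior: str) -> None:
    """Step F: after manual analysis, append the finding so that the next
    occurrence is matched automatically."""
    rules.append(make_rule(dim, pattern, behavior))


if __name__ == "__main__":
    print(lookup_intrusion_behavior({"md5": "80107f4688070123d20a9c54622601db"}))
    print(lookup_intrusion_behavior({"path": "/srv/jboss/server/default/tmp/deploy/x.war/c.jsp"}))
```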
It can be seen that the prior art suffers from the loss of part of the logs when cloud traffic is excessive, so that the reason a host was compromised cannot be analyzed accurately and comprehensively and the security of the host is exposed to a greater threat. The present application proposes a method for analyzing the reason a target host was compromised based on the attribute information of malicious web page scripts, combining the attribute information with a preset static rule base, so that the cause of the compromise can be analyzed quickly and accurately without access logs, greatly improving the efficiency and accuracy of compromise-cause analysis.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should know that the application is not limited by the described sequence of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the application, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, computer, server, network device or the like) to execute the method described in each embodiment of the application.
Embodiment 2
According to an embodiment of the application, an apparatus embodiment for implementing the above method embodiment is also provided; the apparatus provided by the above embodiment of the application can run on a computer terminal.
Fig. 5 is a schematic structural diagram of an intrusion behavior acquisition apparatus according to an embodiment of the application.
As shown in Fig. 5, the intrusion behavior acquisition apparatus may include an acquiring unit 502, a matching unit 504 and a first determining unit 506.
The acquiring unit 502 is configured to acquire the attribute information of a malicious web page script, where the malicious web page script is a file stored on the target host; the matching unit 504 is configured to search a preset static rule base, according to the attribute information, for a character string that matches the attribute information, where the static rule base includes at least one character string and the intrusion behavior corresponding to each character string; and the first determining unit 506 is configured to, if such a character string exists, read the intrusion behavior corresponding to the character string that matches the attribute information and determine that the reason the target host was compromised is the intrusion behavior corresponding to that character string.
It can be seen from the above that the solution provided by embodiment 2 analyzes the reason a host was compromised from the static attributes of the malicious web page script without relying on access logs, so that the analysis succeeds even if the access logs are lost; once the reason the host was compromised has been determined, the vulnerability on the host can be repaired, preventing the host from being compromised again. This achieves the purpose of accurately analyzing the reason the host was compromised, improves host security, and thereby solves the technical problem in the prior art that the reason a host was compromised cannot be analyzed accurately because the analysis relies on access logs.
It should be noted here that the acquiring unit 502, matching unit 504 and first determining unit 506 correspond to steps S202 to S206 in embodiment 1; the examples and application scenarios realized by the three modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 1. It should be noted that the above modules, as part of the apparatus, may run in the terminal 10 provided in embodiment 1 and may be implemented by software or by hardware.
Optionally, the attribute information includes one or more of: Message Digest Algorithm 5 (MD5), file path, file content and owner.
Optionally, where the attribute information includes the MD5, the file path, the file content or the owner, the matching unit 504 is configured to search the preset static rule base, according to the attribute information, for a character string matching the attribute information by executing the following step: searching the static rule base for a character string that includes the MD5, the file path, the file content or the owner.
Optionally, as shown in Fig. 6, where the attribute information includes the MD5, the matching unit 504 includes a computing module 602 and a searching module 604.
The computing module 602 is configured to apply a HASH algorithm to the MD5 to obtain the signature information of the malicious web page script; the searching module 604 is configured to search the static rule base for a character string that includes the signature information.
It should be noted here that the computing module 602 and searching module 604 correspond to steps S20 to S22 in embodiment 1; the examples and application scenarios realized by the two modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 1. It should be noted that the above modules, as part of the apparatus, may run in the terminal 10 provided in embodiment 1 and may be implemented by software or by hardware.
Optionally, where the attribute information includes at least two of the file path, the file content and the owner, the matching unit 504 is configured to search the preset static rule base, according to the attribute information, for a character string matching the attribute information by executing the following step: calling a preset regular expression to search the static rule base for a character string matching at least two of the file path, the file content and the owner.
Optionally, as shown in Fig. 7, the intrusion behavior acquisition apparatus may further include a computing unit 702, a first judging unit 704, a second judging unit 706 and a second determining unit 708.
The computing unit 702 is configured to, if no matching character string exists, calculate the absolute value of the file creation time difference between the malicious web page script and the next malicious web page script, where the next malicious web page script is the first malicious web page script created after that malicious web page script; the first judging unit 704 is configured to determine whether the absolute value is less than a first preset threshold and whether the size of the malicious web page script is greater than a second preset threshold; the second judging unit 706 is configured to, if so, determine whether the owner of the malicious web page script is a predetermined object; and the second determining unit 708 is configured to, if so, determine that the reason the target host was compromised is an upload by the predetermined object.
It should be noted here that the computing unit 702, first judging unit 704, second judging unit 706 and second determining unit 708 correspond to steps S302 to S308 in embodiment 1; the examples and application scenarios realized by the four modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 1. It should be noted that the above modules, as part of the apparatus, may run in the terminal 10 provided in embodiment 1 and may be implemented by software or by hardware.
It can be seen that the prior art suffers from the loss of part of the logs when cloud traffic is excessive, so that the reason a host was compromised cannot be analyzed accurately and comprehensively and the security of the host is exposed to a greater threat. The present application proposes a method for analyzing the reason a target host was compromised based on the attribute information of malicious web page scripts, combining the attribute information with a preset static rule base, so that the cause of the compromise can be analyzed quickly and accurately without access logs, greatly improving the efficiency and accuracy of compromise-cause analysis.
Embodiment 3
Embodiments of the application also provide a storage medium. Optionally, in this embodiment, the storage medium can be used to store the program code executed by the intrusion behavior acquisition method provided in embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any one of the computer terminals of a computer terminal group in a computer network, or in any one of the mobile terminals of a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for executing the following steps: acquiring the attribute information of a malicious web page script, where the malicious web page script is a file stored on the target host; searching a preset static rule base, according to the attribute information, for a character string that matches the attribute information, where the static rule base includes at least one character string and the intrusion behavior corresponding to each character string; and if such a character string exists, reading the intrusion behavior corresponding to the character string that matches the attribute information and determining that the reason the target host was compromised is the intrusion behavior corresponding to that character string.
Optionally, the storage medium is further configured to store program code for executing the following step: searching the static rule base for a character string that includes the MD5, the file path, the file content or the owner.
Optionally, the storage medium is further configured to store program code for executing the following steps: applying a HASH algorithm to the MD5 to obtain the signature information of the malicious web page script; and searching the static rule base for a character string that includes the signature information.
Optionally, the storage medium is further configured to store program code for executing the following step: calling a preset regular expression to search the static rule base for a character string matching at least two of the file path, the file content and the owner.
Optionally, the storage medium is further configured to store program code for executing the following steps: if no matching character string exists, calculating the absolute value of the file creation time difference between the malicious web page script and the next malicious web page script, where the next malicious web page script is the first malicious web page script created after that malicious web page script; determining whether the absolute value is less than a first preset threshold and whether the size of the malicious web page script is greater than a second preset threshold; if so, determining whether the owner of the malicious web page script is a predetermined object; and if so, determining that the reason the target host was compromised is an upload by the predetermined object.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash disk, read-only memory (ROM), random access memory (RAM), a portable hard drive, a magnetic disk, an optical disc or any other medium capable of storing program code.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in embodiment 1, which are not repeated here.
The serial numbers of the above embodiments of the application are for description only and do not indicate the relative merits of the embodiments.
In the above embodiments of the application, each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant description of other embodiments.
In the several embodiments provided by this application, it should be understood that the disclosed sequence information processing apparatus may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a division of logical functions, and there may be other divisions in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the application, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored on a storage medium and including a number of instructions for causing a computer device (which may be a personal computer, server, network device or the like) to execute all or part of the steps of the method described in each embodiment of the application. The aforementioned storage medium includes a USB flash disk, read-only memory (ROM), random access memory (RAM), a portable hard drive, a magnetic disk, an optical disc or any other medium capable of storing program code.
The above are only preferred embodiments of the application. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principles of the application, and such improvements and modifications should also be regarded as falling within the scope of protection of the application.

Claims (12)

1. A method for acquiring intrusion behavior, comprising:
acquiring the attribute information of a malicious web page script, wherein the malicious web page script is a file stored on a target host;
searching a preset static rule base, according to the attribute information, for a character string that matches the attribute information, wherein the static rule base comprises at least one character string and the intrusion behavior corresponding to each character string; and
if such a character string exists, reading the intrusion behavior corresponding to the character string that matches the attribute information, and determining that the reason the target host was compromised is the intrusion behavior corresponding to that character string.
2. The method according to claim 1, wherein the attribute information comprises one or more of: Message Digest Algorithm 5 (MD5), file path, file content and owner.
3. The method according to claim 2, wherein, where the attribute information comprises the MD5, the file path, the file content or the owner, searching the preset static rule base according to the attribute information for a character string that matches the attribute information comprises:
searching the static rule base for a character string that includes the MD5, the file path, the file content or the owner.
4. The method according to claim 2, wherein, where the attribute information comprises the MD5, searching the preset static rule base according to the attribute information for a character string that matches the attribute information comprises:
applying a HASH algorithm to the MD5 to obtain the signature information of the malicious web page script; and
searching the static rule base for a character string that includes the signature information.
5. The method according to claim 2, wherein, where the attribute information comprises at least two of the file path, the file content and the owner, searching the preset static rule base according to the attribute information for a character string that matches the attribute information comprises:
calling a preset regular expression to search the static rule base for a character string matching at least two of the file path, the file content and the owner.
6. The method according to claim 1, wherein, where there are multiple malicious web page scripts, the method further comprises:
if no matching character string exists, calculating the absolute value of the file creation time difference between the malicious web page script and the next malicious web page script, wherein the next malicious web page script is the first malicious web page script created after the malicious web page script;
determining whether the absolute value is less than a first preset threshold and whether the size of the malicious web page script is greater than a second preset threshold;
if so, determining whether the owner of the malicious web page script is a predetermined object; and
if so, determining that the reason the target host was compromised is an upload by the predetermined object.
7. An apparatus for acquiring intrusion behavior, comprising:
an acquiring unit, configured to acquire the attribute information of a malicious web page script, wherein the malicious web page script is a file stored on a target host;
a matching unit, configured to search a preset static rule base, according to the attribute information, for a character string that matches the attribute information, wherein the static rule base comprises at least one character string and the intrusion behavior corresponding to each character string; and
a first determining unit, configured to, if such a character string exists, read the intrusion behavior corresponding to the character string that matches the attribute information, and determine that the reason the target host was compromised is the intrusion behavior corresponding to that character string.
8. The apparatus according to claim 7, wherein the attribute information comprises one or more of: Message Digest Algorithm 5 (MD5), file path, file content and owner.
9. The apparatus according to claim 8, wherein, where the attribute information comprises the MD5, the file path, the file content or the owner, the matching unit is configured to search the preset static rule base according to the attribute information for a character string that matches the attribute information by executing the following step:
searching the static rule base for a character string that includes the MD5, the file path, the file content or the owner.
10. The apparatus according to claim 8, wherein, where the attribute information comprises the MD5, the matching unit comprises:
a computing module, configured to apply a HASH algorithm to the MD5 to obtain the signature information of the malicious web page script; and
a searching module, configured to search the static rule base for a character string that includes the signature information.
11. The apparatus according to claim 8, wherein, where the attribute information comprises at least two of the file path, the file content and the owner, the matching unit is configured to search the preset static rule base according to the attribute information for a character string that matches the attribute information by executing the following step:
calling a preset regular expression to search the static rule base for a character string matching at least two of the file path, the file content and the owner.
12. The apparatus according to claim 7, further comprising:
a computing unit, configured to, if no matching character string exists, calculate the absolute value of the file creation time difference between the malicious web page script and the next malicious web page script, wherein the next malicious web page script is the first malicious web page script created after the malicious web page script;
a first judging unit, configured to determine whether the absolute value is less than a first preset threshold and whether the size of the malicious web page script is greater than a second preset threshold;
a second judging unit, configured to, if so, determine whether the owner of the malicious web page script is a predetermined object; and
a second determining unit, configured to, if so, determine that the reason the target host was compromised is an upload by the predetermined object.
CN201510553172.6A 2015-09-01 2015-09-01 Network behavior acquisition method and device Active CN106487771B (en)
Publications (2)

Publication Number Publication Date
CN106487771A true CN106487771A (en) 2017-03-08
CN106487771B CN106487771B (en) 2020-07-24
CN113992371B (en) Threat label generation method and device for traffic log and electronic equipment
CN113810342B (en) Intrusion detection method, device, equipment and medium
CN108595453A (en) URL identity maps acquisition methods and device
CN113688346A (en) Illegal website identification method, device, equipment and storage medium
CN112436969A (en) Internet of things equipment management method, system, equipment and medium
CN111639277A (en) Automated extraction method of machine learning sample set and computer-readable storage medium
Zhao et al. Research on the Speed and Accuracy of Full Port Scanning

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant