CN106487771B - Network behavior acquisition method and device - Google Patents

Info

Publication number: CN106487771B (granted patent; earlier publication CN106487771A)
Application number: CN201510553172.6A
Authority: CN (China)
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Inventor: 陈建勇 (Chen Jianyong)
Original and current assignee: Alibaba Group Holding Ltd
Other languages: Chinese (zh)
Prior art keywords: character string, attribute information, file, rule base, webpage script

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416  Event detection, e.g. attack signature detection

Abstract

The application discloses a method and a device for acquiring network behaviors. The method comprises: acquiring attribute information of a malicious web script, where the malicious web script is a file stored on a target host; searching, according to the attribute information, whether a character string matching the attribute information exists in a preset static rule base, where the static rule base comprises at least one character string and the network behavior corresponding to each character string; and, if such a character string exists, reading the network behavior corresponding to it and determining that the reason the target host was intruded is that network behavior. The method and device address the technical problem in the prior art that the cause of a host intrusion cannot be accurately analyzed when the analysis relies on access logs.

Description

Network behavior acquisition method and device
Technical Field
The application relates to the field of information security, in particular to a method and a device for acquiring network behaviors.
Background
Currently the most widely used resource access technology on the Internet is Web technology. Web technology, also called website technology, uses the application-layer HTTP (Hypertext Transfer Protocol). HTTP is the protocol used to transfer hypertext from a WWW server to a local browser. It lets the browser work efficiently and reduces network transmission: it not only ensures that a computer transmits a hypertext document correctly and quickly, but also determines which part of the transmitted document is displayed first (for example, text before graphics).
HTTP is an application-layer communication protocol between a client (a browser or another program) and a Web server; through it the client transmits the hypertext information it wants to access. HTTP carries commands as well as transmitted information, and it is used not only for Web access but also for communication between other Internet and intranet application systems, so that access to many kinds of application resources and hypermedia is integrated. Most information exchange, production and daily life on the Internet today use Web technology.
Once a website is up, it is likely to be attacked by hackers. One reason is that the website holds data the hackers want to steal; another is that the website has a vulnerability and a hacker uses a batch attack tool to intrude into it so that it can be used as a zombie host (a "broiler" in Chinese security jargon). Whatever the reason, every website on the Internet is at risk of being intruded at any time.
Currently the most used attack technique for intruding into websites is file upload, in which a malicious script file is uploaded directly to the website server. When the script file is written into the website's file directory and the Web server can parse the script, the resulting WebShell can be accessed through the website. A WebShell is a malicious web script written in a Web language; once a WebShell is found on a host, the host can be considered intruded.
When the cause of a host intrusion is analyzed, an intrusion analysis method based on the website access log is generally used. In a cloud environment, however, there are two ways to extract the access log: the cloud control end collects the log by directly reading the disk files of the cloud host; or a traffic mirroring method collects the access log at the front end of the cloud.
The first method is not adopted by any cloud vendor, because cloud host websites are complex and the method raises permission problems. With traffic mirroring, the mirroring device is deployed at the cloud boundary, so access logs of traffic between hosts inside the cloud cannot be captured; in addition, part of the log is lost when cloud traffic is too heavy. The cause of the intrusion therefore cannot be analyzed accurately and comprehensively, and host security is seriously threatened.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiments of the application provide a method and a device for acquiring network behaviors, so as to at least solve the technical problem in the prior art that the cause of a host intrusion cannot be accurately analyzed when the analysis relies on access logs.
According to one aspect of the embodiments, a method for acquiring a network behavior is provided, comprising: acquiring attribute information of a malicious web script, where the malicious web script is a file stored on a target host; searching, according to the attribute information, whether a character string matching the attribute information exists in a preset static rule base, where the static rule base comprises at least one character string and the network behavior corresponding to each character string; and, if so, reading the network behavior corresponding to the matching character string and determining that the reason the target host was intruded is that network behavior.
According to another aspect of the embodiments, an apparatus for acquiring a network behavior is also provided, comprising: an acquisition unit, used to acquire attribute information of a malicious web script, where the malicious web script is a file stored on a target host; a matching unit, configured to search, according to the attribute information, whether a character string matching the attribute information exists in a preset static rule base, where the static rule base comprises at least one character string and the network behavior corresponding to each character string; and a first determining unit, used to read, when a character string matching the attribute information exists, the network behavior corresponding to that character string and to determine that the reason the target host was intruded is that network behavior.
Optionally, when the attribute information includes at least two of the file path, the file content and the owner, the matching unit performs the following step to search the preset static rule base for a character string matching the attribute information:
calling a preset regular expression and searching whether the static rule base contains a character string matching at least two of the file path, the file content and the owner.
Optionally, the apparatus further comprises: a calculating unit, configured to calculate, if no matching character string exists, the absolute value of the file creation time difference between the malicious web script and a subsequent malicious web script, where the subsequent malicious web script is the first malicious web script created after the malicious web script; a first judging unit, used to judge whether the absolute value is smaller than a first preset threshold and whether the size of the malicious web script is larger than a second preset threshold; a second judging unit, used to judge, if both conditions hold, whether the owner of the malicious web script is a predetermined object; and a second determining unit, used to determine, if it is, that the reason the target host was intruded is an upload by the predetermined object.
In the embodiments of the application, attribute information of a malicious web script stored on a target host is acquired; a preset static rule base, comprising at least one character string and the network behavior corresponding to each character string, is searched for a character string matching the attribute information; and if one exists, the corresponding network behavior is read and taken as the reason the target host was intruded. The cause of the intrusion is thus analyzed from the static attributes of the malicious web script rather than from the access log, so the analysis can be carried out even if the access log is lost. After the cause is determined, the vulnerability can be repaired on the host to prevent it from being intruded again. This achieves the purpose of accurately analyzing the cause of the intrusion, improves host security, and solves the technical problem in the prior art that the cause cannot be accurately analyzed when the analysis relies on access logs.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a computer terminal that executes an acquisition method of network behavior according to an embodiment of the present application;
fig. 2 is a schematic flow chart of an alternative network behavior acquisition method according to an embodiment of the present application;
fig. 3 is a schematic flow chart of another alternative network behavior acquisition method according to an embodiment of the present application;
fig. 4(a) is a schematic flowchart of another alternative network behavior acquisition method according to an embodiment of the present application;
fig. 4(b) is a flowchart illustrating a method for acquiring a network behavior according to another alternative embodiment of the present application;
fig. 5 is a schematic structural diagram of an alternative network behavior acquisition apparatus according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an alternative matching unit according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of another alternative network behavior acquisition apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The terms referred to in the embodiments of the present application are first explained as follows:
Malicious web script: a script added to, changed in or deleted from a software system for the purpose of harming or destroying system functionality, such as a virus, worm, trojan horse or attack script.
MD5 (Message-Digest Algorithm 5): a hash function widely used in computer security to check the integrity and consistency of transmitted information. MD5 is no longer collision resistant; in this application it serves only as a lookup key for file identity, and any one-byte change to a script changes its MD5.
Hash algorithm: the process of converting an input (pre-image) of arbitrary length into an output of fixed length, the hash value. The conversion is a compression mapping: a function that compresses a message of arbitrary length to a fixed-length message digest.
IP address (Internet Protocol address): a way of addressing hosts on the Internet.
Regular expression: a notation that uses a single string to describe and match a set of strings satisfying a given syntactic rule.
Static feature library (static rule base): a collection of multi-dimensional static rules, mainly gathered from automated intrusion attack tools, that describe the correspondence between network behaviors and malicious web scripts.
Example 1
There is also provided, in accordance with an embodiment of the present application, a method embodiment of a method for obtaining network behavior, it being noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking an example of the method running on a computer terminal, fig. 1 is a hardware structure block diagram of a computer terminal of the method for acquiring a network behavior according to the embodiment of the present application. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be configured to store software programs and modules of application software, such as the program instructions/modules corresponding to the method for acquiring network behaviors in the embodiments of the application; the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, it implements the method for acquiring network behaviors described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102 and connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
Under the operating environment, the application provides a method for acquiring network behaviors as shown in fig. 2. Fig. 2 is a flowchart of a method for acquiring network behavior according to a first embodiment of the present application.
Step S202, obtaining attribute information of the malicious webpage script, wherein the malicious webpage script is a file stored in the target host.
In step S202, the target host is considered intruded once a malicious web script is found stored on it. The method first acquires the attribute information of the malicious web script, which includes one or more of: the MD5 of the file, the file path, the file content and the file owner. In this embodiment the malicious web script is typically a WebShell.
It should be noted that, the target host in the embodiment of the present application may be a cloud host, or may also be a local host, or may be a Client in a CS (Client/Server) architecture, or may be a Client in a BS (Browser/Server) architecture, which is not limited in this embodiment.
Step S204, searching whether a character string matched with the attribute information exists in a preset static rule base, wherein the static rule base comprises: at least one character string and the network behavior corresponding to any one character string.
In step S204, after the attribute information of the malicious web script has been acquired, the preset static rule base is searched for a character string matching it. The main content of the static rule base is character strings describing values in several dimensions, such as MD5, file path and file content, together with the network behavior corresponding to each string. In this embodiment, a network behavior means an intrusion behavior.
The attribute information of a malicious web script is in fact richer, including file size, file comment, file header, file encoding, owner, creation time, access time and so on. The static rules are mainly collected from automated intrusion attack tools, and the network behavior found by each intrusion analysis can be fed back to enrich the static rule base. The content of the static rule base is illustrated in Table 1:
TABLE 1 (an image in the original; only the two rules quoted in the text below are recoverable)
Dimension    Character string                      Network behavior
MD5          80107f4688070123d20a9c54622601db      XX-party system_code execution vulnerability
File path    /server/default/tmp/deploy/           JBOSS_EJB_getshell
With reference to Table 1: if the MD5 of a malicious web script is "80107f4688070123d20a9c54622601db", Table 1 is searched for a character string matching that value; if one exists, the cause of the intrusion is the network behavior corresponding to it, namely the XX-party system_code execution vulnerability. Likewise, if the file path of a malicious web script contains "/server/default/tmp/deploy/", Table 1 is searched for a character string matching "/server/default/tmp/deploy/"; if one exists, the cause of the intrusion is the corresponding network behavior, namely JBOSS_EJB_getshell.
Step S206: if a character string matching the attribute information exists, read the network behavior corresponding to it and determine that the reason the target host was intruded is that network behavior.
In step S206, when the static rule base contains a character string matching the attribute information, the cause of the intrusion is taken to be the network behavior corresponding to that string. For example, if the MD5 of a malicious web script is "80107f4688070123d20a9c54622601db" and a matching string is found, the target host was intruded through the XX-party system_code execution vulnerability; if the file path of a malicious web script contains "/server/default/tmp/deploy/" and a matching string is found, the target host was intruded through JBOSS_EJB_getshell.
After the cause of the intrusion is determined, the vulnerability can be repaired on the target host by automatically calling a vulnerability repair interface; when the interface is called, the IP address of the target host and the cause of the intrusion are passed to it. Because a rule match directly triggers the repair call, an over-broad or wrong rule repairs the wrong thing, so rules should be validated before they are added to the rule base.
If no matching character string exists, the cause of the intrusion can be analyzed with a custom algorithm, which is described in detail in the following embodiment.
The network behavior acquisition method can quickly and accurately determine the reason why the target host is invaded, can carry out automatic vulnerability repair, enables the vulnerability of the target host to be repaired quickly after invasion is discovered, prevents the target host from being invaded again, and improves the safety of the target host.
Therefore, in the scheme of the first embodiment, the cause of the intrusion is analyzed from the static attributes of the malicious web script rather than from the access log, so the analysis can be carried out even if the access log is lost. After the cause is determined, the vulnerability can be repaired on the host to prevent it from being intruded again. This achieves the purpose of accurately analyzing the cause of the intrusion, improves host security, and solves the technical problem in the prior art that the cause cannot be accurately analyzed when the analysis relies on access logs.
As an optional implementation, when the attribute information includes the MD5, the file path, the file content or the owner, step S204 of searching the preset static rule base for a character string matching the attribute information may include:
Step S10: search the static rule base for a character string containing the MD5, the file path, the file content or the owner.
In step S10, if the attribute information includes only one of the MD5, file path, file content and owner, the character string is matched on that single dimension.
For example, if the attribute information of a malicious web script includes a file path containing "/server/default/tmp/deploy/", the static rule base is searched for a character string matching "/server/default/tmp/deploy/"; if one exists, the cause of the intrusion is the corresponding network behavior, namely JBOSS_EJB_getshell.
As an optional implementation, when the attribute information includes the MD5, step S204 may include:
Step S20: apply a hash algorithm to the MD5 to obtain the signature information of the malicious web script.
In step S20, the static rule base may also hold signature information of malicious web scripts, obtained by hashing the MD5; so when the attribute information includes the MD5, the MD5 is hashed to obtain the signature information of the malicious web script. Hashing the MD5 again adds no information about the file; it only changes the key under which the rule is stored.
Step S22: search the static rule base for a character string containing the signature information.
In step S22, after the signature information has been obtained, the static rule base is queried with it; if a character string identical to the signature information exists, the cause of the intrusion is the network behavior corresponding to that string.
As an optional implementation, when the attribute information includes at least two of the file path, the file content and the owner, step S204 may include:
Step S30: call a preset regular expression and search the static rule base for a character string matching at least two of the file path, the file content and the owner.
In step S30, when the attribute information includes at least two of the file path, the file content and the owner, a preset regular expression is called to perform the string matching, so that one rule can express a condition on several dimensions at once.
As an optional implementation manner of the embodiment of the present application, as shown in fig. 3, in a case that the number of the malicious web scripts is multiple, the method for acquiring the network behavior further includes:
step S302, if the file does not exist, calculating an absolute value of a file creation time difference between the malicious webpage script and a later malicious webpage script, wherein the later malicious webpage script is a first malicious webpage script created after the malicious webpage script.
In the above step S302, if there is no character string matching with the attribute information in the static rule base, the method for acquiring a network behavior in the embodiment of the present application analyzes the reason why the target host is invaded by using a custom algorithm. Specifically, an absolute value of a file creation time difference between the malicious web script and a later malicious web script is calculated, where the later malicious web script refers to a first malicious web script created after the malicious web script.
For example, the target host stores 5 malicious web scripts, which are file 1, file 2, file 3, file 4, and file 5, and first calculates an absolute value of a file creation time difference between the malicious web script and a subsequent malicious web script, that is, a file creation time difference 1 ═ abs (file 2. creation time — file 1. creation time); file creation time difference 2 ═ abs (file 3. creation time-file 2. creation time); file creation time difference 3 ═ abs (file 4. creation time-file 3. creation time); the file creation time difference 4 is abs (file 5. creation time-file 4. creation time), where abs () is an absolute value function.
Step S304, it is determined whether the absolute value is smaller than a first preset threshold and whether the size of the malicious webpage script is larger than a second preset threshold.
In step S304, after calculating an absolute value of a file creation time difference between the malicious web script and a subsequent malicious web script, it is determined whether the absolute value is smaller than a first preset threshold, and whether the size of the malicious web script is larger than a second preset threshold.
For example, it is determined whether file creation time difference 1 is less than 10s, file creation time difference 2 is less than 10s, file creation time difference 3 is less than 10s, and file creation time difference 4 is less than 10s, and it is determined whether the size of file 1 is greater than 1024K. If the file creation time differences are all very small, this indicates that the malicious webpage scripts were uploaded at the same time.
Step S306: if yes, judging whether the owner of the malicious webpage script is a predetermined object.
In the above step S306, if the above conditions are all satisfied, it is further determined whether the owner of the malicious web script is a predetermined object, for example, it is determined whether the file 1 is 'owner: ftp, GROUP: ftp'.
Step S308, if yes, it is determined that the reason why the target host is invaded is the predetermined object upload.
In step S308, if the above conditions are all satisfied, it is determined that the reason why the target host is invaded is the predetermined object upload, for example, it is considered that the target host is invaded due to ftp upload.
For example, the association analysis algorithm that applies the above steps S302 to S308 to multiple malicious web scripts on the target host may include:
    if (number of malicious web scripts > 5) {
        file creation time difference 1 = abs(file 2.creation time - file 1.creation time)  // take the absolute value of the file creation time difference
        file creation time difference 2 = abs(file 3.creation time - file 2.creation time)
        file creation time difference 3 = abs(file 4.creation time - file 3.creation time)
        file creation time difference 4 = abs(file 5.creation time - file 4.creation time)
        if (file creation time difference 1 < 10s && file creation time difference 2 < 10s && file creation time difference 3 < 10s && file creation time difference 4 < 10s) && (second condition, garbled in the original) {
[Figure GDA0002473934220000101: the remainder of the association analysis pseudo-code is available only as an image in the original]
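The custom algorithm of steps S302 to S308, carried out in full as an added example (this is not code from the patent or from its assignee). It generalizes the five-file pseudo-code above to any number of scripts by sorting on creation time and checking every neighbouring gap. The 10 s gap, the 1024K size bound and the ftp owner/group are the values the page's own example uses; the ScriptFile record, the function names and the sample file lists are constructed for this illustration. Following the page's example, the size check is applied to file 1, the earliest script of the batch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds and the predetermined owner are the values used in the page's own
# worked example (gap below 10 s, size above 1024K, owner/group ftp); the
# constant names, the ScriptFile record and the sample data are constructed.
FIRST_PRESET_THRESHOLD_S = 10.0               # creation-time gap, seconds
SECOND_PRESET_THRESHOLD_BYTES = 1024 * 1024   # file size, bytes ("1024K")
PREDETERMINED_OBJECT: Tuple[str, str] = ("ftp", "ftp")  # (owner, group)


@dataclass(frozen=True)
class ScriptFile:
    """Static attributes of one malicious web script found on the target host."""
    path: str
    creation_time: float  # seconds since the epoch, e.g. os.stat(path).st_ctime
    size: int             # bytes
    owner: str
    group: str


def creation_time_gaps(files: List[ScriptFile]) -> List[float]:
    """Step S302: for scripts ordered by creation time, return
    abs(file[i+1].creation_time - file[i].creation_time) for each neighbour pair."""
    ordered = sorted(files, key=lambda f: f.creation_time)
    return [abs(later.creation_time - earlier.creation_time)
            for earlier, later in zip(ordered, ordered[1:])]


def infer_upload_cause(files: List[ScriptFile],
                       first_threshold: float = FIRST_PRESET_THRESHOLD_S,
                       second_threshold: int = SECOND_PRESET_THRESHOLD_BYTES,
                       predetermined_object: Tuple[str, str] = PREDETERMINED_OBJECT,
                       ) -> Optional[str]:
    """Steps S302-S308 of the custom algorithm. Returns the inferred cause, or
    None when the conditions are not all satisfied (the page then falls back
    to manual analysis)."""
    if len(files) < 2:
        return None  # a single script has no neighbour to compare with
    # S304, first condition: every gap below the first threshold means the
    # scripts were uploaded together rather than dropped one by one.
    if not all(gap < first_threshold for gap in creation_time_gaps(files)):
        return None
    # S304, second condition: the page's example checks the size of file 1,
    # i.e. the earliest script of the batch.
    first = min(files, key=lambda f: f.creation_time)
    if first.size <= second_threshold:
        return None
    # S306: is the owner of the script the predetermined object?
    if (first.owner, first.group) != predetermined_object:
        return None
    # S308: all conditions hold, so attribute the intrusion to that object's upload.
    return f"upload by predetermined object {first.owner}:{first.group}"


# Constructed sample: five scripts written within 12 s by the ftp account.
SAME_BATCH = [
    ScriptFile(f"/var/ftp/pub/s{i}.php", 1_700_000_000.0 + t, size, "ftp", "ftp")
    for i, (t, size) in enumerate([(0, 2 * 1024 * 1024), (3, 512), (5, 640),
                                   (8, 700), (12, 300)], start=1)
]
# Constructed counter-example: the same files, but the last one lands an hour later.
SPREAD_OUT = SAME_BATCH[:-1] + [
    ScriptFile("/var/ftp/pub/s5.php", 1_700_000_000.0 + 3600, 300, "ftp", "ftp")
]

if __name__ == "__main__":
    print(creation_time_gaps(SAME_BATCH))   # [3.0, 2.0, 3.0, 4.0]
    print(infer_upload_cause(SAME_BATCH))   # upload by predetermined object ftp:ftp
    print(infer_upload_cause(SPREAD_OUT))   # None
```

The thresholds are parameters rather than literals so that an analyst can tune the "uploaded at the same time" window per host; a None result is deliberately distinct from a negative verdict, since the page routes it to manual analysis and later to a new static rule.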
As shown in fig. 4(a), taking a Webshell as the malicious web script, the method for acquiring a network behavior of the present application is described by way of example:
Step A: acquiring the attribute information of the Webshell.
In the step a, when the target host is found to store the Webshell, the target host is considered to be invaded. The method for acquiring the network behavior in the embodiment of the application needs to acquire the attribute information of the Webshell, wherein the attribute information comprises one or more of the following: MD5, file path, file content, and owner.
Step B: matching character strings and applying the custom algorithm.
In step B, after the attribute information of the Webshell is obtained, the preset static rule base can be searched for a character string matching the attribute information. In this embodiment, the main content of the static rule base is character strings describing values in several dimensions, such as the MD5, the file path and the file content, together with the network behavior corresponding to each character string. It can be understood that the attribute information of a Webshell is in fact richer, including the file size, file remarks, file header, file encoding, owner, file creation time, access time, and the like, and the network behavior acquisition method of the present application can build the static rule base from these more complex dimensions. The static rules are collected mainly from automated intrusion attack tools and from widely circulated write-ups of intrusion techniques on the Internet; in addition, the network behavior obtained from each manual intrusion analysis can also enrich the static rule base.
If the static rule base contains no character string matching the attribute information, the method for acquiring the network behavior in the embodiment of the present application analyzes the reason why the target host was invaded with a custom algorithm: if no such character string exists, calculating the absolute value of the file creation time difference between the malicious webpage script and the next malicious webpage script, wherein the next malicious webpage script is the first malicious webpage script created after the malicious webpage script; judging whether the absolute value is smaller than a first preset threshold and whether the size of the malicious webpage script is larger than a second preset threshold; if so, judging whether the owner of the malicious webpage script is a predetermined object; and if so, determining that the reason why the target host was invaded is an upload by the predetermined object.
Step C: acquiring the reason why the target host was invaded.
In the above step C of the present application, when the preset static rule base is searched for a character string matching the attribute information and such a character string is found, the reason why the target host was invaded is considered to be the network behavior corresponding to the matched character string. For example, if the MD5 of a malicious web script is "80107f4688070123d20a9C54622601db", the static rule base is searched for a character string matching "80107f4688070123d20a9C54622601db"; if one exists, the reason why the target host was invaded is considered to be the network behavior corresponding to that character string, that is, an XX system code execution vulnerability. As another example, if the file path of a malicious web script contains "/server/default/tmp/deploid/", the static rule base is searched for a character string whose file path contains "/server/default/tmp/deploid/", and the reason why the target host was invaded is considered to be the network behavior corresponding to that character string, that is, jjs — LL.
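Steps B and C, the static rule base lookup, as an added example that is not part of the patent or of the assignee's code. It shows the three matching modes the page describes: an exact match on the MD5, a substring match on the file path, and a preset regular expression over several dimensions at once (path, owner and content joined with "|", a convention chosen here). The path "/server/default/tmp/deploid/" and the behavior "XX system code execution vulnerability" come from the page; the Rule and ScriptAttributes records, the sample content, the other patterns and the placeholder behavior names are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One entry of the static rule base: a character string in one dimension
    (MD5, file path, or a regular expression spanning several dimensions) and
    the network behavior it corresponds to. Field names are constructed here."""
    behavior: str
    md5: Optional[str] = None            # exact, case-insensitive match on the file's MD5
    path_contains: Optional[str] = None  # substring of the file path
    regex: Optional[str] = None          # pattern over "path|owner|content" (joined below)


@dataclass
class ScriptAttributes:
    """Attribute information acquired from the malicious web script (step A)."""
    path: str
    content: bytes
    owner: str
    md5: str = field(init=False)

    def __post_init__(self) -> None:
        self.md5 = hashlib.md5(self.content).hexdigest()


def match_static_rule_base(attrs: ScriptAttributes, rules: List[Rule]) -> Optional[str]:
    """Steps B/C: return the network behavior of the first rule whose character
    string matches the attribute information, or None when nothing matches
    (the page then continues with the custom algorithm)."""
    joined = f"{attrs.path}|{attrs.owner}|{attrs.content.decode('utf-8', 'replace')}"
    for rule in rules:
        if rule.md5 is not None and rule.md5.lower() == attrs.md5.lower():
            return rule.behavior
        if rule.path_contains is not None and rule.path_contains in attrs.path:
            return rule.behavior
        # Two or more dimensions at once: a preset regular expression over the
        # joined "path|owner|content" string, as the page describes for step S30.
        if rule.regex is not None and re.search(rule.regex, joined):
            return rule.behavior
    return None


# Constructed sample rule base. The path "/server/default/tmp/deploid/" and the
# behavior "XX system code execution vulnerability" are taken from the page; the
# sample content and the remaining patterns and names are placeholders.
KNOWN_SAMPLE = b"constructed sample body of a known malicious script"
RULES = [
    Rule("XX system code execution vulnerability",
         md5=hashlib.md5(KNOWN_SAMPLE).hexdigest()),
    Rule("network behavior recorded for the deploy-directory rule (placeholder)",
         path_contains="/server/default/tmp/deploid/"),
    # Combined dimensions: a script under the web root owned by the web user
    # (constructed pattern standing in for a rule an analyst would add).
    Rule("upload through the web application (placeholder)",
         regex=r"^/var/www/[^|]*\|www-data\|"),
]


def lookup(path: str, content: bytes, owner: str,
           rules: List[Rule] = RULES) -> Optional[str]:
    """Convenience wrapper: acquire the attributes, then consult the rule base."""
    return match_static_rule_base(ScriptAttributes(path, content, owner), rules)


if __name__ == "__main__":
    print(lookup("/tmp/a.jsp", KNOWN_SAMPLE, "root"))
    print(lookup("/server/default/tmp/deploid/x.jsp", b"other", "jboss"))
    print(lookup("/var/www/html/u.php", b"other", "www-data"))
    print(lookup("/home/user/n.php", b"other", "user"))   # None
```

Rules are tried in order and the first hit wins, so the most specific evidence (an exact hash) is listed before broader path or regex rules; the MD5 is computed from the file content rather than trusted from elsewhere, which is what makes the hash dimension usable even when the host's logs are gone.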
As another example:
    if (number of malicious web scripts > 5) {
        file creation time difference 1 = abs(file 2.creation time - file 1.creation time)  // take the absolute value of the file creation time difference
        file creation time difference 2 = abs(file 3.creation time - file 2.creation time)
        file creation time difference 3 = abs(file 4.creation time - file 3.creation time)
        file creation time difference 4 = abs(file 5.creation time - file 4.creation time)
        if (file creation time difference 1 < 10s && file creation time difference 2 < 10s && file creation time difference 3 < 10s && file creation time difference 4 < 10s) && (second condition, garbled in the original) {
[Figure GDA0002473934220000121: the remainder of the pseudo-code is available only as an image in the original]
Step D: automatically calling the vulnerability repair interface.
In the above step D of the present application, the reason why the target host was invaded can be analyzed quickly from the static attributes (i.e. the attribute information) of the file. Once that reason has been analyzed, the vulnerability is repaired by automatically calling the vulnerability repair interface for the target host; in the course of this call, the IP address of the target host and the determined reason for the intrusion can be transmitted to the vulnerability repair interface.
Step E: the reason for the intrusion is not found.
In the step E, if the reason why the target host is invaded is not found through the static feature library matching and the custom algorithm, the reason why the target host is invaded is manually analyzed.
Step F: manually analyzing the reason why the target host was invaded.
In the step F, after the reason why the target host is invaded is manually analyzed, the rule is added to the static rule base.
This therefore solves the problem in the prior art that the reason why a host was invaded cannot be analyzed accurately and comprehensively because part of the logs is lost under excessive cloud traffic, a problem that greatly threatens the security of the host.
In an alternative solution provided by the foregoing embodiment of the present application, as shown in fig. 4(b), the method for acquiring a website behavior according to the embodiment of the present application may include the following steps:
Step a: acquiring attribute information of the malicious webpage script.
The malicious webpage script is a file stored in the target host.
Step b: searching whether a character string matching the attribute information exists in a preset static rule base.
Wherein the static rule base includes: at least one character string and the network behavior corresponding to each character string.
Step c: if such a character string exists, reading the network behavior corresponding to the character string matching the attribute information, and determining that the reason why the target host was invaded is the network behavior corresponding to that character string.
Step d: automatically calling the vulnerability repair interface to repair the vulnerability of the target host.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
Example 2
According to the embodiment of the present application, there is also provided an embodiment of an apparatus for implementing the above method embodiment, where the apparatus provided by the above embodiment of the present application can be run on a computer terminal.
Fig. 5 is a schematic structural diagram of an apparatus for acquiring network behavior according to an embodiment of the present application.
As shown in fig. 5, the acquiring means of the network behavior may include an acquiring unit 502, a matching unit 504, and a first determining unit 506.
The acquiring unit 502 is configured to acquire attribute information of a malicious web script, where the malicious web script is a file stored in a target host; a matching unit 504, configured to search, according to the attribute information, whether a character string matching the attribute information exists in a preset static rule base, where the static rule base includes: at least one character string and a network behavior corresponding to any character string; a first determining unit 506, configured to, if there is a character string matching the attribute information, read a network behavior corresponding to the character string matching the attribute information, and determine that a cause of the intrusion of the target host is the network behavior corresponding to the character string.
Therefore, according to the scheme provided by the second embodiment of the application, the reason that the host is invaded is analyzed according to the static attribute of the malicious webpage script, the access log is not relied on, even if the access log is lost, the analysis can be performed, vulnerability repair can be performed on the host after the reason that the host is invaded is determined, the host is prevented from being invaded again, the purpose of accurately analyzing the reason that the host is invaded is achieved, the technical effect of improving the safety of the host is achieved, and the technical problem that the reason that the host is invaded cannot be accurately analyzed due to the fact that the host is invaded based on the access log in the prior art is solved.
It should be noted here that the acquiring unit 502, the matching unit 504, and the first determining unit 506 correspond to steps S202 to S206 in the first embodiment; the examples and application scenarios implemented by these three modules are the same as those of the corresponding steps, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of the apparatus may run in the computer terminal 10 provided in the first embodiment, and may be implemented by software or hardware.
Optionally, the attribute information includes one or more of the following: the Message Digest Algorithm 5 (MD5) value, the file path, the file content, and the owner.
Optionally, in a case that the attribute information includes the MD5, the file path, the file content, or the owner, the matching unit 504 is configured to perform the following steps to find whether a character string matching the attribute information exists from a preset static rule base according to the attribute information: looking up from the static rule base whether the character string containing the MD5, the file path, the file content, or the owner exists.
Optionally, as shown in fig. 6, in a case that the attribute information includes the MD5, the matching unit 504 includes: a calculation module 602 and a lookup module 604.
The computing module 602 is configured to perform a HASH algorithm on the MD5 to obtain signature information of the malicious webpage script; a searching module 604, configured to search the static rule base for whether the character string containing the signature information exists.
It should be noted here that the calculating module 602 and the searching module 604 correspond to steps S20 to S22 in the first embodiment; the examples and application scenarios implemented by these two modules are the same as those of the corresponding steps, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of the apparatus may run in the computer terminal 10 provided in the first embodiment, and may be implemented by software or hardware.
Optionally, in a case that the attribute information includes at least two of the file path, the file content, and the owner, the matching unit 504 is configured to perform the following step to find whether a character string matching the attribute information exists in the preset static rule base: calling a preset regular expression, and searching whether the static rule base contains character strings matching at least two of the file path, the file content, and the owner.
Optionally, as shown in fig. 7, the apparatus for acquiring the network behavior may further include: a calculating unit 702, a first judging unit 704, a second judging unit 706, and a second determining unit 708.
The calculating unit 702 is configured to calculate, if no character string matching the attribute information exists, the absolute value of the file creation time difference between the malicious web script and the subsequent malicious web script, where the subsequent malicious web script is the first malicious web script created after the malicious web script; the first judging unit 704 is configured to judge whether the absolute value is smaller than a first preset threshold and whether the size of the malicious web script is larger than a second preset threshold; the second judging unit 706 is configured to judge, if so, whether the owner of the malicious web script is a predetermined object; and the second determining unit 708 is configured to determine, if so, that the reason for the intrusion of the target host is an upload by the predetermined object.
It should be noted here that the calculating unit 702, the first judging unit 704, the second judging unit 706, and the second determining unit 708 correspond to steps S302 to S308 in the first embodiment; the examples and application scenarios implemented by these four modules are the same as those of the corresponding steps, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of the apparatus may run in the computer terminal 10 provided in the first embodiment, and may be implemented by software or hardware.
This therefore solves the problem in the prior art that the reason why a host was invaded cannot be analyzed accurately and comprehensively because part of the logs is lost under excessive cloud traffic, a problem that greatly threatens the security of the host.
Example 3
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for executing the network behavior acquisition method provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring attribute information of a malicious webpage script, wherein the malicious webpage script is a file stored in a target host; searching whether a character string matched with the attribute information exists in a preset static rule base according to the attribute information, wherein the static rule base comprises: at least one character string and a network behavior corresponding to any character string; and if so, reading the network behavior corresponding to the character string matched with the attribute information, and determining that the reason why the target host is invaded is the network behavior corresponding to the character string.
Optionally, the storage medium is further arranged to store program code for performing the steps of: looking up from the static rule base whether the character string containing the MD5, the file path, the file content, or the owner exists.
Optionally, the storage medium is further arranged to store program code for performing the steps of: performing a HASH algorithm on the MD5 to obtain signature information of the malicious webpage script; and searching whether the character string containing the signature information exists in the static rule base.
Optionally, the storage medium is further arranged to store program code for performing the following step: calling a preset regular expression, and searching whether the static rule base contains character strings matching at least two of the file path, the file content, and the owner.
Optionally, the storage medium is further arranged to store program code for performing the following steps: if no matching character string exists, calculating the absolute value of the file creation time difference between the malicious webpage script and the next malicious webpage script, wherein the next malicious webpage script is the first malicious webpage script created after the malicious webpage script; judging whether the absolute value is smaller than a first preset threshold and whether the size of the malicious webpage script is larger than a second preset threshold; if yes, judging whether the owner of the malicious webpage script is a predetermined object; and if so, determining that the reason why the target host was invaded is an upload by the predetermined object.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Optionally, the specific example in this embodiment may refer to the example described in embodiment 1 above, and this embodiment is not described again here.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative; for example, the division into units is only one division by logical function, and there may be other divisions in actual implementation: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, units or modules, and may be electrical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (9)

1. A method for acquiring network behavior is characterized by comprising the following steps:
acquiring attribute information of a malicious webpage script, wherein the malicious webpage script is a file stored in a target host;
searching whether a character string matched with the attribute information exists in a preset static rule base, wherein the static rule base comprises: at least one character string and a network behavior corresponding to any character string;
if so, reading the network behavior corresponding to the character string matched with the attribute information, and determining that the reason why the target host is invaded is the network behavior corresponding to the character string;
in a case where there are multiple malicious web scripts, the method further includes: if no matching character string exists, calculating the absolute value of the file creation time difference between the malicious webpage script and the next malicious webpage script, wherein the next malicious webpage script is the first malicious webpage script created after the malicious webpage script; judging whether the absolute value is smaller than a first preset threshold and whether the size of the malicious webpage script is larger than a second preset threshold; if yes, judging whether the owner of the malicious webpage script is a predetermined object; and if so, determining that the reason why the target host was invaded is an upload by the predetermined object.
2. The method of claim 1, wherein the attribute information comprises one or more of the following: the Message Digest Algorithm 5 (MD5) value, the file path, the file content, and the owner.
3. The method according to claim 2, wherein in a case that the attribute information includes the MD5, the file path, the file content, or the owner, the searching whether a character string matching the attribute information exists from a preset static rule base according to the attribute information comprises:
looking up from the static rule base whether the character string containing the MD5, the file path, the file content, or the owner exists.
4. The method according to claim 2, wherein in a case that the attribute information includes the MD5, the searching whether a character string matching the attribute information exists from a preset static rule base according to the attribute information comprises:
performing a HASH algorithm on the MD5 to obtain signature information of the malicious webpage script;
and searching whether the character string containing the signature information exists in the static rule base.
5. The method according to claim 2, wherein in a case that the attribute information includes at least two of the file path, the file content, and the owner, the searching whether a character string matching the attribute information exists in a preset static rule base according to the attribute information comprises:
calling a preset regular expression, and searching whether the static rule base contains character strings matching at least two of the file path, the file content, and the owner.
6. An apparatus for acquiring network behavior, comprising:
the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring attribute information of a malicious webpage script, and the malicious webpage script is a file stored in a target host;
a matching unit, configured to search, from a preset static rule base, whether a character string matching the attribute information exists, where the static rule base includes: at least one character string and a network behavior corresponding to any character string;
a first determining unit, configured to, in the presence of a character string matching the attribute information, read the network behavior corresponding to the character string matching the attribute information and determine that the cause of the target host being invaded is the network behavior corresponding to that character string, and, in the case that there are multiple malicious web scripts: if no matching character string exists, calculate the absolute value of the file creation time difference between the malicious webpage script and the next malicious webpage script, wherein the next malicious webpage script is the first malicious webpage script created after the malicious webpage script; judge whether the absolute value is smaller than a first preset threshold and whether the size of the malicious webpage script is larger than a second preset threshold; if yes, judge whether the owner of the malicious webpage script is a predetermined object; and if so, determine that the reason why the target host was invaded is an upload by the predetermined object.
7. The apparatus of claim 6, wherein the attribute information comprises one or more of: the Message Digest Algorithm 5 (MD5) value, the file path, the file content, and the owner.
8. The apparatus according to claim 7, wherein the matching unit is further configured to, in a case that the attribute information includes the MD5, the file path, the file content, or the owner, perform the following steps to find whether a character string matching the attribute information exists from a preset static rule base according to the attribute information: looking up from the static rule base whether the character string containing the MD5, the file path, the file content, or the owner exists.
9. The apparatus of claim 7, wherein the matching unit is further configured to perform a HASH algorithm on the MD5 to obtain signature information of the malicious webpage script if the attribute information includes the MD 5; and searching whether the character string containing the signature information exists in the static rule base.
CN201510553172.6A 2015-09-01 2015-09-01 Network behavior acquisition method and device Active CN106487771B (en)
Publications (2)

Publication Number Publication Date
CN106487771A CN106487771A (en) 2017-03-08
CN106487771B true CN106487771B (en) 2020-07-24

Family

ID=58237853

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510553172.6A Active CN106487771B (en) 2015-09-01 2015-09-01 Network behavior acquisition method and device

Country Status (1)

Country Link
CN (1) CN106487771B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110659490B (en) * 2019-09-20 2023-02-24 安天科技集团股份有限公司 Malicious sample processing method and device, electronic equipment and storage medium
CN111800405A (en) * 2020-06-29 2020-10-20 深信服科技股份有限公司 Detection method, detection device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101562618A (en) * 2009-04-08 2009-10-21 深圳市腾讯计算机系统有限公司 Method and device for detecting web Trojan
WO2012073233A1 (en) * 2010-11-29 2012-06-07 Biocatch Ltd. Method and device for confirming computer end-user identity

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599947B (en) * 2008-06-06 2014-04-23 盛趣信息技术(上海)有限公司 Trojan horse virus scanning method based on WEB page
CN104253786B (en) * 2013-06-26 2017-07-07 北京思普崚技术有限公司 A kind of deep packet inspection method based on regular expression


Also Published As

Publication number Publication date
CN106487771A (en) 2017-03-08

Similar Documents

Publication Publication Date Title
US20240121266A1 (en) Malicious script detection
CN107026821B (en) Message processing method and device
CN103559441B (en) Cross-platform malicious file detection method and system for a cloud environment
US20160070911A1 (en) Rapid malware inspection of mobile applications
JP6687761B2 (en) Coupling device, coupling method and coupling program
KR101874373B1 (en) A method and apparatus for detecting malicious scripts of obfuscated scripts
CN107302586B (en) Webshell detection method and device, computer device and readable storage medium
CN108667770B (en) Website vulnerability testing method, server and system
CN106992981B (en) Website backdoor detection method and device and computing equipment
CN107463844B (en) WEB Trojan horse detection method and system
CN106534268B (en) Data sharing method and device
CN106815524B (en) Malicious script file detection method and device
US11270001B2 (en) Classification apparatus, classification method, and classification program
US20190306186A1 (en) Upload interface identification method, identification server and system, and storage medium
JP6708794B2 (en) Judgment device, judgment method, and judgment program
EP2998902B1 (en) Method and apparatus for processing file
CN111371778B (en) Attack group identification method, device, computing equipment and medium
WO2020108357A1 (en) Program classification model training method, program classification method, and device
Paturi et al. Mobile malware visual analytics and similarities of Attack Toolkits (Malware gene analysis)
CN108182360B (en) Risk identification method and equipment, storage medium and electronic equipment thereof
CN112668005A (en) Webshell file detection method and device
CN107786529B (en) Website detection method, device and system
CN106487771B (en) Network behavior acquisition method and device
CN111291288B (en) Webpage link extraction method and system
CN113704569A (en) Information processing method and device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant