CN106534042A - Server invasion identifying method and apparatus based on data analysis and cloud safety system - Google Patents


Info

Publication number
CN106534042A
Authority
CN
China
Prior art keywords
server
data
source data
attack
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510571634.7A
Other languages
Chinese (zh)
Inventor
周来
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201510571634.7A
Publication of CN106534042A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a server invasion identifying method and apparatus based on data analysis and a cloud safety system. The method includes the steps of analyzing attacking source data invading a server from security events recorded by one or more servers, searching the attacking source data in the accessing data of the current server, and determining that the current server is invaded if the access data generated by the attacking source data accessing the current server exists. According to the server invasion identifying scheme based on data analysis, security data recorded by one or more servers under the cloud environment can be effectively exploited and utilized, and the identifying scope can be expanded to multiple servers under the cloud environment.

Description

Server intrusion identification method and apparatus based on data analysis, and cloud security system
Technical field
The application relates to the field of computer technology, and in particular to a server intrusion identification method based on data analysis, a server intrusion identification apparatus based on data analysis, and a cloud security system.
Background technology
As cloud computing becomes more widespread, cloud server users pay increasing attention to cloud server security, and the security of cloud servers has become one of the core competitive strengths of a cloud computing service.
Because cloud server users often lack security awareness and security capability, and because of factors such as the diversity of applications on cloud servers, web vulnerabilities, system vulnerabilities, 0-day vulnerabilities, weak passwords and incorrect server configuration, a large number of cloud servers are compromised by attack sources and turned into zombie hosts ("broilers"), and users' business and data security are seriously threatened. In this context, cloud server security faces a severe challenge, and server intrusion detection is extremely important.
Server intrusion identification means that, after an attack source has broken through the defence system and successfully intruded into a server, the event of the server being intruded is identified in time and the user is notified so that it can be handled. This helps to reduce the user's losses, to control the threat of zombie hosts in the cloud computing environment, and to clean up the cloud computing environment. Therefore, alongside server security defence measures, server intrusion identification is also very important.
Traditional intrusion identification methods include virus and trojan scanning, web backdoor scanning, and server log analysis. For example, the files in the server's web directories are collected and then scanned for webshells in the cloud, or brute-force cracking events are collected and then blocked. However, in such schemes the data that is analysed and detected is all produced by a single server, and the identification scope remains limited to that single server.
Summary of the invention
In view of the above problems, the application is proposed to provide a server intrusion identification method based on data analysis, and a corresponding server intrusion identification apparatus based on data analysis, which overcome the above problems or at least partly solve them.
According to one aspect of the application, a server intrusion identification method based on data analysis is provided, including: parsing, from the security events recorded by one or more servers, the attack source data of attack sources that intruded into servers; searching for the attack source data in the access data of the current server; and, if access data produced by the attack source data accessing the current server exists, determining that the current server has been intruded.
Optionally, the security events recorded by the one or more servers are collected.
Optionally, when the security events include web attack events, collecting the security events recorded by the one or more servers includes: accessing the web application protection system of the server to obtain the web attack events against the server; and/or extracting the mirror data of the server's network traffic and performing rule matching between the mirror data and preset detection rules to obtain the web attack events against the server.
Optionally, when the security events include server brute-force cracking events, collecting the security events recorded by the one or more servers includes: collecting the login log of the server, and obtaining the server brute-force cracking events against the server by analysing the login success events and login failure events contained in the login log.
Optionally, when the security events include denial-of-service attack events, collecting the security events recorded by the one or more servers includes: accessing the distributed denial-of-service attack system of the server to obtain the denial-of-service attack events against the server.
Optionally, searching for the attack source data in the access data of the current server includes: parsing, from the access data of the current server, the login source data of logins to the current server, and searching the parsed login source data for the attack source data; if the login source data is found, determining that access data produced by the attack source data accessing the current server exists.
Optionally, the access data carries a malice coefficient identifying the degree of malice of the attack source data towards the server, and after determining that access data produced by the attack source data accessing the current server exists, the method further includes: determining that the malice coefficient of the found attack source data is greater than a preset threshold.
Optionally, the method further includes: counting the number of attacks and the attack frequency of the attack source data in the security events, and calculating the malice coefficient of the attack source data from the number of attacks and the attack frequency.
Optionally, before determining that the current server has been intruded, the method further includes: determining that the found attack source data had not logged in to the current server before this access; and/or determining that the found attack source data is not commonly used login source data.
Optionally, the method further includes: generating prompt information indicating that the current server has been intruded;
and displaying the prompt information on the current server, and/or pushing the prompt information to a client that accesses the current server.
Optionally, the method further includes: if false-report information fed back by the user on the prompt information indicating that the current server has been intruded is received, reducing the malice coefficient of the attack source data; and/or, if no false-report information fed back by the user on that prompt information is received, increasing the malice coefficient of the attack source data.
Optionally, the method further includes: if no access data produced by the attack source data accessing the current server exists, determining that the current server has not been intruded, and extracting the login source data corresponding to the access data and adding it to the commonly used login source data of the current server.
Optionally, parsing, from the security events recorded by one or more servers, the attack source data of attack sources that intruded into servers includes: parsing, from the security events, the attack source IP addresses of the attack sources that intruded into servers.
Optionally, the method further includes: importing attack source data from outside through a preset interface.
Optionally, the security events include at least one of web attack events, server brute-force cracking events and denial-of-service events.
According to another aspect of the application, a server intrusion identification apparatus based on data analysis is provided, including: an attack source data acquisition module for parsing, from the security events recorded by one or more servers, the attack source data of attack sources that intruded into servers; a data search module for searching for the attack source data in the access data of the current server and determining that access data produced by the attack source data accessing the current server exists; and an intrusion determination module for determining that the current server has been intruded.
Optionally, the apparatus further includes: a security event collection module for collecting the security events recorded by the one or more servers.
Optionally, the access data carries a malice coefficient identifying the degree of malice of the attack source data towards the server, and the apparatus further includes: a malice coefficient judgement module for determining, after it has been determined that access data produced by the attack source data accessing the current server exists, that the malice coefficient of the found attack source data is greater than a preset threshold.
Optionally, the apparatus further includes: a historical login determination module for determining, before the current server is determined to have been intruded, that the found attack source data had not logged in to the current server before this access; and/or a commonly used login determination module for determining, before the current server is determined to have been intruded, that the found attack source data is not commonly used login source data.
According to yet another aspect of the application, a cloud security system is provided, including a current server and an attack source database. The attack source database is used for parsing, from the security events recorded by one or more servers, the attack source data of attack sources that intruded into servers. The current server includes: a data search module for searching for the attack source data in the access data of the current server; and an intrusion judgement module for determining, if access data produced by the attack source data accessing the current server exists, that the current server has been intruded.
According to the embodiments of the application, the attack source data of attack sources that attacked servers is parsed from the massive security events recorded by one or more servers in the cloud computing environment, and the attack source data is searched for in the access data of the current server; when access data corresponding to the attack source data exists, the current server is identified as intruded. In this way the security data recorded by one or more servers in the cloud environment is sufficiently and effectively mined and utilised, and the identification scope can be extended to multiple servers in the cloud environment.
The above is only an overview of the technical solution of the application. In order that the technical means of the application may be understood more clearly and carried out according to the content of the description, and in order that the above and other objects, features and advantages of the application may become more apparent, the specific embodiments of the application are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the application. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a server intrusion identification method based on data analysis according to one embodiment of the application;
Fig. 2 shows a flow chart of a server intrusion identification method based on data analysis according to another embodiment of the application;
Fig. 3 shows a schematic diagram of collecting malicious IPs in an example of the embodiments of the application;
Fig. 4 shows a schematic diagram of the server intrusion identification process in an example of the embodiments of the application;
Fig. 5 shows a structural block diagram of a server intrusion identification apparatus based on data analysis according to one embodiment of the application;
Fig. 6 shows a structural block diagram of a server intrusion identification apparatus based on data analysis according to another embodiment of the application;
Fig. 7 shows a structural block diagram of a cloud security system according to one embodiment of the application.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
With reference to Fig. 1, a flow chart of a server intrusion identification method based on data analysis according to one embodiment of the application is shown. The method may specifically include the following steps:
Step 101: parse, from the security events recorded by one or more servers, the attack source data of attack sources that intruded into servers.
Security events that have occurred are recorded on the servers in the cloud cluster. A security event is an attack suffered by a server, such as a web attack event, a server password brute-force cracking event, or a server login log entry. The application can extract security events from one of the servers, or extract them from several servers respectively, as the basis for the subsequent analysis.
The security events recorded by a server include information about the attack source that attacked the server, denoted attack source data. In the embodiments of the application, attack source data can be information identifying the attack source that intruded into the server; specifically it can be a network address (such as an IP address or MAC address), an identifier of the actual geographic location of the attack source, a device identifier of the server or terminal where the attack source is located, or any other suitable kind of information.
The attack source data originates from the various ways in which the whole cloud computing platform is attacked. With the spread of cloud computing and the growth in cloud server users, the data volume will keep increasing and the attack categories will become richer, so using attack event analysis for server intrusion identification will produce greater value, and the analysis becomes more effective as the volume of attack data increases, which benefits comprehensive server security defence.
Step 102: search for the attack source data in the access data of the current server.
After the attack source information has been parsed from the security events that occurred in the past, the access behaviour occurring on a given current server can be monitored further. The access behaviour occurring on the current server can be recorded as access data, and the attack source data is then searched for in the access data of the current server to determine whether the access data contains access data produced by an attack source attacking the server.
The access data can record various access events of external devices to the current server. For example, the access data can be login data recording the login events of external devices to the current server, or search data recording the search events of external devices to the current server, or data recording other types of access events; the application does not limit this.
The attack source data is searched for in the access data; if all or part of the attack source data exists in the access data, it is determined that the current server has been intruded.
Step 103: if access data produced by the attack source data accessing the current server exists, determine that the current server has been intruded.
If the attack source data is found in the access data of the current server, it can be determined that access data produced by the attack source data accessing the current server exists, and therefore the current server has been intruded by the attack source.
According to the embodiments of the application, the attack source data of attack sources that attacked servers is parsed from the massive security events recorded by one or more servers in the cloud computing environment, and the attack source data is searched for in the access data of the current server; when access data corresponding to the attack source data exists, the current server is identified as intruded. In this way the security data recorded by one or more servers in the cloud environment is sufficiently and effectively mined and utilised, and the identification scope can be extended to multiple servers in the cloud environment. In a preferred embodiment of the application, step 102 may include:
Sub-step S1: parse, from the access data of the current server, the login source data of logins to the current server, and search the parsed login source data for the attack source data.
Sub-step S2: if the login source data is found, determine that access data produced by the attack source data accessing the current server exists.
The access data of the current server records the login source data of the visitors that accessed the current server. Because the access data can record one or many accesses to the current server, the login source data can correspond to the login information of one or more visitors. Login source data and attack source data can be data of the same type, both identifying the visitor that logs in to the server. When the login source data of a visitor is identical to the attack source data of an attack source, that visitor can be determined to be an attack source. Therefore, it can be searched whether access data of the current server exists whose recorded login source data contains at least one attack source; if so, it can be determined that the existing access data was produced by the attack source corresponding to the attack source data accessing the current server.
In the embodiments of the application, attack source data can be various kinds of information used to identify the attack source that attacked the server. The embodiments preferably use the IP address of the attack source as the attack source data, and parsing the attack source data of the attack sources that intruded into each server from the security events may include:
Sub-step S3: parse, from the security events, the attack source IP addresses of the attack sources that intruded into servers.
With reference to Fig. 2, a flow chart of a server intrusion identification method based on data analysis according to another embodiment of the application is shown. The method may specifically include the following steps:
Step 201: collect the security events recorded by one or more servers.
In a preferred embodiment of the application, the security events can include at least one of web attack events, server brute-force cracking events and denial-of-service attack events, and may also include other types of security events recorded by other systems, according to the actual application environment. The source of the security events can be the cloud security related systems deployed on the servers, or any other source that can provide security events; the application is not restricted in this respect.
Further preferably, when the security events include web attack events, collecting the security events recorded by one or more servers in step 201 may include:
Sub-step S4: access the web application protection system of the server to obtain the web attack events against the server.
And/or sub-step S5: extract the mirror data of the server's network traffic, and perform rule matching between the mirror data and preset detection rules to obtain the web attack events against the server.
In one example of the application, the web attack events can be obtained through a web application protection system. A web application protection system is used to protect against web attacks on the server. Taking a web application firewall as an example, a web application firewall provides protection specifically for web applications by executing a series of security policies for the network protocol: it parses the HTTP requests initiated by web clients, inspects their content, rejects requests that do not conform to the HTTP standard, and only allows the permitted options of the HTTP protocol through, thereby reducing the attack surface. Rejected requests are recorded as web attack events, and the recorded web attack events can be obtained by accessing the web application firewall.
In another example of the application, the web attack events can also be obtained by analysing network traffic. The mirror data of the network traffic of the server's communication with external devices can be collected in advance. For example, a web application firewall can be connected into the network in series or in bypass mode to replicate the mirror data of the network traffic accessing the server; or a collection device can be placed between the web server and the network routing device to replicate the mirror data; or the mirror data of the network traffic can be collected in any other suitable way.
Further, according to detection rules preset for attacks, the mirror data is rule-matched against the detection rules to obtain the web attack events against each server. The specific detection rules can be set according to the practical application, for example whether the mirror data contains, or does not contain, a specific keyword, or whether the number of occurrences of a specific keyword exceeds or falls below a certain threshold, so that the web attack events matching the rules can be extracted from the mirror data of the network traffic.
In a preferred embodiment of the application, when the security events include server brute-force cracking events, collecting the security events recorded by one or more servers in step 201 may include:
Sub-step S6: collect the login log of the server, and obtain the server brute-force cracking events against the server by analysing the login success events and login failure events contained in the login log.
A brute-force cracking attack means that the attack source systematically tries all possible combinations of login information in an attempt to crack the server's login credentials; during these repeated login attempts, login success events and login failure events are recorded in the server's login log.
If several login failure events from the same login source data occur, it can be determined that a brute-force cracking event is occurring; if, after several login failure events, a login success event appears, it can be considered that the login succeeded by brute-force cracking. In the embodiments of the application, whether a brute-force cracking event from a given login source has occurred can be determined from the number of login failure events occurring within a continuous preset time period, and if a login success event from that login source is further found after the multiple login failure events, the brute-force cracking event is recorded.
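How sub-step S6 can turn a collected login log into brute-force cracking events, as an added example that is neither part of the patent nor Alibaba's code. It assumes a constructed, simplified log line format and assumed values for the preset time period (five minutes) and the number of failures that count as a burst (five); the source IPs it yields are the attack source data that step 202 later parses out.

```python
"""Sub-step S6: brute-force cracking events from a server login log.
Added example, not code from the patent or from Alibaba. Assumes a constructed
login-log line format "<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>";
the preset time period (window) and failure count (max_failures) are assumed values."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<outcome>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

@dataclass
class LoginEvent:
    ts: datetime
    success: bool
    user: str
    src: str            # login source data: the visitor's IP address

@dataclass
class BruteForceEvent:
    src: str            # attack source data, later parsed out in step 202
    failures: int
    first_failure: datetime
    last_event: datetime
    succeeded: bool     # True when a LOGIN_OK followed the failure burst

def parse_login_log(lines):
    """Parse the collected login log; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(datetime.fromisoformat(m["ts"]),
                                     m["outcome"] == "LOGIN_OK", m["user"], m["src"]))
    events.sort(key=lambda e: e.ts)   # logs gathered from several sources may be unordered
    return events

def extract_brute_force_events(events, window=timedelta(minutes=5), max_failures=5):
    """One BruteForceEvent per source reaching max_failures failures inside `window`.
    A LOGIN_OK from that source while the burst is still inside the window marks
    the event as a login that succeeded by brute force."""
    failures = defaultdict(deque)   # src -> timestamps of LOGIN_FAIL inside the window
    open_events = {}                # src -> BruteForceEvent not yet closed
    results = []
    for e in events:
        q = failures[e.src]
        while q and e.ts - q[0] > window:     # drop failures older than the preset period
            q.popleft()
        if not q:                              # burst aged out: any open event is over
            open_events.pop(e.src, None)
        if not e.success:
            q.append(e.ts)
            if len(q) < max_failures:
                continue
            ev = open_events.get(e.src)
            if ev is None:
                ev = BruteForceEvent(e.src, len(q), q[0], e.ts, False)
                open_events[e.src] = ev
                results.append(ev)
            else:
                ev.failures += 1
                ev.last_event = e.ts
        else:
            ev = open_events.pop(e.src, None)
            if ev is not None:                 # success right after a failure burst
                ev.succeeded = True
                ev.last_event = e.ts
            q.clear()                          # a successful login ends the failure run
    return results

def attack_source_ips(events):
    """Attack source data (sub-step S3): the source IPs of the recorded events."""
    return sorted({ev.src for ev in events})

# Constructed sample log: a burst ending in a successful login, a legitimate user
# with one typo, a burst still running, and a malformed line.
SAMPLE_LOG = """\
2024-03-01T10:00:01 LOGIN_FAIL user=root src=203.0.113.7
2024-03-01T10:00:03 LOGIN_FAIL user=root src=203.0.113.7
2024-03-01T10:00:04 LOGIN_OK user=alice src=198.51.100.20
2024-03-01T10:00:05 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T10:00:07 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T10:00:09 LOGIN_FAIL user=root src=203.0.113.7
2024-03-01T10:00:12 LOGIN_OK user=root src=203.0.113.7
2024-03-01T10:30:00 LOGIN_FAIL user=bob src=198.51.100.20
2024-03-01T10:31:00 LOGIN_OK user=bob src=198.51.100.20
2024-03-01T11:00:00 LOGIN_FAIL user=root src=192.0.2.44
2024-03-01T11:00:01 LOGIN_FAIL user=root src=192.0.2.44
2024-03-01T11:00:02 LOGIN_FAIL user=root src=192.0.2.44
2024-03-01T11:00:03 LOGIN_FAIL user=root src=192.0.2.44
2024-03-01T11:00:04 LOGIN_FAIL user=root src=192.0.2.44
2024-03-01T11:00:05 LOGIN_FAIL user=root src=192.0.2.44
this line is malformed and is skipped
"""

def run_sample():
    return extract_brute_force_events(parse_login_log(SAMPLE_LOG.splitlines()))
```

On the sample log, 203.0.113.7 is recorded as a burst that ended in a successful login and 192.0.2.44 as a burst still in progress, while bob's single typo produces no event.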
In a preferred embodiment of the application, when the security events include denial-of-service attack events, collecting the security events recorded by one or more servers in step 201 includes:
Sub-step S7: access the distributed denial-of-service attack system of the server to obtain the denial-of-service attack events against the server.
Distributed denial of service (DDoS) refers to joining many computers together as an attack platform by means of client/server technology and launching a DDoS attack against one or more targets, thereby multiplying the power of the denial-of-service attack. Typically, the attack source installs the DDoS master program on one computer using a stolen account; at a set time the master program communicates with a large number of agent programs that have been installed on many computers on the network, and the agents launch the attack when they receive the instruction. Using client/server technology, the master program can activate hundreds or thousands of agents within seconds. In the embodiments of the application, the denial-of-service attacks recorded by the DDoS system installed on the servers in the cloud cluster are extracted. Specifically they can be obtained by accessing a target file, or by requesting them from the DDoS system.
Different from the background scheme, which performs intrusion identification on security data collected from the server's web clients, the above preferred examples of the application can extract the security events collected by the server's cloud security related systems and accordingly provide a brand-new intrusion identification method.
In implementation, the security events of the current server can also be obtained from other kinds of risk control data; the application is not limited to this.
Step 202: parse, from the security events recorded by one or more servers, the attack source data of attack sources that intruded into servers.
Step 203: import attack source data from outside through a preset interface.
Attack source data may come from various forms of hacker attack such as server password brute-force cracking events or web attack events, and may also come from a malicious attack source database provided by a third-party institution.
In this embodiment, attack source data may come from an external third-party platform: a preset interface is provided for the third-party platform, and the attack source data sent by the third-party platform is received through the preset interface.
Step 204: count the number of attacks and the attack frequency of the attack source data in the security events, and calculate the malice coefficient of the attack source data from the number of attacks and the attack frequency.
In this embodiment, the access data carries a malice coefficient identifying the degree of malice of the attack source data towards the server. The size of the malice coefficient is related to the number of attacks and the attack frequency of the attack source against the server, and the malice coefficient is directly proportional to both. The embodiments of the application preferably use the product of the number of attacks and the attack frequency as the malice coefficient of the attack source data; in a concrete implementation, the malice coefficient can be obtained from the number of attacks and the attack frequency by any suitable calculation.
Step 205: search for the attack source data in the access data of the current server.
Step 206: determine that access data produced by the attack source data accessing the current server exists.
Step 207: determine that the malice coefficient of the found attack source data is greater than a preset threshold.
Unlike the previous embodiment, in this embodiment, after determining that access data produced by the attack source data accessing the current server exists and before determining that the current server has been intruded, several further judgements are required.
First, the malice coefficient of the access data of the attack source data is judged: if the malice coefficient is high, above a certain preset threshold, the next judgement is entered; if the malice coefficient is not greater than the preset threshold, it is determined that the current server has not been intruded.
Step 208: determine that the found attack source data had not logged in to the current server before this access.
After determining that the malice coefficient of the found attack source data is greater than the preset threshold, it is further determined whether the attack source data had logged in to the current server before this access. Specifically, the historical login information on the current server, which records the login source data of the visitors that logged in to the current server in the past, can be searched, and the attack source data is matched against the historical login information. If the attack source data is not found in the historical login information, the attack source data had not logged in to the current server before, and the next judgement is entered. Otherwise, if it is determined that the attack source data had logged in to the current server before, that login source data was not intercepted at the time, so this access produced by the login source data can be determined to be safe, and the current server has not been intruded.
Step 209: determine that the found attack source data is not commonly used login source data.
In this embodiment, commonly used login source data is preset; it is login source data that meets a certain login-count requirement. After it has been determined that the found attack source data had not logged in to the current server before this access, the login source data is further matched against the commonly used login source data; if it matches, the login source data is commonly used login source data; if it does not match, step 210 is entered.
Preferably, the attack source data can be the visitor's IP address, and the commonly used login source data can be the commonly used IP addresses together with the actual geographic locations derived by analysing those IP addresses. When matching the attack source data against the commonly used login source data, it can be judged whether the IP address corresponding to the access data is a commonly used IP address, or whether the geographic location of the IP address corresponding to the access data is the geographic location corresponding to a commonly used IP address or has a certain matching relationship with it.
Step 210: determine that the current server has been intruded.
Through the above judgements, when the attack source data is present in the access data, its malice coefficient is greater than the preset threshold, it had not logged in to the current server before this access, and it does not belong to the commonly used login source data, it can be determined that the current server has been intruded by the attack source data. Compared with the previous embodiment, this embodiment adds several judgement conditions; if any one of them is not satisfied, it is determined that the current server has not been intruded. By introducing the malice coefficient as a judgement condition, the access data can be judged in association with the commonly used login source data of the current server, and also in association with the historical login information, so that misjudgements caused by simply matching the attack source data can be excluded.
In implementing, above-mentioned each judges that the sequencing of step can be adjusted according to the actual requirements It is whole, and wherein one or more can be performed as needed judge step, the application is not done to this Limit.
Step 211, generating prompt information notifying that the current server has been intruded.
If the current server has been intruded, corresponding prompt information can be generated. The prompt information may include various items such as the attack source data, the intruded server and the time of the intrusion, and may take any suitable form, such as text, pictures, audio, video or a combination of these.
Step 212, displaying the prompt information on the current server, and/or issuing the prompt information to a client accessing the current server.
Displaying the prompt information on the current server is for reference by the administrator of the current server. If the current server is configured with a corresponding client, the prompt information can also be issued to that client, for reference by an administrator managing the current server remotely.
Step 213, if false-alarm information fed back by a user in response to the prompt information that the current server has been intruded is received, reducing the malice coefficient of the attack source data.
After a user views the displayed prompt information, if the user finds from practical experience that the attack source data which the above judgement determined to have intruded the server actually produced the access data of a safe visitor, the user can report a false alarm for this prompt information through a preset interface on the user interface. Upon receiving the false-alarm information, the malice coefficient of the attack source data is reduced accordingly, so that at the next judgement the current server is not misjudged as intruded because of the relatively large malice coefficient of that attack source data.
Step 214, if no false-alarm information fed back by a user in response to the prompt information that the current server has been intruded is received, increasing the malice coefficient of the attack source data.
If the user does not feed back false-alarm information for the prompt information, the attack source data did indeed cause the server to be intruded, and the malice coefficient of the attack source data can be increased on the basis of this intrusion.
The magnitude of the above adjustments to the malice coefficient can be set according to actual requirements, for example by presetting an increment and a decrement of the malice coefficient, or by calculating different increments and decrements from the number of times the attack source data has intruded servers; the application does not limit this.
Either one or both of the above steps of increasing and decreasing the malice coefficient may be selected for execution; the application does not limit this.
Step 215, if no access data produced by the attack source data accessing the current server exists, determining that the current server has not been intruded, and extracting the login source data corresponding to the access data and adding it to the common login source data of the current server.
In the judgement of step 204 above, when the data search module determines that no access data produced by the attack source data accessing the current server exists, it is certain that the access data was not produced by an attack source of the current server; its corresponding login source data is safe login source data and can further serve as common login source data of the current server. Specifically, the number of occurrences of each login source data can be counted, and when the occurrence count of a login source data reaches a certain preset threshold, it can serve as a common login source of the current server.
According to the embodiments of the application, attack source data of attackers of servers is parsed from the massive security events recorded by one or more servers in a cloud computing environment, the attack source data is searched for in the access data of the current server, and when access data corresponding to the attack source data exists, the current server is identified as intruded. The security data recorded by one or more servers in the cloud environment is thereby mined and used effectively, and the identification range can be extended to multiple servers in the cloud environment.
To help those skilled in the art better understand the application, a server intrusion identification method based on data analysis according to the application is described below by way of a specific example.
Referring to Fig. 3, which, taking an attack source IP as the attack source data, shows a schematic diagram of malicious IP collection in an example of the embodiments of the application. Malicious attack source IPs are extracted from server brute-force events, web attack events, other attack events, or malicious IP libraries provided by third-party organisations, and added to a malicious IP library as the basis for subsequently analysing whether the current server has been intruded.
Referring to Fig. 4, which, taking an attack source IP as the attack source data, shows a schematic diagram of the server intrusion identification process in an example of the embodiments of the application.
Step 1, judge whether the login source IP is in the malicious IP library; if so, execute step 2, otherwise execute step 3.
Step 2, judge whether the malice coefficient of the malicious IP exceeds the threshold; if so, execute step 6, otherwise execute step 4.
Step 3, form the common login addresses and common login source IPs for the server.
Step 4, judge whether the login source IP has logged in to the server before; if so, end the judgement, otherwise execute step 5.
Step 5, judge whether the address of the login source IP is a common login address; if so, end the judgement, otherwise execute step 6.
Step 6, report an abnormal login event and notify the client that the server has been intruded.
Step 7, judge whether the user feeds back a false alarm; if so, execute step 9, otherwise execute step 8.
Step 8, increase the malice index of the malicious IP.
Step 9, reduce the malice index of the malicious IP.
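The following is an added example, not code from the patent, that runs one login through the Fig. 4 flow (steps 1-9), which orders the checks of steps 207-209 as the figure does: a coefficient above the threshold reports immediately, a lower one is still checked against the historical login information and the common login addresses. The threshold, adjustment step, common-login count, the data classes, the IP-to-region table standing in for geolocation and all sample IPs are assumptions.

```python
"""Added example (not the patent's code): one login checked against a malicious
IP library using the Fig. 4 flow. Thresholds, data classes, the geolocation
stand-in and all sample IPs are assumptions."""
from dataclasses import dataclass, field

MALICE_THRESHOLD = 0.5   # assumed preset threshold for the malice coefficient
ADJUST_STEP = 0.1        # assumed fixed increment/decrement applied on feedback
COMMON_LOGIN_MIN = 3     # assumed login count at which a source becomes "common"


@dataclass
class ServerState:
    """Per-server state the patent refers to: historical login information and
    the common login source data (IP addresses and their geographic regions)."""
    history_ips: set = field(default_factory=set)
    common_ips: set = field(default_factory=set)
    common_geo: set = field(default_factory=set)
    login_counts: dict = field(default_factory=dict)


def evaluate_login(server, ip, malice_db, geo_table):
    """Fig. 4 steps 1-6 for one login from `ip`. `malice_db` maps malicious IP ->
    malice coefficient; `geo_table` maps IP -> region (assumed stand-in for IP
    geolocation). Returns (verdict, reason)."""
    geo = geo_table.get(ip, "unknown")
    if ip not in malice_db:                                   # step 1 -> step 3
        # Not an attack source: count it toward the common login sources
        server.login_counts[ip] = server.login_counts.get(ip, 0) + 1
        if server.login_counts[ip] >= COMMON_LOGIN_MIN:
            server.common_ips.add(ip)
            server.common_geo.add(geo)
        return "safe", "not in malicious IP library"
    if malice_db[ip] > MALICE_THRESHOLD:                      # step 2 -> step 6
        return "intruded", "malice coefficient above threshold"
    if ip in server.history_ips:                              # step 4
        return "safe", "logged in to this server before"
    if ip in server.common_ips or geo in server.common_geo:   # step 5
        return "safe", "common login address"
    return "intruded", "first login from an unusual address by a malicious IP"  # step 6


def apply_feedback(malice_db, ip, false_alarm):
    """Steps 7-9: a false-alarm report lowers the coefficient, no report raises it.
    Clamped to [0, 1]; rounding keeps the stored value readable."""
    delta = -ADJUST_STEP if false_alarm else ADJUST_STEP
    malice_db[ip] = round(min(1.0, max(0.0, malice_db[ip] + delta)), 2)
    return malice_db[ip]


def demo():
    """Constructed scenario (sample data, not from the patent); returns the
    verdicts and the adjusted library so they can be checked."""
    malice_db = {"203.0.113.7": 0.9, "198.51.100.5": 0.3, "198.51.100.9": 0.3}
    geo = {"203.0.113.7": "region-A", "198.51.100.5": "region-C",
           "198.51.100.9": "region-B", "192.0.2.10": "region-B"}
    srv = ServerState(history_ips={"192.0.2.10"})
    out = []
    out.append(evaluate_login(srv, "203.0.113.7", malice_db, geo))   # high coefficient
    out.append(evaluate_login(srv, "198.51.100.5", malice_db, geo))  # low, never seen
    apply_feedback(malice_db, "198.51.100.5", false_alarm=True)      # admin reports FP
    for _ in range(COMMON_LOGIN_MIN):                                 # benign admin IP
        out.append(evaluate_login(srv, "192.0.2.10", malice_db, geo))
    out.append(evaluate_login(srv, "198.51.100.9", malice_db, geo))  # admin's region
    srv.history_ips.add("198.51.100.5")
    out.append(evaluate_login(srv, "198.51.100.5", malice_db, geo))  # now in history
    return out, malice_db


if __name__ == "__main__":
    for verdict, reason in demo()[0]:
        print(verdict, "-", reason)
```

Note the effect of step 4 as the patent states it: any IP already present in the historical login information is treated as not intercepted and therefore safe, so a low-coefficient malicious IP that logged in once is never reported again; step 5 likewise clears a malicious IP that merely shares a region with a common login address. A deployment would want both rules bounded (for example by the coefficient, or by age of the prior login) rather than absolute.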
Referring to Fig. 5, which shows a structural block diagram of a server intrusion identification apparatus based on data analysis according to an embodiment of the application, the apparatus may specifically include:
an attack source data acquisition module 301, for parsing, from security events recorded by one or more servers, attack source data of attackers that intruded the servers;
a data search module 302, for searching for the attack source data in the access data of the current server, and determining that access data produced by the attack source data accessing the current server exists;
an intrusion determining module 303, for determining that the current server has been intruded.
In the embodiments of the application, preferably, the security events include at least one of web attack events, server brute-force events and denial-of-service attack events.
In the embodiments of the application, preferably, the data search module includes:
a login source data search submodule, for parsing, from the access data of the current server, the login source data that logged in to the current server, and searching for the parsed login source data in the attack source data;
an attack source access determining submodule, for determining, if the login source data is found, that access data produced by the attack source data accessing the current server exists.
In the embodiments of the application, preferably, the attack source data acquisition module is specifically for parsing, from the security events, attack source IP addresses of attackers that intruded the servers.
According to the embodiments of the application, attack source data of attackers of servers is parsed from the massive security events recorded by one or more servers in a cloud computing environment, and the data search module identifies the current server as intruded when access data corresponding to the attack source data exists. The security data recorded by one or more servers in the cloud environment is thereby mined and used effectively, and the identification range can be extended to multiple servers in the cloud environment.
Referring to Fig. 6, which shows a structural block diagram of a server intrusion identification apparatus based on data analysis according to another embodiment of the application, the apparatus may specifically include:
a security event collection module 401, for collecting security events recorded by one or more servers;
an attack source data acquisition module 402, for parsing, from the security events recorded by the one or more servers, attack source data of attackers that intruded the servers;
an attack source data import module 403, for importing external attack source data through a preset interface;
an attack statistics module 404, for counting the attack count and the attack frequency of the attack source data in the security events;
a malice coefficient calculation module 405, for calculating the malice coefficient of the attack source data from the attack count and the attack frequency;
a data search module 406, for searching for the attack source data in the access data of the current server, and determining that access data produced by the attack source data accessing the current server exists;
a malice coefficient judging module 407, for determining that the malice coefficient of the found attack source data is greater than a preset threshold;
a historical login determining module 408, for determining, before the current server is determined to have been intruded, that the found attack source data had not logged in to the current server before this access;
a common login determining module 409, for determining, before the current server is determined to have been intruded, that the found attack source data is not common login source data;
an intrusion determining module 410, for determining that the current server has been intruded;
a prompt information generation module 411, for generating prompt information notifying that the current server has been intruded;
a prompt information display module 412, for displaying the prompt information on the current server, and/or issuing the prompt information to a client accessing the current server;
a malice coefficient reducing module 413, for reducing the malice coefficient of the attack source data if false-alarm information fed back by a user in response to the prompt information that the current server has been intruded is received;
a malice coefficient increasing module 414, for increasing the malice coefficient of the attack source data if no false-alarm information fed back by a user in response to the prompt information that the current server has been intruded is received;
a common login source adding module 415, for determining, if no access data produced by the attack source data accessing the current server exists, that the current server has not been intruded, and extracting the login source data corresponding to the access data and adding it to the common login source data of the current server.
In the embodiments of the application, preferably, when the security events include web attack events, the security event collection module includes:
a first web attack event acquisition submodule, for accessing the web application protection system of the server to obtain web attack events against the server;
and/or, a second web attack event acquisition submodule, for extracting mirrored data of the network traffic of the server, and rule-matching the mirrored data against preset detection rules to obtain web attack events against the server.
In the embodiments of the application, preferably, when the security events include server brute-force events, the security event collection module includes:
a brute-force event acquisition submodule, for collecting the login logs of the server, and obtaining server brute-force events against the server by analysing the login success events and login failure events contained in the login logs.
In the embodiments of the application, preferably, when the security events include denial-of-service attack events, the security event collection module includes:
a denial-of-service attack event acquisition submodule, for accessing the distributed denial-of-service attack system of the server to obtain denial-of-service attack events against the server.
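The following is an added example, not code from the patent, that builds the malicious IP library of Fig. 3 from the brute-force path described for modules 401 to 405: it parses login success and failure events out of a login log, flags a source IP as a brute-force event when its failures cluster inside a time window, counts attacks and attack frequency for that IP, combines them into a malice coefficient, and merges an externally imported list (module 403). The log format, the constructed log lines, the window, the failure threshold, the coefficient formula and its scaling constants are all assumptions.

```python
"""Added example (not the patent's code): building a malicious IP library from
login logs. Log format, sample lines, thresholds and the coefficient formula
are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an sshd-like format (assumed, not from the patent).
SAMPLE_LOG = """\
2015-09-09T10:00:01 sshd: Failed password for root from 203.0.113.7
2015-09-09T10:00:02 sshd: Failed password for root from 203.0.113.7
2015-09-09T10:00:03 sshd: Failed password for admin from 203.0.113.7
2015-09-09T10:00:04 sshd: Failed password for admin from 203.0.113.7
2015-09-09T10:00:05 sshd: Failed password for root from 203.0.113.7
2015-09-09T10:00:06 sshd: Accepted password for root from 203.0.113.7
2015-09-09T10:05:00 sshd: Failed password for alice from 192.0.2.10
2015-09-09T10:05:30 sshd: Accepted password for alice from 192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

FAIL_THRESHOLD = 5    # assumed: this many failures in one window is a brute-force event
WINDOW_SECONDS = 60   # assumed: width of the window the failures must fall into


def parse_log(text):
    """Turn log lines into (timestamp, success, user, ip); unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), outcome == "Accepted", user, ip))
    return events


def brute_force_events(events):
    """Group attempts by source IP and flag an IP whose failures reach the threshold
    inside the window. Returns ip -> {count, span_s, success_after}; the last field
    records whether a login succeeded after the failure run began."""
    by_ip = defaultdict(list)
    for ts, ok, _user, ip in events:
        by_ip[ip].append((ts, ok))
    found = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        fails = [ts for ts, ok in attempts if not ok]
        for i in range(len(fails)):                  # sliding window over failures
            j = i
            while j + 1 < len(fails) and (fails[j + 1] - fails[i]).total_seconds() <= WINDOW_SECONDS:
                j += 1
            if j - i + 1 >= FAIL_THRESHOLD:
                found[ip] = {
                    "count": j - i + 1,
                    "span_s": (fails[j] - fails[i]).total_seconds(),
                    "success_after": any(ok and ts > fails[i] for ts, ok in attempts),
                }
                break
    return found


def malice_coefficient(count, span_s, max_count=50, max_rate=5.0):
    """Combine attack count and attack frequency (attempts per second) into [0, 1].
    The linear mix and the saturation constants are assumptions."""
    rate = count / max(span_s, 1.0)
    score = 0.5 * min(count / max_count, 1.0) + 0.5 * min(rate / max_rate, 1.0)
    return round(min(1.0, score), 3)


def build_malice_db(log_text, external=None):
    """Fig. 3: attack IPs from brute-force events plus an externally imported
    ip -> coefficient list; on overlap the higher coefficient is kept."""
    db = {}
    for ip, info in brute_force_events(parse_log(log_text)).items():
        db[ip] = malice_coefficient(info["count"], info["span_s"])
    for ip, coef in (external or {}).items():
        db[ip] = max(db.get(ip, 0.0), coef)
    return db


if __name__ == "__main__":
    print(build_malice_db(SAMPLE_LOG, external={"198.51.100.5": 0.9}))
```

The `success_after` field is the piece worth keeping in a real collector: a failure run followed by an accepted login from the same source is exactly the case in which the attack source IP will later appear in the current server's access data, which is what steps 204 to 210 search for.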
Referring to Fig. 7, which shows a structural block diagram of a cloud security system according to an embodiment of the application, the system may specifically include a current server 601 and an attack source database 602.
The attack source database 602 is for parsing, from security events recorded by one or more servers, attack source data of attackers that intruded the servers;
the current server 601 includes:
a data search module 6011, for searching for the attack source data in the access data of the current server;
an intrusion judging module 6012, for determining, if access data produced by the attack source data accessing the current server exists, that the current server has been intruded.
Since the apparatus and system embodiments essentially correspond to the method embodiments shown in Fig. 1 and Fig. 2 above, parts not described in detail in these embodiments may refer to the related description of the previous embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct such systems is apparent. In addition, the application is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the application described herein, and that the description of specific languages above is made to disclose the best mode of the application.
Numerous specific details are set forth in the description provided herein. It is to be understood, however, that the embodiments of the application may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various aspects of the application, in the above description of exemplary embodiments of the application the various features of the application are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed application requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the aspects of the application lie in fewer than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the application.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from those of the embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the application may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the data-analysis-based server intrusion identification device according to the embodiments of the application. The application may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the application may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the application, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (20)

1. A server intrusion identification method based on data analysis, characterised by comprising:
parsing, from security events recorded by one or more servers, attack source data of attackers that intruded the servers;
searching for the attack source data in access data of a current server;
if access data produced by the attack source data accessing the current server exists, determining that the current server has been intruded.
2. The method of claim 1, characterised by further comprising: collecting the security events recorded by the one or more servers.
3. The method of claim 2, characterised in that, when the security events include web attack events, collecting the security events recorded by the one or more servers comprises:
accessing the web application protection system of the server to obtain web attack events against the server, and/or extracting mirrored data of the network traffic of the server and rule-matching the mirrored data against preset detection rules to obtain web attack events against the server.
4. The method of claim 2, characterised in that, when the security events include server brute-force events, collecting the security events recorded by the one or more servers comprises:
collecting the login logs of the server, and obtaining server brute-force events against the server by analysing the login success events and login failure events contained in the login logs.
5. The method of claim 2, characterised in that, when the security events include denial-of-service events, collecting the security events recorded by the one or more servers comprises:
accessing the distributed denial-of-service attack system of the server to obtain denial-of-service events against the server.
6. The method of claim 1, characterised in that searching for the attack source data in the access data of the current server comprises:
parsing, from the access data of the current server, login source data that logged in to the current server, and searching for the parsed login source data in the attack source data;
if the login source data is found, determining that access data produced by the attack source data accessing the current server exists.
7. The method of claim 1, characterised in that the access data has a malice coefficient identifying the degree of malice of the attack source data towards the server, and that, after it is determined that access data produced by the attack source data accessing the current server exists, the method further comprises:
determining that the malice coefficient of the found attack source data is greater than a preset threshold.
8. The method of claim 7, characterised in that the method further comprises:
counting the attack count and the attack frequency of the attack source data in the security events, and calculating the malice coefficient of the attack source data from the attack count and the attack frequency.
9. The method of claim 1, characterised in that, before determining that the current server has been intruded, the method further comprises:
determining that the found attack source data had not logged in to the current server before this access;
and/or, determining that the found attack source data is not common login source data.
10. The method of claim 7, characterised in that the method further comprises:
generating prompt information notifying that the current server has been intruded;
displaying the prompt information on the current server, and/or issuing the prompt information to a client accessing the current server.
11. The method of claim 10, characterised in that the method further comprises:
if false-alarm information fed back by a user in response to the prompt information that the current server has been intruded is received, reducing the malice coefficient of the attack source data;
and/or, if no false-alarm information fed back by a user in response to the prompt information that the current server has been intruded is received, increasing the malice coefficient of the attack source data.
12. The method of claim 9, characterised in that the method further comprises:
if no access data produced by the attack source data accessing the current server exists, determining that the current server has not been intruded, and extracting the login source data corresponding to the access data and adding it to the common login source data of the current server.
13. The method of claim 1, characterised in that parsing, from the security events recorded by one or more servers, attack source data of attackers that intruded the servers comprises:
parsing, from the security events, attack source IP addresses of attackers that intruded the servers.
14. The method of claim 1, characterised in that the method further comprises:
importing external attack source data through a preset interface.
15. The method of claim 1, characterised in that the security events include at least one of web attack events, server brute-force events and denial-of-service attack events.
16. A server intrusion identification apparatus based on data analysis, characterised by comprising:
an attack source data acquisition module, for parsing, from security events recorded by one or more servers, attack source data of attackers that intruded the servers;
a data search module, for searching for the attack source data in access data of a current server, and determining that access data produced by the attack source data accessing the current server exists;
an intrusion determining module, for determining that the current server has been intruded.
17. The apparatus of claim 16, characterised by further comprising:
a security event collection module, for collecting the security events recorded by the one or more servers.
18. The apparatus of claim 15, characterised in that the access data has a malice coefficient identifying the degree of malice of the attack source data towards the server, the apparatus further comprising:
a malice coefficient judging module, for determining, after it is determined that access data produced by the attack source data accessing the current server exists, that the malice coefficient of the found attack source data is greater than a preset threshold.
19. The apparatus of claim 15, characterised in that the apparatus further comprises:
a historical login determining module, for determining, before the current server is determined to have been intruded, that the found attack source data had not logged in to the current server before this access;
and/or, a common login determining module, for determining, before the current server is determined to have been intruded, that the found attack source data is not common login source data.
20. A cloud security system, characterised by comprising a current server and an attack source database;
the attack source database is for parsing, from security events recorded by one or more servers, attack source data of attackers that intruded the servers;
the current server comprises:
a data search module, for searching for the attack source data in the access data of the current server;
an intrusion judging module, for determining, if access data produced by the attack source data accessing the current server exists, that the current server has been intruded.
CN201510571634.7A 2015-09-09 2015-09-09 Server invasion identifying method and apparatus based on data analysis and cloud safety system Pending CN106534042A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510571634.7A CN106534042A (en) 2015-09-09 2015-09-09 Server invasion identifying method and apparatus based on data analysis and cloud safety system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510571634.7A CN106534042A (en) 2015-09-09 2015-09-09 Server invasion identifying method and apparatus based on data analysis and cloud safety system

Publications (1)

Publication Number Publication Date
CN106534042A true CN106534042A (en) 2017-03-22

Family

ID=58345704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510571634.7A Pending CN106534042A (en) 2015-09-09 2015-09-09 Server invasion identifying method and apparatus based on data analysis and cloud safety system

Country Status (1)

Country Link
CN (1) CN106534042A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137111A (en) * 2011-04-20 2011-07-27 北京蓝汛通信技术有限责任公司 Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server
CN103561004A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative type active defense system based on honey nets

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107317790A (en) * 2016-04-27 2017-11-03 阿里巴巴集团控股有限公司 The monitoring method and device of network behavior
CN108460279A (en) * 2018-03-12 2018-08-28 北京知道创宇信息技术有限公司 Attack recognition method, apparatus and computer readable storage medium
CN108958884A (en) * 2018-06-22 2018-12-07 郑州云海信息技术有限公司 A kind of method and relevant apparatus of Virtual Machine Manager
CN108958884B (en) * 2018-06-22 2022-02-18 郑州云海信息技术有限公司 Virtual machine management method and related device
CN109167792A (en) * 2018-09-19 2019-01-08 四川长虹电器股份有限公司 A kind of novel WAF design method based on Nginx
CN109543419A (en) * 2018-11-30 2019-03-29 杭州迪普科技股份有限公司 Detect the method and device of assets security
CN109543419B (en) * 2018-11-30 2020-12-04 杭州迪普科技股份有限公司 Method and device for detecting asset security
CN109818974A (en) * 2019-03-14 2019-05-28 北京百度网讯科技有限公司 Method and apparatus for sending information
CN111262901A (en) * 2019-07-29 2020-06-09 深圳百灵声学有限公司 Many-to-many communication system and operation method thereof
CN111711599A (en) * 2020-04-23 2020-09-25 北京凌云信安科技有限公司 Safety situation perception system based on multivariate mass data fusion association analysis
CN112615865A (en) * 2020-12-21 2021-04-06 曹佳乐 Data anti-intrusion method based on big data and artificial intelligence and big data server
CN114826727A (en) * 2022-04-22 2022-07-29 南方电网数字电网研究院有限公司 Flow data acquisition method and device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
CN106534042A (en) Server invasion identifying method and apparatus based on data analysis and cloud safety system
CN109951500B (en) Network attack detection method and device
US9021583B2 (en) System and method for network security including detection of man-in-the-browser attacks
US9503469B2 (en) Anomaly detection system for enterprise network security
US9369479B2 (en) Detection of malware beaconing activities
CN107465651B (en) Network attack detection method and device
US9032521B2 (en) Adaptive cyber-security analytics
CN103701795B (en) The recognition methods of the attack source of Denial of Service attack and device
CN105577608B (en) Network attack behavior detection method and device
US7930746B1 (en) Method and apparatus for detecting anomalous network activities
EP3068095B1 (en) Monitoring apparatus and method
CN109962891A (en) Monitor method, apparatus, equipment and the computer storage medium of cloud security
EP3085023B1 (en) Communications security
CN114915479B (en) Web attack stage analysis method and system based on Web log
CN103297433A (en) HTTP botnet detection method and system based on net data stream
KR20110009811A (en) Web attack event extraction system and method based on monitoring data
CN106506547A (en) Processing method, WAF, router and system for Denial of Service attack
CN107547490A (en) A kind of scanner recognition method, apparatus and system
JP2019536158A (en) Method and system for verifying whether detection result is valid or not
Massa et al. A fraud detection system based on anomaly intrusion detection systems for e-commerce applications
Choi et al. Understanding the proxy ecosystem: A comparative analysis of residential and open proxies on the internet
Atighetchi et al. Attribute-based prevention of phishing attacks
CN116781405A (en) Attack processing method, device, equipment and medium
CN106411951A (en) Network attack behavior detection method and device
US20120272314A1 (en) Data collection system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20170322