CN106888210A - Network attack alarm method and device - Google Patents

Network attack alarm method and device

Info

Publication number: CN106888210A
Application number: CN201710141825.9A
Authority: CN (China)
Prior art keywords: network, data content, attack, network packet, network attack
Other languages: Chinese (zh)
Inventor: 林榆坚
Original assignee: BEIJING AISEC TECHNOLOGY Co Ltd
Current assignee: BEIJING AISEC TECHNOLOGY Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:
Events: application filed by BEIJING AISEC TECHNOLOGY Co Ltd; priority to CN201710141825.9A; publication of CN106888210A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application discloses a network attack alarm method and device. The method includes: obtaining application-layer network packets in the current network system; if, after network attack detection is performed on the network packets, it is determined that the packets can carry out a network attack on the current network system, obtaining the network attack features of the packets; and outputting a network attack alarm signal according to the network attack features of the packets and the data content in the packets. In this method, the network impact caused by a network attack is determined by analysing the application-layer packets (that is, the bidirectional data flow), so the alarm can be based on the actual scope of impact of the attack. This reduces false positives, improves the validity of network attack alarms, and makes security management and security operations more efficient.

Description

Network attack alarm method and device
Technical field
The present application relates to the field of computer technology, and in particular to a network attack alarm method and device.
Background technology
Although vulnerabilities in the network and system layers have gradually decreased and Web attack and defence techniques have matured, attackers driven by profit have never stopped attacking network systems. Accurately alerting on the network attacks that attackers launch has therefore become an important part of system security management and maintenance work.
Generally, vulnerabilities can be divided into several risk levels according to their impact on the network system or its users, for example low-risk, medium-risk and high-risk vulnerabilities. A low-risk vulnerability has the lowest risk level, a high-risk vulnerability the highest, and a medium-risk vulnerability lies between the two. The risk level can be associated with the impact on the network system or user; for example, a high-risk vulnerability usually leads to leakage of the user's extremely sensitive data (such as payment account information). To alert accurately on network attacks, the approach used so far has been to classify network attacks into three alert levels according to the risk level of the vulnerability they trigger, namely low-risk vulnerability alarm signals, medium-risk vulnerability alarm signals and high-risk vulnerability alarm signals, so that the different alarm signals prompt the user to pay attention to attacks that trigger vulnerabilities of different risk levels.
The above alerting approach is driven by the risk level of the vulnerability. However, once all vulnerabilities present in the system have been repaired by the corresponding patches, if a network attack based on a high-risk vulnerability occurs, the system still outputs a high-risk vulnerability alarm signal even though the attack cannot succeed. In other words, when the system has no vulnerability, the use of a high-risk attack technique does not necessarily cause high-risk consequences. False positives are therefore easy to produce, which reduces the validity of network attack alarms and causes users to lose confidence in the system's alerts.
Summary of the invention
Embodiments of the present application provide a network attack alarm method and device to solve the problem that network attack false positives are easily produced, which reduces the validity of network attack alarms and makes security management and security operations less efficient.
A network attack alarm method provided by an embodiment of the present application includes:
obtaining application-layer network packets in the current network system;
if, after network attack detection is performed on the network packets, it is determined that the network packets can carry out a network attack on the current network system, obtaining the network attack features of the network packets;
outputting a network attack alarm signal according to the network attack features of the network packets and the data content in the network packets.
Optionally, outputting a network attack alarm signal according to the network attack features of the network packets and the data content in the network packets includes:
if the data content of the network packets includes data content corresponding to the network attack features, outputting a network attack alarm signal.
Optionally, the network attack features of the network packets include vulnerability scanning behaviour features, vulnerability triggering behaviour features and system-controlled behaviour features, and
outputting a network attack alarm signal if the data content of the network packets includes data content corresponding to the network attack features includes:
if the data content of the network packets includes data content corresponding to the vulnerability scanning behaviour features, outputting a suspected-attack hint signal;
if the data content of the network packets includes data content corresponding to the vulnerability triggering behaviour features, outputting a network attack alarm signal;
if the data content of the network packets includes data content corresponding to the system-controlled behaviour features, outputting a system-controlled alarm signal.
Optionally, the vulnerability triggering behaviour features include low-risk vulnerability triggering features, medium-risk vulnerability triggering features and high-risk vulnerability triggering features, and
outputting a network attack alarm signal if the data content of the network packets includes data content corresponding to the vulnerability triggering features includes:
if the data content of the network packets includes data content corresponding to the low-risk vulnerability triggering features, outputting a low-risk alarm signal;
if the data content of the network packets includes data content corresponding to the medium-risk vulnerability triggering features, outputting a medium-risk alarm signal;
if the data content of the network packets includes data content corresponding to the high-risk vulnerability triggering features, outputting a high-risk alarm signal.
Optionally, outputting the network attack alarm signal includes:
sending network attack alarm information; or
outputting a control instruction that makes an alarm indicator lamp flash or light up.
A network attack alarm device provided by an embodiment of the present application includes:
a packet acquisition module for obtaining application-layer network packets in the current network system;
a network attack feature acquisition module for obtaining the network attack features of the network packets if, after network attack detection is performed on the network packets, it is determined that the network packets can carry out a network attack on the current network system;
an alarm signal output module for outputting a network attack alarm signal according to the network attack features of the network packets and the data content in the network packets.
Optionally, the alarm signal output module outputs a network attack alarm signal if the data content of the network packets includes data content corresponding to the network attack features.
Optionally, the network attack features of the network packets include vulnerability scanning behaviour features, vulnerability triggering behaviour features and system-controlled behaviour features, and
the alarm signal output module is configured to:
output a suspected-attack hint signal if the data content of the network packets includes data content corresponding to the vulnerability scanning behaviour features;
output a network attack alarm signal if the data content of the network packets includes data content corresponding to the vulnerability triggering behaviour features;
output a system-controlled alarm signal if the data content of the network packets includes data content corresponding to the system-controlled behaviour features.
Optionally, the vulnerability triggering behaviour features include low-risk vulnerability triggering features, medium-risk vulnerability triggering features and high-risk vulnerability triggering features, and
the alarm signal output module is configured to:
output a low-risk alarm signal if the data content of the network packets includes data content corresponding to the low-risk vulnerability triggering features;
output a medium-risk alarm signal if the data content of the network packets includes data content corresponding to the medium-risk vulnerability triggering features;
output a high-risk alarm signal if the data content of the network packets includes data content corresponding to the high-risk vulnerability triggering features.
Optionally, the alarm signal output module sends network attack alarm information, or outputs a control instruction that makes an alarm indicator lamp flash or light up.
The embodiments of the present application provide a network attack alarm method and device. Network attack detection is performed on the application-layer network packets obtained from the current network system; once it is determined that the packets can carry out a network attack on the current network system, their network attack features are obtained, and a network attack alarm signal is then output according to those features and the data content in the packets. In this way, the network impact caused by the attack is determined by analysing the application-layer packets (that is, the bidirectional data flow), the alarm can be based on the actual scope of impact of the attack, and false positives are reduced, which improves the validity of network attack alarms and makes security management and security operations more efficient.
Brief description of the drawings
The accompanying drawings described here are provided to aid further understanding of the present application and form part of it. The schematic embodiments and their description are used to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of a network attack alarm method provided by an embodiment of the present application;
Fig. 2 is a flow chart of another network attack alarm method provided by an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a network attack alarm device provided by an embodiment of the present application.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the present application clearer, the technical solution is described clearly and completely below in conjunction with specific embodiments of the application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application without creative effort fall within the scope of protection of the application.
Embodiment one
As shown in Fig. 1, an embodiment of the present application provides a network attack alarm method. The method may be executed by a terminal device such as a personal computer, or by a server or server cluster. The method may include the following steps:
In step S101, application-layer network packets in the current network system are obtained.
The current network system may be based on any of several network models, such as the OSI (Open System Interconnection) model or the TCP/IP (Transmission Control Protocol/Internet Protocol) model. A network packet may contain the address information of the sender and the recipient and the data to be exchanged; a network packet may be a single packet or a packet set made up of several packets.
In implementation, to make the application more practical and general, the current network system may be an OSI network system containing several layers, which can be divided into a lower part and an upper part. The lower layers are mainly concerned with the transmission of raw data, while the upper layers are concerned with the applications running over the network. The lower layers may include the physical layer, data link layer and network layer of the OSI model, and the upper layers the transport layer, session layer, presentation layer and application layer.
Although network- and system-layer vulnerabilities have gradually decreased and Web attack and defence techniques have matured, attackers have not given up attacking networks for gain. The embodiment of the present application therefore provides a network attack detection and alarm device. So as not to affect the normal operation of the network system, the detection and alarm device may be connected to the network system in bypass-monitoring mode: its input port may be connected to the mirror port of a switch in the network system, or the device may be deployed at the switch's mirror port. In this way no deep adjustment of the existing network or Web application architecture is required, and the device can obtain and preserve in real time all network requests (such as HTTP (HyperText Transfer Protocol) requests or FTP (File Transfer Protocol) requests) and response packets for further analysis and processing. The switch's mirroring function can mirror the full traffic flowing through the network system, and algorithms such as incremental deduplication and differential compression backup can be used during full-traffic mirroring. Through full-traffic mirroring, the detection and alarm device can preserve the complete Web bidirectional data flow (traffic entering the network system and traffic leaving it) for the most recent half year, one year or even longer. Then, when a user discovers that an attack has occurred in the network system, not only can the attack be traced back, but the historical data can also be re-inspected and filtered with predetermined inspection policies to determine the relevant information about the attack, so that the user can take countermeasures against it.
To improve the alarm precision and detection efficiency for network intrusions, the embodiment of the present application detects and alerts on network intrusions on the basis of application-layer network packets. With the structure above, when network packets flow through the switch of the network system, the switch mirrors the packets with its mirroring function and supplies the mirrored data to the detection device. The detection and alarm device thus receives the mirrored data, extracts and restores the network packets from it, and reduces the network-layer packets to the application-layer network packets of the current network system.
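The reduction step described above, from mirrored frames to application-layer request and response streams, as an added example (not code from the patent or its assignee): mirrored Ethernet/IPv4/TCP frames are parsed with the standard library, payload-bearing segments are grouped per unidirectional flow and ordered by TCP sequence number, and the client-to-server stream is paired with the matching server-to-client stream so that the request and its response can be analysed together. The addresses, ports, sequence numbers and HTTP bytes in the sample are constructed for this example; checksums are not verified because a bypass monitor only reads the traffic.

```python
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def parse_tcp_frame(frame):
    """Parse one Ethernet/IPv4/TCP frame into ((src_ip, sport), (dst_ip, dport), seq, payload).

    Returns None for frames that are not IPv4-over-Ethernet carrying TCP or that are
    too short for their headers. IP options are honoured through the IHL field and
    TCP options through the data-offset field, so the payload boundary is exact.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if version != 4 or ihl < 20 or ip[9] != PROTO_TCP or len(ip) < total_len:
        return None
    ip = ip[:total_len]  # drop any Ethernet padding after the IP datagram
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return (src_ip, sport), (dst_ip, dport), seq, tcp[data_off:]


def reassemble_streams(frames):
    """Group payload-bearing segments by unidirectional flow and order them by sequence
    number, so segments mirrored out of order still yield the original byte stream.
    A retransmitted segment with an already-seen sequence number is ignored."""
    segments = defaultdict(dict)
    for frame in frames:
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, dst, seq, payload = parsed
        if payload:
            segments[(src, dst)].setdefault(seq, payload)
    return {flow: b"".join(p for _, p in sorted(segs.items()))
            for flow, segs in segments.items()}


def pair_http_exchanges(streams, server_port=80):
    """Join each client->server stream with the reverse server->client stream,
    giving the bidirectional (request, response) view that the alarm method analyses."""
    exchanges = []
    for (src, dst), request in streams.items():
        if dst[1] != server_port:
            continue
        response = streams.get((dst, src), b"")
        exchanges.append({"client": src[0], "server": dst[0],
                          "request": request, "response": response})
    return exchanges


def build_tcp_frame(src_ip, sport, dst_ip, dport, seq, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample traffic below
    (PSH|ACK set, checksums left zero; the parser does not verify them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


# Constructed sample: one request split over two segments that arrive out of order
# at the mirror port, followed by the server's response.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.5", 40000, "10.0.0.10", 80, 1001 + 20, REQUEST[20:]),
    build_tcp_frame("10.0.0.5", 40000, "10.0.0.10", 80, 1001, REQUEST[:20]),
    build_tcp_frame("10.0.0.10", 80, "10.0.0.5", 40000, 5001, RESPONSE),
]


def sample_exchanges():
    return pair_http_exchanges(reassemble_streams(SAMPLE_FRAMES))


if __name__ == "__main__":
    for ex in sample_exchanges():
        print(ex["client"], "->", ex["server"])
        print(ex["request"].decode(errors="replace"))
        print(ex["response"].decode(errors="replace"))
```

A production monitor would additionally track TCP connection state, handle overlapping segments and IP fragments, and read frames from a capture interface rather than an in-memory list; the pairing by reversed flow tuple is what gives the later steps their bidirectional view.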
In step S102, if, after network attack detection is performed on the above network packets, it is determined that the network packets can carry out a network attack on the current network system, the network attack features of the network packets are obtained.
Network attack features may be of several kinds, for example vulnerability features, data features of implanted viruses and data features of web viruses, and may be determined according to the actual situation. In practice, the vulnerabilities corresponding to vulnerability features are the main path by which attackers carry out network attacks. Vulnerability features may include vulnerability scanning behaviour features or vulnerability triggering behaviour features, and each kind may take different forms. For example, a vulnerability scanning behaviour feature may be an SQL (Structured Query Language) injection feature, such as a URL (Uniform Resource Locator) containing a select keyword, and a vulnerability triggering behaviour feature may be a directory traversal feature, such as a directory listing appearing in the page. System-controlled behaviour features may also be included, for example features of system command keywords.
In implementation, network attack recognition and detection algorithms can be set in advance, such as K-means, decision tree, random forest or artificial neural network algorithms. Once the network packets entering the application layer and the packets output by the application layer have been obtained, the pre-set recognition and detection algorithms can be used to recognise, analyse and detect the application data in those packets and obtain its network attack features. For example, feature extraction may first be performed on the application data in the packets to obtain the data features of the application data; each data feature may then be fed into the pre-set recognition and detection algorithm to determine whether it is a network attack feature capable of attacking the current network system; if so, the data feature is obtained and used as the network attack feature.
It should be noted that the network attack recognition and detection algorithm may include only one of the above algorithms or several of them, and the same algorithm may have different implementations; the user may decide which implementation to use according to the actual situation, and the embodiment of the present application does not limit this.
In step S103, a network attack alarm signal is output according to the network attack features of the above network packets and the data content in the network packets.
In implementation, the type of the network attack, such as a vulnerability or an implanted virus, can be determined from the network attack features in the network packets. From that type it can be determined which critical data an attack of that type needs the network system to send to the requester. The packets entering the application layer and the packets output by the application layer can be obtained separately and their data content analysed to decide whether the analysed data contains that critical data; in particular, whether the packets output by the application layer contain the sensitive or significant data that the network attack corresponding to the attack features would obtain from the network system. If so, a network attack alarm signal can be provided to technical staff or the supplier of the network system, for example by sending alarm information, so that they can take appropriate measures against this network attack and reduce the loss it causes. If not, it can be considered that the network attack features in the application-layer packets did not attack the current network system, or that the network system has already installed the patch for the vulnerability corresponding to the features; in that case only a hint signal is output, telling technical staff or the supplier that there is a suspected attack or potential threat. If the network packets contain no network attack features, no action need be taken. In this way, the network impact caused by the attack is determined by analysing the bidirectional data flow and the alarm is based on the actual scope of impact of the attack, which improves the validity of network attack alarms and makes security management and security operations more efficient.
The embodiment of the present application provides a network attack alarm method. Network attack detection is performed on the application-layer network packets obtained from the current network system; once it is determined that the packets can carry out a network attack on the current network system, their network attack features are obtained, and a network attack alarm signal is then output according to those features and the data content in the packets. In this way, the network impact caused by the attack is determined by analysing the application-layer packets (that is, the bidirectional data flow), the alarm can be based on the actual scope of impact of the attack, and false positives are reduced, which improves the validity of network attack alarms and makes security management and security operations more efficient.
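Steps S102 and S103, and the graded alarm signals listed in the summary above, as an added example (not code from the patent or its assignee). A request-side feature table stands in for the detection algorithms of S102; for each feature the table of response-side indicators says what the attack would have extracted, and the verdict follows the text: a scanning feature gives only a suspected-attack hint, a triggering feature gives a low/medium/high alarm only when the response shows the attack succeeded and a hint otherwise (the patched-system case), and a system-controlled feature with matching response evidence gives a system-controlled alarm. The feature patterns, the assignment of traversal to medium and sensitive-file read to high, and the sample exchanges are assumptions constructed for this example; the patent leaves the concrete rules to the implementer.

```python
import re
from urllib.parse import unquote_plus

# Request-side attack features standing in for the S102 detection step:
# (category, name, severity, pattern). Severity applies to "trigger" features only,
# and which vulnerability is low/medium/high is an assumption of this example.
REQUEST_FEATURES = [
    ("scan", "sql_injection_probe", None,
     re.compile(r"\bunion\s+(all\s+)?select\b|\bselect\s+[\w*,\s]+\s+from\b", re.I)),
    ("trigger", "directory_traversal", "medium", re.compile(r"\.\./|\.\.\\")),
    ("trigger", "sensitive_file_read", "high", re.compile(r"/etc/(passwd|shadow)", re.I)),
    ("controlled", "os_command_injection", None,
     re.compile(r"(;|\||&&|`)\s*(cat|ls|id|whoami|uname|wget|curl|nc)\b", re.I)),
]

# Response-side evidence that the attack extracted what it was after. Without such
# evidence the verdict is downgraded to a hint (failed attack or patched system).
RESPONSE_INDICATORS = {
    "directory_traversal": re.compile(r"<title>Index of /|Directory listing for /", re.I),
    "sensitive_file_read": re.compile(r"^root:(x:0:0:|\$\d\$)", re.M),
    "os_command_injection": re.compile(r"\buid=\d+\(|^Linux \S+ \d+\.\d+", re.M),
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def extract_features(request):
    """Single-pass URL decoding, then match the request (line, headers and body)."""
    text = unquote_plus(request)
    return [(cat, name, sev) for cat, name, sev, rx in REQUEST_FEATURES if rx.search(text)]


def attack_succeeded(name, response):
    rx = RESPONSE_INDICATORS.get(name)
    return rx is not None and rx.search(response) is not None


def classify(request, response):
    """Return one of: 'none', 'suspected_attack_hint', '<low|medium|high>_risk_alarm',
    'system_controlled_alarm'. Controlled outranks triggered, which outranks scanning;
    among triggered features the highest confirmed severity wins."""
    features = extract_features(request)
    if not features:
        return "none"
    verdict, best_rank = "suspected_attack_hint", -1
    for cat, name, sev in features:
        if cat == "controlled" and attack_succeeded(name, response):
            return "system_controlled_alarm"
        if cat == "trigger" and attack_succeeded(name, response) and SEVERITY_RANK[sev] > best_rank:
            verdict, best_rank = f"{sev}_risk_alarm", SEVERITY_RANK[sev]
    return verdict


# Constructed sample exchanges (request text, response text).
HOST = "Host: www.example.test\r\n"
SAMPLE_EXCHANGES = {
    "benign": ("GET /index.html HTTP/1.1\r\n" + HOST + "\r\n",
               "HTTP/1.1 200 OK\r\n\r\n<html>Welcome</html>"),
    "sqli_probe": ("GET /item?id=1%27+UNION+SELECT+1,2,3-- HTTP/1.1\r\n" + HOST + "\r\n",
                   "HTTP/1.1 200 OK\r\n\r\n<html>Item 1</html>"),
    "traversal_listing": ("GET /files/..%2F..%2F HTTP/1.1\r\n" + HOST + "\r\n",
                          "HTTP/1.1 200 OK\r\n\r\n<html><title>Index of /var/www</title></html>"),
    "traversal_patched": ("GET /files/..%2F..%2F HTTP/1.1\r\n" + HOST + "\r\n",
                          "HTTP/1.1 403 Forbidden\r\n\r\n"),
    "passwd_read": ("GET /download?file=../../../../etc/passwd HTTP/1.1\r\n" + HOST + "\r\n",
                    "HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n"),
    "cmd_injection": ("POST /ping HTTP/1.1\r\n" + HOST + "\r\nhost=127.0.0.1%3Bid",
                      "HTTP/1.1 200 OK\r\n\r\nuid=33(www-data) gid=33(www-data)\n"),
}


def run_samples():
    return {name: classify(req, resp) for name, (req, resp) in SAMPLE_EXCHANGES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The two traversal exchanges carry the identical request and differ only in the response, which is exactly the distinction the method draws: the same payload is an alarm against a vulnerable server and only a hint against a patched one.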
Embodiment two
As shown in Fig. 2, an embodiment of the present application provides a network attack alarm method that includes the following steps:
In step S201, application-layer network packets in the current network system are obtained.
Step S201 is identical to step S101 of embodiment one above; for its processing, refer to the description of step S101 in embodiment one, which is not repeated here.
In step S202, if, after network attack detection is performed on the above network packets, it is determined that the network packets can carry out a network attack on the current network system, the network attack features of the network packets are obtained.
Step S202 is identical to step S102 of embodiment one above; for its processing, refer to the description of step S102 in embodiment one, which is not repeated here.
In addition, network attack features may be of several kinds, such as vulnerability scanning behaviour features, vulnerability triggering behaviour features and system-controlled behaviour features. Different network attack detection mechanisms may be set for different features. The three kinds of network attack features are described in turn below.
First, to detect attacks on the network system in time, a vulnerability scanning recognition engine may be set in the detection and alarm device. The engine may be implemented as a combination of hardware and software, or in software alone; the software part may be written in a suitable programming language, such as C or Java, determined according to the actual situation, and the embodiment of the invention does not limit this.
The vulnerability scanning recognition engine can recognise vulnerability scanning behaviour in the network system. Various recognition strategies can be used; some of them are given in Table 1 below.
Table 1
For example, vulnerability scanning behaviour analysis may be performed on the application data in the network packets to detect whether the application data contains an application program or program code capable of carrying out a vulnerability scanning event; that program or code can be determined to be the vulnerability scanning behaviour feature of the application data.
Alternatively, the application data may be run in a pre-built simulated network system environment. While the application data runs, its operational logic and purpose can be monitored, and the network attack features of the application data determined from them. For example, if during execution the vulnerability scanning recognition engine detects that the application data in the network packets is trying different passwords against an HTTP password, and the number of attempts with different passwords reaches a predetermined threshold (such as 10 or 20), it can be determined that the HTTP password is being brute-forced, and the data feature of the application data can be determined to be a vulnerability scanning behaviour feature.
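The HTTP password brute-force strategy above, evaluated on the mirrored bidirectional traffic rather than in a sandbox, as an added example (not code from the patent or its assignee). Credentials are read from `Authorization: Basic` headers and distinct passwords rejected with 401 are counted per client, server and user name; reaching the threshold yields the vulnerability scanning feature the text describes. Going one step beyond the text but in the spirit of its bidirectional analysis, a later 2xx response for the same tracked key is reported as a successful brute force, which is the case an operator most wants to see. The threshold value and all sample traffic are constructed for this example.

```python
import base64
import binascii
from collections import defaultdict

ATTEMPT_THRESHOLD = 10  # the text suggests e.g. 10 or 20 attempts


def basic_credentials(request):
    """Return (user, password) from an 'Authorization: Basic' header, or None."""
    for line in request.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            token = line.split(" ", 2)[2].strip()
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                return None
            user, _, password = decoded.partition(":")
            return user, password
    return None


def status_code(response):
    """HTTP status from the first line of a response, or None if unparsable."""
    try:
        return int(response.split(" ", 2)[1])
    except (IndexError, ValueError):
        return None


class BruteForceDetector:
    """Tracks distinct rejected passwords per (client, server, user) across exchanges."""

    def __init__(self, threshold=ATTEMPT_THRESHOLD):
        self.threshold = threshold
        self.failed = defaultdict(set)  # key -> distinct passwords that drew a 401
        self.flagged = set()            # keys already reported as brute force

    def observe(self, exchange):
        """Feed one (request, response) pair; return a feature label or None.

        'vulnerability_scanning_feature:http_brute_force' fires once when the number
        of distinct rejected passwords reaches the threshold; 'http_brute_force_succeeded'
        fires when a flagged key later receives a 2xx response.
        """
        creds = basic_credentials(exchange["request"])
        if creds is None:
            return None
        key = (exchange["client"], exchange["server"], creds[0])
        code = status_code(exchange["response"])
        if code == 401:
            self.failed[key].add(creds[1])
            if len(self.failed[key]) >= self.threshold and key not in self.flagged:
                self.flagged.add(key)
                return "vulnerability_scanning_feature:http_brute_force"
            return None
        if code is not None and 200 <= code < 300 and key in self.flagged:
            return "http_brute_force_succeeded"
        return None


def _exchange(client, user, password, code):
    """Construct a sample Basic-auth exchange against a constructed admin page."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = ("GET /admin/ HTTP/1.1\r\nHost: www.example.test\r\n"
               f"Authorization: Basic {token}\r\n\r\n")
    if code == 401:
        response = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="admin"\r\n\r\n'
    else:
        response = "HTTP/1.1 200 OK\r\n\r\n<html>admin</html>"
    return {"client": client, "server": "10.0.0.10", "request": request, "response": response}


# Constructed traffic: one client cycles twelve passwords then gets in; another client
# retries the same wrong password three times (not a brute force) and then succeeds.
SAMPLE_TRAFFIC = (
    [_exchange("10.0.0.5", "admin", f"password{i}", 401) for i in range(12)]
    + [_exchange("10.0.0.5", "admin", "Winter2017!", 200)]
    + [_exchange("10.0.0.7", "alice", "wrong", 401) for _ in range(3)]
    + [_exchange("10.0.0.7", "alice", "right", 200)]
)


def run_sample():
    """Return (index, client, label) for every exchange that produced a label."""
    detector = BruteForceDetector()
    results = []
    for i, ex in enumerate(SAMPLE_TRAFFIC):
        label = detector.observe(ex)
        if label:
            results.append((i, ex["client"], label))
    return results


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Counting distinct passwords rather than requests is what keeps a user who mistypes the same password several times from being reported as a scanner, while the success check only fires for keys already flagged, so an ordinary login after one failure stays silent.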
Second, to detect in time events in which a vulnerability of the network system is triggered, a vulnerability triggering recognition engine may be set in the detection and alarm device. The engine may be implemented as a combination of hardware and software, or in software alone; the software part may be written in a suitable programming language, determined according to the actual situation, and the embodiment of the invention does not limit this.
The vulnerability triggering recognition engine can recognise the triggering of vulnerabilities in the network system. According to the degree of harm they cause to the network system, vulnerabilities can be divided into low-risk, medium-risk and high-risk vulnerabilities. Various recognition strategies can be used; some of them are given in Table 2 below.
Table 2
For example, vulnerability triggering analysis may be performed on the application data in the network packets to be analysed to detect whether the application data contains an application program or program code capable of triggering a vulnerability; that program or code can be determined to be the vulnerability triggering behaviour feature of the application data.
Alternatively, the application data may be run in a pre-built simulated network system environment. While the application data runs, its operational logic and purpose can be monitored, and the vulnerability triggering behaviour feature of the application data determined from them. For example, if during execution the vulnerability triggering recognition engine detects that the application data in the network packets invokes PostgreSQL query statements by way of SQL injection, the data feature of the application data can be determined to be a vulnerability triggering behaviour feature.
Third, the controlled event in order to detect network system in time, can pre-set system controlled identification and draw Hold up.Wherein, system controlled identification engine can be bonded by hardware and software, or be realized by software, therein soft Part part can use appropriate programming language, and be realized by writing corresponding program code.Programming language can be according to reality Border situation determines that the embodiment of the present invention is not limited this.
Recognize whether engine can be identified to network system by control by system controlled, wherein recognition strategy can be with It is as shown in table 3 below including various, part recognition strategy presented below.
Table 3
For example, the running state of the network system corresponding to the current network system can be detected. If the running state includes predetermined control operation information (such as the corresponding control operation information in Table 3 above), the system-controlled identification engine can determine that the current network system is controlled, and the data characteristic corresponding to that control operation information can be taken as the system-controlled behavioural characteristic. Detecting the running state of the network system corresponding to the current network system can specifically be done as follows: the application data is placed in a network system environment simulated in advance and run there; while it is running, its operation logic and operation purpose are detected, and whether the current network system is controlled is determined from them. For example, the application data can be run in the simulated network system environment, and if during the run the system-controlled identification engine detects that the network system calls the MySQL quarter function or timestampadd function by way of SQL injection, the data characteristic corresponding to that control operation information can be taken as the system-controlled behavioural characteristic.
The data content in the network packet can be compared with the data content corresponding to the determined network attack characteristic, in order to determine whether the network attack characteristic has carried out a network attack on the current network system or affected the current network, and a corresponding alarm signal is output accordingly; see the processing of step S203 below.
In step S203, if the data content of the network packet includes data content corresponding to the above network attack characteristic, a network attack alarm signal is output.
In implementation, for the three network attack characteristics provided in step S202 above, the specific processing of step S203 may be as follows:
Case one: if the data content of the network packet includes data content corresponding to the vulnerability scanning behavioural characteristic, a suspected attack prompt signal is output.
Since the vulnerability scanning behavioural characteristic only indicates that the network packet can perform a vulnerability scanning operation on the network system, and a vulnerability scanning operation is not a direct network attack but a precondition of one, in this case only a suspected attack prompt signal is output, to prompt the technical staff or the supplier of the network system to pay attention to this suspicious network packet, which may trigger a network attack operation.
Case two: if the data content of the network packet includes data content corresponding to the vulnerability triggering behavioural characteristic, a network attack alarm signal is output.
Since the vulnerability triggering behavioural characteristic indicates that the network packet can trigger a vulnerability in the network system so that the network system suffers a network attack, vulnerability triggering behaviour is a direct manifestation of a network attack; in this case a network attack alarm signal can be output, to warn the technical staff or the supplier of the network system that the network system is under network attack.
According to the influence of different vulnerabilities on the network system or its users, vulnerabilities can be divided into several risk levels, for example low-risk, medium-risk and high-risk vulnerabilities; correspondingly, the vulnerability triggering behavioural characteristic can also be divided into several different characteristics, for example a low-risk vulnerability triggering characteristic, a medium-risk vulnerability triggering characteristic and a high-risk vulnerability triggering characteristic. On this basis, case two can further include the following three alarm signals:
First, if the data content of the network packet includes data content corresponding to the low-risk vulnerability triggering characteristic, a low-risk alarm signal is output.
Second, if the data content of the network packet includes data content corresponding to the medium-risk vulnerability triggering characteristic, a medium-risk alarm signal is output.
Third, if the data content of the network packet includes data content corresponding to the high-risk vulnerability triggering characteristic, a high-risk alarm signal is output.
Case three: if the data content of the network packet includes data content corresponding to the system-controlled behavioural characteristic, a system-controlled alarm signal is output.
Since the system-controlled behavioural characteristic indicates that the current network system has already suffered a network attack and is controlled, system-controlled behaviour is the manifestation of the result of a network attack, namely that the system is controlled; in this case a system-controlled alarm signal can be output, to warn the technical staff or the supplier of the network system that the current network system is controlled.
In addition, the processing of outputting the network attack alarm signal in step S203 can take various forms. Two optional modes are provided below:
Mode one: sending network attack warning information.
Mode two: outputting a control instruction that makes an alarm indicator lamp blink or light up.
It should be noted that the processing of outputting the network attack alarm signal is not limited to the above two modes and may also include other modes; in the embodiment of the present application, the mode of outputting the network attack alarm signal may be any mode that can achieve the purpose of network attack warning, and the embodiment of the present application does not limit this.
The embodiment of the present application provides a network attack alarm method: network attack detection is performed on the acquired application-layer network packet in the current network system; after it is determined that the network packet can carry out a network attack on the current network system, the network attack characteristic of the network packet is acquired; and then a network attack alarm signal is output according to the network attack characteristic of the network packet and the data content in the network packet. In this way, the network influence caused by the network attack is determined by analysing the application-layer network packets (that is, the bidirectional data flow), so that the network attack alarm can be based on the actual scope of influence of the network attack, false network attack alarms are reduced, the effectiveness of network attack alarms is improved, and security management and security operation and maintenance become more efficient.
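The decision logic of cases one to three and the two output modes, written out as an added example that is not part of the patent; the recognizers for each characteristic are constructed stand-ins (a distinct-path counter, substring signatures, and a flag from a hypothetical simulated-environment run), since Tables 2 and 3 are not reproduced on this page.

```python
"""Alarm signal output module (module 303) for cases one to three of step S203.

Added example, not the patent's own code. The patent leaves the concrete
recognition strategies to Tables 2 and 3 (not reproduced on this page), so the
recognizers below are constructed stand-ins: a per-source count of distinct
requested paths for vulnerability scanning, substring signatures for
vulnerability triggering, and a flag that a hypothetical simulated-environment
run sets when it has observed a control operation.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Alarm(IntEnum):
    """Alarm signals of step S203, ordered by severity so max() picks the worst."""
    NONE = 0
    SUSPECTED_ATTACK = 1   # case one: vulnerability scanning characteristic
    LOW_RISK = 2           # case two: low-risk vulnerability triggering
    MEDIUM_RISK = 3        # case two: medium-risk vulnerability triggering
    HIGH_RISK = 4          # case two: high-risk vulnerability triggering
    SYSTEM_CONTROLLED = 5  # case three: system-controlled characteristic


@dataclass(frozen=True)
class AppPacket:
    """Application-layer packet as seen by the device (constructed fields)."""
    src: str
    path: str
    body: str
    controlled: bool = False  # set by the hypothetical simulated-run engine


# Constructed signatures. The page names PostgreSQL query statements and the
# MySQL quarter/timestampadd functions as things the engines observe; the risk
# tier assigned to each here is an assumption, not the patent's Table 2.
TRIGGER_SIGNATURES: dict[str, Alarm] = {
    "select version(": Alarm.LOW_RISK,
    "quarter(": Alarm.MEDIUM_RISK,
    "timestampadd(": Alarm.HIGH_RISK,
}
SCAN_THRESHOLD = 5  # distinct paths from one source before it counts as a scan


class AlarmOutputModule:
    """Compares the packet data content with each characteristic, emits a signal."""

    def __init__(self, scan_threshold: int = SCAN_THRESHOLD) -> None:
        self.scan_threshold = scan_threshold
        self._paths_by_src: dict[str, set[str]] = defaultdict(set)

    def classify(self, pkt: AppPacket) -> Alarm:
        """Return the most severe alarm whose data content the packet matches."""
        alarms = [Alarm.NONE]
        # case one: vulnerability scanning (many distinct paths from one source)
        self._paths_by_src[pkt.src].add(pkt.path)
        if len(self._paths_by_src[pkt.src]) >= self.scan_threshold:
            alarms.append(Alarm.SUSPECTED_ATTACK)
        # case two: vulnerability triggering, graded low / medium / high
        body = pkt.body.lower()
        alarms.extend(lvl for sig, lvl in TRIGGER_SIGNATURES.items() if sig in body)
        # case three: the simulated run reported that the system is controlled
        if pkt.controlled:
            alarms.append(Alarm.SYSTEM_CONTROLLED)
        return max(alarms)

    @staticmethod
    def emit(alarm: Alarm) -> dict[str, str | None]:
        """Mode one (warning information) plus mode two (lamp instruction).

        Blink for the lower tiers and steady light from high-risk upwards is an
        assumed mapping; the patent only says the lamp blinks or lights up.
        """
        if alarm is Alarm.NONE:
            return {"message": None, "lamp": "off"}
        lamp = "on" if alarm >= Alarm.HIGH_RISK else "blink"
        return {"message": f"network attack alarm: {alarm.name}", "lamp": lamp}


def run_demo() -> list[Alarm]:
    """Feed constructed packets through the module and return the alarms."""
    module = AlarmOutputModule()
    packets = [AppPacket("10.0.0.7", f"/p{i}", "id=1") for i in range(5)]  # scan
    packets.append(AppPacket("10.0.0.9", "/q", "report=timestampadd(day,1,now())"))
    packets.append(AppPacket("10.0.0.9", "/q", "id=1", controlled=True))
    return [module.classify(p) for p in packets]
```

Because the module keeps per-source state, the scan prompt fires only once the fifth distinct path from one source arrives, while the severity ordering means a packet matching several characteristics yields the single worst alarm.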
Embodiment three
For the network attack alarm method provided by the embodiment of the present application above, and based on the same idea, the embodiment of the present application also provides a network attack alarm device, as shown in Figure 3.
The network attack alarm device includes a packet acquisition module 301, a network attack characteristic acquisition module 302 and an alarm signal output module 303, wherein:
the packet acquisition module 301 is configured to acquire a network packet of the application layer in the current network system;
the network attack characteristic acquisition module 302 is configured to acquire the network attack characteristic of the network packet if, after network attack detection is performed on the network packet, it is determined that the network packet can carry out a network attack on the current network system;
the alarm signal output module 303 is configured to output a network attack alarm signal according to the network attack characteristic of the network packet and the data content in the network packet.
Optionally, the alarm signal output module 303 is configured to output the network attack alarm signal if the data content of the network packet includes data content corresponding to the network attack characteristic.
Optionally, the network attack characteristic of the network packet includes a vulnerability scanning behavioural characteristic, a vulnerability triggering behavioural characteristic and a system-controlled behavioural characteristic,
and the alarm signal output module 303 is configured to:
output a suspected attack prompt signal if the data content of the network packet includes data content corresponding to the vulnerability scanning behavioural characteristic;
output a network attack alarm signal if the data content of the network packet includes data content corresponding to the vulnerability triggering behavioural characteristic;
output a system-controlled alarm signal if the data content of the network packet includes data content corresponding to the system-controlled behavioural characteristic.
Optionally, the vulnerability triggering behavioural characteristic includes a low-risk vulnerability triggering characteristic, a medium-risk vulnerability triggering characteristic and a high-risk vulnerability triggering characteristic,
and the alarm signal output module 303 is configured to:
output a low-risk alarm signal if the data content of the network packet includes data content corresponding to the low-risk vulnerability triggering characteristic;
output a medium-risk alarm signal if the data content of the network packet includes data content corresponding to the medium-risk vulnerability triggering characteristic;
output a high-risk alarm signal if the data content of the network packet includes data content corresponding to the high-risk vulnerability triggering characteristic.
Optionally, the alarm signal output module 303 is configured to send network attack warning information, or to output a control instruction that makes an alarm indicator lamp blink or light up.
The embodiment of the present application provides a network attack alarm device: network attack detection is performed on the acquired application-layer network packet in the current network system; after it is determined that the network packet can carry out a network attack on the current network system, the network attack characteristic of the network packet is acquired; and then a network attack alarm signal is output according to the network attack characteristic of the network packet and the data content in the network packet. In this way, the network influence caused by the network attack is determined by analysing the application-layer network packets (that is, the bidirectional data flow), so that the network attack alarm can be based on the actual scope of influence of the network attack, false network attack alarms are reduced, the effectiveness of network attack alarms is improved, and security management and security operation and maintenance become more efficient.
In a typical configuration, a computing device includes one or more processors (CPUs), an input/output interface, a network interface and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can implement information storage by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of a purely hardware embodiment, a purely software embodiment or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and the like) containing computer-usable program code.
The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.

Claims (10)

1. A network attack alarm method, characterized in that the method comprises:
acquiring a network packet of the application layer in a current network system;
if, after network attack detection is performed on the network packet, it is determined that the network packet can carry out a network attack on the current network system, acquiring the network attack characteristic of the network packet;
outputting a network attack alarm signal according to the network attack characteristic of the network packet and the data content in the network packet.
2. The method according to claim 1, characterized in that outputting a network attack alarm signal according to the network attack characteristic of the network packet and the data content in the network packet comprises:
if the data content of the network packet includes data content corresponding to the network attack characteristic, outputting the network attack alarm signal.
3. The method according to claim 2, characterized in that the network attack characteristic of the network packet includes a vulnerability scanning behavioural characteristic, a vulnerability triggering behavioural characteristic and a system-controlled behavioural characteristic,
and that, if the data content of the network packet includes data content corresponding to the network attack characteristic, outputting the network attack alarm signal comprises:
if the data content of the network packet includes data content corresponding to the vulnerability scanning behavioural characteristic, outputting a suspected attack prompt signal;
if the data content of the network packet includes data content corresponding to the vulnerability triggering behavioural characteristic, outputting a network attack alarm signal;
if the data content of the network packet includes data content corresponding to the system-controlled behavioural characteristic, outputting a system-controlled alarm signal.
4. The method according to claim 3, characterized in that the vulnerability triggering behavioural characteristic includes a low-risk vulnerability triggering characteristic, a medium-risk vulnerability triggering characteristic and a high-risk vulnerability triggering characteristic,
and that, if the data content of the network packet includes data content corresponding to the vulnerability triggering characteristic, outputting a network attack alarm signal comprises:
if the data content of the network packet includes data content corresponding to the low-risk vulnerability triggering characteristic, outputting a low-risk alarm signal;
if the data content of the network packet includes data content corresponding to the medium-risk vulnerability triggering characteristic, outputting a medium-risk alarm signal;
if the data content of the network packet includes data content corresponding to the high-risk vulnerability triggering characteristic, outputting a high-risk alarm signal.
5. The method according to any one of claims 1 to 4, characterized in that outputting the network attack alarm signal comprises:
sending network attack warning information; or
outputting a control instruction that makes an alarm indicator lamp blink or light up.
6. A network attack alarm device, characterized in that the device comprises:
a packet acquisition module, configured to acquire a network packet of the application layer in a current network system;
a network attack characteristic acquisition module, configured to acquire the network attack characteristic of the network packet if, after network attack detection is performed on the network packet, it is determined that the network packet can carry out a network attack on the current network system;
an alarm signal output module, configured to output a network attack alarm signal according to the network attack characteristic of the network packet and the data content in the network packet.
7. The device according to claim 6, characterized in that the alarm signal output module is configured to output the network attack alarm signal if the data content of the network packet includes data content corresponding to the network attack characteristic.
8. The device according to claim 7, characterized in that the network attack characteristic of the network packet includes a vulnerability scanning behavioural characteristic, a vulnerability triggering behavioural characteristic and a system-controlled behavioural characteristic,
and the alarm signal output module is configured to:
output a suspected attack prompt signal if the data content of the network packet includes data content corresponding to the vulnerability scanning behavioural characteristic;
output a network attack alarm signal if the data content of the network packet includes data content corresponding to the vulnerability triggering behavioural characteristic;
output a system-controlled alarm signal if the data content of the network packet includes data content corresponding to the system-controlled behavioural characteristic.
9. The device according to claim 8, characterized in that the vulnerability triggering behavioural characteristic includes a low-risk vulnerability triggering characteristic, a medium-risk vulnerability triggering characteristic and a high-risk vulnerability triggering characteristic,
and the alarm signal output module is configured to:
output a low-risk alarm signal if the data content of the network packet includes data content corresponding to the low-risk vulnerability triggering characteristic;
output a medium-risk alarm signal if the data content of the network packet includes data content corresponding to the medium-risk vulnerability triggering characteristic;
output a high-risk alarm signal if the data content of the network packet includes data content corresponding to the high-risk vulnerability triggering characteristic.
10. The device according to any one of claims 6 to 9, characterized in that the alarm signal output module is configured to send network attack warning information, or to output a control instruction that makes an alarm indicator lamp blink or light up.
CN201710141825.9A 2017-03-10 2017-03-10 The alarming method for power and device of a kind of network attack Pending CN106888210A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710141825.9A CN106888210A (en) 2017-03-10 2017-03-10 The alarming method for power and device of a kind of network attack


Publications (1)

Publication Number Publication Date
CN106888210A true CN106888210A (en) 2017-06-23

Family

ID=59180601

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710141825.9A Pending CN106888210A (en) 2017-03-10 2017-03-10 The alarming method for power and device of a kind of network attack

Country Status (1)

Country Link
CN (1) CN106888210A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107463845A (en) * 2017-07-14 2017-12-12 上海斐讯数据通信技术有限公司 A kind of detection method, system and the computer-processing equipment of SQL injection attack
CN114389856A (en) * 2021-12-23 2022-04-22 南京理工大学 Network attack detection system
CN117610018A (en) * 2023-12-01 2024-02-27 深圳市马博士网络科技有限公司 Vulnerability simulation method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350745A (en) * 2008-08-15 2009-01-21 北京启明星辰信息技术股份有限公司 Intrude detection method and device
CN103281177A (en) * 2013-04-10 2013-09-04 广东电网公司信息中心 Method and system for detecting hostile attack on Internet information system
US20160182541A1 (en) * 2014-12-18 2016-06-23 Gwangju Institute Of Science And Technology Method for detecting intrusion in network
CN105939311A (en) * 2015-08-11 2016-09-14 杭州迪普科技有限公司 Method and device for determining network attack behavior
CN106330964A (en) * 2016-10-14 2017-01-11 成都信息工程大学 Network intrusion detection and active defense linkage control device



Legal Events

Date Code Title Description
PB01 Publication Application publication date: 20170623
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication