CN107181758A - Method and system for identifying hacker behavior - Google Patents
Method and system for identifying hacker behavior
- Publication number
- CN107181758A (application number CN201710520184.8A)
- Authority
- CN
- China
- Prior art keywords
- hacker
- behavior
- url
- user
- payload
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
The invention belongs to the technical field of network security protection and in particular relates to a method and system for identifying hacker behavior. The method includes: establishing a rule base that collects the payloads (test payload data) used by hackers for testing; matching each uniform resource locator (URL) to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, where the URL to be identified is extracted from the user request log; and matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior. The invention identifies hacker behavior actively and can identify it before harm is caused.
Description
Technical field
The invention belongs to the technical field of network security protection, and in particular relates to a method and system for identifying hacker behavior.
Background technology
Hacker behavior refers to the preliminary attacks in which a hacker tests whether a website has vulnerabilities, and the further penetration attacks carried out after a vulnerability has been found. An important task of network security protection is to identify hacker behavior and to take corresponding protective action against it.
Network assets refer to the set of network asset information and equipment asset information. Network asset information includes bandwidth, IP ranges, websites, network traffic information and the like; equipment asset information includes servers, switches, storage devices and the like.
In the prior art, hacker behavior is generally identified by monitoring real-time asset information: an anomaly in the asset information is taken as a sign that hacker behavior is affecting the assets, so hacker behavior is identified passively through its actual effect on the assets. This scheme can detect in real time the drastic impact of hacker behavior on asset information and immediately execute an emergency response, thereby protecting the assets and reducing the loss caused by hacker behavior. Similar approaches that discover hacker behavior by monitoring the state of asset information include monitoring server performance, network traffic and the like.
Hacker behavior typically takes the form of SQL injection attempts against a website: the hacker constructs different payloads to send requests to the database, and these requests are reflected in the database monitoring system. A large number of such requests causes database traffic to rise and the number of database connections to increase abnormally, and may even trigger the alarm policy of the database monitoring system.
Although identifying hacker behavior by monitoring asset information is effective, the object of asset monitoring is the overall composition and trend of the entire business, so part of the hacker behavior cannot be identified: hacker behavior can only be inferred from a rise in database traffic and an abnormal increase in the number of database connections. The prior art therefore has the following shortcomings:
1. A small amount of hacker behavior is difficult to identify; a hacker manually testing a vulnerability with a single request is hard to detect;
2. Identification of hacker behavior is based entirely on the effect of that behavior on asset information, so a large amount of hacker behavior goes unreported;
3. Normal traffic fluctuations, for example those caused by a trending event, may also be falsely reported as hacker behavior;
4. Identification is passive; hacker behavior is identified only after it has already caused some harm.
The content of the invention
The technical problem to be solved by the present invention is to overcome the shortcomings of the prior art by providing a method and system for identifying hacker behavior that identify hacker behavior actively and can identify it before harm is caused.
To achieve the above technical purpose, in one aspect, the method for identifying hacker behavior of the present invention includes:
Establishing a rule base that collects the payloads (test payload data) used by hackers for testing;
Matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, where the URL to be identified is extracted from the user request log;
Matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior.
In another aspect, the system for identifying hacker behavior of the present invention includes:
A rule base unit, for establishing a rule base that collects the payloads (test payload data) used by hackers for testing;
A suspect identification unit, for matching each uniform resource locator (URL) to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, where the URL to be identified is extracted from the user request log;
A behavior judgment unit, for matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior.
In the technical solution of the present invention, a rule base of hacker payloads is established and the URLs in the user request log are matched against those payloads in order to judge hacker behavior. This breaks away from the approach of monitoring network asset information: a user exhibiting hacker behavior is identified already at the SQL injection probing stage, rather than only when database traffic rises or the number of database connections increases abnormally. The technical solution provided by the present invention can therefore identify hacker behavior actively, before harm is caused.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of the method of the present invention;
Fig. 2 is a schematic flow diagram of the method of an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the system of the present invention;
Fig. 4 is a schematic structural diagram of the system of an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the suspect identification unit in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the behavior judgment unit in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The requests that users make to a website over the network every day are recorded by the website side to form the user request log. The data recorded in each user request log entry includes the request header, the URL, the request content, the uid of the corresponding user, the device information used, and so on.
As shown in Fig. 1, in one embodiment, the method for identifying hacker behavior of the present invention includes:
101. Establishing a rule base that collects the payloads (test payload data) used by hackers for testing;
The rule base is a knowledge base that collects a large number of the payloads (payload data) used by hackers for testing, and those payloads are varied. For example, the code '><script>alert(document.cookie)</script> is commonly used when testing for XSS; such special test code is used for vulnerability testing when the hacker carries out the preliminary attack at the initial stage, and appears in the uniform resource locator (URL).
102. Matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, where the URL to be identified is extracted from the user request log. Specifically:
Each URL to be identified that has passed screening and deduplication is matched against all payloads in the rule base;
If the current URL contains at least one payload from the rule base, the user corresponding to the current URL is judged to exhibit suspected hacker behavior.
Matching refers to checking a single URL. Taking the example in step 101: if the URL corresponding to a user contains the payload code '><script>alert(document.cookie)</script>, the behavior that user is carrying out is judged to be suspected hacker behavior.
103. Matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior. Specifically:
Collecting all URLs in the user request logs initiated within the specified time period by the user with suspected hacker behavior;
Matching each URL within the specified time period against all payloads in the rule base;
If no fewer than a set number of URLs each contain at least one payload from the rule base, the user is judged to exhibit hacker behavior.
In this step the uid, device number and other information of the user corresponding to the URL can be confirmed, and all user request logs associated with that uid within the most recent specified time period are collected, including all URL requests of that uid within that period. If there is no user uid, all user request logs within the most recent specified time period are associated by the corresponding device number instead.
When judging suspected hacker behavior, the URLs used for matching are the URLs that have been processed by screening and deduplication; the purpose is to reduce the workload of the server. When judging hacker behavior, the URLs used for matching are all URLs collected within the most recent specified time period, without screening and deduplication; the purpose is to improve the accuracy of identifying hacker behavior.
As shown in Fig. 2 in another embodiment, the method for identification hacker's behavior of the present invention, including:
201st, setting up set has hacker's test payload data payload used rule base.
Rule base is exactly a kind of a large amount of hacker's test payload (payload data) used of set knowledge base.And it is black
Visitor's test payload used is varied.For example:Commonly used during test xss '><script>alert
(document.cookie)</script>Code, these special test codes can be done when hacker carries out the pre- attack at initial stage
Leak test is used, is used in URL (URL).
202nd, all user's Request Logs that gathering station side is pushed.
203rd, each URL extracted in all user's Request Logs is screened according to default screening rule;
The screening rule refers to filtering out google in the URL being collected into, and the reptile of the search engine such as baidu please
Ask, the normal heartbeat request that server ends are set.
204. Deduplicating each screened URL to obtain the URLs to be identified;
Deduplication refers to removing repeated URLs under the same user uid, and deduplicating similar URLs. For example, http://www.example.com?s=123 and http://www.example.com?s=345 are similar URLs and can be deduplicated by regular-expression matching; note, however, that http://www.example.com?s=123 and http://www.example.com?s=3456 are not similar URLs, because the lengths of their parameter values differ. The user request logs processed by screening and deduplication are stored in a database.
The user request logs are then stored with the user uid as the unique key, that is, all user request logs of the same user uid are grouped together. Since each user request log entry contains only one URL, the same user uid has N URLs under it.
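Steps 202 to 204 (collection, screening and deduplication) as an added Python example; this is not code from the patent. The crawler user-agent patterns, the heartbeat paths, the "shape" rule used to decide when two URLs are similar, and the sample log entries are all constructed for illustration. The patent only says that similar URLs may be deduplicated by regular-expression matching and that parameter values of different length are not similar; the shape rule below is one concrete way to obtain exactly that behavior.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request-log entries (uid, user agent, URL); not from the patent.
SAMPLE_LOGS = [
    ("u1", "Mozilla/5.0", "http://www.example.com?s=123"),
    ("u1", "Mozilla/5.0", "http://www.example.com?s=345"),    # similar to s=123
    ("u1", "Mozilla/5.0", "http://www.example.com?s=3456"),   # different value length
    ("u1", "Mozilla/5.0", "http://www.example.com?s=123'"),   # carries a payload
    ("u1", "Mozilla/5.0", "http://www.example.com?s=123"),    # exact repeat
    ("u2", "Mozilla/5.0 (compatible; Googlebot/2.1)", "http://www.example.com?s=1"),
    ("u3", "Mozilla/5.0", "http://www.example.com/heartbeat"),
]

# Hypothetical screening rule: crawler user agents and server heartbeat paths.
CRAWLER_UA = re.compile(r"googlebot|baiduspider|bingbot", re.IGNORECASE)
HEARTBEAT_PATHS = {"/heartbeat", "/ping"}


def screen(logs):
    """Step 203: drop search-engine crawler requests and normal heartbeat requests."""
    kept = []
    for uid, user_agent, url in logs:
        if CRAWLER_UA.search(user_agent):
            continue
        if urlsplit(url).path in HEARTBEAT_PATHS:
            continue
        kept.append((uid, user_agent, url))
    return kept


def url_shape(url):
    """Similarity key for step 204: the path plus each query parameter name and the
    shape of its value, where every digit becomes 0 and every letter becomes a.
    s=123 and s=345 both become s=000 and collapse; s=3456 becomes s=0000 and stays
    distinct (different length); s=123' becomes s=000' and also stays distinct."""
    parts = urlsplit(url)
    shaped = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = re.sub(r"[0-9]", "0", value)
        value = re.sub(r"[A-Za-z]", "a", value)
        shaped.append((name, value))
    return (parts.path, tuple(shaped))


def dedup(logs):
    """Step 204: remove exact and similar repeats per uid; returns {uid: [urls]}."""
    seen = set()
    by_uid = {}
    for uid, _user_agent, url in logs:
        key = (uid, url_shape(url))
        if key in seen:
            continue
        seen.add(key)
        by_uid.setdefault(uid, []).append(url)
    return by_uid


def urls_to_identify(logs):
    """Steps 202-204 chained: screened, deduplicated URLs grouped by uid."""
    return dedup(screen(logs))


if __name__ == "__main__":
    for uid, urls in urls_to_identify(SAMPLE_LOGS).items():
        print(uid, urls)
```

The shape key keeps a URL that differs from a benign twin only by a payload character (s=123' versus s=123) as a separate entry, so deduplication at this stage does not discard the very URL the suspect check of step 205 needs; the patent's second stage nonetheless re-reads the raw log without deduplication, which guards against any similarity rule that is too aggressive.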
205. Matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, where the URL to be identified is extracted from the user request log. Specifically:
Each URL to be identified that has passed screening and deduplication is matched against all payloads in the rule base;
If the current URL contains at least one payload from the rule base, the user corresponding to the current URL is judged to exhibit suspected hacker behavior.
Matching refers to checking a single URL. Taking the example in step 201: if the URL corresponding to a user contains the payload code '><script>alert(document.cookie)</script>, the behavior that user is carrying out is judged to be suspected hacker behavior.
206. Matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior. Specifically:
Collecting all URLs in the user request logs initiated within the specified time period by the user with suspected hacker behavior;
Matching each URL within the specified time period against all payloads in the rule base;
If no fewer than a set number of URLs each contain at least one payload from the rule base, the user is judged to exhibit hacker behavior.
In this step the uid, device number and other information of the user corresponding to the URL can be confirmed, and all user request logs associated with that uid within the most recent specified time period are collected, including all URL requests of that uid within that period. If there is no user uid, all user request logs within the most recent specified time period are associated by the corresponding device number instead.
When judging suspected hacker behavior, the URLs used for matching are the URLs that have been processed by screening and deduplication; the purpose is to reduce the workload of the server. When judging hacker behavior, the URLs used for matching are all URLs collected within the most recent specified time period, without screening and deduplication; the purpose is to improve the accuracy of identifying hacker behavior.
207. Classifying the hacker behavior according to the corresponding payload;
208. Storing the classified hacker behavior in a database;
The purpose is to support later forensics and tracing, and to discover in time the weak points of the website side and the vulnerability points that attract hacker attacks. Combined with other techniques, a situational awareness map of the website side's security can be drawn.
209. Manually confirming the stored classified hacker behavior.
Manually reconfirming the classified hacker behavior improves the accuracy rate of identifying hacker behavior.
As shown in Fig. 3, in one embodiment, the system for identifying hacker behavior of the present invention includes:
A rule base unit 11, for establishing a rule base that collects the payloads (test payload data) used by hackers for testing;
A suspect identification unit 12, for matching each uniform resource locator (URL) to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, where the URL to be identified is extracted from the user request log;
A behavior judgment unit 13, for matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior.
As shown in Fig. 4, in another embodiment, the system for identifying hacker behavior of the present invention includes:
A rule base unit 11, for establishing a rule base that collects the payloads (test payload data) used by hackers for testing;
A collection unit 22, for collecting all user request logs pushed by the website side;
A screening unit 23, for screening each URL extracted from all user request logs according to a preset screening rule;
A deduplication unit 24, for deduplicating each screened URL to obtain the URLs to be identified;
A suspect identification unit 12, for matching each uniform resource locator (URL) to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, where the URL to be identified is extracted from the user request log;
A behavior judgment unit 13, for matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior;
A classification unit 27, for classifying the hacker behavior according to the corresponding payload;
A storage unit 28, for storing the classified hacker behavior in a database;
A review unit 29, for manually confirming the stored classified hacker behavior.
A possible structure of the suspect identification unit 12, as shown in Fig. 5, includes:
A first matching module 121, for matching each URL to be identified that has passed screening and deduplication against all payloads in the rule base;
A first judgment module 122, for judging that the user corresponding to the current URL exhibits suspected hacker behavior if the current URL contains at least one payload from the rule base.
A possible structure of the behavior judgment unit 13, as shown in Fig. 6, includes:
A collection module 131, for collecting all URLs in the user request logs initiated within the specified time period by the user with suspected hacker behavior;
A second matching module 132, for matching each URL within the specified time period against all payloads in the rule base;
A second judgment module 133, for judging that the user exhibits hacker behavior if no fewer than a set number of URLs each contain at least one payload from the rule base.
The judgment of suspected hacker behavior is illustrated in detail as follows:
Suppose one payload in the rule base is a single quotation mark, and it must be checked whether the current URL http://www.example.com?s=123' matches the single-quote payload. After matching, the current URL is found to contain a single quotation mark, so the user corresponding to the current URL is judged to exhibit suspected hacker behavior. Matching simply checks whether the current URL contains a payload from the rule base. Note that URLs are not processed in batch in this step; matching is performed on each single URL.
The judgment of hacker behavior is illustrated in detail as follows:
Continuing the example above, the URL currently matched against the rule base is http://www.example.com?s=123';
If two further URLs are then detected under the same user uid as the URL above:
http://www.example.com?s=123 and sleep(5);
http://www.example.com?s=123 union select 1,2,3--;
and these two URLs each contain other payloads from the rule base, it can be judged that the user exhibits hacker behavior: the user is probing the website side for SQL injection vulnerabilities. In this step the URLs are processed in batch.
The set number of URLs can be adjusted dynamically. For example, our strategy is that if only one URL under a single user uid is matched as containing a payload, this does not count as hacker behavior, while two matched URLs containing payloads do count as hacker behavior. The threshold of the identification strategy for hacker behavior is determined by the results in practice. If the reported hacker behavior turns out on verification to contain a large number of false positives, the threshold (the set number of URLs) is raised, for example to four matched URLs containing payloads before hacker behavior is asserted, with fewer than four treated as ordinary probing. If the threshold is so high that hacker behavior is missed, the threshold is lowered.
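The two-stage judgment described above (the per-URL suspect check of step 205, then the per-user count over the specified time period with an adjustable threshold in step 206) together with the classification of step 207, as an added Python example; this is not code from the patent. The rule base and its regular expressions, the one-hour window, the default threshold of two matched URLs (taken from the strategy described above) and the sample requests are all constructed for illustration; the patent does not specify the payload format or the window length.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Hypothetical rule base: name -> (category, regex over the decoded URL). The patterns
# are illustrative stand-ins for the payload entries a real rule base would hold.
RULE_BASE = {
    "single_quote": ("sqli", re.compile(r"'")),
    "time_based": ("sqli", re.compile(r"\band\s+sleep\s*\(\s*\d+\s*\)", re.IGNORECASE)),
    "union_select": ("sqli", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
    "xss_alert": ("xss", re.compile(r"<script>.*?alert\s*\(", re.IGNORECASE)),
}


def match_payloads(url):
    """Names of every rule-base payload found in one URL. The URL is percent-decoded
    first so that %27 and %20 are seen as a quote and a space."""
    decoded = unquote(url)
    return [name for name, (_cat, rx) in RULE_BASE.items() if rx.search(decoded)]


def is_suspect(url):
    """Step 205: one screened, deduplicated URL; any payload hit marks its user suspect."""
    return bool(match_payloads(url))


def judge_user(events, now, window=timedelta(hours=1), threshold=2):
    """Step 206: events are (timestamp, url) pairs for one uid (or device number),
    taken raw from the log without screening or deduplication. Count the URLs inside
    the window that carry at least one payload and compare against the adjustable
    threshold. Returns (verdict, hits, categories); the categories are step 207's
    classification of the behavior by the payloads that matched."""
    hits = []
    for ts, url in events:
        if now - window <= ts <= now:
            names = match_payloads(url)
            if names:
                hits.append((url, names))
    categories = sorted({RULE_BASE[n][0] for _url, names in hits for n in names})
    return len(hits) >= threshold, hits, categories


# Constructed sample data (not from the patent). u1 follows the patent's own example:
# a single quote, then a time-based probe, then a UNION SELECT probe.
T0 = datetime(2017, 6, 30, 12, 0, 0)
EVENTS_U1 = [
    (T0 - timedelta(minutes=50), "http://www.example.com?s=123%27"),
    (T0 - timedelta(minutes=40), "http://www.example.com?s=123%20and%20sleep(5)"),
    (T0 - timedelta(minutes=30), "http://www.example.com?s=123%20union%20select%201,2,3--"),
]
# u2 typed an apostrophe into a search term (a normal user's misoperation) and has one
# real probe, but that probe lies outside the window, so the threshold is not reached.
EVENTS_U2 = [
    (T0 - timedelta(minutes=10), "http://www.example.com?s=it%27s"),
    (T0 - timedelta(hours=5), "http://www.example.com?s=1%20union%20select%201--"),
]


if __name__ == "__main__":
    for uid, events in (("u1", EVENTS_U1), ("u2", EVENTS_U2)):
        verdict, hits, categories = judge_user(events, T0)
        print(uid, "hacker behavior" if verdict else "no hacker behavior", len(hits), categories)
```

A single-quote payload on its own matches ordinary user input such as an apostrophe in a search term, which is why the patent keeps the per-URL check as only a suspect flag and lets the per-user threshold, raised or lowered according to the observed false-positive and miss rates, make the final call.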
The present invention can effectively identify a hacker's behavior against a website from the user request log information. Because it uses an offline log-processing flow (obtaining the user request logs independently), the workflow of the present invention does not affect the normal operation of the website side. Because the URLs of all user request logs are checked, every small action of a hacker can be discovered. Because the set number of URLs is adjusted by a dynamic strategy, a normal user's misoperation will not be identified as hacker behavior.
The benefit that the above technical solution brings by identifying hacker behavior is obvious: it helps the website side carry out later forensics and tracing on the basis of the identified hacker behavior, and it accumulates resources for the website side to carry out further situational awareness.
It should be understood that the particular order or hierarchy of the steps in the disclosed processes is an example of an exemplary approach. Based on design preferences, the particular order or hierarchy of the steps in the processes can be rearranged without departing from the scope of protection of the present disclosure. The appended method claims present the elements of the various steps in an exemplary order and are not limited to the particular order or hierarchy described.
In the above detailed description, various features are combined together in a single embodiment to simplify the disclosure. This method of disclosure should not be construed as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. On the contrary, as the appended claims reflect, the present invention lies in fewer than all the features of a single disclosed embodiment. Therefore, the appended claims are hereby incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the present invention.
The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments without departing from the spirit and scope of the disclosure. Therefore, the disclosure is not limited to the embodiments set forth herein but is to be accorded the widest scope consistent with the principles and novel features disclosed in this application.
The above description includes examples of one or more embodiments. Of course, it is impossible to describe every conceivable combination of components or methods when describing the above embodiments, but those of ordinary skill in the art will recognize that the embodiments can be further combined and permuted. Therefore, the embodiments described herein are intended to cover all such alterations, modifications and variations that fall within the scope of protection of the appended claims. Furthermore, with regard to the term "comprising" used in the specification or claims, the word is inclusive in a manner similar to the term "including", as "including" is interpreted when used as a transitional word in the claims. Furthermore, any use of the term "or" in the specification or claims denotes a "non-exclusive or".
Those skilled in the art will further appreciate that the various illustrative logical blocks, units and steps listed in the embodiments of the present invention may be implemented by electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the various illustrative components, units and steps above have been described generally in terms of their functions. Whether such functions are implemented by hardware or software depends on the design requirements of the particular application and of the overall system. Those skilled in the art may use various methods to implement the described functions for each particular application, but such implementations should not be construed as exceeding the scope of protection of the embodiments of the present invention.
The various illustrative logical blocks or units described in the embodiments of the present invention may be implemented or operated by a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above, so as to realize the described functions or operations. The general-purpose processor may be a microprocessor or, alternatively, any conventional processor, controller, microcontroller or state machine. The processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of the present invention may be embodied directly in hardware, in a software module executed by a processor, or in a combination of both. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. Exemplarily, the storage medium may be connected to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and the storage medium may be arranged in an ASIC, and the ASIC may be arranged in a user terminal. Alternatively, the processor and the storage medium may be arranged in different components of the user terminal.
In one or more exemplary designs, the functions described in the embodiments of the present invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, these functions may be stored on a computer-readable medium, or transmitted over a computer-readable medium in the form of one or more instructions or code. Computer-readable media include computer storage media and communication media that facilitate the transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures and that can be read by a general-purpose or special-purpose computer or processor. Furthermore, any connection may properly be termed a computer-readable medium; for example, if the software is transmitted from a website, server or other remote source through a coaxial cable, fiber-optic cable, twisted pair, digital subscriber line (DSL), or wireless means such as infrared, radio and microwave, then these are also included in the definition of computer-readable medium. Disk and disc, as used here, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically while discs reproduce data optically with lasers. Combinations of the above may also be included within computer-readable media.
The above embodiments further explain in detail the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the above is only an embodiment of the present invention and is not intended to limit the scope of protection of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. A method for identifying hacker behavior, characterized in that the method comprises:
establishing a rule base containing the set of payloads used in hacker testing;
matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and determining whether the user corresponding to the current URL exhibits suspected hacker behavior, the URL to be identified being extracted from user request logs;
matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base, and determining whether that user exhibits hacker behavior.
2. The method for identifying hacker behavior according to claim 1, characterized in that, before matching each URL to be identified against all payloads in the rule base, the method further comprises:
collecting all user request logs pushed by the site side;
screening each URL extracted from all user request logs according to a preset screening rule;
deduplicating the screened URLs to obtain the URLs to be identified.
3. The method for identifying hacker behavior according to claim 2, characterized in that matching each URL to be identified against all payloads in the rule base and determining whether the user corresponding to the current URL exhibits suspected hacker behavior, the URL to be identified being extracted from user request logs, specifically comprises:
matching each screened and deduplicated URL to be identified against all payloads in the rule base respectively;
if the current URL contains at least one payload from the rule base, determining that the user corresponding to the current URL exhibits suspected hacker behavior.
4. The method for identifying hacker behavior according to any one of claims 1 to 3, characterized in that matching all URLs corresponding to a user with suspected hacker behavior within the specified time period against all payloads in the rule base and determining whether that user exhibits hacker behavior specifically comprises:
collecting all URLs in the user request logs initiated within the specified time period by the user with suspected hacker behavior;
matching all URLs within the specified time period against all payloads in the rule base respectively;
if no fewer than a set number of URLs contain at least one payload from the rule base, determining that the user exhibits hacker behavior.
5. The method for identifying hacker behavior according to claim 4, characterized in that, after determining that the user exhibits hacker behavior, the method further comprises:
classifying the hacker behavior according to the corresponding payload;
storing the classified hacker behavior in a database;
manually confirming the stored classified hacker behavior.
6. A system for identifying hacker behavior, characterized in that the system comprises:
a rule base unit, for establishing a rule base containing the set of payloads used in hacker testing;
a suspicion determination unit, for matching each uniform resource locator (URL) to be identified against all payloads in the rule base and determining whether the user corresponding to the current URL exhibits suspected hacker behavior, the URL to be identified being extracted from user request logs;
a behavior determination unit, for matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base and determining whether that user exhibits hacker behavior.
7. The system for identifying hacker behavior according to claim 6, characterized in that the system further comprises:
a collection unit, for collecting all user request logs pushed by the site side;
a screening unit, for screening each URL extracted from all user request logs according to a preset screening rule;
a deduplication unit, for deduplicating the screened URLs to obtain the URLs to be identified.
8. The system for identifying hacker behavior according to claim 7, characterized in that the suspicion determination unit comprises:
a first matching module, for matching each screened and deduplicated URL to be identified against all payloads in the rule base respectively;
a first determination module, for determining that the user corresponding to the current URL exhibits suspected hacker behavior if the current URL contains at least one payload from the rule base.
9. The system for identifying hacker behavior according to any one of claims 6 to 8, characterized in that the behavior determination unit comprises:
a collection module, for collecting all URLs in the user request logs initiated within the specified time period by the user with suspected hacker behavior;
a second matching module, for matching all URLs within the specified time period against all payloads in the rule base respectively;
a second determination module, for determining that the user exhibits hacker behavior if no fewer than a set number of URLs contain at least one payload from the rule base.
10. The system for identifying hacker behavior according to claim 9, characterized in that the system further comprises:
a classification unit, for classifying the hacker behavior according to the corresponding payload;
a storage unit, for storing the classified hacker behavior in a database;
a review unit, for manually confirming the stored classified hacker behavior.
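The two-stage pipeline of claims 1 to 5 (screen and deduplicate URLs, flag a user on a single payload hit, then confirm the user only when a set number of matching URLs fall within a time window, and classify the result by payload), as an added worked example that is not code from the patent. The rule base entries, the log format, the log lines, the screening rule (drop static assets) and the thresholds are all constructed assumptions for this example; the patent specifies none of them. One design choice the claims leave open is shown explicitly: URLs are percent-decoded before matching, since a payload such as `%3Cscript%3E` would otherwise never match its plain form, and the deduplication key includes the user so that the user-to-URL mapping survives the deduplication step.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Hypothetical rule base mapping a hacker-testing payload to an attack
# category. The patent only states that such a rule base exists; these
# entries are constructed for this example.
RULE_BASE = {
    "' or 1=1": "sqli",
    "union select": "sqli",
    "<script>": "xss",
    "onerror=": "xss",
    "../../": "path_traversal",
    "/etc/passwd": "path_traversal",
    "phpinfo()": "rce",
}

# Constructed user request log: "<ISO timestamp> <user id> <request URL>".
SAMPLE_LOGS = """\
2017-06-30T10:00:01 u1 /search?q=shoes
2017-06-30T10:00:05 u1 /item?id=1'%20or%201=1--
2017-06-30T10:00:09 u1 /item?id=1%20union%20select%201,2,3
2017-06-30T10:00:15 u1 /static/logo.png
2017-06-30T10:01:20 u1 /item?id=1'%20or%201=1--
2017-06-30T10:02:00 u1 /download?file=../../etc/passwd
2017-06-30T10:05:00 u2 /search?q=%3Cscript%3Ealert(1)%3C/script%3E
2017-06-30T10:06:00 u2 /search?q=jacket
2017-06-30T11:30:00 u3 /profile
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_logs(text):
    """Parse the constructed log format into (timestamp, user, url) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return records


def screen_url(url):
    """Assumed preset screening rule: drop static assets, keep everything else."""
    return not re.search(r"\.(png|jpe?g|gif|css|js|ico)$", url, re.I)


def normalise(url):
    """Percent-decode and lowercase so encoded payloads still match the rule base."""
    return unquote_plus(url).lower()


def match_payloads(url):
    """Return the set of rule-base categories whose payload occurs in the URL."""
    decoded = normalise(url)
    return {cat for payload, cat in RULE_BASE.items() if payload in decoded}


def suspected_users(records):
    """Stage 1 (claims 2-3): screen, deduplicate per (user, decoded URL), and flag
    any user with at least one URL containing a payload as suspected."""
    seen, suspects = set(), set()
    for _, user, url in records:
        if not screen_url(url):
            continue
        key = (user, normalise(url))
        if key in seen:
            continue
        seen.add(key)
        if match_payloads(url):
            suspects.add(user)
    return suspects


def confirm_hackers(records, suspects, window_seconds=600, min_hits=3):
    """Stage 2 (claims 4-5): for each suspect, count matching URLs (no dedup here,
    repeated probes count) inside any window of window_seconds; at min_hits or
    more the user is confirmed. Returns {user: sorted categories} for confirmed users."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for ts, user, url in records:
        if user in suspects:
            per_user[user].append((ts, url))
    confirmed = {}
    for user, reqs in per_user.items():
        hits = [(ts, match_payloads(url)) for ts, url in sorted(reqs) if match_payloads(url)]
        for i, (start, _) in enumerate(hits):
            in_window = [cats for ts, cats in hits[i:] if ts - start <= window]
            if len(in_window) >= min_hits:
                confirmed[user] = sorted(set().union(*in_window))  # classify by payload
                break
    return confirmed


def detect(log_text, window_seconds=600, min_hits=3):
    """Run both stages; returns (suspected users, {confirmed user: categories})."""
    records = parse_logs(log_text)
    suspects = suspected_users(records)
    return suspects, confirm_hackers(records, suspects, window_seconds, min_hits)


if __name__ == "__main__":
    suspects, confirmed = detect(SAMPLE_LOGS)
    print("suspected:", sorted(suspects))
    for user, cats in confirmed.items():
        print(f"confirmed {user}: {', '.join(cats)}")
```

On the sample log, u1 and u2 are both suspected after stage 1, but only u1 (four payload-bearing requests inside two minutes) is confirmed; u2 sends one XSS probe and stays at the suspected level, which is the threshold behaviour claim 4 relies on to separate a single stray request from a scan. Shrinking the window or raising the threshold changes only stage 2, so tuning those two parameters against real log volume is where the false-positive rate of this scheme is set.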
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710520184.8A CN107181758A (en) | 2017-06-30 | 2017-06-30 | Method and system for identifying hacker behavior |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710520184.8A CN107181758A (en) | 2017-06-30 | 2017-06-30 | Method and system for identifying hacker behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107181758A true CN107181758A (en) | 2017-09-19 |
Family
ID=59845565
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710520184.8A Pending CN107181758A (en) | Method and system for identifying hacker behavior | 2017-06-30 | 2017-06-30 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107181758A (en) |
- 2017-06-30 CN CN201710520184.8A patent/CN107181758A/en active Pending
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103843003A (en) * | 2011-07-08 | 2014-06-04 | Uab研究基金会 | Syntactical fingerprinting |
CN102316099A (en) * | 2011-07-28 | 2012-01-11 | 中国科学院计算机网络信息中心 | Phishing detection method and apparatus |
CN102801697A (en) * | 2011-12-20 | 2012-11-28 | 北京安天电子设备有限公司 | Malicious code detection method and system based on multiple URLs (Uniform Resource Locators) |
CN103581909A (en) * | 2012-07-31 | 2014-02-12 | 华为技术有限公司 | Method and device for locating suspected mobile phone malware |
CN104144142A (en) * | 2013-05-07 | 2014-11-12 | 阿里巴巴集团控股有限公司 | Web vulnerability discovery method and system |
CN103338211A (en) * | 2013-07-19 | 2013-10-02 | 腾讯科技(深圳)有限公司 | Malicious URL (Uniform Resource Locator) authentication method and device |
CN103905421A (en) * | 2013-12-17 | 2014-07-02 | 哈尔滨安天科技股份有限公司 | Suspicious event detection method and system based on URL heterogeneity |
CN106230775A (en) * | 2016-07-13 | 2016-12-14 | 杭州华三通信技术有限公司 | Method and device for preventing attacks on a URL rule base |
CN106254368A (en) * | 2016-08-24 | 2016-12-21 | 杭州迪普科技有限公司 | Web vulnerability scanning detection method and device |
CN106131071A (en) * | 2016-08-26 | 2016-11-16 | 北京奇虎科技有限公司 | Web anomaly detection method and device |
CN106302534A (en) * | 2016-09-30 | 2017-01-04 | 微梦创科网络科技(中国)有限公司 | Method and system for detecting and handling illegal users |
CN106528805A (en) * | 2016-11-15 | 2017-03-22 | 广东华仝九方科技有限公司 | User-based intelligent analysis and mining method for mobile internet malicious program URLs |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111488577A (en) * | 2019-01-29 | 2020-08-04 | 北京金睛云华科技有限公司 | Vulnerability exploiting method and device based on artificial intelligence |
CN111488577B (en) * | 2019-01-29 | 2023-05-26 | 北京金睛云华科技有限公司 | Model building method and risk assessment method and device based on artificial intelligence |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111092852B (en) | | Network security monitoring method, device, equipment and storage medium based on big data |
CN105933163B (en) | | Real-time distributed debugging and tracking method and system |
US10721245B2 (en) | | Method and device for automatically verifying security event |
CN103379099B (en) | | Hostile attack identification method and system |
US20180075240A1 (en) | | Method and device for detecting a suspicious process by analyzing data flow characteristics of a computing device |
US11729183B2 (en) | | System and method for providing secure in-vehicle network |
CN106302534B (en) | | Method and system for detecting and handling illegal users |
CN103428196A (en) | | URL whitelist-based web application intrusion detection method and apparatus |
US20170244733A1 (en) | | Intrusion detection using efficient system dependency analysis |
CN111064745A (en) | | Adaptive anti-crawler method and system based on abnormal behavior detection |
CN101388794B (en) | | Method and system for locating network management system exception events |
CN105812200A (en) | | Abnormal behavior detection method and device |
CN109561097B (en) | | Method, device, equipment and storage medium for detecting structured query language injection security vulnerabilities |
US20170149800A1 (en) | | System and method for information security management based on application level log analysis |
CN112953971A (en) | | Network security traffic intrusion detection method and system |
CN107888604A (en) | | Internet data acquisition method and device |
CN109428857A (en) | | Method and device for detecting malicious detection behavior |
CN102891861A (en) | | Client-based phishing website detection method and device |
CN104486320A (en) | | Intranet sensitive information leakage forensics system and method based on honeynet technology |
CN111526109B (en) | | Method and device for automatically detecting the running state of a web threat identification and defense system |
CN108040036A (en) | | Industrial cloud Webshell security protection method |
CN107181758A (en) | | Method and system for identifying hacker behavior |
CN111126729A (en) | | Intelligent security event closed-loop handling system and method |
CN111611590B (en) | | Method and device for application-related data security |
CN104104666B (en) | | Method and device for detecting abnormal cloud service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2017-09-19