CN107181758A - Method and system for recognizing hacker behavior - Google Patents


Info

Publication number: CN107181758A
Authority: CN (China)
Prior art keywords: hacker, behavior, url, user, payload
Legal status: Pending
Application number: CN201710520184.8A
Other languages: Chinese (zh)
Inventor: 承复明
Current assignee: Weimeng Chuangke Network Technology China Co Ltd
Original assignee: Weimeng Chuangke Network Technology China Co Ltd
Application filed by Weimeng Chuangke Network Technology China Co Ltd
Priority to CN201710520184.8A
Publication of CN107181758A

Classifications (CPC)

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L 63/00: Network architectures or network communication protocols for network security; H04L 63/14: for detecting or protecting against malicious traffic
        • H04L 63/1408: by monitoring network traffic; H04L 63/1416: Event detection, e.g. attack signature detection
        • H04L 63/1433: Vulnerability analysis
        • H04L 63/1441: Countermeasures against malicious traffic; H04L 63/145: the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention belongs to the technical field of network security protection and in particular relates to a method and system for identifying hacker behavior. The method comprises: establishing a rule base that collects the payload data (payloads) used by hackers for testing; matching each uniform resource locator (URL) to be identified against all payloads in the rule base to judge whether the user corresponding to the current URL shows suspected hacker behavior, the URLs to be identified being extracted from user request logs; and matching all URLs corresponding to a user with suspected hacker behavior within a specified time period against all payloads in the rule base to judge whether that user exhibits hacker behavior. The invention can identify hacker behavior actively, before harm is caused.

Description

Method and system for recognizing hacker behavior
Technical field
The invention belongs to the technical field of network security protection and in particular relates to a method and system for identifying hacker behavior.
Background technology
Hacker behavior refers to the preliminary attacks in which a hacker tests whether a website has a vulnerability, the further penetration attacks carried out after a vulnerability is found, and the like. An important task of network security protection is to recognize hacker behavior and to take corresponding protective action against it.
Network assets are the set of network asset information and device asset information. Network asset information includes bandwidth, IP ranges, websites, network traffic information and so on; device asset information includes servers, switches, storage devices and so on.
In the prior art, hacker behavior is generally recognized by monitoring real-time asset information. Whether the assets are affected by hacker behavior is determined from anomalies in the asset information; that is, hacker behavior is recognized passively, from its actual effect on the assets. This approach can detect in real time the drastic impact of hacker behavior on asset information and immediately execute emergency response operations, protecting the safety of the assets and reducing the losses caused by hacker behavior. Similar approaches that discover hacker behavior by monitoring asset information include monitoring server performance, network traffic and so on.
Hacker behavior typically consists of SQL injection attempts against a website: the hacker constructs different payloads to issue requests against the database, and these requests are reflected in the database monitoring system. A large number of database requests from hacker behavior causes a rise in database traffic and an abnormal increase in the number of database connections, and may even trigger the alarm policy of the database monitoring system.
Although recognizing hacker behavior by monitoring asset information is effective, the object of asset monitoring is the whole business as an aggregate and its trend, so part of the hacker behavior cannot be recognized: the presence of hacker behavior can only be determined from a rise in database traffic and an abnormal increase in the number of database connections. The prior art therefore has the following shortcomings:
1. Small amounts of hacker behavior are difficult to recognize; a hacker manually testing a vulnerability with a single request is hard to identify;
2. Recognition of hacker behavior is based entirely on the influence of the hacker behavior on asset information, so a large amount of hacker behavior is missed;
3. Normal traffic fluctuations, such as those caused by a hot event, may also be falsely reported as hacker behavior;
4. Recognition is passive: behavior is only recognized after it has caused some harm.
The content of the invention
The technical problem to be solved by the invention is to overcome the shortcomings of the existing technology by providing a method and system for identifying hacker behavior that can identify hacker behavior actively, before harm is caused.
To achieve the above technical purpose, in one aspect, the method for identifying hacker behavior of the invention comprises:
Establishing a rule base that collects the payload data (payloads) used by hackers for testing;
Matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and judging whether the user corresponding to the current URL shows suspected hacker behavior, the URL to be identified being extracted from user request logs;
Matching all URLs corresponding, within a specified time period, to a user with suspected hacker behavior against all payloads in the rule base, and judging whether the user shows hacker behavior.
In another aspect, the system for identifying hacker behavior of the invention comprises:
A rule base unit, for establishing a rule base that collects the payload data (payloads) used by hackers for testing;
A suspicion identifying unit, for matching each uniform resource locator (URL) to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL shows suspected hacker behavior, the URL to be identified being extracted from user request logs;
A behavior judging unit, for matching all URLs corresponding, within a specified time period, to a user with suspected hacker behavior against all payloads in the rule base, and judging whether the user shows hacker behavior.
In the technical solution of the invention, a rule base of hacker payloads is established and the URLs in user request logs are matched against the payloads to judge hacker behavior. This breaks away from the approach of monitoring network asset information: a user exhibiting hacker behavior is identified already at the SQL injection probing stage, rather than only when database traffic rises or the number of database connections increases abnormally. The technical solution provided by the invention can therefore recognize hacker behavior actively and identify it before harm is caused.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of the method of the invention;
Fig. 2 is a schematic flow diagram of the method of an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the system of the invention;
Fig. 4 is a schematic structural diagram of the system of an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the suspicion identifying unit in an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the behavior judging unit in an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Every day users send requests to a website over the network, and the station side (the website operator) records them as user request logs. The data recorded in each user request log include: the request header, the URL, the request content, the uid of the corresponding user, the device information used, and other data.
As shown in Fig. 1, in one embodiment, the method for identifying hacker behavior of the invention comprises:
101. Establishing a rule base that collects the payload data (payloads) used by hackers for testing;
The rule base is a knowledge base that collects a large number of the payloads (payload data) used by hackers for testing, and these payloads are varied. For example, code such as '><script>alert(document.cookie)</script> is commonly used when testing for XSS; such special test code is used for vulnerability testing when a hacker carries out the early preliminary attack, and it is placed in the URL (uniform resource locator).
102. Matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and judging whether the user corresponding to the current URL shows suspected hacker behavior, the URL to be identified being extracted from user request logs; specifically:
Matching each screened and de-duplicated URL to be identified against all payloads in the rule base;
If the current URL contains at least one payload from the rule base, judging that the user corresponding to the current URL shows suspected hacker behavior.
Matching means examining a single URL. Taking the example from step 101: if a user's URL contains the payload code '><script>alert(document.cookie)</script>, the behavior the user is carrying out is judged to be suspected hacker behavior.
103. Matching all URLs corresponding, within a specified time period, to a user with suspected hacker behavior against all payloads in the rule base, and judging whether the user shows hacker behavior; specifically:
Collecting all URLs in the user request logs issued within the specified time period by the user with suspected hacker behavior;
Matching all URLs within the specified time period against all payloads in the rule base;
If no fewer than a set number of URLs each contain at least one payload from the rule base, judging that the user shows hacker behavior.
In this step the uid, device number and other information of the user corresponding to the URL can be confirmed, and all user request logs associated with that uid within the most recent specified time period are collected, which includes all URL requests of that uid within the period; alternatively, if there is no user uid, all user request logs within the most recent specified time period are associated through the corresponding device number.
When judging suspected hacker behavior, the URLs used for matching have been screened and de-duplicated, in order to reduce the server workload. When judging hacker behavior, the URLs used for matching are all URLs collected within the most recent specified time period, without screening and de-duplication, in order to improve the accuracy of recognizing hacker behavior.
As shown in Fig. 2, in another embodiment, the method for identifying hacker behavior of the invention comprises:
201. Establishing a rule base that collects the payload data (payloads) used by hackers for testing.
The rule base is a knowledge base that collects a large number of the payloads (payload data) used by hackers for testing, and these payloads are varied. For example, code such as '><script>alert(document.cookie)</script> is commonly used when testing for XSS; such special test code is used for vulnerability testing when a hacker carries out the early preliminary attack, and it is placed in the URL (uniform resource locator).
202. Collecting all user request logs pushed by the station side.
203. Screening each URL extracted from all user request logs according to a preset screening rule;
The screening rule means filtering out, from the collected URLs, the crawler requests of search engines such as google and baidu, and the normal heartbeat requests set up by the server side.
204. De-duplicating each screened URL to obtain the URLs to be identified;
De-duplication means removing repeated URLs under the same user uid and de-duplicating similar URLs. For example, http://www.example.com?s=123 and http://www.example.com?s=345 are similar URLs and can be de-duplicated by regular-expression matching; note however that http://www.example.com?s=123 and http://www.example.com?s=3456 are not similar URLs, because the lengths of the URL parameter contents differ. The user request logs that have passed screening and de-duplication are stored in a database.
The user request logs are then stored indexed by the user uid as the unique key, i.e. all user request logs of the same user uid are grouped together. Since each user request log contains only one URL, N URLs are contained under the same user uid.
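The screening and de-duplication of steps 203 and 204, as an added example that is not the patent's own code: the crawler user-agent test and the heartbeat path are assumed placeholders for the station side's real rules, and similarity is decided by building a regular expression per URL in which every parameter value is replaced by a class fixed to the value's length, so that s=123 and s=345 collapse while s=123 and s=3456 do not.

```python
"""Screening (step 203) and length-aware de-duplication (step 204) of request-log URLs.

Added example, not the patent's code. The crawler test and the heartbeat path are
constructed placeholders for the station side's own screening rules."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed screening rule: search-engine crawler requests (google, baidu) and the
# server side's own heartbeat requests carry no user intent and are filtered out first.
CRAWLER_UA = re.compile(r"googlebot|baiduspider", re.IGNORECASE)
HEARTBEAT_PATHS = {"/heartbeat"}  # assumed path of the site's heartbeat probe


def passes_screening(url, user_agent):
    """Step 203: True when the request should go on to matching."""
    if CRAWLER_UA.search(user_agent or ""):
        return False
    return urlsplit(url).path not in HEARTBEAT_PATHS


def _value_pattern(value):
    """Turn a parameter value into a regex fragment that fixes type and length of each
    run: 123 -> \\d{3}, 3456 -> \\d{4}. Same shape but different length is therefore a
    different URL, as the patent requires for s=123 versus s=3456."""
    out = []
    for run in re.findall(r"\d+|[A-Za-z]+|[^\dA-Za-z]+", value):
        if run.isdigit():
            out.append(r"\d{%d}" % len(run))
        elif run.isalpha():
            out.append(r"[A-Za-z]{%d}" % len(run))
        else:
            out.append(re.escape(run))  # punctuation such as a quote stays literal
    return "".join(out)


def url_shape(url):
    """Regex describing the shape of a URL: scheme, host, path and parameter names are
    kept literally, parameter values are generalised by _value_pattern. Two URLs are
    'similar' in the sense of step 204 when they yield the same shape."""
    parts = urlsplit(url)
    shape = re.escape(f"{parts.scheme}://{parts.netloc}{parts.path}")
    if parts.query:
        pairs = []
        for pair in parts.query.split("&"):
            name, sep, value = pair.partition("=")
            pairs.append(re.escape(name) + (("=" + _value_pattern(value)) if sep else ""))
        shape += r"\?" + "&".join(pairs)
    return "^" + shape + "$"


def similar(url_a, url_b):
    return url_shape(url_a) == url_shape(url_b)


def dedupe(urls):
    """Keep the first URL of every shape, in log order."""
    seen, kept = set(), []
    for url in urls:
        shape = url_shape(url)
        if shape not in seen:
            seen.add(shape)
            kept.append(url)
    return kept


def prepare_to_identify(records):
    """Steps 203-204 over a batch of log records: screen, group by uid, dedupe per uid.
    Returns {uid: [URLs to be identified]}."""
    by_uid = defaultdict(list)
    for r in records:
        if passes_screening(r["url"], r["ua"]):
            by_uid[r["uid"]].append(r["url"])
    return {uid: dedupe(urls) for uid, urls in by_uid.items()}


# Constructed log records. For uid "u1": s=123 and s=345 collapse into one URL, s=3456
# does not (longer value), and the quoted value is a shape of its own.
LOG = [
    {"uid": "u1", "ua": "Mozilla/5.0", "url": "http://www.example.com?s=123"},
    {"uid": "u1", "ua": "Mozilla/5.0", "url": "http://www.example.com?s=345"},
    {"uid": "u1", "ua": "Mozilla/5.0", "url": "http://www.example.com?s=3456"},
    {"uid": "u1", "ua": "Mozilla/5.0", "url": "http://www.example.com?s=123'"},
    {"uid": "u1", "ua": "Mozilla/5.0", "url": "http://www.example.com/heartbeat"},
    {"uid": "bot", "ua": "Mozilla/5.0 (compatible; Googlebot/2.1)",
     "url": "http://www.example.com?s=1"},
]

if __name__ == "__main__":
    for uid, urls in prepare_to_identify(LOG).items():
        print(uid, urls)
```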
205. Matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and judging whether the user corresponding to the current URL shows suspected hacker behavior, the URL to be identified being extracted from user request logs; specifically:
Matching each screened and de-duplicated URL to be identified against all payloads in the rule base;
If the current URL contains at least one payload from the rule base, judging that the user corresponding to the current URL shows suspected hacker behavior.
Matching means examining a single URL. Taking the example from step 101: if a user's URL contains the payload code '><script>alert(document.cookie)</script>, the behavior the user is carrying out is judged to be suspected hacker behavior.
206. Matching all URLs corresponding, within a specified time period, to a user with suspected hacker behavior against all payloads in the rule base, and judging whether the user shows hacker behavior; specifically:
Collecting all URLs in the user request logs issued within the specified time period by the user with suspected hacker behavior;
Matching all URLs within the specified time period against all payloads in the rule base;
If no fewer than a set number of URLs each contain at least one payload from the rule base, judging that the user shows hacker behavior.
In this step the uid, device number and other information of the user corresponding to the URL can be confirmed, and all user request logs associated with that uid within the most recent specified time period are collected, which includes all URL requests of that uid within the period; alternatively, if there is no user uid, all user request logs within the most recent specified time period are associated through the corresponding device number.
When judging suspected hacker behavior, the URLs used for matching have been screened and de-duplicated, in order to reduce the server workload. When judging hacker behavior, the URLs used for matching are all URLs collected within the most recent specified time period, without screening and de-duplication, in order to improve the accuracy of recognizing hacker behavior.
207. Classifying the hacker behavior according to the corresponding payload;
208. Storing the classified hacker behavior in a database;
The purpose is to provide for later forensics and tracing to the source, and to discover in time the weak points of the website side and the vulnerability points that attract hacker attacks. In combination with other technologies, a situation awareness map of the station side's security can be drawn.
209. Manually confirming the stored classified hacker behavior.
Manually reconfirming the classified hacker behavior improves the accuracy of recognizing hacker behavior.
As shown in Fig. 3, in one embodiment, the system for identifying hacker behavior of the invention comprises:
A rule base unit 11, for establishing a rule base that collects the payload data (payloads) used by hackers for testing;
A suspicion identifying unit 12, for matching each uniform resource locator (URL) to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL shows suspected hacker behavior, the URL to be identified being extracted from user request logs;
A behavior judging unit 13, for matching all URLs corresponding, within a specified time period, to a user with suspected hacker behavior against all payloads in the rule base, and judging whether the user shows hacker behavior.
As shown in Fig. 4, in another embodiment, the system for identifying hacker behavior of the invention comprises:
A rule base unit 11, for establishing a rule base that collects the payload data (payloads) used by hackers for testing;
A collecting unit 22, for collecting all user request logs pushed by the station side;
A screening unit 23, for screening each URL extracted from all user request logs according to a preset screening rule;
A de-duplication unit 24, for de-duplicating each screened URL to obtain the URLs to be identified;
A suspicion identifying unit 12, for matching each uniform resource locator (URL) to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL shows suspected hacker behavior, the URL to be identified being extracted from user request logs;
A behavior judging unit 13, for matching all URLs corresponding, within a specified time period, to a user with suspected hacker behavior against all payloads in the rule base, and judging whether the user shows hacker behavior;
A classifying unit 27, for classifying the hacker behavior according to the corresponding payload;
A storage unit 28, for storing the classified hacker behavior in a database;
A review unit 29, for manually confirming the stored classified hacker behavior.
One possible structure of the suspicion identifying unit 12, as shown in Fig. 5, comprises:
A first matching module 121, for matching each screened and de-duplicated URL to be identified against all payloads in the rule base;
A first determining module 122, for judging that the user corresponding to the current URL shows suspected hacker behavior if the current URL contains at least one payload from the rule base.
One possible structure of the behavior judging unit 13, as shown in Fig. 6, comprises:
A collecting module 131, for collecting all URLs in the user request logs issued within the specified time period by a user with suspected hacker behavior;
A second matching module 132, for matching all URLs within the specified time period against all payloads in the rule base;
A second determining module 133, for judging that the user shows hacker behavior if no fewer than a set number of URLs each contain at least one payload from the rule base.
The judgement of suspected hacker behavior is illustrated in detail as follows:
Suppose one payload in the base is a single quotation mark, and it is necessary to detect whether the current URL http://www.example.com?s=123' matches the single-quote payload. After matching, the current URL is found to contain a single quotation mark; the user corresponding to the current URL is therefore judged to show suspected hacker behavior. Matching is simply checking whether the current URL contains any payload in the base. Note that the URLs in this step are not processed in batch; matching is performed on each single URL.
The judgement of hacker behavior is illustrated in detail as follows:
Following the example above, the URL currently matched against the rule base is http://www.example.com?s=123';
If two further URLs under the same user uid as the above URL are then detected:
http://www.example.com?s=123and sleep(5);
http://www.example.com?s=123union select 1,2,3--;
These two URLs each contain other payloads in the rule base; it can then be judged that the user shows hacker behavior, i.e. the user is probing the station side for SQL injection vulnerabilities. The URLs in this step are processed in batch.
The set number of URLs can be adjusted dynamically. For example, our strategy is: if under one user uid only one URL contains a payload, this does not count as hacker behavior; if two URLs contain payloads, it is counted as hacker behavior. The threshold of the strategy for recognizing hacker behavior is determined from practical results. If verification shows that the reported hacker behavior contains many false positives, the threshold (set number) is raised, for example to four matching URLs containing payloads before hacker behavior is asserted, with fewer than four regarded as ordinary probing. If the threshold is so high that misses occur, the threshold must be lowered.
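The two-stage judgement of steps 205 to 207 together with the threshold strategy described above, as an added example that is not the patent's own code: the rule base holds only the four payloads quoted in this description, and the log records, uids, device numbers and the 24-hour window are constructed for the example.

```python
"""Two-stage identification of hacker behavior from user request logs.

Added example following steps 205-207 and the worked example of the patent; the rule
base and the log records are constructed, not taken from any real deployment."""
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed rule base: payload -> category it indicates (step 207 classifies by payload).
# Only the payloads quoted in the description are listed; a real base holds many more.
RULE_BASE = {
    "'": "sql-injection",
    "and sleep(": "sql-injection",
    "union select": "sql-injection",
    "<script>alert(document.cookie)</script>": "xss",
}


def matched_payloads(url):
    """Single-URL match of step 205: the rule-base payloads contained in one URL.
    The URL is percent-decoded and lower-cased so that encoding alone cannot hide a payload."""
    text = unquote(url).lower()
    return [p for p in RULE_BASE if p in text]


def subject_key(record):
    """Identify the requester by uid; fall back to the device number when no uid is logged."""
    if record.get("uid"):
        return ("uid", record["uid"])
    return ("device", record["device"])


def judge_subject(records, key, now, window, threshold):
    """Step 206: gather every URL the subject issued inside the window (no screening or
    dedup here), count the URLs containing at least one payload, and compare with the
    configurable threshold (the patent's default: one hit is a probe, two are hacker behavior)."""
    since = now - window
    urls = [r["url"] for r in records if subject_key(r) == key and since <= r["ts"] <= now]
    hits = [(u, matched_payloads(u)) for u in urls]
    hits = [(u, ps) for u, ps in hits if ps]
    categories = sorted({RULE_BASE[p] for _, ps in hits for p in ps})  # step 207
    return {"matched_urls": len(hits), "hacker": len(hits) >= threshold, "categories": categories}


def identify(records, now, window=timedelta(hours=24), threshold=2):
    """Stage one over every record, then stage two for each suspected subject."""
    suspected = {subject_key(r) for r in records if matched_payloads(r["url"])}
    return {key: judge_subject(records, key, now, window, threshold) for key in sorted(suspected)}


# Constructed request-log records. The three URLs of uid "u1" are the patent's worked
# example: a lone quote, a time-based probe and a UNION probe.
T0 = datetime(2017, 6, 30, 12, 0, 0)
NOW = T0 + timedelta(minutes=10)
LOG = [
    {"ts": T0, "uid": "u1", "device": "d1", "url": "http://www.example.com?s=123'"},
    {"ts": T0 + timedelta(minutes=1), "uid": "u1", "device": "d1",
     "url": "http://www.example.com?s=123and sleep(5)"},
    {"ts": T0 + timedelta(minutes=2), "uid": "u1", "device": "d1",
     "url": "http://www.example.com?s=123union select 1,2,3--"},
    # One quote in an ordinary value: suspected after stage one, below the threshold in stage two.
    {"ts": T0 + timedelta(minutes=3), "uid": "u2", "device": "d2",
     "url": "http://www.example.com?s=O'Brien"},
    # A normal request never reaches stage two.
    {"ts": T0 + timedelta(minutes=4), "uid": "u3", "device": "d3",
     "url": "http://www.example.com?s=345"},
    # No uid logged: the device number keys the window instead; the XSS probe is percent-encoded.
    {"ts": T0 + timedelta(minutes=5), "uid": None, "device": "d4",
     "url": "http://www.example.com?q=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"},
    {"ts": T0 + timedelta(minutes=6), "uid": None, "device": "d4",
     "url": "http://www.example.com?q=1'"},
]

if __name__ == "__main__":
    for key, verdict in identify(LOG, NOW).items():
        print(key, verdict)
```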
The invention can effectively identify a hacker's behavior against a website from the user request log information. Because logs are processed offline (user request logs are obtained independently), the workflow of the invention does not affect the normal operation of the station side. Because the URLs of all user request logs are examined, every small movement of a hacker can be discovered. Because the set number of URLs is adjusted by a dynamic strategy, a normal user's mistaken operation will not be identified as hacker behavior.
The benefit that the above technical solution brings to the station side by recognizing hacker behavior is obvious: it helps later forensics and tracing to the source according to the hacker behavior, and it provides an accumulation of resources for the station side's further situation awareness.
It should be understood that the particular order or hierarchy of steps in the disclosed processes is an example of an illustrative method. Depending on design preference, the particular order or hierarchy of steps in a process may be rearranged without departing from the scope of protection of the disclosure. The appended method claims present the elements of the various steps in an exemplary order and are not limited to the particular order or hierarchy described.
In the detailed description above, various features are grouped together in a single embodiment to simplify the disclosure. This method of disclosure should not be interpreted as reflecting an intention that the claimed subject matter requires more features than are expressly recited in each claim. Rather, as the appended claims reflect, the invention lies in fewer than all features of a single disclosed embodiment. The appended claims are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments without departing from the spirit and scope of the disclosure. The disclosure is therefore not limited to the embodiments set forth herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed in this application.
The description above includes examples of one or more embodiments. Of course, it is impossible to describe every conceivable combination of components or methods when describing the above embodiments, but one of ordinary skill in the art will appreciate that the embodiments can be further combined and permuted. The embodiments described herein are therefore intended to embrace all such alterations, modifications and variations that fall within the scope of protection of the appended claims. Furthermore, the term "comprising" as used in the specification or claims is inclusive in a manner similar to the term "including", as "including" is interpreted when used as a transitional word in the claims. In addition, any use of the term "or" in the specification or claims denotes a "non-exclusive or".
Those skilled in the art will also appreciate that the various illustrative logical blocks, units and steps listed in the embodiments of the invention can be implemented by electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the various illustrative components, units and steps above have been described generally in terms of their function. Whether such function is implemented by hardware or software depends on the particular application and the design requirements of the whole system. Those skilled in the art may use different methods to implement the described function for each particular application, but such an implementation should not be understood as going beyond the scope of protection of the embodiments of the invention.
The various illustrative logical blocks or units described in the embodiments of the invention may implement or perform the described functions by means of a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above. The general-purpose processor may be a microprocessor; alternatively, it may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other such configuration.
The steps of the method or algorithm described in the embodiments of the invention may be embedded directly in hardware, in a software module executed by a processor, or in a combination of both. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, the storage medium may be coupled to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a user terminal. Alternatively, the processor and the storage medium may reside in different components of the user terminal.
In one or more exemplary designs, the functions described in the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, these functions may be stored on, or transmitted as one or more instructions or code on, a computer-readable medium. Computer-readable media include computer storage media and communication media that facilitate the transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer. For example, such computer-readable media may include, without limitation, RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures and that can be read by a general-purpose or special-purpose computer or processor. In addition, any connection may properly be termed a computer-readable medium; for example, if the software is transmitted from a website, server or other remote source over a coaxial cable, fiber-optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, these are also included in the definition of computer-readable medium. Disk and disc, as used here, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc; disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within computer-readable media.
The embodiments above describe the purpose, technical solution and beneficial effects of the invention in further detail. It should be understood that the foregoing is merely an embodiment of the invention and is not intended to limit the scope of protection of the invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A method for recognizing hacker behavior, characterized in that the method comprises:
establishing a rule base that collects the test payloads (payload data) used by hackers;
matching each uniform resource locator (URL) to be identified against all payloads in the rule base, and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, wherein the URLs to be identified are extracted from user request logs;
matching all URLs corresponding to a user who exhibits suspected hacker behavior within a stipulated time period against all payloads in the rule base, and judging whether that user exhibits hacker behavior.
2. The method for recognizing hacker behavior according to claim 1, characterized in that, before matching each URL to be identified against all payloads in the rule base, the method further comprises:
collecting all user request logs pushed by the site side;
screening each URL extracted from all user request logs according to a default screening rule;
de-duplicating the screened URLs to obtain the URLs to be identified.
3. The method for recognizing hacker behavior according to claim 2, characterized in that matching each URL to be identified against all payloads in the rule base and judging whether the user corresponding to the current URL exhibits suspected hacker behavior, the URLs to be identified being extracted from user request logs, specifically comprises:
matching each screened and de-duplicated URL to be identified against all payloads in the rule base in turn;
if the current URL contains at least one payload from the rule base, judging that the user corresponding to the current URL exhibits suspected hacker behavior.
4. The method for recognizing hacker behavior according to any one of claims 1 to 3, characterized in that matching all URLs corresponding to the user with suspected hacker behavior within the stipulated time period against all payloads in the rule base and judging whether that user exhibits hacker behavior specifically comprises:
collecting, from the user request logs, all URLs initiated within the stipulated time period by the user with suspected hacker behavior;
matching all URLs within the stipulated time period against all payloads in the rule base in turn;
if no fewer than a set number of those URLs contain at least one payload from the rule base, judging that the user exhibits hacker behavior.
5. The method for recognizing hacker behavior according to claim 4, characterized in that, after judging that the user exhibits hacker behavior, the method further comprises:
classifying the hacker behavior according to the corresponding payload;
storing the classified hacker behavior in a database;
manually confirming the stored classified hacker behavior.
6. A system for recognizing hacker behavior, characterized in that the system comprises:
a rule base unit, configured to establish a rule base that collects the test payloads (payload data) used by hackers;
a suspicion judging unit, configured to match each uniform resource locator (URL) to be identified against all payloads in the rule base and to judge whether the user corresponding to the current URL exhibits suspected hacker behavior, wherein the URLs to be identified are extracted from user request logs;
a behavior judging unit, configured to match all URLs corresponding to a user with suspected hacker behavior within a stipulated time period against all payloads in the rule base, and to judge whether that user exhibits hacker behavior.
7. The system for recognizing hacker behavior according to claim 6, characterized in that the system further comprises:
a collection unit, configured to collect all user request logs pushed by the site side;
a screening unit, configured to screen each URL extracted from all user request logs according to a default screening rule;
a de-duplication unit, configured to de-duplicate the screened URLs to obtain the URLs to be identified.
8. The system for recognizing hacker behavior according to claim 7, characterized in that the suspicion judging unit comprises:
a first matching module, configured to match each screened and de-duplicated URL to be identified against all payloads in the rule base in turn;
a first determination module, configured to judge that the user corresponding to the current URL exhibits suspected hacker behavior if the current URL contains at least one payload from the rule base.
9. The system for recognizing hacker behavior according to any one of claims 6 to 8, characterized in that the behavior judging unit comprises:
a collection module, configured to collect, from the user request logs, all URLs initiated within the stipulated time period by the user with suspected hacker behavior;
a second matching module, configured to match all URLs within the stipulated time period against all payloads in the rule base in turn;
a second determination module, configured to judge that the user exhibits hacker behavior if no fewer than a set number of those URLs contain at least one payload from the rule base.
10. The system for recognizing hacker behavior according to claim 9, characterized in that the system further comprises:
a classification unit, configured to classify the hacker behavior according to the corresponding payload;
a storage unit, configured to store the classified hacker behavior in a database;
a review unit, configured to manually confirm the stored classified hacker behavior.
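The following Python module is an added example, not code from the patent or from the applicant. It implements the two-stage procedure of claims 1 to 5 (and the matching units of claims 6 to 10) over a constructed request log: a payload rule base, screening and de-duplication, a per-URL first pass that marks suspects, and a per-user second pass over a time window with a hit threshold, followed by classification by payload category. The rule-base patterns, the log format, the static-asset screening rule, the ten-minute window and the threshold of three matching requests are all assumptions; the patent specifies none of them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Rule base (claim 1): category -> regex over the percent-decoded URL. These are
# assumed, illustrative patterns; the patent does not publish its payload list.
RULE_BASE = {
    "sqli":      re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|\bsleep\(\d+\)", re.I),
    "xss":       re.compile(r"<script\b|\bonerror\s*=|javascript:", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
    "cmdi":      re.compile(r";\s*(cat|wget|curl|id)\b|\$\(|`", re.I),
}
# Default screening rule (claim 2; assumed): static assets cannot carry a server-side injection.
STATIC_RE = re.compile(r"\.(css|js|png|jpg|gif|ico|woff2?)(\?|$)", re.I)
# Constructed request-log format (assumed): "<iso-timestamp> <user> <method> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) (\S+)$")

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2017-06-30T10:00:01 alice GET /search?q=shoes
2017-06-30T10:00:03 mallory GET /item?id=1'%20OR%20'1'='1
2017-06-30T10:00:05 mallory GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users
2017-06-30T10:00:07 mallory GET /static/app.js?v=<script>alert(1)</script>
2017-06-30T10:00:09 mallory GET /download?f=../../../../etc/passwd
2017-06-30T10:01:00 bob GET /profile?name=<script>alert(1)</script>
2017-06-30T10:30:00 bob GET /search?q=<script>alert(1)</script>
2017-06-30T10:59:00 carol GET /search?q=union%20station%20select%20seats
""".splitlines()

def parse_logs(lines):
    """Yield {ts, user, url} for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m.group(1)), "user": m.group(2), "url": m.group(3)}

def match_payloads(url):
    """Claims 1/3: rule-base categories found in the URL, decoded twice to catch %25-encoding."""
    decoded = unquote(unquote(url))
    return [cat for cat, rx in RULE_BASE.items() if rx.search(decoded)]

def urls_to_identify(records):
    """Claim 2: screen, then de-duplicate; map each surviving URL to the users who sent it."""
    users_by_url = defaultdict(set)
    for rec in records:
        if not STATIC_RE.search(rec["url"]):
            users_by_url[rec["url"]].add(rec["user"])
    return users_by_url

def suspected_users(records):
    """Claim 3: one matching URL is enough to mark its requesters as suspected."""
    suspects = set()
    for url, users in urls_to_identify(records).items():
        if match_payloads(url):
            suspects |= users
    return suspects

def confirm_hackers(records, window=timedelta(minutes=10), min_hits=3):
    """Claims 4/5: re-match every request a suspect sent inside a sliding window (no
    screening or de-duplication here, since claim 4 says 'all URLs'). At least min_hits
    matching requests in one window -> hacker; the verdict is classified by payload
    category and queued for manual confirmation."""
    suspects = suspected_users(records)
    by_user = defaultdict(list)
    for rec in records:
        if rec["user"] in suspects:
            by_user[rec["user"]].append(rec)
    verdicts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best_hits, best_cats = 0, {}
        for i, start in enumerate(recs):
            hits, cats = 0, defaultdict(set)
            for rec in recs[i:]:
                if rec["ts"] - start["ts"] > window:
                    break
                matched = match_payloads(rec["url"])
                if matched:
                    hits += 1
                    for cat in matched:
                        cats[cat].add(rec["url"])
            if hits > best_hits:
                best_hits, best_cats = hits, cats
        if best_hits >= min_hits:
            verdicts[user] = {"matched_requests": best_hits,
                              "categories": {c: sorted(u) for c, u in best_cats.items()},
                              "status": "pending_manual_review"}  # claim 5: stored, then analyst-confirmed
    return verdicts

def run_sample():
    """Run both stages over SAMPLE_LOG and return (suspects, verdicts)."""
    records = list(parse_logs(SAMPLE_LOG))
    return suspected_users(records), confirm_hackers(records)

if __name__ == "__main__":
    print(run_sample())
```

On the sample log, stage one marks mallory, bob and carol as suspects and stage two confirms only mallory: carol's innocent query "union station select seats" trips the SQL-injection pattern, but a single hit inside the window never reaches the threshold, which is exactly the false-positive reduction the second stage exists for; bob's two XSS probes fall in different windows and also stay below it. Two practitioner caveats: matching on the URL only sees GET parameters and the path, so POST bodies, headers and cookies are invisible to this detector, and the per-request double decode is there because a single `unquote` would miss a `%2527`-style encoded quote.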
CN201710520184.8A 2017-06-30 2017-06-30 Recognize the method and system of hacker's behavior Pending CN107181758A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710520184.8A CN107181758A (en) 2017-06-30 2017-06-30 Recognize the method and system of hacker's behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710520184.8A CN107181758A (en) 2017-06-30 2017-06-30 Recognize the method and system of hacker's behavior

Publications (1)

Publication Number Publication Date
CN107181758A true CN107181758A (en) 2017-09-19

Family

ID=59845565

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710520184.8A Pending CN107181758A (en) 2017-06-30 2017-06-30 Recognize the method and system of hacker's behavior

Country Status (1)

Country Link
CN (1) CN107181758A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102316099A (en) * 2011-07-28 2012-01-11 中国科学院计算机网络信息中心 Network fishing detection method and apparatus thereof
CN102801697A (en) * 2011-12-20 2012-11-28 北京安天电子设备有限公司 Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator)
CN103338211A (en) * 2013-07-19 2013-10-02 腾讯科技(深圳)有限公司 Malicious URL (unified resource locator) authenticating method and device
CN103581909A (en) * 2012-07-31 2014-02-12 华为技术有限公司 Suspected mobile phone malicious software positioning method and device
CN103843003A (en) * 2011-07-08 2014-06-04 Uab研究基金会 Syntactical fingerprinting
CN103905421A (en) * 2013-12-17 2014-07-02 哈尔滨安天科技股份有限公司 Suspicious event detection method and system based on URL heterogeneity
CN104144142A (en) * 2013-05-07 2014-11-12 阿里巴巴集团控股有限公司 Web vulnerability discovery method and system
CN106131071A (en) * 2016-08-26 2016-11-16 北京奇虎科技有限公司 A kind of Web method for detecting abnormality and device
CN106230775A (en) * 2016-07-13 2016-12-14 杭州华三通信技术有限公司 Prevent from attacking method and the device of URL rule base
CN106254368A (en) * 2016-08-24 2016-12-21 杭州迪普科技有限公司 The detection method of Web vulnerability scanning and device
CN106302534A (en) * 2016-09-30 2017-01-04 微梦创科网络科技(中国)有限公司 A kind of detection and the method and system of process disabled user
CN106528805A (en) * 2016-11-15 2017-03-22 广东华仝九方科技有限公司 Mobile internet baleful program URL intelligent analyzing and mining method based on users

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111488577A (en) * 2019-01-29 2020-08-04 北京金睛云华科技有限公司 Vulnerability exploiting method and device based on artificial intelligence
CN111488577B (en) * 2019-01-29 2023-05-26 北京金睛云华科技有限公司 Model building method and risk assessment method and device based on artificial intelligence

Similar Documents

Publication Publication Date Title
CN111092852B (en) Network security monitoring method, device, equipment and storage medium based on big data
CN105933163B (en) The real-time distributed debugging tracking of one kind and system
US10721245B2 (en) Method and device for automatically verifying security event
CN103379099B (en) Hostile attack identification method and system
US20180075240A1 (en) Method and device for detecting a suspicious process by analyzing data flow characteristics of a computing device
US11729183B2 (en) System and method for providing secure in-vehicle network
CN106302534B (en) A kind of method and system of detection and processing illegal user
CN103428196A (en) URL white list-based WEB application intrusion detecting method and apparatus
US20170244733A1 (en) Intrusion detection using efficient system dependency analysis
CN111064745A (en) Self-adaptive back-climbing method and system based on abnormal behavior detection
CN101388794B (en) Method and system for positioning network management system exception affair
CN105812200A (en) Abnormal behavior detection method and device
CN109561097B (en) Method, device, equipment and storage medium for detecting security vulnerability injection of structured query language
US20170149800A1 (en) System and method for information security management based on application level log analysis
CN112953971A (en) Network security traffic intrusion detection method and system
CN107888604A (en) A kind of internet data acquisition methods and acquisition device
CN109428857A (en) A kind of detection method and device of malice detection behavior
CN102891861A (en) Client-based phishing website detecting method and device
CN104486320A (en) Intranet sensitive information disclosure evidence collection system and method based on honeynet technology
CN111526109B (en) Method and device for automatically detecting running state of web threat recognition defense system
CN108040036A (en) A kind of industry cloud Webshell safety protecting methods
CN107181758A (en) Recognize the method and system of hacker's behavior
CN111126729A (en) Intelligent safety event closed-loop disposal system and method thereof
CN111611590B (en) Method and device for data security related to application program
CN104104666B (en) Method of detecting abnormal cloud service and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170919