CN107332811A - The methods, devices and systems of intrusion detection - Google Patents

The methods, devices and systems of intrusion detection

Info

Publication number
CN107332811A
Authority
CN
China
Prior art keywords
behavior
intrusion
level
end client
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610285472.5A
Other languages
Chinese (zh)
Inventor
李可弈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201610285472.5A
Publication of CN107332811A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, device and system for intrusion detection. The method includes: acquiring the interactive behavior of a front-end client; detecting whether the interactive behavior is an attack on a network application; and, when the interactive behavior is determined to be an attack on the network application, triggering the front-end client to monitor the behavior occurring locally. The invention solves the technical problem of poor timeliness in monitoring client behavior that results from the prior art performing intrusion detection at the back end by means such as back-end detection or log data analysis.

Description

Method, device and system for intrusion detection
Technical Field
The present invention relates to the field of data processing, and in particular, to a method, an apparatus, and a system for intrusion detection.
Background
Due to the continuous development of Web 2.0 technology and the continuous evolution of cloud computing service capabilities, more and more applications and services are presented to the client in the B/S (Browser/Server) form. Hackers' intrusion methods also increasingly favor attacks that use the Web as the point of entry. Conventional intrusion detection systems are biased towards detecting patterns in their own applications and matching security policies.
Currently, intrusion analysis methods commonly used in the industry are based on back-end detection or data-driven analysis of intrusion traces, and it is necessary to extract and analyze potential intrusion features from a large amount of log data, which belongs to "after-the-fact" behavior. Conventional intrusion detection systems are classified into the following:
1. Integrity analysis: monitoring whether a certain file or object has been changed, for example the attributes of a file or directory or the MD5 value of a file; if a preset file or object is found to have changed, it is assumed that an intruder has illegally altered it, and an alarm is raised.
2. Pattern matching: collecting network information such as the Uniform Resource Locator (URL) and the parameters of a user's request and matching it against security policies to detect whether aggressive behavior exists; if a security policy matches, an alarm mechanism is triggered to notify the administrator of the suspected intrusion.
3. Statistical analysis: collecting operation log records and behavior records and using big-data computation to analyze which operations may be aggressive; aggressive behavior mostly shows up as a large number of requests, a high request rate and the like. Abnormal traffic interactions can be analyzed mathematically to pick out offensive operation records from a large number of operation log records.
Present intrusion detection systems mostly achieve intrusion detection by examining their own application, monitoring network transmission data or monitoring the integrity of the system, and tracing an intrusion mainly means locating the intruder's attack path and IP address through log analysis. However, this kind of analysis is too passive and its timeliness is poor: the attacker's intrusion behavior cannot be discovered actively and at the first moment, and there is no means of monitoring the intruder in real time.
No effective solution has yet been proposed for the problem that the timeliness of monitoring client behavior is poor because the prior art performs intrusion detection at the back end using analysis means such as back-end detection or log data analysis.
Disclosure of Invention
The embodiment of the invention provides an intrusion detection method, device and system, which at least solve the technical problem of poor timeliness of behaviors of a monitoring client caused by adopting analysis means such as back-end detection or log data analysis for carrying out intrusion detection at the back end in the prior art.
According to an aspect of an embodiment of the present invention, there is provided an intrusion detection method, including: acquiring an interactive behavior of a front-end client; detecting whether the interaction behavior is an attack behavior attacking the network application; and in the case that the interactive behavior is determined to be the attack behavior of the attack network application, triggering the front-end client to monitor the behavior occurring in the local area.
According to another aspect of the embodiments of the present invention, there is also provided an intrusion detection apparatus, including: the first acquisition module is used for acquiring the interactive behavior of the front-end client; the detection module is used for detecting whether the interaction behavior is an attack behavior attacking the network application; and the monitoring module is used for triggering the front-end client to monitor the local behavior under the condition that the interactive behavior is determined to be the attack behavior of attacking the network application.
According to another aspect of the embodiments of the present invention, there is also provided an intrusion detection system, including: the front-end client is used for sending the interactive behavior; the intermediate device has a communication relation with the front-end client and is used for detecting whether the interactive behavior is the attack behavior of attacking the network application or not and triggering the front-end client to monitor the behavior occurring in the local area under the condition that the interactive behavior is determined to be the attack behavior of attacking the network application.
According to another aspect of the embodiments of the present invention, there is also provided an intrusion detection method, including: the front-end client detects whether the locally-generated interaction behavior is an attack behavior for attacking the network application; in the event that the interactive behavior is determined to be an attack behavior that attacks the web application, the front-end client monitors the behavior occurring locally.
Therefore, the technical scheme provided by the invention is as follows: acquiring an interactive behavior of a front-end client; detecting whether the interactive behavior is an attack behavior attacking the network application; and, when the interactive behavior is determined to be an attack behavior attacking the network application, triggering the front-end client to monitor the behavior occurring locally. This provides a scheme for discovering intrusion behavior by means of front-end technology, whereas the intrusion analysis means commonly used in the industry are based on back-end detection or data-driven analysis of intrusion traces, generally require possible intrusion characteristics to be extracted and analyzed from a large amount of log data, and are therefore "after-the-fact" behavior. By detecting the interactive behavior of the front-end client, the method monitors that behavior in real time, and as soon as an issued interactive behavior turns out to be intrusive, the intrusive behavior is tracked and monitored. The properties of the front end are fully utilized, the intrusive behavior can be found at the first moment, and the attacker can be accurately located, thereby solving the technical problem that the timeliness of monitoring client behavior is poor because the prior art performs intrusion detection at the back end using analysis means such as back-end detection or log data analysis.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a computer terminal of a method of intrusion detection according to an embodiment of the present invention;
fig. 2 is a flowchart of a method of intrusion detection according to embodiment 1 of the present invention;
fig. 3 is a schematic diagram of an alternative intrusion detection method according to embodiment 1 of the present invention;
fig. 4 is an information interaction diagram of an alternative intrusion detection method according to embodiment 1 of the present invention;
fig. 5 is a schematic structural diagram of an intrusion detection system according to embodiment 2 of the present invention;
fig. 6 is a schematic structural diagram of an alternative intrusion detection system according to embodiment 2 of the present invention;
fig. 7 is a schematic diagram of an intrusion detection apparatus according to embodiment 3 of the present invention;
fig. 8 is a schematic diagram of an alternative intrusion detection apparatus according to embodiment 3 of the present invention;
fig. 9 is a schematic diagram of an alternative intrusion detection apparatus according to embodiment 3 of the present invention;
fig. 10 is a schematic diagram of an alternative intrusion detection apparatus according to embodiment 3 of the present invention;
fig. 11 is a schematic diagram of an alternative intrusion detection apparatus according to embodiment 3 of the present invention;
fig. 12 is a schematic diagram of an alternative intrusion detection apparatus according to embodiment 3 of the present invention;
fig. 13 is a flowchart of another intrusion detection method according to embodiment 4 of the present invention; and
fig. 14 is a block diagram of a computer terminal according to embodiment 5 of the present application.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms or terms appearing in the description of the embodiments of the present application are applicable to the following explanations:
WAF: Web Application Firewall, a website-application-level intrusion prevention system used to protect Web applications by enforcing a series of security policies for HTTP/HTTPS.
Intrusion detection system: a network security device that monitors network transmissions in real time and raises an alarm or takes active countermeasures when it finds suspicious transmissions. For example: a WAF system (Web Application Firewall, website-application-level intrusion prevention system) deployed at the gateway or switch layer.
HOOK: a message-processing mechanism by which an application can monitor a certain message in a specified window or function; when the message arrives, the system notifies the window or function and the program can respond at the first moment.
Javascript: an interpreted scripting language with built-in types, used to add dynamic functionality to HTML web pages.
webRTC: Web Real-Time Communication, a technology that enables Web browsers to carry out real-time voice or video conversations.
Interactive behavior: for example, the user clicks a certain control or a certain web page link in a front-end web page using a mouse. If the click lands in a blank area of the front-end web page and no access request is generated, the action is not an interactive behavior of the front-end client; if the click succeeds and an access request is generated, the click may be considered an interactive behavior of the front-end client.
Attack behavior of attacking network applications: attacks on the network application and data in the system thereof are performed by utilizing the vulnerabilities or security defects existing in the network, for example, data in the network application is tampered or forged, and the performance of the network application is reduced.
Example 1
There is also provided, in accordance with an embodiment of the present invention, a method embodiment of a method for intrusion detection, it being noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than presented herein.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the example of the present invention running on a computer terminal, fig. 1 is a block diagram of a hardware structure of a computer terminal of a method for intrusion detection according to an embodiment of the present invention. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store software programs and modules of application software, such as program instructions/modules corresponding to the intrusion detection method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 104, so as to implement the above-mentioned intrusion detection method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
Under the operating environment, the application provides a method for intrusion detection as shown in fig. 2. Fig. 2 is a flowchart of a method of intrusion detection according to embodiment 1 of the present invention.
Step S21, acquiring the interactive behavior of the front-end client.
In the foregoing step, the interactive behavior may be a behavior in which the user clicks on a website of the front end currently to generate an access request, for example, the user clicks on a certain control or a certain web page link in a front end web page using a mouse, if the clicking behavior occurs in a blank area of the front end web page and an access request is not generated, the behavior is not an interactive behavior of the front end client, and if the clicking behavior is successful and an access request is generated, the clicking behavior may be considered as an interactive behavior of the front end client.
Step S23, detecting whether the interaction behavior is an attack behavior that attacks the network application.
In the above steps, the attack behavior for attacking the network application may be an attack on the network application and data in the system thereof by using a bug or security flaw existing in the network, for example, tampering or forging the data in the network application, reducing the performance of the network application, and the like.
In an alternative, the method and the device can detect the interaction behavior of the current front-end client through an intrusion detection system deployed in a front-end application layer. The intrusion detection system may be a WAF system (Web Application Firewall, website Application level intrusion prevention system) deployed in a gateway or switch layer, and the front end may refer to a foreground portion of a website in a network Application, and mainly includes a presentation layer and a structure of the website.
Specifically, in an optional example shown in fig. 3, when an attacker attempts to attack a website application of a front-end client, the preset security policy in the WAF system deployed on the upper layer of the B/S front-end application may be used to match an interactive behavior generated by the current front-end client, so as to detect whether the interactive behavior is an attack behavior.
Step S25, in case the interactive behavior is determined to be an attack behavior attacking the network application, triggering the front-end client to monitor the behavior occurring locally. In the above step, the manner of confirming that the interactive behavior is an attack behavior may vary and is not specifically limited here. In the alternative scheme in which an intrusion detection system detects the interactive behavior of the current front-end client, the intrusion detection system may trigger monitoring of the front-end client that initiated the attack behavior by passing the attack behavior through to the front-end client.
It should be noted here that the behavior monitored by the front-end client is not limited to the contents of intrusion behavior, but also includes daily operation behaviors of the front-end client, such as operation records of I/O devices such as a keyboard and a mouse, operation records of application software of the front-end client by a user, and records of network traffic.
It should be further noted that, when the intrusion detection system determines that the current interactive behavior is an attack behavior attacking a network application, the intrusion detection system transparently transmits the data of the attack behavior. Transparent transmission means that the attack behavior is passed directly to a preset target (for example, the behavior analysis monitoring system shown in fig. 3) without any processing along the way. Devices usable for transparent transmission further include a transparent transmission gateway and wireless pass-through modules (a GPRS pass-through module, a ZigBee pass-through module) and the like.
Therefore, after determining that the current front-end client has the attack behavior, the front-end client is determined to be a high-risk attack source, and then the monitoring of the subsequent network interaction, equipment operation and other behaviors of the front-end client is started, for example, the subsequent intrusion behavior initiated by the front-end client is monitored, so that the scheme of monitoring the behavior of the front-end client in real time is realized, the follow-up log analysis and the like are not required to be waited for to determine the attack behavior, and the efficiency of monitoring the behavior of the front-end client is improved.
In addition, after the transparent transmission of the attack behavior, the monitoring content for monitoring the intrusion behavior of the front-end client may include: intrusion time of the intrusion behavior, intrusion destination, intrusion source and the like.
Fig. 3 is a schematic diagram of an optional intrusion detection method according to embodiment 1 of the present application. With reference to the example shown in fig. 3, the above scheme may use an intrusion detection system to detect the interactive behavior of a front-end client and determine whether the currently acquired interactive behavior is offensive. If the current interactive behavior is offensive, the offensive behavior is transparently transmitted to obtain the corresponding monitoring module, and that monitoring module is loaded into the front-end client so that the front-end client monitors locally occurring behavior, including intrusion behavior. If the interactive behavior is normal, a normal interaction response is returned to the front-end client.
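The monitoring module that step S25 loads into a flagged front-end client, as an added example that is not the patent's own code. It uses the HOOK idea from the term list: a function is wrapped so that every call is recorded (time, destination, source, as listed above) before the original runs. It runs under Node without a browser, so the client object and the network, keyboard and mouse functions it hooks are constructed stand-ins for `fetch`, keydown and click handlers; the class and function names are this example's own.

```javascript
// Added example, not from the patent: a behaviour-monitoring module attached to a
// front-end client once it has been flagged as an attack source (step S25).

// One record per observed event: when it happened, where it was aimed, who did it.
function makeRecord(clientId, kind, destination, detail, timeMs) {
  return { timeMs, source: clientId, kind, destination, detail };
}

class BehaviorMonitor {
  constructor(clientId, clock) {
    this.clientId = clientId;
    this.clock = clock;      // returns ms; injected so runs are deterministic
    this.records = [];
    this.restorers = [];     // undo functions for installed hooks
  }

  // HOOK: replace target[method] with a wrapper that records the call, then delegates.
  hook(target, method, kind, describe) {
    const original = target[method];
    const monitor = this;
    target[method] = function (...args) {
      const { destination, detail } = describe(...args);
      monitor.records.push(makeRecord(monitor.clientId, kind, destination, detail, monitor.clock()));
      return original.apply(this, args);
    };
    this.restorers.push(() => { target[method] = original; });
  }

  // Remove all hooks, e.g. when monitoring of this client is lifted.
  unhookAll() {
    while (this.restorers.length) this.restorers.pop()();
  }

  // What an analyst looks at: event counts by kind and the destinations touched.
  summary() {
    const byKind = {};
    const destinations = new Set();
    for (const r of this.records) {
      byKind[r.kind] = (byKind[r.kind] || 0) + 1;
      destinations.add(r.destination);
    }
    return { total: this.records.length, byKind, destinations: [...destinations].sort() };
  }
}

// Constructed stand-in for a front-end client (assumption: these three functions
// play the role of fetch/XHR, a keydown handler and a click handler).
function makeFakeClient() {
  return {
    request(url, body) { return { url, status: 200 }; },
    onKey(key) { return key; },
    onClick(selector) { return selector; },
  };
}

// Step S25 from the monitoring system's side: hook network, keyboard and mouse activity.
function startMonitoring(client, clientId, clock) {
  const m = new BehaviorMonitor(clientId, clock);
  m.hook(client, 'request', 'network', (url, body) => ({ destination: url, detail: body ? String(body).length : 0 }));
  m.hook(client, 'onKey', 'keyboard', key => ({ destination: 'local', detail: key }));
  m.hook(client, 'onClick', 'mouse', sel => ({ destination: sel, detail: null }));
  return m;
}

// Deterministic run over constructed activity; returns the monitor for inspection.
function demo() {
  let t = 1000;
  const clock = () => (t += 10);
  const client = makeFakeClient();
  const monitor = startMonitoring(client, 'client-7', clock);
  client.onClick('#login');
  client.onKey('Enter');
  client.request('/api/login', 'user=alice');
  client.request('/api/admin/export', null);
  monitor.unhookAll();
  client.request('/api/after', null);   // not recorded: hooks already removed
  return monitor;
}
```

The records are kept client-side only until the monitoring system collects them; in a real deployment the module would batch them to the back end over the same transparent-transmission path the description mentions, and `unhookAll` restores the original functions so monitoring leaves no permanent change in the client.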
It should be noted that, in the above embodiment, when it is determined that the interactive behavior is an attack behavior of attacking a network application, the front-end client is monitored, and after a behavior monitoring result of the front-end client is obtained, an intrusion behavior may be determined according to the monitoring result, so as to locate an attacker who performs the intrusion behavior, and also perform defense against the intrusion behavior, or a new defense rule of the intrusion behavior is obtained by learning the intrusion behavior. In the intrusion detection method provided by the application, the intrusion detection system detects the interactive behavior and monitors the interactive behavior under the condition that the interactive behavior is confirmed to be the attack behavior.
It should be further noted that, in the method provided by the foregoing embodiment of the present application, the interactive behavior is detected while the front-end client performs the interactive behavior, and once the interactive behavior is found to be an attack behavior generated by the front-end client, the front-end client that has performed the attack behavior is immediately monitored, so that the technical effects of discovering the intrusion behavior in real time and analyzing the intrusion behavior in real time are achieved, and a delay caused by analyzing the intrusion behavior at the back end in the prior art is avoided.
Therefore, the present application provides a method for discovering intrusion behavior means by using front-end technology, and intrusion analysis means commonly used in the industry are all based on back-end detection or data-driven analysis of intrusion traces, and usually need to extract and analyze possible potential intrusion features from a large amount of log data, and belong to "after the fact" behavior. According to the method, the technical effect of monitoring the interactive behavior of the front-end client in real time is achieved by detecting the interactive behavior of the front-end client, the technical effect of tracking and monitoring the invasive behavior is achieved once the issued interactive behavior is the invasive behavior, the attribute of the front end is fully utilized, the invasive behavior can be found in the first time, and an attacker can be accurately positioned, so that the technical problem that the timeliness of monitoring the behavior of the client is poor due to the fact that the analysis means of carrying out intrusion detection at the rear end such as rear-end detection or log data analysis and the like are adopted in the prior art is solved.
Therefore, the scheme of the embodiment 1 provided by the application solves the technical problem that the behavior timeliness of the monitoring client is poor due to the fact that the prior art adopts an analysis means of intrusion detection at the back end, such as back end detection or log data analysis.
In the above embodiment of the present application, the above scheme for detecting the interaction behavior of the current front-end client by using the intrusion detection system deployed in the front-end application layer may be implemented by the following steps:
step S211, reading the pre-configured security policy information, where the security policy information includes: information for determining whether the interaction behavior is offensive.
Step S213, determining whether the requested content corresponding to the interactive behavior is offensive according to the security policy information.
In the above steps, offensive request content may be modification, plagiarism and the like of network user data, and it is carried in the request content of the front-end client's interactive behavior. In an optional embodiment, the front-end client forges a normal request that uploads forged user form data to the current web page; after the web page accepts the forged form data, the front-end client may steal or modify the data of other users of the web page.
Judging whether the request content corresponding to the interactive behavior is aggressive or not may be matching the request content in the interactive behavior with information included in the security policy information for determining whether the interactive behavior is aggressive or not, and if the matching is successful, the request content of the interactive behavior may be considered to be aggressive, otherwise, the request content of the interactive behavior may not be aggressive.
Step S215, determining that the interactive behavior is an aggressive behavior when the requested content corresponding to the interactive behavior is aggressive.
Step S217, determining that the interactive behavior is a security behavior under the condition that the request content corresponding to the interactive behavior is not aggressive, and obtaining response information returned to the front-end client according to the request content.
In an optional embodiment, the security policy information may include a preset threshold of a request frequency, and when an access frequency of the interactive behavior to the front-end client is greater than the request frequency included in the security policy information, the interactive behavior may be considered to be aggressive, otherwise, the interactive behavior may be considered to be a security behavior.
It should be noted here that the security policy information may be multidimensional information, and is not limited to the request frequency, and may also be a security policy model obtained by learning a large number of secure interactive behaviors and a large number of offensive interactive behaviors, so that the type of the interactive behaviors can be determined more accurately.
Combined with the example shown in fig. 3, after judging whether the interactive behavior is aggressive, a result indicating whether it is an intrusive behavior is obtained: if the interactive behavior is aggressive, it is confirmed to be an intrusive behavior; otherwise, it is confirmed to be a security behavior. When the interactive behavior is confirmed to be a safe behavior, its access request can be passed on to the web server, and the web server returns the normal interaction response to the front-end client.
It is easy to note that, in the foregoing steps of the present application, the interactive behavior of the front-end client is determined through the preconfigured security policy information, so as to determine whether the interactive information of the front-end client is intrusion behavior information, thereby achieving a technical effect of determining the interactive behavior of the front-end client.
In the above embodiment of the present application, before the step S25 is executed to trigger the front-end client to monitor the behavior occurring locally, the following steps may also be executed:
step S231, obtaining an intrusion level corresponding to the attack behavior.
In the above step, the intrusion level may be obtained from multidimensional data; for example, it may be determined according to the number of intrusions, or according to the access traffic of the interactive behavior. Whatever data or method is used to obtain the intrusion level in the above step, the data can be processed quickly, so that the intrusion level of the attack behavior can be determined from a large amount of multidimensional data in a short time.
It should be noted here that the intrusion level analysis may be performed by an intrusion level analysis server. As an optional scheme, after the WAF forwards the traffic data to the intrusion level analysis server at the back end, the intrusion level analysis server determines the threat level of the attack by splitting the traffic data of the attacker and by judging the importance degree of the website application, the number of times of the attack attempted by the attacker and the vulnerability risk degree, and notifies the intrusion behavior monitoring system at the front end of the embedded point when the threat level reaches the threshold value.
And step S233, selecting a behavior monitoring module matched with the intrusion level according to the intrusion level corresponding to the attack behavior.
In the above steps, since the attack behaviors have different intrusion levels, in order to achieve the purpose of monitoring the attack behavior corresponding to the different intrusion levels, different behavior monitoring modules need to be matched with the attack behaviors of the different intrusion levels.
And step S235, loading a behavior monitoring module matched with the intrusion level to the front-end client, wherein the monitoring module is used for monitoring and recording the intrusion behavior initiated by the front-end client.
When the interactive behavior is confirmed to be an aggressive behavior, intrusion level analysis is performed on the aggressive behavior by a threat level analysis system. The analysis may consist of judging whether the threat value of the aggressive behavior reaches a preset threshold, and classifying the aggressive behavior according to one or more threat thresholds; the aggressive behavior is then transparently transmitted through the gateway, and finally a behavior monitoring module matched with the intrusion level is loaded to the front-end client, for example by returning to the front-end client an access request response that carries the behavior monitoring module corresponding to that intrusion level.
Taking the embodiment shown in fig. 3 as an example, the intrusion detection system may perform steps S231 to S235. In an optional embodiment where the intrusion detection system is a WAF system, the WAF system mainly detects, through various security policy configurations, whether there is an attack behavior in the interaction behavior of the user. The notification mainly takes the form of rendering the obfuscated code of different monitoring modules to the client front end. The WAF is generally deployed at the layer in front of the web server, such as the switch layer or the gateway layer.
It should be further noted that the core of the behavior analysis monitoring system is mainly implemented by Javascript, and different modules can be dynamically configured and selectively loaded to perform network monitoring on an attacker, and the system mainly comprises a key logger module, an info logger module and a full traffic monitoring module, wherein the key logger module mainly records onkeypress and onkeyDown objects in Javascript built-in objects in detail through a HOOK technology, and sends the key information of the attacker to the big data storage system. The info logger module is mainly used for collecting basic information of the client and sending the basic characteristic information to the big data storage system, so that source tracing analysis of an attacker in the later period is facilitated. The full-flow monitoring module deeply detects the network environment where the attacker is located by using a webRTC technology, tries to replace a DNS server in the network environment of the attacker, and achieves the purpose of full-flow monitoring. The modules are rendered in a browser of a front-end client after obfuscating the Javascript through a specific obfuscation algorithm.
It is worth noting that the behavior analysis monitoring system is realized by using the Javascript language, so that the behavior of an attacker can be recorded in real time in a manner of being closest to the attacker.
In the above embodiment of the present application, in step S231, obtaining the intrusion level corresponding to the attack behavior includes:
step S2311, traffic data corresponding to the attack behavior is acquired.
Step S2313, analyzing traffic data corresponding to the attack behavior to obtain at least any one or more of the following parameters: the importance of the network application, the number of times of initiating an attack, and the vulnerability risk level.
Since the values of the three dimensions have different units and cannot be combined directly, the values of the three dimensions may be normalized.
In an alternative embodiment, the importance degree of the current web application is looked up in preset level distribution data of web-application importance and represented by a value from 0 to 1, where a larger value means a more important application; for example, the importance degree of a government authority's website application is 1, and the importance degree of a video website mainly used for entertainment is 0.5. Alternatively, an enterprise may judge the importance degree of all web applications belonging to itself; for example, the importance degree of the enterprise's bill data is 1, and the importance degree of a product-introduction web application may be 0.7.
The number of times the attack behavior was initiated may be normalized by setting a predetermined attack count whose normalized value is 1 and computing the normalized value of the current attack count relative to that predetermined count; for example, with a predetermined attack count of 10000 and a current attack count of 2479, the normalized value corresponding to the current attack count may be 0.25.
The calculation method of the normalized value of the vulnerability risk degree can be similar to the calculation method of the importance degree of the network application, and the risk degree corresponding to the current vulnerability is searched in the preset vulnerability risk degree to obtain the normalized value of the corresponding vulnerability risk degree.
Step S2315, an intrusion value corresponding to the attack behavior is calculated according to the importance degree of the network application, the number of times of initiating the attack behavior, the vulnerability risk degree, and the corresponding weight value.
In an optional embodiment provided by the invention, these steps may be executed by a threat level analysis system. Based on the data input by the WAF system, the system mainly analyzes, according to specific factors, whether the interactive behavior of an attacker reaches a threshold of the threat level classification; if the interactive behavior of the attacker reaches a certain threat level threshold, intrusion monitoring modules of different degrees are loaded on the page rendered at the attacker's front end. The core of the system is that the data can be processed rapidly and the threat level judged from a large amount of traffic data in a short time, so that monitoring actions can be taken on the attacker in a timely manner.
The technology adopted by the threat level analysis system can be combined with a target system attacked by an attacker and historical attack data to judge the degree of danger carried by the attacker in the attack, and a danger level analysis result is given.
For example, after the importance degree of the current network application, the number of times the attack behavior was initiated, the vulnerability risk degree and the preset corresponding weight values are read, a weighted sum is computed to obtain the intrusion value of the attack behavior.
For example, in one application scenario, the weight values of the importance of the network application, the number of times the attack behavior was initiated, and the vulnerability risk level may be 0.5, 0.3 and 0.2 respectively; then, when the importance of the current network application is 1, the number of times the attack was initiated is 10, and the vulnerability risk is 2, the intrusion value y corresponding to the current attack is calculated as y = 0.5 × 1 + 0.3 × 10 + 0.2 × 2 = 3.4.
Step S2317, comparing the intrusion value with at least one intrusion threshold value, and determining an intrusion level corresponding to the attack behavior, wherein the intrusion level includes: a low level intrusion level, a medium level intrusion level, and a high level intrusion level.
In an alternative embodiment, two intrusion thresholds A and B are preset, where A < B: an attack behavior with intrusion value less than A is of low intrusion level, an intrusion value greater than or equal to A and less than B is of medium intrusion level, and an intrusion value greater than or equal to B is of high intrusion level. In an example based on the above case, the weight values corresponding to the importance of the web application, the number of times the attack behavior was initiated, and the vulnerability risk level are 0.3, 0.3 and 0.4 respectively; the importance of the web application, the number of attack initiations, and the vulnerability risk level are obtained from the traffic data, and for an attack behavior whose normalized values for these three dimensions are 0.7, 0.25 and 0.61 respectively, the intrusion value is W = 0.3 × 0.3 + 0.3 × 0.25 + 0.4 × 0.61 = 0.424. If the two intrusion thresholds are A = 0.3 and B = 0.7, the above attack behavior is considered to be of medium intrusion level.
In the above embodiment of the present application, in step S233, selecting a behavior monitoring module matched with the intrusion level according to the intrusion level corresponding to the attack behavior, includes:
step S2331, inquiring in a behavior analysis monitoring server according to the intrusion level corresponding to the attack behavior to obtain a corresponding behavior monitoring module; wherein,
in step S2333, the behavior monitoring module is empty when the intrusion level is a low level intrusion level.
In step S2335, the behavior monitoring module comprises an intrusion data collecting module under the condition that the intrusion level is a middle-level intrusion level.
Based on the technical scheme provided by the above steps, the behavior monitoring and analyzing system can determine the threat level of the current attack according to the determined intrusion level, and accordingly load and enable behavior recording modules of different modes. For example, the data collecting module is enabled when the threat is of medium level; that is, the Key logger module and the info logger module determined by the behavior monitoring and analyzing system can be used to collect intrusion data. The Key logger module mainly records the keys input by the attacker during the attack through hooks on the onkeypress and onkeyDown objects of the front-end JavaScript, and the info logger module mainly collects basic characteristic information of the attacker, such as IP address, MAC address and user-agent, through JavaScript. The behavior of the attacker can be accurately analyzed through the information acquired by the Key logger module and the info logger module.
In step S2337, when the intrusion level is the high-level intrusion level, the behavior monitoring module includes: an intrusion data collection module and/or a full flow detection module.
In the above steps, the behavior analysis monitoring server may further include a webRTC module to start full traffic monitoring.
In an optional embodiment, when the threat level analysis system finds that an attack behavior belongs to a high-level threat, the front-end client is notified to start a full-traffic monitoring module while attacker data is being collected. The full-traffic monitoring system can capture the intranet IP address of the attacker through the webRTC technology, then tries to detect the router or gateway IP of the attacker, further logs in to the router to replace the attacker's default DNS server, and adopts a full-traffic monitoring mode, so that finally the full-traffic information of the attacker can be stored in the big data storage system; meanwhile, an alarm mechanism can be triggered, which facilitates full analysis of the attacker's behavior.
With reference to the example shown in fig. 3, after the intrusion level of the intrusion behavior is confirmed, the intrusion detection system matches the corresponding behavior monitoring module according to the intrusion level, and when the intrusion level is a low level, the corresponding monitoring module is empty, and when the intrusion level is a medium level, the Key logger module and the info logger module are started to collect intrusion data, and when the intrusion level is a high level, the Key logger module and the info logger module are started, and the webRTC module is started to start full-flow monitoring on the attack behavior.
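The scoring and module-matching procedure of steps S2311 to S2317 and S2331 to S2337, as an added example in Python that is not code from the patent or from the applicant. The weights 0.3/0.3/0.4, the thresholds A = 0.3 and B = 0.7, the predetermined attack count of 10000 and the importance values 1, 0.7 and 0.5 follow the numbers in the text; the lookup-table entries, the clamping of the attack-count ratio to 1, and the neutral default for an unknown application are assumptions.

```python
# Added example (not the patent's own code): intrusion-value scoring and
# behavior-monitoring-module selection following steps S2311-S2317 and
# S2331-S2337. Table entries below are constructed sample values.
from dataclasses import dataclass
from enum import Enum


class IntrusionLevel(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Preset importance of web applications, 0..1, larger = more important.
# Constructed entries; the page gives government = 1, entertainment video = 0.5,
# bill data = 1, product introduction = 0.7.
APP_IMPORTANCE = {
    "gov-portal": 1.0,
    "billing": 1.0,
    "product-intro": 0.7,
    "video-site": 0.5,
}

# Preset vulnerability risk degree, 0..1 (constructed sample entries).
VULN_RISK = {
    "sql-injection": 0.9,
    "xss": 0.61,
    "info-disclosure": 0.3,
}

PREDETERMINED_ATTACK_COUNT = 10000  # attack count whose normalized value is 1


@dataclass(frozen=True)
class Weights:
    """Weights for the three dimensions (values from the page's example)."""
    importance: float = 0.3
    attack_count: float = 0.3
    vuln_risk: float = 0.4


def normalize_importance(app_id: str, default: float = 0.5) -> float:
    """Look up the preset importance; an unknown app gets a neutral default (assumption)."""
    return APP_IMPORTANCE.get(app_id, default)


def normalize_attack_count(count: int, predetermined: int = PREDETERMINED_ATTACK_COUNT) -> float:
    """count / predetermined, clamped to 1 so a flood cannot push the value off the 0..1 scale."""
    if count < 0:
        raise ValueError("attack count must be non-negative")
    return min(1.0, count / predetermined)


def normalize_vuln_risk(vuln_id: str, default: float = 0.0) -> float:
    """Look up the preset risk degree; an unknown vulnerability contributes nothing."""
    return VULN_RISK.get(vuln_id, default)


def intrusion_value(importance: float, attack_count: float, vuln_risk: float,
                    w: Weights = Weights()) -> float:
    """Weighted sum of the three normalized dimensions (step S2315)."""
    for v in (importance, attack_count, vuln_risk):
        if not 0.0 <= v <= 1.0:
            raise ValueError("inputs must be normalized to [0, 1]")
    return w.importance * importance + w.attack_count * attack_count + w.vuln_risk * vuln_risk


def classify(value: float, a: float = 0.3, b: float = 0.7) -> IntrusionLevel:
    """Compare the intrusion value against thresholds A < B (step S2317)."""
    if not a < b:
        raise ValueError("thresholds must satisfy A < B")
    if value < a:
        return IntrusionLevel.LOW
    if value < b:
        return IntrusionLevel.MEDIUM
    return IntrusionLevel.HIGH


# Behavior monitoring modules matched to each level (steps S2333-S2337):
# low -> empty, medium -> data collection, high -> data collection + full traffic.
MODULES_BY_LEVEL = {
    IntrusionLevel.LOW: (),
    IntrusionLevel.MEDIUM: ("intrusion_data_collection",),
    IntrusionLevel.HIGH: ("intrusion_data_collection", "full_traffic_detection"),
}


def select_modules(level: IntrusionLevel) -> tuple:
    return MODULES_BY_LEVEL[level]


def analyze_attack(app_id: str, attack_count: int, vuln_id: str,
                   w: Weights = Weights(), a: float = 0.3, b: float = 0.7):
    """End to end: traffic-derived parameters -> intrusion value -> level -> modules."""
    value = intrusion_value(normalize_importance(app_id),
                            normalize_attack_count(attack_count),
                            normalize_vuln_risk(vuln_id), w)
    level = classify(value, a, b)
    return round(value, 4), level, select_modules(level)


if __name__ == "__main__":
    # 0.7 importance, 2479 attacks (0.2479), risk 0.61 -> 0.5284, medium level
    print(analyze_attack("product-intro", 2479, "xss"))
```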
In the above embodiment of the present application, when the behavior monitoring module is empty, it is determined that the front-end client is a secure user.
In the above steps, when the behavior monitoring module is empty, it may be considered that the intrusion behavior does not need to be monitored, and thus the front-end client may be considered as a security user.
In the above embodiment, the front-end client may be determined to be a secure user in either of the following cases: the front-end client is actually a secure user whose behavior was judged to be an attack behavior during attack detection because of its similarity to attack behavior; or the front-end client does have an intrusion behavior, but the intrusion level is low and it is not necessary to monitor the intrusion behavior with a monitoring module, so the front-end client may be considered a secure user.
In the above embodiments of the present application, the intrusion data collecting module at least includes an input information monitoring module, used for monitoring and recording the operation information of any one or more of the following input and output devices: a keyboard, a mouse and a touch panel; and a front-end basic information monitoring module, used for monitoring and recording any one or more of the following information of the front-end client: the IP address, the MAC address, the login user information and the serial number of the front-end client.
In the above step, with reference to the example shown in fig. 3, the input information monitoring module may be the Key logger module; for example, when an attacker attacks a network application through a click operation, the input information monitoring module may monitor the click event and record data such as the event that occurred, the click position and the request information generated by the click, and when it obtains operation information of any operation device, the input information monitoring module may further send the monitored operation information to the big data storage system. The front-end basic information monitoring module may be the info logger module; in an optional embodiment, the front-end basic information monitoring module may collect information such as the IP address, MAC address, login user information and serial number of the front-end client through JavaScript, and may also send this information to the big data storage system once obtained.
In an alternative embodiment, the modules render the Javascript on the front end of the web application after being obfuscated by a specific obfuscating algorithm.
It should be noted here that, when the intrusion level of the attack behavior is a medium level, the accurate attack behavior of the front-end client can be analyzed and obtained through the operation information and the front-end information acquired by the intrusion data collection module and/or the full traffic detection module.
In the above embodiment of the present application, the full traffic detection module is configured to detect one or more of the following parameter information in a network environment where the front-end client is located: the intranet IP address, the router address, the gateway address and the DNS server address of the front-end client.
With reference to the example shown in fig. 3, the full traffic monitoring module uses the webRTC technology to perform deep detection on the network environment where the attacker is located, and tries to replace the DNS server in the network environment of the front-end client, so as to achieve the purpose of full traffic monitoring. In an alternative embodiment, the full traffic detection module renders the Javascript in front of the browser after obfuscating the Javascript by a specific obfuscation algorithm.
In the above embodiment of the present application, in step S23, after triggering the front-end client to monitor the behavior occurring locally, the method may further perform the following steps:
and step S27, acquiring monitoring data obtained by monitoring the intrusion behavior of the front-end client.
And step S29, performing data structuring and/or visualization processing on the monitoring data through the big data engine to obtain an attack analysis result of the front-end client.
This step may be performed by the big data storage system, which is mainly used for storing the attack behavior data of the attacker, displaying the data in a structured and visualized manner through a big data engine (Hadoop or ODPS), and performing attack path analysis, attack graph analysis and traceability analysis for the front-end client.
With reference to the example shown in fig. 3, after the monitoring data for monitoring the intrusion behavior of the front-end client is obtained, the data may be uploaded to a big data storage system, the big data storage system performs attack analysis on the monitoring data through big data computing capability of the big data storage system, and after an analysis result of the monitoring data is obtained, the big data storage system may perform structured and/or visual processing on the analysis result, and may send the processed monitoring data to a display terminal.
It should be noted that both the intrusion level analyzing server and the big data storage system can use Hadoop or ODPS as a medium to process various data quickly and analyze the data quickly to obtain the threat result.
The following describes in detail the functions implemented by the application scenario of intrusion detection applied to any front-end network application according to the solution of the present application, with reference to fig. 4.
Step S402, detecting the interactive behavior of the front-end client through an intrusion detection system deployed at an application layer of the front-end client.
In the above step, the intrusion detection system may be deployed in an intermediate device such as a gateway, a switch, or the like, and the detecting of the interactive behavior of the front-end client may be performed by determining the aggressiveness of the interactive behavior according to the preconfigured security policy information, and determining the interactive behavior as the aggressive behavior when the request content corresponding to the interactive behavior is aggressive; and under the condition that the request content corresponding to the interactive behavior is not aggressive, determining the interactive behavior as a safety behavior.
Step S404, requesting to receive the request content of the front-end client when determining that the interactive behavior is a security behavior.
Step S406, the request server returns response information corresponding to the request content to the front-end client.
In step S408, in the case that it is determined that the interactive behavior is an attack behavior that attacks the web application, the attack behavior may be input to the intrusion level analysis server, and the intrusion level analysis server obtains the intrusion level corresponding to the attack behavior.
In the above steps, after receiving the attack behavior, the intrusion level analysis server obtains the intrusion level corresponding to the attack behavior.
Step S410, the behavior analysis monitoring server selects a behavior monitoring module matched with the intrusion level according to the intrusion level corresponding to the attack behavior.
In the above steps, the behavior monitoring module may be matched to the attack behavior as follows: when the intrusion level is a low-level intrusion level, the behavior monitoring module is empty; when the intrusion level is a middle-level intrusion level, the behavior monitoring module comprises an intrusion data collecting module; when the intrusion level is a high-level intrusion level, the behavior monitoring module comprises an intrusion data collection module and/or a full flow detection module.
Step S412, the behavior analysis monitoring server loads the behavior monitoring module matched with the intrusion level to the front-end client.
In the above steps, after the behavior analysis monitoring server loads the behavior monitoring module matched with the intrusion level to the front-end client, the front-end client monitors its local behavior, the monitoring data obtained by monitoring the intrusion behavior is acquired, and the big data engine can perform data structuring and/or visualization processing on the monitoring data to obtain an attack analysis result of the front-end client.
In an optional embodiment, the steps can be realized through a big data storage system, the system is mainly used for storing attack behavior data of an attacker, and the big data engine is used for displaying the data in a structured and visualized manner and analyzing an attack path, an attack graph and a source tracing manner of the attacker.
In addition, the method can also perform log recording and back-end intrusion behavior analysis through a log server connected with the front-end client: all user request data is recorded and stored at the back end, the data is analyzed and refined to find which requests have attack characteristics, the log records are queried in reverse by user client characteristics (such as IP address and unique user identification) to check which other attack behaviors the attacker has also performed, and the attacker's attack path and attack graph are predicted.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the present invention, there is also provided an intrusion detection system for implementing the method for detecting intrusion, as shown in fig. 5, the system includes:
a front-end client 50 for sending the interactive behavior; the intermediate device 52 has a communication relationship with the front-end client 50, and is configured to detect whether the interactive behavior is an attack behavior that attacks the network application, and trigger the front-end client to monitor a behavior occurring locally if it is determined that the interactive behavior is an attack behavior that attacks the network application.
In an alternative, the intermediate device 52 may be a forwarding device such as a gateway and a switch, which are deployed with an intrusion detection system, and may detect an interaction behavior of a front-end client through the intrusion detection system deployed at a front-end application layer of the intermediate device, where the intrusion detection system transparently transmits an attack behavior to the front-end client.
Fig. 6 is a schematic structural diagram of an optional intrusion detection system according to embodiment 2 of the present application, and in an optional embodiment, with reference to the system shown in fig. 6, after a network application on a front-end client initiates an interactive behavior, an intrusion detection server deployed in an intermediate device detects an aggressiveness of the interactive behavior, and in a case that it is determined that the interactive behavior is an aggressive behavior generated by an attacking device attacking the front-end client, the front-end client is triggered to continue monitoring various locally generated behaviors, so as to determine whether the subsequent interactive behavior is an aggressive behavior generated by an attacking device attacking.
In the foregoing system, in an optional embodiment, the intrusion detection system detects an interaction behavior of the front-end client, and may read preconfigured security policy information, where the security policy information includes: information for determining whether the interaction behavior is offensive; judging whether the request content corresponding to the interactive behavior has aggressivity or not according to the security policy information; determining the interactive behavior as an aggressive behavior under the condition that the request content corresponding to the interactive behavior is aggressive; and under the condition that the request content corresponding to the interactive behavior is not aggressive, determining the interactive behavior as a safety behavior, and obtaining response information returned to the front-end client according to the request content.
It should be noted that, in the above embodiment, when it is determined that the interactive behavior is an attack behavior of attacking a network application, the behavior of the front-end client is monitored, and after a monitoring result of the intrusion behavior of the front-end client is obtained, the intrusion behavior may be determined according to the monitoring result, so as to locate an attacker performing the intrusion behavior, and also perform defense against the intrusion behavior, or obtain a new defense rule of the intrusion behavior by learning the intrusion behavior. In the intrusion detection method provided by the application, the intrusion detection system detects the interactive behavior and monitors the interactive behavior under the condition that the interactive behavior is confirmed to be the attack behavior.
It should be further noted that, in the system provided in the foregoing embodiment of the present application, the front-end client detects the interactive behavior while generating the interactive behavior, and once the interactive behavior is found to be an intrusion behavior to the front-end client, the interactive behavior is immediately monitored, so that technical effects of discovering the intrusion behavior in real time and analyzing the intrusion behavior in real time are achieved, and a delay caused by analyzing the intrusion behavior at the back end in the prior art is avoided.
Therefore, the application provides a system for discovering intrusion behavior by means of front-end technology. The intrusion analysis means commonly used in the industry are all based on back-end detection or data-driven analysis of intrusion traces, usually need to extract and analyze potential intrusion features from a large amount of log data, and are "after the fact" behaviors. By detecting the interactive behavior of the front-end client, the present method monitors the interactive behavior of the front-end client in real time and tracks and monitors the interactive behavior as soon as it is found to be an intrusion behavior; it makes full use of the properties of the front end, so that the intrusion behavior can be found at the first moment and the attacker can be accurately located. This solves the technical problem in the prior art that the timeliness of monitoring client behavior is poor because intrusion detection is performed at the back end by means such as back-end detection or log data analysis.
Therefore, the scheme of the embodiment 2 provided by the application solves the technical problem that the behavior timeliness of the monitoring client is poor due to the fact that the prior art adopts an analysis means of intrusion detection at the back end, such as back end detection or log data analysis.
In the above embodiments of the present application, the system further includes:
and the request server 52 has a communication relationship with the front-end client, and is configured to receive the request content of the front-end client and return response information corresponding to the front-end client when the interactive behavior is determined to be the security behavior.
With reference to the example shown in fig. 3, the request server may be a web server, and has a communication relationship with the front-end client, and when the interactive behavior is a safe interactive behavior, the request server normally returns response information corresponding to the request content in the interactive behavior to the front-end client.
In the above embodiments of the present application, the system further includes:
an intrusion level analysis server 54, which has a communication relationship with the front-end client and is used for acquiring the intrusion level corresponding to the attack behavior.
The intrusion level analysis server can analyze, according to the data input by the WAF and specific factors, whether the interaction behavior of an attacker reaches a threshold of the threat level division, and if a certain threat-level threshold is reached, loads intrusion monitoring modules of different degrees into the page rendered at the attacker's front end.
In an optional embodiment, the intrusion level analysis server may determine the threat level of the attack by analyzing the attacker's traffic data and evaluating the importance of the website application, the number of times the attacker has attempted the attack, and the vulnerability risk level; when a threat-level threshold is reached, it notifies the intrusion behavior monitoring system at the instrumentation point embedded in the front end.
With reference to the example shown in fig. 3, the intrusion level analysis server is configured to determine the intrusion level of the attack behavior after the intrusion detection system has detected that the interactive behavior is an attack behavior; in an alternative embodiment, the intrusion level may be divided into a low-level intrusion level, a medium-level intrusion level and a high-level intrusion level. The intrusion level of the attack behavior may be determined by analyzing the traffic corresponding to the attack behavior: the traffic data corresponding to the attack behavior is analyzed to obtain any one or more of the following parameters: the importance degree of the network application, the number of times the attack behavior was launched, and the vulnerability risk degree; an intrusion value corresponding to the attack behavior is calculated from the importance degree of the network application, the number of times the attack behavior was launched, the vulnerability risk degree and their corresponding weight values; and the intrusion value is compared with at least one intrusion threshold to determine the intrusion level corresponding to the attack behavior.
In the above embodiments of the present application, the system further includes:
a behavior analysis monitoring system, connected between the intrusion level analysis server and the front-end client, and used for selecting a behavior monitoring module matching the intrusion level according to the intrusion level corresponding to the attack behavior and loading the matching behavior monitoring module into the front-end client, where the behavior monitoring module is used for monitoring and recording the intrusion behavior initiated by the front-end client.
With reference to the example shown in fig. 3, the intrusion detection server receives the intrusion level of the attack behavior uploaded by the intrusion level analysis server and selects the corresponding monitoring module according to that intrusion level. In an alternative embodiment, when the intrusion level is a low-level intrusion level, the behavior monitoring module is empty; when the intrusion level is a medium-level intrusion level, the behavior monitoring module comprises an intrusion data collection module; and when the intrusion level is a high-level intrusion level, the behavior monitoring module comprises an intrusion data collection module and/or a full traffic detection module.
In the above embodiment of the present application, the intrusion level analysis server is further configured to obtain the traffic data corresponding to the attack behavior; analyze the traffic data corresponding to the attack behavior to obtain at least any one or more of the following parameters: the importance degree of the network application, the number of times the attack behavior was launched, and the vulnerability risk degree; calculate an intrusion value corresponding to the attack behavior according to the importance degree of the network application, the number of times the attack behavior was initiated, the vulnerability risk degree and the corresponding weight values; and compare the intrusion value with at least one intrusion threshold to determine the intrusion level corresponding to the attack behavior, where the intrusion level includes a low-level intrusion level, a medium-level intrusion level and a high-level intrusion level.
In the above embodiment of the present application, the intrusion monitoring server is further configured to query the intrusion detection system according to the intrusion level corresponding to the attack behavior to obtain the corresponding behavior monitoring module, where, when the intrusion level is a low-level intrusion level, the behavior monitoring module is empty; when the intrusion level is a medium-level intrusion level, the behavior monitoring module comprises an intrusion data collection module; and when the intrusion level is a high-level intrusion level, the behavior monitoring module comprises an intrusion data collection module and/or a full traffic detection module.
In the above embodiment of the present application, when the behavior monitoring module is empty, the front-end client is determined to be a secure user.
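The weighted intrusion value, its comparison against the thresholds, and the mapping from intrusion level to monitoring modules that the preceding paragraphs describe are shown below as an added example; this is not code from the patent, and the weights, the thresholds, the 0-to-1 scale of each factor, the saturation point for the attempt count, the application catalogue and the module names are all assumptions chosen for illustration. The WAF records it scores are constructed sample data.

```javascript
// Added example, not code from the patent: weighted intrusion scoring and
// threat-level mapping as the embodiment describes it. The weights, the
// thresholds, the [0, 1] scale of each factor, the saturation point for the
// attempt count, the catalogue and the module names are assumptions.

const DEFAULT_WEIGHTS = { appImportance: 0.4, attemptCount: 0.3, vulnRisk: 0.3 }; // sum to 1
const DEFAULT_THRESHOLDS = { low: 0.3, high: 0.6 }; // value < low: low; value < high: medium; else high

// Importance of each web application (assumed catalogue, scale 0..1).
const APP_IMPORTANCE = { checkout: 1.0, account: 0.8, blog: 0.3 };

// Constructed WAF alert records: one attacker hammering checkout, one background scanner.
const SAMPLE_WAF_EVENTS = [
  { src: '203.0.113.7', app: 'checkout', rule: 'sqli', risk: 0.9 },
  { src: '203.0.113.7', app: 'checkout', rule: 'sqli', risk: 0.9 },
  { src: '203.0.113.7', app: 'checkout', rule: 'xss', risk: 0.6 },
  { src: '198.51.100.3', app: 'blog', rule: 'scanner', risk: 0.2 },
];

const clamp01 = (x) => Math.min(1, Math.max(0, Number(x) || 0));

// Attempt count on a log scale that saturates at about 50 attempts:
// 1 attempt -> 0.18, 3 -> 0.35, 10 -> 0.61, 50 or more -> 1.0.
function normaliseAttempts(n) {
  if (!(n > 0)) return 0;
  return Math.min(1, Math.log10(n + 1) / Math.log10(51));
}

// Derive the three factors of the embodiment from the traffic records of one source address.
function factorsFromTraffic(events, src, importance = APP_IMPORTANCE) {
  const mine = events.filter((e) => e.src === src);
  if (mine.length === 0) return { appImportance: 0, attemptCount: 0, vulnRisk: 0 };
  return {
    appImportance: Math.max(...mine.map((e) => importance[e.app] ?? 0)),
    attemptCount: mine.length,
    vulnRisk: Math.max(...mine.map((e) => e.risk)),
  };
}

// Weighted intrusion value; stays within [0, 1] as long as the weights sum to 1.
function intrusionValue(factors, weights = DEFAULT_WEIGHTS) {
  return weights.appImportance * clamp01(factors.appImportance)
       + weights.attemptCount * normaliseAttempts(factors.attemptCount)
       + weights.vulnRisk * clamp01(factors.vulnRisk);
}

function intrusionLevel(value, thresholds = DEFAULT_THRESHOLDS) {
  if (value < thresholds.low) return 'low';
  if (value < thresholds.high) return 'medium';
  return 'high';
}

// Level to front-end monitoring modules, as in the embodiment: nothing at low level,
// data collection at medium level, data collection plus full traffic detection at high level.
function selectMonitoringModules(level) {
  switch (level) {
    case 'low': return [];
    case 'medium': return ['intrusionDataCollection'];
    case 'high': return ['intrusionDataCollection', 'fullTrafficDetection'];
    default: throw new Error(`unknown intrusion level: ${level}`);
  }
}

function assessSource(events, src) {
  const factors = factorsFromTraffic(events, src);
  const value = intrusionValue(factors);
  const level = intrusionLevel(value);
  return { src, factors, value: Number(value.toFixed(3)), level, modules: selectMonitoringModules(level) };
}

// Stand-alone run over the constructed records (an unknown source scores 0 and gets no module).
for (const src of ['203.0.113.7', '198.51.100.3', '192.0.2.1']) {
  console.log(assessSource(SAMPLE_WAF_EVENTS, src));
}
```

Two points worth keeping in mind when reading the embodiment through this code: the level is a function of the weights and thresholds, so a "low-level intrusion level" that yields no module (and is treated as a secure user) is still a WAF hit whose record remains in the traffic data and raises the attempt count of the next assessment; and because the attempt count saturates, a single source that keeps trying will cross into the high level even against a low-importance application only if the vulnerability risk is high as well.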
In the above embodiment of the present application, the system further includes an intrusion data collection module, where the intrusion data collection module at least includes: an input information monitoring module, used for monitoring and recording the operation information of any one or more of the following input and output devices: a keyboard, a mouse and a touch panel; and a front-end basic information monitoring module, used for monitoring and recording any one or more of the following information of the front-end client: the IP address, the MAC address, the login user information and the serial number of the front-end client.
In the foregoing embodiment of the present application, the system further includes a full traffic detection module, configured to detect one or more of the following parameters of the network environment in which the front-end client is located: the intranet IP address, the router address, the gateway address and the DNS server address of the front-end client.
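An added example of the input information monitoring part of the intrusion data collection module, written for the browser page into which the embodiment loads it; this is not the patent's code. It records keyboard, mouse and touch operations with a timestamp and a short description of the target element, masks keys typed into password and payment fields, keeps a bounded buffer and batches the records for upload. The upload path /ids/collect, the record field names, the batch limit and the window.__loginUser global are assumptions; the event objects fed to it in the stand-alone run are constructed.

```javascript
// Added example, not the patent's code: a browser-side intrusion data collection
// module of the kind the embodiment loads at medium and high intrusion level.
// Upload path, field names, buffer size and window.__loginUser are assumptions.

const MONITORED_EVENTS = ['keydown', 'mousedown', 'touchstart'];

function describeTarget(target) {
  if (!target || !target.tagName) return '';
  const id = target.id ? `#${target.id}` : '';
  const name = target.name ? `[name=${target.name}]` : '';
  return `${String(target.tagName).toLowerCase()}${id}${name}`;
}

// Keystroke contents are never recorded for password and payment-card fields.
function isSensitiveField(target) {
  return !!target && (target.type === 'password' || String(target.autocomplete || '').startsWith('cc-'));
}

function summariseEvent(evt, now = Date.now) {
  const rec = { t: now(), type: evt.type, target: describeTarget(evt.target) };
  if (evt.type === 'keydown') {
    rec.key = isSensitiveField(evt.target) ? '*' : evt.key;
  } else if (evt.type === 'mousedown') {
    rec.x = evt.clientX; rec.y = evt.clientY; rec.button = evt.button;
  } else if (evt.type === 'touchstart') {
    rec.touches = evt.touches ? evt.touches.length : 1;
  }
  return rec;
}

function defaultSend(batch) {
  // In a browser the batch goes to the collection endpoint with sendBeacon so
  // that it survives page unload; outside a browser this is a no-op.
  if (typeof navigator !== 'undefined' && typeof navigator.sendBeacon === 'function') {
    navigator.sendBeacon('/ids/collect', JSON.stringify({ kind: 'input', records: batch }));
  }
}

function createInputMonitor({ maxBuffered = 200, now = Date.now } = {}) {
  const buffer = [];
  const attached = [];
  const handle = (evt) => {
    buffer.push(summariseEvent(evt, now));
    if (buffer.length > maxBuffered) buffer.shift(); // bounded memory: oldest records are dropped
  };
  return {
    handle,
    attach(target) {
      for (const type of MONITORED_EVENTS) {
        // Capture phase, so the listener sees events even when page code stops propagation.
        target.addEventListener(type, handle, { capture: true });
        attached.push([target, type]);
      }
    },
    detach() {
      for (const [target, type] of attached) target.removeEventListener(type, handle, { capture: true });
      attached.length = 0;
    },
    flush(send = defaultSend) {
      const batch = buffer.splice(0);
      if (batch.length > 0) send(batch);
      return batch;
    },
    size() { return buffer.length; },
  };
}

// Front-end basic information that page script can actually read. A browser exposes
// no MAC address, serial number, intranet IP, gateway or DNS server address to
// JavaScript; the public IP is known to the server, the rest would need a native agent.
function frontendBasicInfo(env = (typeof navigator !== 'undefined' ? navigator : {}),
                           win = (typeof window !== 'undefined' ? window : {})) {
  return {
    userAgent: env.userAgent || '',
    language: env.language || '',
    platform: env.platform || '',
    loginUser: win.__loginUser || null, // assumed to be set by the page after login
  };
}

// Browser usage: const m = createInputMonitor(); m.attach(document); setInterval(() => m.flush(), 5000);
// Stand-alone run with a constructed event:
const demo = createInputMonitor();
demo.handle({ type: 'keydown', key: 'x', target: { tagName: 'INPUT', name: 'q' } });
console.log(demo.flush((batch) => console.log('would upload', batch.length, 'records')));
```

Two caveats a practitioner would attach to this module. First, the items the full traffic detection module is described as collecting (intranet IP, router, gateway and DNS server addresses) and the MAC address and serial number of the intrusion data collection module are not reachable from page script in a browser; they require a native agent or a browser extension, and the public IP address is already visible to the server. Second, a script loaded into the attacker's page runs under the attacker's control: it can be read, altered or disabled in the developer tools, so its records are hints for tracing, not trustworthy evidence, and the server-side traffic data remains the authoritative record.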
In the above embodiments of the present application, the system further includes:
a big data storage server, used for acquiring, after the intrusion behavior of the front-end client that initiated the attack behavior has been monitored, the monitoring data obtained by that monitoring, and for performing data structuring and/or visualization processing on the monitoring data to obtain an attack analysis result for the front-end client.
Example 3
According to an embodiment of the present invention, an intrusion detection apparatus for implementing the above intrusion detection method is also provided; as shown in fig. 7, the apparatus includes:
a first obtaining module 70, configured to obtain an interactive behavior of a front-end client; a detection module 72, configured to detect whether the interactive behavior is an attack behavior attacking the network application; and a monitoring module 74, configured to trigger the front-end client to monitor the behavior occurring locally where the interactive behavior is determined to be an attack behavior attacking the network application.
It should be noted that the first obtaining module 70, the detection module 72 and the monitoring module 74 correspond to steps S21 to S25 in embodiment 1; these three modules are the same as the corresponding steps in terms of implementation examples and application scenarios, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
It should be noted that, in the above embodiment, when the interactive behavior is determined to be an attack behavior attacking a network application, the front-end client is monitored; after the behavior monitoring result of the front-end client is obtained, the intrusion behavior may be determined from the monitoring result, the attacker performing the intrusion behavior may then be located, the intrusion behavior may be defended against, or a new defense rule for the intrusion behavior may be obtained by learning from it. In the intrusion detection method provided by the application, the intrusion detection system detects the interactive behavior and monitors it under the condition that it is confirmed to be an attack behavior.
It should be further noted that, in the apparatus provided in the foregoing embodiment of the present application, the interactive behavior is detected at the moment the front-end client generates it, and once it is found to be an intrusion behavior of the front-end client it is immediately monitored, so that the technical effects of discovering and analyzing the intrusion behavior in real time are achieved and the delay caused by analyzing the intrusion behavior at the back end in the prior art is avoided.
Therefore, the present application provides a device that discovers intrusion behavior by means of front-end technology. The intrusion analysis means commonly used in the industry are based on back-end detection or data-driven analysis of intrusion traces, usually need to extract and analyze potential intrusion features from a large amount of log data, and are therefore "after the fact". In the present device, the interactive behavior of the front-end client is detected and thereby monitored in real time, and once an issued interactive behavior is found to be an intrusion behavior it is tracked and monitored. The attributes of the front end are fully used, the intrusion behavior can be found at the first moment and the attacker can be accurately located, which solves the technical problem in the prior art that the timeliness of monitoring client behavior is poor because intrusion detection is carried out at the back end by analysis means such as back-end detection or log data analysis.
In the above embodiment of the present application, with reference to fig. 8, where the interactive behavior of the front-end client is detected by an intrusion detection system deployed in the front-end application layer, the apparatus further includes:
a transparent transmission module 80, used by the intrusion detection system to transparently transmit the attack behavior to the front-end client.
By transparently transmitting the attack behavior to the front-end client, the intrusion detection system can trigger the monitoring of the behavior of the front-end client that initiated the attack behavior.
It should be noted here that the behavior monitored by the front-end client is not limited to intrusion behavior but also includes the daily operating behavior of the front-end client, such as operation records of I/O devices such as the keyboard and mouse, records of the user's operation of application software on the front-end client, and records of network traffic.
It should be further noted that, where the intrusion detection system determines that the current interactive behavior is an attack behavior attacking a network application, the intrusion detection system transparently transmits the data of the attack behavior, where transparent transmission means that the attack behavior is delivered directly to a preset target (for example, the behavior analysis monitoring system shown in fig. 3) without any processing during transmission; the devices usable for transparent transmission may further include a transparent transmission gateway and wireless transparent transmission modules (a transparent transmission GPRS module, a transparent transmission ZigBee module) and the like.
In the above embodiment of the present application, as shown in fig. 9, the detection module 72 includes:
a reading module 90, configured to read preconfigured security policy information, where the security policy information includes information for determining whether an interactive behavior is offensive; a judging module 92, configured to judge, according to the security policy information, whether the request content corresponding to the interactive behavior is offensive; a first determining module 94, configured to determine that the interactive behavior is an attack behavior when the request content corresponding to the interactive behavior is offensive; and a second determining module 96, configured to determine that the interactive behavior is a security behavior when the request content corresponding to the interactive behavior is not offensive, and to obtain the response information returned to the front-end client according to the request content.
It should be noted here that the reading module 90, the judging module 92, the first determining module 94 and the second determining module 96 correspond to steps S211 to S217 in embodiment 1; these modules are the same as the corresponding steps in terms of implementation examples and application scenarios, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
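The policy-driven judgment of request content that the reading, judging and determining modules describe is shown below as an added example; it is not code from the patent. A preconfigured policy is read, every attacker-controlled string of a request (path, query values, body fields, selected headers) is judged against it, an offensive request is classified as an attack behavior and its match record is what would be handed on unchanged to the monitoring side, and a non-offensive request is served by the back end as a security behavior. The four policy rules, the { url, headers, body } request shape and the sample requests are constructed for illustration only.

```javascript
// Added example, not from the patent: a minimal policy check of request content
// in the shape of reading module 90, judging module 92 and the two determining
// modules. The rules, the request shape and the samples are constructed.

const SECURITY_POLICY = [
  { id: 'sqli-tautology', risk: 0.9, pattern: /\b(or|and)\s+['"]?\d+['"]?\s*=\s*['"]?\d+/i },
  { id: 'sqli-comment', risk: 0.8, pattern: /'\s*(--|#|\/\*)/ },
  { id: 'xss-tag', risk: 0.7, pattern: /<\s*(script|img|svg|iframe)\b/i },
  { id: 'path-traversal', risk: 0.6, pattern: /(\.\.[\/\\]){2,}/ },
];

function safeDecode(value) {
  try { return decodeURIComponent(value); } catch { return value; }
}

// Every attacker-controlled string of a request: path, query values, body fields
// and a few headers. The { url, headers, body } request shape is an assumption.
function requestSurfaces(req) {
  const url = new URL(req.url, 'http://localhost');
  const out = [safeDecode(url.pathname)];
  for (const [, value] of url.searchParams) out.push(value); // searchParams values are already decoded
  if (req.body && typeof req.body === 'object') {
    for (const value of Object.values(req.body)) out.push(String(value));
  }
  for (const name of ['user-agent', 'referer', 'cookie']) {
    if (req.headers && req.headers[name]) out.push(String(req.headers[name]));
  }
  return out;
}

// Judge the request content against the policy: any rule hit makes it an attack behavior.
function judgeRequest(req, policy = SECURITY_POLICY) {
  const matches = [];
  for (const surface of requestSurfaces(req)) {
    for (const rule of policy) {
      if (rule.pattern.test(surface)) {
        matches.push({ rule: rule.id, risk: rule.risk, sample: surface.slice(0, 80) });
      }
    }
  }
  return { verdict: matches.length > 0 ? 'attack' : 'safe', matches };
}

// A security behavior is served by the back end; an attack behavior is not served,
// and its match record is what would be passed on unchanged to the monitoring side.
function handleRequest(req, backend, policy = SECURITY_POLICY) {
  const judgement = judgeRequest(req, policy);
  if (judgement.verdict === 'attack') return { status: 403, attack: judgement.matches };
  return backend(req);
}

// Constructed sample requests: one benign, then SQL injection, XSS and path traversal.
const SAMPLE_REQUESTS = [
  { url: '/product?id=42', headers: {} },
  { url: "/product?id=42'%20or%20'1'%3D'1", headers: {} },
  { url: '/search', headers: {}, body: { q: '<script>alert(1)</script>' } },
  { url: '/download?f=..%2F..%2F..%2Fetc%2Fpasswd', headers: {} },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req.url, handleRequest(req, () => ({ status: 200, body: 'served' })));
}
```

The rules here exist only to exercise the policy and verdict flow; a handful of regular expressions is bypassed by encoding variants, case changes, comment insertion and request fragmentation, which is why the embodiment leaves the policy preconfigured and maintainable rather than fixed. The judgment also has to run where the attacker cannot reach it: if it were placed in the client itself, the attacker would control the code that judges his own requests, so the server-side check remains the one that decides whether the request is served.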
In the above embodiment of the present application, as shown in fig. 10, the apparatus further includes:
a second obtaining module 100, configured to obtain the intrusion level corresponding to the attack behavior; a matching module 102, configured to select a behavior monitoring module matching the intrusion level according to the intrusion level corresponding to the attack behavior; and a loading module 104, configured to load the behavior monitoring module matching the intrusion level into the front-end client, where the behavior monitoring module is configured to monitor and record the behavior occurring at the front-end client.
It should be noted here that the second obtaining module 100, the matching module 102 and the loading module 104 correspond to steps S231 to S235 in embodiment 1; these modules are the same as the corresponding steps in terms of implementation examples and application scenarios, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
In the above embodiment of the present application, as shown in fig. 11, the obtaining module 100 includes:
an obtaining sub-module 110, configured to obtain the traffic data corresponding to the attack behavior; an analysis module 112, configured to analyze the traffic data corresponding to the attack behavior to obtain at least any one or more of the following parameters: the importance degree of the network application, the number of times the attack behavior was initiated, and the vulnerability risk degree; an initiating module 114, configured to calculate an intrusion value corresponding to the attack behavior according to the importance degree of the network application, the number of times the attack behavior was initiated, the vulnerability risk degree and the corresponding weight values; and a third determining module 116, configured to compare the intrusion value with at least one intrusion threshold and determine the intrusion level corresponding to the attack behavior, where the intrusion level includes a low-level intrusion level, a medium-level intrusion level and a high-level intrusion level.
It should be noted here that the obtaining sub-module 110, the analysis module 112, the initiating module 114 and the third determining module 116 correspond to steps S2311 to S2317 in embodiment 1; these modules are the same as the corresponding steps in terms of implementation examples and application scenarios, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
In the above embodiment of the present application, as shown in fig. 12, the matching module 102 includes:
a query module 120, configured to query the behavior analysis monitoring server according to the intrusion level corresponding to the attack behavior to obtain the corresponding behavior monitoring module, where, when the intrusion level is a low-level intrusion level, the behavior monitoring module is empty; when the intrusion level is a medium-level intrusion level, the behavior monitoring module comprises an intrusion data collection module; and when the intrusion level is a high-level intrusion level, the behavior monitoring module comprises an intrusion data collection module and/or a full traffic detection module.
It should be noted that the query module 120 corresponds to steps S2331 to S2337 in embodiment 1; the module is the same as the corresponding steps in terms of implementation examples and application scenarios, but is not limited to the disclosure of the first embodiment. It should be noted that the module described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
Example 4
In the operating environment of embodiment 1, the present application provides a method of intrusion detection as shown in fig. 13. Fig. 13 is a flowchart of another intrusion detection method according to embodiment 4 of the present invention.
Step S131: the front-end client detects whether the interactive behavior occurring locally is an attack behavior attacking the network application.
In the foregoing step, the interactive behavior may be a behavior in which the user clicks in the front-end web page currently displayed and thereby generates an access request, for example, clicks on a certain control or a web page link in the front-end page with the mouse. If the click lands in a blank area of the front-end web page and does not generate an access request, it is not an interactive behavior of the front-end client; if the click succeeds and generates an access request, it may be regarded as an interactive behavior of the front-end client.
In an alternative, the interactive behavior of the current front-end client may be detected by an intrusion detection system deployed in the front-end application layer. The intrusion detection system may be application software or a plug-in in the front-end client that has the function of detecting attack behavior.
Step S133: where the interactive behavior is determined to be an attack behavior attacking the network application, the front-end client monitors the behavior occurring locally.
It should be noted here that the behavior monitored by the front-end client is not limited to intrusion behavior but also includes the daily operating behavior of the front-end client, such as operation records of I/O devices such as the keyboard and mouse, records of the user's operation of application software on the front-end client, and records of network traffic.
It should be further noted that, in the present application, when the front-end client determines that the local interactive behavior is an attack behavior attacking a network application, it transparently transmits the data of the attack behavior, where transparent transmission means that the attack behavior is delivered directly to a preset target (for example, the behavior analysis monitoring system shown in fig. 3) without any processing during transmission; the devices usable for transparent transmission may further include a transparent transmission gateway and wireless transparent transmission modules (a transparent transmission GPRS module, a transparent transmission ZigBee module) and the like.
Therefore, once the current front-end client has determined that a local attack behavior has occurred, the above steps enable the monitoring of subsequent local behaviors such as network interaction and device operation, for example the intrusion behavior subsequently initiated by the front-end client. A scheme for monitoring behavior on the front-end client in real time is thus realized: there is no need to wait for subsequent log analysis or the like to determine the attack behavior, and the efficiency of monitoring the behavior of the front-end client is improved.
Fig. 3 is a schematic diagram of an optional intrusion detection method according to embodiment 1 of the present application. With reference to the example shown in fig. 3, the above scheme may detect the interactive behavior of the front-end client by means of an intrusion detection system and determine whether the current local interactive behavior of the front-end client is offensive, that is, whether it is an attack behavior. Where the current interactive behavior is an attack behavior, the corresponding monitoring module may be obtained by transparently transmitting the attack behavior, and the locally occurring behavior of the front-end client, including the intrusion behavior, is then monitored by loading that monitoring module in the front-end client. Where the interactive behavior is normal, a normal response to the interaction request is returned to the front-end client.
It should be noted that, in the above embodiment, when the interactive behavior is determined to be an attack behavior attacking the network application, the behavior occurring at the front-end client is monitored; after the behavior monitoring result of the front-end client is obtained, the intrusion behavior may be determined from the monitoring result so as to locate the attacker performing it, the intrusion behavior may be defended against, or a new defense rule for the intrusion behavior may be obtained by learning from it. In the intrusion detection method provided by the application, the intrusion detection system detects the interactive behavior and monitors it under the condition that it is confirmed to be an attack behavior.
It should be further noted that, in the method provided by the foregoing embodiment of the present application, the interactive behavior is detected at the moment the front-end client observes it occurring locally, and once it is found to be an attack behavior occurring at the front-end client, the front-end client exhibiting the attack behavior is immediately monitored, so that the technical effects of discovering and analyzing the intrusion behavior in real time are achieved and the delay caused by analyzing the intrusion behavior at the back end in the prior art is avoided.
Therefore, the present application provides a method that discovers intrusion behavior by means of front-end technology. The intrusion analysis means commonly used in the industry are based on back-end detection or data-driven analysis of intrusion traces, usually need to extract and analyze potential intrusion features from a large amount of log data, and are therefore "after the fact". In the present method, the interactive behavior of the front-end client is monitored in real time and the intrusion behavior is tracked and monitored; the attributes of the front end are fully used, the intrusion behavior can be found at the first moment and the attacker can be accurately located, which solves the technical problem in the prior art that the timeliness of monitoring client behavior is poor because intrusion detection is carried out at the back end by analysis means such as back-end detection or log data analysis.
Therefore, the scheme of embodiment 1 provided by the application solves the technical problem that the timeliness of monitoring client behavior is poor because the prior art adopts analysis means that perform intrusion detection at the back end, such as back-end detection or log data analysis.
Example 5
The embodiment of the invention can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps of the intrusion detection method of the application program: acquiring an interactive behavior of the front-end client; detecting whether the interactive behavior is an attack behavior attacking the network application; and, where the interactive behavior is determined to be an attack behavior attacking the network application, triggering the front-end client to monitor the behavior occurring locally.
Alternatively, fig. 14 is a block diagram of a computer terminal according to an embodiment of the present invention. As shown in fig. 14, the computer terminal 1400 may include: one or more processors 1402 (only one of which is shown), a memory 1404, and a transmitting device 1406.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the intrusion detection method and apparatus in the embodiments of the present invention; the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, implements the intrusion detection method described above. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application programs stored in the memory through the transmission device to execute the following steps: acquiring an interactive behavior of the front-end client; detecting whether the interactive behavior is an attack behavior attacking the network application; and, where the interactive behavior is determined to be an attack behavior attacking the network application, triggering the front-end client to monitor the behavior occurring locally.
Optionally, the processor may further execute the program code of the following steps: detecting an interactive behavior of a front-end client by an intrusion detection system deployed at a front-end application layer, wherein before triggering the front-end client to monitor a behavior occurring locally, the method further comprises: and the intrusion detection system transparently transmits the attack behavior to the front-end client.
Optionally, the processor may further execute the program code of the following steps: reading preconfigured security policy information, where the security policy information comprises information for determining whether the interactive behavior is offensive; judging, according to the security policy information, whether the request content corresponding to the interactive behavior is offensive; determining the interactive behavior to be an attack behavior where the request content corresponding to the interactive behavior is offensive; and, where the request content corresponding to the interactive behavior is not offensive, determining the interactive behavior to be a security behavior and obtaining the response information returned to the front-end client according to the request content.
Optionally, the processor may further execute the program code of the following steps: acquiring the intrusion level corresponding to the attack behavior; selecting a behavior monitoring module matching the intrusion level according to the intrusion level corresponding to the attack behavior; and loading the behavior monitoring module matching the intrusion level into the front-end client, where the behavior monitoring module is used for monitoring and recording the intrusion behavior initiated by the front-end client.
Optionally, the processor may further execute the program code of the following steps: acquiring the traffic data corresponding to the attack behavior; analyzing the traffic data corresponding to the attack behavior to obtain at least any one or more of the following parameters: the importance degree of the network application, the number of times the attack behavior was launched, and the vulnerability risk degree; calculating an intrusion value corresponding to the attack behavior according to the importance degree of the network application, the number of times the attack behavior was initiated, the vulnerability risk degree and the corresponding weight values; and comparing the intrusion value with at least one intrusion threshold to determine the intrusion level corresponding to the attack behavior, where the intrusion level includes a low-level intrusion level, a medium-level intrusion level and a high-level intrusion level.
Optionally, the processor may further execute the program code of the following steps: querying the behavior analysis monitoring server according to the intrusion level corresponding to the attack behavior to obtain the corresponding behavior monitoring module, where, when the intrusion level is a low-level intrusion level, the behavior monitoring module is empty; when the intrusion level is a medium-level intrusion level, the behavior monitoring module comprises an intrusion data collection module; and when the intrusion level is a high-level intrusion level, the behavior monitoring module comprises an intrusion data collection module and/or a full traffic detection module.
Optionally, the processor may further execute the program code of the following steps: and under the condition that the behavior monitoring module is empty, determining that the front-end client is a safe user.
Optionally, the processor may further execute the program code of the following steps: the intrusion data collection module at least comprises: the input information monitoring module is used for monitoring and recording the operation information of any one or more of the following input and output devices: the system comprises a keyboard, a mouse and a touch panel, wherein the front-end basic information monitoring module is used for monitoring and recording any one or more of the following information of a front-end client: the IP address, the MAC address, the login user information and the serial number of the front-end client.
Optionally, the processor may further execute the program code of the following steps: the full flow detection module is used for detecting the following parameter information in the network environment where the front-end client is located: the intranet IP address, the router address, the gateway address and the DNS server address of the front-end client.
Optionally, the processor may further execute the program code of the following steps: acquiring monitoring data obtained by monitoring the intrusion behavior of a front-end client; and carrying out data structuring and/or visualization processing on the monitoring data through a big data engine to obtain an attack analysis result of the front-end client.
Therefore, the present application provides a scheme for discovering intrusion behavior by means of front-end technology. Intrusion analysis means commonly used in the industry are all based on back-end detection or on data-driven analysis of intrusion traces; they usually need to extract possible intrusion features from a large amount of log data and are therefore "after the fact". The present method detects the interactive behavior of the front-end client and thereby monitors that behavior in real time; once an issued interactive behavior is found to be an intrusion, the intrusion is tracked and monitored. By making full use of the properties of the front end, the intrusion can be discovered at the earliest moment and the attacker accurately located, which solves the technical problem in the prior art that the monitoring of client behavior has poor timeliness because intrusion detection is performed at the back end, by back-end detection or log data analysis.
Those skilled in the art can understand that the structure shown in Fig. 14 is only illustrative, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone or an iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID) or a PAD. Fig. 14 merely illustrates one structure of the electronic device; for example, computer terminal 1400 may include more or fewer components (e.g., network interfaces, display devices) than shown in Fig. 14, or have a different configuration from that shown in Fig. 14.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 6
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for executing the intrusion detection method provided in Embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring an interactive behavior of a front-end client; detecting whether the interactive behavior is an attack behavior attacking the network application; and, when the interactive behavior is determined to be an attack behavior attacking the network application, triggering the front-end client to monitor the behavior occurring locally.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: detecting the interactive behavior of the front-end client by an intrusion detection system deployed at a front-end application layer, wherein, before triggering the front-end client to monitor the behavior occurring locally, the method further comprises: the intrusion detection system transparently forwarding the attack behavior to the front-end client.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: reading pre-configured security policy information, wherein the security policy information comprises information for determining whether an interactive behavior constitutes an attack; judging, according to the security policy information, whether the request content corresponding to the interactive behavior constitutes an attack; determining the interactive behavior to be an attack behavior when the request content corresponding to the interactive behavior constitutes an attack; and, when the request content corresponding to the interactive behavior does not constitute an attack, determining the interactive behavior to be a safe behavior and obtaining response information to be returned to the front-end client according to the request content.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring an intrusion level corresponding to the attack behavior; selecting a behavior monitoring module matching the intrusion level according to the intrusion level corresponding to the attack behavior; and loading the behavior monitoring module matching the intrusion level onto the front-end client, wherein the behavior monitoring module is used for monitoring and recording the intrusion behavior initiated by the front-end client.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring traffic data corresponding to the attack behavior; analyzing the traffic data corresponding to the attack behavior to obtain any one or more of the following parameters: the importance degree of the network application, the number of times the attack behavior has been launched, and the vulnerability risk degree; calculating an intrusion value corresponding to the attack behavior from the importance degree of the network application, the number of times the attack behavior has been launched, the vulnerability risk degree and their corresponding weight values; and comparing the intrusion value with at least one intrusion threshold to determine the intrusion level corresponding to the attack behavior, wherein the intrusion level comprises a low-level intrusion level, a medium-level intrusion level and a high-level intrusion level.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: querying a behavior analysis monitoring server according to the intrusion level corresponding to the attack behavior to obtain the corresponding behavior monitoring module, wherein when the intrusion level is the low-level intrusion level, the behavior monitoring module is empty; when the intrusion level is the medium-level intrusion level, the behavior monitoring module comprises an intrusion data collection module; and when the intrusion level is the high-level intrusion level, the behavior monitoring module comprises an intrusion data collection module and/or a full-traffic detection module.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following step: when the behavior monitoring module is empty, determining that the front-end client is a safe user.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the intrusion data collection module comprises at least an input information monitoring module and/or a front-end basic information monitoring module, wherein the input information monitoring module is used for monitoring and recording operation information of any one or more of the following input and output devices: a keyboard, a mouse and a touch panel; and the front-end basic information monitoring module is used for monitoring and recording any one or more of the following information of the front-end client: the IP address, the MAC address, the login user information and the serial number of the front-end client.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the full-traffic detection module is used for detecting the following parameter information in the network environment where the front-end client is located: the intranet IP address, the router address, the gateway address and the DNS server address of the front-end client.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring monitoring data obtained by monitoring the intrusion behavior of the front-end client; and performing data structuring and/or visualization processing on the monitoring data through a big data engine to obtain an attack analysis result for the front-end client.
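The policy check, intrusion scoring, threshold comparison and module selection described in the steps above (and restated in claims 3, 5 and 6 below) can be put together as one small pipeline. The following is an added example written for this page, not code from the patent or from the applicant; the regular-expression rules, the weights 0.4/0.3/0.3, the thresholds 0.3 and 0.6, the cap of 10 on the attack count, the URL decoding before matching and the module names are all assumptions, since the patent fixes none of these values.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed security policy information (assumption: the patent leaves the form of the
# policy open; here each rule is a name and a regular expression over the request content).
SECURITY_POLICY = {
    "sql_union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),
    "html_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
}

# Constructed weights for the three parameters and the two intrusion thresholds that split the
# intrusion value into low / medium / high (assumption: the patent gives no numbers).
WEIGHTS = {"importance": 0.4, "attack_count": 0.3, "vuln_risk": 0.3}
THRESHOLDS = (0.3, 0.6)      # value < 0.3 -> low, < 0.6 -> medium, otherwise high
ATTACK_COUNT_CAP = 10        # attack counts at or above this saturate at 1.0

# Behavior monitoring modules per intrusion level, as the description specifies:
# low -> empty, medium -> intrusion data collection, high -> collection plus full-traffic detection.
MODULES_BY_LEVEL = {
    "low": (),
    "medium": ("intrusion_data_collection",),
    "high": ("intrusion_data_collection", "full_traffic_detection"),
}


def match_policy(request_content: str) -> Optional[str]:
    """Return the name of the first policy rule the request content matches, or None.

    The content is percent-decoded once before matching, so an encoded request is judged
    on the same text the application will eventually see.
    """
    decoded = unquote(request_content)
    for name, pattern in SECURITY_POLICY.items():
        if pattern.search(decoded):
            return name
    return None


def intrusion_value(importance: float, attack_count: int, vuln_risk: float) -> float:
    """Weighted combination of application importance, attack count and vulnerability risk.

    importance and vuln_risk are degrees in [0, 1]; attack_count is a non-negative integer
    normalised against ATTACK_COUNT_CAP so that a large count cannot swamp the other terms.
    """
    for name, degree in (("importance", importance), ("vuln_risk", vuln_risk)):
        if not 0.0 <= degree <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {degree}")
    if attack_count < 0:
        raise ValueError("attack_count must be non-negative")
    count_degree = min(attack_count, ATTACK_COUNT_CAP) / ATTACK_COUNT_CAP
    return (WEIGHTS["importance"] * importance
            + WEIGHTS["attack_count"] * count_degree
            + WEIGHTS["vuln_risk"] * vuln_risk)


def intrusion_level(value: float) -> str:
    """Compare the intrusion value with the two thresholds to obtain low / medium / high."""
    low_max, medium_max = THRESHOLDS
    if value < low_max:
        return "low"
    if value < medium_max:
        return "medium"
    return "high"


def handle_interaction(request_content: str, importance: float,
                       attack_count: int, vuln_risk: float) -> dict:
    """Run one interactive behavior through the pipeline and report the decision taken."""
    rule = match_policy(request_content)
    if rule is None:
        # Safe behavior: the request goes on to the request server, which answers it.
        return {"attack": False, "rule": None, "level": None, "modules": (),
                "action": "forward_to_request_server"}
    value = intrusion_value(importance, attack_count, vuln_risk)
    level = intrusion_level(value)
    modules = MODULES_BY_LEVEL[level]
    # An empty module set means the front-end client is treated as a safe user.
    action = "safe_user" if not modules else "load_monitoring_modules"
    return {"attack": True, "rule": rule, "level": level,
            "value": round(value, 4), "modules": modules, "action": action}


if __name__ == "__main__":
    # Constructed sample request contents with traffic-derived parameters (all made up).
    samples = [
        ("GET /search?q=running+shoes", 0.5, 0, 0.1),
        ("GET /download?file=..%2F..%2Fconfig.ini", 0.2, 1, 0.2),
        ("GET /item?id=1%27%20UNION%20SELECT%201", 0.9, 5, 0.8),
    ]
    for content, imp, count, risk in samples:
        print(content, "->", handle_interaction(content, imp, count, risk))
```

Two details carry the practical weight here: the request is decoded before the policy is applied, and every scoring input is range-checked and the attack count is capped, so a single out-of-range parameter cannot push every client into the high-level bucket and load monitoring modules where none were warranted.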
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and these modifications and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (21)

1. A method of intrusion detection, comprising:
acquiring an interactive behavior of a front-end client;
detecting whether the interactive behavior is an attack behavior attacking the network application;
and, when the interactive behavior is determined to be an attack behavior attacking the network application, triggering the front-end client to monitor the behavior occurring locally.
2. The method of claim 1, wherein the interactive behavior of the front-end client is detected by an intrusion detection system deployed at a front-end application layer, and wherein, before triggering the front-end client to monitor the behavior occurring locally, the method further comprises: the intrusion detection system transparently forwarding the attack behavior to the front-end client.
3. The method of claim 2, wherein detecting the interactive behavior of the front-end client by the intrusion detection system deployed at the front-end application layer comprises:
reading pre-configured security policy information, wherein the security policy information comprises information for determining whether an interactive behavior constitutes an attack;
judging, according to the security policy information, whether the request content corresponding to the interactive behavior constitutes an attack;
determining the interactive behavior to be the attack behavior when the request content corresponding to the interactive behavior constitutes an attack;
and, when the request content corresponding to the interactive behavior does not constitute an attack, determining the interactive behavior to be a safe behavior and obtaining response information to be returned to the front-end client according to the request content.
4. The method of claim 1, wherein prior to triggering the front-end client to monitor the behavior occurring locally, the method further comprises:
acquiring an intrusion level corresponding to the attack behavior;
selecting a behavior monitoring module matched with the intrusion level according to the intrusion level corresponding to the attack behavior;
and loading the behavior monitoring module matching the intrusion level onto the front-end client, wherein the behavior monitoring module is used for monitoring and recording the behavior generated by the front-end client.
5. The method of claim 4, wherein obtaining the intrusion level corresponding to the attack behavior comprises:
acquiring traffic data corresponding to the attack behavior;
analyzing the traffic data corresponding to the attack behavior to obtain any one or more of the following parameters: the importance degree of the network application, the number of times the attack behavior has been launched, and the vulnerability risk degree;
calculating an intrusion value corresponding to the attack behavior from the importance degree of the network application, the number of times the attack behavior has been launched, the vulnerability risk degree and their corresponding weight values;
comparing the intrusion value with at least one intrusion threshold to determine the intrusion level corresponding to the attack behavior, wherein the intrusion level comprises a low-level intrusion level, a medium-level intrusion level and a high-level intrusion level.
6. The method of claim 5, wherein selecting the behavior monitoring module matching the intrusion level according to the intrusion level corresponding to the attack behavior comprises:
querying a behavior analysis monitoring server according to the intrusion level corresponding to the attack behavior to obtain the corresponding behavior monitoring module, wherein
when the intrusion level is the low-level intrusion level, the behavior monitoring module is empty;
when the intrusion level is the medium-level intrusion level, the behavior monitoring module comprises a data collection module;
when the intrusion level is the high-level intrusion level, the behavior monitoring module comprises the data collection module and/or a full-traffic detection module.
7. The method of claim 6, wherein the front-end client is determined to be a safe user when the behavior monitoring module is empty.
8. The method of claim 6, wherein the data collection module comprises at least an input information monitoring module and/or a front-end basic information monitoring module, wherein the input information monitoring module is used for monitoring and recording operation information of any one or more of the following input and output devices: a keyboard, a mouse and a touch panel; and the front-end basic information monitoring module is used for monitoring and recording any one or more of the following information of the front-end client: the IP address, the MAC address, the login user information and the serial number of the front-end client.
9. The method of claim 6, wherein the full-traffic detection module is used for detecting one or more of the following parameter information in the network environment where the front-end client is located: the intranet IP address, the router address, the gateway address and the DNS server address of the front-end client.
10. The method according to any one of claims 1 to 9, wherein after triggering the front-end client to monitor the behavior occurring locally, the method further comprises:
acquiring monitoring data obtained by monitoring the behavior generated locally by the front-end client;
and performing data structuring processing and/or visualization processing on the monitoring data through a big data engine to obtain an attack analysis result for the front-end client.
11. A system for intrusion detection, comprising:
the front-end client is used for sending the interactive behavior;
and an intermediate device in communication with the front-end client, used for detecting whether the interactive behavior is an attack behavior attacking the network application and, when the interactive behavior is determined to be an attack behavior attacking the network application, triggering the front-end client to monitor the behavior occurring locally.
12. The system of claim 11, wherein the interactive behavior of the front-end client is detected by an intrusion detection system deployed at a front-end application layer of the intermediate device, and wherein the intrusion detection system transparently forwards the attack behavior to the front-end client.
13. The system of claim 11, further comprising:
and a request server in communication with the front-end client, used for receiving the request content of the front-end client and, when the interactive behavior is determined to be a safe behavior, returning response information corresponding to the request content to the front-end client.
14. The system of claim 11, further comprising:
and an intrusion level analysis server in communication with the intermediate device, used for acquiring the intrusion level corresponding to the attack behavior.
15. An apparatus for intrusion detection, comprising:
the first acquisition module is used for acquiring the interactive behavior of the front-end client;
a detection module, used for detecting whether the interactive behavior is an attack behavior attacking the network application;
and a monitoring module, used for triggering the front-end client to monitor the behavior occurring locally when the interactive behavior is determined to be an attack behavior attacking the network application.
16. The apparatus of claim 15, wherein the interactive behavior of the front-end client is detected by an intrusion detection system deployed at a front-end application layer, the apparatus further comprising:
and a transparent forwarding module, used by the intrusion detection system to transparently forward the attack behavior to the front-end client.
17. The apparatus of claim 16, wherein the detection module comprises:
a reading module, configured to read pre-configured security policy information, wherein the security policy information comprises information for determining whether an interactive behavior constitutes an attack;
a judging module, used for judging, according to the security policy information, whether the request content corresponding to the interactive behavior constitutes an attack;
a first determining module, used for determining the interactive behavior to be the attack behavior when the request content corresponding to the interactive behavior constitutes an attack;
and a second determining module, used for determining the interactive behavior to be a safe behavior when the request content corresponding to the interactive behavior does not constitute an attack, and obtaining response information to be returned to the front-end client according to the request content.
18. The apparatus of claim 15, further comprising:
the second acquisition module is used for acquiring the intrusion level corresponding to the attack behavior;
the matching module is used for selecting a behavior monitoring module matched with the intrusion level according to the intrusion level corresponding to the attack behavior;
and a loading module, used for loading the behavior monitoring module matching the intrusion level onto the front-end client, wherein the behavior monitoring module is used for monitoring and recording the behavior generated by the front-end client.
19. The apparatus of claim 18, wherein the second acquisition module comprises:
an acquisition submodule, used for acquiring traffic data corresponding to the attack behavior;
an analysis module, used for analyzing the traffic data corresponding to the attack behavior to obtain any one or more of the following parameters: the importance degree of the network application, the number of times the attack behavior has been launched, and the vulnerability risk degree;
an initiating module, used for calculating an intrusion value corresponding to the attack behavior from the importance degree of the network application, the number of times the attack behavior has been launched, the vulnerability risk degree and their corresponding weight values;
and a third determining module, configured to compare the intrusion value with at least one intrusion threshold to determine the intrusion level corresponding to the attack behavior, wherein the intrusion level comprises a low-level intrusion level, a medium-level intrusion level and a high-level intrusion level.
20. The apparatus of claim 19, wherein the matching module comprises:
a query module, used for querying a behavior analysis monitoring server according to the intrusion level corresponding to the attack behavior to obtain the corresponding behavior monitoring module, wherein
when the intrusion level is the low-level intrusion level, the behavior monitoring module is empty;
when the intrusion level is the medium-level intrusion level, the behavior monitoring module comprises an intrusion data collection module;
when the intrusion level is the high-level intrusion level, the behavior monitoring module comprises the intrusion data collection module and/or a full-traffic detection module.
21. A method of intrusion detection, comprising:
the front-end client detecting whether a locally generated interactive behavior is an attack behavior attacking the network application;
and, when the interactive behavior is determined to be an attack behavior attacking the network application, the front-end client monitoring the behavior occurring locally.
CN201610285472.5A 2016-04-29 2016-04-29 The methods, devices and systems of intrusion detection Pending CN107332811A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610285472.5A CN107332811A (en) 2016-04-29 2016-04-29 The methods, devices and systems of intrusion detection

Publications (1)

Publication Number Publication Date
CN107332811A true CN107332811A (en) 2017-11-07

Family

ID=60193278

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610285472.5A Pending CN107332811A (en) 2016-04-29 2016-04-29 The methods, devices and systems of intrusion detection

Country Status (1)

Country Link
CN (1) CN107332811A (en)

JP2017502442A (en) Systems, devices, and methods that automatically validate exploits on suspicious objects and highlight display information associated with the proven exploits
CN107465702B (en) Early warning method and device based on wireless network intrusion
CN107332804B (en) Method and device for detecting webpage bugs
CN105550593A (en) Cloud disk file monitoring method and device based on local area network
CN107302586B (en) Webshell detection method and device, computer device and readable storage medium
CN107566401B (en) Protection method and device for virtualized environment
Irfan et al. A framework for cloud forensics evidence collection and analysis using security information and event management
US20210006592A1 (en) Phishing Detection based on Interaction with End User
Hayatle et al. Dempster-shafer evidence combining for (anti)-honeypot technologies
CN112565226A (en) Request processing method, device, equipment and system and user portrait generation method
CN113411297A (en) Situation awareness defense method and system based on attribute access control
CN113472789A (en) Attack detection method, attack detection system, storage medium and electronic equipment
CN113411295A (en) Role-based access control situation awareness defense method and system
CN106561026A (en) Method and system for diagnosing invasion based on user account operation behavior

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171107