CN107395637A - HTTP tunnel active detection method, terminal device and storage medium - Google Patents

Info

Publication number: CN107395637A
Authority: CN (China)
Prior art keywords: http, steps, server, packet, connection
Legal status: Pending
Application number: CN201710753460.5A
Other languages: Chinese (zh)
Inventors: 张婷, 陈腾跃, 梁煜麓, 罗佳, 吴鸿伟
Current Assignee: Xiamen Anscen Network Technology Co Ltd
Original Assignee: Xiamen Anscen Network Technology Co Ltd
Application filed by: Xiamen Anscen Network Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications


Abstract

The present invention discloses an active detection method for HTTP tunnels, comprising the following steps. S1: continuously monitor the HTTP packets of network connections passing through the port until an HTTP packet is captured, then go to step S2. S2: perform static detection on the captured HTTP packet and determine whether it conforms to the HTTP protocol standard; if so, go to step S3; if not, go to step S6. S3: compare the upstream traffic and the downstream traffic of this connection and determine whether the traffic difference exceeds a threshold; if so, go to step S4; if not, go to step S5. S4: actively probe the destination server of this connection's packets and determine whether the destination server matches the fingerprint features of an HTTP server; if so, go to step S5; if not, go to step S6. S5: allow the packets of this connection to pass. S6: intercept the packets of this connection, raise an alert and write a log record.

Description

HTTP tunnel active detection method, terminal device and storage medium
Technical field
The present invention relates to the technical field of computer networks, and specifically to an HTTP tunnel active detection method, a terminal device and a storage medium.
Background
With the development of firewall technology, many traditional reverse-connection (connect-back) trojans can no longer connect back normally under strict firewall rules. Two mainstream techniques are currently used by trojans to get through a firewall: port reuse and HTTP tunnels. Of these, HTTP tunnels account for the overwhelming majority in common APT attacks, because even a tightly guarded intranet mostly leaves an HTTP or HTTPS channel open to the Internet. Many trojans use this channel for their connect-back, encapsulating whatever communication protocol they use inside an HTTP tunnel for transmission. Ordinary firewalls are helpless against such trojans. This document describes a new detection technique that can effectively detect this kind of hostile network behaviour.
Ordinary firewalls generally use passive detection: they analyse the packets of connections that have already been established and judge them by features of the HTTP protocol. For example, they check whether the User-Agent field of the HTTP request is a common browser type, whether the request is a common GET, POST, HEAD or CONNECT request, and whether the status code returned by the server is a common 404, 200 or 302, using the protocol standard to decide whether the packets belong to a malicious HTTP tunnel. Chinese invention patent application No. 201310248911.1, for example, describes this kind of method. The method is still effective against some older trojans, but it is powerless against carefully engineered APT attack programs, because a trojan can fully imitate the HTTP protocol and meticulously construct packets that resemble normal web browsing.
Summary of the invention
To solve the above problems, the present invention provides an HTTP tunnel active detection method, a terminal device and a storage medium. The destination server is actively probed by sending constructed packets to the IP and port of the suspected trojan server; combined with fingerprint identification of the destination server, this allows a more accurate judgement of whether a connection is a malicious HTTP tunnel, and can even identify unknown APT attacks carried out against the intranet.
An HTTP tunnel active detection method of the present invention comprises the following steps:
S1: Monitor packets: continuously monitor the HTTP packets of network connections passing through the port until an HTTP packet is captured, then go to step S2;
S2: Inspect the packet: perform static detection on the captured HTTP packet and determine whether it conforms to the HTTP protocol standard; if so, go to step S3; if not, go to step S6;
S3: Compare the traffic of this connection: compare the upstream HTTP traffic and the downstream HTTP traffic of this connection and determine whether the traffic difference exceeds the threshold; if so, go to step S4; if not, go to step S5;
S4: Probe the server: actively probe the destination server of this connection's packets and determine whether the destination server matches the fingerprint features of an HTTP server; if so, go to step S5; if not, go to step S6;
S5: Allow the packets: let the packets of this connection pass, and return to step S1;
S6: Intercept the packets: intercept the packets of this connection, raise an alert and write the corresponding log record, and return to step S1.
Further, in S2, determining whether the packet conforms to the HTTP protocol standard is specifically: check whether the request command sent by the client to the server conforms to the HTTP protocol standard, and check whether the response message sent by the server to the client conforms to the HTTP protocol standard.
Further, in S3, determining whether the traffic difference exceeds the threshold is specifically: if the upstream HTTP traffic exceeds the downstream HTTP traffic and the difference is greater than or equal to the threshold, the traffic difference is judged to exceed the threshold; if the upstream HTTP traffic exceeds the downstream HTTP traffic and the difference is less than the threshold, or the upstream HTTP traffic does not exceed the downstream HTTP traffic, the traffic difference is judged not to exceed the threshold.
Further, in S4, actively probing the destination server of this connection's packets and determining whether it matches the fingerprint features of an HTTP server is specifically: actively probe the destination server of this connection's packets by sending a HEAD request packet to it, and match the features of the returned packet against HTTP server feature templates; if the match succeeds, the destination server matches the fingerprint features of an HTTP server; if the match fails, the destination server does not match the fingerprint features of an HTTP server.
Further, in S4, the fingerprint features of an HTTP server include: the identifiers of the various HTTP server programs, and the way the HTTP server handles malformed HTTP headers.
An HTTP tunnel active detection terminal device of the present invention comprises a memory, a processor and a computer program stored in the memory and executable on the processor; the processor implements the steps of the HTTP tunnel active detection method when executing the computer program.
A computer-readable storage medium of the present invention stores a computer program; the computer program implements the steps of the HTTP tunnel active detection method when executed by a processor.
Beneficial effects of the present invention:
On the basis of the traditional HTTP tunnel detection method (checking packets in both directions against the HTTP protocol standard), the present invention further compares the volume of upstream and downstream traffic and their difference against a configured alert threshold. For network connections that match, the destination server is actively probed to determine whether it matches the fingerprint features of a mainstream HTTP server; if it matches, the packets are allowed through; if not, they are intercepted and an alert is raised. This allows a more accurate judgement of whether a connection is a malicious HTTP tunnel, and can even identify unknown APT attacks carried out against the intranet. Filtering by traffic first also reduces the workload of active probing, making detection more efficient and accurate.
Brief description of the drawings
Fig. 1 is the method flowchart of Embodiment one of the present invention.
Detailed description
To further illustrate the embodiments, the present invention is provided with drawings. These drawings are part of the disclosure of the invention; they mainly illustrate the embodiments and, together with the related description in the specification, explain the operating principles of the embodiments. With reference to these contents, those of ordinary skill in the art will understand other possible embodiments and the advantages of the present invention. Components in the figures are not drawn to scale, and similar reference numerals are generally used to indicate similar components.
The present invention is further described below in conjunction with the drawings and specific embodiments.
The present invention is deployed at the intranet egress switch. It is suited to organisations or enterprises whose intranet needs to browse the web but which also have data-confidentiality requirements. It can effectively detect network behaviour that uses HTTP tunnels to make malicious connections, ensuring the security of intranet data.
Most trojans used in APT attacks share one behavioural trait: they try to obtain sensitive or valuable information from the compromised host. By contrast, the main behaviour of a normal user visiting websites with a browser is obtaining data from the website; uploads may occur but are comparatively rare. Particularly for enterprises or government departments with high confidentiality requirements, unauthorised file upload is a likely path for information leakage. The detection method of the present invention first compares the volume of upstream and downstream traffic and their difference and matches them against the configured alert threshold; for network connections that match, it performs active probing and determines whether the destination matches the features of a mainstream HTTP server; if it matches, the packets are allowed through; if not, they are intercepted and an alert is raised. The detection flowchart is shown in Fig. 1.
Embodiment one:
Referring to Fig. 1, the present invention provides an HTTP tunnel active detection method comprising the following steps:
S1: Monitor packets: continuously monitor the HTTP packets of network connections passing through the port until an HTTP packet is captured, then go to step S2;
S2: Inspect the packet: perform static detection on the captured HTTP packet and determine whether it conforms to the HTTP protocol standard.
Determining whether the packet conforms to the HTTP protocol standard is specifically: check whether the request command sent by the client to the server conforms to the HTTP protocol standard, and check whether the response message sent by the server to the client conforms to the HTTP protocol standard.
If so, go to step S3; if not, go to step S6;
S3: Compare the traffic of this connection: compare the upstream HTTP traffic and the downstream HTTP traffic of this connection and determine whether the traffic difference exceeds the threshold.
Determining whether the traffic difference exceeds the threshold is specifically: if the upstream HTTP traffic exceeds the downstream HTTP traffic and the difference is greater than or equal to the threshold, the traffic difference is judged to exceed the threshold; if the upstream HTTP traffic exceeds the downstream HTTP traffic and the difference is less than the threshold, or the upstream HTTP traffic does not exceed the downstream HTTP traffic, the traffic difference is judged not to exceed the threshold.
If so, go to step S4; if not, go to step S5;
S4: Probe the server: actively probe the destination server of this connection's packets and determine whether the destination server matches the fingerprint features of an HTTP server.
This is specifically: actively probe the destination server of this connection's packets by sending a HEAD request packet to it, and match the features of the returned packet against HTTP server feature templates; if the match succeeds, the destination server matches the fingerprint features of an HTTP server; if the match fails, the destination server does not match the fingerprint features of an HTTP server. The fingerprint features of an HTTP server include: the identifiers of the various HTTP server programs, and the way the HTTP server handles malformed HTTP headers.
If so, go to step S5; if not, go to step S6;
S5: Allow the packets: let the packets of this connection pass, and return to step S1;
S6: Intercept the packets: intercept the packets of this connection, raise an alert and write the corresponding log record, and return to step S1.
The fingerprint features of an HTTP server mainly include the identifiers of the various HTTP server programs. By sending a HEAD packet, the banner identifier of each kind of web server program can be obtained. For example, when a HEAD request is sent to different HTTP servers, the packets they return are as shown in Table one:
Table one
By matching the returned Server field, it is possible to determine which kind of HTTP server it is.
The fingerprint features of an HTTP server also include the way the HTTP server handles malformed HTTP headers, as shown in Table two:
HTTP server    Request packet format    Response packet format
IIS            HEAD / HTTP/3.0          HTTP/1.1 200 OK
Apache         HEAD / HTTP/3.0          HTTP/1.1 400 Bad Request
Table two
By testing a large number of mainstream HTTP servers on the market and summarising the results, a set of such feature templates is obtained. The returned packet is matched against them with a template matching algorithm: if it matches the features of a mainstream HTTP server the connection is allowed through; if it does not match, the connection is intercepted and an alert is raised.
This method detects malicious programs that use HTTP tunnels well, because an HTTP tunnel trojan neither can nor needs to simulate an HTTP server completely. In particular, for the handling of abnormal packets, the trojan's HTTP tunnel server cannot predict and return packets with the corresponding features. In addition, packets are filtered in advance by the traffic model, which reduces the workload of active probing and makes detection more efficient and accurate. Using this method to test several recently discovered trojans that use HTTP tunnels, the detection rate reached 100%.
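The decision flow S2 to S6 of Embodiment one, as an added Python example that is not part of the patent text. It replays constructed connection records and constructed probe responses instead of touching the network; the `Microsoft-IIS` and `Apache` banner prefixes, the 1,000,000-byte threshold and all addresses are assumptions, and only the two malformed-request statuses come from Table two.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REQUEST_LINE = re.compile(
    r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})(?: .*)?$")

# Feature templates: name -> (Server banner prefix, status returned to the
# malformed "HEAD / HTTP/3.0" request). The statuses are the rows of Table two;
# the banner prefixes are assumptions, since Table one is not on the page.
TEMPLATES: Dict[str, Tuple[str, int]] = {
    "IIS": ("Microsoft-IIS", 200),
    "Apache": ("Apache", 400),
}

@dataclass
class Connection:
    dest: str          # destination "ip:port"
    request_line: str  # first line of the client request
    status_line: str   # first line of the server response
    up_bytes: int      # upstream HTTP traffic of this connection
    down_bytes: int    # downstream HTTP traffic of this connection

def conforms_to_http(conn: Connection) -> bool:
    """S2: static check of both directions against the protocol grammar."""
    return bool(REQUEST_LINE.match(conn.request_line)
                and STATUS_LINE.match(conn.status_line))

def exceeds_threshold(up: int, down: int, threshold: int) -> bool:
    """S3: upstream must exceed downstream by at least the threshold."""
    return up > down and (up - down) >= threshold

def parse_response(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (status code, lower-cased headers) of a raw HEAD response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def match_template(normal: bytes, malformed: bytes) -> Optional[str]:
    """S4: the banner AND the malformed-request behaviour must both fit."""
    status, headers = parse_response(normal)
    bad_status, _ = parse_response(malformed)
    if status is None or bad_status is None:
        return None
    server = headers.get("server", "")
    for name, (banner, expected) in TEMPLATES.items():
        if server.startswith(banner) and bad_status == expected:
            return name
    return None

def classify(conn: Connection, probe: Callable[[str], Tuple[bytes, bytes]],
             threshold: int) -> str:
    if not conforms_to_http(conn):
        return "block"                      # S2 failed -> S6
    if not exceeds_threshold(conn.up_bytes, conn.down_bytes, threshold):
        return "allow"                      # S3 not exceeded -> S5, no probe
    normal, malformed = probe(conn.dest)    # S4: only flagged connections
    return "allow" if match_template(normal, malformed) else "block"

class RecordedProbe:
    """Stand-in for the active HEAD probe: replays constructed responses."""
    def __init__(self, responses: Dict[str, Tuple[bytes, bytes]]):
        self.responses, self.calls = responses, []
    def __call__(self, dest: str) -> Tuple[bytes, bytes]:
        self.calls.append(dest)
        return self.responses[dest]

# Constructed sample data (documentation address ranges).
APACHE_OK = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\n\r\n"
SAMPLE_RESPONSES = {
    # Genuine Apache behaviour: rejects the malformed request line.
    "198.51.100.10:80": (APACHE_OK,
                         b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4\r\n\r\n"),
    # Copies the Apache banner but answers the malformed request with 200.
    "203.0.113.66:80": (APACHE_OK, APACHE_OK),
}
SAMPLE_CONNECTIONS = [
    Connection("198.51.100.20:80", "GET /index.html HTTP/1.1", "HTTP/1.1 200 OK", 2_000, 500_000),
    Connection("198.51.100.10:80", "POST /upload HTTP/1.1", "HTTP/1.1 200 OK", 5_000_000, 20_000),
    Connection("203.0.113.66:80", "POST /upload HTTP/1.1", "HTTP/1.1 200 OK", 5_000_000, 20_000),
    Connection("203.0.113.67:80", "XFER 7f3a", "HTTP/1.1 200 OK", 5_000_000, 20_000),
]

def run_samples(threshold: int = 1_000_000) -> Tuple[List[str], List[str]]:
    probe = RecordedProbe(SAMPLE_RESPONSES)
    verdicts = [classify(c, probe, threshold) for c in SAMPLE_CONNECTIONS]
    return verdicts, probe.calls

if __name__ == "__main__":
    print(run_samples())
```

The third sample shows why the malformed-request check carries the weight: its banner alone would pass. Only two of the four connections reach the probe, which is the workload reduction the traffic filter is meant to give.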
Embodiment two:
The present invention also provides an HTTP tunnel active detection terminal device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor. When executing the computer program, the processor implements the steps of the above method embodiment of the present invention, for example the method steps shown in Fig. 1.
Further, as one practicable scheme, the HTTP tunnel active detection terminal device may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The HTTP tunnel active detection terminal device may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that the above composition is only an example of the HTTP tunnel active detection terminal device and does not limit it; the device may include more or fewer components than described above, may combine certain components, or may use different components. For example, the HTTP tunnel active detection terminal device may also include input/output devices, network access devices, a bus and so on; the embodiments of the present invention do not limit this.
Further, as one practicable scheme, the processor may be a central processing unit (Central Processing Unit, CPU), or another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and so on. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control centre of the HTTP tunnel active detection terminal device and connects the various parts of the whole device using various interfaces and lines.
The memory may be used to store the computer program and/or modules. The processor implements the various functions of the HTTP tunnel active detection terminal device by running or executing the computer program and/or modules stored in the memory and by calling data stored in the memory. The memory may mainly include a program storage area and a data storage area: the program storage area may store the operating system and the application programs needed for at least one function; the data storage area may store data created through use of the mobile phone, and so on. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory such as a hard disk, internal memory, a plug-in hard disk, a smart media card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, a flash card (Flash Card), at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage components.
The present invention also provides a computer-readable storage medium storing a computer program; the computer program implements the steps of the above method of the embodiments of the present invention when executed by a processor.
If the integrated modules/units of the HTTP tunnel active detection terminal device are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, all or part of the flow of the above method embodiments may also be completed by a computer program instructing the relevant hardware. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of each of the above method embodiments. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, some intermediate form, and so on. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), electrical carrier signals, telecommunication signals, software distribution media, and so on. It should be noted that the content included in the computer-readable medium may be increased or reduced as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
On the basis of the traditional HTTP tunnel detection method (checking packets in both directions against the HTTP protocol standard), the HTTP tunnel active detection method of the present invention further compares the volume of upstream and downstream traffic and their difference against a configured alert threshold. For network connections that match, the destination server is actively probed to determine whether it matches the fingerprint features of a mainstream HTTP server; if it matches, the packets are allowed through; if not, they are intercepted and an alert is raised. This allows a more accurate judgement of whether a connection is a malicious HTTP tunnel, and can even identify unknown APT attacks carried out against the intranet. Filtering by traffic first also reduces the workload of active probing, making detection more efficient and accurate.
Although the present invention has been specifically shown and described with reference to preferred embodiments, those skilled in the art should understand that various changes in form and detail may be made to the present invention without departing from the spirit and scope of the invention as defined by the appended claims, and that such changes fall within the scope of protection of the present invention.

Claims (7)

  1. An HTTP tunnel active detection method, characterised in that it comprises the following steps:
    S1: Monitor packets: continuously monitor the HTTP packets of network connections passing through the port until an HTTP packet is captured, then go to step S2;
    S2: Inspect the packet: perform static detection on the captured HTTP packet and determine whether it conforms to the HTTP protocol standard; if so, go to step S3; if not, go to step S6;
    S3: Compare the traffic of this connection: compare the upstream HTTP traffic and the downstream HTTP traffic of this connection and determine whether the traffic difference exceeds the threshold; if so, go to step S4; if not, go to step S5;
    S4: Probe the server: actively probe the destination server of this connection's packets and determine whether the destination server matches the fingerprint features of an HTTP server; if so, go to step S5; if not, go to step S6;
    S5: Allow the packets: let the packets of this connection pass, and return to step S1;
    S6: Intercept the packets: intercept the packets of this connection, raise an alert and write the corresponding log record, and return to step S1.
  2. The HTTP tunnel active detection method as claimed in claim 1, characterised in that: in S2, determining whether the packet conforms to the HTTP protocol standard is specifically: check whether the request command sent by the client to the server conforms to the HTTP protocol standard, and check whether the response message sent by the server to the client conforms to the HTTP protocol standard.
  3. The HTTP tunnel active detection method as claimed in claim 1, characterised in that: in S3, determining whether the traffic difference exceeds the threshold is specifically: if the upstream HTTP traffic exceeds the downstream HTTP traffic and the difference is greater than or equal to the threshold, the traffic difference is judged to exceed the threshold; if the upstream HTTP traffic exceeds the downstream HTTP traffic and the difference is less than the threshold, or the upstream HTTP traffic does not exceed the downstream HTTP traffic, the traffic difference is judged not to exceed the threshold.
  4. The HTTP tunnel active detection method as claimed in claim 1, characterised in that: in S4, actively probing the destination server of this connection's packets and determining whether the destination server matches the fingerprint features of an HTTP server is specifically: actively probe the destination server of this connection's packets by sending a HEAD request packet to the destination server, and match the features of the returned packet against HTTP server feature templates; if the match succeeds, the destination server matches the fingerprint features of an HTTP server; if the match fails, the destination server does not match the fingerprint features of an HTTP server.
  5. The HTTP tunnel active detection method as claimed in claim 4, characterised in that: in S4, the fingerprint features of an HTTP server include: the identifiers of the various HTTP server programs, and the way the HTTP server handles malformed HTTP headers.
  6. An HTTP tunnel active detection terminal device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that: the processor, when executing the computer program, implements the steps of the method as claimed in claims 1-5.
  7. A computer-readable storage medium storing a computer program, characterised in that: the computer program, when executed by a processor, implements the steps of the method as claimed in claims 1-5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710753460.5A CN107395637A (en) 2017-08-29 2017-08-29 Http tunnels active detecting method, terminal device and storage medium

Publications (1)

Publication Number Publication Date
CN107395637A true CN107395637A (en) 2017-11-24

Family

ID=60345472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710753460.5A Pending CN107395637A (en) 2017-08-29 2017-08-29 Http tunnels active detecting method, terminal device and storage medium

Country Status (1)

Country Link
CN (1) CN107395637A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109214189A (en) * 2018-08-22 2019-01-15 深圳市腾讯网络信息技术有限公司 Method, apparatus, storage medium and the electronic equipment of recognizer loophole
CN110311850A (en) * 2019-07-04 2019-10-08 北京天融信网络安全技术有限公司 A kind of network-based data processing method and electronic equipment
CN111327596A (en) * 2020-01-19 2020-06-23 深信服科技股份有限公司 Method and device for detecting hypertext transfer protocol tunnel and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102594825A (en) * 2012-02-22 2012-07-18 北京百度网讯科技有限公司 Method and device for detecting intranet Trojans
CN103731429A (en) * 2014-01-08 2014-04-16 深信服网络科技(深圳)有限公司 Method and device for web application vulnerability detection
CN105227599A (en) * 2014-06-12 2016-01-06 腾讯科技(深圳)有限公司 The recognition methods of Web application and device
CN105939342A (en) * 2016-03-31 2016-09-14 杭州迪普科技有限公司 HTTP attack detection method and device
US20170093917A1 (en) * 2015-09-30 2017-03-30 Fortinet, Inc. Centralized management and enforcement of online behavioral tracking policies
CN106888194A (en) * 2015-12-16 2017-06-23 国家电网公司 Intelligent grid IT assets security monitoring systems based on distributed scheduling
US20170223049A1 (en) * 2016-01-29 2017-08-03 Zenedge, Inc. Detecting Human Activity to Mitigate Attacks on a Host

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109214189A (en) * 2018-08-22 2019-01-15 深圳市腾讯网络信息技术有限公司 Method, apparatus, storage medium and the electronic equipment of recognizer loophole
CN109214189B (en) * 2018-08-22 2022-05-24 深圳市腾讯网络信息技术有限公司 Method, device, storage medium and electronic equipment for identifying program bugs
CN110311850A (en) * 2019-07-04 2019-10-08 北京天融信网络安全技术有限公司 A kind of network-based data processing method and electronic equipment
CN111327596A (en) * 2020-01-19 2020-06-23 深信服科技股份有限公司 Method and device for detecting hypertext transfer protocol tunnel and readable storage medium
CN111327596B (en) * 2020-01-19 2022-08-05 深信服科技股份有限公司 Method and device for detecting hypertext transfer protocol tunnel and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20171124
