CN107528826A - Detection method and device, terminal device and computer-readable storage medium for network attacks

Info

Publication number: CN107528826A
Authority: CN (China)
Prior art keywords: field, request data, value, target field, automaton
Legal status: Pending
Application number: CN201710613906.4A
Other languages: Chinese (zh)
Inventors: 刘超, 朱文雷, 吴雷, 李昌志, 刘金钊, 张酉夫, 李扬
Current assignee: Beijing Pulsar Technology Co., Ltd.
Original assignee: Beijing Chaitin Tech Co Ltd
Application filed by Beijing Chaitin Tech Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

Embodiments of the present invention provide a detection method and device, a terminal device and a computer-readable storage medium for network attacks, and relate to the technical field of network security. The network attack detection method includes: parsing a target field from request data; decoding the field value of the target field to obtain a decoded value of the target field; performing a risk pre-assessment of the request data according to the decoded value; and, if the risk pre-assessment determines that the request data carries a risk of network attack, performing attack detection on the request data. In the technical solution provided by the invention, a risk pre-assessment is performed on the request data before attack detection is carried out, so network attack detection on normal request data can be terminated in time, which improves the efficiency of network attack detection.

Description

Detection method and device, terminal device and the computer-readable storage medium of network attack
Technical field
The present invention relates to the technical field of network security, and in particular to a detection method and device, a terminal device and a computer-readable storage medium for network attacks.
Background technology
A Web application firewall (WAF) inspects the network requests sent to the Web applications it protects, finds the threats they contain, and raises an alarm or blocks the request accordingly. A WAF must not impair the functioning of the Web application it protects; that is, it has to meet requirements such as efficient detection, a low false-positive rate and a low false-negative rate. Existing detection techniques are mainly rule-based detection and detection based on syntactic analysis. With rule-based detection, regular expressions must be added and modified continually in order to detect new attacks or to reduce false positives, so the maintenance cost keeps rising and detection efficiency falls. Moreover, because attack patterns are extracted from known attack samples in order to produce detection rules, rule-based detection can hardly detect unknown attacks. Detection based on syntactic analysis solves some of the problems of rule-based detection to a certain extent, but it still has defects: for example, existing techniques perform no preliminary analysis of the request data, so a complex detection mechanism is applied to a large number of safe requests, which lowers the efficiency of network attack detection.
The content of the invention
Embodiments of the present invention provide a detection method and device, a terminal device and a computer storage medium for network attacks, in order to solve the above technical problem of the prior art.
In a first aspect, an embodiment of the present invention provides a method for detecting a network attack.
Specifically, the method includes:
parsing a target field from request data;
decoding the field value of the target field to obtain a decoded value of the target field;
performing a risk pre-assessment of the request data according to the decoded value;
if the risk pre-assessment determines that the request data carries a risk of network attack, performing attack detection on the request data.
Because in the present invention a risk pre-assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, which improves the efficiency of network attack detection.
With reference to the first aspect, in some implementations of the present invention, performing the risk pre-assessment of the request data according to the decoded value includes:
using an automaton to identify whether a network attack feature is present in the decoded value;
if a network attack feature is present in the decoded value, determining that the request data carries a risk of network attack.
With reference to the first aspect, in some implementations of the present invention, parsing a target field from request data includes:
parsing the target field from the request data by means of an automaton.
Because in the present invention the request data is parsed by an automaton, the parsing of request data can be performed efficiently.
With reference to the first aspect, in some implementations of the present invention, parsing the target field from the request data by means of an automaton includes:
parsing the target field directly from the request data by means of a first automaton.
With reference to the first aspect, in some implementations of the present invention, parsing the target field from the request data by means of an automaton includes:
parsing a carrier field from the request data by means of a first automaton;
parsing the target field from the field value of the carrier field by means of a second automaton.
With reference to the first aspect, in some implementations of the present invention, the method further includes:
building the first automaton based on the communication standard corresponding to the request data.
With reference to the first aspect, in some implementations of the present invention, the method further includes:
building the second automaton based on the communication standard corresponding to the carrier field.
With reference to the first aspect, in some implementations of the present invention, building the second automaton based on the communication standard corresponding to the carrier field includes:
determining one or more request body communication standards from the dimension of content type;
building one or more second automata corresponding to the one or more request body communication standards.
With reference to the first aspect, in some implementations of the present invention, parsing the target field from the field value of the carrier field by means of the second automaton includes:
determining the suspected content type of the request body field;
selecting a second automaton according to the suspected content type;
parsing the target field from the field value of the request body field by means of the selected second automaton.
Because the present invention analyzes the possible content type of the request body and performs the parsing that corresponds to the content type found, it effectively prevents an attacker from using the protocol to bypass attack detection.
With reference to the first aspect, in some implementations of the present invention, determining the suspected content type of the request body field includes:
matching the field value of the request body field against a media format feature set;
determining the suspected content type of the request body field according to the media format feature that matches.
With reference to the first aspect, in some implementations of the present invention, decoding the field value of the target field to obtain the decoded value of the target field includes:
performing depth decoding on the field value of the target field to obtain the resulting decoded value of the target field.
Because in the present invention depth decoding is performed on the field value of the target field in the request data, multi-layer encoding can be handled effectively, decoding capability is improved, and in turn the accuracy of network attack detection is improved.
With reference to the first aspect, in some implementations of the present invention, performing depth decoding on the field value of the target field includes:
performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
judging whether the intermediate decoded value requires a further decoding operation;
if a further decoding operation is required, performing a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field, and returning to the step of judging whether the intermediate decoded value requires a further decoding operation.
With reference to the first aspect, in some implementations of the present invention, performing depth decoding on the field value of the target field further includes:
if no further decoding operation is required, determining that the intermediate decoded value is the resulting decoded value.
With reference to the first aspect, in some implementations of the present invention, judging whether the intermediate decoded value requires a further decoding operation includes:
updating a multi-layer encoding possibility parameter of the target field according to the encoding mode corresponding to the intermediate decoded value;
judging, according to the comparison between the updated multi-layer encoding possibility parameter and a set threshold, whether the intermediate decoded value requires a further decoding operation.
Because in the present invention the possibility of the current multi-layer encoding is assessed before a decoding operation is performed on an intermediate decoded value, depth decoding with a low possibility can be terminated in time, which improves decoding efficiency.
With reference to the first aspect, in some implementations of the present invention, updating the multi-layer encoding possibility parameter of the target field according to the encoding mode corresponding to the intermediate decoded value includes:
determining a weight value of the encoding mode according to an encoding tree;
updating the multi-layer encoding possibility parameter according to the weight value.
With reference to the first aspect, in some implementations of the present invention, the method further includes:
building the encoding tree based on network traffic data and the processing mechanism of the Web application.
With reference to the first aspect, in some implementations of the present invention, performing a decoding operation on the field value of the target field includes:
matching the field value against an encoding feature set;
performing on the field value the decoding operation corresponding to the encoding feature that matches.
Because in the present invention the field value is matched against an encoding feature set, the encoding mode can be analyzed intelligently, which ensures a good decoding result.
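As an added illustration of the depth-decoding loop described above (this is example code written for this page, not code from the patent), the following Python shows one way to implement it: the current value is matched against an encoding feature set, the multi-layer encoding possibility parameter is multiplied by a weight taken from an encoding tree and compared with a threshold, and only then is one more layer decoded. The feature patterns, the tree weights, the threshold, the helper names and the sample values are all assumptions made for this example; the patent builds the tree from traffic data and the Web application's own handling, which is replaced here by typed-in pairwise weights.

```python
import base64
import binascii
import html
import re
import urllib.parse

# Encoding feature set (constructed for this example): each entry names an encoding
# mode, a pattern that recognises it in a field value, and the matching decoder.
# Ordering matters: the first feature that matches is the one decoded.
CODING_FEATURES = [
    ("url", re.compile(r"%[0-9A-Fa-f]{2}"), urllib.parse.unquote),
    ("html_entity", re.compile(r"&(#\d+|#x[0-9A-Fa-f]+|[a-z]+);"), html.unescape),
    ("base64", re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$"),
     lambda s: base64.b64decode(s, validate=True).decode("utf-8")),
]

# Encoding tree reduced to pairwise weights (hypothetical values): the weight of
# finding encoding `inner` directly underneath encoding `outer`.
CODE_TREE = {
    ("url", "url"): 0.6,          # double URL-encoding is a common layering
    ("url", "base64"): 0.5,
    ("url", "html_entity"): 0.4,
    ("html_entity", "url"): 0.3,
    ("base64", "url"): 0.5,
    ("base64", "base64"): 0.2,
}
DEFAULT_WEIGHT = 0.05   # pair absent from the tree: treated as very unlikely
THRESHOLD = 0.15        # stop once the possibility parameter falls below this


def match_coding(value):
    """Match a field value against the encoding feature set; return
    (encoding_name, decoder) for the first matching feature, or None."""
    for name, pattern, decoder in CODING_FEATURES:
        if pattern.search(value):
            return name, decoder
    return None


def deep_decode(value, threshold=THRESHOLD):
    """Depth decoding of one target field value.

    Each round recognises the encoding mode of the current (intermediate) value,
    updates the multi-layer encoding possibility parameter from the tree weight,
    compares it with the threshold, and either decodes one more layer or stops.
    Returns (resulting_decoded_value, layers_removed, final_possibility).
    """
    possibility = 1.0
    layers = []
    current = value
    outer = None
    while True:
        matched = match_coding(current)
        if matched is None:
            break                      # no encoding feature: this is the result value
        name, decoder = matched
        weight = 1.0 if outer is None else CODE_TREE.get((outer, name), DEFAULT_WEIGHT)
        possibility *= weight
        if possibility < threshold:
            break                      # another layer is unlikely: stop early
        try:
            decoded = decoder(current)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            break                      # feature matched but the value does not decode
        if decoded == current:
            break                      # nothing changed: guard against looping
        layers.append(name)
        current, outer = decoded, name
    return current, tuple(layers), possibility


# Encoders used only to construct sample inputs for this example.
ENCODERS = {
    "url": lambda s: urllib.parse.quote(s, safe=""),
    "html_entity": html.escape,
    "base64": lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii"),
}


def encode_layers(plain, layers):
    """Apply the named encodings in order (the first name is the innermost layer)."""
    value = plain
    for name in layers:
        value = ENCODERS[name](value)
    return value


if __name__ == "__main__":
    # Constructed samples: double URL-encoding, double base64, and three layers
    # where the tree weight drives the possibility below the threshold.
    for sample in ("%2527%2520or%25201%253D1",
                   encode_layers("<script>", ["base64", "base64"]),
                   encode_layers("<script>", ["url", "base64", "base64"])):
        print(sample, "->", deep_decode(sample))
```

Two points are worth noticing when running this. A feature set this loose will mistake an ordinary eight-letter word such as `password` for base64; the decoder rejects it (the bytes are not valid UTF-8) and the loop stops, so the value is passed on unchanged, but a production feature set needs stricter patterns. And the threshold is the cost control the text describes: on the three-layer sample the loop removes two base64 layers and then refuses the URL layer because the tree weight has pushed the parameter to 0.1, returning the intermediate value rather than spending a further round.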
In a second aspect, an embodiment of the present invention provides a device for detecting a network attack.
Specifically, the device includes:
a parsing module for parsing a target field from request data;
a decoding module for decoding the field value of the target field to obtain a decoded value of the target field;
a risk pre-assessment module for performing a risk pre-assessment of the request data according to the decoded value;
a detection module for performing attack detection on the request data when the risk pre-assessment determines that the request data carries a risk of network attack.
Because in the present invention a risk pre-assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, which improves the efficiency of network attack detection.
With reference to the second aspect, in some implementations of the present invention, the risk pre-assessment module includes:
an identification unit for using an automaton to identify whether a network attack feature is present in the decoded value;
a risk determination unit for determining that the request data carries a risk of network attack when a network attack feature is present in the decoded value.
With reference to the second aspect, in some implementations of the present invention, the parsing module is configured to parse the target field from the request data in the following way: parsing the target field from the request data by means of an automaton.
Because in the present invention the request data is parsed by an automaton, the parsing of request data can be performed efficiently.
With reference to the second aspect, in some implementations of the present invention, the parsing module is configured to parse the target field from the request data by means of an automaton in the following way: parsing the target field directly from the request data by means of a first automaton.
With reference to the second aspect, in some implementations of the present invention, the parsing module includes:
a carrier field parsing unit for parsing a carrier field from the request data by means of a first automaton;
a target field parsing unit for parsing the target field from the field value of the carrier field by means of a second automaton.
With reference to the second aspect, in some implementations of the present invention, the device further includes:
a first automaton building module for building the first automaton based on the communication standard corresponding to the request data.
With reference to the second aspect, in some implementations of the present invention, the device further includes:
a second automaton building module for building the second automaton based on the communication standard corresponding to the carrier field.
With reference to the second aspect, in some implementations of the present invention, the second automaton building module includes:
a communication standard determination unit for determining one or more request body communication standards from the dimension of content type;
a building unit for building one or more second automata corresponding to the one or more request body communication standards.
With reference to the second aspect, in some implementations of the present invention, the target field parsing unit includes:
a content type determination component for determining the suspected content type of the request body field;
a selection component for selecting a second automaton according to the suspected content type;
a parsing component for parsing the target field from the field value of the request body field by means of the selected second automaton.
Because the present invention analyzes the possible content type of the request body and performs the parsing that corresponds to the content type found, it effectively prevents an attacker from using the protocol to bypass attack detection.
With reference to the second aspect, in some implementations of the present invention, the content type determination component includes:
a matching sub-component for matching the field value of the request body field against a media format feature set;
a determination sub-component for determining the suspected content type of the request body field according to the media format feature that matches.
With reference to the second aspect, in some implementations of the present invention, the decoding module is configured to decode the field value of the target field to obtain the decoded value of the target field in the following way: performing depth decoding on the field value of the target field to obtain the resulting decoded value of the target field.
Because in the present invention depth decoding is performed on the field value of the target field in the request data, multi-layer encoding can be handled effectively, decoding capability is improved, and in turn the accuracy of network attack detection is improved.
With reference to the second aspect, in some implementations of the present invention, the decoding module includes:
a first decoding unit for performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
a judging unit for judging whether the intermediate decoded value requires a further decoding operation;
a second decoding unit for performing, when a further decoding operation is required, a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field.
With reference to the second aspect, in some implementations of the present invention, the decoding module further includes:
a resulting decoded value determination unit for determining, when no further decoding operation is required, that the intermediate decoded value is the resulting decoded value.
With reference to the second aspect, in some implementations of the present invention, the judging unit includes:
an update component for updating the multi-layer encoding possibility parameter of the target field according to the encoding mode corresponding to the intermediate decoded value;
a determination component for judging, according to the comparison between the updated multi-layer encoding possibility parameter and a set threshold, whether the intermediate decoded value requires a further decoding operation.
Because in the present invention the possibility of the current multi-layer encoding is assessed before a decoding operation is performed on an intermediate decoded value, depth decoding with a low possibility can be terminated in time, which improves decoding efficiency.
With reference to the second aspect, in some implementations of the present invention, the update component includes:
a weight determination sub-component for determining the weight value of the encoding mode according to an encoding tree;
an update sub-component for updating the multi-layer encoding possibility parameter according to the weight value.
With reference to the second aspect, in some implementations of the present invention, the device further includes:
a building module for building the encoding tree based on network traffic data and the processing mechanism of the Web application.
With reference to the second aspect, in some implementations of the present invention, the first decoding unit includes:
a matching component for matching the field value against an encoding feature set;
a decoding component for performing on the field value the decoding operation corresponding to the encoding feature that matches.
Because in the present invention the field value is matched against an encoding feature set, the encoding mode can be analyzed intelligently, which ensures a good decoding result.
In a third aspect, an embodiment of the present invention provides a terminal device.
The terminal device includes a memory and a processor, wherein
the memory is used to store one or more computer instructions which, when executed by the processor, implement any of the network attack detection methods described above.
Because in the present invention a risk pre-assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, which improves the efficiency of network attack detection.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium.
The computer-readable storage medium is used to store one or more computer instructions which, when executed, implement any of the network attack detection methods described above.
Because in the present invention a risk pre-assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, which improves the efficiency of network attack detection.
These and other aspects of the invention will be more readily understood from the detailed description below.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the network attack detection method according to method embodiment 1 of the present invention;
Fig. 2 shows an implementation of processing S3 shown in Fig. 1;
Fig. 3 is a schematic structural diagram of a finite-state automaton according to an embodiment of the present invention;
Fig. 4 shows an implementation of processing S1 shown in Fig. 1;
Fig. 5 shows an implementation of processing S12 shown in Fig. 4;
Fig. 6 shows an implementation of processing S121 shown in Fig. 5;
Fig. 7 shows an implementation of processing S2 shown in Fig. 1;
Fig. 8 shows an implementation of processing S22 shown in Fig. 7;
Fig. 9 shows an implementation of processing S221 shown in Fig. 8;
Fig. 10 shows an implementation of processing S21 shown in Fig. 7;
Fig. 11 is a schematic structural diagram of the network attack detection device according to product embodiment 1 of the present invention;
Fig. 12 shows an implementation of the risk pre-assessment module 13 shown in Fig. 11;
Fig. 13 is a schematic structural diagram of the network attack detection device according to product embodiment 4 of the present invention;
Fig. 14 shows an implementation of the parsing module 12 shown in Fig. 13;
Fig. 15 is a schematic structural diagram of the network attack detection device according to product embodiment 5 of the present invention;
Fig. 16 shows an implementation of the second automaton building module 17' shown in Fig. 15;
Fig. 17 shows an implementation of the target field parsing unit 122' shown in Fig. 14;
Fig. 18 shows an implementation of the content type determination component 1221' shown in Fig. 17;
Fig. 19 shows an implementation of the decoding module 12 shown in Fig. 11;
Fig. 20 shows an implementation of the judging unit 122 shown in Fig. 19;
Fig. 21 shows an implementation of the update component 1221 shown in Fig. 20;
Fig. 22 shows an implementation of the first decoding unit 121 shown in Fig. 19.
Embodiment
Various aspects of the present invention are described in detail below with reference to the drawings and specific embodiments. In the embodiments of the present invention, well-known operating procedures, program modules, units and their interconnections, links, communications or operations are not shown or described in detail.
Moreover, the described features, architectures or functions may be combined in any way in one or more embodiments.
In addition, those skilled in the art will appreciate that the embodiments below serve only as examples and do not limit the scope of the invention. Those skilled in the art will also readily understand that the program modules, units or steps in the embodiments described herein and shown in the drawings can be combined and designed in a variety of different configurations.
Unless otherwise specified, technical terms not specifically explained in this specification should be interpreted in their broadest meaning in the field.
Some of the flows described in this specification, the claims and the drawings above contain multiple operations that occur in a particular order, but it should be clearly understood that these operations may be performed in an order other than the one given here, or in parallel. Operation labels such as 101 and 102 serve only to distinguish the different operations and do not themselves represent any execution order. In addition, these flows may include more or fewer operations, and these operations may be performed sequentially or in parallel. It should be noted that terms such as "first" and "second" herein are used to distinguish different messages, devices, modules and so on; they do not represent an order, nor do they require the "first" and "second" items to be of different types.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention rather than all of them. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
【Method embodiment 1】
Fig. 1 is a flow chart of the network attack detection method according to method embodiment 1 of the present invention. Referring to Fig. 1, in this embodiment the method includes:
S1: parse a target field from the request data.
S2: decode the field value of the target field to obtain a decoded value of the target field.
S3: perform a risk pre-assessment of the request data according to the decoded value. If the risk pre-assessment determines that the request data carries a risk of network attack, perform S4; if it determines that the request data carries no risk of network attack, terminate the current process.
S4: perform attack detection on the request data.
The request data is, for example, an HTTP (HyperText Transfer Protocol) request.
A field value is the value of a certain field in the request data. For example, "GET" is the field value of the method field of the request data.
A decoded value is the decoding result obtained by decoding a certain field value in the request data.
Because in the present invention a risk pre-assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, which improves the efficiency of network attack detection.
【Method embodiment 2】
The method that present embodiment is provided includes the full content in method embodiment 1, will not be repeated here.Such as figure Shown in 2, in the present embodiment, processing S3 is accomplished by the following way:
S31:It whether there is network attack characteristic using the automatic machine identification solution code value.If so, S32 is then performed, if it is not, Then perform S33.
S32:Determine that the request data has the risk of network attack.
S33:Determine that the risk of network attack is not present in the request data.
The network attack characteristic is, for example, key structure specific to certain network attack, for example, operation expression " 1or 1=1 ", HTML (HyperText Markup Language, HyperText Markup Language) label "<Script " or SQL (Structured Query Language, SQL) keyword etc..
In the present embodiment, if the automatic machine identifies solution there is network attack characteristic in code value, records and exists Network attack characteristic corresponding to network attack type, in order to subsequently during attack detecting is carried out, for automatic machine The network attack type recorded targetedly performs attack detecting.
In addition, specifically, the automatic machine is, for example, the deterministic limited shape constructed based on various network attack characteristics State automatic machine, it is possible thereby to which realizing only needs single pass to analyze all network attack types that may be present.
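The following Python is an added example written for this page, not code from the patent, of the pre-assessment in S31–S33 and of how it gates S4. A deterministic automaton is built from attack feature strings with the Aho-Corasick construction (one standard way to obtain a single-pass multi-pattern matcher; the patent does not name a construction), scans each decoded value once, and records the attack types whose features occurred. Only flagged fields are passed to the heavier rules, and those rules run only for the recorded types. The feature strings, attack type names, detailed rules and sample values are all constructed for this example.

```python
import re
from collections import deque


class AttackFeatureAutomaton:
    """Deterministic automaton over a set of attack feature strings.

    Aho-Corasick construction: a trie of the features plus failure links, so a
    single linear scan of a decoded value reports every attack type whose feature
    occurs anywhere in it. Matching is case-insensitive.
    """

    def __init__(self, features):
        self.goto = [{}]        # goto[state] = {char: next_state}
        self.out = [set()]      # attack types recorded when a state is reached
        self.fail = [0]         # fallback state when no transition exists
        for text, attack_type in features:
            self._add(text.lower(), attack_type)
        self._build_failure_links()

    def _add(self, text, attack_type):
        state = 0
        for ch in text:
            nxt = self.goto[state].get(ch)
            if nxt is None:
                self.goto.append({})
                self.out.append(set())
                self.fail.append(0)
                nxt = len(self.goto) - 1
                self.goto[state][ch] = nxt
            state = nxt
        self.out[state].add(attack_type)

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())      # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit matches of the suffix

    def scan(self, text):
        """One pass over the text; returns the set of attack types found."""
        found = set()
        state = 0
        for ch in text.lower():
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            found |= self.out[state]
        return found


# Attack features (constructed, in the spirit of the examples in the text).
ATTACK_FEATURES = [
    ("or 1=1", "sqli"),
    ("union select", "sqli"),
    ("' or '", "sqli"),
    ("<script", "xss"),
    ("javascript:", "xss"),
    ("onerror=", "xss"),
    ("../", "path_traversal"),
]
AUTOMATON = AttackFeatureAutomaton(ATTACK_FEATURES)

# Heavier rules for S4, keyed by attack type, so S4 runs only the rules for the
# types the automaton recorded (constructed; a real WAF would use its full engine).
DETAILED_RULES = {
    "sqli": re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+(?:all\s+)?select\b"),
    "xss": re.compile(r"(?i)<script[\s>]|javascript:|\bon\w+\s*="),
    "path_traversal": re.compile(r"(?:^|[\\/])\.\.[\\/]"),
}


def risk_pre_check(decoded_value):
    """S31-S33: one pass of the automaton over a decoded value.
    Returns (has_risk, recorded_attack_types)."""
    types = AUTOMATON.scan(decoded_value)
    return bool(types), frozenset(types)


def detect(decoded_fields):
    """S3 gating S4 over the decoded target fields of one request (name -> value).
    Fields cleared by the pre-check never reach the detailed rules."""
    report = {"inspected": 0, "deep_checked": 0, "findings": {}}
    for name, value in decoded_fields.items():
        report["inspected"] += 1
        risky, types = risk_pre_check(value)
        if not risky:
            continue                    # S33: normal field, processing ends here
        report["deep_checked"] += 1     # S4 runs only for flagged fields
        confirmed = sorted(t for t in types if DETAILED_RULES[t].search(value))
        if confirmed:
            report["findings"][name] = confirmed
    return report


if __name__ == "__main__":
    # Constructed, already-decoded field values from one request.
    sample = {"q": "' or 1=1 --", "name": "alice",
              "comment": "<script>alert(1)</script>",
              "file": "../../secret.txt", "page": "2"}
    print(detect(sample))
```

The pre-check is deliberately permissive: a value such as `color 1=1` contains the feature `or 1=1` and is flagged, but the word-boundary rule in S4 does not confirm it, so the cost of a loose feature is one extra rule evaluation rather than a false positive. The benefit the text claims shows in the counters of the report: on the sample above five fields are inspected but only three reach the detailed rules.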
【Method embodiment 3】
The method provided in the present embodiment includes the full content of method embodiment 1 or method embodiment 2, which is not repeated here. In the present embodiment, processing S1 is implemented as follows:
The target field is parsed from the request data by an automaton.
The automaton completes its scan of the entire request data in linear time and analyses each constituent part of the request data for the subsequent detection processing.
The operation of the automaton in the present embodiment is described below, taking a finite-state automaton as an example.
A finite-state automaton consists of state nodes and transition arcs. Each transition arc is a directed edge from one state node to another, and the label on the arc means that if the automaton receives that label as input while in the former state, it transfers to the latter state. As shown in Figure 3, the automaton starts in the initial state, state 1; on receiving the input "G" it transfers to state 2; once the input string "GET" has been received from the initial state, state 4 is reached, and during the transition from state 3 to state 4 the request method, "GET", is recorded.
Because the present invention parses the request data by means of an automaton, the parsing of the request data can be executed efficiently.
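The linear-time parse described around Figure 3, as an added example that is not the patent's own code: a state machine walks the raw request text once, and the characters consumed in each state are recorded as a field when a delimiter moves it to the next state (method, path, version, each header, body). The body it records is the kind of carrier field that the following embodiment hands to a second automaton. State names and the sample request are this example's own constructions.

```python
"""Linear-time automaton that splits raw HTTP request data into fields.

Added example, not code from the patent. Each state consumes characters until
a delimiter transfers the automaton to the next state; the consumed text is
recorded as the field for that state.
"""

# States of the automaton (names are this example's own).
METHOD, PATH, VERSION, HDR_NAME, HDR_VALUE, BODY = range(6)

# Constructed sample request used by the usage below.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&pass=%2527"
)


def parse_request(raw):
    """Return the fields found by a single pass over the request text."""
    fields = {"method": "", "path": "", "version": "", "headers": {}, "body": ""}
    state = METHOD
    buf = ""      # characters consumed in the current state
    name = ""     # header name waiting for its value
    i, n = 0, len(raw)
    while i < n:
        ch = raw[i]
        if state == METHOD:                 # state 1.. until the first space
            if ch == " ":
                fields["method"], buf, state = buf, "", PATH
            else:
                buf += ch
        elif state == PATH:
            if ch == " ":
                fields["path"], buf, state = buf, "", VERSION
            else:
                buf += ch
        elif state == VERSION:
            if ch == "\n":
                fields["version"], buf, state = buf.rstrip("\r"), "", HDR_NAME
            else:
                buf += ch
        elif state == HDR_NAME:
            if ch == "\n":                  # empty line: headers end, body begins
                buf, state = "", BODY
            elif ch == ":":
                name, buf, state = buf, "", HDR_VALUE
            elif ch != "\r":
                buf += ch
        elif state == HDR_VALUE:
            if ch == "\n":
                fields["headers"][name.lower()] = buf.strip()
                buf, state = "", HDR_NAME
            else:
                buf += ch
        else:                               # BODY: the remainder is the body
            fields["body"] = raw[i:]
            break
        i += 1
    return fields
```

Each input character is examined exactly once and no backtracking occurs, which is what makes the cost linear in the request length; a header line without a colon ends the header section in this simplified automaton, which a production parser would instead report as malformed.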
【Method embodiment 4】
The method provided in the present embodiment includes the full content of method embodiment 3, which is not repeated here. Here, the direct carrier of the target field may be the request data itself, or a field value within the request data.
If the direct carrier of the target field is the request data, processing S1 is implemented as follows:
The target field is parsed directly from the request data by a first automaton.
Correspondingly, in the method provided in the present embodiment, the first automaton is built on the basis of the communication standard corresponding to the request data.
As shown in Figure 4, if the direct carrier of the target field is a field value within the request data, processing S1 is implemented as follows:
S11: A carrier field (the field of the request data that contains the target field) is parsed from the request data by the first automaton.
S12: The target field is parsed from the field value of the carrier field by a second automaton.
Correspondingly, in the method provided in the present embodiment, the second automaton is built on the basis of the communication standard corresponding to the carrier field.
The carrier field includes, for example, a request body field; correspondingly, building the second automaton on the basis of the communication standard corresponding to the carrier field includes:
(1) determining, from the dimension of content type, one or more request body communication standards;
(2) building one or more second automata corresponding to the one or more request body communication standards.
【Method embodiment 5】
The method provided in the present embodiment includes the full content of method embodiment 4, which is not repeated here. As shown in Figure 5, S12 includes the following processing:
S121: The suspected content type of the request body field (the possible content type of the request body field) is determined.
S122: A second automaton is selected according to the suspected content type.
S123: The target field is parsed from the field value of the request body field by the selected second automaton.
Because the present invention analyses the possible content type of the request body and performs the parsing processing corresponding to the analysed content type, it can effectively prevent an attacker from bypassing attack detection by exploiting the protocol.
【Method embodiment 6】
The method provided in the present embodiment includes the full content of method embodiment 5, which is not repeated here. As shown in Figure 6, in the present embodiment processing S121 is implemented as follows:
S1211: The field value of the request body field is matched against the configured set of media format features.
S1212: The suspected content type of the request body field is determined according to the media format feature that matched successfully.
A media format feature is a structural feature of an Internet media format, for example the JSON (JavaScript Object Notation, a lightweight data interchange format) format, the XML (Extensible Markup Language) format, or the form format.
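Processing S121 to S123 and S1211 to S1212 together, as an added example that is not the patent's own code: the body is matched against structural features of JSON, XML and form bodies rather than trusting the Content-Type header, every media format whose features match is treated as a suspected content type, and a second-stage parser chosen for each suspected type extracts the target fields. The feature tests, the three parsers and the sample bodies are this example's own constructions.

```python
"""Suspected content type by structural features, then parser selection.

Added example, not code from the patent. A body that merely looks like a
format but fails to parse ends that path; the other suspected types are
still parsed.
"""
import json
import re
from urllib.parse import parse_qsl
from xml.etree import ElementTree

# Media format feature set (constructed): content type -> structural test.
MEDIA_FEATURES = {
    "json": lambda b: b.lstrip()[:1] in ("{", "["),
    "xml": lambda b: b.lstrip().startswith("<"),
    "form": lambda b: re.fullmatch(
        r"[^=&\s]+=[^&\s]*(&[^=&\s]+=[^&\s]*)*", b.strip()) is not None,
}


def suspected_content_types(body):
    """S121/S1211/S1212: every media format whose features the body matches."""
    return [ctype for ctype, test in MEDIA_FEATURES.items() if test(body)]


def parse_json_fields(body):
    """Second automaton for JSON: flatten nested values to name -> value."""
    fields = {}

    def walk(node, prefix):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{prefix}.{key}" if prefix else key)
        elif isinstance(node, list):
            for idx, val in enumerate(node):
                walk(val, f"{prefix}[{idx}]")
        else:
            fields[prefix] = node

    walk(json.loads(body), "")
    return fields


def parse_xml_fields(body):
    """Second automaton for XML: element text and attributes as fields."""
    fields = {}
    for elem in ElementTree.fromstring(body).iter():
        if elem.text and elem.text.strip():
            fields[elem.tag] = elem.text.strip()
        for key, val in elem.attrib.items():
            fields[f"{elem.tag}@{key}"] = val
    return fields


def parse_form_fields(body):
    """Second automaton for application/x-www-form-urlencoded bodies."""
    return dict(parse_qsl(body, keep_blank_values=True))


# One second automaton per request body communication standard.
SECOND_AUTOMATA = {"json": parse_json_fields, "xml": parse_xml_fields, "form": parse_form_fields}


def extract_target_fields(body):
    """S122/S123: parse with the second automaton of each suspected type."""
    result = {}
    for ctype in suspected_content_types(body):
        try:
            result[ctype] = SECOND_AUTOMATA[ctype](body)
        except (ValueError, ElementTree.ParseError):
            continue   # only looked like this format; other suspected types go on
    return result
```

Because the decision is made on the body's own structure, a request that declares one content type in its header while carrying another format in the body is still parsed as what it is, which is the bypass the embodiment is aimed at. A body matching more than one feature (a JSON value containing "=" also satisfies the form test) is parsed in every suspected way, so no interpretation the back-end might choose is missed. The standard-library XML parser is used here for brevity; a production deployment would parse untrusted XML with entity expansion disabled.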
【Method embodiment 7】
The method provided in the present embodiment includes the full content of any one of method embodiment 1 to method embodiment 6, which is not repeated here. In the present embodiment, S2 is implemented as follows:
Depth decoding is performed on the field value of the target field to obtain the result decoded value of the target field.
The result decoded value is the decoding result finally obtained after depth decoding has been performed on a certain field value in the request data.
Because the present invention performs depth decoding on the field value of the target field in the request data, it can effectively handle cases of multi-layer encoding, which improves the decoding capability and in turn the accuracy of network attack detection.
【Method embodiment 8】
The method provided in the present embodiment includes the full content of method embodiment 6, which is not repeated here. As shown in Figure 7, in the present embodiment processing S2 is implemented as follows:
S21: A decoding operation is performed on the field value of the target field to obtain an intermediate decoded value of the target field.
S22: It is judged whether the intermediate decoded value needs a further decoding operation. If so, S23 is performed; if not, S24 is performed.
S23: A decoding operation is performed on the intermediate decoded value to obtain another intermediate decoded value of the target field, and processing returns to S22.
S24: The intermediate decoded value is determined to be the result decoded value.
An intermediate decoded value is a decoding result obtained during depth decoding.
【Method embodiment 9】
The method provided in the present embodiment includes the full content of method embodiment 8, which is not repeated here. As shown in Figure 8, in the present embodiment processing S22 is implemented as follows:
S221: The multi-layer encoding possibility parameter of the target field is updated according to the coding scheme corresponding to the intermediate decoded value.
S222: Whether the intermediate decoded value needs a further decoding operation is judged according to the result of comparing the updated multi-layer encoding possibility parameter with a set threshold.
Because the present invention first assesses the possibility of the current multi-layer encoding before performing a decoding operation on the intermediate decoded value, depth decoding of low possibility can be terminated in time, which improves decoding efficiency.
【Method embodiment 10】
The method provided in the present embodiment includes the full content of method embodiment 9, which is not repeated here. As shown in Figure 9, in the present embodiment processing S221 is implemented as follows:
S2211: The weight value of the coding scheme is determined according to a code tree.
S2212: The multi-layer encoding possibility parameter is updated according to the weight value.
In the code tree, each node is a coding scheme that is possible under its parent node, and the node describes the weight value of the corresponding coding scheme. The code tree may be built on the basis of network traffic data and the processing mechanisms of web applications. Using the code tree, a possibility assessment value can be obtained for each combination of multi-layer encodings, and by comparing this assessment value with the set threshold it can be judged whether a further decoding operation is still needed.
【Method embodiment 11】
The method provided in the present embodiment includes the full content of any one of method embodiment 8 to method embodiment 10, which is not repeated here. As shown in Figure 10, in the present embodiment processing S21 is implemented as follows:
S211: The field value is matched against the configured set of coding features.
S212: The decoding operation corresponding to the coding feature that matched successfully is performed on the field value.
A coding feature is, for example, a coding symbol distinctive of a certain coding scheme, such as "%".
If a certain decoding operation fails, the corresponding decoding path is terminated, but the other possible decoding schemes are still attempted.
Because the present invention matches the field value against the configured set of coding features, the coding scheme can be analysed intelligently, which ensures a good decoding result.
Of course, those skilled in the art may also perform the decoding operation on an intermediate decoded value in a similar manner; specifically, the intermediate decoded value is matched against the configured set of coding features, and the decoding operation corresponding to the coding feature that matched successfully is performed on the intermediate decoded value.
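Method embodiments 8 to 11 together (S21 to S24, S221 to S222, S2211 to S2212 and S211 to S212), as an added example that is not the patent's own code: each value is matched against a coding feature set, the decoding operation of every matching coding is attempted, a failed operation ends only its own path, and before each further layer the multi-layer encoding possibility parameter is multiplied by the code tree weight of the (previous coding, next coding) pair and compared with a threshold. The feature tests, the three decoders, the tree weights, the threshold and the sample values are this example's own assumptions; in particular the tree weights are made up and would in practice be derived from traffic data as the text describes.

```python
"""Depth decoding with a coding feature set, a code tree and a possibility threshold.

Added example, not code from the patent. Possibility starts at 1.0 and is
multiplied by a code tree weight per layer, so long chains of unlikely
encodings fall under the threshold and are cut off.
"""
import base64
import binascii
import html
import re
from urllib.parse import unquote

# Coding feature set (constructed): coding scheme -> test for its distinctive symbols.
CODING_FEATURES = {
    "url": lambda v: re.search(r"%[0-9A-Fa-f]{2}", v) is not None,
    "html": lambda v: re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[a-z]+);", v) is not None,
    "base64": lambda v: len(v) >= 8 and len(v) % 4 == 0
    and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v) is not None,
}

# Code tree (constructed weights): parent coding -> {child coding: weight}.
# None is the root, i.e. the weight of a coding as the outermost layer.
CODE_TREE = {
    None: {"url": 0.9, "html": 0.6, "base64": 0.5},
    "url": {"url": 0.7, "html": 0.6, "base64": 0.5},
    "html": {"url": 0.5, "html": 0.2, "base64": 0.3},
    "base64": {"url": 0.6, "html": 0.4, "base64": 0.2},
}
THRESHOLD = 0.1   # assumed set threshold for the possibility parameter


def decode_once(coding, value):
    """S212: one decoding operation; returns None when the operation fails."""
    try:
        if coding == "url":
            out = unquote(value, errors="strict")
        elif coding == "html":
            out = html.unescape(value)
        else:
            out = base64.b64decode(value, validate=True).decode("utf-8")
    except (UnicodeDecodeError, binascii.Error, ValueError):
        return None
    return out if out != value else None   # nothing was decoded: treat as failure


def depth_decode(value, parent=None, possibility=1.0, chain=()):
    """Return [(result decoded value, coding chain)] for every surviving path."""
    results = []
    for coding, matches in CODING_FEATURES.items():   # S211: coding feature match
        if not matches(value):
            continue
        updated = possibility * CODE_TREE[parent].get(coding, 0.0)   # S2211/S2212
        if updated < THRESHOLD:
            continue                  # S222: another layer is too unlikely
        intermediate = decode_once(coding, value)
        if intermediate is None:
            continue                  # failed path ends; other schemes are still tried
        results.extend(depth_decode(intermediate, coding, updated, chain + (coding,)))
    if not results:
        results.append((value, chain))   # S24: no further layer, this is the result
    return results
```

Running `depth_decode("%2527")` peels two URL-encoding layers and yields the quote character with chain `("url", "url")`; a plain word such as `"password"` satisfies the base64 feature, but the decode fails on the resulting bytes, so that path ends and the word itself is the result. The possibility product falls below the threshold after a handful of repeated layers, which bounds the work an adversarially nested value can cause.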
【Method embodiment 12】
The method provided in the present embodiment includes the full content of any one of method embodiment 1 to method embodiment 11, which is not repeated here. In the present embodiment, traffic is filtered according to user-defined traffic restriction rules. The traffic restriction rules record, for example, request headers that are not allowed to appear, a restriction rule on the number of request headers, or a restriction rule on the length of request headers. A user of the product can configure customised traffic restriction rules according to the needs of their own web application.
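The three kinds of rule named above, as an added example that is not the patent's own code: a constructed rule set lists headers that must not appear, caps the number of headers and caps the length of a header, and a request's parsed headers are checked against all rules so that every violation is reported rather than only the first. The rule values and the sample headers are this example's own assumptions.

```python
"""User-defined traffic restriction rules applied to parsed request headers.

Added example, not code from the patent. Header names are compared
case-insensitively; length counts name plus value in characters.
"""

# Constructed rule set; a product user would tune these for their web application.
FLOW_RULES = {
    "forbidden_headers": {"x-debug", "proxy"},   # headers that must not appear
    "max_header_count": 32,
    "max_header_length": 1024,                   # name + value, in characters
}


def check_flow_rules(headers, rules=FLOW_RULES):
    """Return the list of rule violations for one request's headers (empty = pass)."""
    violations = []
    if len(headers) > rules["max_header_count"]:
        violations.append(
            f"header count {len(headers)} exceeds {rules['max_header_count']}")
    for name, value in headers.items():
        lname = name.lower()
        if lname in rules["forbidden_headers"]:
            violations.append(f"forbidden header {lname}")
        length = len(name) + len(value)
        if length > rules["max_header_length"]:
            violations.append(
                f"header {lname} length {length} exceeds {rules['max_header_length']}")
    return violations
```

Because the rules are applied to the already parsed header fields, the same check can run before the decoding and risk assessment stages and drop requests that violate the deployment's own limits without spending any decoding effort on them.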
【Product embodiment 1】
Figure 11 is a schematic structural diagram of the network attack detection device according to product embodiment 1 of the present invention. Referring to Figure 11, in the present embodiment the network attack detection device 10 includes a parsing module 11, a decoding module 12, a risk assessment module 13 and a detection module 14, specifically:
The parsing module 11 is used to parse the target field from the request data.
The decoding module 12 is used to decode the field value of the target field parsed by the parsing module 11, to obtain the decoded value of the target field.
The risk assessment module 13 is used to perform a risk assessment on the request data according to the decoded value obtained by the decoding module 12.
The detection module 14 is used to perform attack detection on the request data in the case where the risk assessment module 13 determines that the request data carries a risk of network attack.
Because the present invention performs a risk assessment on the request data before attack detection, network attack detection on normal request data can be terminated in time, which improves the efficiency of network attack detection.
【Product embodiment 2】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 1, which is not repeated here. As shown in Figure 12, in the present embodiment the risk assessment module 13 includes a recognition unit 131 and a risk determination unit 132, specifically:
The recognition unit 131 is used to identify, using the automaton, whether a network attack characteristic is present in the decoded value.
The risk determination unit 132 is used to determine that the request data carries a risk of network attack in the case where the recognition unit 131 identifies that a network attack characteristic is present in the decoded value.
【Product embodiment 3】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 1 or product embodiment 2, which is not repeated here. In the present embodiment, the parsing module 11 parses the target field from the request data specifically in the following manner: the target field is parsed from the request data by an automaton.
Because the present invention parses the request data by means of an automaton, the parsing of the request data can be executed efficiently.
【Product embodiment 4】
Figure 13 is a schematic structural diagram of the network attack detection device according to product embodiment 4 of the present invention. In the present embodiment, the direct carrier of the target field may be the request data itself or a field value within the request data. Correspondingly, as shown in Figure 13, the network attack detection device 10' includes a parsing module 11', a parsing module 12', a decoding module 13', a risk assessment module 14' and a detection module 15', specifically:
The parsing module 11' is used to parse the target field directly from the request data by the first automaton, in the case where the direct carrier of the target field is the request data.
The parsing module 12' is used to parse the target field from the request data by the first automaton and the second automaton, in the case where the direct carrier of the target field is a field value within the request data. Specifically, as shown in Figure 14, the parsing module 12' includes a carrier field parsing unit 121' and a target field parsing unit 122', specifically:
The carrier field parsing unit 121' is used to parse the carrier field from the request data by the first automaton.
The target field parsing unit 122' is used to parse the target field, by the second automaton, from the field value of the carrier field parsed by the carrier field parsing unit 121'.
The decoding module 13', the risk assessment module 14' and the detection module 15' correspond respectively to the decoding module 12, the risk assessment module 13 and the detection module 14 in product embodiment 1, and are not repeated here.
【Product embodiment 5】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 4, which is not repeated here. As shown in Figure 15, in the present embodiment the network attack detection device 10' further includes a first automaton building module 16' and a second automaton building module 17', specifically:
The first automaton building module 16' is used to build the first automaton on the basis of the communication standard corresponding to the request data.
The second automaton building module 17' is used to build the second automaton on the basis of the communication standard corresponding to the carrier field.
【Product embodiment 6】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 5, which is not repeated here. The carrier field includes, for example, a request body field; correspondingly, as shown in Figure 16, the second automaton building module 17' includes a communication standard determination unit 171' and a construction unit 172', specifically:
The communication standard determination unit 171' is used to determine, from the dimension of content type, one or more request body communication standards.
The construction unit 172' is used to build one or more second automata corresponding to the one or more request body communication standards determined by the communication standard determination unit 171'.
【Product embodiment 7】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 6, which is not repeated here. As shown in Figure 17, the target field parsing unit 122' includes a content type determination component 1221', a selection component 1222' and a parsing component 1223', specifically:
The content type determination component 1221' is used to determine the suspected content type of the request body field.
The selection component 1222' is used to select a second automaton according to the suspected content type determined by the content type determination component 1221'.
The parsing component 1223' is used to parse the target field from the field value of the request body field by the second automaton selected by the selection component 1222'.
Because the present invention analyses the possible content type of the request body and performs the parsing processing corresponding to the analysed content type, it can effectively prevent an attacker from bypassing attack detection by exploiting the protocol.
【Product embodiment 8】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 7, which is not repeated here. As shown in Figure 18, in the present embodiment the content type determination component 1221' includes a matching sub-component 12211' and a determination sub-component 12212', specifically:
The matching sub-component 12211' is used to match the field value of the request body field against the configured set of media format features.
The determination sub-component 12212' is used to determine the suspected content type of the request body field according to the media format feature matched successfully by the matching sub-component 12211'.
【Product embodiment 9】
The network attack detection device provided in the present embodiment includes the full content of any one of product embodiment 1 to product embodiment 3, which is not repeated here. In the present embodiment, the decoding module 12 decodes the field value of the target field to obtain the decoded value of the target field specifically in the following manner: depth decoding is performed on the field value of the target field to obtain the result decoded value of the target field.
Because the present invention performs depth decoding on the field value of the target field in the request data, it can effectively handle cases of multi-layer encoding, which improves the decoding capability and in turn the accuracy of network attack detection.
【Product embodiment 10】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 9, which is not repeated here. As shown in Figure 19, in the present embodiment the decoding module 12 includes a first decoding unit 121, a judging unit 122 and a second decoding unit 123, specifically:
The first decoding unit 121 is used to perform a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field.
The judging unit 122 is used to judge whether the intermediate decoded value obtained by the first decoding unit 121 or the second decoding unit 123 needs a further decoding operation.
The second decoding unit 123 is used to perform a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field, in the case where the judging unit 122 judges that a further decoding operation is needed.
【Product embodiment 11】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 10, which is not repeated here. In the present embodiment, the decoding module 12 further includes a result decoded value determination unit, specifically:
The result decoded value determination unit is used to determine that the intermediate decoded value is the result decoded value in the case where the judging unit 122 judges that no further decoding operation is needed.
【Product embodiment 12】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 10 or product embodiment 11, which is not repeated here. As shown in Figure 20, in the present embodiment the judging unit 122 includes an update component 1221 and a determination component 1222, specifically:
The update component 1221 is used to update the multi-layer encoding possibility parameter of the target field according to the coding scheme corresponding to the intermediate decoded value.
The determination component 1222 is used to judge whether the intermediate decoded value needs a further decoding operation according to the result of comparing the multi-layer encoding possibility parameter updated by the update component 1221 with the set threshold.
Because the present invention first assesses the possibility of the current multi-layer encoding before performing a decoding operation on the intermediate decoded value, depth decoding of low possibility can be terminated in time, which improves decoding efficiency.
【Product embodiment 13】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 12, which is not repeated here. As shown in Figure 21, in the present embodiment the update component 1221 includes a weight determination sub-component 12211 and an update sub-component 12212, specifically:
The weight determination sub-component 12211 is used to determine the weight value of the coding scheme according to the code tree.
The update sub-component 12212 is used to update the multi-layer encoding possibility parameter according to the weight value determined by the weight determination sub-component 12211.
【Product embodiment 14】
The network attack detection device provided in the present embodiment includes the full content of product embodiment 13, which is not repeated here. In the present embodiment, the network attack detection device 10 further includes a building module, specifically:
The building module is used to build the code tree on the basis of network traffic data and the processing mechanisms of web applications.
【Product embodiment 15】
The network attack detection device provided in the present embodiment includes the full content of any one of product embodiment 10 to product embodiment 14, which is not repeated here. As shown in Figure 22, in the present embodiment the first decoding unit 121 includes a matching component 1211 and a decoding component 1212, specifically:
The matching component 1211 is used to match the field value against the configured set of coding features.
The decoding component 1212 is used to perform on the field value the decoding operation corresponding to the coding feature matched successfully by the matching component 1211.
Because the present invention matches the field value against the configured set of coding features, the coding scheme can be analysed intelligently, which ensures a good decoding result.
Embodiments of the present invention further provide a terminal device including a memory and a processor, wherein:
the memory is used to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method according to any one of method embodiment 1 to method embodiment 12.
In addition, embodiments of the present invention further provide a computer-readable storage medium for storing one or more computer instructions, wherein the one or more computer instructions, when executed, implement the method according to any one of method embodiment 1 to method embodiment 12.
Those skilled in the art will clearly understand that the present invention may be implemented entirely in software, or in software combined with a hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the background art, may be embodied in whole or in part in the form of a software product. The computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a smartphone, a network device or the like) to perform the method described in each embodiment of the present invention or in some part of an embodiment.
The word "software" as used herein refers, in its general sense, to any type of computer code or set of computer-executable instructions that can be run to make a computer or other processor perform the various aspects of the technical solution described above. Furthermore, it should be noted that, according to one aspect of the embodiments, the one or more computer programs that implement the method of the technical solution of the present invention need not, when executed, reside on a single computer or processor, but may be distributed in modules across multiple computers or processors to perform the various aspects of the technical solution of the present invention.
Computer-executable instructions may take many forms, such as program modules, and may be executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. In particular, in various embodiments, the operations performed by the program modules may be combined or split according to the needs of each embodiment.
Also, the technical solution of the present invention may be embodied as a method, of which at least one example has been provided. The actions shown as part of the method may be performed in any suitable order. Accordingly, embodiments may be configured so that actions are performed in an order different from the one shown, which may include performing some actions simultaneously (even though in the illustrated embodiment they are sequential).
Definitions given and used herein should be understood with reference to the definitions in dictionaries, in documents incorporated by reference, and/or to their ordinary meaning.
In the claims and in the above description, all transitional phrases such as "comprising", "having", "including", "carrying", "with", "involving", "consisting mainly of" and similar words are to be understood as open-ended, that is, as meaning including but not limited to.
The terms and wording used in the description of the present invention are for illustration only and are not intended to be limiting. Those skilled in the art will appreciate that, without departing from the basic principles of the disclosed embodiments, various changes may be made to the details of the above embodiments. Therefore, the scope of the present invention is determined only by the claims, in which, unless otherwise stated, all terms are to be understood in their broadest reasonable sense.
Various embodiments of the present invention have been described in detail above. Below, the aspects or features of the technical solutions of the embodiments of the present invention are described in another form, without being limited to the following series of paragraphs; for clarity, some or all of these paragraphs may be designated alphanumerically. Each of these paragraphs may be combined in any suitable way with the content of one or more other paragraphs. Without limiting the examples of suitable combinations, some of the paragraphs below specifically refer to and further limit other paragraphs.
A1, a kind of detection method of network attack, methods described include:
Aiming field is parsed from request data;
The field value of the aiming field is decoded, to obtain the solution code value of the aiming field;
Risk is carried out according to the solution code value to the request data to estimate;
If estimating the risk for determining that the request data has network attack through the risk, the request data is entered Row attack detecting.
In A2, the method as described in A1, according to it is described solution code value to the request data carry out risk estimate including:
It whether there is network attack characteristic using the automatic machine identification solution code value;
If there is network attack characteristic in the solution code value, it is determined that the request data has the risk of network attack.
In A3, the method as described in A1 or A2, from request data parsing aiming field includes:
Aiming field is parsed from request data by automatic machine.
In A4, the method as described in A3, parsing aiming field from request data by automatic machine includes:
The aiming field is directly parsed from the request data by the first automatic machine.
In A5, the method as described in A3, parsing aiming field from request data by automatic machine includes:
Carrier field is parsed from request data by the first automatic machine;
The aiming field is parsed from the field value of the carrier field by the second automatic machine.
In A6, the method as described in A4 or A5, methods described also includes:
First automatic machine is built based on communication standard corresponding with the request data.
In A7, the method as described in A5, methods described also includes:
Second automatic machine is built based on communication standard corresponding with the carrier field.
It is automatic based on communication standard corresponding with carrier field structure described second in A8, the method as described in A7 Machine includes:
From the dimension of content type, it is determined that one or more request body communication standards;
Corresponding to one or more of request body communication standards, one or more second automatic machines of structure.
In A9, the method as described in A8, target is parsed from the field value of the carrier field by the second automatic machine Field includes:
Determine the doubtful content type of the request body field;
Second automatic machine is chosen according to the doubtful content type;
Aiming field is parsed from the field value of the request body field by the second automatic machine selected.
In A10, the method as described in A9, determining the doubtful content type of the request body field includes:
The field value of the request body field is matched with the media formats feature set;
According to the media formats feature that the match is successful, the doubtful content type for asking body field is determined.
In A11, the method as described in A1 or A2, the field value of the aiming field is decoded, to obtain the mesh The solution code value of marking-up section includes:
Depth decoding is carried out to the field value of the aiming field, to obtain the result solution code value of the aiming field.
In A12, the method as described in A11, the field value progress depth decoding to the aiming field includes:
performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
judging whether the intermediate decoded value needs a further decoding operation;
if a further decoding operation is needed, performing a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field, and returning to the step of judging whether the intermediate decoded value needs a further decoding operation.
A13. The method as described in A12, wherein performing deep decoding on the field value of the target field further includes:
if no further decoding operation is needed, determining that the intermediate decoded value is the final decoded value.
A14. The method as described in A12, wherein judging whether the intermediate decoded value needs a further decoding operation includes:
updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
judging whether the intermediate decoded value needs a further decoding operation according to the result of comparing the updated multi-layer encoding likelihood parameter with a set threshold.
A15. The method as described in A14, wherein updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value includes:
determining the weight of the encoding scheme according to an encoding tree;
updating the multi-layer encoding likelihood parameter according to the weight.
A16. The method as described in A15, further including:
building the encoding tree based on network traffic data and the processing mechanism of the web application.
A17. The method as described in any one of A12 to A16, wherein performing a decoding operation on the field value of the target field includes:
matching the field value against an encoding feature set;
performing, on the field value, the decoding operation corresponding to the encoding feature that was matched.
B18. A network attack detection device, including:
a parsing module for parsing a target field from request data;
a decoding module for decoding the field value of the target field to obtain the decoded value of the target field;
a risk pre-assessment module for performing risk pre-assessment on the request data according to the decoded value;
a detection module for performing attack detection on the request data when the risk pre-assessment determines that the request data carries a risk of network attack.
B19. The device as described in B18, wherein the risk pre-assessment module includes:
a recognition unit for identifying, using an automaton, whether the decoded value contains a network attack feature;
a risk determination unit for determining that the request data carries a risk of network attack when the decoded value contains a network attack feature.
B20. The device as described in B18 or B19, wherein the parsing module parses the target field from the request data in the following way: parsing the target field from the request data by means of an automaton.
B21. The device as described in B20, wherein the parsing module parses the target field from the request data by means of an automaton in the following way: parsing the target field directly from the request data by means of a first automaton.
B22. The device as described in B20, wherein the parsing module includes:
a carrier field parsing unit for parsing a carrier field from the request data by means of a first automaton;
a target field parsing unit for parsing the target field from the field value of the carrier field by means of a second automaton.
B23. The device as described in B21 or B22, further including:
a first automaton construction module for building the first automaton based on the communication standard corresponding to the request data.
B24. The device as described in B22, further including:
a second automaton construction module for building the second automaton based on the communication standard corresponding to the carrier field.
B25. The device as described in B24, wherein the second automaton construction module includes:
a communication standard determination unit for determining one or more request body communication standards along the dimension of content type;
a construction unit for building one or more second automata corresponding to the one or more request body communication standards.
B26. The device as described in B25, wherein the target field parsing unit includes:
a content type determination component for determining the suspected content type of the request body field;
a selection component for selecting a second automaton according to the suspected content type;
a parsing component for parsing the target field from the field value of the request body field by means of the selected second automaton.
B27. The device as described in B26, wherein the content type determination component includes:
a matching sub-component for matching the field value of the request body field against a media format feature set;
a determination sub-component for determining the suspected content type of the request body field according to the media format feature that was matched.
B28. The device as described in B18 or B19, wherein the decoding module decodes the field value of the target field to obtain the decoded value of the target field in the following way: performing deep decoding on the field value of the target field to obtain the final decoded value of the target field.
B29. The device as described in B28, wherein the decoding module includes:
a first decoding unit for performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
a judging unit for judging whether the intermediate decoded value needs a further decoding operation;
a second decoding unit for performing, when a further decoding operation is needed, a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field.
B30. The device as described in B29, wherein the decoding module further includes:
a final decoded value determination unit for determining, when no further decoding operation is needed, that the intermediate decoded value is the final decoded value.
B31. The device as described in B29, wherein the judging unit includes:
an update component for updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
a judgment component for judging whether the intermediate decoded value needs a further decoding operation according to the result of comparing the updated multi-layer encoding likelihood parameter with a set threshold.
B32. The device as described in B31, wherein the update component includes:
a weight determination sub-component for determining the weight of the encoding scheme according to an encoding tree;
an update sub-component for updating the multi-layer encoding likelihood parameter according to the weight.
B33. The device as described in B32, further including:
a construction module for building the encoding tree based on network traffic data and the processing mechanism of the web application.
B34. The device as described in any one of B29 to B33, wherein the first decoding unit includes:
a matching component for matching the field value against an encoding feature set;
a decoding component for performing, on the field value, the decoding operation corresponding to the encoding feature that was matched.
C35. A terminal device, including a memory and a processor, wherein:
the memory is used to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method as described in any one of A1 to A17.
D36. A computer-readable storage medium for storing one or more computer instructions, wherein the one or more computer instructions, when executed, implement the method as described in any one of A1 to A17.

Claims (36)

1. A network attack detection method, characterized in that the method includes:
parsing a target field from request data;
decoding the field value of the target field to obtain the decoded value of the target field;
performing risk pre-assessment on the request data according to the decoded value;
if the risk pre-assessment determines that the request data carries a risk of network attack, performing attack detection on the request data.
2. The method as claimed in claim 1, characterized in that performing risk pre-assessment on the request data according to the decoded value includes:
identifying, using an automaton, whether the decoded value contains a network attack feature;
if the decoded value contains a network attack feature, determining that the request data carries a risk of network attack.
3. The method as claimed in claim 1 or 2, characterized in that parsing a target field from request data includes:
parsing the target field from the request data by means of an automaton.
4. The method as claimed in claim 3, characterized in that parsing the target field from the request data by means of an automaton includes:
parsing the target field directly from the request data by means of a first automaton.
5. The method as claimed in claim 3, characterized in that parsing the target field from the request data by means of an automaton includes:
parsing a carrier field from the request data by means of a first automaton;
parsing the target field from the field value of the carrier field by means of a second automaton.
6. The method as claimed in claim 4 or 5, characterized in that the method further includes:
building the first automaton based on the communication standard corresponding to the request data.
7. The method as claimed in claim 5, characterized in that the method further includes:
building the second automaton based on the communication standard corresponding to the carrier field.
8. The method as claimed in claim 7, characterized in that building the second automaton based on the communication standard corresponding to the carrier field includes:
determining one or more request body communication standards along the dimension of content type;
building one or more second automata corresponding to the one or more request body communication standards.
9. The method as claimed in claim 8, characterized in that parsing the target field from the field value of the carrier field by means of the second automaton includes:
determining the suspected content type of the request body field;
selecting a second automaton according to the suspected content type;
parsing the target field from the field value of the request body field by means of the selected second automaton.
10. The method as claimed in claim 9, characterized in that determining the suspected content type of the request body field includes:
matching the field value of the request body field against a media format feature set;
determining the suspected content type of the request body field according to the media format feature that was matched.
11. The method as claimed in claim 1 or 2, characterized in that decoding the field value of the target field to obtain the decoded value of the target field includes:
performing deep decoding on the field value of the target field to obtain the final decoded value of the target field.
12. The method as claimed in claim 11, characterized in that performing deep decoding on the field value of the target field includes:
performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
judging whether the intermediate decoded value needs a further decoding operation;
if a further decoding operation is needed, performing a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field, and returning to the step of judging whether the intermediate decoded value needs a further decoding operation.
13. The method as claimed in claim 12, characterized in that performing deep decoding on the field value of the target field further includes:
if no further decoding operation is needed, determining that the intermediate decoded value is the final decoded value.
14. The method as claimed in claim 12, characterized in that judging whether the intermediate decoded value needs a further decoding operation includes:
updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
judging whether the intermediate decoded value needs a further decoding operation according to the result of comparing the updated multi-layer encoding likelihood parameter with a set threshold.
15. The method as claimed in claim 14, characterized in that updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value includes:
determining the weight of the encoding scheme according to an encoding tree;
updating the multi-layer encoding likelihood parameter according to the weight.
16. The method as claimed in claim 15, characterized in that the method further includes:
building the encoding tree based on network traffic data and the processing mechanism of the web application.
17. The method as claimed in any one of claims 12 to 16, characterized in that performing a decoding operation on the field value of the target field includes:
matching the field value against an encoding feature set;
performing, on the field value, the decoding operation corresponding to the encoding feature that was matched.
18. A network attack detection device, characterized in that the device includes:
a parsing module for parsing a target field from request data;
a decoding module for decoding the field value of the target field to obtain the decoded value of the target field;
a risk pre-assessment module for performing risk pre-assessment on the request data according to the decoded value;
a detection module for performing attack detection on the request data when the risk pre-assessment determines that the request data carries a risk of network attack.
19. The device as claimed in claim 18, characterized in that the risk pre-assessment module includes:
a recognition unit for identifying, using an automaton, whether the decoded value contains a network attack feature;
a risk determination unit for determining that the request data carries a risk of network attack when the decoded value contains a network attack feature.
20. The device as claimed in claim 18 or 19, characterized in that
the parsing module parses the target field from the request data in the following way: parsing the target field from the request data by means of an automaton.
21. The device as claimed in claim 20, characterized in that
the parsing module parses the target field from the request data by means of an automaton in the following way: parsing the target field directly from the request data by means of a first automaton.
22. The device as claimed in claim 20, characterized in that the parsing module includes:
a carrier field parsing unit for parsing a carrier field from the request data by means of a first automaton;
a target field parsing unit for parsing the target field from the field value of the carrier field by means of a second automaton.
23. The device as claimed in claim 21 or 22, characterized in that the device further includes:
a first automaton construction module for building the first automaton based on the communication standard corresponding to the request data.
24. The device as claimed in claim 22, characterized in that the device further includes:
a second automaton construction module for building the second automaton based on the communication standard corresponding to the carrier field.
25. The device as claimed in claim 24, characterized in that the second automaton construction module includes:
a communication standard determination unit for determining one or more request body communication standards along the dimension of content type;
a construction unit for building one or more second automata corresponding to the one or more request body communication standards.
26. The device as claimed in claim 25, characterized in that the target field parsing unit includes:
a content type determination component for determining the suspected content type of the request body field;
a selection component for selecting a second automaton according to the suspected content type;
a parsing component for parsing the target field from the field value of the request body field by means of the selected second automaton.
27. The device as claimed in claim 26, characterized in that the content type determination component includes:
a matching sub-component for matching the field value of the request body field against a media format feature set;
a determination sub-component for determining the suspected content type of the request body field according to the media format feature that was matched.
28. The device as claimed in claim 18 or 19, characterized in that
the decoding module decodes the field value of the target field to obtain the decoded value of the target field in the following way: performing deep decoding on the field value of the target field to obtain the final decoded value of the target field.
29. The device as claimed in claim 28, characterized in that the decoding module includes:
a first decoding unit for performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
a judging unit for judging whether the intermediate decoded value needs a further decoding operation;
a second decoding unit for performing, when a further decoding operation is needed, a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field.
30. The device as claimed in claim 29, characterized in that the decoding module further includes:
a final decoded value determination unit for determining, when no further decoding operation is needed, that the intermediate decoded value is the final decoded value.
31. The device as claimed in claim 29, characterized in that the judging unit includes:
an update component for updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
a judgment component for judging whether the intermediate decoded value needs a further decoding operation according to the result of comparing the updated multi-layer encoding likelihood parameter with a set threshold.
32. The device as claimed in claim 31, characterized in that the update component includes:
a weight determination sub-component for determining the weight of the encoding scheme according to an encoding tree;
an update sub-component for updating the multi-layer encoding likelihood parameter according to the weight.
33. The device as claimed in claim 32, characterized in that the device further includes:
a construction module for building the encoding tree based on network traffic data and the processing mechanism of the web application.
34. The device as claimed in any one of claims 29 to 33, characterized in that the first decoding unit includes:
a matching component for matching the field value against an encoding feature set;
a decoding component for performing, on the field value, the decoding operation corresponding to the encoding feature that was matched.
35. A terminal device, including a memory and a processor, wherein:
the memory is used to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method as claimed in any one of claims 1 to 17.
36. A computer-readable storage medium for storing one or more computer instructions, wherein the one or more computer instructions, when executed, implement the method as claimed in any one of claims 1 to 17.
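As an added illustration, not code from the patent or its applicant, the following Python sketch implements the deep-decoding loop of claims 11 to 17 (mirrored by claims 28 to 34) and the automaton-based risk pre-assessment of claims 1 and 2 on an already-parsed field value. The encoding feature set, the encoding tree weights, the threshold and the two attack-feature tokens are constructed assumptions; parsing with the first and second automata (claims 3 to 10) and the final attack detection step are left out.

```python
import base64
import re
import urllib.parse

# Constructed encoding feature set (claim 17): (scheme, feature pattern, decoder).
# Patterns are tried in order and are deliberately coarse: a plain eight-letter
# word also looks like base64, so a production set needs tighter features.
ENCODING_FEATURES = [
    ("url", re.compile(r"%[0-9A-Fa-f]{2}"), urllib.parse.unquote),
    ("base64", re.compile(r"\A[A-Za-z0-9+/]{8,}={0,2}\Z"),
     lambda v: base64.b64decode(v, validate=True).decode("latin-1")),
]
# Constructed encoding tree (claims 15-16): weight of scheme B nested directly in
# scheme A ("root" = raw field value); a real tree is fitted from traffic data and
# the web application's own decoding behaviour.
ENCODING_TREE = {
    ("root", "url"): 1.0, ("root", "base64"): 0.7,
    ("url", "url"): 0.8, ("url", "base64"): 0.6,
    ("base64", "url"): 0.5, ("base64", "base64"): 0.2,
}
THRESHOLD = 0.1  # the "set threshold" of claim 14; value is an assumption


def match_encoding(value):
    """Match a value against the encoding feature set (claim 17)."""
    for scheme, pattern, decoder in ENCODING_FEATURES:
        if pattern.search(value):
            return scheme, decoder
    return None, None


def deep_decode(field_value, threshold=THRESHOLD):
    """Deep decoding of claims 11-14: returns (final decoded value, layers)."""
    value, prev, likelihood, layers = field_value, "root", 1.0, []
    while True:
        scheme, decoder = match_encoding(value)
        if scheme is None:          # no encoding feature left: final value
            return value, layers
        likelihood *= ENCODING_TREE.get((prev, scheme), 0.0)  # multi-layer param
        if likelihood < threshold:  # another layer judged implausible: stop
            return value, layers
        try:
            decoded = decoder(value)
        except ValueError:          # feature matched but payload is malformed
            return value, layers
        layers.append(scheme)
        value, prev = decoded, scheme


class KeywordAutomaton:
    """Aho-Corasick automaton over constructed attack-feature tokens (claim 2)."""
    def __init__(self, keywords):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for kw in keywords:
            node = 0
            for ch in kw:
                if ch not in self.goto[node]:
                    self.goto[node][ch] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                node = self.goto[node][ch]
            self.out[node].add(kw)
        queue = list(self.goto[0].values())  # depth-1 nodes keep fail = root
        while queue:                          # breadth-first failure links
            node = queue.pop(0)
            for ch, child in self.goto[node].items():
                f = self.fail[node]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(ch, 0)
                self.out[child] |= self.out[self.fail[child]]
                queue.append(child)

    def first_match(self, text):
        """Return the first attack feature found in text, or None."""
        node = 0
        for ch in text.lower():
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            if self.out[node]:
                return min(self.out[node])
        return None


AUTOMATON = KeywordAutomaton(("union select", "<script"))  # constructed, tiny


def inspect_field_value(field_value, threshold=THRESHOLD):
    """Claims 1-2: deep-decode, then pre-assess risk; non-None means detect."""
    final_value, layers = deep_decode(field_value, threshold)
    return {"decoded": final_value, "layers": layers,
            "feature": AUTOMATON.first_match(final_value)}
```

Because the likelihood is multiplied through the tree at every layer and the loop stops on malformed data, decoding depth is bounded before any further decoder sees attacker-controlled bytes.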
CN201710613906.4A 2017-07-25 2017-07-25 Detection method and device, terminal device and the computer-readable storage medium of network attack Pending CN107528826A (en)


Publications (1)

Publication Number Publication Date
CN107528826A true CN107528826A (en) 2017-12-29

Family

ID=60680096



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190704

Address after: 100024 Beijing Chaoyang District Guanzhuang Dongli (Chaoyang District Non-staple Food Company) 3 1-storey B26

Applicant after: Beijing Pulsar Technology Co., Ltd.

Address before: 100083 Beijing Haidian District College Road No. 5, Building No. 1, Building No. 3, Building No. 1, West 2-007

Applicant before: BEIJING CHAITIN TECH CO., LTD.

CB02 Change of applicant information

Address after: 100024 B26, floor 1, building 3, Guanzhuang Dongli (non staple food company), Chaoyang District, Beijing

Applicant after: Beijing Changting Future Technology Co., Ltd

Address before: 100024 Beijing Chaoyang District Guanzhuang Dongli (Chaoyang District Non-staple Food Company) 3 1-storey B26

Applicant before: Beijing Pulsar Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20171229