Summary of the Invention
Embodiments of the present invention provide a network attack detection method and apparatus, a terminal device and a computer storage medium, so as to solve the above technical problem existing in the prior art.
In a first aspect, embodiments of the present invention provide a network attack detection method.
Specifically, the method includes:
parsing a target field from request data;
decoding the field value of the target field to obtain a decoded value of the target field;
performing a preliminary risk assessment on the request data according to the decoded value;
if the preliminary risk assessment determines that the request data carries a risk of network attack, performing attack detection on the request data.
Since in the present invention a preliminary risk assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, thereby improving the efficiency of network attack detection.
With reference to the first aspect, in some implementations of the present invention, performing a preliminary risk assessment on the request data according to the decoded value includes:
identifying, by an automaton, whether the decoded value contains a network attack feature;
if the decoded value contains a network attack feature, determining that the request data carries a risk of network attack.
With reference to the first aspect, in some implementations of the present invention, parsing a target field from request data includes:
parsing the target field from the request data by an automaton.
Since in the present invention the request data is parsed by an automaton, the parsing of the request data can be performed efficiently.
With reference to the first aspect, in some implementations of the present invention, parsing the target field from the request data by an automaton includes:
parsing the target field directly from the request data by a first automaton.
With reference to the first aspect, in some implementations of the present invention, parsing the target field from the request data by an automaton includes:
parsing a carrier field from the request data by the first automaton;
parsing the target field from the field value of the carrier field by a second automaton.
With reference to the first aspect, in some implementations of the present invention, the method further includes:
building the first automaton based on the communication protocol specification corresponding to the request data.
With reference to the first aspect, in some implementations of the present invention, the method further includes:
building the second automaton based on the communication protocol specification corresponding to the carrier field.
With reference to the first aspect, in some implementations of the present invention, building the second automaton based on the communication protocol specification corresponding to the carrier field includes:
determining, from the dimension of content type (content-type), one or more request body communication protocol specifications;
building one or more second automata corresponding to the one or more request body communication protocol specifications.
With reference to the first aspect, in some implementations of the present invention, parsing the target field from the field value of the carrier field by the second automaton includes:
determining a suspected content type of the request body field;
selecting a second automaton according to the suspected content type;
parsing the target field from the field value of the request body field by the selected second automaton.
Since the present invention analyses the possible content type of the request body and performs the parsing process corresponding to the content type found, it can effectively prevent an attacker from bypassing attack detection by exploiting the protocol.
With reference to the first aspect, in some implementations of the present invention, determining the suspected content type of the request body field includes:
matching the field value of the request body field against a media format feature set;
determining the suspected content type of the request body field according to the media format feature that was matched.
With reference to the first aspect, in some implementations of the present invention, decoding the field value of the target field to obtain the decoded value of the target field includes:
performing deep decoding on the field value of the target field to obtain a final decoded value of the target field.
Since in the present invention deep decoding is performed on the field value of the target field in the request data, multi-layer encoding can be handled effectively, which improves decoding capability and in turn improves the accuracy of network attack detection.
With reference to the first aspect, in some implementations of the present invention, performing deep decoding on the field value of the target field includes:
performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
judging whether the intermediate decoded value needs a further decoding operation;
if a further decoding operation is needed, performing a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field, and returning to the step of judging whether the intermediate decoded value needs a further decoding operation.
With reference to the first aspect, in some implementations of the present invention, performing deep decoding on the field value of the target field further includes:
if no further decoding operation is needed, determining the intermediate decoded value to be the final decoded value.
With reference to the first aspect, in some implementations of the present invention, judging whether the intermediate decoded value needs a further decoding operation includes:
updating a multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
judging, according to the result of comparing the updated multi-layer encoding likelihood parameter with a set threshold, whether the intermediate decoded value needs a further decoding operation.
Since in the present invention the likelihood of the current multi-layer encoding is assessed before a decoding operation is performed on the intermediate decoded value, deep decoding of low likelihood can be terminated in time, thereby improving decoding efficiency.
With reference to the first aspect, in some implementations of the present invention, updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value includes:
determining the weight of the encoding scheme according to an encoding tree;
updating the multi-layer encoding likelihood parameter according to the weight.
With reference to the first aspect, in some implementations of the present invention, the method further includes:
building the encoding tree based on network traffic data and the processing mechanism of the web application.
With reference to the first aspect, in some implementations of the present invention, performing a decoding operation on the field value of the target field includes:
matching the field value against an encoding feature set;
performing, on the field value, the decoding operation corresponding to the encoding feature that was matched.
Since in the present invention the field value is matched against an encoding feature set, the encoding scheme can be analysed intelligently, which ensures a good decoding result.
In a second aspect, embodiments of the present invention provide a network attack detection apparatus.
Specifically, the apparatus includes:
a parsing module, configured to parse a target field from request data;
a decoding module, configured to decode the field value of the target field to obtain a decoded value of the target field;
a risk assessment module, configured to perform a preliminary risk assessment on the request data according to the decoded value;
a detection module, configured to perform attack detection on the request data when the preliminary risk assessment determines that the request data carries a risk of network attack.
Since in the present invention a preliminary risk assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, thereby improving the efficiency of network attack detection.
With reference to the second aspect, in some implementations of the present invention, the risk assessment module includes:
a recognition unit, configured to identify, by an automaton, whether the decoded value contains a network attack feature;
a risk determining unit, configured to determine that the request data carries a risk of network attack when the decoded value contains a network attack feature.
With reference to the second aspect, in some implementations of the present invention, the parsing module is configured to parse the target field from the request data in the following manner: parsing the target field from the request data by an automaton.
Since in the present invention the request data is parsed by an automaton, the parsing of the request data can be performed efficiently.
With reference to the second aspect, in some implementations of the present invention, the parsing module is configured to parse the target field from the request data by an automaton in the following manner: parsing the target field directly from the request data by a first automaton.
With reference to the second aspect, in some implementations of the present invention, the parsing module includes:
a carrier field parsing unit, configured to parse a carrier field from the request data by the first automaton;
a target field parsing unit, configured to parse the target field from the field value of the carrier field by a second automaton.
With reference to the second aspect, in some implementations of the present invention, the apparatus further includes:
a first automaton building module, configured to build the first automaton based on the communication protocol specification corresponding to the request data.
With reference to the second aspect, in some implementations of the present invention, the apparatus further includes:
a second automaton building module, configured to build the second automaton based on the communication protocol specification corresponding to the carrier field.
With reference to the second aspect, in some implementations of the present invention, the second automaton building module includes:
a protocol specification determining unit, configured to determine, from the dimension of content type, one or more request body communication protocol specifications;
a building unit, configured to build one or more second automata corresponding to the one or more request body communication protocol specifications.
With reference to the second aspect, in some implementations of the present invention, the target field parsing unit includes:
a content type determining component, configured to determine a suspected content type of the request body field;
a selecting component, configured to select a second automaton according to the suspected content type;
a parsing component, configured to parse the target field from the field value of the request body field by the selected second automaton.
Since the present invention analyses the possible content type of the request body and performs the parsing process corresponding to the content type found, it can effectively prevent an attacker from bypassing attack detection by exploiting the protocol.
With reference to the second aspect, in some implementations of the present invention, the content type determining component includes:
a matching sub-component, configured to match the field value of the request body field against a media format feature set;
a determining sub-component, configured to determine the suspected content type of the request body field according to the media format feature that was matched.
With reference to the second aspect, in some implementations of the present invention, the decoding module is configured to decode the field value of the target field to obtain the decoded value of the target field in the following manner: performing deep decoding on the field value of the target field to obtain a final decoded value of the target field.
Since in the present invention deep decoding is performed on the field value of the target field in the request data, multi-layer encoding can be handled effectively, which improves decoding capability and in turn improves the accuracy of network attack detection.
With reference to the second aspect, in some implementations of the present invention, the decoding module includes:
a first decoding unit, configured to perform a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
a judging unit, configured to judge whether the intermediate decoded value needs a further decoding operation;
a second decoding unit, configured to perform, when a further decoding operation is needed, a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field.
With reference to the second aspect, in some implementations of the present invention, the decoding module further includes:
a final decoded value determining unit, configured to determine, when no further decoding operation is needed, that the intermediate decoded value is the final decoded value.
With reference to the second aspect, in some implementations of the present invention, the judging unit includes:
an updating component, configured to update a multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
a determining component, configured to judge, according to the result of comparing the updated multi-layer encoding likelihood parameter with a set threshold, whether the intermediate decoded value needs a further decoding operation.
Since in the present invention the likelihood of the current multi-layer encoding is assessed before a decoding operation is performed on the intermediate decoded value, deep decoding of low likelihood can be terminated in time, thereby improving decoding efficiency.
With reference to the second aspect, in some implementations of the present invention, the updating component includes:
a weight determining sub-component, configured to determine the weight of the encoding scheme according to an encoding tree;
an updating sub-component, configured to update the multi-layer encoding likelihood parameter according to the weight.
With reference to the second aspect, in some implementations of the present invention, the apparatus further includes:
a building module, configured to build the encoding tree based on network traffic data and the processing mechanism of the web application.
With reference to the second aspect, in some implementations of the present invention, the first decoding unit includes:
a matching component, configured to match the field value against an encoding feature set;
a decoding component, configured to perform, on the field value, the decoding operation corresponding to the encoding feature that was matched.
Since in the present invention the field value is matched against an encoding feature set, the encoding scheme can be analysed intelligently, which ensures a good decoding result.
In a third aspect, embodiments of the present invention provide a terminal device.
The terminal device includes a memory and a processor, wherein
the memory is configured to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement any one of the network attack detection methods described above.
Since in the present invention a preliminary risk assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, thereby improving the efficiency of network attack detection.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium.
The computer-readable storage medium is configured to store one or more computer instructions, and the one or more computer instructions, when executed, implement any one of the network attack detection methods described above.
Since in the present invention a preliminary risk assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, thereby improving the efficiency of network attack detection.
These and other aspects of the invention will be more readily apparent from the following detailed description.
Detailed Description of the Embodiments
Various aspects of the present invention are described in detail below with reference to the drawings and specific embodiments. In the embodiments of the present invention, well-known operating processes, program modules, units and their mutual connections, links, communications or operations are not shown or are not described in detail.
Furthermore, the described features, architectures or functions may be combined in any way in one or more embodiments.
In addition, those skilled in the art will appreciate that the various embodiments below serve only as examples and do not limit the scope of the invention. Those skilled in the art will also readily appreciate that the program modules, units or steps in each embodiment described herein and shown in the drawings can be combined and designed in a variety of different configurations.
Unless otherwise specified, technical terms not specifically described in this specification shall be interpreted in their broadest meaning in the art.
Some of the flows described in the description, the claims and the above drawings contain multiple operations that occur in a particular order, but it should be clearly understood that these operations may be performed in an order other than the one given herein, or in parallel; labels of operations such as 101, 102 and the like serve only to distinguish the different operations and do not by themselves represent any execution order. In addition, these flows may include more or fewer operations, and these operations may be performed sequentially or in parallel. It should be noted that terms such as "first" and "second" herein are used to distinguish different messages, devices, modules and the like; they do not represent an order, nor do they limit "first" and "second" to different types.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
【Method embodiment 1】
Fig. 1 is a flowchart of the network attack detection method according to method embodiment 1 of the present invention. Referring to Fig. 1, in this embodiment the method includes:
S1: parsing a target field from request data.
S2: decoding the field value of the target field to obtain the decoded value of the target field.
S3: performing a preliminary risk assessment on the request data according to the decoded value. If the preliminary risk assessment determines that the request data carries a risk of network attack, S4 is performed; if the preliminary risk assessment determines that the request data carries no risk of network attack, the current process ends.
S4: performing attack detection on the request data.
The request data is, for example, an HTTP (HyperText Transfer Protocol) request.
A field value is the value of a given field in the request data. For example, "GET" is the field value of the method field in the request data.
A decoded value is the decoding result obtained after a given field value in the request data has been decoded.
Since in the present invention a preliminary risk assessment is performed on the request data before attack detection is carried out, network attack detection on normal request data can be terminated in time, thereby improving the efficiency of network attack detection.
【Method embodiment 2】
The method provided by this embodiment includes the whole content of method embodiment 1, which is not repeated here. As shown in Fig. 2, in this embodiment step S3 is implemented as follows:
S31: identifying, by an automaton, whether the decoded value contains a network attack feature. If so, S32 is performed; otherwise S33 is performed.
S32: determining that the request data carries a risk of network attack.
S33: determining that the request data carries no risk of network attack.
A network attack feature is, for example, a key structure specific to a certain network attack, such as the operation expression "1 or 1=1", the HTML (HyperText Markup Language) tag "<Script", or an SQL (Structured Query Language) keyword.
In this embodiment, if the automaton identifies a network attack feature in the decoded value, the network attack type corresponding to that network attack feature is recorded, so that during the subsequent attack detection, detection can be performed specifically for the network attack types recorded by the automaton.
Specifically, the automaton is, for example, a deterministic finite-state automaton constructed from the various network attack features, so that all network attack types that may be present can be analysed in a single pass.
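The single-pass feature automaton of step S31, as an added example that is not the patent's own code: it builds a deterministic automaton from a constructed feature set with the Aho-Corasick construction (this example's assumed realisation of the automaton), scans the decoded value once, and records the attack types seen so that the later detection step can be targeted.

```python
"""Preliminary risk assessment (S31-S33) with a single-pass automaton.

Added example, not the patent's own code. ATTACK_FEATURES and the attack
type labels are constructed for illustration; the automaton is built with
the Aho-Corasick construction, assumed here as the way of realising a
deterministic automaton over all attack features that needs one pass.
"""
from collections import deque

# Constructed feature set: attack feature -> attack type it indicates.
# Features are lower case; the decoded value is lower-cased before the scan.
ATTACK_FEATURES = {
    "1 or 1=1": "sqli",
    "union select": "sqli",
    "<script": "xss",
    "javascript:": "xss",
    "../": "path_traversal",
}


class FeatureAutomaton:
    """Trie states plus failure links: the transition function is total,
    so the scan never backtracks and runs in time linear in the input."""

    def __init__(self, features):
        self.goto = [{}]       # goto[state][char] -> next state
        self.fail = [0]        # fail[state] -> longest proper suffix state
        self.output = [[]]     # output[state] -> [(feature, attack type)]
        for feature, kind in features.items():
            state = 0
            for ch in feature:
                if ch not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append([])
                    self.goto[state][ch] = len(self.goto) - 1
                state = self.goto[state][ch]
            self.output[state].append((feature, kind))
        # Breadth-first construction of the failure links; depth-1 states
        # keep fail = 0 (the root).
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for ch, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                # A state also reports every feature ending at its fail state.
                self.output[nxt] = self.output[nxt] + self.output[self.fail[nxt]]

    def scan(self, text):
        """One pass over text; returns {attack type: {features seen}}."""
        found, state = {}, 0
        for ch in text:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for feature, kind in self.output[state]:
                found.setdefault(kind, set()).add(feature)
        return found


AUTOMATON = FeatureAutomaton(ATTACK_FEATURES)


def assess_risk(decoded_value):
    """Step S3 for one decoded value: (risky, recorded attack types).
    The recorded types let the later attack detection (S4) run only the
    checks for the attack classes the automaton actually saw."""
    hits = AUTOMATON.scan(decoded_value.lower())
    return bool(hits), sorted(hits)
```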
【Method embodiment 3】
The method provided by this embodiment includes the whole content of method embodiment 1 or method embodiment 2, which is not repeated here. In this embodiment, step S1 is implemented as follows:
parsing the target field from the request data by an automaton.
The automaton completes its scan of the whole request data in linear time, and extracts each component of the request data for the subsequent detection process.
Taking a finite-state automaton as an example, the operation of the automaton in this embodiment is described in detail below.
A finite-state automaton consists of state nodes and transition arcs. Each transition arc is a directed edge pointing from one state node to another; the label on a transition arc indicates that when the automaton, in the former state, receives that label as input, it transfers to the latter state. As shown in Fig. 3, the automaton is initially in the initial state, namely state 1; on receiving the input "G" it transfers to state 2; on receiving the input string "GET" from the initial state it reaches state 4, and during the transition from state 3 to state 4 it records the request method, namely "GET".
Since in the present invention the request data is parsed by an automaton, the parsing of the request data can be performed efficiently.
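The Fig. 3 automaton carried through to a whole HTTP request line, as an added example (not the patent's own code): one state per accepted method character, the method recorded on the transition out of the last method character, and further states that collect the request target and version. The method set and state layout are this example's assumptions.

```python
"""Table-driven finite-state automaton for the HTTP request line.

Added example, not the patent's own code. METHODS and the state layout are
assumptions; the automaton mirrors Fig. 3: a chain of states per method,
the method recorded on the transition out of its last character, then
collecting states for the request target and the HTTP version.
"""

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")  # assumed set


class RequestLineAutomaton:
    """table[state][char] -> next state. The key None in a row means
    "any other character" and is the self-loop of a collecting state."""

    def __init__(self, methods=METHODS):
        self.table = [{}]            # state 0 is the initial state (Fig. 3: state 1)
        self.method_of = {}          # state reached after a complete method -> method
        for method in methods:
            state = 0
            for ch in method:        # shared prefixes (P-O-S-T, P-U-T) share states
                if ch not in self.table[state]:
                    self.table.append({})
                    self.table[state][ch] = len(self.table) - 1
                state = self.table[state][ch]
            self.method_of[state] = method
        self.target, self.version, self.cr, self.done = self._new_states(4)
        for state in self.method_of:
            self.table[state][" "] = self.target   # the transition that records the method
        self.table[self.target][None] = self.target
        self.table[self.target][" "] = self.version
        self.table[self.version][None] = self.version
        self.table[self.version]["\r"] = self.cr
        self.table[self.cr]["\n"] = self.done

    def _new_states(self, n):
        first = len(self.table)
        self.table.extend({} for _ in range(n))
        return range(first, first + n)

    def parse(self, line):
        """Single left-to-right pass. Raises ValueError as soon as the
        current state has no transition for the input (malformed line)."""
        state, fields, buf = 0, {}, []
        for ch in line:
            row = self.table[state]
            nxt = row.get(ch)
            if nxt is None and ch not in "\r\n":   # CR/LF never count as "other"
                nxt = row.get(None)
            if nxt is None:
                raise ValueError(f"no transition from state {state} on {ch!r}")
            if nxt == state:
                buf.append(ch)                       # collecting target/version bytes
            elif state in self.method_of and nxt == self.target:
                fields["method"] = self.method_of[state]   # recorded on the arc, as in Fig. 3
            elif state == self.target:
                fields["target"], buf = "".join(buf), []
            elif state == self.version:
                fields["version"], buf = "".join(buf), []
            state = nxt
        if state != self.done:
            raise ValueError("request line did not end with CRLF")
        return fields


AUTOMATON = RequestLineAutomaton()


def parse_request_line(line):
    """Fields of one request line: {"method", "target", "version"}."""
    return AUTOMATON.parse(line)


def is_well_formed(line):
    """True if the automaton reaches its final state on the line."""
    try:
        AUTOMATON.parse(line)
        return True
    except ValueError:
        return False
```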
【Method embodiment 4】
The method provided by this embodiment includes the whole content of method embodiment 3, which is not repeated here. The direct carrier of the target field may be the request data itself or a field value within the request data.
If the direct carrier of the target field is the request data, step S1 is implemented as follows:
parsing the target field directly from the request data by a first automaton.
Correspondingly, in the method provided by this embodiment, the first automaton is built based on the communication protocol specification corresponding to the request data.
As shown in Fig. 4, if the direct carrier of the target field is a field value within the request data, step S1 is implemented as follows:
S11: parsing a carrier field (a field of the request data that contains the target field) from the request data by the first automaton.
S12: parsing the target field from the field value of the carrier field by a second automaton.
Correspondingly, in the method provided by this embodiment, the second automaton is built based on the communication protocol specification corresponding to the carrier field.
The carrier field includes, for example, the request body field; correspondingly, building the second automaton based on the communication protocol specification corresponding to the carrier field includes:
(1) determining, from the dimension of content type, one or more request body communication protocol specifications;
(2) building one or more second automata corresponding to the one or more request body communication protocol specifications.
【Method embodiment 5】
The method provided by this embodiment includes the whole content of method embodiment 4, which is not repeated here. As shown in Fig. 5, S12 includes the following processing:
S121: determining the suspected content type (the possible content type) of the request body field.
S122: selecting a second automaton according to the suspected content type.
S123: parsing the target field from the field value of the request body field by the selected second automaton.
Since the present invention analyses the possible content type of the request body and performs the parsing process corresponding to the content type found, it can effectively prevent an attacker from bypassing attack detection by exploiting the protocol.
【Method embodiment 6】
The method provided by this embodiment includes the whole content of method embodiment 5, which is not repeated here. As shown in Fig. 6, in this embodiment step S121 is implemented as follows:
S1211: matching the field value of the request body field against a media format feature set.
S1212: determining the suspected content type of the request body field according to the media format feature that was matched.
A media format feature is a structural feature of an Internet media format (for example, the JSON (JavaScript Object Notation, a lightweight data interchange format) format, the XML (Extensible Markup Language) format, the form format, and so on).
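Steps S121 to S123 and S1211 to S1212 together, as an added example that is not the patent's own code: the body's own structure, not the declared Content-Type header, selects the parser (the "second automaton"), so a body whose real format differs from its declared type is still parsed. The media format feature set, the three formats and the parsers are this example's assumptions.

```python
"""Suspected content type of a request body and parser selection
(S121-S123, S1211-S1212).

Added example, not the patent's own code. MEDIA_FORMAT_FEATURES, the
three supported formats and the field extraction are assumptions; the
candidate types come from the body's structure alone, so a mismatched
Content-Type header cannot steer the body past the parser.
"""
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Media format feature set: (type, structural feature on the body), in
# matching priority order. A body may match more than one feature.
MEDIA_FORMAT_FEATURES = [
    ("json", re.compile(r"^\s*[\[{]")),
    ("xml", re.compile(r"^\s*<(\?xml|[A-Za-z_])")),
    ("form", re.compile(r"^[\w.%+\-\[\]]+=[^&]*(&[\w.%+\-\[\]]+=[^&]*)*$")),
]


def suspected_content_types(body):
    """S1211/S1212: every type whose feature matches, most likely first."""
    return [t for t, feature in MEDIA_FORMAT_FEATURES if feature.search(body)]


def parse_json_fields(body):
    """Flatten a JSON document into {"a.b[0]": "value"} target fields."""
    fields = {}

    def walk(name, value):
        if isinstance(value, dict):
            for key, item in value.items():
                walk(f"{name}.{key}" if name else key, item)
        elif isinstance(value, list):
            for index, item in enumerate(value):
                walk(f"{name}[{index}]", item)
        else:
            fields[name] = "" if value is None else str(value)

    walk("", json.loads(body))
    return fields


def parse_xml_fields(body):
    """Element text and attributes as target fields (tag@attr for attributes)."""
    fields = {}
    for element in ET.fromstring(body).iter():
        fields[element.tag] = (element.text or "").strip()
        for key, value in element.attrib.items():
            fields[f"{element.tag}@{key}"] = value
    return fields


def parse_form_fields(body):
    """application/x-www-form-urlencoded; strict so malformed pairs raise."""
    return dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))


# The "second automata": one parser per request body format.
SECOND_AUTOMATA = {"json": parse_json_fields, "xml": parse_xml_fields,
                   "form": parse_form_fields}


def parse_body_fields(body):
    """S122/S123: try the candidate types in order; the first parser that
    accepts the body wins. Returns (type, fields), or ("unknown", {})."""
    for content_type in suspected_content_types(body):
        try:
            return content_type, SECOND_AUTOMATA[content_type](body)
        except (ValueError, ET.ParseError):
            continue   # the feature matched but the body is not really this format
    return "unknown", {}
```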
【Method embodiment 7】
The method provided by this embodiment includes the whole content of any one of method embodiments 1 to 6, which is not repeated here. In this embodiment, S2 is implemented as follows:
performing deep decoding on the field value of the target field to obtain a final decoded value of the target field.
The final decoded value is the decoding result finally obtained after deep decoding has been performed on a given field value in the request data.
Since in the present invention deep decoding is performed on the field value of the target field in the request data, multi-layer encoding can be handled effectively, which improves decoding capability and in turn improves the accuracy of network attack detection.
【Method embodiment 8】
The method provided by this embodiment includes the whole content of method embodiment 6, which is not repeated here. As shown in Fig. 7, in this embodiment step S2 is implemented as follows:
S21: performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field.
S22: judging whether the intermediate decoded value needs a further decoding operation. If so, S23 is performed; otherwise S24 is performed.
S23: performing a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field, and returning to S22.
S24: determining the intermediate decoded value to be the final decoded value.
An intermediate decoded value is a decoding result obtained in the course of deep decoding.
【Method embodiment 9】
The method provided by this embodiment includes the whole content of method embodiment 8, which is not repeated here. As shown in Fig. 8, in this embodiment step S22 is implemented as follows:
S221: updating a multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value.
S222: judging, according to the result of comparing the updated multi-layer encoding likelihood parameter with a set threshold, whether the intermediate decoded value needs a further decoding operation.
Since in the present invention the likelihood of the current multi-layer encoding is assessed before a decoding operation is performed on the intermediate decoded value, deep decoding of low likelihood can be terminated in time, thereby improving decoding efficiency.
【Method embodiment 10】
The method provided by this embodiment includes the whole content of method embodiment 9, which is not repeated here. As shown in Fig. 9, in this embodiment step S221 is implemented as follows:
S2211: determining the weight of the encoding scheme according to an encoding tree.
S2212: updating the multi-layer encoding likelihood parameter according to the weight.
In the encoding tree, each node is a possible encoding scheme under its parent node, and a node describes the weight of the corresponding encoding scheme. The encoding tree can be built based on network traffic data and the processing mechanism of the web application. Using the encoding tree, a likelihood assessment value can be obtained for each combination of multi-layer encodings; by comparing this assessment value with the set threshold, it can be judged whether a further decoding operation is still needed.
【Method embodiment 11】
The method provided by this embodiment includes the full content of any one of method embodiments 8 to 10, which is not repeated here. As shown in Fig. 10, in this embodiment, processing S21 is implemented as follows:
S211: Matching the field value against a set encoding feature.
S212: Performing, on the field value, the decoding operation corresponding to the encoding feature that matched successfully.
The encoding feature is, for example, a symbol distinctive of a particular encoding scheme, such as "%".
If a decoding operation fails, the corresponding decoding path is terminated, but the other possible decoding schemes continue to be attempted.
Because the present invention matches the field value against a set encoding feature, the encoding scheme can be analysed intelligently, thereby ensuring a good decoding result.
Of course, those skilled in the art may also perform decoding operations on an intermediate decoded value in a similar manner; specifically, the intermediate decoded value is matched against the set encoding feature, and the decoding operation corresponding to the encoding feature that matched successfully is performed on the intermediate decoded value.
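The depth decoding procedure of method embodiments 9 to 11 (match the field value against set encoding features, peel off one layer, update the multi-layer encoding likelihood parameter with the weight taken from the coding tree, cut a path whose likelihood falls below the threshold, and keep trying the other schemes when one decoding operation fails), written out as an added Python example. This code is not from the patent: the three encoding features, the coding tree weights, the unlisted-transition weight and the threshold of 0.2 are constructed for the example, and the recursive walk over decoding paths is one way of realising the loop of S21 and S22.

```python
# Added example: depth decoding with set encoding features and a coding tree.
# Not from the patent; features, weights and threshold are constructed.
import base64
import binascii
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote


class DecodeFailure(Exception):
    """A decoding operation could not be applied; this decoding path ends here."""


def _url_decode(value: str) -> str:
    try:
        # errors="strict" makes an invalid byte sequence a failure, not U+FFFD
        decoded = unquote(value, errors="strict")
    except UnicodeDecodeError as exc:
        raise DecodeFailure(str(exc)) from exc
    if decoded == value:
        raise DecodeFailure("nothing was percent-decoded")
    return decoded


def _html_decode(value: str) -> str:
    decoded = html.unescape(value)
    if decoded == value:
        raise DecodeFailure("no entity was decoded")
    return decoded


def _base64_decode(value: str) -> str:
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise DecodeFailure(str(exc)) from exc


def _looks_like_base64(value: str) -> bool:
    return (len(value) >= 8 and len(value) % 4 == 0
            and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) is not None)


# Set encoding features (S211): the distinctive token of each scheme, paired
# with the decoding operation it selects (S212).  Constructed for this example.
ENCODING_FEATURES: Dict[str, Tuple[Callable[[str], bool], Callable[[str], str]]] = {
    "url": (lambda v: re.search(r"%[0-9A-Fa-f]{2}", v) is not None, _url_decode),
    "html": (lambda v: re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", v) is not None, _html_decode),
    "base64": (_looks_like_base64, _base64_decode),
}

# Coding tree (S2211): under each parent scheme ("root" = the raw field value),
# the child schemes that may follow it, annotated with their weight.  These
# weights are constructed; the patent builds the tree from traffic data and the
# web application's processing mechanism.
CODING_TREE: Dict[str, Dict[str, float]] = {
    "root":   {"url": 0.9, "html": 0.6, "base64": 0.5},
    "url":    {"url": 0.5, "html": 0.7, "base64": 0.4},
    "html":   {"url": 0.6, "html": 0.3, "base64": 0.3},
    "base64": {"url": 0.8, "html": 0.5, "base64": 0.2},
}
UNLISTED_WEIGHT = 0.1  # weight for a transition the tree does not record


@dataclass
class DecodeResult:
    value: str                 # result decoded value (A13)
    path: Tuple[str, ...]      # encoding schemes removed, outermost first
    likelihood: float          # multi-layer encoding likelihood parameter at the end


def depth_decode(field_value: str, threshold: float = 0.2,
                 tree: Dict[str, Dict[str, float]] = CODING_TREE,
                 max_depth: int = 8) -> List[DecodeResult]:
    """Return every result decoded value reachable from field_value."""
    results: List[DecodeResult] = []

    def walk(value: str, parent: str, path: Tuple[str, ...], likelihood: float) -> None:
        progressed = False
        if len(path) < max_depth:
            for scheme, (matches, decode) in ENCODING_FEATURES.items():
                if not matches(value):
                    continue
                # S2212: multiply in the tree weight of parent -> scheme
                updated = likelihood * tree.get(parent, {}).get(scheme, UNLISTED_WEIGHT)
                # S222: below the threshold this layer is judged unlikely; cut it
                if updated < threshold:
                    continue
                try:
                    decoded = decode(value)
                except DecodeFailure:
                    continue  # this path ends, the other schemes are still tried
                progressed = True
                walk(decoded, scheme, path + (scheme,), updated)
        if not progressed:
            # no further decoding: the intermediate value is a result value (A13)
            results.append(DecodeResult(value, path, likelihood))

    walk(field_value, "root", (), 1.0)
    return results


if __name__ == "__main__":
    # base64( url( html("a<b") ) ), constructed for the example
    for r in depth_decode("YSUyNmx0JTNCYg=="):
        print(r.path, repr(r.value), round(r.likelihood, 3))
```

Raising the threshold to 0.5 cuts the second URL layer of a doubly percent-encoded value, so the once-decoded intermediate value is returned as the result; an invalid percent sequence makes the URL decoding operation fail, so that path ends and the original value is returned unchanged.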
【Method embodiment 12】
The method provided by this embodiment includes the full content of any one of method embodiments 1 to 11, which is not repeated here. In this embodiment, the traffic is additionally shaped according to a user-defined traffic restriction rule.
The traffic restriction rule records, for example: request headers that are not allowed to appear, a restriction on the number of request headers, or a restriction on the length of request headers. The user of the product can set a customised traffic restriction rule according to the needs of their own web application.
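A user-defined traffic restriction rule of the kind described above, as an added Python example that is not part of the patent: the rule records disallowed request headers, a header-count limit and a header-line length limit, and is applied to the header block of a raw HTTP/1.1 request before any further inspection. The header names, the limits and the two sample requests are constructed for the example.

```python
# Added example: a user-defined traffic restriction rule applied to the header
# block of a raw HTTP/1.1 request.  Not from the patent; names and limits are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class TrafficRestrictionRule:
    """What the rule records: forbidden headers, a count limit and a length limit."""
    disallowed_headers: FrozenSet[str] = frozenset()   # lower-case header names
    max_header_count: int = 64
    max_header_line_length: int = 8192                  # bytes of "Name: value"


@dataclass(frozen=True)
class Violation:
    kind: str     # "count", "disallowed" or "length"
    detail: str


def parse_header_block(raw_request: str) -> List[Tuple[str, str]]:
    """Split the header lines of a raw request into (name, value) pairs."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:      # line 0 is the request line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def apply_rule(raw_request: str, rule: TrafficRestrictionRule) -> List[Violation]:
    """Evaluate every restriction the rule records and report each violation."""
    headers = parse_header_block(raw_request)
    violations: List[Violation] = []
    if len(headers) > rule.max_header_count:
        violations.append(Violation("count", f"{len(headers)} headers, limit {rule.max_header_count}"))
    for name, value in headers:
        if name.lower() in rule.disallowed_headers:
            violations.append(Violation("disallowed", name))
        # length is measured in bytes, which is what a server buffer sees
        line_length = len(f"{name}: {value}".encode("utf-8"))
        if line_length > rule.max_header_line_length:
            violations.append(Violation("length", f"{name}: {line_length} bytes, limit {rule.max_header_line_length}"))
    return violations


def is_allowed(raw_request: str, rule: TrafficRestrictionRule) -> bool:
    """Traffic shaping decision: a request with any violation is rejected."""
    return not apply_rule(raw_request, rule)


# Constructed rule for a small web application: two debug headers never expected
# in production traffic, at most three headers, and short header lines.
EXAMPLE_RULE = TrafficRestrictionRule(
    disallowed_headers=frozenset({"x-debug-mode", "x-internal-auth"}),
    max_header_count=3,
    max_header_line_length=64,
)

# Constructed sample requests
RAW_OK = ("GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          "User-Agent: demo/1.0\r\nAccept: */*\r\n\r\n")
RAW_BAD = ("GET /index.html HTTP/1.1\r\nHost: example.test\r\nX-Debug-Mode: 1\r\n"
           "Accept: */*\r\nCookie: " + "a" * 100 + "\r\n\r\n")

if __name__ == "__main__":
    for v in apply_rule(RAW_BAD, EXAMPLE_RULE):
        print(v.kind, v.detail)
```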
【Product embodiment 1】
Fig. 11 is a schematic structural diagram of the network attack detection apparatus according to product embodiment 1 of the present invention. Referring to Fig. 11, in this embodiment, the network attack detection apparatus 10 includes: a parsing module 11, a decoding module 12, a risk pre-assessment module 13 and a detection module 14, specifically:
The parsing module 11 is configured to parse a target field from the request data.
The decoding module 12 is configured to decode the field value of the target field parsed by the parsing module 11, to obtain the decoded value of the target field.
The risk pre-assessment module 13 is configured to perform a risk pre-assessment on the request data according to the decoded value obtained by the decoding module 12.
The detection module 14 is configured to perform attack detection on the request data when the risk pre-assessment module 13 determines that the request data carries a risk of network attack.
Because the present invention performs a risk pre-assessment on the request data before attack detection is carried out, network attack detection of normal request data can be terminated in time, thereby improving the efficiency of network attack detection.
【Product embodiment 2】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 1, which is not repeated here. As shown in Fig. 12, in this embodiment, the risk pre-assessment module 13 includes: a recognition unit 131 and a risk determining unit 132, specifically:
The recognition unit 131 is configured to use an automaton to recognise whether the decoded value contains a network attack feature.
The risk determining unit 132 is configured to determine that the request data carries a risk of network attack when the recognition unit 131 recognises that the decoded value contains a network attack feature.
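The two-stage structure of product embodiments 1 and 2 (a cheap risk pre-assessment of the decoded value by an automaton, and the full attack detection only for request data the pre-assessment flags), as an added Python example that is not taken from the patent. The automaton is an Aho-Corasick matcher over a small constructed set of attack features; the stand-in "full detection" rules, the sample decoded values and the assumption that the expensive stage can be skipped entirely for unflagged values are likewise constructed for illustration.

```python
# Added example: risk pre-assessment with an automaton, gating the full attack
# detection (product embodiments 1 and 2).  Not from the patent; features and
# rules are constructed for illustration.
import re
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple


class FeatureAutomaton:
    """Aho-Corasick automaton: one pass over the text finds every feature in it."""

    def __init__(self, features: Iterable[str]) -> None:
        self.goto: List[Dict[str, int]] = [{}]   # trie transitions per state
        self.out: List[Set[str]] = [set()]       # features recognised at a state
        self.fail: List[int] = [0]               # failure links
        for feature in features:
            node = 0
            for ch in feature.lower():
                nxt = self.goto[node].get(ch)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                    self.goto[node][ch] = nxt
                node = nxt
            self.out[node].add(feature)
        # failure links by breadth-first traversal of the trie
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def scan(self, text: str) -> Set[str]:
        node, found = 0, set()
        for ch in text.lower():
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            found |= self.out[node]
        return found


# Constructed network attack features for the pre-screen (short and generic on purpose).
ATTACK_FEATURES = ("<script", "union select", "../")
PRE_SCREEN = FeatureAutomaton(ATTACK_FEATURES)

# Constructed stand-in for the full (slower, more precise) detection rule set.
FULL_RULES = {
    "xss_script_tag": re.compile(r"<\s*script\b[^>]*>", re.IGNORECASE),
    "sqli_union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.IGNORECASE),
    "path_traversal": re.compile(r"(?:\.\./){2,}"),
}


def risk_pre_assess(decoded_value: str) -> Set[str]:
    """Recognition unit 131: which attack features the automaton sees in the decoded value."""
    return PRE_SCREEN.scan(decoded_value)


def full_detection(decoded_value: str) -> List[str]:
    """Detection module 14: names of the full rules that fire."""
    return [name for name, rule in FULL_RULES.items() if rule.search(decoded_value)]


def inspect_request(decoded_value: str) -> Tuple[bool, List[str]]:
    """Return (judged risky by pre-assessment, rules fired by full detection).

    Normal request data leaves at the first stage: full detection is skipped.
    """
    if not risk_pre_assess(decoded_value):      # risk determining unit 132
        return False, []
    return True, full_detection(decoded_value)
```

The pre-screen is deliberately coarse: a value containing a single `../` is flagged as risky and handed to full detection, which then fires no rule. That is the intended division of labour, since the first stage only has to decide cheaply which request data deserves the second stage.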
【Product embodiment 3】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 1 or product embodiment 2, which is not repeated here. In this embodiment, the parsing module 11 parses the target field from the request data specifically in the following manner: the target field is parsed from the request data by an automaton.
Because the present invention parses the request data with an automaton, the parsing of the request data can be executed efficiently.
【Product embodiment 4】
Fig. 13 is a schematic structural diagram of the network attack detection apparatus according to product embodiment 4 of the present invention. In this embodiment, the direct carrier of the target field may be the request data itself, or a field value within the request data. Correspondingly, as shown in Fig. 13, the network attack detection apparatus 10' includes: a parsing module 11', a parsing module 12', a decoding module 13', a risk pre-assessment module 14' and a detection module 15', specifically:
The parsing module 11' is configured to parse the target field directly from the request data by a first automaton when the direct carrier of the target field is the request data.
The parsing module 12' is configured to parse the target field from the request data by the first automaton and a second automaton when the direct carrier of the target field is a field value within the request data. Specifically, as shown in Fig. 14, the parsing module 12' includes: a carrier field parsing unit 121' and a target field parsing unit 122', specifically:
The carrier field parsing unit 121' is configured to parse a carrier field from the request data by the first automaton.
The target field parsing unit 122' is configured to parse the target field, by the second automaton, from the field value of the carrier field parsed by the carrier field parsing unit 121'.
The decoding module 13', the risk pre-assessment module 14' and the detection module 15' correspond respectively to the decoding module 12, the risk pre-assessment module 13 and the detection module 14 of product embodiment 1, and are not repeated here.
【Product embodiment 5】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 4, which is not repeated here. As shown in Fig. 15, in this embodiment, the network attack detection apparatus 10' further includes: a first automaton construction module 16' and a second automaton construction module 17', specifically:
The first automaton construction module 16' is configured to construct the first automaton based on the communication standard corresponding to the request data.
The second automaton construction module 17' is configured to construct the second automaton based on the communication standard corresponding to the carrier field.
【Product embodiment 6】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 5, which is not repeated here. The carrier field includes, for example, a request body field; correspondingly, as shown in Fig. 16, the second automaton construction module 17' includes: a communication standard determining unit 171' and a construction unit 172', specifically:
The communication standard determining unit 171' is configured to determine one or more request body communication standards from the dimension of content type.
The construction unit 172' is configured to construct one or more second automata corresponding to the one or more request body communication standards determined by the communication standard determining unit 171'.
【Product embodiment 7】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 6, which is not repeated here. As shown in Fig. 17, the target field parsing unit 122' includes: a content type determining component 1221', a selecting component 1222' and a parsing component 1223', specifically:
The content type determining component 1221' is configured to determine the suspected content type of the request body field.
The selecting component 1222' is configured to select the second automaton according to the suspected content type determined by the content type determining component 1221'.
The parsing component 1223' is configured to parse the target field from the field value of the request body field by the second automaton selected by the selecting component 1222'.
Because the present invention analyses the possible content type of the request body and performs the parsing corresponding to the analysed content type, it can effectively prevent an attacker from using the protocol to bypass attack detection.
【Product embodiment 8】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 7, which is not repeated here. As shown in Fig. 18, in this embodiment, the content type determining component 1221' includes: a matching sub-component 12211' and a determining sub-component 12212', specifically:
The matching sub-component 12211' is configured to match the field value of the request body field against set media format features.
The determining sub-component 12212' is configured to determine the suspected content type of the request body field according to the media format feature that the matching sub-component 12211' matched successfully.
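Product embodiments 4 to 8 put together as an added Python example (not the patent's code): a first automaton splits a raw HTTP/1.1 request into request line, headers and body (the carrier field); the body's suspected content type is determined by matching it against media format features rather than by trusting the Content-Type header; and the second automaton chosen for that type parses the target fields out of the body. The media format features, the two body parsers and the sample requests are constructed for the example.

```python
# Added example: first automaton over the raw request, media format features to
# determine the body's suspected content type, second automaton chosen by that
# type (product embodiments 4 to 8).  Not from the patent; features, parsers and
# sample requests are constructed.
import json
import re
from typing import Any, Callable, Dict, List, Tuple

Field = Tuple[str, str]

# Media format features (constructed): surface features distinctive of a body
# format, checked in order.  The body is judged by what it looks like, not by
# what the Content-Type header claims.
MEDIA_FORMAT_FEATURES: List[Tuple[str, Any]] = [
    ("json", re.compile(r"\A\s*[\[{]")),
    ("xml", re.compile(r"\A\s*<(?:\?xml|[A-Za-z_][\w.-]*[\s>/])")),
    ("multipart", re.compile(r"\A\s*--[^\r\n]+\r?\n")),
    ("urlencoded", re.compile(r"\A[^=&\s]+=[^&\s]*(?:&[^=&\s]+=[^&\s]*)*\Z")),
]


def parse_request(raw: str) -> Tuple[str, List[Field], str]:
    """First automaton: request line, (lower-cased name, value) headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def suspected_content_type(body: str) -> str:
    """Matching sub-component 12211' and determining sub-component 12212'."""
    for name, pattern in MEDIA_FORMAT_FEATURES:
        if pattern.search(body):
            return name
    return "unknown"


def _flatten_json(obj: Any, prefix: str, out: List[Field]) -> None:
    if isinstance(obj, dict):
        for key, val in obj.items():
            _flatten_json(val, f"{prefix}.{key}" if prefix else str(key), out)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            _flatten_json(val, f"{prefix}[{idx}]", out)
    else:
        out.append((prefix, obj if isinstance(obj, str) else json.dumps(obj)))


def parse_json_fields(body: str) -> List[Field]:
    """Second automaton for JSON bodies: every leaf becomes a target field."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return [("body", body)]
    out: List[Field] = []
    _flatten_json(data, "", out)
    return out


def parse_urlencoded_fields(body: str) -> List[Field]:
    """Second automaton for form bodies.  Values are left percent-encoded so the
    decoding stage, not the parser, decides how many layers to remove."""
    fields: List[Field] = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.append((name, value))
    return fields


SECOND_AUTOMATA: Dict[str, Callable[[str], List[Field]]] = {
    "json": parse_json_fields,
    "urlencoded": parse_urlencoded_fields,
}


def extract_target_fields(raw_request: str) -> Dict[str, Any]:
    """Selecting component 1222' and parsing component 1223' end to end."""
    _line, headers, body = parse_request(raw_request)
    suspected = suspected_content_type(body)
    parser = SECOND_AUTOMATA.get(suspected, lambda b: [("body", b)] if b else [])
    return {
        "declared": dict(headers).get("content-type", ""),
        "suspected": suspected,
        "fields": parser(body),
    }


# Constructed sample requests.  The second declares a form body but carries JSON.
RAW_FORM = ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\n\r\n"
            "user=alice&token=a%3Db")
RAW_MISMATCH = ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                '{"user": "alice", "tags": ["a", "b"]}')
```

For the second sample the declared and suspected types disagree; the JSON parser is chosen on the strength of the body itself, so the fields inside it reach the decoding and detection stages instead of being treated as one opaque form field.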
【Product embodiment 9】
The network attack detection apparatus provided by this embodiment includes the full content of any one of product embodiments 1 to 3, which is not repeated here. In this embodiment, the decoding module 12 decodes the field value of the target field to obtain the decoded value of the target field specifically in the following manner: depth decoding is performed on the field value of the target field to obtain the result decoded value of the target field.
Because the present invention performs depth decoding on the field value of the target field in the request data, the case of multi-layer encoding can be handled effectively, the decoding capability is improved, and in turn the accuracy of network attack detection is improved.
【Product embodiment 10】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 9, which is not repeated here. As shown in Fig. 19, in this embodiment, the decoding module 12 includes: a first decoding unit 121, a judging unit 122 and a second decoding unit 123, specifically:
The first decoding unit 121 is configured to perform a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field.
The judging unit 122 is configured to judge whether the intermediate decoded value obtained by the first decoding unit 121 or the second decoding unit 123 needs a further decoding operation.
The second decoding unit 123 is configured to perform a decoding operation on the intermediate decoded value, when the judging unit 122 judges that a further decoding operation is needed, to obtain another intermediate decoded value of the target field.
【Product embodiment 11】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 10, which is not repeated here. In this embodiment, the decoding module 12 further includes: a result decoded value determining unit, specifically:
The result decoded value determining unit is configured to determine that the intermediate decoded value is the result decoded value when the judging unit 122 judges that no further decoding operation is needed.
【Product embodiment 12】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 10 or product embodiment 11, which is not repeated here. As shown in Fig. 20, in this embodiment, the judging unit 122 includes: an updating component 1221 and a determining component 1222, specifically:
The updating component 1221 is configured to update the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value.
The determining component 1222 is configured to judge whether the intermediate decoded value needs a further decoding operation according to a comparison between the multi-layer encoding likelihood parameter updated by the updating component 1221 and a set threshold.
Because the present invention assesses the likelihood of the current multi-layer encoding before a decoding operation is performed on the intermediate decoded value, depth decoding with a low likelihood can be terminated in time, thereby improving decoding efficiency.
【Product embodiment 13】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 12, which is not repeated here. As shown in Fig. 21, in this embodiment, the updating component 1221 includes: a weight determining sub-component 12211 and an updating sub-component 12212, specifically:
The weight determining sub-component 12211 is configured to determine the weight value of the encoding scheme according to a coding tree.
The updating sub-component 12212 is configured to update the multi-layer encoding likelihood parameter according to the weight value determined by the weight determining sub-component 12211.
【Product embodiment 14】
The network attack detection apparatus provided by this embodiment includes the full content of product embodiment 13, which is not repeated here. In this embodiment, the network attack detection apparatus 10 further includes: a construction module, specifically:
The construction module is configured to build the coding tree based on network traffic data and the processing mechanism of the web application.
【Product embodiment 15】
The network attack detection apparatus provided by this embodiment includes the full content of any one of product embodiments 10 to 14, which is not repeated here. As shown in Fig. 22, in this embodiment, the first decoding unit 121 includes: a matching component 1211 and a decoding component 1212, specifically:
The matching component 1211 is configured to match the field value against a set encoding feature.
The decoding component 1212 is configured to perform, on the field value, the decoding operation corresponding to the encoding feature that the matching component 1211 matched successfully.
Because the present invention matches the field value against a set encoding feature, the encoding scheme can be analysed intelligently, thereby ensuring a good decoding result.
Embodiments of the present invention further provide a terminal device, including a memory and a processor; wherein the memory is configured to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method according to any one of method embodiments 1 to 12.
In addition, embodiments of the present invention further provide a computer storage medium for storing one or more computer instructions, wherein the one or more computer instructions, when executed, implement the method according to any one of method embodiments 1 to 12.
Those skilled in the art will clearly understand that the present invention may be implemented entirely in software, or in software combined with a hardware platform. Based on this understanding, the part of the technical solution of the present invention that contributes over the background art may be embodied, in whole or in part, in the form of a software product. The computer software product may be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a smartphone, a network device or the like) to perform the method described in each embodiment of the present invention or in certain parts of the embodiments.
Words such as "software" used herein refer, in a general sense, to any type of computer code or set of computer-executable instructions that can be run to make a computer or other processor implement the various aspects of the technical solution described above. Furthermore, it should be noted that, according to one aspect of the embodiments, the one or more computer programs implementing the method of the technical solution need not run on a single computer or processor when executed, but may be distributed in modules across multiple computers or processors to perform the various aspects of the technical solution of the present invention.
Computer-executable instructions may take many forms, such as program modules, and may be executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures and the like that perform specific tasks or implement specific abstract data types. In particular, in the various embodiments, the operations performed by the program modules may be combined or split according to the needs of each different embodiment.
Moreover, the technical solution of the present invention may be embodied as a method, and at least one example of the method has been provided. The actions performed as part of the method may be carried out in any suitable order. Therefore, embodiments may be configured in which actions are performed in an order different from the one shown, which may include performing some actions simultaneously (even though in the illustrated embodiments these actions are sequential).
Definitions given and used herein shall be understood with reference to dictionary definitions, definitions in documents incorporated by reference, and/or their ordinary meanings.
In the claims and in the above description, all transitional phrases, such as "comprising", "having", "including", "carrying", "involving", "consisting mainly of" and similar words, are to be understood as open-ended, that is, as including but not limited to.
The terms and wording used in the description of the present invention are for illustration only and are not intended to be limiting. Those skilled in the art should appreciate that various changes may be made to the details of the above embodiments without departing from the general principles of the disclosed embodiments. Therefore, the scope of the present invention is determined only by the claims, in which, unless otherwise indicated, all terms are to be understood in their broadest reasonable meaning.
Having described various embodiments of the present invention in detail above, the aspects or features of the technical solutions of the embodiments are described below in another form, without being limited to the following series of paragraphs; for clarity, some or all of these paragraphs may be designated alphanumerically. Each of these paragraphs may be combined in any suitable manner with the content of one or more other paragraphs. Without limiting the examples of some suitable combinations, some of the paragraphs below specifically refer to and further limit other paragraphs.
A1. A method for detecting a network attack, the method comprising:
parsing a target field from request data;
decoding the field value of the target field to obtain a decoded value of the target field;
performing a risk pre-assessment on the request data according to the decoded value;
if the risk pre-assessment determines that the request data carries a risk of network attack, performing attack detection on the request data.
A2. The method according to A1, wherein performing the risk pre-assessment on the request data according to the decoded value comprises:
using an automaton to recognise whether the decoded value contains a network attack feature;
if the decoded value contains a network attack feature, determining that the request data carries a risk of network attack.
A3. The method according to A1 or A2, wherein parsing the target field from the request data comprises:
parsing the target field from the request data by an automaton.
A4. The method according to A3, wherein parsing the target field from the request data by an automaton comprises:
parsing the target field directly from the request data by a first automaton.
A5. The method according to A3, wherein parsing the target field from the request data by an automaton comprises:
parsing a carrier field from the request data by a first automaton;
parsing the target field from the field value of the carrier field by a second automaton.
A6. The method according to A4 or A5, further comprising:
constructing the first automaton based on a communication standard corresponding to the request data.
A7. The method according to A5, further comprising:
constructing the second automaton based on a communication standard corresponding to the carrier field.
A8. The method according to A7, wherein constructing the second automaton based on the communication standard corresponding to the carrier field comprises:
determining one or more request body communication standards from the dimension of content type;
constructing one or more second automata corresponding to the one or more request body communication standards.
A9. The method according to A8, wherein parsing the target field from the field value of the carrier field by the second automaton comprises:
determining a suspected content type of the request body field;
selecting a second automaton according to the suspected content type;
parsing the target field from the field value of the request body field by the selected second automaton.
A10. The method according to A9, wherein determining the suspected content type of the request body field comprises:
matching the field value of the request body field against set media format features;
determining the suspected content type of the request body field according to the media format feature that matched successfully.
A11. The method according to A1 or A2, wherein decoding the field value of the target field to obtain the decoded value of the target field comprises:
performing depth decoding on the field value of the target field to obtain a result decoded value of the target field.
A12. The method according to A11, wherein performing depth decoding on the field value of the target field comprises:
performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
judging whether the intermediate decoded value needs a further decoding operation;
if a further decoding operation is needed, performing a decoding operation on the intermediate decoded value to obtain another intermediate decoded value of the target field, and returning to the step of judging whether the intermediate decoded value needs a further decoding operation.
A13. The method according to A12, wherein performing depth decoding on the field value of the target field further comprises:
if no further decoding operation is needed, determining that the intermediate decoded value is the result decoded value.
A14. The method according to A12, wherein judging whether the intermediate decoded value needs a further decoding operation comprises:
updating a multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
judging, from a comparison between the updated multi-layer encoding likelihood parameter and a set threshold, whether the intermediate decoded value needs a further decoding operation.
A15. The method according to A14, wherein updating the multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value comprises:
determining the weight value of the encoding scheme according to a coding tree;
updating the multi-layer encoding likelihood parameter according to the weight value.
A16. The method according to A15, further comprising:
building the coding tree based on network traffic data and the processing mechanism of the web application.
A17. The method according to any one of A12 to A16, wherein performing a decoding operation on the field value of the target field comprises:
matching the field value against a set encoding feature;
performing, on the field value, the decoding operation corresponding to the encoding feature that matched successfully.
B18. An apparatus for detecting a network attack, the apparatus comprising:
a parsing module, configured to parse a target field from request data;
a decoding module, configured to decode the field value of the target field to obtain a decoded value of the target field;
a risk pre-assessment module, configured to perform a risk pre-assessment on the request data according to the decoded value;
a detection module, configured to perform attack detection on the request data when the risk pre-assessment determines that the request data carries a risk of network attack.
B19. The apparatus according to B18, wherein the risk pre-assessment module comprises:
a recognition unit, configured to use an automaton to recognise whether the decoded value contains a network attack feature;
a risk determining unit, configured to determine that the request data carries a risk of network attack when the decoded value contains a network attack feature.
B20. The apparatus according to B18 or B19, wherein the parsing module parses the target field from the request data in the following manner: parsing the target field from the request data by an automaton.
B21. The apparatus according to B20, wherein the parsing module parses the target field from the request data by an automaton in the following manner: parsing the target field directly from the request data by a first automaton.
B22. The apparatus according to B20, wherein the parsing module comprises:
a carrier field parsing unit, configured to parse a carrier field from the request data by a first automaton;
a target field parsing unit, configured to parse the target field from the field value of the carrier field by a second automaton.
B23. The apparatus according to B21 or B22, further comprising:
a first automaton construction module, configured to construct the first automaton based on a communication standard corresponding to the request data.
B24. The apparatus according to B22, further comprising:
a second automaton construction module, configured to construct the second automaton based on a communication standard corresponding to the carrier field.
B25. The apparatus according to B24, wherein the second automaton construction module comprises:
a communication standard determining unit, configured to determine one or more request body communication standards from the dimension of content type;
a construction unit, configured to construct one or more second automata corresponding to the one or more request body communication standards.
B26. The apparatus according to B25, wherein the target field parsing unit comprises:
a content type determining component, configured to determine a suspected content type of the request body field;
a selecting component, configured to select a second automaton according to the suspected content type;
a parsing component, configured to parse the target field from the field value of the request body field by the selected second automaton.
B27. The apparatus according to B26, wherein the content type determining component comprises:
a matching sub-component, configured to match the field value of the request body field against set media format features;
a determining sub-component, configured to determine the suspected content type of the request body field according to the media format feature that matched successfully.
B28. The apparatus according to B18 or B19, wherein the decoding module decodes the field value of the target field to obtain the decoded value of the target field in the following manner: performing depth decoding on the field value of the target field to obtain a result decoded value of the target field.
B29. The apparatus according to B28, wherein the decoding module comprises:
a first decoding unit, configured to perform a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field;
a judging unit, configured to judge whether the intermediate decoded value needs a further decoding operation;
a second decoding unit, configured to perform a decoding operation on the intermediate decoded value, when a further decoding operation is needed, to obtain another intermediate decoded value of the target field.
B30. The apparatus according to B29, wherein the decoding module further comprises:
a result decoded value determining unit, configured to determine that the intermediate decoded value is the result decoded value when no further decoding operation is needed.
B31. The apparatus according to B29, wherein the judging unit comprises:
an updating component, configured to update a multi-layer encoding likelihood parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value;
a determining component, configured to judge whether the intermediate decoded value needs a further decoding operation according to a comparison between the updated multi-layer encoding likelihood parameter and a set threshold.
B32. The apparatus according to B31, wherein the updating component comprises:
a weight determining sub-component, configured to determine the weight value of the encoding scheme according to a coding tree;
an updating sub-component, configured to update the multi-layer encoding likelihood parameter according to the weight value.
B33. The apparatus according to B32, further comprising:
a construction module, configured to build the coding tree based on network traffic data and the processing mechanism of the web application.
B34. The apparatus according to any one of B29 to B33, wherein the first decoding unit comprises:
a matching component, configured to match the field value against a set encoding feature;
a decoding component, configured to perform, on the field value, the decoding operation corresponding to the encoding feature that matched successfully.
C35. A terminal device, comprising a memory and a processor; wherein the memory is configured to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method according to any one of A1 to A17.
D36. A computer storage medium for storing one or more computer instructions, wherein the one or more computer instructions, when executed, implement the method according to any one of A1 to A17.