CN108282446B - Method and apparatus for identifying scanner - Google Patents

Publication number
CN108282446B
Authority
CN
China
Prior art keywords
user equipment
scanner
time
event
triggered
Legal status
Active
Application number
CN201710010591.4A
Other languages
Chinese (zh)
Other versions
CN108282446A (en)
Inventor
任宏伟
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Events
Application filed by Alibaba Group Holding Ltd
Priority to CN201710010591.4A
Publication of CN108282446A
Application granted
Publication of CN108282446B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis


Abstract

The present application provides a scheme for identifying a scanner, aimed at the problems in the prior art of poor generality and frequent false alarms. When an attack request from user equipment is identified, the scheme triggers an interception event and sends an error prompt page to the user equipment. A buried point (a tracking beacon) related to the attack request is added to the error prompt page; the buried point cannot be triggered by a scanner but is triggered by a normal user. Whether the user equipment is a scanner is therefore judged from whether it triggers the buried point after sending the attack request. The scheme does not rely on the fingerprint characteristics of any specific scanner, so it applies generally, and even if a false interception occurs, a normal user avoids a false alarm by triggering the buried point.

Description

Method and apparatus for identifying scanner
Technical Field
The application relates to the technical field of information, in particular to a scheme for identifying a scanner.
Background
With the development of public cloud technology, deploying Web applications based on HTTP (HyperText Transfer Protocol) has become increasingly common, and Web-level attacks such as XSS (cross-site scripting) and SQL (Structured Query Language) injection are increasingly common as well.
Because a public cloud environment is open, a vulnerability that is not repaired in time can quickly be discovered and exploited by an attacker, bringing great security risk. Attackers often use scanners to send large numbers of offensive access requests built on the characteristics of common known or unknown vulnerabilities, and then judge from the Web application's responses whether an exploitable vulnerability exists.
At present, the common security product for Web applications is the WAF (Web Application Firewall). Before launching an attack, an attacker usually scans first with a scanner (such as WVS, AppScan, webattack and the like), probes the WAF protection policy, and then launches a targeted attack.
For most websites the number of access requests coming from scanners is large. If the WAF can identify and intercept scanner requests, the traffic the WAF has to inspect shrinks and its performance consumption drops. Two methods of identifying scanners are common: fingerprint identification and frequency statistics.
Fingerprint identification means that security personnel collect fingerprint characteristics of common scanners and then match them. For example, the request headers of WVS contain key-value pairs named Acunetix-Aspect, Acunetix-Aspect-Password and Acunetix-Aspect-query, and its URLs (Uniform Resource Locators) contain the feature value acunetix_wvs_security_test. When a request is received these features are checked, and whether the request comes from a scanner can be determined. However, this approach relies mainly on the experience of security personnel: it requires knowledge of most scanners and the collection of enough scanner access logs to analyse and extract features, so it is not general.
Frequency statistics means counting, per IP (Internet Protocol) address or per Cookie (browser cache), the number of times the WAF intercepts within a certain time, and identifying the source as a scanner and intercepting it once the count exceeds a set threshold. Alternatively, the number of access requests from a single IP address per unit time whose HTTP response status code is 404 is counted, and the IP address is identified as a scanner when that count exceeds a threshold. The defect of this scheme is that a normal user who repeatedly hits a WAF interception rule is identified as a scanner, so false alarms easily occur.
Content of application
The object of the present application is to provide a solution for identifying a scanner that solves the lack of generality and the frequent false alarms of the prior art.
To achieve this object, the present application provides a method of identifying a scanner, the method comprising:
when an attack request from user equipment is identified, triggering an interception event and sending an error prompt page to the user equipment, wherein the error prompt page comprises a buried point related to the interception event and the buried point cannot be triggered by a scanner;
and determining whether the user equipment is a scanner according to whether the user equipment triggers the buried point.
In one embodiment, determining whether the user equipment is a scanner according to whether the user equipment triggers the buried point includes:
determining user equipment whose number of non-trigger events is greater than or equal to a preset number as a scanner, wherein a non-trigger event is that the user equipment does not trigger the buried point related to an interception event.
In one embodiment, determining user equipment whose number of non-trigger events is greater than or equal to a preset number as a scanner includes:
determining user equipment whose number of non-trigger events within a first preset time period is greater than or equal to the preset number as a scanner.
In one embodiment, determining whether the user equipment is a scanner according to whether the user equipment triggers the buried point includes:
determining user equipment for which a non-trigger event exists as a scanner, wherein a non-trigger event is that the user equipment does not trigger the buried point related to the interception event.
In one embodiment, the method further comprises:
when confirming whether a buried point request from the user equipment has been received, acquiring a second time at which the buried point request was received;
and determining that a non-trigger event of the user equipment has occurred when the difference between the second time and a first time exceeds the duration of a second preset time period, or the second time is null, wherein the first time is the time at which the interception event was triggered.
In one embodiment, after determining that the user equipment is a scanner, the method further includes:
rejecting access requests from the user equipment.
According to another aspect of the present application, there is also provided an apparatus for identifying a scanner, the apparatus including:
an intercepting means, configured to trigger an interception event and send an error prompt page to user equipment when an attack request from the user equipment is identified, wherein the error prompt page comprises a buried point related to the interception event and the buried point cannot be triggered by a scanner;
and an identifying means, configured to determine whether the user equipment is a scanner according to whether the user equipment triggers the buried point.
In an embodiment, the identifying means is configured to determine user equipment whose number of non-trigger events is greater than or equal to a preset number as a scanner, where a non-trigger event is that the user equipment does not trigger the buried point related to an interception event.
In an embodiment, the identifying means is configured to determine user equipment whose number of non-trigger events within a first preset time period is greater than or equal to the preset number as a scanner.
In one embodiment, the identifying means is configured to determine user equipment for which a non-trigger event exists as a scanner, where a non-trigger event is that the user equipment has not triggered the buried point related to the interception event.
In an embodiment, the identifying means is further configured to, when confirming whether a buried point request from the user equipment has been received, obtain a second time at which the buried point request was received; and to determine that a non-trigger event of the user equipment has occurred when the difference between the second time and a first time exceeds the duration of a second preset time period, or the second time is null, wherein the first time is the time at which the interception event was triggered.
In one embodiment, the intercepting means is further configured to reject access requests from the user equipment after the user equipment is determined to be a scanner.
An embodiment of the present application further provides an apparatus for identifying a scanner, where the apparatus includes:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to: when an attack request from user equipment is identified, trigger an interception event and send an error prompt page to the user equipment, wherein the error prompt page comprises a buried point related to the interception event and the buried point cannot be triggered by a scanner; and determine whether the user equipment is a scanner according to whether the user equipment triggers the buried point.
Compared with the prior art, the technical scheme provided by the present application triggers an interception event and sends an error prompt page to the user equipment when an attack request from the user equipment is identified. A buried point related to the attack request is added to the error prompt page; it cannot be triggered by a scanner but is triggered by a normal user, so whether the user equipment is a scanner is judged from whether the buried point is triggered after the user equipment sends the attack request. The scheme does not rely on the fingerprint characteristics of any specific scanner, so it applies generally, and even if a false interception occurs, a normal user avoids a false alarm by triggering the buried point.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is a process flow diagram of a method for identifying a scanner according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of an apparatus for identifying a scanner according to an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating the detection process of a WAF-implemented scanner identification according to an embodiment of the present application;
FIG. 4 is a schematic diagram of interception data records in a log repository;
FIG. 5 is a schematic structural diagram of another apparatus for identifying a scanner according to an embodiment of the present application;
the same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the attached figures.
In a typical configuration of the present application, the terminal and the devices serving the network each include one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
An embodiment of the present application provides a method for identifying a scanner, which can be applied to a device (such as a WAF) that protects a Web server and is used to identify scanners accurately. Taking a WAF as the example, the processing flow of the method, shown in FIG. 1, comprises the following steps:
Step S101: when the WAF identifies an attack request from the user equipment, it triggers an interception event and sends an error prompt page to the user equipment. The error prompt page is usually a static page whose function is to tell the user equipment that the access request it sent was identified as an attack request and intercepted.
In this embodiment a buried point (a tracking beacon) related to the interception event is added to the error prompt page; its characteristic is that it is not triggered by a scanner but is triggered by a normal user. Once the buried point has been added to the conventional error prompt page, the buried point is triggered whenever a normal user opens the page containing it in a browser.
In a real scenario a normal user accesses the Web application through a browser, so the returned error prompt page is opened normally by the browser and the buried point in it is triggered. A scanner, by contrast, is a program tool that does not process the error prompt page: the returned page is never opened normally in a browser, so the buried point in it is not triggered.
Step S102: the WAF determines whether the user equipment is a scanner according to whether the user equipment triggers the buried point. Because the buried point has the characteristic just described, whether the user equipment is a scanner can be judged from how the buried point is or is not triggered after the user equipment sends the attack request. The scheme does not rely on the fingerprint characteristics of any specific scanner, so it applies generally, and even if a false interception occurs, a normal user avoids a false alarm by triggering the buried point.
Taking the error prompt page provided in this embodiment as an example, the buried point may be a buried point link, for example https://errors. After the user equipment receives the error prompt page containing the buried point link and opens it in a browser, the buried point is triggered and a buried point request is sent to https://errors. The buried point request corresponds one to one with the intercepted attack request that triggered it: if the access log entry for the buried point request is obtained, it can be determined which attack request's buried point the user equipment triggered, and if no such entry exists, the user equipment did not trigger the corresponding buried point.
For example, in this embodiment the waf_id 1001 in the buried point link is an interception event number, which uniquely identifies the interception event triggered by an attack request and ensures that each buried point request corresponds one to one with the interception event triggered by an attack request. The WAF can therefore learn whether the user equipment triggered the buried point by obtaining the access log of buried point requests to https://errors. The host of the buried point link may be a server dedicated to receiving the access log of buried point requests; after recording an entry, that server notifies the WAF of the relevant information, so that the WAF learns whether the user equipment triggered the buried point.
Based on the characteristic that a buried point cannot be triggered by a scanner, one specific strategy for identifying a scanner provided by this embodiment is: determine user equipment for which a non-trigger event exists as a scanner, where a non-trigger event is that the user equipment did not trigger the buried point related to an interception event.
Combined with the way the buried point link triggers the buried point request in this embodiment, the process of determining whether a non-trigger event occurred may be as follows. First, when it confirms whether a buried point request from the user equipment has been received, the WAF obtains the second time, the time at which the buried point request was received. For example, for attack request AR1 the waf_id of the triggered interception event is 1002 and the time the interception event was triggered is recorded as the first time; when the WAF triggers the interception event it generates an error prompt page containing a buried point that carries waf_id 1002, so the resulting buried point request carries this value too. If the user equipment triggers the buried point request, the WAF can thus determine from the access log of that request that the user equipment triggered the buried point corresponding to interception event 1002. In the other case the WAF never receives a buried point request from the user equipment, and the second time is null and cannot be obtained.
Then, when the difference between the second time and the first time exceeds the duration of a second preset time period, or the second time is null, the WAF confirms that a non-trigger event of the user equipment has occurred. The second preset time period may start at the first time; its duration is generally long enough for the user equipment to receive the error prompt page and finish sending the buried point request, so as to keep the judgement accurate. In a real scenario the WAF may decide at the end of the second preset time period whether a non-trigger event occurred, i.e. whether the user equipment triggered the buried point of that interception event.
Of the two cases above, if the user equipment did send a buried point request, the difference between the second time and the first time is computed and compared with the duration of the second preset time period. If the user equipment did not send a buried point request, the second time cannot be obtained and is null, so the WAF confirms that no buried point request was received and a non-trigger event occurred. For example, the relevant information recorded by the WAF is shown in table 1:
time      waf_id  src_ip   access_time
12:00:00  1003    1.1.1.1  12:00:05
12:00:01  1004    2.2.2.2  12:00:02
12:00:02  1005    3.3.3.3  (empty)
TABLE 1
Here time is the first time, at which the interception event was triggered; waf_id is the interception event number; src_ip is the IP address of the user equipment and identifies it; and access_time is the second time, at which the buried point request was received. Assume the second preset time period in this embodiment is 3 seconds from the first time. For interception event 1003, the difference between the second time and the first time exceeds the duration of the second preset time period, so it is determined that the user equipment with IP address 1.1.1.1 did not trigger the buried point related to that interception event, and a non-trigger event corresponding to interception event 1003 occurred. For interception event 1004, the difference does not exceed the duration of the second preset time period, so the user equipment with IP address 2.2.2.2 is determined to have triggered the buried point, and no non-trigger event corresponding to interception event 1004 occurred. For interception event 1005, the second time is empty, so the buried point request from the user equipment is considered not received, and a non-trigger event corresponding to interception event 1005 occurred.
The above strategy for identifying a scanner can have a problem: in a few cases a normal user may also fail to trigger the buried point. For example, the normal user closes the browser before the error prompt page arrives, so the buried point in it cannot be triggered; or the network is interrupted before the user equipment sends the buried point request; or, because of network delay, the buried point request sent by the user equipment arrives only after the second preset time period; and so on. In these cases the above strategy may misjudge.
This embodiment therefore provides another strategy for identifying a scanner: determine user equipment whose number of non-trigger events is greater than or equal to a preset number as a scanner. This strategy contains two conditions: first, a non-trigger event exists for the user equipment; second, non-trigger events of that user equipment occurred multiple times. Thus the scheme identifies a scanner only after the buried point has gone untriggered multiple times, and in a real scenario the probability that a normal user sends multiple attack requests and fails to trigger the buried point each time is low, so the scheme in this embodiment reduces possible misjudgement and further improves identification accuracy.
Taking the information shown in table 2 as an example:
time      waf_id  src_ip   access_time
12:00:00  1003    1.1.1.1  (empty)
12:00:01  1004    1.1.1.1  (empty)
12:00:02  1005    1.1.1.1  (empty)
12:00:03  1006    2.2.2.2  12:00:10
12:00:05  1007    1.1.1.1  (empty)
12:00:06  1008    2.2.2.2  12:00:07
12:00:10  1008    2.2.2.2  (empty)
TABLE 2
Counting the information in the table shows that non-trigger events exist for both the user equipment with IP address 1.1.1.1 and that with IP address 2.2.2.2. If the preset number in this embodiment is set to 3, the user equipment with IP address 1.1.1.1 has 5 non-trigger events, which is greater than or equal to the preset number, so it is determined to be a scanner. The user equipment with IP address 2.2.2.2 has 2 non-trigger events, fewer than the preset number, so it is judged to be a normal user.
In the above identification process, the WAF may read the information in the table once every preset interval (for example 1 second) and make a decision to try to identify a scanner.
In a real scenario a scanner generally performs multiple scans within a certain time. If the multiple non-trigger events of the same user equipment are far apart in time, for example 3 non-trigger events occurring on day 1, day 2 and day 5 of the same week, the probability that the user equipment is a scanner is relatively low, whereas if the 3 non-trigger events occur within 1 minute it is very likely a scanner.
Therefore, in another embodiment of the present application the strategy for identifying a scanner may also be: determine user equipment whose number of non-trigger events within a first preset time period is greater than or equal to the preset number as a scanner. The duration of the first preset time period is set according to the needs of the actual scenario, for example 30 seconds, 1 minute or 2 minutes. This further improves identification accuracy.
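The decision procedure just described (a non-trigger event per interception event, then a per-user-equipment count, optionally confined to the first preset time period), as an added Python example that is not code from the patent or from Alibaba; the function names, the beacon host and the sliding-window reading of the first preset time period are assumptions, and the embedded log text is constructed to reproduce tables 1 and 2.

```python
"""Buried-point scanner identification following the WAF flow above.

Added example, not code from the patent or from Alibaba. Function names, the
beacon host and parameter names are assumptions; the log text at the bottom
is constructed to reproduce tables 1 and 2.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class InterceptRecord:
    """One row of the WAF's interception log (layout of tables 1 and 2)."""
    time: datetime                   # first time: interception event triggered
    waf_id: int                      # interception event number, one per attack request
    src_ip: str                      # identifies the user equipment
    access_time: Optional[datetime]  # second time: buried point request received


def block_page(waf_id: int, beacon_host: str = "errors.example.invalid") -> str:
    """Static error prompt page carrying the buried point link (step S101).
    A browser rendering it fetches the image and so reports waf_id; a scanner
    that only reads the body never does. The host is a placeholder."""
    return ("<html><body><p>Your request was identified as an attack and has "
            f'been intercepted.</p><img src="https://{beacon_host}/beacon?waf_id='
            f'{waf_id}" width="1" height="1" alt=""></body></html>')


def parse_log(text: str) -> List[InterceptRecord]:
    """Parse 'time waf_id src_ip access_time' rows; '-' in the last column
    means no buried point request was received (second time is null)."""
    hms = lambda s: datetime.strptime(s, "%H:%M:%S")
    records = []
    for line in text.strip().splitlines():
        time, waf_id, src_ip, access = line.split()
        records.append(InterceptRecord(hms(time), int(waf_id), src_ip,
                                       None if access == "-" else hms(access)))
    return records


def is_non_trigger(rec: InterceptRecord, second_period_s: int) -> bool:
    """Non-trigger event: no buried point request, or one arriving later than
    the second preset time period measured from the first time."""
    if rec.access_time is None:
        return True
    return rec.access_time - rec.time > timedelta(seconds=second_period_s)


def non_trigger_events(records, second_period_s) -> Dict[str, List[datetime]]:
    """First times of all non-trigger events, grouped by user equipment (src_ip)."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if is_non_trigger(rec, second_period_s):
            events[rec.src_ip].append(rec.time)
    return {ip: sorted(ts) for ip, ts in events.items()}


def identify_scanners(records, second_period_s=3, preset_number=1,
                      first_period_s: Optional[int] = None) -> Set[str]:
    """src_ips judged to be scanners (step S102). preset_number=1 is the
    'any non-trigger event' strategy, a larger value the counting strategy;
    first_period_s additionally requires the count inside a sliding window of
    that length (an assumed reading of the 'first preset time period')."""
    scanners: Set[str] = set()
    for ip, times in non_trigger_events(records, second_period_s).items():
        if first_period_s is None:
            if len(times) >= preset_number:
                scanners.add(ip)
            continue
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=first_period_s):
                start += 1
            if end - start + 1 >= preset_number:
                scanners.add(ip)
                break
    return scanners


# Constructed logs reproducing tables 1 and 2 ('-' marks an empty access_time).
TABLE_1 = """
12:00:00 1003 1.1.1.1 12:00:05
12:00:01 1004 2.2.2.2 12:00:02
12:00:02 1005 3.3.3.3 -
"""
TABLE_2 = """
12:00:00 1003 1.1.1.1 -
12:00:01 1004 1.1.1.1 -
12:00:02 1005 1.1.1.1 -
12:00:03 1006 2.2.2.2 12:00:10
12:00:05 1007 1.1.1.1 -
12:00:06 1008 2.2.2.2 12:00:07
12:00:10 1008 2.2.2.2 -
"""
```

With a 3-second second preset period, `identify_scanners(parse_log(TABLE_1))` flags 1.1.1.1 and 3.3.3.3 under the single-event strategy, and `identify_scanners(parse_log(TABLE_2), preset_number=3)` flags only 1.1.1.1 under the counting strategy.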
For user equipment determined to be a scanner the WAF may take corresponding measures. For example, in an embodiment of the present application, after determining that the user equipment is a scanner, the WAF may reject access requests from it and block the scanner's probing, which reduces the WAF's performance consumption and improves security.
Based on the same inventive concept, the embodiment of the present application further provides an apparatus for identifying a scanner. The method corresponding to the apparatus is the method of identifying a scanner in the foregoing embodiment, and its principle of solving the problem is similar to that method.
The structure of the apparatus for identifying a scanner provided by this embodiment is shown in FIG. 2. The apparatus can be used to protect a Web server and identify scanners accurately; it may be a WAF, for example. The apparatus comprises an intercepting means 310 and an identifying means 320. The intercepting means 310 is configured to trigger an interception event and send an error prompt page to the user equipment when an attack request from the user equipment is identified, and the identifying means 320 is configured to determine whether the user equipment is a scanner according to whether the user equipment triggers the buried point.
The error prompt page is often a static page, and the function of the error prompt page is to prompt the user equipment that the sent access request is identified as an attack request and intercepted. The error prompt page in the embodiment of the application adds a buried point related to the interception event, and the buried point is characterized by being not triggered by a scanner and being triggered by a normal user. After the embedded point is added in the conventional error prompt page, if a normal user opens the error prompt page containing the embedded point through a browser, the embedded point is triggered.
In an actual scene, since a normal user accesses a web application through a browser, a returned error prompt page is normally opened by the browser, so that a buried point in the error prompt page is triggered. The scanner is a program tool, and does not process the error prompt page, namely, the returned error prompt page cannot be normally opened through the browser, so that a buried point in the error prompt page cannot be triggered.
Because the embedded point has the characteristics, whether the user equipment is a scanner or not can be judged according to different conditions that the user equipment triggers the embedded point after sending the attack request. According to the scheme, the fingerprint characteristics of a specific scanner are not utilized, the universality of an application scene is high, and even if false interception occurs, a normal user can avoid false alarm by triggering a buried point.
Taking the error prompt page provided in this embodiment as an example, the buried point may be a buried point link, for example, https:// errors. After the user equipment receives and opens the error prompt page containing the embedded point link through the browser, the embedded point is triggered, the embedded point request is initiated, and https:// errors. The embedded point request is also in one-to-one correspondence with the attack request triggered and intercepted, that is, if an access log corresponding to the embedded point request is obtained, which embedded point corresponding to the attack request is triggered by the user equipment can be determined. And if the corresponding access log does not exist, the user equipment is indicated not to trigger the corresponding buried point.
For example, in this embodiment, waf _ id 1001 in the fixed point connection refers to an interception event number, which can uniquely determine an interception event triggered by an attack request, and ensure that an access request corresponds to an interception event triggered by an attack request one by one. Therefore, the WAF can acquire the condition that the user equipment triggers the embedded point by acquiring the access log of the embedded point request with access https:// errors. Com may be a server dedicated to receiving an access log requested by a burial point, and after recording the access log, the server may notify the WAF of relevant information in the access log, so that the WAF can acquire a condition that the user equipment triggers the burial point.
Based on the characteristic that a buried point cannot be triggered by a scanner, one specific strategy for identifying a scanner provided by the embodiment of the application may be: the identifying means 320 determines user equipment for which an un-triggered event exists as a scanner, where an un-triggered event means that the user equipment did not trigger the buried point associated with the interception event.
In combination with the way the buried point link triggers the buried point request in this embodiment, the process of determining whether an un-triggered event has occurred may be as follows. First, when the identifying device 320 confirms that the buried point request from the user equipment has been received, it records the second time, i.e. the time at which that request was received. For example, for attack request AR1, the waf_id of the triggered interception event is 1002, and the time at which the interception event was triggered is recorded as the first time. When the WAF triggers the interception event, it generates an error prompt page containing a buried point, and the buried point carries the information waf_id=1002, so the triggered buried point request also carries that information. Thus, if the user equipment triggers the buried point request, the WAF can determine from the access log of that request that the user equipment triggered the buried point corresponding to interception event 1002. In the other case, the WAF never receives a buried point request from the user equipment; the second time then cannot be obtained and its value is null.
Thereafter, the identifying device 320 confirms that an un-triggered event has occurred for the user equipment when the difference between the second time and the first time exceeds the duration of the second preset time period, or when the value of the second time is empty. The second preset time period may start from the first time, and its duration is generally long enough for the user equipment to receive the error prompt page and finish sending the buried point request, so as to ensure the accuracy of the judgement. In an actual scenario, the WAF may decide whether an un-triggered event has occurred at the end of the second preset time period, i.e. determine whether the user equipment triggered the buried point of the interception event.
In the two cases above: if the user equipment initiated a buried point request, the difference between the second time and the first time is calculated and compared with the duration of the second preset time period; if the user equipment did not initiate a buried point request, the second time cannot be acquired and is empty, so the WAF can confirm that no buried point request was received from the user equipment and that an un-triggered event has occurred. For example, the relevant information recorded by the WAF is shown in Table 1.
Here time is the first time, at which the interception event was triggered; waf_id is the interception event number; src_ip is the IP address of the user equipment and is used to identify it; and access_time is the second time, at which the buried point request was received. Assuming the second preset time period in this embodiment is 3 seconds from the first time: for interception event 1003, the difference between the second time and the first time exceeds the duration of the second preset time period, so it is determined that the user equipment with IP address 1.1.1.1 did not trigger the buried point of that interception event, and an un-triggered event corresponding to interception event 1003 has occurred. For interception event 1004, the difference between the second time and the first time does not exceed the duration of the second preset time period, so it is determined that the user equipment with IP address 2.2.2.2 triggered the buried point of that interception event, and no un-triggered event corresponding to interception event 1004 has occurred. For interception event 1005, the second time is empty, so it is considered that no buried point request was received from the user equipment, and it is determined that an un-triggered event corresponding to interception event 1005 has occurred.
The specific strategy for identifying a scanner described above has a possible problem: in a few cases a normal user may also fail to trigger the buried point. For example, a normal user closes the browser before the error prompt page is received, so the buried point in it is never triggered; or the network is interrupted before the user equipment initiates the buried point request; or, because of network delay, the buried point request sent by the user equipment is received only after the second preset time period has elapsed. In such cases the above strategy may misjudge a normal user as a scanner.
Therefore, the embodiment of the present application further provides another policy for identifying a scanner: the identifying means 320 determines user equipment whose number of un-triggered events is greater than or equal to a preset number as a scanner. That is, the policy contains two conditions: first, an un-triggered event exists for a given user equipment; second, un-triggered events of that user equipment have occurred multiple times. Under this scheme a scanner is identified only after the buried point has gone un-triggered several times, and in an actual scenario the probability that a normal user sends multiple attack requests and fails to trigger the buried point each time is low, so the scheme can reduce possible misjudgements and further improve identification accuracy.
Taking the information shown in Table 2 as an example, by counting the entries in the table it can be determined that un-triggered events exist for both the user equipment with IP address 1.1.1.1 and the one with IP address 2.2.2.2. If the preset number is set to 3 in this embodiment, the user equipment with IP address 1.1.1.1 has 5 un-triggered events, which is greater than or equal to the preset number, so it is determined to be a scanner. The user equipment with IP address 2.2.2.2 has 2 un-triggered events, which is less than the preset number, so it is judged to be a normal user.
In the above determination and identification process, the identification device 320 may read the information in the data table once every preset time interval (for example, 1 second) and make a determination in an attempt to identify a scanner.
In an actual scenario, a scanner generally performs multiple scans within a certain time, so if the multiple un-triggered events of the same user equipment occur at long intervals, for example 3 un-triggered events occurring on Monday, Tuesday and Friday of the same week, the possibility that the user equipment is a scanner is relatively low, whereas if the 3 un-triggered events occur within 1 minute, the user equipment is very likely a scanner.
Therefore, in another embodiment of the present application, the policy for identifying a scanner may also be: the identifying device 320 determines user equipment whose number of un-triggered events within a first preset time period is greater than or equal to the preset number as a scanner. The duration of the first preset time period may be set according to the requirements of the actual scenario, for example 30 seconds, 1 minute or 2 minutes. This further improves identification accuracy.
For user equipment determined to be a scanner, the WAF may take corresponding measures. For example, in an embodiment of the present application the intercepting means is further configured to reject access requests from the user equipment after it has been determined to be a scanner, blocking the scanner's probing behaviour so as to reduce the performance consumption of the WAF and improve security.
Fig. 3 shows a schematic flow of a WAF identifying a scanner according to the present application. Here errors.xxx.com is a Web application built by the WAF and used specifically for collecting access logs of buried point requests, and the interception log library records interception events and the related information from the access logs of buried point requests. That information may include fields such as time (the first time, at which the interception event was triggered), waf_id (interception event number), waf_rule (type of blocking rule), host (host name), src_ip (user equipment IP address), uri (requested URL) and access_time (the second time, at which the buried point request was received). The whole detection process comprises the following steps:
In step S401, user equipment (which may be a normal user or a scanner) initiates an access request to a Web server, and the access request carries an attack feature.
In step S402, the WAF providing security protection for the Web server receives the access request and runs it through security rule detection. Because the access request contains an attack feature, it is identified as an attack request, an interception event is triggered, and the related information of the interception event (time, waf_id, waf_rule, host, src_ip, uri and so on) is written into the interception log library. The waf_id is generated internally by the WAF and is guaranteed to be unique.
In step S403, the WAF generates an error prompt page and sends it to the user equipment. This error prompt page differs from a conventional one: it is not merely a static page telling the user that the request was intercepted by the WAF, but also contains a buried point. The buried point can only be triggered by a normal user visiting the page with a browser; a scanner, being a program tool, does not process the error prompt page and does not access the buried point link in it. This difference is what distinguishes a normal user from a scanner.
In the example error prompt page provided by the embodiment of the application, the buried point link https://errors.xxx.com/report?waf_id=1001 is added to the page source code of the error prompt page. The buried point link in each error prompt page contains the waf_id of the corresponding interception event.
In step S404, after receiving the error prompt page, the user equipment displays it in the browser.
In step S405, when the user equipment opens the error prompt page in the browser, the buried point is triggered and a buried point request to the buried point link on errors.xxx.com is initiated. Here errors.xxx.com is a Web application built by the WAF and used specifically for collecting access logs of buried point requests, report is the accessed URI (Uniform Resource Identifier) path, and waf_id is the interception event number; because the waf_id is unique, it can be determined that the buried point request was triggered by the user equipment from the buried point of that interception event.
In step S406, after errors.xxx.com receives the buried point request, it parses the waf_id, finds the data record corresponding to that waf_id in the interception log library, and writes the current time into the record's access_time field. The data records in the interception log library are shown in Fig. 4. Taking two data records as an example: the originator of the interception event with waf_id 1001 is a normal user, and after the buried point request is triggered, its access time is written into the access_time field; the originator of the interception event with waf_id 1002 is probably a scanner, since its corresponding buried point was not triggered and the access_time field is null.
In step S407, the data records in the interception log library may be scanned once per second, filtering out records whose access_time exceeds time by more than 2 seconds or whose access_time is empty. Each filtered record represents an un-triggered event. The filtered records are then counted per IP address, and any src_ip with more than 3 records is the IP address of a scanner. In this way the WAF identifies the scanner. In addition, by adding the scanner's IP address to an interception list, all access requests from that IP can be rejected and the scanner's probing behaviour blocked, reducing the performance consumption of the WAF and improving security.
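The detection flow of steps S401 to S407 and the un-triggered-event policy described earlier, as an added example that is not the patent's own code: an in-memory interception log, the errors.xxx.com report handler, and the per-IP counting policy. The field names, the report URL and the thresholds follow the page; the log store, the `<img>` beacon tag and the sample traffic are constructed for illustration.

```python
# Added example (not the patent's own code): an in-memory model of the WAF
# interception log and the scanner-identification policy described above.
# Field names (time, waf_id, src_ip, access_time), the report URL and the
# thresholds follow the page; the log store and sample traffic are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

BEACON_HOST = "https://errors.xxx.com"  # buried point host named on the page


@dataclass
class InterceptRecord:
    waf_id: int                           # interception event number (unique)
    time: float                           # first time: interception triggered
    src_ip: str                           # address identifying the user equipment
    access_time: Optional[float] = None   # second time: beacon request received


class InterceptLog:
    """Stand-in for the interception log library plus the errors.xxx.com handler."""

    def __init__(self) -> None:
        self.records: Dict[int, InterceptRecord] = {}
        self._next_id = 1001              # waf_id counter, unique per event

    def intercept(self, src_ip: str, now: float) -> str:
        """Called when a request is identified as an attack: record the event and
        return the error prompt page carrying the buried point link (assumed <img>)."""
        waf_id = self._next_id
        self._next_id += 1
        self.records[waf_id] = InterceptRecord(waf_id, now, src_ip)
        link = f"{BEACON_HOST}/report?waf_id={waf_id}"
        return f'<html><body>Request blocked.<img src="{link}"></body></html>'

    def report(self, url: str, now: float) -> bool:
        """Handler for /report?waf_id=N: resolve the waf_id and write the
        current time into access_time, accepting only the first report."""
        query = parse_qs(urlparse(url).query)
        try:
            waf_id = int(query["waf_id"][0])
        except (KeyError, ValueError):
            return False                  # malformed beacon request: ignore it
        rec = self.records.get(waf_id)
        if rec is None or rec.access_time is not None:
            return False                  # unknown event or duplicate report
        rec.access_time = now
        return True


def is_untriggered(rec: InterceptRecord, second_period: float, now: float) -> bool:
    """Un-triggered event: the beacon arrived later than the second preset period
    after the interception, or has not arrived at all once that period is over."""
    if rec.access_time is None:
        return now - rec.time >= second_period
    return rec.access_time - rec.time > second_period


def identify_scanners(log: InterceptLog, now: float, second_period: float = 3.0,
                      first_period: float = 60.0, min_count: int = 3) -> List[str]:
    """Policy from the page: an IP with at least min_count un-triggered events
    whose interceptions fall inside the first preset period is a scanner."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in log.records.values():
        if now - rec.time > first_period:
            continue                      # outside the first preset period
        if is_untriggered(rec, second_period, now):
            counts[rec.src_ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_count)


def simulate() -> List[str]:
    """Constructed traffic: 1.1.1.1 never fetches the beacon, 2.2.2.2 fetches one
    beacon promptly and one late, 3.3.3.3 is an old event outside the window."""
    log = InterceptLog()
    for t in (0.0, 1.0, 2.0):
        log.intercept("1.1.1.1", t)                         # waf_id 1001..1003
    log.intercept("2.2.2.2", 0.0)                           # waf_id 1004
    log.report(f"{BEACON_HOST}/report?waf_id=1004", 0.8)    # prompt beacon
    log.intercept("2.2.2.2", 1.0)                           # waf_id 1005
    log.report(f"{BEACON_HOST}/report?waf_id=1005", 6.0)    # delayed beacon
    log.intercept("3.3.3.3", -200.0)                        # waf_id 1006, stale
    return identify_scanners(log, now=10.0)


if __name__ == "__main__":
    print(simulate())  # ['1.1.1.1']
```

Note that 2.2.2.2 accumulates one un-triggered event from the delayed beacon but stays below the preset number, which is the misjudgement case the multiple-event policy is meant to absorb.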
In summary, in the technical scheme provided by the application, when an attack request from user equipment is identified, an interception event is triggered and an error prompt page is sent to the user equipment; a buried point related to the attack request is added to the error prompt page, and because the buried point cannot be triggered by a scanner but can be triggered by a normal user, whether the user equipment is a scanner can be judged from how the user equipment triggers the buried point after sending the attack request. This scheme does not rely on the fingerprint characteristics of a specific scanner, so it applies broadly, and even if a request is falsely intercepted, a normal user avoids a false alarm by triggering the buried point.
In addition, some of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Program instructions which invoke the methods of the present application may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the present application comprises an apparatus for acquiring a transmission file as shown in fig. 5, the apparatus comprising a memory 610 for storing computer program instructions and a processor 620 for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to execute a method and/or a solution according to the embodiments of the present application.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the above steps or functions. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (11)

1. A method of identifying a scanner, wherein the method comprises:
when an attack request from user equipment is identified, triggering an interception event, and sending an error prompt page to the user equipment, wherein the error prompt page comprises a buried point related to the interception event, and the buried point cannot be triggered by a scanner;
determining the user equipment as a scanner according to the condition that the user equipment triggers the embedded point, wherein the condition that the user equipment triggers the embedded point comprises the occurrence of an un-triggered event, and determining the un-triggered event of the user equipment when the difference value between second time and first time exceeds the duration of a second preset time period or the value of the second time is empty, wherein the first time is the time for triggering an interception event, and the second time is the time for confirming the receipt of the embedded point request of the user equipment.
2. The method of claim 1, wherein determining that the user equipment is a scanner according to the condition that the user equipment triggers the buried point comprises:
and determining user equipment with the number of non-triggering events larger than or equal to a preset number as a scanner, wherein the non-triggering events are the buried points of the interception events which are not triggered by the user equipment.
3. The method of claim 1, wherein determining user equipment with a number of un-triggered events greater than or equal to a preset number as the scanner comprises:
and determining the user equipment with the number of the non-triggering events in the first preset time period being more than or equal to the preset number as the scanner.
4. The method of claim 1, wherein determining that the user equipment is a scanner according to the condition that the user equipment triggers the buried point comprises:
and determining the user equipment with the existence of the non-triggering event as the scanner, wherein the non-triggering event is that the user equipment does not trigger the buried point related to the interception event.
5. The method of any of claims 1-4, wherein after determining that the user device is a scanner, further comprising:
denying the access request from the user device.
6. An apparatus for identifying a scanner, wherein the apparatus comprises:
the system comprises an interception device and an error prompt page, wherein the interception device is used for triggering an interception event and sending the error prompt page to user equipment when an attack request from the user equipment is identified, the error prompt page comprises a buried point related to the interception event, and the buried point cannot be triggered by a scanner;
the identification device is used for determining that the user equipment is a scanner according to the condition that the user equipment triggers the embedded point, wherein the condition that the user equipment triggers the embedded point comprises the occurrence of an un-triggered event, and when the difference value between second time and first time exceeds the duration of a second preset time period or the value of the second time is null, the un-triggered event of the user equipment is determined, the first time is the time for triggering an interception event, and the second time is the time for confirming the receipt of the embedded point request of the user equipment.
7. The apparatus according to claim 6, wherein the identifying means is configured to determine user equipment with a number of un-triggered events greater than or equal to a preset number as the scanner, where an un-triggered event is the user equipment not triggering the buried point related to the interception event.
8. The apparatus according to claim 6, wherein the identifying means is configured to determine user equipment with a number of un-triggered events in the first preset time period greater than or equal to a preset number as the scanner.
9. The apparatus according to claim 6, wherein the identifying means is configured to determine user equipment for which an un-triggered event exists as the scanner, wherein the un-triggered event is that the user equipment has not triggered the buried point related to the interception event.
10. The apparatus according to any of claims 6 to 9, wherein the intercepting means is further configured to deny the access request from the user equipment after determining that the user equipment is a scanner.
11. An apparatus for identifying a scanner, wherein the apparatus comprises:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to: when an attack request from user equipment is identified, triggering an interception event, and sending an error prompt page to the user equipment, wherein the error prompt page comprises a buried point related to the interception event, and the buried point cannot be triggered by a scanner; and determining the user equipment as a scanner according to the condition that the user equipment triggers the embedded point, wherein the condition that the user equipment triggers the embedded point comprises the occurrence of an un-triggered event, and the un-triggered event of the user equipment is determined when the difference value between second time and first time exceeds the duration of a second preset time period or the value of the second time is empty, wherein the first time is the time for triggering an interception event, and the second time is the time for confirming the receipt of the embedded point request of the user equipment.
CN201710010591.4A 2017-01-06 2017-01-06 Method and apparatus for identifying scanner Active CN108282446B (en)
Publications (2)

Publication Number Publication Date
CN108282446A CN108282446A (en) 2018-07-13
CN108282446B true CN108282446B (en) 2021-01-29
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant