CN108400957A - Method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system - Google Patents


Info

Publication number: CN108400957A
Authority: CN (China)
Prior art keywords: vulnerability, client, detection system, request, URL
Legal status: Pending
Application number: CN201710067543.9A
Other languages: Chinese (zh)
Inventors: 杨育斌, 江浩良, 柯宗贵
Current assignee: Blue Shield Information Security Technology Co Ltd (Bluedon Information Security Technologies Co Ltd)
Original assignee: Blue Shield Information Security Technology Co Ltd
Priority date and filing date: 2017-02-07
Publication date: 2018-08-14

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links

Abstract

The invention discloses a method, based on a detection system, for intelligently countering Web vulnerability scanning and achieving self-repair. The invention detects Web vulnerability-scanning behaviour by combining detection based on a vulnerability signature database with detection that does not rely on a signature database, and it uses the attacker's own requests to self-test whether the server has the vulnerability, so that it both protects against and detects vulnerability scanning and can repair vulnerabilities on its own.

Description

Method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system
Technical field
The present invention relates to the field of information security technology, and in particular to a method, based on a detection system, for intelligently countering Web vulnerability scanning and achieving self-repair.
Background art
At present, protection against vulnerability scanning is mostly based on public vulnerability disclosure platforms on the Internet: a vulnerability signature database is compiled from them, and the corresponding protection strategies are generated from those signatures. Another method injects JavaScript code into the client side and decides whether the client is performing Web vulnerability scanning according to whether it issues the HTTP requests driven by that code. These protection methods are all insufficiently comprehensive, and there are ways around the detection: a user can probe the server for vulnerabilities manually with a browser, or use a program that simulates parsing the JavaScript code set by the detection system and sends the corresponding HTTP requests; and if the vulnerability signature database is not updated immediately, the server is in a dangerous state during that time.
Summary of the invention
To overcome the above deficiencies in the prior art, the present invention provides a method, based on a detection system, for intelligently countering Web vulnerability scanning and achieving self-repair. The invention detects Web vulnerability-scanning behaviour by combining detection based on a vulnerability signature database with detection that does not rely on a signature database, and uses the attacker's own requests to self-test whether the server has the vulnerability, thereby achieving protection against and detection of vulnerability scanning together with vulnerability self-repair. The technical solution is as follows:
1. Match the features of the client's request packets against the vulnerability signature database; if there is a match, the resource accessed by the client has a vulnerability.
2. When scheme 1 does not match, the client is examined. First, an anomaly threshold must be set per IP: for example, if within a given time window the number of 404 response status codes generated by a client's requests to the server exceeds the threshold, all requests from that IP pass through the "suspicious IP detection module". In this module, the detection system records the URLs requested by the IP during that period and builds a URL table for it; whenever a URL requested by the suspicious IP is found to be similar to a URL recorded in the table for that period, the counter score is increased by 1. Once the counter reaches the configured threshold, the client is judged to be carrying out a vulnerability-scanning attack.
Once a client is identified as carrying out a vulnerability-scanning attack, its requests are sent to the vulnerability-scanning protection-object processing module. In this module, the URL information requested by the client is first recorded in a database, and a 404 response code is returned to the client in real time, while the browser interface is likewise disguised as the server's 404 page. The reason for the disguise is to keep the attacker, as far as possible, from learning that the server is protected by a detection system, so that the attacker gives up the idea of further attacks as early as possible rather than trying every means to bypass the detection. While returning the disguised 404 response, the module also self-tests internally using the URL information finally collected, checking whether any entry in the saved URL table corresponds to a real vulnerability; if a vulnerability is found, the system automatically extracts its features and saves them into the vulnerability signature database.
The advantageous effects of the technical solution of the present invention are:
The technical solution of the present invention combines a signature-based detection module for network vulnerability scanning with a vulnerability-scanning detection module that does not rely on a signature database, which strengthens protection against vulnerability-scanning attacks and provides protection even against scanning that targets undisclosed vulnerabilities. During protection, the URLs the attacker requests are collected for self-testing; if a vulnerability that is not present in the signature database is found, it is repaired before the attacker can exploit it, achieving self-repair of vulnerabilities.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the technical flow proposed by the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the protection scope of the present invention.
1. Read the client's HTTP request information and use the vulnerability signature database to check whether the resource path in the request has a vulnerability present in the signature database. If so, the detection system concludes that this IP is carrying out a vulnerability-scanning attack, and the IP's requests for a period of time are sent to the vulnerability-scanning protection-object processing module. If not, the request proceeds to the second detection step.
2. Record the response status code that the server generates for each request from the client. If the status code is 404, increase the counter score by 1 and go to the next step; otherwise, end detection.
3. When the counter of 404 responses for an accessing IP reaches the threshold, the IP is marked as suspicious, and for the next period of time the requests it sends to the server are sent to the suspicious IP detection module.
4. In the suspicious IP detection module, the requested URLs are saved in a dedicated table; when a requested URL is found to be similar to a URL written to the table in this period, the counter is increased by 1. When the counter reaches the threshold, the detection system concludes that this IP is carrying out a vulnerability-scanning attack, and the IP's requests for a period of time are sent to the vulnerability-scanning protection-object processing module.
5. In the vulnerability-scanning protection-object processing module, the URLs requested by the client during the period are first saved. At the same time, the response to the client is redirected to a 404 status as a disguise, to keep the attacker from discovering vulnerabilities that exist on the server. The detection system then simulates access to the server using the URLs collected from this IP; if a vulnerability is found, the corresponding vulnerability signature is generated and added to the vulnerability signature database used for detection, achieving self-repair of the vulnerability.
After deploying the corresponding strategies according to Fig. 1, the threshold for marking an IP suspicious in the response-status logging module is set to 10, and the threshold for similar URLs found in the suspicious IP detection module is set to 3. The vulnerability signature database of this embodiment is also updated with the public vulnerability features of the past five years from well-known online vulnerability platforms such as CVE, WooYun (乌云) and Butian (补天).
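The two-stage pipeline of steps 1 to 5 with the embodiment's thresholds (10 for the 404 counter, 3 for similar URLs), as an added example that is not part of the patent. The signature patterns, the URL-similarity rule (which the patent leaves undefined) and the traffic records are constructed assumptions; the self-test of step 5 is represented only by the queue of URLs the protection module would replay.

```python
"""Two-stage Web vulnerability-scan detector following the patent's steps 1-5
(added example): a signature match, then a per-IP 404 counter that promotes the
IP to the suspicious-IP module, where similar URLs are counted."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed, illustrative signature "database"; not the patent's feature library.
SIGNATURE_DB = {"path_traversal": re.compile(r"\.\./")}
THRESHOLD_404, THRESHOLD_SIMILAR = 10, 3   # values from the embodiment

@dataclass
class IPState:
    not_found: int = 0        # steps 2-3: 404 counter
    suspicious: bool = False  # step 3: routed to the suspicious-IP module
    seen_urls: list = field(default_factory=list)   # step 4: per-IP URL table
    similar: int = 0          # step 4: similar-URL counter
    protected: bool = False   # step 5: marked as a protection object
    collected: list = field(default_factory=list)   # step 5: URLs kept for self-test

def similar_urls(a, b):
    """Assumed similarity rule (the patent leaves it undefined): same path with a
    different query string, or sibling resources under the same non-root directory."""
    pa, pb = urlsplit(a).path, urlsplit(b).path
    if pa == pb:
        return a != b
    da, db = pa.rsplit("/", 1)[0], pb.rsplit("/", 1)[0]
    return da == db and da != ""

class ScanDetector:
    def __init__(self, signatures=SIGNATURE_DB, t404=THRESHOLD_404, tsim=THRESHOLD_SIMILAR):
        self.sigs, self.t404, self.tsim = signatures, t404, tsim
        self.ips = defaultdict(IPState)

    def _protect(self, st, url):
        st.protected = True
        st.collected.append(url)   # the protection module replays these internally
        return "protect"

    def handle(self, ip, url, status):
        """Return 'pass', 'suspicious' or 'protect' for one request (step 1, then 2-4)."""
        st = self.ips[ip]
        if st.protected or any(p.search(url) for p in self.sigs.values()):
            return self._protect(st, url)                 # step 1: signature hit
        if st.suspicious:                                 # step 4: similar-URL counting
            if any(similar_urls(url, seen) for seen in st.seen_urls):
                st.similar += 1
            st.seen_urls.append(url)
            return self._protect(st, url) if st.similar >= self.tsim else "suspicious"
        if status == 404:                                 # steps 2-3: 404 counting
            st.not_found += 1
            if st.not_found >= self.t404:
                st.suspicious = True
                st.seen_urls.append(url)
                return "suspicious"
        return "pass"

    def self_test_queue(self, ip):
        """URLs the protection module would replay against its own server (step 5)."""
        return list(self.ips[ip].collected)

# Constructed traffic (ip, url, status): one scanner, one ordinary user, one signature hit.
SCAN_PROBES = ["/wp-login.php", "/xmlrpc.php", "/.env", "/.git/HEAD", "/phpinfo.php",
               "/backup.zip", "/config.bak", "/cgi-bin/test.cgi", "/manager/html",
               "/phpmyadmin/index.php", "/admin/login.php", "/admin/config.php",
               "/admin/backup.php", "/admin/db.php"]
LOG = [("203.0.113.7", p, 404) for p in SCAN_PROBES] + [
    ("198.51.100.5", "/index.html", 200), ("198.51.100.5", "/old-page.html", 404),
    ("198.51.100.5", "/about.html", 200),
    ("192.0.2.9", "/download?file=../../etc/passwd", 200)]

def run_sample():
    """Feed the constructed traffic through the detector; return (detector, verdicts per IP)."""
    det, verdicts = ScanDetector(), defaultdict(list)
    for ip, url, status in LOG:
        verdicts[ip].append(det.handle(ip, url, status))
    return det, dict(verdicts)
```

The ordinary user's single 404 never reaches the threshold, which is the behaviour case 3 below relies on.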
The protected server then exhibits the following behaviour:
1. When a client accesses the server using a vulnerability disclosed on a vulnerability platform, the detection system matches the vulnerability signature immediately and sets the source IP as a vulnerability-protection object. The server's response status is redirected first, while the URLs this IP uses for scanning are collected over a period of time. The detection system then accesses the server by simulating requests with the collected URLs; if a vulnerability exists, its signature is automatically updated into the vulnerability signature database.
2. When the vulnerability used by the attacker is not present in the detection system's vulnerability signature database (because the attacker discovered it independently, it has not been disclosed, or it was published on a vulnerability platform before the detection system updated its own signature database), the attacker is still in the probing phase and does not yet know the real path at which the vulnerability exists. During probing, the attack characteristics of vulnerability scanning are detected by the suspicious IP detection module, the IP is confirmed as carrying out vulnerability scanning, and its requests are likewise sent to the vulnerability-protection-object processing module. The server can therefore self-test using the latest vulnerability the attacker has in hand, discover its own vulnerability before the attacker does, and repair it in time.
3. Normally accessing users may sometimes also receive 404 responses for the resources they request because of server updates; since thresholds are configured in both the response-status logging module and the suspicious IP detection module, the normal access of these users to the server is not affected.
The method provided by the embodiments of the present invention for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system has been described in detail above. Specific examples have been used to explain the principles and embodiments of the present invention; the explanation of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those skilled in the art may, following the idea of the present invention, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (5)

1. A method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system, which detects Web vulnerability-scanning behaviour by combining detection based on a vulnerability signature database with detection that does not rely on a signature database, and uses the attacker's requests to self-test whether the server has the vulnerability. Against the attack means of current attackers and the attack characteristics of vulnerability scanning, the invention detects vulnerability-scanning attacks in the following ways: (1) matching the features of the client's request packets using the vulnerability signature database; (2) examining the client.
2. The method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system according to claim 1, characterised in that the features of the client's request packets are matched using the vulnerability signature database; if they match, the resource accessed by the client is deemed to have a vulnerability.
3. The method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system according to claim 1, characterised in that, if the features of the client's request packets cannot be matched using the vulnerability signature database, the client is examined.
4. The method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system according to claim 1, characterised in that anomaly thresholds must be set for different IPs: for example, if within a given time window the 404 response status codes generated by a client's requests to the server exceed the threshold, all requests from that IP pass through the "suspicious IP detection module"; in this module, the detection system records the URLs requested by the corresponding IP during the period and forms a URL table; when a URL requested by the suspicious IP is found to be similar to a URL recorded in the table for this period, the counter score is increased by 1; once the counter reaches the configured threshold, the client is judged to be carrying out a vulnerability-scanning attack.
5. The method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system according to claim 1, characterised in that, once a client is identified as carrying out a vulnerability-scanning attack, its requests are sent to the vulnerability-scanning protection-object processing module; in the module, the URL information requested by the client is first recorded in the database and a 404 response code is returned to the client in real time, while the browser interface is likewise disguised as the server's 404 page; while returning the disguised 404 response, the module also self-tests internally using the finally collected URL information, checking whether any entry in the saved URL table has a vulnerability; if a vulnerability is found, the system automatically extracts the features of these vulnerabilities and saves them into the vulnerability signature database.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710067543.9A CN108400957A (en) 2017-02-07 2017-02-07 Method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system

Publications (1)

Publication Number Publication Date
CN108400957A true CN108400957A (en) 2018-08-14

Family

ID=63093616

Country Status (1)

Country Link
CN (1) CN108400957A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469045A (en) * 2010-11-05 2012-05-23 中科正阳信息安全技术有限公司 Method for improving concurrency of WEB security gateway
CN104426850A (en) * 2013-08-23 2015-03-18 南京理工大学常熟研究院有限公司 Vulnerability detection method based on plug-in
CN104580230A (en) * 2015-01-15 2015-04-29 广州唯品会信息科技有限公司 Website attack verification method and device
CN106302337A (en) * 2015-05-22 2017-01-04 腾讯科技(深圳)有限公司 Vulnerability detection method and device
CN105227582A (en) * 2015-11-03 2016-01-06 蓝盾信息安全技术股份有限公司 Hacker behaviour discovery and analysis based on linkage of intrusion detection and vulnerability scanning

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109768992A (en) * 2019-03-04 2019-05-17 深信服科技股份有限公司 Webpage malicious scanning processing method and device, terminal device, readable storage medium
CN109768992B (en) * 2019-03-04 2021-09-17 深信服科技股份有限公司 Webpage malicious scanning processing method and device, terminal device and readable storage medium
CN110460571A (en) * 2019-07-05 2019-11-15 深圳壹账通智能科技有限公司 Business system vulnerability processing method and device, computer equipment and storage medium
CN110460571B (en) * 2019-07-05 2022-11-04 深圳壹账通智能科技有限公司 Business system vulnerability processing method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180814