CN108400957A - Method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system - Google Patents
Method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system
- Publication number: CN108400957A (application CN201710067543.9A)
- Authority: CN (China)
- Prior art keywords: loophole (vulnerability), access end, detecting system, request, url
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/101: Access control lists [ACL] (under H04L63/10, network security protocols for controlling access to devices or network resources)
- G06F16/9566: URL specific, e.g. using aliases, detecting broken or misspelled links (under G06F16/955, retrieval from the web using information identifiers such as URLs)
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting malicious traffic by monitoring network traffic)
- H04L63/1433: Vulnerability analysis (under H04L63/14, detecting or protecting against malicious traffic)
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14)
Abstract
The invention discloses a method, based on a detection system, for intelligently countering Web vulnerability scanning and achieving self-repair. Web vulnerability scanning behaviour is discovered by combining detection based on a vulnerability feature database with detection that does not rely on the feature database, and the requests sent by the attacker are replayed against the server itself to test whether the vulnerability actually exists. The server thereby gains both protection against and detection of vulnerability scanning, and can repair its own vulnerabilities.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method, based on a detection system, for intelligently countering Web vulnerability scanning and achieving self-repair.
Background technology
At present, most protection against vulnerability scanning on the Internet is based on public vulnerability disclosure platforms: a feature database of vulnerabilities is compiled from them, and protection policies are generated from those features. Another method injects JavaScript code into the access end, has that code send an HTTP request, and judges whether the access end is a Web vulnerability scanner by whether it sends the request. Neither form of protection is comprehensive enough, because each can be bypassed in certain ways: a user can check manually with a browser whether the server has a vulnerability, or use a program to parse the JavaScript set by the detection system and send the corresponding HTTP request; and if the vulnerability feature database is not updated immediately, the server remains in a dangerous state in the meantime.
Invention content
To overcome the above deficiencies of the prior art, the present invention provides a method, based on a detection system, for intelligently countering Web vulnerability scanning and achieving self-repair. The invention discovers Web vulnerability scanning behaviour by combining detection based on a vulnerability feature database with detection that does not rely on the feature database, and replays the attacker's requests against the server itself to test whether the vulnerability exists, so that the server is both protected against and able to detect vulnerability scanning, and can repair vulnerabilities on its own. The technical solution is as follows:
1. Use the vulnerability feature database to match the features of the request packet sent by the access end. If it matches, the resource accessed by the access end has a vulnerability.
2. If scheme 1 does not match, detect the access end itself. First, an abnormality threshold must be set per IP. If, within a certain time, the number of 404 response status codes generated by an access end's requests to the server exceeds the threshold, all requests from that IP pass through the "suspicious IP detection module". In this module, the detection system records the URLs requested by that IP during the period, forming a corresponding URL table; whenever a URL requested by the suspicious IP is found to be similar to a URL already recorded in the table during this period, the counter score is incremented by 1. Once the counter reaches the set threshold, the access end is considered to be carrying out a vulnerability scanning attack.
Once an access end has been identified as carrying out a vulnerability scanning attack, its requests are sent to the vulnerability scanning protection object processing module. This module first records the URLs requested by the access end in a database and responds to the access end in real time with a redirect whose status code is 404, while the browser view likewise mimics the server's own 404 page. The reason for the disguise is to keep the attacker from learning, as far as possible, that the server is protected by a detection system, so that the attacker gives up further attacks as early as possible rather than trying every means to bypass the detection. While serving the disguised 404 response, the module also takes the finally collected URL information and tests it internally against the server itself, checking whether any URL in the saved URL table has a vulnerability. If a vulnerability is found, the system automatically extracts the features of these vulnerabilities and saves them in the vulnerability feature database.
Advantageous effects of the technical solution of the present invention:
The technical solution combines a feature-database-based detection module for network vulnerability scanning with a vulnerability scanning detection module that does not rely on the feature database. This strengthens protection against vulnerability scanning attacks and provides protection even against scanning based on undisclosed vulnerabilities. During protection, the URLs the attacker requested are collected for self-testing; if a vulnerability not present in the vulnerability feature database is found, it is repaired before the attacker can exploit it, achieving self-repair of the vulnerability.
Description of the drawings
In order to explain the embodiments of the invention or the technical solution of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the technical flow proposed by the present invention.
Specific implementation mode
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the protection scope of the present invention.
1. Read the HTTP request information of the access end and use the vulnerability feature database to match the requested resource path, checking whether it carries a vulnerability present in the database. If so, the detection system considers this IP to be carrying out a vulnerability scanning attack, and the requests of this IP for a period of time are sent to the vulnerability scanning protection object processing module. If not, the request proceeds to the second-step detection.
2. Record the response status code the server generates for each request from the access end. If the status code is 404, the counter score is incremented by 1 and detection proceeds to the next step; otherwise detection ends.
3. When the counter of 404 responses for an access IP reaches the threshold, the IP is marked suspicious, and for the next period of time the requests this IP sends to the server are routed to the suspicious IP detection module.
4. In the suspicious IP detection module, the requested URL is saved in a dedicated table. If the requested URL is found to be similar to a URL written into the table during this period, the counter is incremented by 1. When the counter reaches the threshold, the detection system considers this IP to be carrying out a vulnerability scanning attack, and the requests of this IP for a period of time are sent to the vulnerability scanning protection object processing module.
5. In the vulnerability scanning protection object processing module, the URLs requested and accessed by the access end over a period of time are saved first. At the same time, the access end receives a disguised redirect response with status 404, which prevents the attacker from discovering a vulnerability that exists on the server. The detection system then accesses the server with simulated requests using the URLs collected from this IP; if a vulnerability is found, the corresponding vulnerability feature is generated and added to the vulnerability feature database used for detection, achieving self-repair of the vulnerability.
After deploying the corresponding strategy according to Fig. 1, the threshold for marking an IP suspicious in the response status logging module is set to 10, and the threshold for similar URLs found in the suspicious IP detection module is set to 3. At the same time, the vulnerability feature database of this embodiment is updated with the public vulnerability features of the last five years from well-known online vulnerability platforms such as CVE, WooYun and Butian.
The protected server then behaves as follows in each situation:
1. When the access end accesses the server using a vulnerability disclosed on a vulnerability platform, the detection system matches the vulnerability feature at once and sets the source IP as a vulnerability protection object. The server's response status is redirected first, while the URLs this IP uses for scanning are collected over a period of time. The detection system then accesses the server with simulated requests using the collected URLs; if a vulnerability exists, its feature is automatically updated into the vulnerability feature database.
2. When the vulnerability the attacker uses is not in the detection system's vulnerability feature database (because the attacker discovered it personally, it has not been disclosed, or the attacker updated their own feature set from a vulnerability platform earlier than the detection system did), the attacker is still in the probing phase and does not yet know the true path where the vulnerability lies. During probing, the attack characteristics of vulnerability scanning cause the suspicious IP detection module to confirm that the IP is performing vulnerability scanning, and its requests are likewise sent to the vulnerability protection object processing module. The server can therefore test itself against the newest vulnerability the attacker holds, discover its own vulnerability before the attacker does, and repair it in time.
3. Normal users sometimes also receive 404 for a requested resource because of a server update. Since thresholds are set in both the response status logging module and the suspicious IP detection module, the normal access of these users to the server is not affected.
The method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system provided by the embodiments of the invention has been described in detail above. Specific cases have been used here to explain the principle and embodiments of the invention, and the explanation of the above embodiments is intended only to help in understanding the method and its core idea. Those skilled in the art, following the idea of the invention, will make changes in the specific embodiments and the range of application; in summary, the content of this specification should not be construed as limiting the invention.
Claims (5)
1. A method, based on a detection system, for intelligently countering Web vulnerability scanning and achieving self-repair, which discovers Web vulnerability scanning behaviour by combining detection based on a vulnerability feature database with detection that does not rely on the feature database, and uses the attacker's requests to test whether the server itself has the vulnerability. Against the attack means of current attackers and the attack characteristics of vulnerability scanning, the invention detects vulnerability scanning attacks in the following ways: (1) using the vulnerability feature database to match the features of the request packet sent by the access end; (2) detecting the access end itself.
2. The method according to claim 1, characterised in that the vulnerability feature database is used to match the features of the request packet sent by the access end; if it matches, the resource accessed by the access end is shown to have a vulnerability.
3. The method according to claim 1, characterised in that, when the features of the access end's request packet cannot be matched against the vulnerability feature database, the access end itself is detected.
4. The method according to claim 1, characterised in that an abnormality threshold must be set per IP. If, within a certain time, the number of 404 response status codes generated by an access end's requests to the server exceeds the threshold, all requests from that IP pass through the "suspicious IP detection module". In this module, the detection system records the URLs requested by the corresponding IP during the period, forming a corresponding URL table; whenever a URL requested by the suspicious IP is found to be similar to a URL recorded in the table during this period, the counter score is incremented by 1. Once the counter reaches the set threshold, the access end is considered to be carrying out a vulnerability scanning attack.
5. The method according to claim 1, characterised in that, once an access end has been identified as carrying out a vulnerability scanning attack, its requests are sent to the vulnerability scanning protection object processing module. In this module, the URLs requested by the access end are first recorded in a database, and the access end is answered in real time with a redirect whose status code is 404, while the browser view likewise mimics the server's 404 page. While serving the disguised 404 response, the module also takes the finally collected URL information and tests it internally against the server itself, checking whether any URL in the saved URL table has a vulnerability; if a vulnerability is found, the system automatically extracts the features of these vulnerabilities and saves them in the vulnerability feature database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201710067543.9A (CN108400957A) | 2017-02-07 | 2017-02-07 | Method for intelligently countering Web vulnerability scanning and achieving self-repair based on a detection system
Publications (1)
Publication Number | Publication Date
---|---
CN108400957A | 2018-08-14
Family ID: 63093616 (one family application, CN201710067543.9A, status Pending; country: CN)
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102469045A (en) * | 2010-11-05 | 2012-05-23 | 中科正阳信息安全技术有限公司 | Method for improving concurrency of WEB security gateway |
CN104426850A (en) * | 2013-08-23 | 2015-03-18 | 南京理工大学常熟研究院有限公司 | Vulnerability detection method based on plug-in |
CN104580230A (en) * | 2015-01-15 | 2015-04-29 | 广州唯品会信息科技有限公司 | Website attack verification method and device |
CN105227582A (en) * | 2015-11-03 | 2016-01-06 | 蓝盾信息安全技术股份有限公司 | Hacker's behavior based on intrusion detection and vulnerability scanning interlock finds and analyzes |
CN106302337A (en) * | 2015-05-22 | 2017-01-04 | 腾讯科技(深圳)有限公司 | leak detection method and device |
Application events: 2017-02-07, CN application CN201710067543.9A filed (publication CN108400957A, status Pending)
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109768992A (en) * | 2019-03-04 | 2019-05-17 | 深信服科技股份有限公司 | Webpage malicious scanning processing method and device, terminal device, readable storage medium storing program for executing |
CN109768992B (en) * | 2019-03-04 | 2021-09-17 | 深信服科技股份有限公司 | Webpage malicious scanning processing method and device, terminal device and readable storage medium |
CN110460571A (en) * | 2019-07-05 | 2019-11-15 | 深圳壹账通智能科技有限公司 | Operation system loophole processing method, device, computer equipment and storage medium |
CN110460571B (en) * | 2019-07-05 | 2022-11-04 | 深圳壹账通智能科技有限公司 | Business system vulnerability processing method and device, computer equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11374960B2 (en) | Methods, systems and media for evaluating layered computer security products | |
US10178121B2 (en) | Domain reputation evaluation process and method | |
Fraunholz et al. | Demystifying deception technology: A survey | |
US20210240825A1 (en) | Multi-representational learning models for static analysis of source code | |
Nikiforakis et al. | Privaricator: Deceiving fingerprinters with little white lies | |
CN111490970A (en) | Tracing analysis method for network attack | |
CN105915532B (en) | A kind of recognition methods of host of falling and device | |
Onarlioglu et al. | Insights into User Behavior in Dealing with Internet Attacks. | |
CN107046543A (en) | A kind of threat intelligence analysis system traced to the source towards attack | |
Sharma et al. | A comparative analysis and awareness survey of phishing detection tools | |
CN111786966A (en) | Method and device for browsing webpage | |
Shabut et al. | Cyber attacks, countermeasures, and protection schemes—A state of the art survey | |
CN108369542A (en) | System and method for detecting transverse movement and data leak | |
Ng et al. | Honeypot frameworks and their applications: a new framework | |
CN103986706A (en) | Safety architecture design method for coping with APT attack | |
CN108400957A (en) | A method of the intelligence confrontation Web vulnerability scannings based on detecting system simultaneously realize selfreparing | |
US10462158B2 (en) | URL selection method, URL selection system, URL selection device, and URL selection program | |
Bodeau et al. | Characterizing effects on the cyber adversary: A vocabulary for analysis and assessment | |
CN112583841B (en) | Virtual machine safety protection method and system, electronic equipment and storage medium | |
KR102381277B1 (en) | Method And Apparatus for Providing Security for Defending Cyber Attack | |
CN116566687A (en) | Early warning treatment system and method based on network attack recognition behavior | |
Bodeau et al. | Characterizing effects on the cyber adversary | |
Kara | Don't bite the bait: phishing attack for internet banking (e-banking) | |
Fu et al. | Multi-agents artificial immune system (maais) inspired by danger theory for anomaly detection | |
Panimalar et al. | A review on taxonomy of botnet detection |
Legal Events
Date | Code | Title
---|---|---
2018-08-14 | PB01 | Publication
| SE01 | Entry into force of request for substantive examination
| WD01 | Invention patent application deemed withdrawn after publication
Application publication date: 20180814