CN108471429A - A kind of network attack alarm method and system - Google Patents

Abstract

The invention discloses a kind of network attack alarm method and system, the network attack alarm method includes：Destination host is detected whether by network attack and the attack type of the determining network attack；If the destination host is detected the attack whether network attack succeeds and determine successful network attack by the network attack；If the network attack success, generates the first warning information of the attack of the attack type and the network attack that include the network attack, otherwise generates the second warning information of the attack type for including the network attack.Network attack alarm method provided by the invention and system can screen successful network attack, so as to improve O＆M efficiency, find true loophole.

Description

A kind of network attack alarm method and system

Technical field

The present invention relates to technical field of network security, and in particular to a kind of network attack alarm method and system.

Background technology

Continuous universal with internet with the continuous development of computer technology, network attack form emerges one after another, network Security issues become increasingly urgent, caused by social influence and economic loss it is increasing, Cyberthreat is detected and is proposed with defence New demand and challenge.Exception of network traffic is the pass of one of current main network security threats and network security monitoring Key object.It quickly and accurately finds exception flow of network, malicious code is promptly and accurately captured, is analyzed, is tracked and monitors, it can To provide knowledge support for network safety situation index evaluation and immune decision, to improve the entirety of network security emergency organization Responding ability.

Traditional network attack detecting method, is usually just alerted when detecting network attack, thus will produce big Measure inaccurate warning information, and can not Effective selection go out effective information, the cost of O＆M processing is very high.

Invention content

To be solved by this invention is the high problem of traditional network attack detecting method O＆M processing cost.

The present invention is achieved through the following technical solutions：

A kind of network attack alarm method, including：

Destination host is detected whether by network attack and the attack type of the determining network attack；

If it is whether successful and determining successful to be detected the network attack by the network attack for the destination host The attack of network attack；

If the network attack success, generation includes the attack type of the network attack and attacking for the network attack The first warning information of action is hit, the second warning information of the attack type for including the network attack is otherwise generated.

Optionally, whether the detection destination host is by network attack and the attack type packet of the determining network attack It includes：

Acquire the network data of the destination host；

Feature to be detected is extracted from the network data；

The feature to be detected is imported into the artificial intelligence model pre-established, by the artificial intelligence model to described Feature to be detected is sorted out, and determines whether the destination host is attacked by network attack and the network according to categorization results The attack type hit.

Optionally, described to extract feature to be detected from the network data and include：

Request data is extracted from the network data, wherein the request data is used to initiate to the destination host Request service；

The feature to be detected is extracted from the request data.

Optionally, before the artificial intelligence model for pre-establishing the feature importing to be detected, further include：

Establish the artificial intelligence model.

Optionally, described to establish the artificial intelligence model and include：

Collect model training data；

The feature attacked from the model training extracting data known network, obtains attack signature data；

Classify to the attack signature data, obtains training sample；

Model training is carried out according to the training sample, obtains the artificial intelligence model.

Optionally, the collection model training data include：

The published attack data in internet, the published loophole data in internet, the destination host is collected to have acquired Attack data and the loophole data that have acquired of the destination host in one or more combinations.

Optionally, described to include according to training sample progress model training：

According to the training sample, model training is carried out using NB Algorithm.

Optionally, the detection network attack whether include successfully：

Feature to be compared is extracted from the corresponding network data of the network attack；

The feature to be compared is compared with more than one attack-response rule, wherein the attack-response rule It is formed according to the first response data, first response data is for the response that under fire host asks successful attack；

If the feature to be compared matches with the attack-response rule, the network attack success is judged.

Optionally, extracting feature to be compared in the corresponding network data from the network attack includes：

The second response data is extracted from the network data, wherein second response data is used for the target master Machine response request service；

The feature to be compared is extracted from second response data.

Optionally, extracting feature to be compared in the corresponding network data from the network attack includes：

Request data and the second response data are extracted from the network data, wherein the request data is used for institute It states destination host and initiates request service, second response data is for destination host response request service；

The feature to be compared is extracted from the request data and second response data.

Optionally, it is described the feature to be compared is compared with more than one attack-response rule before, also wrap It includes：

Establish the feature database for including one above attack-response rule.

Optionally, the feature database of the foundation comprising one above attack-response rule includes：

Create database；

It is corresponding from more than one first response data to extract more than one attack-response feature；

Each being determined property of attack-response feature is described, more than one attack-response rule is formed；

By in one above attack-response rule storage to the database, the feature database is obtained.

Optionally, the feature database includes N number of subcharacter library, and N is the integer not less than 2, and described establish includes described one The feature database of a above attack-response rule includes：

Create N number of database；

The corresponding more than two attack-response features of extraction from more than two first response datas；

Each being determined property of attack-response feature is described, more than two attack-response rules are formed；

The attack-response rule for belonging to same attack type in described two above attack-response rules is stored to identical Database in, obtain the subcharacter library.

Optionally, it is described the feature to be compared is compared with more than one attack-response rule including：

By the feature to be compared with and the corresponding subcharacter library of the attack type of the network attack in more than one attack Rule of response is hit to be compared.

Optionally, described to include to the description of each being determined property of attack-response feature：

Each being determined property of attack-response feature is described using regular expression.

Optionally, it is described the feature to be compared is compared with more than one attack-response rule before, also wrap It includes：

Establish the incidence relation between each attack-response rule and attack；

The attack of the successful network attack of determination includes：

It, will be with the feature to be compared according to the incidence relation between each attack-response rule and attack The attack corresponding to attack-response rule matched, is determined as the attack of the successful network attack.

Optionally, after generating first warning information or second warning information, further include：

By one or more combinations in mail, short message, dialog box and instant messaging by first warning information Or second warning information is sent to network management personnel.

Optionally, after generating first warning information or second warning information, further include：

It is that first warning information or second warning information add corresponding attack chain mark according to warning content Label, wherein the attack chain label is used to characterize network attack phase of the attack residing in attacking chain；

Each attack chain label of same attack is counted, the net in each phase of the attack of the attack is obtained Network attacks the attack of total degree, successful network attack number and successful network attack；

According in each phase of the attack of the attack network attack total degree, successful network attack number with And successfully the attack of network attack generates attack route information, wherein the attack route information includes in described The network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack are attacked Hit action.

Optionally, described to be corresponded to for first warning information or second warning information addition according to warning content Attack chain label include：

According to the warning content, determined from the tag library pre-established and first warning information or described the The corresponding attack chain label of two warning information.

Optionally, the attack chain label includes two-stage or more, it is described according to warning content be first warning information Or second warning information adds corresponding attack chain label and includes：

According to the warning content, determined from the tag library pre-established and first warning information or described the The corresponding labels at different levels of two warning information, wherein the label stock contains M attack chain label, the M attack chain label It is divided into two-stage or more, M is the integer more than 4.

Optionally, the attack route information further includes the beginning and ending time of each phase of the attack, and institute is in the basis State the network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack After attack generates attack route information, further include：

The attack route information is shown according to the sequencing of the initial time of each phase of the attack.

Based on same inventive concept, the present invention also provides a kind of network attack warning systems, including：

First detection module, for detecting whether destination host by network attack and determines that the network attack is attacked Type；

Second detection module, for when the destination host is by the network attack, detecting the network attack to be No success and the attack for determining successful network attack；

Warning information generation module, in network attack success, generation to include the attack of the network attack First warning information of the attack of type and the network attack, otherwise generation includes the attack type of the network attack The second warning information.

Optionally, the first detection module includes：

Acquisition module, the network data for acquiring the destination host；

First extraction module, for extracting feature to be detected from the network data；

Import modul, for the feature to be detected to be imported the artificial intelligence model pre-established, by described artificial Whether model of mind sorts out the feature to be detected, determine the destination host by network attack according to categorization results And the attack type of the network attack.

Optionally, first extraction module includes：

First extraction unit, for extracting request data from the network data, wherein the request data be used for The destination host initiates request service；

Second extraction unit, for extracting the feature to be detected from the request data.

Optionally, the network attack warning system further includes：

Model creation module, for it is described by the feature to be detected import the artificial intelligence model pre-established it Before, establish the artificial intelligence model.

Optionally, the model creation module includes：

Collection module, for collecting model training data；

Second extraction module, the feature for being attacked from the model training extracting data known network, is attacked Characteristic；

Sort module obtains training sample for classifying to the attack signature data；

Training module obtains the artificial intelligence model for carrying out model training according to the training sample.

Optionally, the model training data include the published attack data in internet, the published loophole in internet One kind or more in the loophole data that the attack data and the destination host that data, the destination host have acquired have acquired Kind combination.

Optionally, the training module is NB Algorithm module.

Optionally, second detection module includes：

Third extraction module, for extracting feature to be compared from the corresponding network data of the network attack；

Comparing module, for the feature to be compared to be compared with more than one attack-response rule, wherein described Attack-response rule is formed according to the first response data, and first response data asks successful attack under fire host Response；

Determination module, for when the feature to be compared and the attack-response rule match, judging the network Success attack；

Attack determining module, the attack for determining successful network attack.

Optionally, the third extraction module includes：

Third extraction unit, for extracting the second response data from the network data, wherein second number of responses It asks to service according to for the destination host response；

4th extraction unit, for extracting the feature to be compared from second response data.

Optionally, the third extraction module includes：

5th extraction unit, for extracting request data and the second response data from the network data, wherein described Request data is used to initiate request service to the destination host, and second response data is asked for the destination host response Ask service；

6th extraction unit, for extracting the spy to be compared from the request data and second response data Sign.

Optionally, the network attack warning system further includes：

Feature database creation module, for comparing the feature to be compared and more than one attack-response rule described To before, establishing the feature database for including one above attack-response rule.

Optionally, the feature database creation module includes：

Database creation module, for creating database；

4th extraction module extracts more than one attack-response spy for corresponding from more than one first response data Sign；

Rule forms module, for being described to each being determined property of attack-response feature, forms more than one attack and rings Answer rule；

Memory module, for by one above attack-response rule storage to the database, obtaining the spy Levy library.

Optionally, the feature database includes N number of subcharacter library, and N is the integer not less than 2, the feature database creation module Including：

Database creation module, for creating N number of database；

4th extraction module, it is special for corresponding to the more than two attack-responses of extraction from more than two first response datas Sign；

Rule forms module, for being described to each being determined property of attack-response feature, forms more than two attacks and rings Answer rule；

Memory module, for advising the attack-response for belonging to same attack type in described two above attack-response rules Then in storage to identical database, the subcharacter library is obtained.

Optionally, the comparing module be used for by the feature to be compared with and the attack type of the network attack it is corresponding Subcharacter library in more than one attack-response rule be compared.

Optionally, it is that regular expression writes module that the rule, which forms module,.

Optionally, the network attack warning system further includes：

Incidence relation creation module, for carrying out the feature to be compared and more than one attack-response rule described Before comparison, the incidence relation between each attack-response rule and attack is established；

The attack determining module is used for according to each attack-response rule and being associated between attack Relationship, by with the attack corresponding to the attack-response rule of the characteristic matching to be compared, be determined as the successful net The attack of network attack.

Optionally, the network attack warning system further includes：

Sending module, for after generating first warning information or second warning information, by mail, First warning information or second alarm are believed in one or more combinations in short message, dialog box and instant messaging Breath is sent to network management personnel.

Optionally, the network attack warning system further includes：

Label add module is used for after generating first warning information or second warning information, according to Warning content is that first warning information or second warning information add corresponding attack chain label, wherein described Attack chain label is used to characterize network attack phase of the attack residing in attacking chain；

Statistical module, each attack chain label for counting same attack obtain each in the attack The attack of the network attack total degree of a phase of the attack, successful network attack number and successful network attack；

Route information generation module, for always secondary according to the network attack in each phase of the attack of the attack The attack of several, successful network attack number and successful network attack generates attack route information, wherein described to attack It includes network attack total degree, successful network attack number in each phase of the attack of the attack to hit route information And the successfully attack of network attack.

Optionally, the label add module is used to, according to the warning content, determine from the tag library pre-established Attack chain label corresponding with first warning information or second warning information.

Optionally, the attack chain label includes two-stage or more, and the label add module is used for according in the alarm Hold, marks at different levels corresponding with first warning information or second warning information are determined from the tag library pre-established Label, wherein the label stock contains M attack chain label, and the M attack chain label is divided into two-stage or more, and M is big In 4 integer.

Optionally, the attack route information further includes the beginning and ending time of each phase of the attack, the network attack alarm System further includes：

Display module, for the basis be in each phase of the attack of the attack network attack total degree, After the attack of successful network attack number and successful network attack generates attack route information, attacked according to each The sequencing for hitting the initial time in stage shows the attack route information.

Based on same inventive concept, the present invention also provides a kind of computer readable storage mediums, are stored thereon with calculating Machine program, the program realize above-mentioned network attack alarm method when being executed by processor.

Based on same inventive concept, the present invention also provides a kind of computer equipments, including memory, processor and storage On a memory and the computer program that can run on a processor, the processor realize above-mentioned network when executing described program Attack alarm method.

Compared with prior art, the present invention having the following advantages and advantages：

Whether network attack alarm method provided by the invention and system, detect destination host by network attack first, And determine the attack type of the network attack；When detecting the destination host by the network attack, then detect institute State whether network attack succeeds, and determine the attack of successful network attack, to according to the network attack whether at Work(generates the first warning information of the attack of the attack type and the network attack that include the network attack, Huo Zhesheng At the second warning information of the attack type including the network attack.The network attack alarm method that there is provided through the invention and System can screen successful network attack, make network management personnel can not only know the destination host by The network attack of which type, additionally it is possible to which the specific attack for knowing successful network attack carries for network management personnel For effective network attack information true loophole is found so as to improve O＆M efficiency.

Description of the drawings

Attached drawing described herein is used for providing further understanding the embodiment of the present invention, constitutes one of the application Point, do not constitute the restriction to the embodiment of the present invention.In the accompanying drawings：

Fig. 1 is the flow diagram of the network attack alarm method of the embodiment of the present invention；

Fig. 2 be the embodiment of the present invention detection destination host whether by network attack flow diagram；

Fig. 3 is the flow diagram for establishing artificial intelligence model of the embodiment of the present invention；

Fig. 4 is the whether successful flow diagram of detection network attack of the embodiment of the present invention；

Fig. 5 is the flow diagram for establishing feature database of an embodiment of the present invention；

Fig. 6 is the flow diagram for establishing feature database of another embodiment of the invention；

Fig. 7 is the schematic diagram of the attack route information of the embodiment of the present invention；

Fig. 8 is the schematic diagram of the tag library of the embodiment of the present invention.

Specific implementation mode

To make the objectives, technical solutions, and advantages of the present invention clearer, with reference to embodiment and attached drawing, to this Invention is described in further detail, and exemplary embodiment of the invention and its explanation are only used for explaining the present invention, do not make For limitation of the invention.

Embodiment 1

The present embodiment provides a kind of network attack alarm method, Fig. 1 is the flow signal of the network attack alarm method Figure, the network attack alarm method include：

Step S11, whether detection destination host is by network attack and the attack type of the determining network attack；

Step S12, if it is whether successful and true to be detected the network attack by the network attack for the destination host The attack of fixed successful network attack；

Step S13, if network attack success, generation includes the attack type of the network attack and the network Otherwise first warning information of the attack of attack generates the second alarm letter of the attack type for including the network attack Breath.

The destination host can be to provide the server of various services, can also be that by the individual of specific function Computer can also be that other are capable of providing the network equipment of network service.The destination host can be sent out with receiving terminal apparatus The request data for initiating request service to the destination host brought, is counted accordingly according to the request data According to processing to obtain the second response data, i.e., described second response data is serviced for destination host response request, and will Second response data feeds back to the terminal device.The terminal device can with display function and support to interact The various electronic equipments of function, including but not limited to smart mobile phone, tablet computer, personal computer and desktop computer etc.. In this specific application scenarios of detection network attack of the invention, the attacker for initiating network attack is usually that malice is sent greatly Measure the user of request of data.The terminal device that attacker is utilized can be the electronic equipment for having powerful computing function, even It can also be server.

The destination host is detected whether by network attack, traditional network attack detecting method may be used.Consider To traditional network attack detecting method, there are rate of failing to report height, the defects of flexibility difference, described in a kind of detection Destination host whether by network attack specific method.Fig. 2 is whether the detection destination host is flowed by network attack Journey schematic diagram, the detection destination host whether by network attack included：

Step S21 acquires the network data of the destination host；

Step S22 extracts feature to be detected from the network data；

The feature to be detected is imported the artificial intelligence model pre-established, passes through the artificial intelligence mould by step S23 Whether type sorts out the feature to be detected, determine the destination host by network attack and institute according to categorization results State the attack type of network attack.

Specifically, for the acquisition of the network data of the destination host, Network Sniffing mode may be used and obtain, also may be used To be obtained by network port mirror-image fashion.It is to mix that the Network Sniffing mode, which refers to by the Network card setup of the destination host, Pattern captures the network data of the destination host by calling network to cut job contract tool.The network port mirror-image fashion is Refer to and the acquisition port of the destination host is mapped to another port, data is copied in real time, to obtain the target The network data of host.Certainly, the specific implementation for acquiring the network data of the destination host is not limited to above two Mode, the present embodiment are not construed as limiting this.

After collecting the network data, the feature to be detected is extracted from the network data.The network number According to including the request data and second response data, as previously mentioned, the request data is used for the destination host Request service is initiated, is the data for being sent to the destination host by terminal device；Second response data is used for the mesh Host response request service is marked, is the data for being sent to terminal device by the destination host.The extraction of the feature to be detected, Can directly extract the feature of the request data from the network data to obtain the feature to be detected, can also be The request data is first extracted from the network data, then the feature to be detected, this reality are extracted from the request data Example is applied to be not construed as limiting this.The feature to be detected may include request time, IP information, port information, protocol type, give out a contract for a project One or more combinations in frequency, mail address, file name and the addresses target URL.It should be noted that described to be checked It surveys feature can flexibly to be set according to actual conditions, the present embodiment is not restricted this.

According to the difference of the transport protocol used between the destination host and terminal device, such as include but not limited to super Text transfer protocol (HTTP, Hyper Text Transfer Protocol), File Transfer Protocol (FTP, File Transfer Protocol), Simple Mail Transfer protocol (SMTP, Simple Mail Transfer Protocol), it is described The structure of request data also differs.By taking the network request of HTTP types as an example, the request data includes following three parts： Request row, by method (for example, POST), uniform resource identifier (URI, Uniform Resource Identifier) and Three parts of protocol version (for example, HTTP 1.1) are constituted；Request header, for notifying the related terminal device of the destination host The information of request, including but not limited to generate request the identifiable content type list of browser type, terminal device and The host name of request；Request body.After collecting the network data, the solution of each field in HTTP request head is carried out Analysis finds out the field contents for needing to be detected, that is, extracts the feature to be detected.

After obtaining the feature to be detected, the feature to be detected is imported into the artificial intelligence model pre-established, is led to It crosses the artificial intelligence model to sort out the feature to be detected, obtains categorization results.The artificial intelligence model can be with Can also be deep learning disaggregated model for machine learning classification model, such as Naive Bayes Classification Model.If the classification As a result it is the network attack that the feature to be detected is not belonging to any type known attack type, is also not belonging to unknown attack type Network attack, it is determined that the destination host is not affected by network attack；If the categorization results are the feature category to be detected In the network attack of certain known attack type, it is determined that the destination host by this kind of attack type network attack；If The categorization results are the network attack that the feature to be detected belongs to certain unknown attack type, it is determined that the destination host By the network attack of unknown attack type.

The detection provided in this embodiment destination host whether by network attack method, due to the artificial intelligence Model is the disaggregated model using artificial intelligence technology, has the abilities such as self study, self-organizing, adaptive, so can be effectively It was found that novel or mutation network attack, unknown network attack cannot be detected by effectively making up traditional network attack detecting method The shortcomings that, overall network attack detecting ability is improved, rate of failing to report can be reduced, and can be according to described in categorization results determination The attack type of network attack.

Further, before the feature to be detected is imported the artificial intelligence model pre-established, it is also necessary to establish institute State artificial intelligence model.Fig. 3 is the flow diagram for establishing the artificial intelligence model, described to establish the artificial intelligence model Including：

Step S31 collects model training data；

Step S32, the feature attacked from the model training extracting data known network, obtains attack signature data；

Step S33 classifies to the attack signature data, obtains training sample；

Step S34 carries out model training according to the training sample, obtains the artificial intelligence model.

Specifically, the model training data include the published attack data in internet, the published loophole in internet One kind or more in the loophole data that the attack data and the destination host that data, the destination host have acquired have acquired Kind combination.The attack data are the data extracted from existing network attack case, and the loophole data are from existing Loophole case in the data that extract.The attack data and the loophole data can be disclosed in internet, can also It is that the destination host is analyzed and refined according to the assault being subjected in the past.

After obtaining the model training data, the feature attacked from the model training extracting data known network, Obtain attack signature data.Further, the attack signature data of extraction may include request time, IP information, port information, association Discuss one or more combinations in type, frequency of giving out a contract for a project, mail address, file name and the addresses target URL.It needs to illustrate It is that the attack signature data can flexibly be set according to actual conditions, and the present embodiment is not restricted this.It is attacked described in acquisition It hits after characteristic, the attack type attacked according to its belonging network is classified to form training sample, and the network is attacked The attack type hit includes but not limited to SQL injection attack and XSS attack.

Model training is carried out according to the training sample, that is, calculates the network attack of each attack type in the trained sample The frequency of occurrences and each attack signature data in this, which divide, estimates the conditional probability of the network attack of each attack type, And result of calculation is recorded and just obtains the artificial intelligence model.In the present embodiment, the calculation of model training use is carried out Method is NB Algorithm.NB Algorithm is fine to small-scale Data Representation, is suitble to more classification tasks, is suitble to increase Amount formula is trained.It is of course also possible to use other machines learning classification algorithm or deep learning sorting algorithm carry out model training, For example, it is also possible to carry out model training using decision Tree algorithms, the present embodiment is not construed as limiting this.

After detecting the destination host by the network attack, in the present embodiment by the way of rule match Detect whether the network attack succeeds.Fig. 4 is the detection whether successful flow diagram of network attack, the detection institute State network attack whether include successfully：

Step S41 extracts feature to be compared from the corresponding network data of the network attack；

Step S42 the feature to be compared is compared with more than one attack-response rule, wherein the attack Rule of response is formed according to the first response data, and first response data answers successful attack request under fire host It answers；

Step S43, if the feature to be compared matches with the attack-response rule, judge the network attack at Work(.

Specifically, each successful network attack has its uniqueness, this uniqueness mainly to pass through under fire host pair The response of successful attack request embodies.Therefore, the extraction of the feature to be compared is to extract the spy of second response data Sign.It can be that the feature of second response data is directly extracted from the network data to extract the feature to be compared, Can second response data first be extracted from the network data, then waited for described in extraction from second response data Feature is compared, the present embodiment is not construed as limiting this.

Still by taking the response of the network of HTTP types as an example, second response data includes following three parts：Statusline, by Protocol version (for example, HTTP 1.1), conditional code and conditional code describe three parts and form；Head is responded, including but unlimited Used by the title of application program, the version of application program, response body type, response text size and response text Coding；Web response body Web.After collecting the network data, the parsing of each field in http response head is carried out, is found out The field contents being compared are needed, that is, extract the feature to be compared.

Further, to judge whether a network attack succeeds, can also inversely be derived from the angle of attacker, be led to The anti-feature that pushes away query-attack and should have of response contents is crossed, the whether successful accuracy of network attack is identified to improve.Therefore, institute The extraction for stating feature to be compared can also be and be extracted jointly from second response data and the request data.Specifically, The request data and second response data can be extracted from the network data, then from the request data and described The feature to be compared is extracted in second response data.Still it is with the network request of HTTP types and the response of the network of HTTP types Example carries out the parsing of each field in HTTP request head and http response head after collecting the network data, searches Go out to need the field contents being compared, that is, extracts the feature to be compared.

After obtaining the feature to be compared, the feature to be compared and more than one attack-response rule are compared It is right.Still by taking the transport protocol of HTTP types as an example, if the feature to be compared matches with some attack-response rule, judge HTTP request is malicious attack, the network attack success that the destination host is subject to；If the feature to be compared cannot with it is arbitrary One attack-response rule matches, then judges that HTTP request is attacked for invalid network, can directly ignore the HTTP request.

Further, feature database can also be pre-established, the feature database is for storing one above attack-response rule Then.The attack-response rule of the feature library storage is formed according to first response data, and first response data is used In the response that under fire host asks successful attack, i.e., the described attack-response rule is asked according to already existing successful attack The response characteristic of corresponding attack-response is asked to be generated in advance.Fig. 5 is provided in this embodiment a kind of to establish the feature database Flow diagram, it is described to establish the feature database and include：

Step S51 creates database；

Step S52, it is corresponding from more than one first response data to extract more than one attack-response feature；

Step S53 describes each being determined property of attack-response feature, forms more than one attack-response rule；

Step S54 obtains the feature database by one above attack-response rule storage to the database.

Specifically, the database that creates is the memory space for creating blank.First response data is for being attacked The response that host asks successful attack is hit, can have been adopted from the published attack data in internet and/or the destination host It is collected in the attack data of collection.For example, attacker reports an error injection attacks to having sent floor () function by attack host Request, and the injection attacks request that reports an error of the floor () function obtains success, it is described by attack host to the floor () Function report an error injection attacks request response be first response data.For the network attack of same attack type, It can also be divided according to the difference of specific attack.Further include count () function for example, being attacked for SQL injection Report an error injection, rand () function reports an error injection and floor () function reports an error injection etc..For the network of each attack Attack, correspondence can collect first response data, thus can correspond to extraction one from more than one first response data A above attack-response feature, i.e., each first response data, which can correspond to, extracts an attack-response feature.It is attacked with described It is similar to hit characteristic, the attack-response feature may include request time, IP information, port information, protocol type, give out a contract for a project One or more combinations in frequency, mail address, file name and the addresses target URL.It should be noted that the attack Response characteristic also can flexibly be set according to actual conditions, and the present embodiment is not restricted this.

After obtaining the attack-response feature, each being determined property of attack-response feature is described, the certainty Description is described according to default rule.In the present embodiment, traditional regular expression may be used to each attack Being determined property of response characteristic describes, and the complexity such as arithmetic logic, matching logic can also be added in the regular expression and patrol Volume, to improve the accuracy of matching result.After obtaining the attack-response rule, by all attack-response rules storage to institute It states in database, i.e., corresponding data is written in the memory space of the blank, just obtain the feature database.

Further, the feature database can also include N number of subcharacter library, and each subcharacter library, which corresponds to, stores same attack All attack-responses rule of type, wherein N is the integer not less than 2.Based on this, Fig. 6 is another kind provided in this embodiment Establish the flow diagram of the feature database, it is described to establish the feature database and include：

Step S61 creates N number of database；

Step S62, the corresponding more than two attack-response features of extraction from more than two first response datas；

Step S63 describes each being determined property of attack-response feature, forms more than two attack-response rules；

Step S64 deposits the attack-response rule for belonging to same attack type in described two above attack-response rules It stores up in identical database, obtains the subcharacter library.

Specifically, step S61~step S63 can refer to the aforementioned description to step S51~step S53, no longer superfluous herein It states.It is same by belonging to according to the attack type belonging to each attack-response rule after obtaining more than two attack-response rules In the attack-response rule storage to identical database of kind attack type, the subcharacter library is obtained.In the present embodiment, institute State subcharacter library can based on feature database, SQL injection feature database, XSS behavioral characteristics library and tool fingerprint base, wherein institute State foundation characteristic library storage is command characteristics and file characteristic, and the SQL injection feature library storage is that SQL injection is attacked Feature, the XSS behavioral characteristics library storage be XSS dynamic attacks feature, the tool fingerprint library storage is that big horse connects Connect fingerprint and kitchen knife fingerprint.It should be noted that the subcharacter library can flexibly be set according to actual conditions, the present embodiment This is not restricted.

It is described to ring the feature to be compared and more than one attack for the feature database established using flow shown in Fig. 6 It answers rule to be compared to specifically include：By the feature to be compared with and the corresponding subcharacter of the attack type of the network attack More than one attack-response rule in library is compared.If for example, the attack type of the network attack is attacked for SQL injection It hits, then the feature to be compared is compared with more than one attack-response rule in SQL injection feature database；If the net The attack type of network attack is XSS dynamic attacks, then attacks the feature to be compared and more than one in XSS behavioral characteristics library Rule of response is hit to be compared.By setting the feature database to multiple subcharacter libraries, it is possible to reduce with the spy to be compared The attack-response rule quantity being compared is levied, need to only be matched with the attack-response rule in some subcharacter library, The comparison efficiency of the feature to be compared and attack-response rule can thus be improved.

For the network attack of each attack, correspondence obtains an attack-response rule, thus can pass through foundation Incidence relation between each attack-response rule and attack, it is dynamic with attack according to each attack-response rule Incidence relation between work, by with the attack corresponding to the attack-response rule of the characteristic matching to be compared, be determined as The attack of the successful network attack.For example, corresponding with the attack-response rule that the feature to be compared matches Attack is that floor () function reports an error injection, then the attack of successful network attack reports an error note for floor () function Enter.

After detecting the network attack and whether succeeding, so that it may to generate warning information according to testing result.Specifically, If the network attack success, generates the first warning information, first warning information includes the attack of the network attack The attack of type and the network attack；If the network attack is unsuccessful, the second warning information is generated, described second Warning information includes the attack type of the network attack.For example, when the destination host is attacked by SQL injection but is attacked not When success, second warning information is generated, second warning information can be " being attacked by SQL injection "；When the mesh It marks that host is attacked by SQL injection and success attack, specific attack are reported an error injection using floor () function, gives birth to At first warning information, first warning information can be " to be attacked by SQL injection, floor () function reports an error note Enter ".

It further, can also be by described the after generating first warning information or second warning information One warning information or second warning information are sent to network management personnel.For example, can be by way of mail by institute It states the first warning information or second warning information is sent to specified email address, can also be incited somebody to action by way of short message First warning information or second warning information are sent to specified mobile terminal, can also pass through the shape of dialog box Formula directly shows first warning information or second warning information in the destination host, can also pass through Instant Messenger First warning information or second warning information are sent to network management personnel by the mode of letter.Of course, it is possible to adopt First warning information or second warning information are sent to network management personnel with any one of the above mode, First warning information or second warning information are sent to network pipe by the combination that arbitrary several ways may be used Reason personnel.

Successful network attack can be screened, make network management people by network alarm method provided in this embodiment Member can not only know that the destination host is subject to the network attack of which type, additionally it is possible to know successful network attack Specific attack provides effective network attack information for network management personnel, so as to improve O＆M efficiency, finds true Real loophole.

Embodiment 2

What embodiment 1 was taken is the alarm mode that a network attack corresponds to a warning information, that is, detects a net Network is attacked, and correspondence just will produce a warning information.However, isolated warning information cannot accurately reflect the destination host Safe condition, such attack shows and cannot hold attack process on the whole.Therefore, the present embodiment provides another networks to attack Hit alarm method.Compared with the network attack alarm method that embodiment 1 provides, the present embodiment is generating first warning information Or after second warning information, further include：

It is that first warning information or second warning information add corresponding attack chain mark according to warning content Label, wherein the attack chain label is used to characterize network attack phase of the attack residing in attacking chain；

Each attack chain label of same attack is counted, the net in each phase of the attack of the attack is obtained Network attacks the attack of total degree, successful network attack number and successful network attack；

According in each phase of the attack of the attack network attack total degree, successful network attack number with And successfully the attack of network attack generates attack route information, wherein the attack route information includes in described The network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack are attacked Hit action.

According to the phase of the attack difference for the network attack that the destination host is subject to, the warning content of warning information also differs Sample, the i.e. warning content of warning information disclose the corresponding network attack of warning information and want the attack purpose realized, difference is accused The warning information of alert content corresponds to different phase of the attack.Therefore, the corresponding alarm letter of network attack being subjected to according to destination host The warning content of breath can determine phase of the attack.The warning content of first warning information includes the attack of the network attack The warning content of the attack of type and the network attack, second warning information includes the attack of the network attack Type.Specifically, it according to the warning content, is determined and first warning information or institute from the tag library pre-established State the corresponding attack chain label of the second warning information.The label stock contains M attack chain label, each to attack chain label pair A phase of the attack in attack chain should be characterized.The attack chain refers to attacker to destination host from the system for detecting destruction Row circulating treatment procedure is usually made of several different phase of the attack.For example, the attack chain can be by reconnaissance stage, invasion Stage, order control stage, horizontal infiltration stage, data six phase of the attack of stage and trace clean-up phase that leak are constituted, I.e. the value of M is 6.Correspondingly, the M attack chain label is to scout label, invasion label, order abstract factory, horizontal infiltration Label, data leak label and trace cleaning label.Certainly, the division of the attack chain is not limited to such mode, specifically Can flexibly it be arranged according to actual conditions.

As previously mentioned, the warning information of different warning contents corresponds to different phase of the attack, and each attack chain label correspondence A phase of the attack is characterized, thus the alarm of different warning contents can be pre-established according to published assault Incidence relation between information and different attack chain labels.It, can be from the tag library pre-established according to the warning content Determine attack chain label corresponding with first warning information or second warning information.With first warning information Or the attack type of network attack described in second warning information is for PHP code executes attack, for PHP code Attack is executed, the order control stage is in attacking chain, therefore is first warning information or second alarm The attack chain label of information addition is order abstract factory.Further, the attack chain label can be used as described first to alert The attribute of information or second warning information is added.

After adding corresponding attack chain label for all warning information of an attack, attacked by counting all Hit the quantity of identical attack chain label in chain label, you can obtain the network attack in each phase of the attack of the attack Total degree.For example, scouting the quantity of label by statistics, the network attack in the attack reconnaissance stage can be obtained Total degree；It is always secondary can to obtain the network attack in the attack invasion stage for the quantity that label is invaded by statistics Number.By the quantity for counting identical attack chain label in the corresponding attack chain label of all first warning information, you can obtain Obtain the successful network attack number in each phase of the attack of the attack.In conjunction with described in first warning information The attack of network attack, you can obtain the attack of the successful network attack in each phase of the attack of the attack Action.

By taking destination host described in the attack is by 10 network attacks as an example, correspondence produces 4 first announcements Alert information and 6 the second warning information, the corresponding attack chain label of 4 first warning information are respectively：Invasion label enters Invade label, order abstract factory and order abstract factory, the corresponding attack chain label difference of 6 second warning information For：Label is scouted, label is scouted, invasion label, scouts label, invasion label and order abstract factory.By being attacked to 10 Chain label is hit to be counted, it is known that the destination host by reconnaissance stage network attack 3 times, by the network in invasion stage Attack 4 times, by the network attack 3 times in order control stage；By to the corresponding attack chain label of 4 the first warning information into Row statistics, it is known that the destination host by the invasion stage successful network attack 2 times, it is successful by the order control stage Network attack 2 times.

Obtaining network attack total degree, successful network attack number in each phase of the attack of the attack And successfully the attack route information is generated after the attack of network attack.Further, the attack route information The beginning and ending time that can also include each phase of the attack can also attack after route information is attacked in the generation according to each The sequencing for hitting the initial time in stage shows the attack route information.The initial time of each phase of the attack is in this The termination time of the first Network Attack Time of phase of the attack, each phase of the attack is that the end network in the phase of the attack is attacked Hit the time.Or by taking destination host described above is by 10 network attacks as an example, if the beginning and ending time of reconnaissance stage is 2018- 3-15 03：20~2018-3-19 15：12, the beginning and ending time for invading the stage is 2018-3-17 07：38~2018-3-21 05：21, the beginning and ending time in order control stage is 2018-3-20 14：47~2018-3-20 18：21, then according to statistical result The network attack route information of generation can be shown as " 2018-3-15 03：20~2018-3-19 15：12, investigation stage：3 It is secondary；2018-3-17 07：38~2018-3-21 05：21, it invades the stage, 4 times；2018-3-2014：47~2018-3-20 18：21, the order control stage, 4 times ".Certainly, it is described attack route information can also include the destination host IP address and The information such as the duration of entire attack, as shown in fig. 7, the present embodiment is not construed as limiting this.

Further, since each phase of the attack in the attack chain can also be divided into several smaller attack ranks Section, each smaller phase of the attack is also by attack chain tag characterization.Correspondingly, the attack chain label may include two-stage with On, it is described that corresponding attack chain label is added for first warning information or second warning information according to warning content Including：According to the warning content, labels at different levels corresponding with the warning information are determined from the tag library pre-established, In, the label stock contains M attack chain label, and the M attack chain label is divided into two-stage or more, and M is more than 4 Integer.

Fig. 8 is a kind of schematic diagram of tag library provided in this embodiment, and the attack chain label in the tag library is divided into three A grade.Level-one label include scout label, invasion label, order abstract factory, horizontal infiltration label, data leak label with And trace clears up label.It includes port scan label, information leakage label, IP scanning labels to scout the corresponding two level label of label And subdomain name collects label；The corresponding two level label of invasion label includes vulnerability detection label, vulnerability exploit label, refusal clothes Business label, Brute Force label and high-risk operation label；The corresponding two level label of order abstract factory includes the controlled mark of host Label, hack tool upload label, transit server behavior label, carry token label, close antivirus software label and host information Obtain label；Horizontal infiltration label includes Intranet investigation label, Sniffing Attack label, Intranet vulnerability detection label and Intranet leakage Hole utilizes label；The data corresponding two level label of label that leaks includes file download label and dragging library behavior label；Trace is cleared up The corresponding two level label of label includes that back door deletes label, closes attack service labels and removes Log Label.High-risk operation The corresponding three-level label of label includes that database manipulation label and weak passwurd successfully log in label.

Multiple grades are set as by the way that chain label will be attacked, the phase of the attack in attack chain can be more fully described, from And the whole process of attack is showed to network management personnel in more detail.It should be noted that the tag library can be with It is created, can also be created by other hosts by the destination host, the destination host needs to add corresponding attack chain label When directly call the tag library from other hosts.Further, can also be directly first warning information or institute It states the second warning information and adds corresponding attack chain label, without creating the tag library.

After generating the attack route information, one in mail, short message, dialog box and instant messaging can be passed through The attack route information is sent to network management personnel by kind or multiple combinations mode.By for first warning information or Second warning information described in person adds corresponding attack chain label, and the attack is according to attack chain label statistics The attack of the network attack total degree of each phase of the attack, successful network attack number and successful network attack, Attack can be divided according to the attack chain of event again, net can be given with dividing phase of the attack from the angle of big data analysis Network administrative staff show the whole process of attack, avoid attack circuit chaotic.

Embodiment 3

The present embodiment provides a kind of network attack warning system, the network attack warning system includes：First detection mould Block, for whether detecting destination host by network attack and the attack type of the determining network attack；Second detection module, It is whether successful and determine successful network for when the destination host is by the network attack, detecting the network attack The attack of attack；Warning information generation module, in network attack success, generation to include the network attack Attack type and the network attack attack the first warning information, otherwise generate include attacking for the network attack Hit the second warning information of type.

Further, the first detection module includes：Acquisition module, the network data for acquiring the destination host； First extraction module, for extracting feature to be detected from the network data；Import modul is used for the feature to be detected The artificial intelligence model pre-established is imported, the feature to be detected is sorted out by the artificial intelligence model, according to Whether categorization results determine the destination host by network attack and the attack type of the network attack.

Further, first extraction module includes：First extraction unit, for extracting request from the network data Data, wherein the request data is used to initiate request service to the destination host；Second extraction unit is used for from described The feature to be detected is extracted in request data.

Further, the network attack warning system further includes：Model creation module, for it is described will be described to be detected Feature imports before the artificial intelligence model pre-established, establishes the artificial intelligence model.Specifically, the model creation mould Block includes：Collection module, for collecting model training data；Second extraction module, for being carried from the model training data The feature for taking known network to attack obtains attack signature data；Sort module, for dividing the attack signature data Class obtains training sample；Training module obtains the artificial intelligence mould for carrying out model training according to the training sample Type.

Further, second detection module includes：Third extraction module is used for from the corresponding network of the network attack Extracting data feature to be compared；Comparing module, for carrying out the feature to be compared and more than one attack-response rule It compares, wherein the attack-response rule is formed according to the first response data, and first response data is under fire host Response to successful attack request；Determination module, for when the feature to be compared and the attack-response rule match, Judge the network attack success；Attack determining module, the attack for determining successful network attack.

Further, the third extraction module includes：Third extraction unit, for extracting second from the network data Response data, wherein second response data is for destination host response request service；4th extraction unit, is used for The feature to be compared is extracted from second response data.

Further, the third extraction module includes：5th extraction unit, for extracting request from the network data Data and the second response data, wherein the request data is used to initiate request service, second sound to the destination host Data are answered to ask to service for the destination host response；6th extraction unit is used for from the request data and described second The feature to be compared is extracted in response data.

Further, the network attack warning system further includes：Feature database creation module, for waiting comparing by described described Before feature is compared with more than one attack-response rule, the spy for including one above attack-response rule is established Levy library.Specifically, the feature database creation module may include：Database creation module, for creating database；4th extraction Module extracts more than one attack-response feature for corresponding from more than one first response data；Rule forms module, uses It is described in each being determined property of attack-response feature, forms more than one attack-response rule；Memory module is used for institute It states in the storage to the database of more than one attack-response rule, obtains the feature database.

The feature database may include N number of subcharacter library, and N is the integer not less than 2, is based on this, the feature database creates Module can also include：Database creation module, for creating N number of database；4th extraction module, for from more than two the The corresponding more than two attack-response features of extraction in one response data；Rule forms module, for each attack-response feature Being determined property describes, and forms more than two attack-response rules；Memory module, for advising described two above attack-responses Belong in then in the attack-response rule storage to identical database of same attack type, obtains the subcharacter library.

Further, the network attack warning system further includes：Incidence relation creation module, for being waited for described described Before comparison feature is compared with more than one attack-response rule, each attack-response rule and attack are established Between incidence relation；The attack determining module is used for according between each attack-response rule and attack Incidence relation, by with the attack corresponding to the attack-response rule of the characteristic matching to be compared, be determined as it is described at The attack of the network attack of work(.

Further, the network attack warning system further includes：Sending module, for generating first warning information It, will by one or more combinations in mail, short message, dialog box and instant messaging or after second warning information First warning information or second warning information are sent to network management personnel.

The concrete operating principle of the network attack warning system can refer to the description in embodiment 1 to each step, this Details are not described herein for embodiment.

Embodiment 4

The present embodiment provides another network attack warning system, the network attack warning system phase provided with embodiment 3 Than the network attack warning system further includes：Label add module, for generating first warning information or described It is that first warning information or second warning information addition are corresponding according to warning content after second warning information Attack chain label, wherein the attack chain label is used to characterize network attack phase of the attack residing in attacking chain；System Module is counted, each attack chain label for counting same attack obtains and is in each phase of the attack of the attack Network attack total degree, successful network attack number and successful network attack attack；Route information generates Module, for according to network attack total degree, the successful network attack number for being in each phase of the attack of the attack And successfully the attack of network attack generates attack route information, wherein the attack route information includes being in institute State the network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack Attack.

Further, the attack chain label includes two-stage or more, and the label add module is used for according in the alarm Hold, labels at different levels corresponding with the warning information is determined from the tag library pre-established, wherein the label stock contains M attack chain label, the M attack chain label are divided into two-stage or more, and M is the integer more than 4.

Further, the attack route information further includes the beginning and ending time of each phase of the attack, described to be based on artificial intelligence Network attack detection system further include：Display module, the sequencing for the initial time according to each phase of the attack are aobvious Show the attack route information.

The concrete operating principle of the network attack warning system can refer to the description in embodiment 2 to each step, this Details are not described herein for embodiment.

Embodiment 5

The present embodiment provides a kind of computer readable storage mediums, are stored thereon with computer program, the embodiment of the present invention 1 If or any network attack alarm method that embodiment 2 provides is realized in the form of SFU software functional unit and as independent Product is sold or in use, can be stored in a computer read/write memory medium.Based on this understanding, the present invention is real All or part of flow in any network attack alarm method that current embodiment 1 or embodiment 2 provide, can also pass through meter Calculation machine program is completed to instruct relevant hardware.The computer program can be stored in a computer readable storage medium, The computer program is when being executed by processor, it can be achieved that the step of above-mentioned each embodiment of the method.

Wherein, the computer program includes computer program code, and the computer program code can be source code Form, object identification code form, executable file or certain intermediate forms etc..The computer-readable medium may include：It can Carry any entity or device, medium, USB flash disk, mobile hard disk, magnetic disc, CD, the computer storage of the computer program code Device, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), Electric carrier signal, telecommunication signal and software distribution medium etc..It should be noted that the computer-readable medium include it is interior Increase and decrease appropriate can be carried out according to legislation in jurisdiction and the requirement of patent practice by holding, such as in certain jurisdictions of courts Area, according to legislation and patent practice, computer-readable medium does not include electric carrier signal and telecommunication signal.

Above-described specific implementation mode has carried out further the purpose of the present invention, technical solution and advantageous effect It is described in detail, it should be understood that the foregoing is merely the specific implementation mode of the present invention, is not intended to limit the present invention Protection domain, all within the spirits and principles of the present invention, any modification, equivalent substitution, improvement and etc. done should all include Within protection scope of the present invention.

The present invention discloses A 1, a kind of network attack alarm method, including：

Destination host is detected whether by network attack and the attack type of the determining network attack；

If it is whether successful and determining successful to be detected the network attack by the network attack for the destination host The attack of network attack；

If the network attack success, generation includes the attack type of the network attack and attacking for the network attack The first warning information of action is hit, the second warning information of the attack type for including the network attack is otherwise generated.

A2, a kind of network attack alarm method according to A1, whether the detection destination host is by network attack And determine that the attack type of the network attack includes：

Acquire the network data of the destination host；

Feature to be detected is extracted from the network data；

The feature to be detected is imported into the artificial intelligence model pre-established, by the artificial intelligence model to described Feature to be detected is sorted out, and determines whether the destination host is attacked by network attack and the network according to categorization results The attack type hit.

A3, a kind of network attack alarm method according to A2, it is described that spy to be detected is extracted from the network data Sign includes：

Request data is extracted from the network data, wherein the request data is used to initiate to the destination host Request service；

The feature to be detected is extracted from the request data.

A4, a kind of network attack alarm method according to A2 build the feature importing to be detected described in advance Before vertical artificial intelligence model, further include：

Establish the artificial intelligence model.

A5, a kind of network attack alarm method according to A4, it is described to establish the artificial intelligence model and include：

Collect model training data；

The feature attacked from the model training extracting data known network, obtains attack signature data；

Classify to the attack signature data, obtains training sample；

Model training is carried out according to the training sample, obtains the artificial intelligence model.

A6, a kind of network attack alarm method according to A5, the collection model training data include：

The published attack data in internet, the published loophole data in internet, the destination host is collected to have acquired Attack data and the loophole data that have acquired of the destination host in one or more combinations.

A7, a kind of network attack alarm method according to A5, it is described that model training is carried out according to the training sample Including：

According to the training sample, model training is carried out using NB Algorithm.

A8, a kind of network attack alarm method according to A1, the detection network attack whether include successfully：

Feature to be compared is extracted from the corresponding network data of the network attack；

The feature to be compared is compared with more than one attack-response rule, wherein the attack-response rule It is formed according to the first response data, first response data is for the response that under fire host asks successful attack；

If the feature to be compared matches with the attack-response rule, the network attack success is judged.

A9, a kind of network attack alarm method according to A8, it is described from the corresponding network data of the network attack Middle extraction feature to be compared includes：

The second response data is extracted from the network data, wherein second response data is used for the target master Machine response request service；

The feature to be compared is extracted from second response data.

A10, a kind of network attack alarm method according to A8, it is described from the corresponding network data of the network attack Middle extraction feature to be compared includes：

Request data and the second response data are extracted from the network data, wherein the request data is used for institute It states destination host and initiates request service, second response data is for destination host response request service；

The feature to be compared is extracted from the request data and second response data.

A11, a kind of network attack alarm method according to A8, described by the feature to be compared and more than one Before attack-response rule is compared, further include：

Establish the feature database for including one above attack-response rule.

A12, a kind of network attack alarm method according to A11, described establish are rung comprising one above attack Answer rule feature database include：

Create database；

It is corresponding from more than one first response data to extract more than one attack-response feature；

Each being determined property of attack-response feature is described, more than one attack-response rule is formed；

By in one above attack-response rule storage to the database, the feature database is obtained.

A13, a kind of network attack alarm method according to A11, the feature database include N number of subcharacter library, and N is not Integer less than 2, the feature database of the foundation comprising one above attack-response rule include：

Create N number of database；

The corresponding more than two attack-response features of extraction from more than two first response datas；

Each being determined property of attack-response feature is described, more than two attack-response rules are formed；

The attack-response rule for belonging to same attack type in described two above attack-response rules is stored to identical Database in, obtain the subcharacter library.

A14, a kind of network attack alarm method according to A13, it is described by the feature to be compared and more than one Attack-response rule be compared including：

By the feature to be compared with and the corresponding subcharacter library of the attack type of the network attack in more than one attack Rule of response is hit to be compared.

A15, a kind of network attack alarm method according to A12 or A13, it is described that each attack-response feature is carried out Definite description includes：

Each being determined property of attack-response feature is described using regular expression.

A16, a kind of network attack alarm method according to A12 or A13, described by the feature to be compared and one Before a above attack-response rule is compared, further include：

Establish the incidence relation between each attack-response rule and attack；

The attack of the successful network attack of determination includes：

It, will be with the feature to be compared according to the incidence relation between each attack-response rule and attack The attack corresponding to attack-response rule matched, is determined as the attack of the successful network attack.

A17, a kind of network attack alarm method according to A1 are generating first warning information or described the After two warning information, further include：

By one or more combinations in mail, short message, dialog box and instant messaging by first warning information Or second warning information is sent to network management personnel.

A18, a kind of network attack alarm method according to A1 are generating first warning information or described the After two warning information, further include：

It is that first warning information or second warning information add corresponding attack chain mark according to warning content Label, wherein the attack chain label is used to characterize network attack phase of the attack residing in attacking chain；

Each attack chain label of same attack is counted, the net in each phase of the attack of the attack is obtained Network attacks the attack of total degree, successful network attack number and successful network attack；

According in each phase of the attack of the attack network attack total degree, successful network attack number with And successfully the attack of network attack generates attack route information, wherein the attack route information includes in described The network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack are attacked Hit action.

A19, a kind of network attack alarm method according to A18, it is described to be alerted for described first according to warning content Information or second warning information add corresponding attack chain label：

According to the warning content, determined from the tag library pre-established and first warning information or described the The corresponding attack chain label of two warning information.

A20, a kind of network attack alarm method according to A18, the attack chain label includes two-stage or more, described According to warning content be first warning information or the corresponding attack chain label of second warning information addition includes：

According to the warning content, determined from the tag library pre-established and first warning information or described the The corresponding labels at different levels of two warning information, wherein the label stock contains M attack chain label, the M attack chain label It is divided into two-stage or more, M is the integer more than 4.

A21, a kind of network attack alarm method according to A18, the attack route information further includes each attack The beginning and ending time in stage, the basis be in each phase of the attack of the attack network attack total degree, successfully After the attack of network attack number and successful network attack generates attack route information, further include：

The attack route information is shown according to the sequencing of the initial time of each phase of the attack.

The invention also discloses B 22, a kind of network attack warning systems, including：

First detection module, for detecting whether destination host by network attack and determines that the network attack is attacked Type；

Second detection module, for when the destination host is by the network attack, detecting the network attack to be No success and the attack for determining successful network attack；

Warning information generation module, in network attack success, generation to include the attack of the network attack First warning information of the attack of type and the network attack, otherwise generation includes the attack type of the network attack The second warning information.

B23, a kind of network attack warning system according to B22, the first detection module include：

Acquisition module, the network data for acquiring the destination host；

First extraction module, for extracting feature to be detected from the network data；

Import modul, for the feature to be detected to be imported the artificial intelligence model pre-established, by described artificial Whether model of mind sorts out the feature to be detected, determine the destination host by network attack according to categorization results And the attack type of the network attack.

B24, a kind of network attack warning system according to B23, first extraction module include：

First extraction unit, for extracting request data from the network data, wherein the request data be used for The destination host initiates request service；

Second extraction unit, for extracting the feature to be detected from the request data.

B25, a kind of network attack warning system according to B23 further include：

Model creation module, for it is described by the feature to be detected import the artificial intelligence model pre-established it Before, establish the artificial intelligence model.

B26, a kind of network attack warning system according to B25, the model creation module include：

Collection module, for collecting model training data；

Second extraction module, the feature for being attacked from the model training extracting data known network, is attacked Characteristic；

Sort module obtains training sample for classifying to the attack signature data；

Training module obtains the artificial intelligence model for carrying out model training according to the training sample.

B27, a kind of network attack warning system according to B26, the model training data include that internet is public The attack data and the target that the attack data opened, the published loophole data in internet, the destination host have acquired One or more combinations in the loophole data that host has acquired.

B28, a kind of network attack warning system according to B26, the training module are NB Algorithm mould Block.

B29, a kind of network attack warning system according to B22, second detection module include：

Third extraction module, for extracting feature to be compared from the corresponding network data of the network attack；

Comparing module, for the feature to be compared to be compared with more than one attack-response rule, wherein described Attack-response rule is formed according to the first response data, and first response data asks successful attack under fire host Response；

Determination module, for when the feature to be compared and the attack-response rule match, judging the network Success attack；

Attack determining module, the attack for determining successful network attack.

B30, a kind of network attack warning system according to B29, the third extraction module include：

Third extraction unit, for extracting the second response data from the network data, wherein second number of responses It asks to service according to for the destination host response；

4th extraction unit, for extracting the feature to be compared from second response data.

B31, a kind of network attack warning system according to B29, the third extraction module include：

5th extraction unit, for extracting request data and the second response data from the network data, wherein described Request data is used to initiate request service to the destination host, and second response data is asked for the destination host response Ask service；

6th extraction unit, for extracting the spy to be compared from the request data and second response data Sign.

B32, a kind of network attack warning system according to B29 further include：

Feature database creation module, for comparing the feature to be compared and more than one attack-response rule described To before, establishing the feature database for including one above attack-response rule.

B33, a kind of network attack warning system according to B32, the feature database creation module include：

Database creation module, for creating database；

4th extraction module extracts more than one attack-response spy for corresponding from more than one first response data Sign；

Rule forms module, for being described to each being determined property of attack-response feature, forms more than one attack and rings Answer rule；

Memory module, for by one above attack-response rule storage to the database, obtaining the spy Levy library.

B34, a kind of network attack warning system according to B32, the feature database include N number of subcharacter library, and N is not Integer less than 2, the feature database creation module include：

Database creation module, for creating N number of database；

4th extraction module, it is special for corresponding to the more than two attack-responses of extraction from more than two first response datas Sign；

Rule forms module, for being described to each being determined property of attack-response feature, forms more than two attacks and rings Answer rule；

Memory module, for advising the attack-response for belonging to same attack type in described two above attack-response rules Then in storage to identical database, the subcharacter library is obtained.

B35, a kind of network attack warning system according to B34, the comparing module are used for the spy to be compared Sign with and the corresponding subcharacter library of attack type of the network attack in more than one attack-response rule be compared.

B36, a kind of network attack warning system according to B33 or B34, it is regular expressions that the rule, which forms module, Formula writes module.

B37, a kind of network attack warning system according to B33 or B34 further include：

Incidence relation creation module, for carrying out the feature to be compared and more than one attack-response rule described Before comparison, the incidence relation between each attack-response rule and attack is established；

The attack determining module is used for according to each attack-response rule and being associated between attack Relationship, by with the attack corresponding to the attack-response rule of the characteristic matching to be compared, be determined as the successful net The attack of network attack.

B38, a kind of network attack warning system according to B22 further include：

Sending module, for after generating first warning information or second warning information, by mail, First warning information or second alarm are believed in one or more combinations in short message, dialog box and instant messaging Breath is sent to network management personnel.

B39, a kind of network attack warning system according to B22 further include：

Label add module is used for after generating first warning information or second warning information, according to Warning content is that first warning information or second warning information add corresponding attack chain label, wherein described Attack chain label is used to characterize network attack phase of the attack residing in attacking chain；

Statistical module, each attack chain label for counting same attack obtain each in the attack The attack of the network attack total degree of a phase of the attack, successful network attack number and successful network attack；

Route information generation module, for always secondary according to the network attack in each phase of the attack of the attack The attack of several, successful network attack number and successful network attack generates attack route information, wherein described to attack It includes network attack total degree, successful network attack number in each phase of the attack of the attack to hit route information And the successfully attack of network attack.

B40, a kind of network attack warning system according to B39, the label add module are used for according to the announcement Alert content determines and first warning information or second warning information is corresponding attacks from the tag library pre-established Hit chain label.

B41, a kind of network attack warning system according to B39, the attack chain label includes two-stage or more, described Label add module is used for according to the warning content, determined from the tag library pre-established with first warning information or The corresponding labels at different levels of second warning information described in person, wherein the label stock contains M attack chain label, and the M are attacked It hits chain label and is divided into two-stage or more, M is the integer more than 4.

B42, a kind of network attack warning system according to B39, the attack route information further includes each attack The beginning and ending time in stage, further include：

Display module, for the basis be in each phase of the attack of the attack network attack total degree, After the attack of successful network attack number and successful network attack generates attack route information, attacked according to each The sequencing for hitting the initial time in stage shows the attack route information.

The invention also discloses C 43, a kind of computer readable storage mediums, are stored thereon with computer program, feature It is, realizes A1 to a kind of network attack alarm method of A21 any one of them when which is executed by processor.

The invention also discloses D44, a kind of computer equipment, including memory, processor and storage are on a memory simultaneously The computer program that can be run on a processor, which is characterized in that the processor realizes that A1 to A21 appoints when executing described program A kind of network attack alarm method described in one.

Claims (10)

1. a kind of network attack alarm method, which is characterized in that including：

Destination host is detected whether by network attack and the attack type of the determining network attack；

If the destination host is detected whether the network attack succeeds and determine successful network by the network attack The attack of attack；

If the network attack success, the attack for generating the attack type and the network attack that include the network attack are dynamic Otherwise the first warning information made generates the second warning information of the attack type for including the network attack.

2. a kind of network attack alarm method according to claim 1, which is characterized in that whether the detection destination host By network attack and determine that the attack type of the network attack includes：

Acquire the network data of the destination host；

Feature to be detected is extracted from the network data；

The feature to be detected is imported into the artificial intelligence model pre-established, by the artificial intelligence model to described to be checked It surveys feature to be sorted out, determines the destination host whether by network attack and the network attack according to categorization results Attack type.

3. a kind of network attack alarm method according to claim 2, which is characterized in that described from the network data Extracting feature to be detected includes：

Request data is extracted from the network data, wherein the request data is used to initiate to ask to the destination host Service；

The feature to be detected is extracted from the request data.

4. a kind of network attack alarm method according to claim 2, which is characterized in that described by the spy to be detected Sign imports before the artificial intelligence model pre-established, further includes：

Establish the artificial intelligence model.

5. a kind of network attack alarm method according to claim 4, which is characterized in that described to establish the artificial intelligence Model includes：

Collect model training data；

The feature attacked from the model training extracting data known network, obtains attack signature data；

Classify to the attack signature data, obtains training sample；

Model training is carried out according to the training sample, obtains the artificial intelligence model.

6. a kind of network attack alarm method according to claim 5, which is characterized in that the collection model training data Including：

What the published attack data in collection internet, the published loophole data in internet, the destination host had acquired attacks One or more combinations in hitting data and loophole data that the destination host has acquired.

7. a kind of network attack alarm method according to claim 5, which is characterized in that described according to the training sample Carrying out model training includes：

According to the training sample, model training is carried out using NB Algorithm.

8. a kind of network attack warning system, which is characterized in that including：

First detection module, for detecting whether destination host by network attack and determines the attack class of the network attack Type；

Second detection module, for when the destination host is by the network attack, detect the network attack whether at Work(and the attack for determining successful network attack；

Warning information generation module, in network attack success, generation to include the attack type of the network attack With the first warning information of the attack of the network attack, the of the attack type for including the network attack is otherwise generated Two warning information.

9. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is held by processor A kind of network attack alarm method of claim 1 to 7 any one of them is realized when row.

10. a kind of computer equipment, including memory, processor and storage are on a memory and the meter that can run on a processor Calculation machine program, which is characterized in that the processor realizes that claim 1 to 7 any one of them is a kind of when executing described program Network attack alarm method.