A network attack alarm method and system
Technical field
The present invention relates to the technical field of network security, and in particular to a network attack alarm method and system.
Background technology
With the continuous development of computer technology and the continuous spread of the Internet, new forms of network attack emerge one after another, network security problems become increasingly serious, and the social impact and economic loss they cause keep growing. This raises new demands and challenges for the detection of, and defence against, cyber threats. Abnormal network traffic is one of the main network security threats today and a key object of network security monitoring. Finding abnormal network traffic quickly and accurately, and promptly capturing, analysing, tracking and monitoring malicious code, provides knowledge support for network security situation assessment and response decisions and improves the overall response capability of a network security emergency organisation.
Traditional network attack detection methods usually raise an alarm as soon as a network attack is detected. They therefore produce a large amount of imprecise warning information from which the useful information cannot be effectively filtered out, so the cost of operation and maintenance (O&M) processing is very high.
Invention content
The problem to be solved by the present invention is the high O&M processing cost of traditional network attack detection methods.
The present invention is achieved through the following technical solutions:
A network attack alarm method, including:
detecting whether a destination host is subjected to a network attack, and determining the attack type of the network attack;
if the destination host is subjected to the network attack, detecting whether the network attack succeeded, and determining the attack action of the successful network attack;
if the network attack succeeded, generating first warning information that includes the attack type of the network attack and the attack action of the network attack; otherwise, generating second warning information that includes the attack type of the network attack.
Optionally, detecting whether the destination host is subjected to a network attack and determining the attack type of the network attack includes:
collecting the network data of the destination host;
extracting a feature to be detected from the network data;
importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by the artificial intelligence model, and determining, according to the classification result, whether the destination host is subjected to a network attack and the attack type of the network attack.
Optionally, extracting the feature to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used to initiate a service request to the destination host;
extracting the feature to be detected from the request data.
Optionally, before importing the feature to be detected into the pre-established artificial intelligence model, the method further includes:
establishing the artificial intelligence model.
Optionally, establishing the artificial intelligence model includes:
collecting model training data;
extracting features of known network attacks from the model training data to obtain attack feature data;
classifying the attack feature data to obtain training samples;
performing model training according to the training samples to obtain the artificial intelligence model.
Optionally, collecting the model training data includes:
collecting one or more of attack data published on the Internet, vulnerability data published on the Internet, attack data already collected by the destination host, and vulnerability data already collected by the destination host.
Optionally, performing model training according to the training samples includes:
performing model training with a naive Bayes algorithm according to the training samples.
Optionally, detecting whether the network attack succeeded includes:
extracting a feature to be compared from the network data corresponding to the network attack;
comparing the feature to be compared with one or more attack-response rules, wherein each attack-response rule is formed from first response data, and the first response data is the response of an attacked host to a successful attack request;
if the feature to be compared matches an attack-response rule, judging that the network attack succeeded.
Optionally, extracting the feature to be compared from the network data corresponding to the network attack includes:
extracting second response data from the network data, wherein the second response data is used by the destination host to respond to the service request;
extracting the feature to be compared from the second response data.
Optionally, extracting the feature to be compared from the network data corresponding to the network attack includes:
extracting request data and second response data from the network data, wherein the request data is used to initiate a service request to the destination host and the second response data is used by the destination host to respond to the service request;
extracting the feature to be compared from the request data and the second response data.
Optionally, before comparing the feature to be compared with the one or more attack-response rules, the method further includes:
establishing a feature database that includes the one or more attack-response rules.
Optionally, establishing the feature database that includes the one or more attack-response rules includes:
creating a database;
extracting one or more attack-response features, each from a corresponding one of one or more items of first response data;
giving each attack-response feature a deterministic description to form the one or more attack-response rules;
storing the one or more attack-response rules in the database to obtain the feature database.
Optionally, the feature database includes N sub-feature databases, N being an integer not less than 2, and establishing the feature database that includes the one or more attack-response rules includes:
creating N databases;
extracting two or more attack-response features, each from a corresponding one of two or more items of first response data;
giving each attack-response feature a deterministic description to form two or more attack-response rules;
storing those of the two or more attack-response rules that belong to the same attack type in the same database to obtain the sub-feature databases.
Optionally, comparing the feature to be compared with the one or more attack-response rules includes:
comparing the feature to be compared with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
Optionally, giving each attack-response feature a deterministic description includes:
describing each attack-response feature with a regular expression.
Optionally, before comparing the feature to be compared with the one or more attack-response rules, the method further includes:
establishing an association between each attack-response rule and an attack action;
and determining the attack action of the successful network attack includes:
determining, according to the association between each attack-response rule and an attack action, the attack action associated with the attack-response rule that matches the feature to be compared as the attack action of the successful network attack.
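The following is an added example illustrating the success detection described above, not code from the patent: attack-response rules written as regular expressions, grouped into one sub-feature database per attack type, each associated with an attack action, and used to turn a response into first or second warning information. The rule patterns, attack action names and sample responses are constructed for the example and are not taken from the patent.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackResponseRule:
    """One attack-response rule: a deterministic (regex) description of the response an
    attacked host returns to a successful attack request, plus the associated action."""
    attack_type: str      # sub-feature database the rule belongs to
    pattern: str          # regular expression over the response feature
    attack_action: str    # attack action associated with the rule


# Constructed rules (assumption: these patterns are illustrative, not the patent's).
RULES = [
    AttackResponseRule("sql_injection", r"You have an error in your SQL syntax",
                       "database error disclosure"),
    AttackResponseRule("sql_injection", r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}",
                       "password hash disclosure"),
    AttackResponseRule("xss", r"<script>[^<]*alert\(",
                       "script reflected to client unescaped"),
    AttackResponseRule("file_inclusion", r"root:x:0:0:",
                       "local file read"),
]


def build_feature_database(rules):
    """Create the feature database: rules of the same attack type share one sub-database."""
    db = {}
    for rule in rules:
        db.setdefault(rule.attack_type, []).append((re.compile(rule.pattern), rule))
    return db


def extract_feature_to_compare(response_data):
    """Feature to be compared, taken from the second response data: status line and body.
    Headers are deliberately dropped so header values cannot trigger body rules."""
    head, _, body = response_data.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    return status_line + "\n" + body


def detect_attack_success(feature_db, attack_type, response_data):
    """Compare the feature only against the sub-database of the detected attack type.
    Returns (succeeded, attack_action); the action comes from the rule association."""
    feature = extract_feature_to_compare(response_data)
    for regex, rule in feature_db.get(attack_type, []):
        if regex.search(feature):
            return True, rule.attack_action
    return False, None


def generate_warning(feature_db, attack_type, response_data):
    """First warning information on success (type + action), second otherwise (type)."""
    succeeded, action = detect_attack_success(feature_db, attack_type, response_data)
    if succeeded:
        return {"level": "first", "attack_type": attack_type, "attack_action": action}
    return {"level": "second", "attack_type": attack_type}


FEATURE_DB = build_feature_database(RULES)

# Constructed responses standing in for captured second response data.
SQL_ERROR_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                      "<html>You have an error in your SQL syntax; check the manual</html>")
NORMAL_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Welcome back</html>"
PASSWD_RESPONSE = "HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n"
```

Because the feature is compared only with the sub-database of the attack type determined in the first detection step, a response that would match a rule of a different type (for example the passwd content above after an attack classified as XSS) yields second, not first, warning information; the combined request-plus-response variant of the method can tighten this further by requiring the matched fragment to originate from the attacker's request.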
Optionally, after generating the first warning information or the second warning information, the method further includes:
sending the first warning information or the second warning information to network management personnel by one or more of e-mail, SMS, dialog box and instant messaging.
Optionally, after generating the first warning information or the second warning information, the method further includes:
adding a corresponding attack chain label to the first warning information or the second warning information according to the warning content, wherein the attack chain label characterises the attack stage in the attack chain at which the network attack is located;
counting each attack chain label of the same attack to obtain, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, wherein the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack.
Optionally, adding the corresponding attack chain label to the first warning information or the second warning information according to the warning content includes:
determining, from a pre-established tag library and according to the warning content, the attack chain label corresponding to the first warning information or the second warning information.
Optionally, the attack chain label has two or more levels, and adding the corresponding attack chain label to the first warning information or the second warning information according to the warning content includes:
determining, from a pre-established tag library and according to the warning content, the label at each level corresponding to the first warning information or the second warning information, wherein the tag library contains M attack chain labels divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further includes the start and end time of each attack stage, and after generating the attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, the method further includes:
displaying the attack route information in the order of the start time of each attack stage.
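The following is an added example of the labelling and statistics steps above, not code from the patent: a two-level tag library is consulted according to the warning content, the labels of one attack are counted per attack stage, and the attack route is ordered by the start time of each stage. The tag library entries, the rule that warnings from the same source IP belong to the same attack, and the sample warnings are all assumptions constructed for the example.

```python
from datetime import datetime

# Constructed two-level tag library (M = 6 labels, two levels): the level-1 label is the
# attack stage in the attack chain, the level-2 label the technique.  Entries are keyed
# by a keyword looked up in the warning content.
TAG_LIBRARY = {
    "port scan":      ("reconnaissance", "port scan"),
    "sql_injection":  ("initial access", "sql injection"),
    "xss":            ("initial access", "cross-site scripting"),
    "file_inclusion": ("initial access", "file inclusion"),
    "webshell":       ("persistence", "webshell upload"),
    "credential":     ("credential access", "credential dump"),
}

# Constructed first/second warning information.  A "first" warning carries the attack
# action of a successful attack; a "second" warning carries only the attack type.
SAMPLE_WARNINGS = [
    {"time": "2023-05-01T08:00:00", "src_ip": "10.0.0.5", "level": "second", "attack_type": "port scan"},
    {"time": "2023-05-01T08:05:00", "src_ip": "10.0.0.5", "level": "second", "attack_type": "sql_injection"},
    {"time": "2023-05-01T08:06:00", "src_ip": "10.0.0.5", "level": "first", "attack_type": "sql_injection",
     "attack_action": "database error disclosure"},
    {"time": "2023-05-01T08:07:00", "src_ip": "10.0.0.5", "level": "second", "attack_type": "xss"},
    {"time": "2023-05-01T08:30:00", "src_ip": "10.0.0.5", "level": "first", "attack_type": "webshell",
     "attack_action": "webshell written to web root"},
    {"time": "2023-05-01T09:00:00", "src_ip": "192.0.2.9", "level": "second", "attack_type": "xss"},
]


def add_attack_chain_labels(warning):
    """Determine the label at each level from the warning content by keyword lookup in
    the tag library; unmatched warnings are kept but marked unclassified."""
    content = " ".join(str(v) for v in warning.values()).lower()
    stage, technique = "unclassified", "unclassified"
    for keyword, (level1, level2) in TAG_LIBRARY.items():
        if keyword in content:
            stage, technique = level1, level2
            break
    return dict(warning, stage=stage, technique=technique)


def build_attack_routes(warnings):
    """Group warnings into attacks (assumption: one source IP = one attack), count the
    labels per stage, and order each attack's stages by start time.
    Returns {src_ip: [stage summary, ...]} with totals, successes, actions, start, end."""
    routes = {}
    for w in map(add_attack_chain_labels, warnings):
        stages = routes.setdefault(w["src_ip"], {})
        t = datetime.fromisoformat(w["time"])
        s = stages.setdefault(w["stage"], {"stage": w["stage"], "technique": w["technique"],
                                           "total": 0, "successful": 0, "actions": [],
                                           "start": t, "end": t})
        s["total"] += 1
        if w["level"] == "first":
            s["successful"] += 1
            s["actions"].append(w["attack_action"])
        s["start"], s["end"] = min(s["start"], t), max(s["end"], t)
    return {ip: sorted(st.values(), key=lambda s: s["start"]) for ip, st in routes.items()}
```

The route for 10.0.0.5 comes out as reconnaissance, then initial access (three attempts, one successful, with its action recorded), then persistence, which is the display order the method prescribes; the unrelated source 192.0.2.9 forms its own route.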
Based on the same inventive concept, the present invention also provides a network attack warning system, including:
a first detection module, configured to detect whether a destination host is subjected to a network attack and to determine the attack type of the network attack;
a second detection module, configured to detect, when the destination host is subjected to the network attack, whether the network attack succeeded, and to determine the attack action of the successful network attack;
a warning information generation module, configured to generate, when the network attack succeeded, first warning information that includes the attack type of the network attack and the attack action of the network attack, and otherwise to generate second warning information that includes the attack type of the network attack.
Optionally, the first detection module includes:
a collection module, configured to collect the network data of the destination host;
a first extraction module, configured to extract a feature to be detected from the network data;
an import module, configured to import the feature to be detected into a pre-established artificial intelligence model, classify the feature to be detected by the artificial intelligence model, and determine, according to the classification result, whether the destination host is subjected to a network attack and the attack type of the network attack.
Optionally, the first extraction module includes:
a first extraction unit, configured to extract request data from the network data, wherein the request data is used to initiate a service request to the destination host;
a second extraction unit, configured to extract the feature to be detected from the request data.
Optionally, the network attack warning system further includes:
a model creation module, configured to establish the artificial intelligence model before the feature to be detected is imported into the pre-established artificial intelligence model.
Optionally, the model creation module includes:
a collection module, configured to collect model training data;
a second extraction module, configured to extract features of known network attacks from the model training data to obtain attack feature data;
a classification module, configured to classify the attack feature data to obtain training samples;
a training module, configured to perform model training according to the training samples to obtain the artificial intelligence model.
Optionally, the model training data include one or more of attack data published on the Internet, vulnerability data published on the Internet, attack data already collected by the destination host, and vulnerability data already collected by the destination host.
Optionally, the training module is a naive Bayes algorithm module.
Optionally, the second detection module includes:
a third extraction module, configured to extract a feature to be compared from the network data corresponding to the network attack;
a comparison module, configured to compare the feature to be compared with one or more attack-response rules, wherein each attack-response rule is formed from first response data, and the first response data is the response of an attacked host to a successful attack request;
a determination module, configured to judge that the network attack succeeded when the feature to be compared matches an attack-response rule;
an attack action determination module, configured to determine the attack action of the successful network attack.
Optionally, the third extraction module includes:
a third extraction unit, configured to extract second response data from the network data, wherein the second response data is used by the destination host to respond to the service request;
a fourth extraction unit, configured to extract the feature to be compared from the second response data.
Optionally, the third extraction module includes:
a fifth extraction unit, configured to extract request data and second response data from the network data, wherein the request data is used to initiate a service request to the destination host and the second response data is used by the destination host to respond to the service request;
a sixth extraction unit, configured to extract the feature to be compared from the request data and the second response data.
Optionally, the network attack warning system further includes:
a feature database creation module, configured to establish, before the feature to be compared is compared with the one or more attack-response rules, a feature database that includes the one or more attack-response rules.
Optionally, the feature database creation module includes:
a database creation module, configured to create a database;
a fourth extraction module, configured to extract one or more attack-response features, each from a corresponding one of one or more items of first response data;
a rule formation module, configured to give each attack-response feature a deterministic description to form the one or more attack-response rules;
a storage module, configured to store the one or more attack-response rules in the database to obtain the feature database.
Optionally, the feature database includes N sub-feature databases, N being an integer not less than 2, and the feature database creation module includes:
a database creation module, configured to create N databases;
a fourth extraction module, configured to extract two or more attack-response features, each from a corresponding one of two or more items of first response data;
a rule formation module, configured to give each attack-response feature a deterministic description to form two or more attack-response rules;
a storage module, configured to store those of the two or more attack-response rules that belong to the same attack type in the same database to obtain the sub-feature databases.
Optionally, the comparison module is configured to compare the feature to be compared with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
Optionally, the rule formation module is a regular expression writing module.
Optionally, the network attack warning system further includes:
an association creation module, configured to establish, before the feature to be compared is compared with the one or more attack-response rules, an association between each attack-response rule and an attack action;
and the attack action determination module is configured to determine, according to the association between each attack-response rule and an attack action, the attack action associated with the attack-response rule that matches the feature to be compared as the attack action of the successful network attack.
Optionally, the network attack warning system further includes:
a sending module, configured to send, after the first warning information or the second warning information is generated, the first warning information or the second warning information to network management personnel by one or more of e-mail, SMS, dialog box and instant messaging.
Optionally, the network attack warning system further includes:
a label adding module, configured to add, after the first warning information or the second warning information is generated, a corresponding attack chain label to the first warning information or the second warning information according to the warning content, wherein the attack chain label characterises the attack stage in the attack chain at which the network attack is located;
a statistics module, configured to count each attack chain label of the same attack to obtain, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
a route information generation module, configured to generate attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, wherein the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack.
Optionally, the label adding module is configured to determine, from a pre-established tag library and according to the warning content, the attack chain label corresponding to the first warning information or the second warning information.
Optionally, the attack chain label has two or more levels, and the label adding module is configured to determine, from a pre-established tag library and according to the warning content, the label at each level corresponding to the first warning information or the second warning information, wherein the tag library contains M attack chain labels divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further includes the start and end time of each attack stage, and the network attack warning system further includes:
a display module, configured to display, after the attack route information is generated according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, the attack route information in the order of the start time of each attack stage.
Based on the same inventive concept, the present invention also provides a computer-readable storage medium on which a computer program is stored, and the program, when executed by a processor, implements the above network attack alarm method.
Based on the same inventive concept, the present invention also provides a computer device including a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the above network attack alarm method.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
The network attack alarm method and system provided by the present invention first detect whether a destination host is subjected to a network attack and determine the attack type of the network attack; when the destination host is detected to be subjected to the network attack, they then detect whether the network attack succeeded and determine the attack action of the successful network attack, so that, according to whether the network attack succeeded, either first warning information including the attack type and the attack action of the network attack or second warning information including only the attack type of the network attack is generated. The network attack alarm method and system provided by the present invention can thus screen out the successful network attacks, so that network management personnel learn not only which type of network attack the destination host was subjected to but also the specific attack action of the successful network attack. This provides network management personnel with effective network attack information from which real vulnerabilities can be found, and thereby improves O&M efficiency.
Description of the drawings
The drawings described herein are provided for a further understanding of the embodiments of the present invention and constitute a part of this application; they do not limit the embodiments of the present invention. In the drawings:
Fig. 1 is a flow diagram of the network attack alarm method of an embodiment of the present invention;
Fig. 2 is a flow diagram of detecting whether a destination host is subjected to a network attack in an embodiment of the present invention;
Fig. 3 is a flow diagram of establishing the artificial intelligence model in an embodiment of the present invention;
Fig. 4 is a flow diagram of detecting whether a network attack succeeded in an embodiment of the present invention;
Fig. 5 is a flow diagram of establishing the feature database in one embodiment of the present invention;
Fig. 6 is a flow diagram of establishing the feature database in another embodiment of the present invention;
Fig. 7 is a schematic diagram of the attack route information of an embodiment of the present invention;
Fig. 8 is a schematic diagram of the tag library of an embodiment of the present invention.
Specific implementation mode
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to embodiments and drawings. The exemplary embodiments of the present invention and their explanations are only used to explain the present invention and do not limit it.
Embodiment 1
This embodiment provides a network attack alarm method. Fig. 1 is a flow diagram of the network attack alarm method, which includes:
Step S11, detecting whether a destination host is subjected to a network attack and determining the attack type of the network attack;
Step S12, if the destination host is subjected to the network attack, detecting whether the network attack succeeded and determining the attack action of the successful network attack;
Step S13, if the network attack succeeded, generating first warning information that includes the attack type of the network attack and the attack action of the network attack; otherwise, generating second warning information that includes the attack type of the network attack.
The destination host may be a server that provides various services, a personal computer that implements a specific function, or any other network device capable of providing a network service. The destination host receives request data sent by a terminal device to initiate a service request to the destination host, performs the corresponding data processing according to the request data to obtain second response data (that is, the second response data is used by the destination host to respond to the service request), and returns the second response data to the terminal device. The terminal device may be any electronic device with display and interaction capability, including but not limited to a smartphone, a tablet computer, a personal computer and a desktop computer. In the specific application scenario of the present invention, the detection of network attacks, the attacker who initiates a network attack is usually a user who maliciously sends a large volume of request data. The terminal device used by the attacker may be an electronic device with powerful computing capability, or even a server.
Whether the destination host is subjected to a network attack may be detected with a traditional network attack detection method. Considering that traditional network attack detection methods suffer from a high false negative rate and poor flexibility, this embodiment provides a specific method of detecting whether the destination host is subjected to a network attack. Fig. 2 is a flow diagram of detecting whether the destination host is subjected to a network attack, which includes:
Step S21, collecting the network data of the destination host;
Step S22, extracting a feature to be detected from the network data;
Step S23, importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by the artificial intelligence model, and determining, according to the classification result, whether the destination host is subjected to a network attack and the attack type of the network attack.
Specifically, the network data of the destination host may be collected by network sniffing or by network port mirroring. Network sniffing means setting the network card of the destination host to promiscuous mode and capturing the network data of the destination host with a packet capture tool. Network port mirroring means mapping the collection port of the destination host to another port and copying the data in real time, so as to obtain the network data of the destination host. Of course, the collection of the network data of the destination host is not limited to these two ways, and this embodiment does not restrict it.
After the network data has been collected, the feature to be detected is extracted from it. The network data include the request data and the second response data; as described above, the request data is used to initiate a service request to the destination host and is sent by the terminal device to the destination host, while the second response data is used by the destination host to respond to the service request and is sent by the destination host to the terminal device. The feature to be detected may be extracted directly from the request data within the network data, or the request data may first be extracted from the network data and the feature to be detected then extracted from the request data; this embodiment does not restrict this. The feature to be detected may include one or more of request time, IP information, port information, protocol type, packet sending frequency, e-mail address, file name and target URL address. It should be noted that the feature to be detected can be set flexibly according to the actual situation and this embodiment does not restrict it.
The structure of the request data differs with the transport protocol used between the destination host and the terminal device, which includes but is not limited to the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). Taking an HTTP request as an example, the request data consists of three parts: a request line, made up of the method (for example POST), the uniform resource identifier (URI) and the protocol version (for example HTTP/1.1); request headers, which inform the destination host about the request, including but not limited to the type of browser that generated the request, the content types the terminal device can accept and the host name of the request; and the request body. After the network data has been collected, each field of the HTTP request headers is parsed and the field contents that need to be detected are found, that is, the feature to be detected is extracted.
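The following is an added example of the HTTP parsing and feature extraction described above, not code from the patent: a captured request is split into request line, headers and body, the Content-Length is checked against the body actually captured, and the feature to be detected is assembled from the request fields the embodiment names (request time, IP and port information, protocol type, file name, target URL) together with the decoded parameters. The sample request and the caller-supplied connection metadata are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed raw HTTP request standing in for request data captured from the network.
SAMPLE_REQUEST = (
    "POST /login.php?redirect=%2Fadmin HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "User-Agent: sqlmap/1.7\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "user=admin%27+OR+%271%27%3D%271&pass=x"
)


def parse_http_request(raw):
    """Split raw request data into request line, headers and body.  Malformed or
    truncated captures raise ValueError instead of producing half-parsed features."""
    head, separator, body = raw.partition("\r\n\r\n")
    if not separator:
        raise ValueError("incomplete request: header terminator missing")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError("body length %d differs from Content-Length %s" % (len(body), declared))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_features(raw, src_ip, src_port, request_time):
    """Feature to be detected: request fields plus connection metadata (assumption: the
    capture layer supplies src_ip, src_port and request_time alongside the bytes)."""
    req = parse_http_request(raw)
    url = urlsplit(req["target"])
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    content_type = req["headers"].get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(req["body"], keep_blank_values=True))
    return {
        "request_time": request_time,
        "src_ip": src_ip,
        "src_port": src_port,
        "protocol": "HTTP",
        "version": req["version"],
        "method": req["method"],
        "host": req["headers"].get("host", ""),
        "user_agent": req["headers"].get("user-agent", ""),
        "accept": req["headers"].get("accept", ""),
        "target_url": url.path,
        "file_name": url.path.rsplit("/", 1)[-1],
        "params": params,
    }
```

The decoded parameters are kept as part of the feature: the percent-encoded form of the sample body hides the quote characters that make it an injection attempt, and a classifier fed only the raw header fields would not see them.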
After the feature to be detected has been obtained, it is imported into the pre-established artificial intelligence model, which classifies it and produces a classification result. The artificial intelligence model may be a machine learning classification model, such as a naive Bayes classification model, or a deep learning classification model. If the classification result is that the feature to be detected belongs neither to a network attack of any known attack type nor to a network attack of an unknown attack type, the destination host is determined not to be subjected to a network attack; if the classification result is that the feature to be detected belongs to a network attack of a known attack type, the destination host is determined to be subjected to a network attack of that attack type; if the classification result is that the feature to be detected belongs to a network attack of an unknown attack type, the destination host is determined to be subjected to a network attack of an unknown attack type.
In the method of detecting whether the destination host is subjected to a network attack provided by this embodiment, the artificial intelligence model is a classification model built with artificial intelligence technology and has self-learning, self-organising and adaptive capabilities, so it can effectively discover novel or mutated network attacks. This makes up for the inability of traditional network attack detection methods to detect unknown network attacks, improves overall network attack detection capability, reduces the false negative rate, and allows the attack type of the network attack to be determined from the classification result.
Further, before the feature to be detected is imported into the pre-established artificial intelligence model, the artificial intelligence model must be established. Fig. 3 is a flow diagram of establishing the artificial intelligence model, which includes:
Step S31, collecting model training data;
Step S32, extracting features of known network attacks from the model training data to obtain attack feature data;
Step S33, classifying the attack feature data to obtain training samples;
Step S34, performing model training according to the training samples to obtain the artificial intelligence model.
Specifically, the model training data include one or more of attack data published on the Internet, vulnerability data published on the Internet, attack data already collected by the destination host, and vulnerability data already collected by the destination host. The attack data are data extracted from existing network attack cases, and the vulnerability data are data extracted from existing vulnerability cases. The attack data and the vulnerability data may be published on the Internet, or may be obtained by analysing and refining the attacks that the destination host has suffered in the past.
After obtaining the model training data, the features of known network attacks are extracted from the model training data to obtain attack signature data. Further, the extracted attack signature data may include one or more combinations of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address. It should be noted that the attack signature data can be set flexibly according to actual conditions, and the present embodiment places no restriction on this. After obtaining the attack signature data, they are classified according to the attack type of the network attack they belong to, which forms the training samples; the attack types of the network attacks include but are not limited to SQL injection attacks and XSS attacks.
Performing model training according to the training samples means calculating the frequency of occurrence of the network attacks of each attack type in the training samples and the conditional probability that each item of attack signature data belongs to the network attack of each attack type, and recording the calculation results; this yields the artificial intelligence model. In the present embodiment, the algorithm used for model training is the naive Bayes algorithm. The naive Bayes algorithm performs well on small-scale data, suits multi-class tasks and suits incremental training. Of course, other machine learning classification algorithms or deep learning classification algorithms can also be used for model training; for example, a decision tree algorithm can also be used, and the present embodiment places no limit on this.
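The model training described in steps S31 to S34, as an added example that is not part of the patent: a categorical naive Bayes classifier that records the frequency of each attack type and the per-type frequency of each attack signature value, and supports incremental training by simply adding to those counts. The feature names, their values and the training samples are constructed for illustration; the "normal" class is an assumption used to express "not under attack".

```python
"""Added example (not the patent's own code): naive Bayes model over attack
signature data, as described for steps S31 to S34.  Training samples and the
feature names are constructed for illustration.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Sample = Dict[str, str]          # attack signature data: feature name -> categorical value
NORMAL = "normal"                # assumed class meaning "no network attack"


class NaiveBayesAttackModel:
    """Categorical naive Bayes with add-one (Laplace) smoothing.

    train() records the frequency of each attack type and, per attack type, the
    frequency of each feature value; log_posteriors() turns those counts into the
    conditional probabilities the text describes.  Because only counts are kept,
    calling train() again with new samples is incremental training.
    """

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha
        self.class_counts: Counter = Counter()
        # feature_counts[attack_type][feature_name][feature_value] -> count
        self.feature_counts: Dict[str, Dict[str, Counter]] = defaultdict(lambda: defaultdict(Counter))
        self.feature_values: Dict[str, set] = defaultdict(set)

    def train(self, samples: List[Tuple[Sample, str]]) -> None:
        for features, attack_type in samples:
            self.class_counts[attack_type] += 1
            for name, value in features.items():
                self.feature_counts[attack_type][name][value] += 1
                self.feature_values[name].add(value)

    def log_posteriors(self, features: Sample) -> Dict[str, float]:
        total = sum(self.class_counts.values())
        scores: Dict[str, float] = {}
        for attack_type, n_class in self.class_counts.items():
            score = math.log(n_class / total)            # prior: frequency of the attack type
            for name, value in features.items():
                counts = self.feature_counts[attack_type][name]
                # +1 on the vocabulary size keeps probability mass for values never seen in training
                vocab = len(self.feature_values[name]) + 1
                score += math.log((counts[value] + self.alpha) / (n_class + self.alpha * vocab))
            scores[attack_type] = score
        return scores

    def classify(self, features: Sample) -> str:
        scores = self.log_posteriors(features)
        return max(scores, key=scores.__getitem__)


def detect(model: NaiveBayesAttackModel, features: Sample) -> Tuple[bool, str]:
    """Returns (under attack?, attack type); the NORMAL class means no attack."""
    label = model.classify(features)
    return label != NORMAL, label


# Constructed training samples: categorical versions of fields named in the text
# (protocol type, port, file name extension, a token found in the target URL, packet frequency).
TRAINING_DATA: List[Tuple[Sample, str]] = [
    ({"protocol": "http", "port": "80",  "file_ext": "php",  "url_token": "union_select", "freq": "high"}, "sql_injection"),
    ({"protocol": "http", "port": "80",  "file_ext": "php",  "url_token": "single_quote", "freq": "low"},  "sql_injection"),
    ({"protocol": "http", "port": "443", "file_ext": "asp",  "url_token": "union_select", "freq": "low"},  "sql_injection"),
    ({"protocol": "http", "port": "80",  "file_ext": "html", "url_token": "script_tag",   "freq": "low"},  "xss"),
    ({"protocol": "http", "port": "443", "file_ext": "php",  "url_token": "script_tag",   "freq": "high"}, "xss"),
    ({"protocol": "http", "port": "80",  "file_ext": "php",  "url_token": "onerror",      "freq": "low"},  "xss"),
    ({"protocol": "http", "port": "80",  "file_ext": "html", "url_token": "none",         "freq": "low"},  NORMAL),
    ({"protocol": "http", "port": "443", "file_ext": "css",  "url_token": "none",         "freq": "low"},  NORMAL),
    ({"protocol": "http", "port": "80",  "file_ext": "js",   "url_token": "none",         "freq": "low"},  NORMAL),
]


def build_model() -> NaiveBayesAttackModel:
    model = NaiveBayesAttackModel()
    model.train(TRAINING_DATA)
    return model


if __name__ == "__main__":
    m = build_model()
    # An unseen port (8080) does not break classification thanks to smoothing.
    print(detect(m, {"protocol": "http", "port": "8080", "file_ext": "php",
                     "url_token": "union_select", "freq": "low"}))
```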
After detecting that the destination host is under the network attack, the present embodiment uses rule matching to detect whether the network attack succeeds. Fig. 4 is the flow diagram for detecting whether the network attack succeeds, which includes:
Step S41, extracting the feature to be compared from the network data corresponding to the network attack;
Step S42, comparing the feature to be compared with one or more attack-response rules, wherein the attack-response rules are formed according to first response data, and the first response data are the responses of the attacked host to successful attack requests;
Step S43, if the feature to be compared matches an attack-response rule, judging that the network attack succeeds.
Specifically, each successful network attack has its own uniqueness, which is mainly embodied in the response of the attacked host to the successful attack request. Therefore, extracting the feature to be compared means extracting the feature of the second response data. The feature of the second response data may be extracted directly from the network data, or the second response data may first be extracted from the network data and the feature to be compared then extracted from the second response data; the present embodiment places no limit on this.
Still taking an HTTP network response as an example, the second response data consist of the following three parts: the status line, composed of the protocol version (for example, HTTP 1.1), the status code and the status code description; the response header, including but not limited to the name of the application, the version of the application, the response body type, the response body length and the encoding used by the response body; and the response body. After the network data is collected, each field in the HTTP response header is parsed and the field contents that need to be compared are located, that is, the feature to be compared is extracted.
Further, to judge whether a network attack succeeds, it is also possible to reason backward from the attacker's perspective, inferring from the response contents the features the attack request should have, so as to improve the accuracy of identifying whether the network attack succeeded. Therefore, the feature to be compared can also be extracted jointly from the second response data and the request data. Specifically, the request data and the second response data can be extracted from the network data, and the feature to be compared then extracted from the request data and the second response data. Still taking an HTTP network request and an HTTP network response as an example, after the network data is collected, each field in the HTTP request header and the HTTP response header is parsed and the field contents that need to be compared are located, that is, the feature to be compared is extracted.
After obtaining the feature to be compared, it is compared with one or more attack-response rules. Still taking the HTTP transport protocol as an example, if the feature to be compared matches some attack-response rule, the HTTP request is judged to be a malicious attack and the network attack suffered by the destination host is judged to have succeeded; if the feature to be compared matches none of the attack-response rules, the HTTP request is judged to be an ineffective network attack and can be ignored directly.
Further, a feature library can be pre-established for storing the one or more attack-response rules. The attack-response rules stored in the feature library are formed according to the first response data, and the first response data are the responses of the attacked host to successful attack requests; that is, the attack-response rules are generated in advance from the response features of the attack responses corresponding to already existing successful attack requests. Fig. 5 is a flow diagram of establishing the feature library provided in this embodiment, which includes:
Step S51, creating a database;
Step S52, extracting one or more attack-response features correspondingly from one or more items of first response data;
Step S53, describing each attack-response feature deterministically to form one or more attack-response rules;
Step S54, storing the one or more attack-response rules in the database to obtain the feature library.
Specifically, creating the database means creating a blank storage space. The first response data are the responses of the attacked host to successful attack requests and can be collected from the attack data published on the internet and/or the attack data already collected by the destination host. For example, an attacker sends a floor() function error-based injection attack request to the attacked host, and the floor() function error-based injection attack request succeeds; the response of the attacked host to the floor() function error-based injection attack request is then the first response data. Network attacks of the same attack type can also be further divided according to the specific attack action. For example, SQL injection attacks include count() function error-based injection, rand() function error-based injection, floor() function error-based injection, and so on. For the network attack of each attack action, a corresponding item of first response data can be collected, so one or more attack-response features can be extracted correspondingly from the one or more items of first response data; that is, one attack-response feature can be extracted for each item of first response data. Similarly to the attack signature data, the attack-response feature may include one or more combinations of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address. It should be noted that the attack-response feature can also be set flexibly according to actual conditions, and the present embodiment places no restriction on this.
After obtaining the attack-response features, each attack-response feature is described deterministically, the deterministic description being made according to a preset rule. In the present embodiment, a conventional regular expression can be used to describe each attack-response feature deterministically, and complex logic such as arithmetic logic and matching logic can also be added to the regular expression to improve the accuracy of the matching result. After obtaining the attack-response rules, all the attack-response rules are stored in the database, that is, the corresponding data are written into the blank storage space, and the feature library is obtained.
Further, the feature library may also include N sub-feature libraries, each sub-feature library storing all the attack-response rules of the same attack type, where N is an integer not less than 2. On this basis, Fig. 6 is the flow diagram of another way of establishing the feature library provided in this embodiment, which includes:
Step S61, creating N databases;
Step S62, extracting two or more attack-response features correspondingly from two or more items of first response data;
Step S63, describing each attack-response feature deterministically to form two or more attack-response rules;
Step S64, storing the attack-response rules among the two or more attack-response rules that belong to the same attack type in the same database to obtain the sub-feature libraries.
Specifically, steps S61 to S63 can refer to the foregoing description of steps S51 to S53 and are not repeated here. After obtaining the two or more attack-response rules, the attack-response rules belonging to the same attack type are stored in the same database according to the attack type to which each attack-response rule belongs, which yields the sub-feature libraries. In the present embodiment, the sub-feature libraries can be a basic feature library, an SQL injection feature library, an XSS dynamic feature library and a tool fingerprint library, where the basic feature library stores command features and file features, the SQL injection feature library stores SQL injection attack features, the XSS dynamic feature library stores XSS dynamic attack features, and the tool fingerprint library stores "big horse" connection fingerprints and "kitchen knife" fingerprints. It should be noted that the sub-feature libraries can be set flexibly according to actual conditions, and the present embodiment places no restriction on this.
For a feature library established using the flow shown in Fig. 6, comparing the feature to be compared with the one or more attack-response rules specifically includes: comparing the feature to be compared with the one or more attack-response rules in the sub-feature library corresponding to the attack type of the network attack. For example, if the attack type of the network attack is an SQL injection attack, the feature to be compared is compared with the one or more attack-response rules in the SQL injection feature library; if the attack type of the network attack is an XSS dynamic attack, the feature to be compared is compared with the one or more attack-response rules in the XSS dynamic feature library. By dividing the feature library into multiple sub-feature libraries, the number of attack-response rules compared with the feature to be compared can be reduced, since matching is only required against the attack-response rules in one sub-feature library, which improves the efficiency of comparing the feature to be compared with the attack-response rules.
For the network attack of each attack action, one corresponding attack-response rule is obtained, so an association between each attack-response rule and an attack action can be established. According to the association between each attack-response rule and the attack action, the attack action corresponding to the attack-response rule that matches the feature to be compared is determined to be the attack action of the successful network attack. For example, if the attack action corresponding to the attack-response rule that matches the feature to be compared is floor() function error-based injection, the attack action of the successful network attack is floor() function error-based injection.
After detecting whether the network attack succeeds, warning information can be generated according to the detection result. Specifically, if the network attack succeeds, first warning information is generated, which includes the attack type of the network attack and the attack action of the network attack; if the network attack does not succeed, second warning information is generated, which includes the attack type of the network attack. For example, when the destination host suffers an SQL injection attack but the attack does not succeed, the second warning information is generated and can be "suffered SQL injection attack"; when the destination host suffers an SQL injection attack and the attack succeeds, the specific attack action being floor() function error-based injection, the first warning information is generated and can be "suffered SQL injection attack, floor() function error-based injection".
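The success detection of steps S41 to S43 carried through end to end, as an added example that is not the patent's own code: the HTTP request and response are parsed into the fields to be compared, matched against the sub-feature library of the detected attack type (Fig. 6), the matching rule's associated attack action is looked up, and the first or second warning information is generated. The rules, the attack action names and the traffic are constructed for illustration; the SQL injection rule also looks at the request query, as the text allows, to tell floor() error-based injection apart from other actions.

```python
"""Added example (not the patent's own code): rule matching for success detection
(steps S41 to S43) over a feature library split into per-attack-type sub-feature
libraries (Fig. 6), each rule associated with an attack action, followed by
generation of the first or second warning information.  Rules and traffic are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class AttackResponseRule:
    attack_type: str                  # sub-feature library the rule belongs to
    attack_action: str                # attack action associated with this rule
    patterns: Dict[str, re.Pattern]   # field name -> deterministic description (regular expression)

    def matches(self, feature: Dict[str, str]) -> bool:
        # Every pattern must match its field, so request-side and response-side evidence are combined.
        return all(p.search(feature.get(name, "")) for name, p in self.patterns.items())


# Feature library: attack type -> sub-feature library.  Constructed rules; the MySQL
# "Duplicate entry ... for key 'group_key'" error is the response text that a successful
# floor() error-based injection relies on, which is why the rule keys on it.
FEATURE_LIBRARY: Dict[str, List[AttackResponseRule]] = {
    "SQL injection attack": [
        AttackResponseRule("SQL injection attack", "floor() function error-based injection", {
            "request_query": re.compile(r"floor\s*\(", re.I),
            "body": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
        }),
    ],
    "XSS dynamic attack": [
        AttackResponseRule("XSS dynamic attack", "reflected script tag", {
            "request_query": re.compile(r"<script", re.I),
            "body": re.compile(r"<script[^>]*>[^<]*</script>", re.I),
        }),
    ],
}


def parse_http_message(raw: str) -> Dict[str, str]:
    """Split an HTTP request or response into start line, lower-cased header names and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = {"start_line": lines[0], "body": body}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def extract_feature_to_compare(request_raw: str, response_raw: str) -> Dict[str, str]:
    """Step S41: parse request and response header fields and body into the fields rules compare on."""
    req = parse_http_message(request_raw)
    resp = parse_http_message(response_raw)
    target = req["start_line"].split(" ")[1]
    _path, _, query = target.partition("?")
    status = resp["start_line"].split(" ")      # protocol version, status code, status description
    return {
        "request_query": unquote_plus(query),
        "status_code": status[1] if len(status) > 1 else "",
        "server": resp.get("server", ""),
        "body": resp["body"],
    }


def detect_attack_success(attack_type: str, feature: Dict[str, str]) -> Optional[str]:
    """Steps S42 and S43, restricted to the sub-feature library of the detected attack type.
    Returns the attack action associated with the matching rule, or None if no rule matches."""
    for rule in FEATURE_LIBRARY.get(attack_type, []):
        if rule.matches(feature):
            return rule.attack_action
    return None


def generate_warning(attack_type: str, attack_action: Optional[str]) -> str:
    if attack_action is None:
        return f"suffered {attack_type}"                      # second warning information
    return f"suffered {attack_type}, {attack_action}"         # first warning information


def alarm(attack_type: str, request_raw: str, response_raw: str) -> str:
    feature = extract_feature_to_compare(request_raw, response_raw)
    return generate_warning(attack_type, detect_attack_success(attack_type, feature))


# Constructed traffic (not captured from any real system; the query is a marker, not a working payload).
SQLI_REQUEST = "GET /item.php?id=1%27+floor(rand(0)*2) HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI_SUCCESS_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nContent-Type: text/html\r\n\r\n"
                         "<b>Warning</b>: Duplicate entry '5.7.31' for key 'group_key'")
SQLI_FAILED_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nContent-Type: text/html\r\n\r\n"
                        "<html>No results</html>")
XSS_REQUEST = "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_SUCCESS_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                        "<p>Results for <script>alert(1)</script></p>")

if __name__ == "__main__":
    print(alarm("SQL injection attack", SQLI_REQUEST, SQLI_SUCCESS_RESPONSE))
    print(alarm("SQL injection attack", SQLI_REQUEST, SQLI_FAILED_RESPONSE))
```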
Further, after generating the first warning information or the second warning information, the first warning information or the second warning information can also be sent to network management personnel. For example, the first warning information or the second warning information can be sent to a specified email address by mail, sent to a specified mobile terminal by short message, shown directly on the destination host in a dialog box, or sent to network management personnel by instant messaging. Of course, any one of the above ways can be used to send the first warning information or the second warning information to network management personnel, and a combination of any several of these ways can also be used.
The network alarm method provided in this embodiment can screen out successful network attacks, so that network management personnel not only know which types of network attack the destination host has suffered but also know the specific attack actions of the successful network attacks. This provides network management personnel with effective network attack information, which improves O&M efficiency and helps find real vulnerabilities.
Embodiment 2
Embodiment 1 adopts an alarm mode in which one network attack corresponds to one item of warning information, that is, each detected network attack produces one corresponding item of warning information. However, isolated warning information cannot accurately reflect the security state of the destination host, and such a presentation of attacks cannot grasp the attack process as a whole. Therefore, the present embodiment provides another network attack alarm method. Compared with the network attack alarm method provided in embodiment 1, the present embodiment further includes, after generating the first warning information or the second warning information:
adding a corresponding attack chain label to the first warning information or the second warning information according to the warning content, wherein the attack chain label characterizes the attack stage of the network attack in the attack chain;
counting the attack chain labels of the same attack event to obtain the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
The warning content of the warning information differs according to the attack stage of the network attack suffered by the destination host; that is, the warning content reveals the attack purpose that the corresponding network attack aims to achieve, and warning information with different warning contents corresponds to different attack stages. Therefore, the attack stage can be determined from the warning content of the warning information corresponding to the network attack suffered by the destination host. The warning content of the first warning information includes the attack type of the network attack and the attack action of the network attack, and the warning content of the second warning information includes the attack type of the network attack. Specifically, according to the warning content, the attack chain label corresponding to the first warning information or the second warning information is determined from a pre-established tag library. The tag library stores M attack chain labels, each characterizing one attack stage in the attack chain. The attack chain refers to the series of processes carried out by an attacker against the destination host, from reconnaissance to destruction, and is usually composed of several different attack stages. For example, the attack chain can be composed of six attack stages: the reconnaissance stage, the intrusion stage, the command and control stage, the lateral movement stage, the data exfiltration stage and the trace cleanup stage, i.e. the value of M is 6. Correspondingly, the M attack chain labels are the reconnaissance label, the intrusion label, the command and control label, the lateral movement label, the data exfiltration label and the trace cleanup label. Of course, the division of the attack chain is not limited to this mode and can be arranged flexibly according to actual conditions.
As mentioned above, warning information with different warning contents corresponds to different attack stages and each attack chain label characterizes one attack stage, so associations between warning information with different warning contents and different attack chain labels can be pre-established according to published attack events. According to the warning content, the attack chain label corresponding to the first warning information or the second warning information can then be determined from the pre-established tag library. Taking as an example first warning information or second warning information in which the attack type of the network attack is a PHP code execution attack: a PHP code execution attack belongs to the command and control stage of the attack chain, so the attack chain label added to the first warning information or the second warning information is the command and control label. Further, the attack chain label can be added as an attribute of the first warning information or the second warning information.
After adding the corresponding attack chain label to all warning information of an attack event, counting the number of identical attack chain labels among all the attack chain labels yields the total number of network attacks in each attack stage of the attack event. For example, counting the reconnaissance labels gives the total number of network attacks in the reconnaissance stage of the attack event, and counting the intrusion labels gives the total number of network attacks in the intrusion stage of the attack event. Counting the number of identical attack chain labels among the attack chain labels corresponding to all the first warning information yields the number of successful network attacks in each attack stage of the attack event. Combined with the attack actions of the network attacks in the first warning information, this gives the attack actions of the successful network attacks in each attack stage of the attack event.
Take as an example an attack event in which the destination host suffers 10 network attacks, correspondingly producing 4 items of first warning information and 6 items of second warning information, where the attack chain labels corresponding to the 4 items of first warning information are: intrusion label, intrusion label, command and control label and command and control label, and the attack chain labels corresponding to the 6 items of second warning information are: reconnaissance label, reconnaissance label, intrusion label, reconnaissance label, intrusion label and command and control label. Counting the 10 attack chain labels shows that the destination host suffered 3 network attacks in the reconnaissance stage, 4 network attacks in the intrusion stage and 3 network attacks in the command and control stage; counting the attack chain labels corresponding to the 4 items of first warning information shows that the destination host suffered 2 successful network attacks in the intrusion stage and 2 successful network attacks in the command and control stage.
The attack route information is generated after obtaining the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event. Further, the attack route information can also include the start and end times of each attack stage, and after the attack route information is generated it can be displayed in order of the start time of each attack stage. The start time of each attack stage is the time of the first network attack in that attack stage, and the end time of each attack stage is the time of the last network attack in that attack stage. Again taking the destination host above that suffers 10 network attacks as an example, if the start and end times of the reconnaissance stage are 2018-3-15 03:20~2018-3-19 15:12, the start and end times of the intrusion stage are 2018-3-17 07:38~2018-3-21 05:21 and the start and end times of the command and control stage are 2018-3-20 14:47~2018-3-20 18:21, then the network attack route information generated from the statistics can be displayed as "2018-3-15 03:20~2018-3-19 15:12, reconnaissance stage: 3 times; 2018-3-17 07:38~2018-3-21 05:21, intrusion stage, 4 times; 2018-3-20 14:47~2018-3-20 18:21, command and control stage, 4 times". Of course, the attack route information can also include information such as the IP address of the destination host and the duration of the whole attack event, as shown in Fig. 7, and the present embodiment places no limit on this.
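The labelling, counting and attack route generation of this embodiment, as an added example that is not the patent's own code: each item of warning information receives an attack chain label looked up from its warning content, the labels of one attack event are counted per attack stage (total attacks, successful attacks and their attack actions, start and end time), and the stages are printed in order of start time. The warning-content-to-label associations, the attack action names and the 10 warnings are constructed to reproduce the worked example above.

```python
"""Added example (not the patent's own code): attack chain labels for the warning
information of one attack event and the attack route information derived from them.
The tag library associations and the 10 warnings are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class WarningInfo:
    time: datetime
    attack_type: str                      # warning content shared by first and second warning information
    attack_action: Optional[str] = None   # only first warning information (successful attack) carries one
    chain_label: Optional[str] = None     # attack chain label, added as an attribute of the warning

    @property
    def successful(self) -> bool:
        return self.attack_action is not None


# Tag library: M = 6 attack chain labels, one per attack stage, in attack chain order.
TAG_LIBRARY = ["reconnaissance", "intrusion", "command and control",
               "lateral movement", "data exfiltration", "trace cleanup"]

# Association between warning content and attack chain label.  Constructed here; the text
# itself only states that a PHP code execution attack belongs to the command and control stage.
CONTENT_TO_LABEL: Dict[str, str] = {
    "port scan": "reconnaissance",
    "SQL injection attack": "intrusion",
    "PHP code execution attack": "command and control",
}


def add_chain_label(w: WarningInfo) -> WarningInfo:
    w.chain_label = CONTENT_TO_LABEL[w.attack_type]
    return w


def count_stages(warnings: List[WarningInfo]) -> Dict[str, dict]:
    """Per attack stage: total attacks, successful attacks, their attack actions, start and end time."""
    stats: Dict[str, dict] = {}
    for w in warnings:
        if w.chain_label is None:
            add_chain_label(w)
        s = stats.setdefault(w.chain_label, {"total": 0, "successful": 0, "actions": [],
                                             "start": w.time, "end": w.time})
        s["total"] += 1
        s["start"], s["end"] = min(s["start"], w.time), max(s["end"], w.time)
        if w.successful:
            s["successful"] += 1
            s["actions"].append(w.attack_action)
    return stats


def attack_route(stats: Dict[str, dict]) -> str:
    """Attack route information with the stages ordered by their start time."""
    parts = []
    for label in sorted(stats, key=lambda name: stats[name]["start"]):
        s = stats[label]
        span = f"{s['start']:%Y-%m-%d %H:%M}~{s['end']:%Y-%m-%d %H:%M}"
        line = f"{span}, {label} stage: {s['total']} times, {s['successful']} successful"
        if s["actions"]:
            line += " (" + ", ".join(sorted(set(s["actions"]))) + ")"
        parts.append(line)
    return "; ".join(parts)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed attack event: 10 network attacks producing 4 first and 6 second warnings, with
# the stage labels and the stage start/end times used in the text's example.
EVENT_WARNINGS: List[WarningInfo] = [
    WarningInfo(_t("2018-03-15 03:20"), "port scan"),
    WarningInfo(_t("2018-03-16 11:05"), "port scan"),
    WarningInfo(_t("2018-03-17 07:38"), "SQL injection attack"),
    WarningInfo(_t("2018-03-18 09:10"), "SQL injection attack", "floor() function error-based injection"),
    WarningInfo(_t("2018-03-19 15:12"), "port scan"),
    WarningInfo(_t("2018-03-19 22:40"), "SQL injection attack", "floor() function error-based injection"),
    WarningInfo(_t("2018-03-20 14:47"), "PHP code execution attack"),
    WarningInfo(_t("2018-03-20 16:02"), "PHP code execution attack", "remote command execution"),
    WarningInfo(_t("2018-03-20 18:21"), "PHP code execution attack", "remote command execution"),
    WarningInfo(_t("2018-03-21 05:21"), "SQL injection attack"),
]

if __name__ == "__main__":
    print(attack_route(count_stages(EVENT_WARNINGS)))
```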
Further, since each attack stage in the attack chain can also be divided into several smaller attack stages, each smaller attack stage is likewise characterized by an attack chain label. Correspondingly, the attack chain labels may include two or more levels, and adding the corresponding attack chain label to the first warning information or the second warning information according to the warning content then includes: determining, according to the warning content, the labels of each level corresponding to the warning information from the pre-established tag library, where the tag library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
Fig. 8 is a schematic diagram of a tag library provided in this embodiment, in which the attack chain labels are divided into three levels. The first-level labels include the reconnaissance label, the intrusion label, the command and control label, the lateral movement label, the data exfiltration label and the trace cleanup label. The second-level labels corresponding to the reconnaissance label include the port scan label, the information leakage label, the IP scan label and the subdomain collection label; the second-level labels corresponding to the intrusion label include the vulnerability detection label, the vulnerability exploitation label, the denial of service label, the brute force label and the high-risk operation label; the second-level labels corresponding to the command and control label include the host controlled label, the hacking tool upload label, the relay server behaviour label, the token carrying label, the antivirus software shutdown label and the host information acquisition label; the second-level labels corresponding to the lateral movement label include the intranet reconnaissance label, the sniffing attack label, the intranet vulnerability detection label and the intranet vulnerability exploitation label; the second-level labels corresponding to the data exfiltration label include the file download label and the database dumping label; the second-level labels corresponding to the trace cleanup label include the backdoor deletion label, the attack service shutdown label and the log removal label. The third-level labels corresponding to the high-risk operation label include the database operation label and the weak password successful login label.
By dividing the attack chain labels into multiple levels, the attack stages in the attack chain can be described more completely, so that the whole process of the attack event is shown to network management personnel in more detail. It should be noted that the tag library can be created by the destination host or by another host; in the latter case the destination host calls the tag library directly from the other host when it needs to add the corresponding attack chain label. Further, the corresponding attack chain label can also be added directly to the first warning information or the second warning information without creating the tag library.
After generating the attack route information, it can be sent to network management personnel by one of, or a combination of, mail, short message, dialog box and instant messaging. By adding the corresponding attack chain label to the first warning information or the second warning information and counting, according to the attack chain labels, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the attack event can be divided according to the attack chain and by attack stage, so that the whole process of the attack event can be shown to network management personnel from the perspective of big data analysis, avoiding confusion in the attack route.
Embodiment 3
The present embodiment provides a network attack alarm system, which includes: a first detection module, for detecting whether a destination host is under network attack and determining the attack type of the network attack; a second detection module, for detecting, when the destination host is under the network attack, whether the network attack succeeds and determining the attack action of the successful network attack; and a warning information generation module, for generating, when the network attack succeeds, first warning information including the attack type of the network attack and the attack action of the network attack, and otherwise generating second warning information including the attack type of the network attack.
Further, the first detection module includes: an acquisition module, for acquiring the network data of the destination host; a first extraction module, for extracting the feature to be detected from the network data; and an import module, for importing the feature to be detected into the pre-established artificial intelligence model, classifying the feature to be detected by the artificial intelligence model, and determining according to the classification result whether the destination host is under network attack and the attack type of the network attack.
Further, the first extraction module includes: a first extraction unit, for extracting request data from the network data, wherein the request data is used to initiate a request for service to the destination host; and a second extraction unit, for extracting the feature to be detected from the request data.
Further, the network attack alarm system further includes a model creation module, for establishing the artificial intelligence model before the feature to be detected is imported into the pre-established artificial intelligence model. Specifically, the model creation module includes: a collection module, for collecting model training data; a second extraction module, for extracting the features of known network attacks from the model training data to obtain attack signature data; a classification module, for classifying the attack signature data to obtain training samples; and a training module, for performing model training according to the training samples to obtain the artificial intelligence model.
Further, the second detection module includes: a third extraction module, for extracting the feature to be compared from the network data corresponding to the network attack; a comparison module, for comparing the feature to be compared with one or more attack-response rules, wherein the attack-response rules are formed according to first response data and the first response data are the responses of the attacked host to successful attack requests; a determination module, for judging that the network attack succeeds when the feature to be compared matches an attack-response rule; and an attack action determination module, for determining the attack action of the successful network attack.
Further, the third extraction module includes: a third extraction unit, for extracting second response data from the network data, wherein the second response data is the response of the destination host to the request for service; and a fourth extraction unit, for extracting the feature to be compared from the second response data.
Further, the third extraction module may instead include: a fifth extraction unit, for extracting request data and second response data from the network data, wherein the request data is used to initiate a request for service to the destination host and the second response data is the response of the destination host to the request for service; and a sixth extraction unit, for extracting the feature to be compared from the request data and the second response data.
Further, the network attack alarm system further includes a feature library creation module, for establishing, before the feature to be compared is compared with the one or more attack-response rules, a feature library including the one or more attack-response rules. Specifically, the feature library creation module may include: a database creation module, for creating a database; a fourth extraction module, for extracting one or more attack-response features correspondingly from one or more items of first response data; a rule formation module, for describing each attack-response feature deterministically to form one or more attack-response rules; and a storage module, for storing the one or more attack-response rules in the database to obtain the feature library.
The feature library may include N sub-feature libraries, N being an integer not less than 2; on this basis, the feature library creation module may also include: a database creation module, for creating N databases; a fourth extraction module, for extracting two or more attack-response features correspondingly from two or more items of first response data; a rule formation module, for describing each attack-response feature deterministically to form two or more attack-response rules; and a storage module, for storing the attack-response rules among the two or more attack-response rules that belong to the same attack type in the same database to obtain the sub-feature libraries.
Further, the network attack warning system further includes: an association creation module, for establishing, before the feature to be compared is compared with the one or more attack-response rules, an association between each attack-response rule and an attack action; the attack action determining module is then used to determine, according to the association between each attack-response rule and its attack action, the attack action associated with the attack-response rule matched by the feature to be compared as the attack action of the successful network attack.
Further, the network attack warning system further includes: a sending module, for sending, after the first warning information or the second warning information is generated, the first warning information or the second warning information to network management personnel by one or more of e-mail, short message, dialog box and instant messaging.
For the specific operating principle of the network attack warning system, reference may be made to the description of each step in Embodiment 1, which is not repeated in this embodiment.
Embodiment 4
This embodiment provides another network attack warning system. Compared with the network attack warning system provided in Embodiment 3, this network attack warning system further includes: a label adding module, for adding, after the first warning information or the second warning information is generated and according to the warning content, a corresponding attack chain label to the first warning information or the second warning information, wherein the attack chain label characterizes the attack stage of the attack chain in which the network attack lies; a statistics module, for counting the attack chain labels of all warning information attributed to the same attack, so as to obtain, for each attack stage of that attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks; and a route information generation module, for generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, wherein the attack route information includes, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
Further, the attack chain labels have two or more levels, and the label adding module is used to determine, according to the warning content, the label at each level corresponding to the warning information from a pre-established tag library, wherein the tag library contains M attack chain labels divided into two or more levels, M being an integer greater than 4.
Further, the attack route information further includes the start and end times of each attack stage, and the network attack warning system further includes: a display module, for displaying the attack route information in the order of the start time of each attack stage.
For the specific operating principle of the network attack warning system, reference may be made to the description of each step in Embodiment 2, which is not repeated in this embodiment.
Embodiment 5
This embodiment provides a computer-readable storage medium on which a computer program is stored. If any of the network attack alarm methods provided in Embodiment 1 or Embodiment 2 of the present invention is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, all or part of the flow of any network attack alarm method provided in Embodiment 1 or Embodiment 2 of the present invention may also be completed by a computer program instructing the relevant hardware. The computer program may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of each of the above method embodiments can be realized.
The computer program includes computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disc, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and the like. It should be noted that the content included in the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals.
The specific embodiments described above further describe in detail the purpose, technical solution and advantageous effects of the present invention. It should be understood that the foregoing are merely specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
The present invention discloses A1, a network attack alarm method, including:
detecting whether a destination host is subjected to a network attack, and determining the attack type of the network attack;
if the destination host is subjected to the network attack, detecting whether the network attack succeeded, and determining the attack action of the successful network attack;
if the network attack succeeded, generating first warning information that includes the attack type of the network attack and the attack action of the network attack; otherwise, generating second warning information that includes the attack type of the network attack.
A2. The network attack alarm method according to A1, wherein detecting whether the destination host is subjected to a network attack and determining the attack type of the network attack includes:
acquiring network data of the destination host;
extracting a feature to be detected from the network data;
importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by the artificial intelligence model, and determining, according to the classification result, whether the destination host is subjected to a network attack and the attack type of the network attack.
A3. The network attack alarm method according to A2, wherein extracting the feature to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used to initiate a request for service to the destination host;
extracting the feature to be detected from the request data.
A4. The network attack alarm method according to A2, further including, before the feature to be detected is imported into the pre-established artificial intelligence model:
establishing the artificial intelligence model.
A5. The network attack alarm method according to A4, wherein establishing the artificial intelligence model includes:
collecting model training data;
extracting features of known network attacks from the model training data to obtain attack feature data;
classifying the attack feature data to obtain training samples;
performing model training according to the training samples to obtain the artificial intelligence model.
A6. The network attack alarm method according to A5, wherein collecting the model training data includes:
collecting one or more of: attack data published on the Internet, vulnerability data published on the Internet, attack data already acquired at the destination host, and vulnerability data already acquired at the destination host.
A7. The network attack alarm method according to A5, wherein performing model training according to the training samples includes:
performing model training with a naive Bayes algorithm according to the training samples.
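As an added worked example, not code from the patent, the following Python implements the detection step of claims A2 to A7 (and the corresponding system claims B23 to B28): request data is tokenised into a feature to be detected and classified by a multinomial naive Bayes model trained on labelled attack feature data. The tokeniser, the class names and the small set of labelled training requests are constructed for this example; the patent specifies only that a naive Bayes algorithm is trained on classified attack feature data.

```python
"""Naive Bayes attack-type detection over request data (added example for
claims A2-A7 / B23-B28).  Training requests below are constructed, not the
patent's training data."""
import math
import re
from collections import Counter, defaultdict

# Words and single punctuation symbols; digits are dropped.  Quotes, angle
# brackets and dots carry most of the signal for web attacks, so they are
# kept as tokens of their own.
TOKEN_RE = re.compile(r"[A-Za-z_]+|[^\sA-Za-z0-9_]")


def extract_features(request_line: str) -> list:
    """Feature to be detected (claim A3): lowercased tokens of the request."""
    return [t.lower() for t in TOKEN_RE.findall(request_line)]


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing, computed in log space."""

    def __init__(self):
        self.class_counts = Counter()            # samples per attack type
        self.token_counts = defaultdict(Counter)  # token counts per attack type
        self.vocab = set()

    def fit(self, samples):
        for features, label in samples:
            self.class_counts[label] += 1
            self.token_counts[label].update(features)
            self.vocab.update(features)

    def predict(self, features):
        total = sum(self.class_counts.values())
        v = len(self.vocab)
        best, best_lp = None, -math.inf
        for label, n in self.class_counts.items():
            lp = math.log(n / total)                      # class prior
            denom = sum(self.token_counts[label].values()) + v
            for t in features:                            # smoothed likelihoods
                lp += math.log((self.token_counts[label][t] + 1) / denom)
            if lp > best_lp:
                best, best_lp = label, lp
        return best


# Constructed, already classified training samples (claim A5: attack feature
# data classified into training samples).  "benign" is the no-attack class.
TRAINING = [
    ("GET /product?id=1 HTTP/1.1", "benign"),
    ("GET /search?q=shoes HTTP/1.1", "benign"),
    ("POST /login user=alice&pass=secret", "benign"),
    ("GET /product?id=1' OR '1'='1 HTTP/1.1", "sqli"),
    ("GET /product?id=1 UNION SELECT username,password FROM users HTTP/1.1", "sqli"),
    ("POST /login user=admin'-- &pass=x", "sqli"),
    ("GET /search?q=<script>alert(1)</script> HTTP/1.1", "xss"),
    ("GET /comment?text=<img src=x onerror=alert(1)> HTTP/1.1", "xss"),
    ("GET /static/../../../../etc/passwd HTTP/1.1", "path_traversal"),
    ("GET /download?file=..%2F..%2Fetc%2Fshadow HTTP/1.1", "path_traversal"),
]


def build_model() -> NaiveBayes:
    """Claim A7: train the model on the classified samples."""
    model = NaiveBayes()
    model.fit([(extract_features(line), label) for line, label in TRAINING])
    return model


def detect(model: NaiveBayes, request_line: str):
    """First step of claim A1: (attacked?, attack type) for one request."""
    label = model.predict(extract_features(request_line))
    return (label != "benign", label)


if __name__ == "__main__":
    m = build_model()
    for line in ("GET /product?id=7 HTTP/1.1",
                 "GET /product?id=5 UNION SELECT 1,2 HTTP/1.1"):
        print(detect(m, line), line)
```

With ten training lines the classifier separates the four classes only because the attack tokens (quotes, `union`, `<script`, `..`) never occur in the benign samples; a deployment would need far more samples per type, and a request whose attack type is misclassified here is later compared against the wrong sub-feature database under claim A14.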
A8. The network attack alarm method according to A1, wherein detecting whether the network attack succeeded includes:
extracting a feature to be compared from the network data corresponding to the network attack;
comparing the feature to be compared with one or more attack-response rules, wherein each attack-response rule is formed from first response data, the first response data being the response of an attacked host to a successful attack request;
if the feature to be compared matches an attack-response rule, judging that the network attack succeeded.
A9. The network attack alarm method according to A8, wherein extracting the feature to be compared from the network data corresponding to the network attack includes:
extracting second response data from the network data, wherein the second response data is the data with which the destination host responds to a request for service;
extracting the feature to be compared from the second response data.
A10. The network attack alarm method according to A8, wherein extracting the feature to be compared from the network data corresponding to the network attack includes:
extracting request data and second response data from the network data, wherein the request data is used to initiate a request for service to the destination host, and the second response data is the data with which the destination host responds to that request;
extracting the feature to be compared from the request data and the second response data.
A11. The network attack alarm method according to A8, further including, before the feature to be compared is compared with the one or more attack-response rules:
establishing a feature database containing the one or more attack-response rules.
A12. The network attack alarm method according to A11, wherein establishing the feature database containing the one or more attack-response rules includes:
creating a database;
extracting one or more attack-response features from one or more items of first response data, one feature per item;
describing each attack-response feature in a definite form, so as to form the one or more attack-response rules;
storing the one or more attack-response rules in the database to obtain the feature database.
A13. The network attack alarm method according to A11, wherein the feature database includes N sub-feature databases, N being an integer not less than 2, and establishing the feature database containing the one or more attack-response rules includes:
creating N databases;
extracting two or more attack-response features from two or more items of first response data, one feature per item;
describing each attack-response feature in a definite form, so as to form two or more attack-response rules;
storing those of the two or more attack-response rules that belong to the same attack type in the same database, each database so filled being one sub-feature database.
A14. The network attack alarm method according to A13, wherein comparing the feature to be compared with the one or more attack-response rules includes:
comparing the feature to be compared with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
A15. The network attack alarm method according to A12 or A13, wherein describing each attack-response feature in a definite form includes:
describing each attack-response feature in a definite form using a regular expression.
A16. The network attack alarm method according to A12 or A13, further including, before the feature to be compared is compared with the one or more attack-response rules:
establishing an association between each attack-response rule and an attack action;
wherein determining the attack action of the successful network attack includes:
determining, according to the association between each attack-response rule and its attack action, the attack action associated with the attack-response rule matched by the feature to be compared as the attack action of the successful network attack.
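As an added worked example, not the patent's own code, the following Python implements the success check described at the end of Embodiment 3 and in claims A8 to A16 (system claims B29 to B37), together with the alert generation of claim A1: attack-response rules are written as regular expressions (A15), grouped into sub-feature databases by attack type (A13), and each rule is associated with an attack action (A16). The feature to be compared is taken from the captured request and response (A10) and matched only against the sub-database of the detected attack type (A14). The rule texts, the attack-action names and the captured request/response pairs are constructed for this example.

```python
"""Attack-response rules, sub-feature databases and first/second warning
generation (added example for Embodiment 3 and claims A1, A8-A16).  Rules and
captures below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackResponseRule:
    """One attack-response rule: a regular expression (claim A15) describing
    the response an attacked host returns to a successful request, plus the
    attack action associated with it (claim A16)."""
    attack_type: str
    pattern: str
    attack_action: str
    reflected: bool = False  # True: the matched text must also occur in the request (claim A10)

    def matches(self, request: str, response: str) -> bool:
        m = re.search(self.pattern, response, re.IGNORECASE | re.DOTALL)
        if not m:
            return False
        return (not self.reflected) or m.group(0) in request


# Constructed rules, each formed from the kind of first response data a
# successful attack of that type produces.
RULES = [
    AttackResponseRule("sqli", r"You have an error in your SQL syntax",
                       "error-based injection: DBMS error text disclosed"),
    AttackResponseRule("sqli", r"Unclosed quotation mark after the character string",
                       "error-based injection: DBMS error text disclosed"),
    AttackResponseRule("path_traversal", r"root:x:0:0:",
                       "local file read: /etc/passwd contents returned"),
    AttackResponseRule("cmd_injection", r"uid=\d+\([^)]+\)\s+gid=\d+",
                       "command execution: id output returned"),
    AttackResponseRule("xss", r"<script\b[^>]*>.*?</script>",
                       "reflected script: payload echoed unescaped", reflected=True),
]


def build_feature_db(rules):
    """Claim A13: N sub-feature databases, one per attack type."""
    db = {}
    for r in rules:
        db.setdefault(r.attack_type, []).append(r)
    return db


FEATURE_DB = build_feature_db(RULES)


def detect_success(attack_type: str, request: str, response: str):
    """Claims A8/A14/A16: compare the feature to be compared (request and
    response) with the sub-database of the detected attack type only.
    Returns the attack action of the first matching rule, or None when the
    attack is judged unsuccessful."""
    for rule in FEATURE_DB.get(attack_type, []):
        if rule.matches(request, response):
            return rule.attack_action
    return None


def generate_alert(attack_type: str, request: str, response: str) -> dict:
    """Claim A1: first warning information (type and action) on success,
    second warning information (type only) otherwise."""
    action = detect_success(attack_type, request, response)
    if action is not None:
        return {"level": "first", "attack_type": attack_type, "attack_action": action}
    return {"level": "second", "attack_type": attack_type}


# Constructed captures: (detected attack type, request data, second response data).
SAMPLES = [
    ("sqli", "GET /product?id=1' HTTP/1.1",
     "HTTP/1.1 500 Internal Server Error\r\n\r\nYou have an error in your SQL syntax; check the manual"),
    ("sqli", "GET /product?id=1' HTTP/1.1",
     "HTTP/1.1 200 OK\r\n\r\n<html>Product not found</html>"),
    ("path_traversal", "GET /static/../../etc/passwd HTTP/1.1",
     "HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n"),
    ("xss", "GET /search?q=<script>alert(1)</script> HTTP/1.1",
     "HTTP/1.1 200 OK\r\n\r\nResults for <script>alert(1)</script>"),
    ("xss", "GET /search?q=<script>alert(1)</script> HTTP/1.1",
     "HTTP/1.1 200 OK\r\n\r\nResults for &lt;script&gt;alert(1)&lt;/script&gt;"),
]

if __name__ == "__main__":
    for attack_type, request, response in SAMPLES:
        print(generate_alert(attack_type, request, response))
```

The scoping of claim A14 cuts both ways: restricting the comparison to one sub-database keeps a DBMS error text from being misread as a successful traversal, but it also means that a DBMS error in the response to a request the model labelled `xss` is never consulted, so the quality of the first warning information is bounded by the accuracy of the attack-type classification that precedes it.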
A17. The network attack alarm method according to A1, further including, after the first warning information or the second warning information is generated:
sending the first warning information or the second warning information to network management personnel by one or more of e-mail, short message, dialog box and instant messaging.
A18. The network attack alarm method according to A1, further including, after the first warning information or the second warning information is generated:
adding, according to the warning content, a corresponding attack chain label to the first warning information or the second warning information, wherein the attack chain label characterizes the attack stage of the attack chain in which the network attack lies;
counting the attack chain labels of all warning information attributed to the same attack, so as to obtain, for each attack stage of that attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, wherein the attack route information includes, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
A19. The network attack alarm method according to A18, wherein adding, according to the warning content, a corresponding attack chain label to the first warning information or the second warning information includes:
determining, according to the warning content, the attack chain label corresponding to the first warning information or the second warning information from a pre-established tag library.
A20. The network attack alarm method according to A18, wherein the attack chain labels have two or more levels, and adding, according to the warning content, a corresponding attack chain label to the first warning information or the second warning information includes:
determining, according to the warning content, the label at each level corresponding to the first warning information or the second warning information from a pre-established tag library, wherein the tag library contains M attack chain labels divided into two or more levels, M being an integer greater than 4.
A21. The network attack alarm method according to A18, wherein the attack route information further includes the start and end times of each attack stage, and the method further includes, after the attack route information is generated from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack:
displaying the attack route information in the order of the start time of each attack stage.
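As an added worked example, not code from the patent, the following Python implements Embodiment 4 and claims A18 to A21 (system claims B39 to B42): a two-level tag library of attack chain labels, labelling of warning information by its content, per-stage statistics over all warning information of one attack, and attack route information ordered by the start time of each stage. The tag library, its keywords, the stage names and the alert records are constructed for this example; the patent fixes only that the library holds M labels in two or more levels with M greater than 4.

```python
"""Attack chain labels, per-stage statistics and time-ordered attack route
information (added example for Embodiment 4 and claims A18-A21).  The tag
library and the alert records are constructed."""
from datetime import datetime

# Tag library (claim A20): level-1 label = attack stage, level-2 label =
# technique within that stage; each entry carries the keywords that select it
# from the warning content.  Six level-2 labels under three level-1 labels.
TAG_LIBRARY = {
    ("reconnaissance", "port_scan"): ("port_scan", "nmap"),
    ("reconnaissance", "dir_enum"): ("dir_enum", "directory enumeration"),
    ("initial_access", "sqli"): ("sqli", "sql injection"),
    ("initial_access", "xss"): ("xss", "cross-site scripting"),
    ("initial_access", "path_traversal"): ("path_traversal",),
    ("execution", "cmd_injection"): ("cmd_injection", "command execution"),
}


def label_alert(alert: dict):
    """Claims A19/A20: return the (stage, technique) labels whose keywords
    occur in the warning content, i.e. attack type plus attack action."""
    content = (alert["attack_type"] + " " + alert.get("attack_action", "")).lower()
    for labels, keywords in TAG_LIBRARY.items():
        if any(k in content for k in keywords):
            return labels
    return ("unlabelled", "unlabelled")


def attack_route(alerts, attack_id: str):
    """Claims A18/A21: count the labelled alerts of one attack per stage and
    return the stages, with start and end times, ordered by start time."""
    stages = {}
    for alert in alerts:
        if alert["attack_id"] != attack_id:
            continue
        stage, technique = label_alert(alert)
        t = datetime.fromisoformat(alert["time"])
        s = stages.setdefault(stage, {"stage": stage, "total": 0, "successful": 0,
                                      "actions": [], "techniques": set(),
                                      "start": t, "end": t})
        s["total"] += 1
        s["techniques"].add(technique)
        if alert["level"] == "first":       # first warning information: the attack succeeded
            s["successful"] += 1
            s["actions"].append(alert["attack_action"])
        s["start"], s["end"] = min(s["start"], t), max(s["end"], t)
    return sorted(stages.values(), key=lambda s: s["start"])


# Constructed alert records.  "level" is the first/second warning information
# of claim A1; "attack_id" is the attribution of each alert to one attack,
# which the patent presupposes but does not specify.
ALERTS = [
    {"attack_id": "atk-2", "time": "2024-05-01T09:00:00", "level": "second", "attack_type": "xss"},
    {"attack_id": "atk-1", "time": "2024-05-01T10:00:00", "level": "second", "attack_type": "port_scan"},
    {"attack_id": "atk-1", "time": "2024-05-01T10:05:00", "level": "second", "attack_type": "sqli"},
    {"attack_id": "atk-1", "time": "2024-05-01T10:07:00", "level": "first", "attack_type": "sqli",
     "attack_action": "error-based injection: DBMS error text disclosed"},
    {"attack_id": "atk-1", "time": "2024-05-01T10:20:00", "level": "first", "attack_type": "cmd_injection",
     "attack_action": "command execution: id output returned"},
]

if __name__ == "__main__":
    # Display of claim A21: stages in order of their start time.
    for s in attack_route(ALERTS, "atk-1"):
        print(f"{s['start']:%H:%M}-{s['end']:%H:%M} {s['stage']}: "
              f"{s['total']} attacks, {s['successful']} successful, actions={s['actions']}")
```

Keyword lookup is the simplest reading of "determining the label from the tag library according to the warning content"; because the library is scanned in insertion order and the first hit wins, entries whose keywords are substrings of others (here `sql injection` against `cmd_injection`) have to be ordered or phrased so that the more specific label is tested first.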
The invention also discloses B22, a network attack warning system, including:
a first detection module, for detecting whether a destination host is subjected to a network attack and determining the attack type of the network attack;
a second detection module, for detecting, when the destination host is subjected to the network attack, whether the network attack succeeded, and determining the attack action of the successful network attack;
a warning information generation module, for generating, when the network attack succeeded, first warning information that includes the attack type of the network attack and the attack action of the network attack, and otherwise generating second warning information that includes the attack type of the network attack.
B23. The network attack warning system according to B22, wherein the first detection module includes:
an acquisition module, for acquiring network data of the destination host;
a first extraction module, for extracting a feature to be detected from the network data;
an import module, for importing the feature to be detected into a pre-established artificial intelligence model, so that the artificial intelligence model classifies the feature to be detected and whether the destination host is subjected to a network attack and the attack type of the network attack are determined according to the classification result.
B24. The network attack warning system according to B23, wherein the first extraction module includes:
a first extraction unit, for extracting request data from the network data, wherein the request data is used to initiate a request for service to the destination host;
a second extraction unit, for extracting the feature to be detected from the request data.
B25. The network attack warning system according to B23, further including:
a model creation module, for establishing the artificial intelligence model before the feature to be detected is imported into the pre-established artificial intelligence model.
B26. The network attack warning system according to B25, wherein the model creation module includes:
a collection module, for collecting model training data;
a second extraction module, for extracting features of known network attacks from the model training data to obtain attack feature data;
a classification module, for classifying the attack feature data to obtain training samples;
a training module, for performing model training according to the training samples to obtain the artificial intelligence model.
B27. The network attack warning system according to B26, wherein the model training data includes one or more of: attack data published on the Internet, vulnerability data published on the Internet, attack data already acquired at the destination host, and vulnerability data already acquired at the destination host.
B28. The network attack warning system according to B26, wherein the training module is a naive Bayes algorithm module.
B29. The network attack warning system according to B22, wherein the second detection module includes:
a third extraction module, for extracting a feature to be compared from the network data corresponding to the network attack;
a comparison module, for comparing the feature to be compared with one or more attack-response rules, wherein each attack-response rule is formed from first response data, the first response data being the response of an attacked host to a successful attack request;
a determination module, for judging that the network attack succeeded when the feature to be compared matches an attack-response rule;
an attack action determining module, for determining the attack action of the successful network attack.
B30. The network attack warning system according to B29, wherein the third extraction module includes:
a third extraction unit, for extracting second response data from the network data, wherein the second response data is the data with which the destination host responds to a request for service;
a fourth extraction unit, for extracting the feature to be compared from the second response data.
B31. The network attack warning system according to B29, wherein the third extraction module includes:
a fifth extraction unit, for extracting request data and second response data from the network data, wherein the request data is used to initiate a request for service to the destination host, and the second response data is the data with which the destination host responds to that request;
a sixth extraction unit, for extracting the feature to be compared from the request data and the second response data.
B32. The network attack warning system according to B29, further including:
a feature database creation module, for establishing, before the feature to be compared is compared with the one or more attack-response rules, a feature database containing the one or more attack-response rules.
B33. The network attack warning system according to B32, wherein the feature database creation module includes:
a database creation module, for creating a database;
a fourth extraction module, for extracting one or more attack-response features from one or more items of first response data, one feature per item;
a rule forming module, for describing each attack-response feature in a definite form, so as to form the one or more attack-response rules;
a storage module, for storing the one or more attack-response rules in the database to obtain the feature database.
B34. The network attack warning system according to B32, wherein the feature database includes N sub-feature databases, N being an integer not less than 2, and the feature database creation module includes:
a database creation module, for creating N databases;
a fourth extraction module, for extracting two or more attack-response features from two or more items of first response data, one feature per item;
a rule forming module, for describing each attack-response feature in a definite form, so as to form two or more attack-response rules;
a storage module, for storing those of the two or more attack-response rules that belong to the same attack type in the same database, each database so filled being one sub-feature database.
B35. The network attack warning system according to B34, wherein the comparison module is used to compare the feature to be compared with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
B36. The network attack warning system according to B33 or B34, wherein the rule forming module is a regular expression writing module.
B37. The network attack warning system according to B33 or B34, further including:
an association creation module, for establishing, before the feature to be compared is compared with the one or more attack-response rules, an association between each attack-response rule and an attack action;
wherein the attack action determining module is used to determine, according to the association between each attack-response rule and its attack action, the attack action associated with the attack-response rule matched by the feature to be compared as the attack action of the successful network attack.
B38. The network attack warning system according to B22, further including:
a sending module, for sending, after the first warning information or the second warning information is generated, the first warning information or the second warning information to network management personnel by one or more of e-mail, short message, dialog box and instant messaging.
B39. The network attack warning system according to B22, further including:
a label adding module, for adding, after the first warning information or the second warning information is generated and according to the warning content, a corresponding attack chain label to the first warning information or the second warning information, wherein the attack chain label characterizes the attack stage of the attack chain in which the network attack lies;
a statistics module, for counting the attack chain labels of all warning information attributed to the same attack, so as to obtain, for each attack stage of that attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
a route information generation module, for generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, wherein the attack route information includes, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
B40. The network attack warning system according to B39, wherein the label adding module is used to determine, according to the warning content, the attack chain label corresponding to the first warning information or the second warning information from a pre-established tag library.
B41. The network attack warning system according to B39, wherein the attack chain labels have two or more levels, and the label adding module is used to determine, according to the warning content, the label at each level corresponding to the first warning information or the second warning information from a pre-established tag library, wherein the tag library contains M attack chain labels divided into two or more levels, M being an integer greater than 4.
B42. The network attack warning system according to B39, wherein the attack route information further includes the start and end times of each attack stage, and the system further includes:
a display module, for displaying, after the attack route information is generated from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, the attack route information in the order of the start time of each attack stage.
The invention also discloses C43, a computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, the network attack alarm method according to any one of A1 to A21 is realized.
The invention also discloses D44, a computer device, including a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that, when the processor executes the program, the network attack alarm method according to any one of A1 to A21 is realized.